Debian / Ubuntu: Set Port Knocking With Knockd and Iptables

My iptables based firewall allows only TCP ports 80 and 443. I also need TCP port 22, but I do not have a static IP at my home. How do I open and close TCP port 22 on demand under Debian or Ubuntu Linux based server systems? How do I install a port-knock server called knockd and configure it with iptables to open TCP port 22 or any other port?

Debian or Ubuntu Linux comes with knockd. It is a port-knock server. It listens to all traffic on an Ethernet and/or PPP interface (created by VPN/dial-up pppd), looking for special “knock” sequences of port-hits. A knock client makes these port-hits by sending a TCP or UDP packet to a port on the server. This port need not be open: since knockd listens at the link-layer level, it sees all traffic even if it’s destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.

Tutorial details
  • Difficulty level: Advanced
  • Root privileges: Yes
  • Requirements: knockd and iptables
  • Est. reading time: N/A

Knockd installation

Open a terminal or login to the remote server using the ssh client. Type the following apt-get command as root user to install knockd server:
$ sudo apt-get install knockd
Sample outputs:

[sudo] password for vivek: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 27.6 kB of archives.
After this operation, 168 kB of additional disk space will be used.
Get:1 stable/main knockd amd64 0.5-3 [27.6 kB]
Fetched 27.6 kB in 1s (19.5 kB/s)
Selecting previously deselected package knockd.
(Reading database ... 352407 files and directories currently installed.)
Unpacking knockd (from .../knockd_0.5-3_amd64.deb) ...
Processing triggers for man-db ...
Setting up knockd (0.5-3) ...
knockd disabled: not starting. To enable it edit /etc/default/knockd ... (warning).


Edit the file /etc/knockd.conf, enter:
$ sudo vi /etc/knockd.conf
Update the config file as follows. Feel free to change the sequence port numbers (2022, 3022, 4022) as per your setup. The [openSSH] section adds an iptables ACCEPT rule for the knocking client's address (knockd substitutes it for %IP%) when the sequence arrives within seq_timeout seconds, and the [closeSSH] section deletes that rule again when the reverse sequence arrives:

[openSSH]
        sequence    = 2022,3022,4022
        seq_timeout = 5
        command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 4022,3022,2022
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

Save and close the file. Edit the file /etc/default/knockd, enter:
$ sudo vi /etc/default/knockd
Enable the daemon in this file (the install message above warns that knockd is disabled until /etc/default/knockd is edited). Optional: set an interface name such as eth0 or ppp0 as per your setup:

KNOCKD_OPTS="-i eth0"

Save and close the file.
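With the [openSSH]/[closeSSH] pair above, the ACCEPT rule stays in the INPUT chain until the client remembers to send the close sequence, and if your INPUT chain ends in an explicit DROP rule (rather than relying on a DROP policy), a rule appended with -A lands after that DROP and never matches. The following script is an added example, not part of the tutorial or the knockd project: it places the tutorial's configuration beside a variant that uses knockd's start_command, cmd_timeout and stop_command keys so the daemon removes the rule itself, and adds a small awk audit that flags sections which open a rule without a cmd_timeout. The 10-second timeout, the log file path and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the tutorial's own
# [openSSH]/[closeSSH] pair beside a time-limited variant, plus an audit
# function that flags sections whose ACCEPT rule nothing removes by itself.

# The tutorial's configuration (copied here as a constructed string). The
# ACCEPT rule stays in place until the client sends the reverse sequence.
TUTORIAL_CONF='[openSSH]
    sequence    = 2022,3022,4022
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
[closeSSH]
    sequence    = 4022,3022,2022
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
'

# Variant using knockd's start_command / cmd_timeout / stop_command keys:
# knockd runs stop_command itself cmd_timeout seconds after start_command,
# so a forgotten close knock no longer leaves the port open. -I (insert at
# the top of INPUT) is used instead of -A so the rule lands before any
# trailing DROP rule. An ssh session started inside the window survives the
# rule's removal only if the firewall already accepts ESTABLISHED traffic.
TIMED_CONF='[options]
    logfile = /var/log/knockd.log
[openSSH]
    sequence      = 2022,3022,4022
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 10
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
'

# Print the name of every section that adds an ACCEPT rule (command or
# start_command using -A/-I on INPUT) but sets no cmd_timeout.
audit_knockd_conf() {
    awk '
        function flush() {
            if (sec != "" && opens && !timed) print sec
            sec = ""; opens = 0; timed = 0
        }
        /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[ \t]*(start_)?command[ \t]*=/ && /-(A|I) INPUT/ && /-j ACCEPT/ { opens = 1 }
        /^[ \t]*cmd_timeout[ \t]*=/ { timed = 1 }
        END { flush() }
    ' "$1"
}

# Demonstration on temporary copies (this never edits /etc/knockd.conf):
t=$(mktemp) && printf '%s' "$TUTORIAL_CONF" > "$t"
h=$(mktemp) && printf '%s' "$TIMED_CONF" > "$h"
echo "sections left open indefinitely in tutorial config: $(audit_knockd_conf "$t")"
echo "sections left open indefinitely in timed config:    $(audit_knockd_conf "$h")"
rm -f "$t" "$h"
```

Run the audit against a real file with `audit_knockd_conf /etc/knockd.conf`; an empty result means every section that opens a rule also carries a cmd_timeout. The timed variant still leaves the reverse sequence unused, so the [closeSSH] section can simply be dropped.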

How do I start / stop / restart knockd?

Type the following commands:

sudo service knockd start    #<-- start server
sudo service knockd stop     #<-- stop server
sudo service knockd restart  #<-- restart server
sudo service knockd status   #<-- see server status

The same operations are available through the init script:

sudo /etc/init.d/knockd start    #<-- start server
sudo /etc/init.d/knockd stop     #<-- stop server
sudo /etc/init.d/knockd restart  #<-- restart server
sudo /etc/init.d/knockd status   #<-- see server status

How do I knock on a port?

You need to use the knock command. It is a port-knock client. To open TCP port 22 for sshd, send the open sequence from the [openSSH] section to your server (replace the SERVER_IP placeholder with the server's IP address or hostname):
$ knock -v SERVER_IP 2022 3022 4022
Sample outputs:

hitting tcp
hitting tcp
hitting tcp

How do I close down the port?

Send the reverse sequence, which matches the [closeSSH] section and deletes the ACCEPT rule:
$ knock -v SERVER_IP 4022 3022 2022

How do I knock on a UDP port?

Pass -u so that knock sends UDP packets instead of TCP SYN packets (the sequence must match one configured in /etc/knockd.conf):
$ knock -v -u SERVER_IP 9090
You can also mix TCP and UDP ports in one sequence by tagging each port with its protocol:
$ knock SERVER_IP 2022:tcp 9090:udp 4022:tcp

How do I verify that the port was opened or closed on the server?

Log in with the ssh client (SERVER_IP is a placeholder for your server's address) and list the INPUT chain. After the open sequence a rule with your client's address as source and tcp dpt:22 should be listed; after the close sequence it should be gone:
$ ssh user@SERVER_IP
# iptables -L INPUT -v -n
# iptables -L INPUT -v -n | grep :22
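To make that check repeatable, here is an added example that is not part of the tutorial: a shell function that reads `iptables -L INPUT -v -n` output and prints the source address of every per-host ACCEPT rule for TCP port 22, which is exactly the shape of rule the [openSSH] command creates, plus a helper that prints the matching `iptables -D` command for each one so leftover holes from a client that never sent the close sequence can be reviewed and removed. The chain listing embedded in the script is constructed sample data using documentation addresses, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: inspect `iptables -L INPUT -v -n`
# output for per-host ACCEPT rules on port 22 (the rules knockd adds) so that
# holes a client never closed can be spotted and removed.

# Constructed sample output in the column layout `iptables -L INPUT -v -n`
# prints (the addresses are documentation ranges, not real hosts).
SAMPLE_INPUT_CHAIN='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1432 98210 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   88  5280 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
   61  3660 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
   42  3360 ACCEPT     tcp  --  *      *       203.0.113.5          0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       198.51.100.9         0.0.0.0/0            tcp dpt:22
'

# Print the source address of every ACCEPT rule for TCP port 22 that is
# restricted to a single host (the shape knockd's %IP% rule produces).
# Columns with -v -n: pkts bytes target prot opt in out source destination ...
# Reads the chain listing from stdin.
knock_holes() {
    awk '$3 == "ACCEPT" && $4 == "tcp" && $8 != "0.0.0.0/0" && $0 ~ /dpt:22($|[^0-9])/ { print $8 }'
}

# Emit the delete command for each such rule. Nothing is executed here; the
# output is meant to be reviewed first and then run by hand as root.
knock_hole_cleanup() {
    knock_holes | while read -r ip; do
        printf '/sbin/iptables -D INPUT -s %s -p tcp --dport 22 -j ACCEPT\n' "$ip"
    done
}

# Live usage (as root):  iptables -L INPUT -v -n | knock_holes
# Offline demonstration on the constructed sample:
printf '%s' "$SAMPLE_INPUT_CHAIN" | knock_holes
printf '%s' "$SAMPLE_INPUT_CHAIN" | knock_hole_cleanup
```

A rule with a zero packet count, like the second one in the sample, is a typical sign of a client that knocked, never connected, and never sent the close sequence; compare the list against the addresses you expect before deleting anything.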

Please note that port knocking is nothing but security by obscurity. I suggest that you:

  1. Secure OpenSSH properly using our “OpenSSH Server Best Security Practices” guide.
  2. Use a better solution such as fwknop, which implements an authorization scheme called Single Packet Authorization (SPA).

See also:
  • man pages: knockd, knock, and iptables

3 comments
  • Daniel May 2, 2013 @ 12:50

    In the [closeSSH] section, shouldn’t that be

    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j DROP


    • 🐧 nixCraft May 2, 2013 @ 16:04

      The -D switch means delete the rule that was previously defined using [openSSH].


  • bits4beats May 3, 2013 @ 14:09

    The command to open should be:

    > knock -v 2022 3022 4022

    the last one port is 4022 and not 3022 (as correctly executed in the output).
    Thanks for this post!
