Problem with Port Triggering

I have an issue. I’m trying to duplicate the port triggering functionality found in many routers for my Debian-based router image. However, I can’t find any configuration options within the kernel to enable such functionality. I have enabled a few configuration options on my own, but I can’t seem to find anything similar to CONFIG_NETFILTER_XT_TARGET_TRIGGER… (or any options with the word TRIGGER in it)

So I started looking to see what my options are. I found ULOGD2 and the NFLOG target. I know I can write a script to deal with port triggering, based on this program and target. However, I was hoping to avoid this…

I found this: Port Triggering with OpenWRT, which adds the functionality to OpenWRT v0.9 (WhiteRussian). I also found this: https://github.com/dnetlab/port-trigger, which seems to also add it as an OpenWRT repository (maybe)…

I’m not sure how to integrate either of these into our kernel… Any ideas?

You want to execute a script/action when a port comes up? Maybe udev can handle it?

Well, I found this: https://www.howtoforge.com/port-triggering-using-a-nat-firestarter-firewall-and-specter-in-debian-ubuntu, which uses programs called firestarter (GUI front-end to iptables, not needed) and specter (available in Debian 5, not in Debian 10 or 11…). Specter only works with the ULOG target, not NFLOG, and I’m guessing it would be involved to update the code… (Not in any way ideal!)

But the idea is to open specific port(s) when a port or a port range is accessed. Using iptables exclusively to do this would be ideal without an additional script… I have the supporting software I need installed to write the script, but I was hoping that I wouldn’t have to…

Sounds like some kind of port knocking.

I’m familiar with port knocking, and I kinda agree. But the difference is that the port or port range gets directed to the IP address that makes the call to that port(s), not to a specified IP address. It also should last a specific amount of time after the last time that port was accessed…

I believe the “specific amount of time” can be dealt with in iptables. But I haven’t seen support for a trigger action (aka -j TRIGGER) that only a very few, far-between articles talk about.

OK, so more similar to UPnP?

iptables is dead; you should look for a way to do it with nftables.

Quite similar to UPnP, except that the port(s) and port range(s) are configured on the router.

I’m trying to resist that particular change :stuck_out_tongue: Seriously, why is iptables dead?

At least on Debian (AFAIK Buster too), nftables is used as the backend for the iptables command, and modern functions (like HW NAT) only work with nft.

Sigh… I guess I get to write another script, then… And see about converting to nftables…

Have you found any way for port triggering?

I am currently searching for port knocking in nftables; there are some examples in the nftables wiki, but I have not understood them well enough yet to integrate them into my firewall.
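For reference, here is an added example (not posted by anyone in this thread, and not from the nftables wiki) of the behaviour described earlier in the thread done purely in nftables, with no helper script: an inside host that sends to a trigger port range gets the matching inbound range DNATed to it, and the mapping expires a fixed time after the host's last outbound packet to the trigger range. Everything concrete in it is an assumption: the interface names lan0/wan0, the two trigger definitions, the 5 minute timeout, and the table/map/chain names. It relies on nft's dynamic map statement (`update @map { key : value }` from the packet path), which needs a reasonably recent nft and kernel; check the file with `nft -c -f` on your own build before loading it.

```nftables
#!/usr/sbin/nft -f
# Added example: port triggering with a plain nftables ruleset (no helper script).
# Assumptions (not from the thread): inside interface lan0, outside interface wan0,
# two triggers, and a 5 minute idle timeout refreshed by outbound trigger packets.
#   trigger 1: outbound TCP 6881-6889   opens inbound TCP 6881-6889
#   trigger 2: outbound TCP 27000-27030 opens inbound TCP 27015-27030
# Needs an nft/kernel that supports dynamic map updates from the packet path
# (the "update @map { key : value }" statement). Check with: nft -c -f <this file>

# add-then-delete lets the file be reloaded whether or not the table exists yet
add table ip porttrigger
delete table ip porttrigger
table ip porttrigger {
    # static: outbound (trigger) port range -> trigger id
    map trigger_ids {
        type inet_service : mark
        flags interval
        elements = { 6881-6889 : 1, 27000-27030 : 2 }
    }

    # static: inbound (opened) port range -> trigger id; may differ from the trigger range
    map open_ids {
        type inet_service : mark
        flags interval
        elements = { 6881-6889 : 1, 27015-27030 : 2 }
    }

    # dynamic: trigger id -> LAN host that fired it. Every "update" below resets
    # the 5m timer, so the opening lasts 5 minutes after the last outbound use.
    map trigger_host {
        type mark : ipv4_addr
        flags dynamic,timeout
        timeout 5m
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # inbound packet to an opened range: port -> trigger id -> LAN host.
        # If the id has no live entry (never triggered, or expired) the map
        # lookup fails, the rule does not match and nothing is forwarded.
        iifname "wan0" meta mark set tcp dport map @open_ids dnat to meta mark map @trigger_host
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # outbound packet into a trigger range: (re)register the sender for that id.
        # This sits before the conntrack shortcut so every packet, not just the
        # first of a connection, refreshes the timer.
        iifname "lan0" oifname "wan0" meta mark set tcp dport map @trigger_ids update @trigger_host { meta mark : ip saddr } accept
        ct state established,related accept
        iifname "lan0" oifname "wan0" accept
        # only inbound connections that prerouting DNATed above are let through
        iifname "wan0" oifname "lan0" ct status dnat accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Two caveats worth knowing before relying on it. First, `update` refreshes the timer of an existing element but does not replace its data, so one LAN host owns a trigger id until the entry expires; a second host hitting the same trigger range only extends the first host's mapping. Second, DNAT is decided on the first packet of a connection, so inbound connections that are already established keep working after the entry expires; only new ones stop being forwarded. The table above handles forwarding only; the router's own `input` chain is whatever you already have. If you script rules in and out (for example opening TCP 80 for a certificate renewal), give them their own chain that is jumped to from `input` and `flush chain` / `add rule` on that chain, so you never have to find the right position in a shared chain.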

Sadly, I haven’t even begun to write the script yet… Been trying to get elements of my router Web UI working… Too many elements to write…

You can convert the applied iptables rules into nftables to have a base. This is the way I did it: first convert, then aggregate (same rules for different interfaces), and then do some optimization (restructure into your own chains, as it is easier in nftables to read/define).

https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

The only thing that was tricky: deleting/adding rules by script at the right position (I needed this for the Let's Encrypt cert update, opening and closing the HTTP port, and for optional logging).