Sorry guys for being super lazy. I won’t write full article howto create port knocking. I have implemented this technique and couldn’t find simple windows client (that would knock on tcp). I have used some ideas and codes from Internet and have created my own super simple port knocker TCP/UDP (based on: https://github.com/sebastienwarin/Knock).
Here is Windows binary file and source code for Visual Studio Express – PortKnock
And on router side I will provide rules for my Mikrotik (/ip firewall filter>):
add action=add-src-to-address-list address-list=PKport:123 address-list-timeout=1m chain=input comment="Port Knocking 123 -> kolejnosc: 123, 789, 456" dst-port=123 protocol=tcp src-address-list=!PKban
add action=add-src-to-address-list address-list=PKport:789 address-list-timeout=1m chain=input comment="Port Knocking 789" dst-port=789 protocol=tcp src-address-list=PKport:123
add action=add-src-to-address-list address-list=PKban address-list-timeout=1m chain=input comment="Port Knocking 789" dst-port=789 protocol=tcp src-address-list=!PKport:123
add action=add-src-to-address-list address-list=PKsecure address-list-timeout=10m chain=input comment="Port Knocking 456" dst-port=456 protocol=tcp src-address-list=PKport:789
add action=add-src-to-address-list address-list=PKban address-list-timeout=1m chain=input comment="Port Knocking 456" dst-port=456 protocol=tcp src-address-list=!PKport:789
This will make your router create Adress List in Firewall called PKsecure with ip adresses which have knocked properly. Typically adresses on that list can be allowed to make new connections, while we pass established and related and drop everything else = Statefull firewall.
On linux you can use my program using mono or use simple bash script:
for x in 123 789 456; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x router_ip_address; done
Visit https://wiki.mikrotik.com/wiki/Port_Knocking if You are using Mikrotik as your firewall.