Comment by rwmj

Not sure if this is the best, but I use nftables and this article helped me setup port knocking on a debian server: https://home.regit.org/2017/07/nftables-port-knocking/

Then I added a tripwire feature to make it less likely that a random port traversal would be successful. Here's a snippet of my nftables.conf:

    define KNOCK_PORT1 = 20000
    define KNOCK_PORT2 = 30000
    define KNOCK_PORT3 = 10000
    define TRIPWIRE_PORT1 = 15000
    define TRIPWIRE_PORT2 = 25000
    
    table inet filter {
    
        .
        .
    
        set allowed_ssh {
            type ipv4_addr
            flags timeout
            elements = { $HOME_IP, $OTHER_SERVER_IP }
        }
    
        # track port knocking
        set knock1 {
            type ipv4_addr
            timeout 5s
        }
        set knock2 {
            type ipv4_addr
            timeout 5s
        }
        set banned {
            type ipv4_addr
            timeout 1m
        }
    
        # handle port knocking
        chain raw {
            type filter hook prerouting priority raw;
            policy accept;
    
            ip saddr @banned tcp dport { $KNOCK_PORT1, $KNOCK_PORT2, $KNOCK_PORT3} log prefix "nft banned: " drop
    
            tcp dport $KNOCK_PORT1 set add ip saddr @knock1 log prefix "nft knock1: " drop
            ip saddr @knock1 tcp dport $TRIPWIRE_PORT1 set add ip saddr @banned log prefix "nft tripwire1: " drop
            ip saddr @knock1 tcp dport $KNOCK_PORT2 set add ip saddr @knock2 log prefix "nft knock2: " drop
            ip saddr @knock2 tcp dport $TRIPWIRE_PORT2 set add ip saddr @banned log prefix "nft tripwire2: " drop
            ip saddr @knock2 tcp dport $KNOCK_PORT3 set add ip saddr @allowed_ssh log prefix "nft knock3: " drop
        }
    }