I thought it was
Well, when ipt sees the IP hit port $KNOCK it jumps to ssh_add
That adds the IP to the ssh_knock list
If the IP tries port 22 it goes to the ssh_filter which checks if the IP is in the ssh_knock list.
If it is then the rule succeeds.
What doesn't happen is that the IP is *removed* from the ssh_knock list if it hits any other port between hitting the $KNOCK port and port 22.
So if I do a portscan, hitting ports 1-65534, port 22 opens and stays open for a short while.
What you really want is for port 22 to be closed if the IP hits any other port after hitting $KNOCK and before hitting 22.
Hmm, even better would be if hitting $KNOCK and !22 put the IP onto a pre-KNOCK DROP blacklist for a short while - that would stop/slow brute force attacks too.
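Added example (not from the original post): the ssh_add/ssh_filter layout described above written out with the iptables "recent" match, with the weak form next to a version that forgets the knock and briefly blacklists the source when any other port is hit in between. The knock port number, the 30 s knock window and the 60 s blacklist window are assumed values.

```shell
#!/bin/sh
# Added example, not from the original post: iptables port-knock rules using the
# "recent" match, with the gap described above next to one way to close it.
# Assumed: one knock port ($KNOCK), SSH on 22, a 30 s knock window; the port
# number below is a constructed placeholder.
KNOCK=${KNOCK:-12345}
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the rules instead of applying them (no root needed)
ipt() { if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

# Shared part: ssh_add records the knocker, ssh_filter admits only recorded IPs.
knock_chains() {
  ipt -N ssh_add
  ipt -N ssh_filter
  ipt -A ssh_add -m recent --name ssh_knock --set -j DROP
  ipt -A ssh_filter -m recent --name ssh_knock --rcheck --seconds 30 -j ACCEPT
  ipt -A ssh_filter -j DROP
  ipt -A INPUT -p tcp --dport "$KNOCK" -m conntrack --ctstate NEW -j ssh_add
  ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ssh_filter
}

# Weak form: nothing removes an IP from ssh_knock when it touches other ports,
# so a full port sweep that passes $KNOCK before 22 still gets through.
knock_rules_weak() { knock_chains; }

# Hardened form: a knocked IP that opens any other port loses its entry and is
# parked on a short DROP list, so the knock must be followed directly by 22.
knock_rules_fixed() {
  # Checked first: anything on the blacklist is dropped for 60 s.
  ipt -I INPUT 1 -m recent --name ssh_black --rcheck --seconds 60 -j DROP
  knock_chains
  # A new connection from a knocked IP to any port other than $KNOCK or 22
  # forgets the knock (--remove) and blacklists the source (--set).
  ipt -A INPUT -p tcp -m multiport ! --dports "$KNOCK",22 -m conntrack --ctstate NEW \
      -m recent --name ssh_knock --remove \
      -m recent --name ssh_black --set -j DROP
}

case "${1:-}" in
  show)  knock_rules_fixed ;;
  apply) DRY_RUN=0; knock_rules_fixed ;;
esac
```

Run with `show` to print the hardened rule set, or as root with `apply` to load it; the `--remove` match only fires for sources already in ssh_knock, so unknowing hosts that never knocked are untouched by the clearing rule.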