What would be the command to open another SSH port in the firewall?
OK, sounds like I would be supposed to know it. But actually I never used openSUSE’s nor Linux firewalls in general - and probably never will (when you have been using OpenBSD + pf for many years, you don’t want anything else). I did write some iptables scripts a while ago (must have been under Gentoo, I guess), but I really don’t remember.
Here’s the problem:
I’m writing a new freenx setup that I will include in a new build of freenx (it will be systemd compatible and use NX agent 3.5.0). Users should be allowed to run the nx server on an alternate SSH port by giving this port as argument to a command line option. If they choose to do so, the freenx config will be changed accordingly, the port will be added in /etc/ssh/sshd_config and sshd will be restarted.
Now how do I check if the firewall is on?
If it is, which iptable rule do I have to write and where?
Please, don’t answer “use YaST”! This task has to be performed in a script. I would find out, but maybe you guys could save me time … this time. (?).
Whether you want it this way or not, the correct answer is to set up the firewall via Yast, because otherwise any time the system changes state it may overwrite your setting and that will cause problems (especially if you are reconfiguring things remotely via your alternate SSH port and therefore lose your own connection to the system until you get back to it another way).
If you want to modify things the “right way” without using Yast you could modify the /etc/sysconfig/SuSEfirewall2 file (as root) and change the following line (after saving the original file… just in case):
FW_SERVICES_EXT_TCP=""
to something like this:
FW_SERVICES_EXT_TCP="2345"
where ‘2345’ is the TCP port you want to allow now. I have not tested this but you are welcome to. If this does not work then undo it, open a TCP port in Yast (Yast: Security and User: Firewall: Allowed Services: Advanced: TCP: type in 2345 or whatever), save everything, and then see how the file has changed (meld/diff/vimdiff/etc.) and then script it your way. This is the “right way” because this way the system knows what is happening and things like restarts, reconfigurations via Yast, etc. will not break your system.
To answer your question the wrong way, you could run something like this and put it in a script, but there are downsides, like the fact that it may not be inserting the command in the right spot (this will put it at the top… first thing on the INPUT chain), which could cause things to behave in ways you do not want. It’s probably not an issue for a simple setup, but I do not know your setup:
> If it is, which iptable rule do I have to write and where?
No idea. I configure “/etc/sysconfig/SuSEfirewall2” and sometimes
“/etc/sysconfig/scripts/SuSEfirewall2-custom”.
> Please, don’t answer “use YaST”! This task has to be performed in a
> script. I would find out, but maybe you guys could save me time …
> this time. (?).
If you want to use iptables directly, you have to disable the firewall from starting at all, then define your own rules somehow. Nobody does that, AFAIK. Some use a different program to setup iptables instead of SuSEfirewall2.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
> If you want to use iptables directly, you have to disable the firewall from
> starting at all, then define your own rules somehow. Nobody does that,
> AFAIK. Some use a different program to setup iptables instead of SuSEfirewall2.
No, you do not have to disable the firewall. After all, the GUI just generates a set of iptables commands.
Using the standard firewall, run the command ‘sudo iptables-save > iptable1’, which will dump the firewall rules. Now use Yast to add one of the special rules, and do ‘sudo iptables-save > iptable2’. The differences between iptable1 and iptable2 will tell you the form needed, which chain it is in, and where it goes in the chain. In your script, you then use iptables -I to insert the rule in the chain and in the place you need it.
Thank you, guys. I knew it was simple. OK, this works, following @ab’s suggestion in post #2:
# $p holds the alternate SSH port; only act if SuSEfirewall2 is running
if /sbin/SuSEfirewall2 status &>/dev/null ; then
    # match the port as a whole word, so "22" is not taken as already present when only "9122" is listed
    if ! grep -q "^FW_SERVICES_EXT_TCP=\".*\b$p\b" /etc/sysconfig/SuSEfirewall2 ; then
        echo "- opening SSH port $p"
        # append $p inside the quotes; the second expression is anchored to the same line
        # so it only strips the blank left when the list was empty, not quotes in comments
        sed -i "s|^\(FW_SERVICES_EXT_TCP=\".*\)\"|\1 $p\"|;s|^\(FW_SERVICES_EXT_TCP=\)\" |\1\"|" /etc/sysconfig/SuSEfirewall2
        /sbin/SuSEfirewall2 start
    fi
fi
There is no “restart” option to SuSEfirewall2, but “start” seems not to care and reloads the rules.
But I found out that this works too and looks nicer:
# same idea, but edit the sshd service definition instead of the global TCP list
if /sbin/SuSEfirewall2 status &>/dev/null ; then
    # whole-word match on the TCP="..." line only
    if ! grep -q "^TCP=\".*\b$p\b" /etc/sysconfig/SuSEfirewall2.d/services/sshd ; then
        echo "- opening SSH port $p"
        # append $p inside the quotes, then remove the leading blank if the list was empty
        sed -i "s|^\(TCP=\".*\)\"|\1 $p\"|;s|^TCP=\" |TCP=\"|" /etc/sysconfig/SuSEfirewall2.d/services/sshd
        /sbin/SuSEfirewall2 start
    fi
fi
To show the differences between both methods, look at how YaST displays the settings:
The picture on the left is what you would achieve with the first code or by clicking on “Advanced” in Allowed services for SSH in YaST… although it seems to me that the second code is better, as it opens port 9122 for ssh only.
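As an added example (not code from the thread), the second approach above generalised into a small idempotent function: it matches the port as a whole word so 22 is not mistaken for part of 9122, anchors the clean-up substitution to the TCP= line so quotes in comments elsewhere in the file are untouched, and refuses non-numeric input. The file path is a parameter (an assumption for the demo, which runs on a constructed copy of the services/sshd file without root); on a real system it would be /etc/sysconfig/SuSEfirewall2.d/services/sshd, followed by /sbin/SuSEfirewall2 start as in the post.

```shell
#!/bin/sh
# Added example: idempotently add a TCP port to the TCP="..." line of a
# SuSEfirewall2 service definition. FILE is passed in so the function can be
# exercised on a constructed copy instead of the real file.

# fw_has_port FILE PORT -> exit 0 if PORT is already listed as a whole word
fw_has_port() {
    grep -Eq "^TCP=\"([^\"]* )?$2( [^\"]*)?\"" "$1"
}

# fw_add_port FILE PORT -> append PORT to the TCP list unless already present
fw_add_port() {
    file=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    if fw_has_port "$file" "$port"; then
        return 0                     # nothing to do; repeated runs are harmless
    fi
    if ! grep -q '^TCP="' "$file"; then
        printf 'TCP="%s"\n' "$port" >> "$file"   # no TCP line yet: create one
        return 0
    fi
    # Append inside the quotes; the second expression, anchored to the TCP=
    # line, trims the blank left behind when the list was empty (TCP="" -> TCP="9122").
    sed -i "s|^\(TCP=\"[^\"]*\)\"|\1 $port\"|;s|^TCP=\" |TCP=\"|" "$file"
}

# Demo on a constructed copy of the sshd service file (sample content, not the real file).
demo_file=$(mktemp)
printf '## Name: Secure Shell Server\nTCP="22"\n' > "$demo_file"
fw_add_port "$demo_file" 9122
fw_add_port "$demo_file" 9122        # second call must not duplicate the port
cat "$demo_file"                     # TCP="22 9122"
rm -f "$demo_file"
```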