Firewall is broken after install if SSHD listens on multiple ports

Issue #148 resolved
Alexandre Kouznetsov
created an issue

Hello.

I have set up iRedMail-0.9.8 on a Debian 9 server; it's a VM hosted on a public cloud. It seems like the installation process breaks the firewall if more than one port is set up in /etc/ssh/sshd_config. In my specific case, the server has two network interfaces, one facing the Internet and another plugged into the internal network. I make SSHD listen on two ports, and then set up the local firewall to allow connections from the Internet only on the non-standard port, while leaving port 22 on the internal network alone. The issue is that the installation script generated a broken /etc/default/iptables, which caused no netfilter rules to be applied at all.

After installing iRedMail and rebooting, I found my netfilter to have zero rules and the default policy set to ACCEPT. The expectation was that the more restrictive setup would be applied, according to the new /etc/default/iptables.

This is the diagnosis:

# iptables -L | grep Chain
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

# grep ^Port /etc/ssh/sshd_config
Port 1022
Port 22

# grep -A 2 "# ssh" /etc/default/iptables
# ssh
-A INPUT -p tcp --dport 1022
22  -j ACCEPT

# grep -A 6 "# Location of sshd_config" iRedMail-0.9.8/conf/global
# Location of sshd_config
export SSHD_CONFIG='/etc/ssh/sshd_config'
export SSHD_PORT="$(awk '/^Port/ {print $2}' ${SSHD_CONFIG})"
if [ X"${SSHD_PORT}" == X'' ]; then
    # No port number defined, use default port number (22).
    export SSHD_PORT='22'
fi

# awk '/^Port/ {print $2}' /etc/ssh/sshd_config
1022
22

A manual fix to /etc/default/iptables solved the immediate problem, but I can't tell what else could have been broken due to this multiline SSHD_PORT value. I'm tempted to re-deploy my installation. I still need to figure out how to make iRedMail live with my custom netfilter rules. I do not use /etc/default/iptables; instead I have reasons to place an executable script in /etc/network/if-pre-up.d. If a major detail is relevant, let us take this to forum.iredmail.org?

Addressing the root cause, this fragility of the iRedMail installer is unexpected. Since a multi-port SSH server is a valid configuration, it shall not break the firewall setup during iRedMail installation.

My scripting skill is not that good, so, unfortunately, I cannot offer a patch.

Greetings.
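Added example (not the reporter's or the iRedMail project's code) showing the parsing the report describes done safely: the Port directives are collected into one space-separated value with a default of 22, and one ACCEPT rule is emitted per port instead of splicing a possibly multiline variable into a single rule. The sshd_config contents are constructed for the example and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sshd_config fragment standing in for /etc/ssh/sshd_config,
# with the same two Port directives as in the report.
SAMPLE_SSHD_CONFIG="$(mktemp)"
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# a comment line, must be ignored
Port 1022
Port 22
ListenAddress 0.0.0.0
EOF

# Print every Port directive as ONE space-separated line (sshd matches the
# keyword case-insensitively, so do the same). Falls back to 22 when the
# file has no Port directive, as the installer's global conf intends.
sshd_ports() {
    ports="$(awk 'tolower($1) == "port" {print $2}' "$1" | tr '\n' ' ')"
    ports="${ports% }"
    if [ -n "$ports" ]; then
        printf '%s\n' "$ports"
    else
        printf '22\n'
    fi
}

# Emit one rule per port for /etc/default/iptables (iptables-restore
# format). Looping over the ports avoids the broken
#   -A INPUT -p tcp --dport 1022
#   22  -j ACCEPT
# output that a raw multiline variable produces, and each value is checked
# to be numeric before it reaches a rule.
ssh_iptables_rules() {
    for p in $(sshd_ports "$1"); do
        case "$p" in
            *[!0-9]*) echo "invalid port in sshd_config: $p" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
}

ssh_iptables_rules "$SAMPLE_SSHD_CONFIG"
```

Before loading the result with iptables-restore, a quick sanity check is that every generated line starts with `-A`; the broken file in the report fails that on its second ssh line.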