But it does not work. SSH seems to be listening on 2526, as it does not say “connection refused” like it does for any other port, but after a while it times out.
Fedora CoreOS does not have a firewall enabled by default. However, the list of services listening on network ports is quite limited and is actively monitored via CI.
I would suggest checking if the port is open and setting up nftables rules.
What you are observing is the expected and desired default behavior of CoreOS. CoreOS is in enforcing SELinux mode, which prohibits SSHD from opening non-standard ports, and it does not support disabling enforcing mode altogether.
You can verify this by running journalctl -eu sshd. It will say “error: Bind to port 2526 on 0.0.0.0 failed: Permission denied.”.
To make matters worse, CoreOS does not come with semanage and co. because of their python dependency. Nevertheless you have two options to solve this issue.
1. Load a custom SELinux CIL module
You can add a SELinux rule by loading a custom Common Intermediate Language module.
Load that module using semodule -i ssh-port.cil and restart SSHD. The module is now installed and will survive reboots and upgrades.
You can encode that into your butane file by creating a systemd service with ConditionFirstBoot=yes running the semodule -i [...] command before SSHD starts.
2. Use nftables to redirect traffic to port 22
You can keep SSHD listening on port 22 but still expose it on a different port through firewall rules. Simply enable nftables.service and define your nftables rules. I’d recommend enabling a firewall anyway, so this will only be a couple of extra lines. Make sure to allow incoming traffic for any other service you want to expose to the network too, though.
systemd:
  units:
    - name: nftables.service
      enabled: true
storage:
  files:
    - path: /etc/sysconfig/nftables.conf
      contents:
        inline: |
          flush ruleset
          table inet filter {
            chain input {
              # drop incoming packets by default
              type filter hook input priority 0; policy drop;
              # allow traffic on loopback interface
              iif lo accept
              iif != lo ip daddr 127.0.0.1/8 drop
              iif != lo ip6 daddr ::1/128 drop
              # allow established connections
              ct state invalid drop
              ct state { established, related } accept
              # allow important ICMP and DHCP traffic
              icmp type { destination-unreachable, echo-request, parameter-problem, time-exceeded } accept
              icmpv6 type { destination-unreachable, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, nd-router-solicit, packet-too-big, parameter-problem, time-exceeded } accept
              udp sport 67 udp dport 68 accept
              udp sport 547 udp dport 546 accept
              # allow traffic on public SSHD port
              meta l4proto tcp ct original proto-dst 2526 accept
            }
          }
          table inet nat {
            chain prerouting {
              type nat hook prerouting priority 0;
              # redirect incoming traffic to port 2526 to SSHD port
              tcp dport 2526 redirect to :22
            }
          }
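As an added illustration of option 1 (this is not part of the original reply, which does not show the module text), here is a complete Butane config that ships a small CIL module labelling TCP port 2526 as ssh_port_t, loads it on first boot before sshd starts, and moves sshd to that port. The module path /etc/selinux/ssh-port.cil, the unit name ssh-port-selinux.service, the sshd_config.d drop-in and the fcos/1.5.0 header are my assumptions; the CIL portcon statement is the policy-store equivalent of `semanage port -a -t ssh_port_t -p tcp 2526`.

```yaml
# Added example, not from the original thread: let sshd bind TCP/2526 under
# SELinux enforcing mode by labelling the port ssh_port_t via a CIL module.
# Assumed names: /etc/selinux/ssh-port.cil, ssh-port-selinux.service.
variant: fcos
version: 1.5.0
storage:
  files:
    - path: /etc/selinux/ssh-port.cil
      mode: 0644
      contents:
        inline: |
          ; Label TCP port 2526 as ssh_port_t so sshd's bind() is permitted.
          ; Same effect as: semanage port -a -t ssh_port_t -p tcp 2526
          (portcon tcp 2526 (system_u object_r ssh_port_t ((s0) (s0))))
    - path: /etc/ssh/sshd_config.d/10-port.conf
      mode: 0644
      contents:
        inline: |
          Port 2526
systemd:
  units:
    - name: ssh-port-selinux.service
      enabled: true
      contents: |
        [Unit]
        Description=Load SELinux CIL module allowing sshd on port 2526
        # semodule persists the module in the policy store, so once is enough.
        ConditionFirstBoot=yes
        # The label must exist before sshd tries to bind the port.
        Before=sshd.service

        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=/usr/sbin/semodule -i /etc/selinux/ssh-port.cil

        [Install]
        WantedBy=multi-user.target
```

After first boot, `semodule -l` should list ssh-port and `journalctl -eu sshd` should no longer report the "Bind to port 2526 ... Permission denied" error; if the unit failed, `journalctl -eu ssh-port-selinux.service` shows the semodule output.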
I am trying to go with the nftables option, because I think too that a firewall could be a good solution. But when trying to create nftables.conf from butane, I am having the following error during ignition:
[ 103.480595] localhost ignition[7220]: Ignition failed: failed to create files: failed to create files: error creating /sysroot/etc/sysconfig/nftables.conf: error creating file "/sysroot/etc/sysconfig/nftables.conf": A file exists there already and overwrite is false
What could be wrong? Did you need to do something else to be able to configure nftables from butane?
Sorry, I didn’t test the config before sending my reply. You need to add overwrite: true right below the path: [...] line, because /etc/sysconfig/nftables.conf already exists in the base system.
Bonus: You can do the opposite and redirect from a standard port to a non-standard port with the same kind of rule. That lets you e.g. forward ports 80 and 443 to non-privileged ports where rootless services can listen for them.
But now, I am having problems when trying to access podman containers that have a web page. Portainer for example. The container is running with podman run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always --privileged -v /run/podman/podman.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:lts
And in the nftables config, I have added `tcp dport { 80, 443, 9443, 8000 } accept` in chain input for the traffic.
But I can’t access the web ui of portainer, even on the host machine.
Would you know how to configure nftables so that it does not interfere with podman ? It is not a problem for me if I have to manually add ports to nftables. But I can’t get it to work.
Odd. That rule seems perfectly fine to me. Have you restarted the machine or at least reloaded the nftables service? And have you tested if you can reach your service with nftables disabled?
If it won’t work maybe just throw your final nftables config at an LLM and see if it finds any issues