Some applications need special ports. When those ports are closed by the firewall then you as an administrator have a problem. You have 4 options:
The first option is the easiest one (to implement). The second option is to global. The third option is the good one (in my opinion).
But what about option 4? I think it is the very best. The application can be used and the firewall is not open 24/7. You do not risk that something else uses those ports to sneak something out if the computer stays connected for a long period of time.
How did I manage this? First of all I created a chain in the firewall. I also created a rule that 'jumps' to this chain for 1 particual computer.
iptables -N TimedAccess iptables -A FORWARD -p all -s 192.168.20.20 -o WAN -j TimedAccess
Now all you need to do is create a script that opens the ports in the chain TimedAccess:
iptables -A TimedAccess -p tcp --dport 6666 -j ACCEPT iptables -A TimedAccess -p tcp --dport 7777 -j ACCEPT
Put this script in the cron to run at the time that you want to open the ports. When you want to shut them again just put the following in the cron at the right time too:
iptables --flush TimedAccess
You can always check the content of the chain with:
iptables -L TimedAccess -n