Re: NTP server problem behind firewall




On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
> Hello!
> 
> I would like to setup an NTP server for my Windows network using
> CentOS 6.3 with firewall turned on. As I learned the NTP protocol uses
> port 123 UDP. I have two NIC cards. One for internal network and one
> for access internet. Both cards in private address range. The problem
> is when I am using firewall described below the client cannot access
> the server. No idea why. Without firewall everything works flawless.
> So the problem is not in the NTP configuration. No idea why but with
> disabled firewall the first query gives error but all other query is
> work. I am using arpwatch to see what is happen on network (new
> machines and so). Not know is that related to the problem or not.
> 
> First I had used the system-config-firewall generated firewall
> (standard firewall with port 123:udp added). No success, client cannot
> connect.
> 
> Next I made a script for myself and saved with 'service iptables save'
> command. The configuration is:
> 
> eth0 10.0.0.99/24
> eth1 10.0.1.10/24
> 
> The script for making firewall rules:
> iptables -P INPUT ACCEPT
> iptables -F
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
> iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
> iptables -A INPUT -j DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT

I might be wrong but I think you need to add the IP Address of the NTP
server

You can also use tcpdump to capture the traffic between the clients and
the NTP server to see what is being blocked.

# iptables -A OUTPUT -o eth0 -p udp -s <client IPs> --sport 123 -d <NTP Server IP> --dport 123 -m state --state NEW -j ACCEPT
> 
> Windows client time server is set to 10.0.0.99. Just for sure I
> enabled 123 TCP as well even I think that was unnecessary. The rule
> which related to NTP (123 UDP) increments its packet and byte count
> with 'iptables -L -n -v' so some connection was made. But no success
> on sync.
> 
> Any idea what is wrong?
> 
> Bye,
> a
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos

-- 


Kind Regards
Earl Ramirez
GPG Key: http://trinipino.com/PublicKey.asc
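Before capturing with tcpdump, it helps to know whether the posted INPUT chain can block the client at all. The script below is an added example (not code from this thread or from CentOS): it parses the `iptables -A INPUT ...` lines exactly as quoted above and walks a packet through them with iptables' first-match semantics, reporting which rule decides the verdict and whether the LOG rule fired. The client addresses (10.0.0.50, 10.0.1.20) are made up for the demo; `-m limit` rate limiting and the conntrack state machine are not modelled, so the packet's state is supplied as input.

```python
"""Walk a packet through the INPUT chain quoted in the thread (first-match).

Added example, not code from the thread.  It parses `iptables -A ...` lines
and reports which rule decides a packet's fate, so rule order can be checked
before reaching for tcpdump.  Simplifications: `-m limit` and the conntrack
state machine are not modelled; the packet's state is given as input.
"""
import ipaddress
import shlex

# The INPUT rules from the original post, as posted (the LOG line re-joined).
INPUT_RULES_TEXT = """
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A INPUT -j DROP
"""

# Option -> field name for the match criteria and target we care about.
OPTS = {"-A": "chain", "-i": "in_iface", "-s": "src", "-p": "proto",
        "--dport": "dport", "--sport": "sport", "--state": "states",
        "-j": "target", "--log-prefix": "log_prefix"}
# Options that take an argument but do not affect the simulated verdict.
SKIP_WITH_ARG = {"-m", "--limit", "--log-level"}


def parse_rule(line):
    """Turn one `iptables -A ...` command into a dict of criteria plus target."""
    toks = shlex.split(line)  # shlex keeps the quoted log prefix as one token
    rule = {"raw": line.strip()}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in OPTS:
            rule[OPTS[tok]] = toks[i + 1]
            i += 2
        elif tok in SKIP_WITH_ARG:
            i += 2
        else:
            i += 1  # 'iptables' itself and anything unrecognised
    return rule


def parse_chain(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def matches(rule, pkt):
    """True if every criterion present in the rule holds for the packet."""
    if "in_iface" in rule and pkt["iface"] != rule["in_iface"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in \
            ipaddress.ip_network(rule["src"], strict=False):
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "dport" in rule and pkt.get("dport") != int(rule["dport"]):
        return False
    if "sport" in rule and pkt.get("sport") != int(rule["sport"]):
        return False
    if "states" in rule and pkt["state"] not in rule["states"].split(","):
        return False
    return True


def walk_chain(rules, pkt, policy="ACCEPT"):
    """Return (verdict, index of deciding rule or None for policy, was_logged)."""
    logged = False
    for idx, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            logged = True  # LOG is non-terminating: note it and keep walking
            continue
        return rule["target"], idx, logged
    return policy, None, logged


INPUT_RULES = parse_chain(INPUT_RULES_TEXT)

# Constructed packets; the client addresses are made up for the demo.
NTP_FROM_LAN = {"iface": "eth0", "src": "10.0.0.50", "proto": "udp",
                "sport": 123, "dport": 123, "state": "NEW"}
NTP_FROM_WAN_SIDE = {"iface": "eth1", "src": "10.0.1.20", "proto": "udp",
                     "sport": 123, "dport": 123, "state": "NEW"}
SSH_ANYWHERE = {"iface": "eth1", "src": "10.0.1.20", "proto": "tcp",
                "sport": 40000, "dport": 22, "state": "NEW"}

if __name__ == "__main__":
    for name, pkt in [("NTP from LAN client", NTP_FROM_LAN),
                      ("NTP from eth1 side", NTP_FROM_WAN_SIDE),
                      ("SSH from eth1 side", SSH_ANYWHERE)]:
        verdict, idx, logged = walk_chain(INPUT_RULES, pkt)
        where = "policy" if idx is None else f"rule {idx}: {INPUT_RULES[idx]['raw']}"
        print(f"{name:20s} -> {verdict:6s} ({where}){' [logged]' if logged else ''}")
```

Running it shows that a UDP/123 query from a 10.0.0.0/24 host on eth0 is accepted by the fourth rule, which agrees with the poster's observation that the counters on that rule increase; the same query arriving on eth1 reaches the LOG rule and is then dropped, which is what the "iptables denied:" kernel messages would show. When the walk accepts the request, the next place to look is the reply path and ntpd itself, and that is where the tcpdump capture suggested above earns its keep.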


