On Sun, Sep 2, 2012 at 8:37 AM, Earl Ramirez <earlaramirez@xxxxxxxxx> wrote:
> On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
>> Hello!
>>
>> I would like to set up an NTP server for my Windows network using
>> CentOS 6.3 with the firewall turned on. As I learned, the NTP protocol uses
>> port 123 UDP. I have two NIC cards: one for the internal network and one
>> for internet access. Both cards are in private address ranges. The problem
>> is that when I am using the firewall described below, the client cannot access
>> the server. No idea why. Without the firewall everything works flawlessly,
>> so the problem is not in the NTP configuration. No idea why, but with the
>> firewall disabled the first query gives an error but all other queries
>> work. I am using arpwatch to see what is happening on the network (new
>> machines and so on). I don't know whether that is related to the problem or not.
>>
>> First I used the system-config-firewall generated firewall
>> (standard firewall with port 123:udp added). No success, the client cannot
>> connect.
>>
>> Next I made a script for myself and saved it with the 'service iptables save'
>> command. The configuration is:
>>
>> eth0 10.0.0.99/24
>> eth1 10.0.1.10/24
>>
>> The script for making the firewall rules:
>> iptables -P INPUT ACCEPT
>> iptables -F
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
>> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
>> iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
>> iptables -A INPUT -j DROP
>> iptables -P FORWARD DROP
>> iptables -P OUTPUT ACCEPT
>
> I might be wrong, but I think you need to add the IP address of the NTP
> server.

Why? I am using a more general form of INPUT rule.

> You can also use tcpdump to capture the traffic between the clients and
> the NTP server to see what is being blocked.

Thanks for your answer. Good idea and I'll do it.

> # iptables -A OUTPUT -o eth0 -p udp -s <client IPs> --sport 123 -d <NTP Server IP> --dport 123 -m state --state NEW -j ACCEPT

I am using iptables -P OUTPUT ACCEPT, which allows all OUTPUT traffic on all
interfaces as the default rule. So I do not think that I need any more
specific rule.

Bye,
a
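As an added example (not code from the thread), here is a Python script that parses the kernel log lines produced by the ruleset's LOG rule and reports, for each dropped NTP request, which part of the INPUT ACCEPT rule (-i eth0 -s 10.0.0.0/24 -p udp --dport 123) it failed; the sample log lines are constructed, and the interface and subnet defaults are taken from the ruleset above.

```python
import ipaddress
import re

# Constructed sample syslog lines (not from the thread) in the format the
# iptables LOG target emits, using the "iptables denied: " prefix from the
# ruleset above. The rule logs at --log-level 7 (debug); the stock CentOS 6
# rsyslog.conf writes only *.info and above to /var/log/messages, so these
# lines show up in `dmesg` unless a kern.debug file is configured.
SAMPLE_LOG = """\
Sep  2 09:01:12 ntp1 kernel: iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.1.25 DST=10.0.1.10 LEN=76 TOS=0x00 PREC=0x00 TTL=128 ID=1234 PROTO=UDP SPT=123 DPT=123 LEN=56
Sep  2 09:01:13 ntp1 kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.50 DST=10.0.0.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Sep  2 09:01:14 ntp1 kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.5.7 DST=10.0.0.99 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=99 PROTO=UDP SPT=123 DPT=123 LEN=56
Sep  2 09:01:15 ntp1 ntpd[1234]: synchronized to 10.0.1.1, stratum 2
"""

LOG_PREFIX = "iptables denied: "
_KV = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; bare flags (DF, SYN) are skipped


def parse_denied(log_text):
    """Return one dict of KEY=VALUE fields per line that carries LOG_PREFIX."""
    records = []
    for line in log_text.splitlines():
        _, sep, fields = line.partition(LOG_PREFIX)
        if sep:  # only iptables LOG lines; ntpd and other messages are ignored
            records.append(dict(_KV.findall(fields)))
    return records


def dropped_ntp(log_text):
    """(IN, SRC) of every dropped packet that was an NTP request (UDP to port 123)."""
    return [(r.get("IN"), r.get("SRC")) for r in parse_denied(log_text)
            if r.get("PROTO") == "UDP" and r.get("DPT") == "123"]


def explain(log_text, ntp_iface="eth0", ntp_net="10.0.0.0/24"):
    """Map each dropped NTP packet to the match condition of the ACCEPT rule it missed."""
    allowed = ipaddress.ip_network(ntp_net)
    reasons = {}
    for iface, src in dropped_ntp(log_text):
        if iface != ntp_iface:
            reasons[(iface, src)] = "arrived on %s, rule matches -i %s only" % (iface, ntp_iface)
        elif ipaddress.ip_address(src) not in allowed:
            reasons[(iface, src)] = "source outside -s %s" % ntp_net
        else:
            reasons[(iface, src)] = "matches the rule; check rule order with iptables -L -v -n"
    return reasons


if __name__ == "__main__":
    for (iface, src), why in explain(SAMPLE_LOG).items():
        print("%s from %s: %s" % (iface, src, why))
```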