Hello!

I would like to set up an NTP server for my Windows network using CentOS 6.3 with the firewall turned on. As I learned, the NTP protocol uses port 123 UDP. I have two NIC cards: one for the internal network and one for internet access. Both cards are in private address ranges. The problem is that when I am using the firewall described below, the client cannot access the server. No idea why. Without the firewall everything works flawlessly, so the problem is not in the NTP configuration. No idea why, but with the firewall disabled the first query gives an error but all other queries work. I am using arpwatch to see what is happening on the network (new machines and so on). I don't know whether that is related to the problem or not.

First I used the system-config-firewall generated firewall (the standard firewall with port 123:udp added). No success, the client cannot connect.

Next I made a script for myself and saved it with the 'service iptables save' command. The configuration is:

eth0 10.0.0.99/24
eth1 10.0.1.10/24

The script for making the firewall rules:

iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A INPUT -j DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

The Windows client's time server is set to 10.0.0.99. Just to be sure I enabled 123 TCP as well, even though I think that was unnecessary. The rule related to NTP (123 UDP) increments its packet and byte count in 'iptables -L -n -v', so some connection was made. But no success on sync.

Any idea what is wrong?

Bye,
a
On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
> [...]
> eth0 10.0.0.99/24
> eth1 10.0.1.10/24
>
> The script for making firewall rules:
> iptables -P INPUT ACCEPT
> iptables -F
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
> iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables
> denied: " --log-level 7
> iptables -A INPUT -j DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT

I might be wrong, but I think you need to add the IP address of the NTP server. You can also use tcpdump to capture the traffic between the clients and the ntp server to see what is being blocked.

# iptables -A OUTPUT -o eth0 -p udp -s <client IPs> --sport 123 -d <NTP Server IP> --dport 123 -m state --state NEW -j ACCEPT

> [...]
> Any idea what is wrong?

-- 
Kind Regards
Earl Ramirez
GPG Key: http://trinipino.com/PublicKey.asc
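Earl's tcpdump suggestion, carried a step further as an added example (this is not code from the thread): instead of reading a capture by eye, pair every client's NTP requests with the server's replies and flag the clients that never get one. The server address 10.0.0.99 is taken from the first post; the capture lines are constructed for the example and are not a real trace, and the ARP line stands in for the arpwatch traffic mentioned there. It expects plain "tcpdump -n" output (no -v).

```sh
#!/bin/sh
# ntp_pair_check: pair NTP client requests with server replies in tcpdump text.
# Added illustration for this thread, not code from the original posts.
# Assumes the server address from the thread (10.0.0.99); override with NTP_SERVER.
#
# Live use on the CentOS box (as root), line-buffered so results show up as they happen:
#   tcpdump -l -n -i eth0 udp port 123 | sh ntp_pair_check.sh -
# Offline use: feed saved "tcpdump -n" text on stdin the same way.

SERVER=${NTP_SERVER:-10.0.0.99}

# Constructed sample capture (not a real trace). 10.0.0.50 is answered twice,
# 10.0.0.51 sends a request that never gets a reply, and the ARP line is the
# kind of non-IP traffic arpwatch watches; it must be ignored.
SAMPLE_CAPTURE='12:00:01.000123 IP 10.0.0.50.123 > 10.0.0.99.123: NTPv3, Client, length 48
12:00:01.000456 IP 10.0.0.99.123 > 10.0.0.50.123: NTPv3, Server, length 48
12:00:02.000000 ARP, Request who-has 10.0.0.99 tell 10.0.0.51, length 46
12:00:02.100000 IP 10.0.0.51.123 > 10.0.0.99.123: NTPv3, Client, length 48
12:00:17.000123 IP 10.0.0.50.123 > 10.0.0.99.123: NTPv3, Client, length 48
12:00:17.000460 IP 10.0.0.99.123 > 10.0.0.50.123: NTPv3, Server, length 48'

# Read tcpdump lines on stdin; print one line per client with its request
# count, reply count and ok/NO-REPLY. Only lines of the form
# "IP a.b.c.d.port > e.f.g.h.port: NTPvN, Client|Server, ..." are counted.
ntp_pair_check() {
  awk -v srv="$SERVER" '
    $2 == "IP" && $6 ~ /^NTPv[0-9]+,$/ {
      src = $3; dst = $5; sub(/:$/, "", dst)
      # strip the trailing ".port" from "a.b.c.d.port"
      split(src, a, "."); srcip = a[1] "." a[2] "." a[3] "." a[4]
      split(dst, b, "."); dstip = b[1] "." b[2] "." b[3] "." b[4]
      kind = $7; sub(/,$/, "", kind)
      if (kind == "Client" && dstip == srv) req[srcip]++
      else if (kind == "Server" && srcip == srv) rep[dstip]++
    }
    END {
      for (c in req) {
        r = (c in rep) ? rep[c] : 0
        printf "%s requests=%d replies=%d %s\n", c, req[c], r, (r >= req[c]) ? "ok" : "NO-REPLY"
      }
    }' | sort
}

case "${1:-sample}" in
  -)      ntp_pair_check ;;                                   # live or saved capture on stdin
  sample) printf '%s\n' "$SAMPLE_CAPTURE" | ntp_pair_check ;; # built-in constructed sample
esac
```

One thing to keep in mind when the capture is taken on the server itself: tcpdump sees inbound packets before the INPUT chain gets to filter them, and outbound packets only after the OUTPUT chain has let them through. So a client reported as NO-REPLY on the server means either that INPUT dropped the request (the "iptables denied:" log line will say so) or that ntpd did not answer it; a client reported as ok means the server side has done its part, and any remaining problem is on the client or in between.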
On Sun, Sep 2, 2012 at 8:37 AM, Earl Ramirez <earlaramirez at gmail.com> wrote:
> On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
>> [...]
>> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
>> [...]
>
> I might be wrong but I think you need to add the IP Address of the NTP
> server

Why? I am using a more general form of INPUT rule.

> you can also use tcpdump to capture the traffic between the clients and
> the ntp server to see what is being blocked.

Thanks for your answer. Good idea and I'll do it.

> # iptables -A OUTPUT -o eth0 -p udp -s <client IPs> --sport 123 -d <NTP
> Server IP> --dport 123 -m state --state NEW -j ACCEPT

I am using iptables -P OUTPUT ACCEPT, which allows all OUTPUT traffic on all interfaces as the default rule. So I do not think that I need any more specific rule.

Bye,
a
On 2.9.2012 09:46, Artifex Maximus wrote:
> [...]
> iptables -A INPUT -j DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT

you must ACCEPT ntp in the FORWARD chain.
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html
-- 
Kind Regards, Markus Falb
On Sun, Sep 2, 2012 at 2:33 PM, Markus Falb <markus.falb at fasel.at> wrote:
> On 2.9.2012 09:46, Artifex Maximus wrote:
>> [...]
>> iptables -A INPUT -j DROP
>> iptables -P FORWARD DROP
>> iptables -P OUTPUT ACCEPT
>
> you must ACCEPT ntp in the FORWARD chain.
> http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html

Thanks. Why?

"If it's destined for this box, the packet passes downwards in the diagram, to the INPUT chain. If it passes this, any processes waiting for that packet will receive it."

The packet destination is my server, because the NTP server is there, so it passes to the INPUT box where 123 UDP is enabled. If I read the how-to correctly.

Bye,
a
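The INPUT-versus-FORWARD question can be settled on the box itself rather than from the diagram: take a snapshot of the rule counters, trigger one sync from the Windows client, take another, and see which rules moved. The script below is an added check, not something posted in the thread. The two snapshots are constructed to look like "iptables -L -n -v -x" output for the ruleset from the first post, with made-up numbers for one resync attempt; on a real box the two files come from the commands in the header comment.

```sh
#!/bin/sh
# counter_diff: show which iptables rules saw packets between two snapshots.
# Added illustration for this thread, not code from the original posts.
#
# Live use on the server (as root). "-x" gives exact counters; do not add
# --line-numbers, the extra column would shift the fields parsed below.
#   iptables -L -n -v -x > /tmp/ipt.before
#   (on the Windows client: w32tm /resync)
#   iptables -L -n -v -x > /tmp/ipt.after
#   sh counter_diff.sh /tmp/ipt.before /tmp/ipt.after

# Constructed snapshots (numbers are invented for the example).
SNAP_BEFORE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12      960 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     512    40960 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
       3      180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     udp  --  eth0   *       10.0.0.0/24          0.0.0.0/0           udp dpt:123
       0        0 ACCEPT     tcp  --  eth0   *       10.0.0.0/24          0.0.0.0/0           tcp dpt:123
      40     3000 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
      40     3000 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 700 packets, 61000 bytes)
    pkts      bytes target     prot opt in     out     source               destination'

SNAP_AFTER='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12      960 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     519    41520 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
       3      180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
       3      228 ACCEPT     udp  --  eth0   *       10.0.0.0/24          0.0.0.0/0           udp dpt:123
       0        0 ACCEPT     tcp  --  eth0   *       10.0.0.0/24          0.0.0.0/0           tcp dpt:123
      41     3075 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
      41     3075 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 712 packets, 62100 bytes)
    pkts      bytes target     prot opt in     out     source               destination'

# counter_diff BEFORE AFTER: print every rule (and chain policy) whose packet
# counter changed, keyed by chain name and rule position.
counter_diff() {
  awk '
    /^Chain / {
      chain = $2; idx = 0; key = chain ":policy"
      if (NR == FNR) before[key] = $5
      else { d = $5 - before[key]; if (d != 0) printf "%s policy %s%d pkts\n", chain, (d > 0 ? "+" : ""), d }
      next
    }
    /^ *pkts/ || NF == 0 { next }          # column header and blank separators
    {
      idx++; key = chain ":" idx
      if (NR == FNR) { before[key] = $1; next }
      d = $1 - before[key]
      if (d == 0) next
      desc = $3 " " $4 " in=" $6 " out=" $7 " " $8 " -> " $9
      for (i = 10; i <= NF; i++) desc = desc " " $i
      printf "%s rule %d %s%d pkts  %s\n", chain, idx, (d > 0 ? "+" : ""), d, desc
    }' "$1" "$2"
}

# Run the diff over the built-in constructed snapshots.
snapshot_diff_sample() {
  b=$(mktemp); a=$(mktemp)
  printf '%s\n' "$SNAP_BEFORE" > "$b"
  printf '%s\n' "$SNAP_AFTER" > "$a"
  counter_diff "$b" "$a"
  rm -f "$b" "$a"
}

if [ $# -eq 2 ]; then counter_diff "$1" "$2"; else snapshot_diff_sample; fi
```

In the sample the udp/123 ACCEPT rule and the ESTABLISHED rule move, the FORWARD chain does not appear at all (its policy counter stays at 0, as expected for packets addressed to the box itself), and the LOG and DROP counters move by one for something unrelated. That last point is the practical lesson: a moving "denied" counter is not by itself evidence that the NTP exchange was blocked, so match it against the "iptables denied:" line in the kernel log before drawing conclusions.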
On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
> Any idea what is wrong?

The iptables rules you specify only allow clients from your local network access to your "proxy" ntp server. However, you do not specify any rules for eth1 to allow that ntp server to synchronise with the remote servers it is using. So unless you are using a local time source that might be your problem.

Btw, when specifying rules for the external ntp servers you might want to specify IPs as well to restrict access.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
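Putting the first post's script and Leonard's eth1 point together, here is a ruleset for the two-NIC layout as an added example; it is not the original poster's script and not something posted in the thread. The interface names and LAN addresses are the ones from the first post; the two upstream peer addresses are placeholders from the RFC 5737 documentation range and have to be replaced with the "server" entries in /etc/ntp.conf. The tcp/123 rule from the original is left out because NTP is UDP only. The ESTABLISHED,RELATED rule already admits the upstream servers' replies to queries ntpd sends, so what the explicit OUTPUT rules add is the restriction Leonard recommends: this box may speak NTP outbound only to the listed peers, and any other outbound udp/123 (a wrong entry in ntp.conf, a process abusing the box as a relay) is logged and dropped, which also makes the upstream path visible as its own counters.

```sh
#!/bin/sh
# ntp-fw.sh: iptables ruleset for a two-NIC NTP server (CentOS 6 / iptables).
# Added illustration for this thread, not the original poster's script.
# Interfaces and LAN addresses come from the thread; UPSTREAM holds assumed
# placeholder peers (RFC 5737 space) to be replaced with ntp.conf's servers.

LAN_IF=${LAN_IF:-eth0}                          # 10.0.0.99/24, faces the Windows clients
LAN_NET=${LAN_NET:-10.0.0.0/24}
WAN_IF=${WAN_IF:-eth1}                          # 10.0.1.10/24, faces the internet
UPSTREAM=${UPSTREAM:-"192.0.2.10 192.0.2.11"}   # assumed upstream NTP peers, one or more

# Print the rules instead of running them, so they can be reviewed or diffed first.
gen_rules() {
  cat <<EOF
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 123 -j ACCEPT
EOF
  # Egress: ntpd may query only the pinned peers, and only via the WAN interface.
  for peer in $UPSTREAM; do
    echo "iptables -A OUTPUT -o $WAN_IF -d $peer -p udp --dport 123 -j ACCEPT"
  done
  # Scoped to -o WAN_IF on purpose: replies to LAN clients that query from
  # source port 123 also carry destination port 123 and must not be caught here.
  cat <<EOF
iptables -A OUTPUT -o $WAN_IF -p udp --dport 123 -m limit --limit 5/min -j LOG --log-prefix "ntp egress denied: " --log-level 4
iptables -A OUTPUT -o $WAN_IF -p udp --dport 123 -j DROP
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 4
iptables -A INPUT -j DROP
EOF
}

# Apply on the server as root and persist across reboots (CentOS 6 init script).
apply_rules() {
  gen_rules | sh -e && service iptables save
}

case "${1:-show}" in
  show)  gen_rules ;;
  apply) apply_rules ;;
esac
```

Two details differ from the original script on purpose. The egress LOG and DROP are limited to eth1 because w32time sends its queries from source port 123, so the server's replies to LAN clients are also udp packets with destination port 123 and an unscoped drop would silence them. And the log level is 4 (warning) rather than 7 (debug): the stock CentOS 6 rsyslog.conf routes *.info and above to /var/log/messages, so level 7 "denied" lines only land in the kernel ring buffer (dmesg) and are easy to miss when checking what the firewall rejected.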