[Pool] Firewall recommendations for ntp server?

mrex at tranzeo.com mrex at tranzeo.com
Fri May 8 20:35:02 UTC 2015


Tore,

Thanks for the response.  When I tried changing the script that sets up the
iptables rules on a few servers, the incoming NTP client traffic still came
in, but there were no outgoing responses.  I also haven't been able to find the
firewall-cmd syntax, so I will stop using an iptables script together with
firewall-cmd and just use basic iptables, which will keep things simple.
However, when I tried that, the incoming traffic got broken.  So I don't think
those rules are working as intended.

When I run tcpdump, it reports:

16:30:34.256262 IP 96.###.###.189.52014 > 104.###.###.112.123: NTPv4, Client, length 48
16:30:34.256280 IP 104.###.###.112 > 96.###.###.189: ICMP host 104.167.113.112 unreachable - admin prohibited, length 84

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:EtherNet/IP-1
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I'll do more reading over the weekend and figure this out.  But I think I'm
on the right track.

Thanks!

-----Original Message-----
From: Tore Anderson [mailto:tore at fud.no] 
Sent: May 7, 2015 10:10 PM
To: mrex at tranzeo.com
Cc: pool at lists.ntp.org
Subject: Re: [Pool] Firewall recommendations for ntp server?

* <mrex at tranzeo.com>

> 3. Disable connection tracking altogether (I think the best solution,
> no?)

This. At least do it just for your NTP traffic. Since NTP is UDP,
there's in reality no "connections" to track, and netfilter can't
remove an active flow immediately after it's over (since UDP, unlike
TCP, gives no hint to third-party observers like netfilter that "this
conversation is over"). So they all have to time out instead.

Something like this ought to do the trick:

ip{6,}tables -t raw -I PREROUTING -p udp --dport ntp -j NOTRACK
ip{6,}tables -t raw -I OUTPUT -p udp --sport ntp -j NOTRACK

Tore
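As an added example, not code from either message in this thread: a complete script for the setup Tore describes, assuming a host that serves only NTP and SSH, a kernel with the raw table available, and that firewalld is not also rewriting the same tables (all assumptions; SSH_PORT is a placeholder to adjust). Beyond Tore's two NOTRACK lines it also shows the INPUT rule that untracked packets need: a NOTRACK packet is in state UNTRACKED, so a RELATED,ESTABLISHED rule never matches it, and without an explicit udp/123 ACCEPT an NTP query falls through to the final REJECT, which is what produces an ICMP "admin prohibited" reply like the one in the tcpdump above.

```shell
#!/bin/sh
# Added example, not code from the thread. Minimal iptables/ip6tables
# ruleset for a host whose only public service is NTP (udp/123), built
# around the NOTRACK suggestion. Assumptions: the raw table is available,
# firewalld is not also managing these tables, and SSH listens on
# tcp/22 (placeholder; override with SSH_PORT=...).
# Without --apply the script only prints the rules it would run.

set -eu

SSH_PORT=${SSH_PORT:-22}
DRY_RUN=1

# Run one rule command, or print it when in dry-run mode.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the rules for one binary ($1 is iptables or ip6tables).
ntp_rules() {
    ipt=$1

    # Never create conntrack entries for NTP. UDP has no end-of-flow
    # signal, so tracked NTP flows only expire by timeout; under pool
    # load they would fill the conntrack table and new packets would be
    # dropped.
    rule "$ipt" -t raw -A PREROUTING -p udp --dport 123 -j NOTRACK
    rule "$ipt" -t raw -A OUTPUT -p udp --sport 123 -j NOTRACK

    rule "$ipt" -A INPUT -i lo -j ACCEPT
    rule "$ipt" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    if [ "$ipt" = ip6tables ]; then
        rule "$ipt" -A INPUT -p ipv6-icmp -j ACCEPT
    else
        rule "$ipt" -A INPUT -p icmp -j ACCEPT
    fi

    # Untracked packets have ctstate UNTRACKED, so the ESTABLISHED rule
    # above never matches an NTP query. Without this explicit ACCEPT the
    # query hits the final REJECT and the client gets an ICMP error.
    rule "$ipt" -A INPUT -p udp --dport 123 -j ACCEPT
    rule "$ipt" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Plain REJECT uses the protocol's default port-unreachable type, so
    # the same line works for both iptables and ip6tables.
    rule "$ipt" -A INPUT -j REJECT
    rule "$ipt" -A FORWARD -j REJECT
    # OUTPUT stays at policy ACCEPT, so untracked NTP replies leave freely.
}

# Flush both tables before (re)applying so reruns do not stack rules.
reset_tables() {
    ipt=$1
    rule "$ipt" -t raw -F
    rule "$ipt" -F
}

main() {
    if [ "${1:-}" = "--apply" ]; then
        DRY_RUN=0
    fi
    for ipt in iptables ip6tables; do
        reset_tables "$ipt"
        ntp_rules "$ipt"
    done
}

main "$@"
```

Run it without arguments to print the rules, and as root with --apply to install them. Afterwards `iptables -t raw -L -n -v` should show the NOTRACK counters rising with each query, `iptables -L -n -v` should show hits on the udp/123 ACCEPT rather than the REJECT, and `conntrack -L` (if installed) should list no udp entries for port 123.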


