[Pool] Firewall recommendations for ntp server?

mrex at tranzeo.com mrex at tranzeo.com
Fri May 8 23:17:14 UTC 2015


Tore and Kiss,

It looks like this is resolved.  For others that might benefit, this is what
I am currently using and now the nf_conntrack_count is < 20.

iptables -t raw -I OUTPUT -p udp --dport 123 -j NOTRACK
iptables -t raw -I OUTPUT -p udp --sport 123 -j NOTRACK
iptables -t raw -I PREROUTING -p udp --dport 123 -j NOTRACK
iptables -t raw -I PREROUTING -p udp --sport 123 -j NOTRACK
iptables -I INPUT -p udp --dport 123 -j ACCEPT
iptables -I INPUT -p udp --sport 123 -j ACCEPT
iptables -I OUTPUT -p udp --dport 123 -j ACCEPT
iptables -I OUTPUT -p udp --sport 123 -j ACCEPT

Thanks for your advice.  Have a good weekend!

Best regards,
Mike

-----Original Message-----
From: Tore Anderson [mailto:tore at fud.no] 
Sent: May 7, 2015 10:10 PM
To: mrex at tranzeo.com
Cc: pool at lists.ntp.org
Subject: Re: [Pool] Firewall recommendations for ntp server?

* <mrex at tranzeo.com>

> 3. Disable connection tracking altogether (I think the best solution,
> no?)

This. At least do it just for your NTP traffic. Since NTP is UDP,
there are in reality no "connections" to track, and netfilter can't
remove an active flow immediately after it's over (since UDP, unlike
TCP, gives no hint to third-party observers like netfilter that "this
conversation is over"). So they all have to time out instead.

Something like this ought to do the trick:

ip{6,}tables -t raw -I PREROUTING -p udp --dport ntp -j NOTRACK
ip{6,}tables -t raw -I OUTPUT -p udp --sport ntp -j NOTRACK

Tore
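An added example, not code from the thread or the NTP pool project, that does two things a practitioner wants around the rules above: measure how many conntrack entries NTP is actually holding (parsed from /proc/net/nf_conntrack, so you can compare before and after), and install the thread's NOTRACK/ACCEPT rules idempotently for both iptables and ip6tables. The function names and the sample table are this example's own; it assumes a Linux host where the raw table is available and the script runs as root.

```shell
#!/bin/sh
# Added example, not code from the thread: count the conntrack entries NTP is
# holding, and install the thread's NOTRACK/ACCEPT rules idempotently for
# iptables and ip6tables. Assumes Linux, root, and /proc/net/nf_conntrack.
set -eu
NTP_PORT=123

# Count UDP conntrack entries whose original-direction dport is NTP.
# $1: path to a conntrack table dump (default: the live kernel table).
ntp_conntrack_entries() {
    table="${1:-/proc/net/nf_conntrack}"
    # Each line carries two tuples; the first dport= is the original
    # direction and the second the reply, so stop at the first match.
    awk -v port="$NTP_PORT" '
        $3 == "udp" {
            for (i = 1; i <= NF; i++) if ($i ~ /^dport=/) {
                split($i, kv, "="); if (kv[2] == port) n++; break
            }
        }
        END { print n + 0 }' "$table"
}

# Insert a rule only if an identical one is not already present (-C checks),
# so re-running from cron or a boot hook does not stack duplicate rules.
# $1: iptables binary, $2: table, $3: chain, rest: rule specification.
ensure_rule() {
    ipt="$1"; tbl="$2"; chain="$3"; shift 3
    "$ipt" -t "$tbl" -C "$chain" "$@" 2>/dev/null || "$ipt" -t "$tbl" -I "$chain" "$@"
}

# The rule set from the thread, applied for IPv4 and IPv6.
apply_ntp_rules() {
    for ipt in iptables ip6tables; do
        command -v "$ipt" >/dev/null 2>&1 || continue
        for m in --dport --sport; do
            # raw runs before conntrack, so NOTRACK keeps NTP out of the table
            ensure_rule "$ipt" raw PREROUTING -p udp "$m" "$NTP_PORT" -j NOTRACK
            ensure_rule "$ipt" raw OUTPUT     -p udp "$m" "$NTP_PORT" -j NOTRACK
            # untracked packets never match -m state/conntrack rules, so accept them
            ensure_rule "$ipt" filter INPUT   -p udp "$m" "$NTP_PORT" -j ACCEPT
            ensure_rule "$ipt" filter OUTPUT  -p udp "$m" "$NTP_PORT" -j ACCEPT
        done
    done
}

# Usage: sh ntp-notrack.sh apply   (without "apply" it only reports the count)
if [ "${1:-}" = "apply" ]; then apply_ntp_rules; fi
if [ -r /proc/net/nf_conntrack ]; then
    echo "NTP conntrack entries: $(ntp_conntrack_entries)"
fi
```

Run it once without arguments to see how much of nf_conntrack_count is NTP, then with `apply`; the count should drop to the entries already in the table timing out, since untracked packets create no new ones.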
