[Pool] Firewall recommendations for ntp server?

mrex at tranzeo.com mrex at tranzeo.com
Mon May 11 17:17:50 UTC 2015


Patrick,

Good catch.  Thanks for noticing.  I'll adjust as you suggest.

Best regards,
Mike

-----Original Message-----
From: pool [mailto:pool-bounces+mrex=tranzeo.com at lists.ntp.org] On Behalf Of
Patrick Domack
Sent: May 8, 2015 6:29 PM
To: pool at lists.ntp.org
Subject: Re: [Pool] Firewall recommendations for ntp server?

You might want to adjust it a little.

iptables -t raw -I OUTPUT -p udp --sport 123 -j NOTRACK
iptables -t raw -I PREROUTING -p udp --dport 123 -j NOTRACK
iptables -I INPUT -p udp --dport 123 -j ACCEPT
iptables -I OUTPUT -p udp --sport 123 -j ACCEPT

That will cause clients requesting time from you to not be tracked.

But your requests to other servers for time will be. It will close a small firewall hole vs the proposed, as with the rules below anyone using a source port of 123 would get past the firewall, even if it didn't go TO your ntp server, but to another udp port.

If you need the other firewall rules so you can query time, add the INPUT and OUTPUT ones, but not the raw NOTRACK ones, so conntrack will still keep those locked down.



Quoting mrex at tranzeo.com:

> Tore and Kiss,
>
> It looks like this is resolved.  For others that might benefit, this is what
> I am currently using and now the nf_conntrack_count is < 20.
>
> iptables -t raw -I OUTPUT -p udp --dport 123 -j NOTRACK
> iptables -t raw -I OUTPUT -p udp --sport 123 -j NOTRACK
> iptables -t raw -I PREROUTING -p udp --dport 123 -j NOTRACK
> iptables -t raw -I PREROUTING -p udp --sport 123 -j NOTRACK
> iptables -I INPUT -p udp --dport 123 -j ACCEPT
> iptables -I INPUT -p udp --sport 123 -j ACCEPT
> iptables -I OUTPUT -p udp --dport 123 -j ACCEPT
> iptables -I OUTPUT -p udp --sport 123 -j ACCEPT
>
> Thanks for your advice.  Have a good weekend!
>
> Best regards,
> Mike
>
> -----Original Message-----
> From: Tore Anderson [mailto:tore at fud.no]
> Sent: May 7, 2015 10:10 PM
> To: mrex at tranzeo.com
> Cc: pool at lists.ntp.org
> Subject: Re: [Pool] Firewall recommendations for ntp server?
>
> * <mrex at tranzeo.com>
>
>> 3. Disable connection tracking altogether (I think the best solution,
>> no?)
>
> This. At least do it just for your NTP traffic. Since NTP is UDP,
> there's in reality no "connections" to track, and netfilter can't
> remove an active flow immediately after it's over (since UDP, unlike
> TCP, gives no hint to third-party observers like netfilter that "this
> conversation is over"). So they all have to time out instead.
>
> Something like this ought to do the trick:
>
> ip{6,}tables -t raw -I PREROUTING -p udp --dport ntp -j NOTRACK
> ip{6,}tables -t raw -I OUTPUT -p udp --sport ntp -j NOTRACK
>
> Tore
>
> _______________________________________________
> pool mailing list
> pool at lists.ntp.org
> http://lists.ntp.org/listinfo/pool



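
The effect of the three rule sets in this thread (no NOTRACK at all, Mike's first version, and Patrick's adjustment), shown as an added toy simulation that is not code from the thread or from anyone in it. It assumes the filter INPUT chain has policy DROP plus the usual `-m conntrack --ctstate ESTABLISHED -j ACCEPT` rule, that OUTPUT is unrestricted, and it uses constructed hosts and a constructed "other UDP port" 5353 to stand in for any non-NTP service on the box.

```python
# Toy model of how each rule set treats NTP packets (added example, not
# from the thread). Assumptions: INPUT policy DROP + an ESTABLISHED accept
# rule, OUTPUT unrestricted, conntrack keyed on (peer, peer port, our port).
NTP = 123

# Per rule set: which packets the raw table marks NOTRACK inbound
# (PREROUTING) and outbound (OUTPUT), and which inbound packets the filter
# INPUT chain accepts explicitly. Lambdas stand in for --sport/--dport matches.
RULESETS = {
    # No NOTRACK: every client query leaves a conntrack entry behind.
    "baseline": dict(notrack_in=lambda p: False, notrack_out=lambda p: False,
                     accept_in=lambda p: p["dport"] == NTP),
    # Mike's first version: port 123 on either end is untracked and accepted,
    # so a remote *source* port of 123 also reaches any other local UDP port.
    "mike": dict(notrack_in=lambda p: NTP in (p["sport"], p["dport"]),
                 notrack_out=lambda p: NTP in (p["sport"], p["dport"]),
                 accept_in=lambda p: NTP in (p["sport"], p["dport"])),
    # Patrick's adjustment: only traffic to/from *our* port 123 is untracked;
    # our own outbound queries (ephemeral sport, dport 123) stay tracked.
    "patrick": dict(notrack_in=lambda p: p["dport"] == NTP,
                    notrack_out=lambda p: p["sport"] == NTP,
                    accept_in=lambda p: p["dport"] == NTP),
}

def send(rules, conntrack, p):
    """Local host emits p; a tracked flow is stored under its reply tuple."""
    if not rules["notrack_out"](p):
        conntrack.add((p["dst"], p["dport"], p["sport"]))

def receive(rules, conntrack, p):
    """Return ACCEPT or DROP for inbound p, updating conntrack as netfilter would."""
    tracked = not rules["notrack_in"](p)
    key = (p["src"], p["sport"], p["dport"])
    if rules["accept_in"](p):
        if tracked:
            conntrack.add(key)   # accepted *and* tracked: the entries that pile up
        return "ACCEPT"
    if tracked and key in conntrack:
        return "ACCEPT"          # reply to one of our own tracked queries
    return "DROP"

def simulate(name, clients=1000):
    """Run the three situations discussed in the thread against one rule set."""
    rules, ct = RULESETS[name], set()
    for i in range(clients):     # 1. pool clients query us from ephemeral ports
        receive(rules, ct, {"src": f"c{i}", "sport": 40000 + i, "dport": NTP})
    # 2. unsolicited packet with *source* port 123 aimed at another UDP port
    probe = receive(rules, ct, {"src": "x", "sport": NTP, "dport": 5353})
    # 3. our own query to an upstream server, followed by its reply
    send(rules, ct, {"dst": "up", "sport": 50000, "dport": NTP})
    reply = receive(rules, ct, {"src": "up", "sport": NTP, "dport": 50000})
    return {"conntrack_entries": len(ct), "sport123_probe": probe, "upstream_reply": reply}
```

Running `simulate` for each name shows the baseline accumulating one entry per client, Mike's version keeping the table empty but accepting the port-5353 probe, and Patrick's version keeping only the single entry for the host's own upstream query while dropping the probe.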


