[ntp:questions] My ntpd stopped working

rasmus rasmusaa at gmail.com
Thu Sep 20 03:36:46 UTC 2007


On 19 Sep., 21:32, Jan Ceuleers <janspam.ceule... at skynet.be> wrote:
> rasmus wrote:
> >> The _first_ rule in your INPUT chain needs to explicitly allow all
> >> traffic to 123/UDP. Something like this:
>
> > Sorry, I was unclear. The rule I referred to was one that allowed udp/
> > 123 traffic. So I have a rule exactly matching what you wrote at the
> > head of my INPUT chain. I can see traffic reach my ntpd and I can log
> > packets with sport 123 in my OUTPUT filter.
>
> You misunderstand. The rule only accepts packets that are related to an
> ongoing connection. You need to accept ALL packets destined to UDP port
> 123 (while retaining the stateful firewalling on all other traffic).
>
> So please do take Steve's advice and insert a -j ACCEPT rule matching
> only UDP port 123 traffic at the start of your INPUT chain.

If I do misunderstand, then I am confused :) More probably, I am not
explaining myself properly.
Snippets from my iptables:

67462 5124K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123
....
  83M   40G ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

So, unless I misunderstand :), I think I have the setup you advocate.

Cheers,
  Rasmus
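As an added example (not code from this thread or from the ntp project): the INPUT chain order Steve and Jan describe, written as an iptables-restore fragment, plus two shell checks run against constructed iptables listings. The first check goes slightly beyond the thread: two ACCEPT rules cannot shadow each other, so what matters is that the udp/123 ACCEPT sits above any DROP/REJECT rule in the chain, not strictly above the RELATED,ESTABLISHED rule. The second extracts the pkts counter on the udp dpt:123 rule from `iptables -L INPUT -v -n` output, which is the evidence Rasmus quotes. The interface name eth0, the DROP policy and all listings are assumptions.

```shell
#!/bin/sh
# Added example; not code from the thread or from the ntp project.
# Assumptions: the NTP host faces the network on eth0 and the INPUT chain ends
# in a DROP (policy or explicit rule). All listings below are constructed.

# Recommended INPUT chain in iptables-save/restore format. The explicit ACCEPT
# for udp/123 is placed before the stateful rule and before any DROP: queries
# from clients and peers arriving at this host have no conntrack entry yet, so
# a RELATED,ESTABLISHED rule alone will never accept them.
recommended_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Given the text of `iptables -S INPUT`, return 0 when an ACCEPT for udp/123
# exists and no DROP/REJECT rule precedes it in the chain; 1 otherwise.
ntp_rule_reachable() {
    ntp_line=$(printf '%s\n' "$1" | grep -n -- '-p udp .*--dport 123 .*-j ACCEPT' | head -n 1 | cut -d: -f1)
    [ -n "$ntp_line" ] || return 1
    drop_line=$(printf '%s\n' "$1" | grep -n -E -- '-j (DROP|REJECT)' | head -n 1 | cut -d: -f1)
    [ -z "$drop_line" ] || [ "$ntp_line" -lt "$drop_line" ]
}

# Given the text of `iptables -L INPUT -v -n`, print the pkts counter of the
# ACCEPT rule for udp dpt:123 (prints nothing if there is no such rule).
# A growing counter is direct evidence that NTP packets hit that rule; add -x
# to the iptables command for exact counts instead of K/M/G suffixes.
ntp_rule_packets() {
    printf '%s\n' "$1" | awk '$3 == "ACCEPT" && $4 == "udp" && /udp dpt:123/ { print $1; exit }'
}

# Constructed `iptables -S INPUT` listings: the order from the thread, and a
# chain where a DROP for NEW packets sits above the NTP rule and shadows it.
GOOD_ORDER='-P INPUT DROP
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP'

BAD_ORDER='-P INPUT DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j DROP
-A INPUT -p udp -m udp --dport 123 -j ACCEPT'

# Constructed `iptables -L INPUT -v -n` listing mirroring the two rows in the post.
VERBOSE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
67462 5124K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
  83M   40G ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

if ntp_rule_reachable "$GOOD_ORDER"; then echo "good order: NTP rule reachable"; fi
if ! ntp_rule_reachable "$BAD_ORDER"; then echo "bad order: NTP rule shadowed by a DROP"; fi
echo "packets matched by the udp/123 rule: $(ntp_rule_packets "$VERBOSE_LISTING")"
```

To apply the fragment, pipe `recommended_ruleset` into `iptables-restore`; on a live box run the two checks against `"$(iptables -S INPUT)"` and `"$(iptables -L INPUT -v -n -x)"` instead of the constructed strings. The `-m state` match is what the post's output shows; newer kernels spell the same thing `-m conntrack --ctstate RELATED,ESTABLISHED`, which the reachability check does not need to distinguish because it keys on DROP/REJECT, not on the stateful rule.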
