[ntp:questions] My ntpd stopped working
rasmus
rasmusaa at gmail.com
Thu Sep 20 03:36:46 UTC 2007
On 19 Sep., 21:32, Jan Ceuleers <janspam.ceule... at skynet.be> wrote:
> rasmus wrote:
> >> The _first_ rule in your INPUT chain needs to explicitly allow all
> >> traffic to 123/UDP. Something like this:
>
> > Sorry, I was unclear. The rule I referred to was one that allowed udp/
> > 123 traffic. So I have a rule exactly matching what you wrote at the
> > head of my INPUT chain. I can see traffic reach my ntpd and I can log
> > packets with sport 123 in my OUTPUT filter.
>
> You misunderstand. The rule only accepts packets that are related to an
> ongoing connection. You need to accept ALL packets destined to UDP port
> 123 (while retaining the stateful firewalling on all other traffic).
>
> So please do take Steve's advice and insert a -j ACCEPT rule matching
> only UDP port 123 traffic at the start of your INPUT chain.
If I do misunderstand, then I am confused :) More probably, I am not
explaining myself properly.
Snippets from my iptables:
67462 5124K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
....
83M 40G ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
So, unless I misunderstand :), I think I have the setup you advocate.
Cheers,
Rasmus
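Added example, not from the thread: a small Python model of iptables first-match evaluation over the two INPUT rules quoted above (a constructed simplification in which the caller supplies the state conntrack would have assigned, rather than tracking flows). It shows why an unsolicited udp/123 packet passes only when the explicit rule sits ahead of the RELATED,ESTABLISHED rule, while a tracked reply passes either way.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed model of the two INPUT rules shown in the post; no real
# conntrack table, the packet carries the state conntrack would assign.

@dataclass(frozen=True)
class Packet:
    proto: str        # "udp", "tcp", ...
    in_iface: str     # interface the packet arrived on
    dport: int
    state: str        # "NEW", "ESTABLISHED" or "RELATED"

@dataclass(frozen=True)
class Rule:
    target: str
    proto: str = "all"                    # "all" matches any protocol
    in_iface: str = "*"                   # "*" matches any interface
    dport: Optional[int] = None           # None = no --dport match
    states: FrozenSet[str] = frozenset()  # empty = no -m state match

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.in_iface != "*" and self.in_iface != pkt.in_iface:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True

def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """Return the target of the first matching rule, else the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

STATEFUL = Rule("ACCEPT", in_iface="eth0",
                states=frozenset({"RELATED", "ESTABLISHED"}))
NTP_OPEN = Rule("ACCEPT", proto="udp", dport=123)

POSTED_CHAIN = [NTP_OPEN, STATEFUL]   # as in the post: udp/123 accept first
STATEFUL_ONLY = [STATEFUL]            # same chain without the explicit rule

# Unsolicited NTP packet from a peer or client: no conntrack entry, so NEW.
UNSOLICITED_NTP = Packet("udp", "eth0", 123, "NEW")
# Reply to a query ntpd sent earlier: conntrack already tracks the flow.
NTP_REPLY = Packet("udp", "eth0", 123, "ESTABLISHED")
```

Running `evaluate` on both chains shows the unsolicited packet is accepted by the posted chain and dropped by the stateful-only chain, while the tracked reply is accepted by both.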