[ntp:questions] IPv6 and ip6tables

Ivan Shmakov oneingray at gmail.com
Mon Mar 11 21:13:28 UTC 2013

>>>>> Xavier Robin <geckolimo at gmail.com> writes:

	[Cross-posting to news:comp.os.linux.networking.]

 > Has anyone some experience serving NTP over IPv6 through an ip6tables
 > firewall here?

 > Despite the fact that I opened port 123 (both UDP and TCP), as soon
 > as I set the INPUT policy to DROP, NTP becomes unreachable.  Is it
 > using a different port on IPv6 or something like this?  The server is
 > fully reachable when the INPUT policy is ACCEPT.  It is also
 > reachable over IPv4 with the same iptables rule (and DROP policy).

	I've never seen an issue with such a setup.  The only difference
	is that my firewall has also a -j ACCEPT rule for --dport 123 in
	the FORWARD chain.  I don't know if it's related, though.


 > xavier at arthur:~$ sudo ip6tables -L
 > [sudo] password for xavier: 
 > Chain INPUT (policy DROP)
 > target     prot opt source               destination         
 > ACCEPT     all      anywhere             anywhere            

	Is there really such an all-permitting rule?

 > ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
 > ACCEPT     tcp      anywhere             anywhere             tcp dpt:(some ports...)
 > ACCEPT     udp      anywhere             anywhere             udp dpt:ntp
 > ACCEPT     tcp      anywhere             anywhere             tcp dpt:ntp


