Old 09-02-2012, 08:37 AM
Earl Ramirez
 
NTP server problem behind firewall

On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
> Hello!
>
> I would like to set up an NTP server for my Windows network using
> CentOS 6.3 with the firewall turned on. As I learned, the NTP protocol uses
> port 123 UDP. I have two NIC cards: one for the internal network and one
> for internet access. Both cards are in private address ranges. The problem
> is that when I am using the firewall described below the client cannot access
> the server. No idea why. Without the firewall everything works flawlessly,
> so the problem is not in the NTP configuration. No idea why, but with the
> firewall disabled the first query gives an error but all other queries
> work. I am using arpwatch to see what is happening on the network (new
> machines and so on). I don't know whether that is related to the problem or not.
>
> First I used the system-config-firewall generated firewall
> (standard firewall with port 123:udp added). No success, the client cannot
> connect.
>
> Next I made a script for myself and saved it with the 'service iptables save'
> command. The configuration is:
>
> eth0 10.0.0.99/24
> eth1 10.0.1.10/24
>
> The script for making firewall rules:
> iptables -P INPUT ACCEPT
> iptables -F
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
> iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
> iptables -A INPUT -j DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT

I might be wrong, but I think you need to add the IP address of the NTP
server.

You can also use tcpdump to capture the traffic between the clients and
the ntp server to see what is being blocked.

# iptables -A OUTPUT -o eth0 -p udp -s <client IPs> --sport 123 -d <NTP Server IP> --dport 123 -m state --state NEW -j ACCEPT
>
> The Windows client time server is set to 10.0.0.99. Just to be sure I
> enabled 123 TCP as well, even though I think that was unnecessary. The rule
> related to NTP (123 UDP) increments its packet and byte count
> in 'iptables -L -n -v', so some connection was made. But no success
> on sync.
>
> Any idea what is wrong?
>
> Bye,
> a
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos

--


Kind Regards
Earl Ramirez
GPG Key: http://trinipino.com/PublicKey.asc
 
Old 09-02-2012, 11:02 AM
Artifex Maximus
 
NTP server problem behind firewall

On Sun, Sep 2, 2012 at 8:37 AM, Earl Ramirez <earlaramirez@gmail.com> wrote:
> On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
>> Hello!
>>
>> I would like to set up an NTP server for my Windows network using
>> CentOS 6.3 with the firewall turned on. As I learned, the NTP protocol uses
>> port 123 UDP. I have two NIC cards: one for the internal network and one
>> for internet access. Both cards are in private address ranges. The problem
>> is that when I am using the firewall described below the client cannot access
>> the server. No idea why. Without the firewall everything works flawlessly,
>> so the problem is not in the NTP configuration. No idea why, but with the
>> firewall disabled the first query gives an error but all other queries
>> work. I am using arpwatch to see what is happening on the network (new
>> machines and so on). I don't know whether that is related to the problem or not.
>>
>> First I used the system-config-firewall generated firewall
>> (standard firewall with port 123:udp added). No success, the client cannot
>> connect.
>>
>> Next I made a script for myself and saved it with the 'service iptables save'
>> command. The configuration is:
>>
>> eth0 10.0.0.99/24
>> eth1 10.0.1.10/24
>>
>> The script for making firewall rules:
>> iptables -P INPUT ACCEPT
>> iptables -F
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
>> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
>> iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
>> iptables -A INPUT -j DROP
>> iptables -P FORWARD DROP
>> iptables -P OUTPUT ACCEPT
>
> I might be wrong, but I think you need to add the IP address of the NTP
> server.

Why? I am using a more general form of INPUT rule.

> You can also use tcpdump to capture the traffic between the clients and
> the ntp server to see what is being blocked.

Thanks for your answer. Good idea and I'll do it.

> # iptables -A OUTPUT -o eth0 -p udp -s <client IPs> --sport 123 -d <NTP Server IP> --dport 123 -m state --state NEW -j ACCEPT

I am using

iptables -P OUTPUT ACCEPT

which allows all OUTPUT traffic on all interfaces as the default rule. So I
do not think that I need any more specific rule.

Bye,
a
 
Old 09-02-2012, 12:33 PM
Markus Falb
 
NTP server problem behind firewall

On 2.9.2012 09:46, Artifex Maximus wrote:
> Hello!
>
> I would like to set up an NTP server for my Windows network using
> CentOS 6.3 with the firewall turned on. As I learned, the NTP protocol uses
> port 123 UDP. I have two NIC cards: one for the internal network and one
> for internet access. Both cards are in private address ranges. The problem
> is that when I am using the firewall described below the client cannot access
> the server. No idea why. Without the firewall everything works flawlessly,
> so the problem is not in the NTP configuration. No idea why, but with the
> firewall disabled the first query gives an error but all other queries
> work. I am using arpwatch to see what is happening on the network (new
> machines and so on). I don't know whether that is related to the problem or not.
>
> First I used the system-config-firewall generated firewall
> (standard firewall with port 123:udp added). No success, the client cannot
> connect.
>
> Next I made a script for myself and saved it with the 'service iptables save'
> command. The configuration is:
>
> eth0 10.0.0.99/24
> eth1 10.0.1.10/24
>
> The script for making firewall rules:
> iptables -P INPUT ACCEPT
> iptables -F
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
> iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
> iptables -A INPUT -j DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT

You must ACCEPT ntp in the FORWARD chain.
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html
--
Kind Regards, Markus Falb

 
Old 09-02-2012, 04:22 PM
Artifex Maximus
 
NTP server problem behind firewall

On Sun, Sep 2, 2012 at 2:33 PM, Markus Falb <markus.falb@fasel.at> wrote:
> On 2.9.2012 09:46, Artifex Maximus wrote:
>> Hello!
>>
>> I would like to set up an NTP server for my Windows network using
>> CentOS 6.3 with the firewall turned on. As I learned, the NTP protocol uses
>> port 123 UDP. I have two NIC cards: one for the internal network and one
>> for internet access. Both cards are in private address ranges. The problem
>> is that when I am using the firewall described below the client cannot access
>> the server. No idea why. Without the firewall everything works flawlessly,
>> so the problem is not in the NTP configuration. No idea why, but with the
>> firewall disabled the first query gives an error but all other queries
>> work. I am using arpwatch to see what is happening on the network (new
>> machines and so on). I don't know whether that is related to the problem or not.
>>
>> First I used the system-config-firewall generated firewall
>> (standard firewall with port 123:udp added). No success, the client cannot
>> connect.
>>
>> Next I made a script for myself and saved it with the 'service iptables save'
>> command. The configuration is:
>>
>> eth0 10.0.0.99/24
>> eth1 10.0.1.10/24
>>
>> The script for making firewall rules:
>> iptables -P INPUT ACCEPT
>> iptables -F
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
>> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
>> iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
>> iptables -A INPUT -j DROP
>> iptables -P FORWARD DROP
>> iptables -P OUTPUT ACCEPT
>
> You must ACCEPT ntp in the FORWARD chain.
> http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html

Thanks. Why?

"If it's destined for this box, the packet passes downwards in the
diagram, to the INPUT chain. If it passes this, any processes waiting
for that packet will receive it."

The packet destination is my server, because the NTP server is there, so it
passes to the INPUT box where 123 UDP is enabled, if I read the how-to
correctly.

Bye,
a
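The routing decision quoted from the HOWTO (addressed to this box: INPUT; anything else: FORWARD) can be walked through against the posted rule set. This is an added example, not code from the thread; it models the INPUT chain as plain dicts with this example's own field names, and the addresses and interfaces are taken from the thread's setup.

```python
import ipaddress

# Constructed model of the INPUT chain posted in the thread; FORWARD and OUTPUT
# carry only their policies. Field names are this example's own, not iptables'.
LOCAL_ADDRS = {"10.0.0.99", "10.0.1.10", "127.0.0.1"}   # eth0, eth1, lo
INPUT_RULES = [
    {"in_if": "lo", "target": "ACCEPT"},
    {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"proto": "tcp", "dport": 22, "target": "ACCEPT"},
    {"in_if": "eth0", "src": "10.0.0.0/24", "proto": "udp", "dport": 123, "target": "ACCEPT"},
    {"in_if": "eth0", "src": "10.0.0.0/24", "proto": "tcp", "dport": 123, "target": "ACCEPT"},
    {"target": "LOG"},   # non-terminating: logs the packet and falls through
    {"target": "DROP"},
]
POLICY = {"INPUT": "ACCEPT", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

def rule_matches(rule, pkt):
    """Every criterion present in the rule must match the packet."""
    for key in ("in_if", "proto", "dport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    return "state" not in rule or pkt["state"] in rule["state"]

def chain_for(pkt):
    """Routing decision from the HOWTO: addressed to this box -> INPUT, otherwise FORWARD."""
    return "INPUT" if pkt["dst"] in LOCAL_ADDRS else "FORWARD"

def evaluate(pkt):
    """Return (chain, verdict, rule_index, logged); rule_index is None when the policy decides."""
    chain = chain_for(pkt)
    logged = False
    for i, rule in enumerate(INPUT_RULES if chain == "INPUT" else []):
        if not rule_matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            logged = True
            continue
        return chain, rule["target"], i, logged
    return chain, POLICY[chain], None, logged

def ntp_query(src, in_if, dst="10.0.0.99", state="NEW"):
    """Constructed NTP packet (UDP/123); the first one of an exchange has conntrack state NEW."""
    return {"in_if": in_if, "src": src, "dst": dst, "proto": "udp", "dport": 123, "state": state}

if __name__ == "__main__":
    print(evaluate(ntp_query("10.0.0.50", "eth0")))                   # client query: INPUT, rule 3
    print(evaluate(ntp_query("10.0.1.99", "eth1", dst="10.0.1.10", state="ESTABLISHED")))  # reply
    print(evaluate(ntp_query("10.0.0.50", "eth0", dst="10.0.1.99")))  # not for this box: FORWARD
```

The third case is the only one that ever reaches FORWARD, which is why a FORWARD rule does not help a client talking to the server's own address.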
 
Old 09-03-2012, 08:41 AM
Markus Falb
 
NTP server problem behind firewall

On 2.9.2012 18:22, Artifex Maximus wrote:
> On Sun, Sep 2, 2012 at 2:33 PM, Markus Falb <markus.falb-fSWCc0FX9k8@public.gmane.org> wrote:
>> On 2.9.2012 09:46, Artifex Maximus wrote:
>>> Hello!
>>>
>>> I would like to set up an NTP server for my Windows network using
>>> CentOS 6.3 with the firewall turned on.
...
>>> The script for making firewall rules:
>>> iptables -P INPUT ACCEPT
>>> iptables -F
>>> iptables -A INPUT -i lo -j ACCEPT
>>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>>> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
>>> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
>>> iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
>>> iptables -A INPUT -j DROP
>>> iptables -P FORWARD DROP
>>> iptables -P OUTPUT ACCEPT
>>
>> You must ACCEPT ntp in the FORWARD chain.
>> http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html
>
> Thanks. Why?
...
> The packet destination is my server, because the NTP server is there, so it
> passes to the INPUT box where 123 UDP is enabled, if I read the how-to
> correctly.

I thought you wanted to forward to another host. I think I was confused
because you mentioned the 2 NIC cards. Sorry.
--
Kind Regards, Markus Falb

 
Old 09-03-2012, 11:15 AM
Leonard den Ottolander
 
NTP server problem behind firewall

On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
> Any idea what is wrong?

The iptables rules you specify only allow clients from your local
network access to your "proxy" ntp server. However, you do not specify
any rules for eth1 to allow that ntp server to synchronise with the
remote servers it is using. So unless you are using a local time source
that might be your problem.

Btw, when specifying rules for the external ntp servers you might want
to specify IPs as well to restrict access.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research


 
Old 09-03-2012, 12:00 PM
Philippe Naudin
 
NTP server problem behind firewall

On Mon, 03 Sept. 2012 13:15:41 CEST, Leonard den Ottolander wrote:

> On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
> > Any idea what is wrong?
>
> The iptables rules you specify only allow clients from your local
> network access to your "proxy" ntp server. However, you do not specify
> any rules for eth1 to allow that ntp server to synchronise with the
> remote servers it is using. So unless you are using a local time source
> that might be your problem.

I don't think this is the problem: the firewall accepts everything in
the output chain, and established/related in input; my ntp server
works fine with the same rules (123/tcp is indeed useless).

For me, the problem is not ntp+iptables, or it should appear in
/var/log/messages, thanks to the -j LOG.
There can be something wrong in ntp.conf (but this is probably not the
case since it works without the firewall), in the firewall (for example, if
it blocks DNS requests), or in the network configuration.

Regards,

--
Philippe Naudin
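Checking what the -j LOG rule actually recorded is the concrete step behind the point above. The following is an added example, not code from the thread: it parses lines in the format the kernel LOG target writes through syslog (prefix "iptables denied: " as in the posted rules) and counts the dropped packets; the sample lines, hostname and MAC address are constructed.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages; the KEY=VALUE layout is the kernel
# LOG target's, the hosts and addresses are made up for this example.
SAMPLE_LOG = """\
Sep  3 12:01:02 myserver kernel: iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.1.99 DST=10.0.1.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Sep  3 12:01:02 myserver kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=10.0.0.51 DST=10.0.0.99 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4711 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep  3 12:01:03 myserver kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:dd:08:00 SRC=10.0.0.50 DST=10.0.0.99 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4712 DF PROTO=TCP SPT=50000 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Sep  3 12:01:04 myserver ntpd[1234]: synchronized to 10.0.1.99, stratum 1
"""

LOG_RE = re.compile(r"kernel: iptables denied: (?P<fields>.*)$")

def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True   # bare flags such as DF or SYN carry no value
    return fields

def denied_summary(text):
    """Count dropped packets by (in-interface, source, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is not None:
            counts[(f["IN"], f["SRC"], f["PROTO"], f.get("DPT", "-"))] += 1
    return counts

def ntp_related(summary):
    """Only the entries touching port 123, the traffic this thread is about."""
    return {k: v for k, v in summary.items() if k[3] == "123"}

if __name__ == "__main__":
    summary = denied_summary(SAMPLE_LOG)
    for key, n in sorted(summary.items()):
        print(n, *key)
    print("NTP drops:", ntp_related(summary))
```

One check before trusting an empty result: the posted rule logs at --log-level 7 (debug), and the stock CentOS 6 rsyslog selector for /var/log/messages is `*.info`, which does not include debug, so the lines may be going nowhere unless rsyslog.conf is adjusted or a higher level is used.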
 
Old 09-03-2012, 12:32 PM
Giles Coochey
 
NTP server problem behind firewall

On 03/09/2012 13:00, Philippe Naudin wrote:
> On Mon, 03 Sept. 2012 13:15:41 CEST, Leonard den Ottolander wrote:
>
>> On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
>>> Any idea what is wrong?
>>
>> The iptables rules you specify only allow clients from your local
>> network access to your "proxy" ntp server. However, you do not specify
>> any rules for eth1 to allow that ntp server to synchronise with the
>> remote servers it is using. So unless you are using a local time source
>> that might be your problem.
>
> I don't think this is the problem: the firewall accepts everything in
> the output chain, and established/related in input; my ntp server
> works fine with the same rules (123/tcp is indeed useless).
>
> For me, the problem is not ntp+iptables, or it should appear in
> /var/log/messages, thanks to the -j LOG.
> There can be something wrong in ntp.conf (but this is probably not the
> case since it works without the firewall), in the firewall (for example, if
> it blocks DNS requests), or in the network configuration.
>
> Regards,


Does 'ntpq -p' show your server actually syncing with ntp hosts?

--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles@coochey.net


 
Old 09-03-2012, 02:18 PM
Artifex Maximus
 
NTP server problem behind firewall

On Mon, Sep 3, 2012 at 11:15 AM, Leonard den Ottolander
<leonard@den.ottolander.nl> wrote:
> On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
>> Any idea what is wrong?
>
> The iptables rules you specify only allow clients from your local
> network access to your "proxy" ntp server. However, you do not specify
> any rules for eth1 to allow that ntp server to synchronise with the
> remote servers it is using. So unless you are using a local time source
> that might be your problem.
>
> Btw, when specifying rules for the external ntp servers you might want
> to specify IPs as well to restrict access.

Thanks. You are right, an ntp proxy is absolutely what I want. My
description was probably not clear. So this is the setup:

GPSNTP(10.0.1.99/24) - eth1 myserver eth0 - clients(10.0.0.0/24)

Because GPSNTP is on a physically separated network I need this proxy
for my clients. My server is able to synchronize with GPSNTP, so the rules
are fine for that (because my output chain is ACCEPT by default). My
clients cannot synchronize with my server even if I allow the NTP
port, which I do not understand.

Bye,
a
 
Old 09-03-2012, 02:32 PM
Giles Coochey
 
NTP server problem behind firewall

On 03/09/2012 15:18, Artifex Maximus wrote:
> On Mon, Sep 3, 2012 at 11:15 AM, Leonard den Ottolander
> <leonard@den.ottolander.nl> wrote:
>> On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
>>> Any idea what is wrong?
>>
>> The iptables rules you specify only allow clients from your local
>> network access to your "proxy" ntp server. However, you do not specify
>> any rules for eth1 to allow that ntp server to synchronise with the
>> remote servers it is using. So unless you are using a local time source
>> that might be your problem.
>>
>> Btw, when specifying rules for the external ntp servers you might want
>> to specify IPs as well to restrict access.
>
> Thanks. You are right, an ntp proxy is absolutely what I want. My
> description was probably not clear. So this is the setup:
>
> GPSNTP(10.0.1.99/24) - eth1 myserver eth0 - clients(10.0.0.0/24)
>
> Because GPSNTP is on a physically separated network I need this proxy
> for my clients. My server is able to synchronize with GPSNTP, so the rules
> are fine for that (because my output chain is ACCEPT by default). My
> clients cannot synchronize with my server even if I allow the NTP
> port, which I do not understand.


So at this stage, doing a "tcpdump -i eth0 -s 0 -w capture.cap" and
getting one of your clients to try to sync time with your server and
then repeating this with the firewall turned off (when it purportedly
works) ought to give you enough information to be able to view the
packet capture and see what is going wrong.


--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles@coochey.net

