Linux Archive - Ubuntu User: iptables and ntp (http://www.linux-archive.org/ubuntu-user/186169-iptables-ntp.html)

"Sam Kuper" 11-01-2008 06:20 PM

iptables and ntp
 
Dear all,

I am having some trouble with ntp and iptables.
With iptables set to have no rules and a default ACCEPT stance, ntpq -p works as it should (it prints a table of ntp servers I'm connected to). But with my iptables rules loaded, ntpq -p gives the error: "ntpq: write to localhost failed: Operation not permitted".

I guess there's a problem with the iptables rules that I've been unable to spot, so I'd be grateful for suggestions!
Here is my iptables ruleset (which is based on the one Michael Rash provides in his book Linux Firewalls):

#!/bin/sh
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
INT_NET=192.168.11.2 # SPK: Set this to the local IP address of the host, assuming the host is not a firewall with pass-through.

### flush existing rules and set chain policy setting to DROP
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

### load connection-tracking modules
#$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

###### INPUT chain ######
echo "[+] Setting up INPUT chain..."
### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules # SPK: Modified this to permit SSH access from anywhere.
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp --sport 123 -m state --state NEW,ESTABLISHED -j ACCEPT # SPK for ntpd
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### default INPUT LOG rule
$IPTABLES -A INPUT -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### OUTPUT chain ######
echo "[+] Setting up OUTPUT chain..."
### anti-spoofing rules # SPK: Changed this to refer to output on eth0 (but remember to change interface if on VPS!).
$IPTABLES -A OUTPUT -s ! $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A OUTPUT -s ! $INT_NET -j DROP

### state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT # SPK for ntpd
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule
$IPTABLES -A OUTPUT -o ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### FORWARD chain ######
echo "[+] Setting up FORWARD chain..."
### state tracking rules # SPK: Modified to log & drop all invalid pkts for forwarding (even though there shouldn't be any).
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

### anti-spoofing rules # SPK: Log & drop all spoofed packets for forwarding (even though there shouldn't be any).
$IPTABLES -A FORWARD -i eth1 -s ! $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD -i eth1 -s ! $INT_NET -j DROP

### default LOG rule
$IPTABLES -A FORWARD -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

exit
### EOF ###
Many thanks in advance,
Sam
--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

"Sam Kuper" 11-01-2008 06:26 PM

iptables and ntp
 
2008/11/1 Sam Kuper <sam.kuper@uclmail.net>

[...] Here is my iptables ruleset (which is based on the one Michael Rash provides in his book Linux Firewalls):
[...]
### anti-spoofing rules # SPK: Log & drop all spoofed packets for forwarding (even though there shouldn't be any).
$IPTABLES -A FORWARD -i eth1 -s ! $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD -i eth1 -s ! $INT_NET -j DROP

I've now corrected the two above lines to feature eth0 instead of eth1, since this is for a workstation that only has one ethernet connection (eth0), but this hasn't affected the ntp problem.

Sam
--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
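As an added illustration (not part of either post), here is a small first-match model of the OUTPUT chain Sam posted, written in Python rather than iptables. It shows that a datagram ntpq sends to 127.0.0.1 (source address 127.0.0.1, which is not $INT_NET) meets the anti-spoofing DROP before the udp/123 ACCEPT is ever reached, which is the kind of OUTPUT-chain drop that surfaces to the sending process as "Operation not permitted", and that an explicit loopback ACCEPT placed ahead of the anti-spoofing rules (an assumed fix, not taken from the thread) changes the verdict. The INPUT chain, which likewise has no loopback rule, is not modelled.

```python
# Added example: simplified first-match simulation of the posted OUTPUT chain.
# This is a constructed model for explanation, not iptables itself.
from dataclasses import dataclass
from typing import Optional

INT_NET = "192.168.11.2"  # value taken from the posted script


@dataclass
class Rule:
    target: str                    # ACCEPT, DROP or LOG (LOG never terminates traversal)
    label: str
    src_not: Optional[str] = None  # models "-s ! ADDR"
    oif: Optional[str] = None      # models "-o IFACE"
    proto: Optional[str] = None    # models "-p PROTO"
    dport: Optional[int] = None    # models "--dport N"

    def matches(self, pkt: dict) -> bool:
        return ((self.src_not is None or pkt["src"] != self.src_not)
                and (self.oif is None or pkt["oif"] == self.oif)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport))


def evaluate(chain: list, pkt: dict, policy: str = "DROP") -> tuple:
    """Walk the chain in order; the first matching terminating target wins, else the policy."""
    for rule in chain:
        if rule.matches(pkt) and rule.target != "LOG":
            return rule.target, rule.label
    return policy, "chain policy"


# The posted OUTPUT chain, in order. The state-tracking rules are omitted because a
# fresh outbound datagram is neither INVALID nor ESTABLISHED, so they would not match.
POSTED_OUTPUT = [
    Rule("LOG", "SPOOFED PKT log", src_not=INT_NET),
    Rule("DROP", "anti-spoofing drop", src_not=INT_NET),
    Rule("ACCEPT", "udp dport 123", proto="udp", dport=123),
]

# Same chain with a loopback accept ahead of the anti-spoofing pair (assumed fix).
WITH_LOOPBACK = [Rule("ACCEPT", "loopback accept", oif="lo")] + POSTED_OUTPUT

# Constructed packets: what ntpq sends to the local ntpd, and what ntpd sends upstream.
NTPQ_TO_LOCALHOST = {"src": "127.0.0.1", "oif": "lo", "proto": "udp", "dport": 123}
NTPD_TO_UPSTREAM = {"src": INT_NET, "oif": "eth0", "proto": "udp", "dport": 123}

if __name__ == "__main__":
    for name, chain in (("posted", POSTED_OUTPUT), ("with loopback", WITH_LOOPBACK)):
        for pkt_name, pkt in (("ntpq->127.0.0.1", NTPQ_TO_LOCALHOST), ("ntpd->upstream", NTPD_TO_UPSTREAM)):
            print(f"{name:14} {pkt_name:16} -> {evaluate(chain, pkt)}")
```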

