[CentOS] NTP server problem behind firewall

Sun Sep 2 08:37:02 UTC 2012
Earl Ramirez <earlaramirez at gmail.com>

On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
> Hello!
> I would like to set up an NTP server for my Windows network using
> CentOS 6.3 with the firewall turned on. As I learned, the NTP protocol uses
> port 123 UDP. I have two NICs: one for the internal network and one
> for internet access. Both cards are in a private address range. The problem
> is that when I am using the firewall described below the client cannot access
> the server. No idea why. Without the firewall everything works flawlessly,
> so the problem is not in the NTP configuration. No idea why, but with the
> firewall disabled the first query gives an error but all other queries
> work. I am using arpwatch to see what is happening on the network (new
> machines and so on). I don't know if that is related to the problem or not.
> First I used the system-config-firewall generated firewall
> (standard firewall with port 123:udp added). No success, the client cannot
> connect.
> Next I made a script for myself and saved it with the 'service iptables save'
> command. The configuration is:
> eth0
> eth1
> The script for making firewall rules:
> iptables -P INPUT ACCEPT
> iptables -F
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth0 -s -p udp --dport 123 -j ACCEPT
> iptables -A INPUT -i eth0 -s -p tcp --dport 123 -j ACCEPT
> iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables
> denied: " --log-level 7
> iptables -A INPUT -j DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT

I might be wrong but I think you need to add the IP Address of the NTP

You can also use tcpdump to capture the traffic between the clients and
the NTP server to see what is being blocked.

# iptables -A OUTPUT -o eth0 -p udp -s <client IPs> --sport 123 -d <NTP Server IP> --dport 123 -m state --state NEW -j ACCEPT
> Windows client time server is set to Just to be sure I
> enabled 123 TCP as well, even though I think that was unnecessary. The rule
> related to NTP (123 UDP) increments its packet and byte count
> with 'iptables -L -n -v', so some connection was made. But no success
> on sync.
> Any idea what is wrong?
> Bye,
> a
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos


Kind Regards
Earl Ramirez
GPG Key: http://trinipino.com/PublicKey.asc
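Following Earl's advice to look at what the firewall is actually rejecting, here is an added example (not from the thread) that parses the kernel log lines produced by the poster's `LOG --log-prefix "iptables denied: "` rule and counts dropped NTP packets per inbound interface and source. The log lines below are constructed samples; the hostnames and addresses in them are invented.

```python
import re
from collections import Counter

# Constructed sample lines in the format netfilter's LOG target writes
# after the poster's "iptables denied: " prefix (KEY=VALUE fields).
SAMPLE_LOG = """\
Sep  2 08:30:01 ntp1 kernel: iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=76 TOS=0x00 PREC=0x00 TTL=128 ID=1 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Sep  2 08:30:02 ntp1 kernel: iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.1.21 DST=192.168.1.1 LEN=76 TOS=0x00 PREC=0x00 TTL=128 ID=2 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Sep  2 08:30:03 ntp1 kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:dd:08:00 SRC=10.0.0.9 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51234 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Sep  2 08:30:04 ntp1 kernel: iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Sep  2 08:30:05 ntp1 sshd[1234]: Accepted publickey for admin from 192.168.1.20 port 50022 ssh2
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_denied(line, prefix="iptables denied: "):
    """Return the netfilter KEY=VALUE fields of a LOG line carrying `prefix`,
    or None for any other line. Bare flags such as DF or SYN are ignored."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(prefix):]))

def dropped_ntp(log_text, port="123"):
    """Count dropped packets aimed at the NTP port, keyed by
    (inbound interface, source address, protocol)."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_denied(line)
        if fields is None:
            continue
        if fields.get("DPT") == port and fields.get("PROTO") in ("UDP", "TCP"):
            key = (fields.get("IN", "?"), fields.get("SRC", "?"), fields["PROTO"])
            hits[key] += 1
    return hits

def ntp_drop_interfaces(hits):
    """Interfaces on which NTP traffic was dropped. If this lists an interface
    other than the one named in the ACCEPT rule (eth0 in the thread), the
    clients are arriving on a NIC the rule does not cover."""
    return sorted({iface for (iface, _src, _proto) in hits})

if __name__ == "__main__":
    drops = dropped_ntp(SAMPLE_LOG)
    for (iface, src, proto), n in sorted(drops.items()):
        print(f"{iface:5} {src:15} {proto:4} dropped={n}")
    print("NTP drops seen on:", ", ".join(ntp_drop_interfaces(drops)))
```

One caveat when reproducing this on the poster's setup: the rule logs at `--log-level 7` (debug), and the CentOS 6 default rsyslog configuration sends only `*.info` and above to /var/log/messages, so these lines may only be visible in `dmesg` unless the level is raised.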