[CentOS] NTP server problem behind firewall

Sun Sep 2 11:02:07 UTC 2012
Artifex Maximus <artifexor at gmail.com>

On Sun, Sep 2, 2012 at 8:37 AM, Earl Ramirez <earlaramirez at gmail.com> wrote:
> On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
>> Hello!
>> I would like to set up an NTP server for my Windows network using
>> CentOS 6.3 with the firewall turned on. As I learned, the NTP protocol uses
>> port 123 UDP. I have two NIC cards: one for the internal network and one
>> for internet access. Both cards are in a private address range. The problem
>> is that when I am using the firewall described below, the client cannot access
>> the server. No idea why. Without the firewall everything works flawlessly,
>> so the problem is not in the NTP configuration. No idea why, but with the
>> firewall disabled the first query gives an error while all other queries
>> work. I am using arpwatch to see what is happening on the network (new
>> machines and so on). I don't know whether that is related to the problem or not.
>> First I used the system-config-firewall generated firewall
>> (standard firewall with port 123:udp added). No success; the client cannot
>> connect.
>> Next I made a script for myself and saved it with the 'service iptables save'
>> command. The configuration is:
>> eth0
>> eth1
>> The script for making firewall rules:
>> iptables -P INPUT ACCEPT
>> iptables -F
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -A INPUT -i eth0 -s -p udp --dport 123 -j ACCEPT
>> iptables -A INPUT -i eth0 -s -p tcp --dport 123 -j ACCEPT
>> iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables
>> denied: " --log-level 7
>> iptables -A INPUT -j DROP
>> iptables -P FORWARD DROP
>> iptables -P OUTPUT ACCEPT
> I might be wrong but I think you need to add the IP Address of the NTP
> server

Why? I am using a more general form of INPUT rule.

> you can also use tcpdump to capture the traffic between the clients and
> the ntp server to see what is being blocked.

Thanks for your answer. Good idea and I'll do it.

> # iptables -A OUTPUT -o eth0 -p udp -s <client IPs> --sport 123 -d <NTP
> Server IP> --dport 123 -m state --state NEW -j ACCEPT.

I am using


which allows all OUTPUT traffic on all interfaces as the default rule, so I
do not think that I need any more specific rule.
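The posted script ends with a LOG rule (prefix "iptables denied: ") just before the final DROP, so the kernel records every packet the INPUT chain rejects, including the fields a debugging session needs: the ingress interface (IN=), source and destination (SRC=/DST=), protocol and ports (PROTO=/SPT=/DPT=). Summarising those entries by interface and destination port shows directly whether NTP requests are being dropped and on which NIC they arrive, which can be compared against the "-i eth0" restriction in the ACCEPT rules. One caveat: the rule logs at --log-level 7 (debug), and the stock rsyslog configuration on CentOS 6 sends only *.info and above to /var/log/messages, so these lines may only be visible via dmesg unless the level is raised or rsyslog is adjusted. The parser below is an added example, not code from the thread; the log lines it contains are constructed in the netfilter LOG format, and the allowed-interface set {"eth0"} is taken from the posted ACCEPT rules.

```python
import re
from collections import Counter

LOG_PREFIX = "iptables denied: "

# Constructed sample lines in the format netfilter's LOG target emits,
# using the prefix from the posted script. These are not real captures.
SAMPLE_LOG = """\
Sep  2 10:58:01 ntp1 kernel: iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.21 DST=192.168.10.1 LEN=76 TOS=0x00 PREC=0x00 TTL=128 ID=4321 PROTO=UDP SPT=123 DPT=123 LEN=56
Sep  2 10:58:02 ntp1 kernel: iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.10.22 DST=192.168.10.1 LEN=76 TOS=0x00 PREC=0x00 TTL=128 ID=4322 PROTO=UDP SPT=123 DPT=123 LEN=56
Sep  2 10:58:05 ntp1 kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:dd:08:00 SRC=10.0.0.5 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Sep  2 10:58:06 ntp1 kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:dd:08:00 SRC=10.0.0.5 DST=10.0.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Sep  2 10:58:07 ntp1 sshd[1234]: Accepted publickey for root from 10.0.0.5 port 50000 ssh2
"""

# netfilter LOG fields are KEY=VALUE tokens; bare flags such as DF or SYN
# carry no '=' and are skipped by this pattern.
_KV = re.compile(r"(\w+)=(\S*)")


def parse_denied(text, prefix=LOG_PREFIX):
    """Return one dict of LOG fields per line that carries the drop prefix."""
    records = []
    for line in text.splitlines():
        idx = line.find(prefix)
        if idx < 0:
            continue  # not a firewall log line (e.g. the sshd entry)
        records.append(dict(_KV.findall(line[idx + len(prefix):])))
    return records


def summarize(records):
    """Count drops by (ingress interface, protocol, destination port)."""
    return Counter(
        (r.get("IN", ""), r.get("PROTO", ""), r.get("DPT", ""))
        for r in records
    )


def ntp_drops(records):
    """List (interface, source) for dropped NTP requests (UDP to port 123)."""
    return [
        (r.get("IN", ""), r.get("SRC", ""))
        for r in records
        if r.get("PROTO") == "UDP" and r.get("DPT") == "123"
    ]


def ntp_ingress_not_in(records, allowed_ifaces):
    """Interfaces that received dropped NTP traffic but are absent from
    the set of interfaces the ACCEPT rules are bound to with -i."""
    return {iface for iface, _ in ntp_drops(records) if iface not in allowed_ifaces}


if __name__ == "__main__":
    recs = parse_denied(SAMPLE_LOG)
    for key, count in sorted(summarize(recs).items()):
        print("IN=%-5s PROTO=%-4s DPT=%-5s dropped=%d" % (key + (count,)))
    # The posted ACCEPT rules only match -i eth0.
    print("NTP dropped on interfaces outside the ACCEPT rules:",
          sorted(ntp_ingress_not_in(recs, {"eth0"})))
```

Feed it the output of "dmesg | grep 'iptables denied'" (or /var/log/messages once debug-level kernel messages are routed there); if the NTP entries show an IN= interface other than the one named in the ACCEPT rules, that is the first thing to reconcile.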