[CentOS] NTP server problem behind firewall

Sun Sep 2 12:33:35 UTC 2012
Markus Falb <markus.falb at fasel.at>

On 2.9.2012 09:46, Artifex Maximus wrote:
> Hello!
> 
> I would like to set up an NTP server for my Windows network using
> CentOS 6.3 with the firewall turned on. As I learned, the NTP protocol uses
> port 123 UDP. I have two NIC cards. One for the internal network and one
> for accessing the internet. Both cards are in a private address range. The
> problem is that when I use the firewall described below, the client cannot
> access the server. No idea why. Without the firewall everything works
> flawlessly. So the problem is not in the NTP configuration. No idea why, but
> with the firewall disabled the first query gives an error but all other
> queries work. I am using arpwatch to see what is happening on the network
> (new machines and so on). I do not know whether that is related to the
> problem or not.
> 
> First I used the firewall generated by system-config-firewall
> (standard firewall with port 123:udp added). No success, the client cannot
> connect.
> 
> Next I made a script for myself and saved it with the 'service iptables save'
> command. The configuration is:
> 
> eth0 10.0.0.99/24
> eth1 10.0.1.10/24
> 
> The script for making firewall rules:
> iptables -P INPUT ACCEPT
> iptables -F
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
> iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
> iptables -A INPUT -j DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT

You must ACCEPT NTP in the FORWARD chain.
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html
-- 
Kind Regards, Markus Falb
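
An added example, not part of either message: the posted script logs what it drops with the prefix "iptables denied: ", so summarising those entries shows which interface and source address the rejected NTP requests arrive on, for comparison with the -i and -s values of the ACCEPT rules. The log lines, the host name gw and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise NTP requests (UDP, destination port 123) that the
# posted LOG rule recorded with the prefix "iptables denied: ".

# Constructed sample in the kernel LOG-target format; host name, MAC and
# IP addresses are made up for illustration.
sample_log() {
cat <<'EOF'
Sep  2 10:01:12 gw kernel: iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.1.25 DST=10.0.1.10 LEN=76 TOS=0x00 PREC=0x00 TTL=128 ID=4711 PROTO=UDP SPT=123 DPT=123 LEN=56
Sep  2 10:01:44 gw kernel: iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.1.25 DST=10.0.1.10 LEN=76 TOS=0x00 PREC=0x00 TTL=128 ID=4712 PROTO=UDP SPT=123 DPT=123 LEN=56
Sep  2 10:02:03 gw kernel: iptables denied: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=10.0.1.31 DST=10.0.1.10 LEN=76 TOS=0x00 PREC=0x00 TTL=128 ID=901 PROTO=UDP SPT=123 DPT=123 LEN=56
Sep  2 10:02:10 gw kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:dd:08:00 SRC=10.0.0.7 DST=10.0.0.99 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=77 PROTO=TCP SPT=49211 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Sep  2 10:02:15 gw ntpd[1402]: synchronized to LOCAL(0), stratum 10
EOF
}

# Reads log text on stdin (for example the output of dmesg) and prints one
# line per arrival interface and source address: "<IN> <SRC> <count>".
# The LOG rule is rate limited (5/min), so the counts are a lower bound.
denied_ntp() {
    awk '
    /iptables denied: / {
        split("", f)                          # clear fields of previous line
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 1) {
                k = substr($i, 1, n - 1)
                # LEN occurs twice (IP and UDP); keep the first value seen
                if (!(k in f)) f[k] = substr($i, n + 1)
            }
        }
        if (f["PROTO"] == "UDP" && f["DPT"] == "123")
            count[f["IN"] " " f["SRC"]]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# Stand-alone run over the constructed sample.
sample_log | denied_ntp
```

An entry here means the request reached the INPUT chain and matched no ACCEPT rule; the IN= and SRC= values show what the rule would have had to match.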
