On 2.9.2012 09:46, Artifex Maximus wrote:
> Hello!
>
> I would like to set up an NTP server for my Windows network using
> CentOS 6.3 with the firewall turned on. As I learned, the NTP protocol uses
> port 123 UDP. I have two NIC cards: one for the internal network and one
> for internet access. Both cards are in a private address range. The problem
> is that when I am using the firewall described below the client cannot access
> the server. No idea why. Without the firewall everything works flawlessly,
> so the problem is not in the NTP configuration. No idea why, but with the
> firewall disabled the first query gives an error but all other queries
> work. I am using arpwatch to see what is happening on the network (new
> machines and so on). I don't know if that is related to the problem or not.
>
> First I used the system-config-firewall generated firewall
> (standard firewall with port 123:udp added). No success, the client cannot
> connect.
>
> Next I made a script for myself and saved it with the 'service iptables save'
> command. The configuration is:
>
> eth0 10.0.0.99/24
> eth1 10.0.1.10/24
>
> The script for making the firewall rules:
>
> iptables -P INPUT ACCEPT
> iptables -F
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
> iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
> iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
> iptables -A INPUT -j DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT

You must ACCEPT ntp in the FORWARD chain.
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html

-- 
Kind Regards,
Markus Falb
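The following is an added example, not part of the thread and not code from either poster. It walks constructed packets through the INPUT chain exactly as posted above, to show which rule each one hits. A packet addressed to the server itself traverses INPUT after the routing decision (FORWARD only sees packets routed through the box), so this is the chain that decides whether a client's NTP query reaches ntpd; the server's reply leaves through OUTPUT, whose policy in the script is ACCEPT. The parser understands only the iptables options the posted script uses, the sample source addresses and interfaces are assumptions, and the state of each packet is what conntrack would assign (UDP is connection-tracked, so a reply to the server's own upstream query arrives as ESTABLISHED).

```python
import ipaddress
import shlex

# The INPUT chain as posted in the thread, in rule order.
POSTED_INPUT_CHAIN = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT",
    "-A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT",
    '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7',
    "-A INPUT -j DROP",
]
INPUT_POLICY = "ACCEPT"   # from "iptables -P INPUT ACCEPT"; never reached, rule 7 drops first


def parse_rule(rule):
    """Turn one 'iptables -A INPUT ...' argument string into a dict of match criteria.
    Only the options the posted script uses are understood (assumption of this example)."""
    toks = shlex.split(rule)
    r = {"in": None, "src": None, "proto": None, "dport": None, "state": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-i":
            r["in"] = toks[i + 1]
        elif t == "-s":
            r["src"] = ipaddress.ip_network(toks[i + 1])
        elif t == "-p":
            r["proto"] = toks[i + 1]
        elif t == "--dport":
            r["dport"] = int(toks[i + 1])
        elif t == "--state":
            r["state"] = set(toks[i + 1].split(","))
        elif t == "-j":
            r["target"] = toks[i + 1]
        elif t in ("-A", "-m", "--limit", "--log-prefix", "--log-level"):
            pass  # chain name, match-module name, rate limit and log options do not select packets here
        else:
            raise ValueError("unsupported option: " + t)
        i += 2
    return r


CHAIN = [parse_rule(r) for r in POSTED_INPUT_CHAIN]


def matches(rule, pkt):
    """True if every criterion the rule specifies is satisfied by the packet."""
    if rule["in"] and rule["in"] != pkt["iface"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["state"] and pkt["state"] not in rule["state"]:
        return False
    return True


def walk_chain(chain, policy, pkt):
    """Return (verdict, [(rule number, target) ...]) for the rules that matched.
    LOG is a non-terminating target: netfilter logs and continues with the next rule."""
    trace = []
    for n, rule in enumerate(chain, 1):
        if not matches(rule, pkt):
            continue
        trace.append((n, rule["target"]))
        if rule["target"] != "LOG":
            return rule["target"], trace
    return policy, trace


def ntp_query(src, iface, state="NEW"):
    """Constructed UDP/123 packet as conntrack would see it on arrival."""
    return {"iface": iface, "src": src, "proto": "udp", "dport": 123, "state": state}


def verdict_for(pkt):
    return walk_chain(CHAIN, INPUT_POLICY, pkt)


if __name__ == "__main__":
    # Constructed sample traffic; addresses and interfaces are assumptions.
    samples = [
        ("client on the inside subnet, arriving on eth0", ntp_query("10.0.0.20", "eth0")),
        ("inside-subnet source but arriving on eth1", ntp_query("10.0.0.20", "eth1")),
        ("client on the eth1 subnet", ntp_query("10.0.1.20", "eth1")),
        ("reply from an upstream server to ntpd's own query", ntp_query("192.0.2.10", "eth1", "ESTABLISHED")),
    ]
    for label, pkt in samples:
        verdict, trace = verdict_for(pkt)
        print(f"{label:55s} -> {verdict:6s} via rules {trace}")
```

Anything that ends in DROP here also passed rule 6, so it should produce an "iptables denied:" line; note that the rule logs at --log-level 7 (debug), which lands in the kernel ring buffer (dmesg) but, with CentOS 6's default rsyslog filter of *.info for /var/log/messages, not in that file unless kern.debug is routed there.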