[CentOS] NTP server problem behind firewall

Sun Sep 2 16:22:35 UTC 2012
Artifex Maximus <artifexor at gmail.com>

On Sun, Sep 2, 2012 at 2:33 PM, Markus Falb <markus.falb at fasel.at> wrote:
> On 2.9.2012 09:46, Artifex Maximus wrote:
>> Hello!
>> I would like to set up an NTP server for my Windows network using
>> CentOS 6.3 with the firewall turned on. As I learned, the NTP protocol uses
>> port 123 UDP. I have two NIC cards. One for the internal network and one
>> for internet access. Both cards are in private address ranges. The problem
>> is when I am using the firewall described below the client cannot access
>> the server. No idea why. Without the firewall everything works flawlessly.
>> So the problem is not in the NTP configuration. No idea why, but with the
>> firewall disabled the first query gives an error but all other queries
>> work. I am using arpwatch to see what is happening on the network (new
>> machines and so on). I don't know whether that is related to the problem or not.
>> First I had used the system-config-firewall generated firewall
>> (standard firewall with port 123:udp added). No success, the client cannot
>> connect.
>> Next I made a script for myself and saved it with the 'service iptables save'
>> command. The configuration is:
>> eth0
>> eth1
>> The script for making firewall rules:
>> iptables -P INPUT ACCEPT
>> iptables -F
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -A INPUT -i eth0 -s -p udp --dport 123 -j ACCEPT
>> iptables -A INPUT -i eth0 -s -p tcp --dport 123 -j ACCEPT
>> iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
>> iptables -A INPUT -j DROP
>> iptables -P FORWARD DROP
>> iptables -P OUTPUT ACCEPT
> you must ACCEPT ntp in the FORWARD chain.
> http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html

Thanks. Why?

"If it's destined for this box, the packet passes downwards in the
diagram, to the INPUT chain. If it passes this, any processes waiting
for that packet will receive it."

The packet destination is my server because the NTP server is there, so it
passes to the INPUT box where 123 UDP is enabled. If I read the how-to
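As an added illustration of the chain question raised in this thread (not code from the thread or from either poster): a small Python model of the quoted INPUT ruleset plus the routing decision that sends locally addressed packets through INPUT rather than FORWARD. The server addresses and the LAN range are assumptions standing in for the -s arguments the quoted script elided.

```python
# Toy model of netfilter traversal for the ruleset quoted in this thread:
# a packet addressed to the host itself enters INPUT, never FORWARD.
# Added example; addresses and LAN range are constructed stand-ins for
# the -s arguments the quoted script elided.
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

SERVER_ADDRS = {ip_address("192.168.1.10"), ip_address("10.0.0.2")}  # constructed eth0/eth1
LAN = ip_network("192.168.1.0/24")                                  # constructed -s range

Packet = namedtuple("Packet", "in_iface src dst proto dport state", defaults=["NEW"])

@dataclass
class Rule:
    """One rule; a None field is a wildcard, like an omitted iptables match."""
    target: str
    in_iface: Optional[str] = None
    src: Optional[IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        return ((self.in_iface is None or self.in_iface == p.in_iface)
                and (self.src is None or ip_address(p.src) in self.src)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.state is None or p.state in self.state))
# The quoted INPUT chain, in order; the first terminating match wins.
INPUT = [
    Rule("ACCEPT", in_iface="lo"),
    Rule("ACCEPT", state=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("ACCEPT", in_iface="eth0", src=LAN, proto="udp", dport=123),
    Rule("ACCEPT", in_iface="eth0", src=LAN, proto="tcp", dport=123),
    Rule("LOG"),   # rate-limited in the original; LOG never ends traversal
    Rule("DROP"),
]

def chain_for(p: Packet) -> str:  # routing decision: local dst -> INPUT, else FORWARD
    return "INPUT" if ip_address(p.dst) in SERVER_ADDRS else "FORWARD"

def verdict(p: Packet) -> str:
    """Return 'CHAIN:TARGET' for the packet under the quoted ruleset."""
    if chain_for(p) == "FORWARD":
        return "FORWARD:DROP"        # empty chain, policy DROP
    for rule in INPUT:
        if rule.matches(p) and rule.target != "LOG":
            return f"INPUT:{rule.target}"
    return "INPUT:ACCEPT"            # chain policy; unreachable past the final DROP
```

A LAN client's NTP query to the server's own address is accepted by the fourth INPUT rule without FORWARD ever being consulted; the same query arriving on eth1, or from outside the assumed LAN range, falls through to the logged DROP, which is where the firewall log from the quoted LOG rule becomes the first thing to check.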