IPTables allow NTP Time Server
Considering your last rule is an unconditional REJECT, I would do it with a -I, since appending it would create a rule that would never be reached. ntpd only communicates over udp/123, so allowing that traffic and RELATED,ESTABLISHED is often good enough on its own.
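A helper for the -I versus -A decision made in the answer above, added here as an example and not taken from the original post: it reads a chain in `iptables -S` form and prints the iptables command with the NTP rule placed just before a trailing unconditional REJECT or DROP (so earlier rules keep their order), or appended when no such rule ends the chain. The sample chain is constructed from the question's listing; the `-i lo` on its first rule is an assumption, since `iptables -L` without `-v` hides interface matches, and the function names `placement` and `ntp_rule_cmd` are invented for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Decides whether a new rule for a
# chain can be appended (-A) or must be inserted (-I) ahead of an unconditional
# terminating rule, given the chain's rules in `iptables -S <chain>` form on
# stdin. It prints the command to run; it never calls iptables itself.

# Constructed sample in `iptables -S` form, abbreviated from the question's
# RH-Firewall-1-INPUT chain. The `-i lo` on the first rule is an assumption:
# `iptables -L` without -v hides interface matches, so it shows as "ACCEPT all".
SAMPLE_CHAIN='-N RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

# placement CHAIN: reads rules on stdin and prints "-A CHAIN" when the new rule
# can safely be appended, or "-I CHAIN N" where N is the 1-based position of a
# trailing unconditional REJECT/DROP, so the new rule lands directly before it.
placement() {
  chain=$1
  awk -v chain="$chain" '
    $1 == "-A" && $2 == chain {
      n++
      # Unconditional rule: "-j" follows the chain name with no match spec.
      if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) term = n; else term = 0
    }
    END { if (term) print "-I " chain " " term; else print "-A " chain }'
}

# ntp_rule_cmd CHAIN: the full command that lets NTP (udp/123) into CHAIN.
ntp_rule_cmd() {
  chain=$1
  echo "iptables $(placement "$chain") -p udp --dport 123 -j ACCEPT"
}

# Against a live system, feed the real chain in instead of the sample:
#   iptables -S RH-Firewall-1-INPUT | ntp_rule_cmd RH-Firewall-1-INPUT
printf '%s\n' "$SAMPLE_CHAIN" | ntp_rule_cmd RH-Firewall-1-INPUT
```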
Updated on September 18, 2022

Comments
-
John Wesley Gordon over 1 year
I am new to IPTables. I have an existing config that seems to work well. I am not sure I know how to add NTP to the rule chain RH-Firewall-1-INPUT correctly. My goal is to add an additional rule to allow NTP to enter the server so it can act as an NTP server for my network. Would I simply need

iptables -I RH-Firewall-1-INPUT -p udp --dport 123 -j ACCEPT

and then, of course, if it works

iptables save

I'm not confident whether I should be using -I (insert) or -A (append), or if it is much more difficult. Below is my existing config shown with iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:squid
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
-
Chad K about 10 years
The first line of RH-Firewall-1-INPUT is allowing all traffic of any protocol to come in. With that said, you shouldn't have to modify your ruleset to get NTP working.