IPTables allow NTP Time Server


Considering your last rule is an unconditional REJECT, I would do it with a -I, since appending it would create a rule that would never be reached. ntpd only communicates over udp/123, so allowing that traffic plus RELATED,ESTABLISHED is often good enough on its own.
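To see why the answer prefers -I over -A on this particular chain, here is an added first-match simulation of the RH-Firewall-1-INPUT listing from the question (example code, not from the question, the answer or any iptables tool); the Rule and Packet classes, the condensed chain and the port numbers for mdns/ipp/squid are constructed for illustration.

```python
"""First-match simulation of the RH-Firewall-1-INPUT chain (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass
class Rule:
    target: str                      # ACCEPT / REJECT
    proto: str = "all"               # "all" matches every protocol
    dport: Optional[int] = None      # None matches any destination port
    states: FrozenSet[str] = frozenset()  # empty set: no conntrack state match

@dataclass
class Packet:
    proto: str
    dport: int
    state: str = "NEW"

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "all" or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.states or pkt.state in rule.states))

def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Netfilter semantics: the first matching rule decides; otherwise the chain policy."""
    for i, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule.target, i
    return "POLICY", None

def page_chain() -> List[Rule]:
    """Condensed RH-Firewall-1-INPUT from the question (esp/ah omitted; ports assumed)."""
    return [
        Rule("ACCEPT"),                                   # ACCEPT all -- anywhere anywhere
        Rule("ACCEPT", "icmp"),
        Rule("ACCEPT", "udp", 5353),                      # mdns
        Rule("ACCEPT", "udp", 631),                       # ipp
        Rule("ACCEPT", "tcp", 631),                       # ipp
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
        Rule("ACCEPT", "tcp", 22, frozenset({"NEW"})),    # ssh
        Rule("ACCEPT", "tcp", 443, frozenset({"NEW"})),   # https
        Rule("ACCEPT", "tcp", 80, frozenset({"NEW"})),    # http
        Rule("ACCEPT", "tcp", 3128, frozenset({"NEW"})),  # squid
        Rule("REJECT"),                                   # reject-with icmp-host-prohibited
    ]

def add_ntp(chain: List[Rule], insert: bool) -> List[Rule]:
    """insert=True mimics 'iptables -I' (position 1); False mimics 'iptables -A' (append)."""
    new = list(chain)
    ntp = Rule("ACCEPT", "udp", 123)
    new.insert(0, ntp) if insert else new.append(ntp)
    return new
```

Evaluating Packet("udp", 123) against page_chain() hits the blanket ACCEPT at index 0 (Chad K's point); against the chain with that first rule dropped, the appended NTP rule sits behind the REJECT and is never reached, while the inserted one matches first.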



John Wesley Gordon

Software Developer at Leidos. Owner of ZoneGordon.Com and Salted Chips Studios. Worked for 6 Months as a contractor for TekSystems, Worked for 14 years as a Systems Administrator and Developer for TimBar Packaging & Display / Packaging Corporation of America. I work in multiple programming areas including ASP.NET, C#, Java, JavaScript, HTML, CSS, and SQL to name a few.

Updated on September 18, 2022

Comments

  • John Wesley Gordon, over 1 year

    I am new to IPTables. I have an existing config that seems to work well. I am not sure I know how to add NTP to the rule chain RH-Firewall-1-INPUT correctly. My goal is to add an additional rule to allow NTP to enter the server so it can act as an NTP server for my network. Would I simply need iptables -I RH-Firewall-1-INPUT -p udp --dport 123 -j ACCEPT and then, of course, if it works, iptables save? I'm not confident whether I should be using -I (insert) or -A (append), or if it is much more difficult. Below is my existing config, shown with iptables -L:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain RH-Firewall-1-INPUT (2 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp any
    ACCEPT     esp  --  anywhere             anywhere
    ACCEPT     ah   --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:squid
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
    
    • Chad K, about 10 years
      The first line of RH-Firewall-1-INPUT is allowing all traffic of any protocol to come in. With that said, you shouldn't have to modify your ruleset to get NTP working.