NTP Problem with Firewall Script
Need some help if you could please. Using Breezy 5.10, my iptables firewall script doesn't let me pass NTP stuff except by command-line /usr/sbin/ntpdate. I know that all NTP needs is 123 UDP, but for some reason the gnome date/time applet in the GUI won't let me click "Synchronize" unless I drop my firewall. Can you identify for me what might be the cause? Here's my current /etc/firewall.sh script:
#!/bin/sh
# /etc/firewall.sh: flush the INPUT chain and rebuild it
iptables -F
# loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# web hosting (HTTP/HTTPS); --syn matches only the packet that opens a TCP connection
iptables -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 80 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 443 -j ACCEPT
# NTP: only UDP packets addressed to local port 123 get in
iptables -A INPUT -p udp -m udp --dport 123 -j ACCEPT
# proxy for the family PCs
iptables -A INPUT -p tcp -m tcp --dport 8888 --syn -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 8888 -j ACCEPT
# VPN (port 500, IKE/ISAKMP)
iptables -A INPUT -p tcp -m tcp --dport 500 --syn -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
# DNS replies, accepted only from my two resolvers (MYDNS1/MYDNS2 are placeholders)
iptables -A INPUT -p udp -m udp -s MYDNS1 --sport 53 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s MYDNS2 --sport 53 -d 0/0 -j ACCEPT
# everything else: refuse new TCP connections and all remaining UDP
iptables -A INPUT -p tcp -m tcp --syn -j REJECT
iptables -A INPUT -p udp -m udp -j REJECT
# show the resulting chain
iptables -L
This permits the following for me:
* VPN
* Proxy hosting for my family
* DNS lookup
* web hosting (for when I test with family PCs against my Linux PC)
It *does*, however, allow me to look up NTP from the command line with:
/usr/sbin/ntpdate -b -s pool.ntp.org
But from the GUI, in GNOME's date/time control panel, the Synchronize button doesn't let me through unless I drop the firewall!
A good friend replied to me by email:
iptables -A INPUT -p udp -m udp --sport 123 -j ACCEPT
(note the --sport)
...I must try this and let you all know.
Oddly enough, the GNOME timezone sync in the GNOME date/clock applet requires both UDP and TCP, not just UDP! In the end, I had to use this:
#!/bin/sh
# /etc/firewall.sh: flush the INPUT chain and rebuild it
iptables -F
# loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# web hosting (HTTP/HTTPS)
iptables -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 80 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 443 -j ACCEPT
# NTP, as suggested: accept any inbound UDP packet whose *source* port is 123,
# whatever local port it is addressed to, and any new TCP connection arriving
# from source port 123
iptables -A INPUT -p udp -m udp --sport 123 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 123 --syn -j ACCEPT
# proxy for the family PCs
iptables -A INPUT -p tcp -m tcp --dport 8888 --syn -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 8888 -j ACCEPT
# VPN (port 500, IKE/ISAKMP)
iptables -A INPUT -p tcp -m tcp --dport 500 --syn -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
# DNS replies, accepted only from my two resolvers (MYDNS1/MYDNS2 are placeholders)
iptables -A INPUT -p udp -m udp -s MYDNS1 --sport 53 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s MYDNS2 --sport 53 -d 0/0 -j ACCEPT
# everything else: refuse new TCP connections and all remaining UDP
iptables -A INPUT -p tcp -m tcp --syn -j REJECT
iptables -A INPUT -p udp -m udp -j REJECT
# show the resulting chain
iptables -L
...to permit NTP time sync in GNOME along with everything else that I provide.