Sorry about the delay in posting a summary - today was the first day I had a chance to try the suggestions I received. I ended up using Tom Yates's suggestion:

    "iptables -A FORWARD -p udp --sport 123 --dport 123 -s a.b.c.d -d i.j.k.l -j ACCEPT

    where a.b.c.d is the address of the external timeserver, and i.j.k.l is the address of the internal machine wanting synchronisation."

Other suggestions/info:

1) Time servers communicate both in AND out on port 123, so just add a -p tcp and a --dport / --sport 123 rule and you're good to go. According to /etc/services, ntp can use udp too, so you may wish to duplicate the rule set for udp. As you're connecting from behind the firewall, be sure to have NAT configured too, and put the same rules in the FORWARD chain as you do in the INPUT chain.

2) Sync the clock on the firewall to the external source, and then have your internal clients sync to the firewall.

3) This is for NTP:

    iptables --append INPUT -i $IFACE -p udp -s $TIMESERVER --sport 123 -m state --state ESTABLISHED -j ACCEPT

   Put your interface (i.e. eth1) for $IFACE, or define it somewhere in your script. $TIMESERVER should be the IP address of the time server. 123 is the NTP port, but if you use daytime you will need to create a rule for 13 too. This just does udp, but you should create a tcp rule if you have trouble with just udp.

4) $IPTABLES -A INPUT -p UDP -s 0/0 --source-port 123 -j ACCEPT

5) iptables -A OUTPUT -o eth0 -p tcp -m tcp -d atomicclockserver.com --dport 23 -j ACCEPT
   iptables -A INPUT -i eth0 -p tcp -m tcp -s atomicclockserver.com --sport 23 -j ACCEPT

6) iptables -A INPUT -i eth0 -p udp -d xxx.xxx.xxx.xxx --dport 123 -s xxx.xxx.xxx.xxx --sport 123 -j ACCEPT
   (eth0 if that is your connection to the world; udp because I'm assuming you're using ntp)

7) http://www.eecis.udel.edu/~ntp/

Much thanks to all those who responded:

Tate Belden
Steve Mickeler
Mike Bruno
Casey Paul Scott
Skylar Thompson
Tom Yates
Raffael Marty
Yura Pismerov
Chris Fuhrman
Edware Macnaghten
Aaron Hirsch
John Duksta
Kent Schumacher

_______________________________________________
LinuxManagers mailing list - http://www.linuxmanagers.org
submissions: LinuxManagers@linuxmanagers.org
subscribe/unsubscribe: http://www.linuxmanagers.org/mailman/listinfo/linuxmanagers
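As an added example (not from the original post or any of the replies), the same NTP allowance written as one stateful iptables-restore ruleset: it narrows suggestion 4 (which accepts UDP from port 123 of any host) to the single configured server, accepts only replies to queries the firewall or the internal client actually sent, and includes the NAT rule suggestion 1 says is needed. The WAN interface, time server and internal client are placeholder parameters.

```shell
#!/bin/sh
# Added example, not the original poster's or the list's code.
# Emits an iptables-restore ruleset that lets the firewall itself and one
# internal host (behind NAT) talk NTP to exactly one external server.
# Arguments (placeholders): WAN interface, external NTP server, internal client.
ntp_ruleset() {
    iface=$1; timeserver=$2; client=$3
    cat <<EOF
*filter
# Firewall's own clock: outbound queries to the one server, and only the
# replies to them back in (no "-s 0/0 --sport 123" catch-all).
-A OUTPUT -o $iface -p udp -d $timeserver --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $iface -p udp -s $timeserver --sport 123 -m state --state ESTABLISHED -j ACCEPT
# Internal client: same pair in the FORWARD chain.
-A FORWARD -o $iface -p udp -s $client -d $timeserver --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i $iface -p udp -s $timeserver -d $client --sport 123 -m state --state ESTABLISHED -j ACCEPT
COMMIT
*nat
# The client is behind the firewall, so its queries need NAT on the way out.
-A POSTROUTING -o $iface -s $client -j MASQUERADE
COMMIT
EOF
}

# Sanity check before loading: every filter rule names the server, none uses 0/0.
ntp_ruleset_is_tight() {
    rules=$(ntp_ruleset "$@" | grep -E '^-A (INPUT|OUTPUT|FORWARD)')
    if echo "$rules" | grep -qvF -- "$2"; then return 1; fi
    if echo "$rules" | grep -qF -- '0/0'; then return 1; fi
    return 0
}

# Usage: sh thisfile.sh eth0 a.b.c.d i.j.k.l  (loads without flushing existing rules)
if [ "$#" -eq 3 ] && ntp_ruleset_is_tight "$@"; then
    ntp_ruleset "$@" | iptables-restore -n
fi
```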