Patrick,

Good catch.  Thanks for noticing.  I'll adjust as you suggest.

Best regards,
Mike

-----Original Message-----
From: pool [mailto:[email protected]] On Behalf Of Patrick Domack
Sent: May 8, 2015 6:29 PM
To: [email protected]
Subject: Re: [Pool] Firewall recommendations for ntp server?

You might want to adjust it a little.

iptables -t raw -I OUTPUT -p udp --sport 123 -j NOTRACK
iptables -t raw -I PREROUTING -p udp --dport 123 -j NOTRACK
iptables -I INPUT -p udp --dport 123 -j ACCEPT
iptables -I OUTPUT -p udp --sport 123 -j ACCEPT

That will cause clients requesting time from you to not be tracked.

But your requests to other servers for time will be. It will close a small firewall hole vs the proposed, as with the below anyone using a source port of 123 would get past the firewall, even if it didn't go TO your ntp server, but to another udp port.

If you need the other firewall rules so you can query time, add the INPUT and OUTPUT ones, but not the raw NOTRACK ones, so conntrack will still keep those locked down.



Quoting [email protected]:

> Tore and Kiss,
>
> It looks like this is resolved.  For others that might benefit, this is what
> I am currently using and now the nf_conntrack_count is < 20.
>
> iptables -t raw -I OUTPUT -p udp --dport 123 -j NOTRACK
> iptables -t raw -I OUTPUT -p udp --sport 123 -j NOTRACK
> iptables -t raw -I PREROUTING -p udp --dport 123 -j NOTRACK
> iptables -t raw -I PREROUTING -p udp --sport 123 -j NOTRACK
> iptables -I INPUT -p udp --dport 123 -j ACCEPT
> iptables -I INPUT -p udp --sport 123 -j ACCEPT
> iptables -I OUTPUT -p udp --dport 123 -j ACCEPT
> iptables -I OUTPUT -p udp --sport 123 -j ACCEPT
>
> Thanks for your advice.  Have a good weekend!
>
> Best regards,
> Mike
>
> -----Original Message-----
> From: Tore Anderson [mailto:[email protected]]
> Sent: May 7, 2015 10:10 PM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [Pool] Firewall recommendations for ntp server?
>
> * <[email protected]>
>
>> 3. Disable connection tracking altogether (I think the best solution,
>> no?)
>
> This. At least do it just for your NTP traffic. Since NTP is UDP,
> there's in reality no "connections" to track, and netfilter can't
> remove an active flow immediately after it's over (since UDP, unlike
> TCP, gives no hint to third-party observers like netfilter that "this
> conversation is over"). So they all have to time out instead.
>
> Something like this ought to do the trick:
>
> ip{6,}tables -t raw -I PREROUTING -p udp --dport ntp -j NOTRACK
> ip{6,}tables -t raw -I OUTPUT -p udp --sport ntp -j NOTRACK
>
> Tore
>
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
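
Patrick's point about the source-port-123 hole, as an added toy model that is not code from the thread: it replays both rule sets against three constructed packet exchanges (an inbound client request, our own upstream query, and an unsolicited datagram from port 123). Assumed, because the thread does not show the rest of the firewall: a default-DROP policy on INPUT/OUTPUT, an ESTABLISHED conntrack rule on INPUT, and in Patrick's variant a tracked OUTPUT --dport 123 ACCEPT for our own client queries.

```python
from dataclasses import dataclass

NTP = 123

@dataclass(frozen=True)
class Pkt:
    direction: str  # "in" (PREROUTING/INPUT) or "out" (OUTPUT)
    sport: int
    dport: int

def _server_side(p):
    # packets an NTP *server* sees: requests to dport 123, replies from sport 123
    return (p.dport if p.direction == "in" else p.sport) == NTP

# Mike's set: NOTRACK and ACCEPT on sport 123 *and* dport 123, both directions.
MIKE = dict(notrack=lambda p: NTP in (p.sport, p.dport),
            accept=lambda p: NTP in (p.sport, p.dport))

# Patrick's adjustment: only the server side is untracked and accepted by port.
# Client queries stay tracked (assumed OUTPUT --dport 123 ACCEPT + ESTABLISHED rule).
PATRICK = dict(notrack=_server_side,
               accept=lambda p: _server_side(p) or (p.direction == "out" and p.dport == NTP))

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # conntrack table, keyed (local_port, remote_port)
    def filter(self, p: Pkt) -> str:
        if not self.rules["notrack"](p):
            # tracked: outbound creates a flow, inbound may match an existing one
            if p.direction == "out":
                self.flows.add((p.sport, p.dport))
            elif (p.dport, p.sport) in self.flows:
                return "ACCEPT(established)"
        return "ACCEPT" if self.rules["accept"](p) else "DROP"  # assumed default DROP

def stray_sport123_reaches_host(rules) -> bool:
    """Patrick's hole: an unsolicited datagram from port 123 to another UDP service."""
    return Firewall(rules).filter(Pkt("in", sport=NTP, dport=5353)) != "DROP"

def client_query_works(rules) -> bool:
    """Our own query to an upstream server, then its reply, must still pass."""
    fw = Firewall(rules)
    return (fw.filter(Pkt("out", sport=40000, dport=NTP)) != "DROP"
            and fw.filter(Pkt("in", sport=NTP, dport=40000)) != "DROP")

def serving_clients_works(rules) -> bool:
    """Inbound request plus our reply pass and leave no conntrack entry behind."""
    fw = Firewall(rules)
    ok = fw.filter(Pkt("in", sport=50000, dport=NTP)) == "ACCEPT"
    return ok and fw.filter(Pkt("out", sport=NTP, dport=50000)) == "ACCEPT" and not fw.flows
```

Both sets serve clients and let the host's own queries through; only Mike's admits the stray packet, because its INPUT --sport 123 ACCEPT trusts the remote port alone.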
