iptables and ntp

Sam Kuper sam.kuper at uclmail.net
Sat Nov 1 19:20:10 UTC 2008


Dear all,
I am having some trouble with ntp and iptables.

With iptables set to have no rules and a default ACCEPT stance, ntpq -p
works as it should (it prints a table of ntp servers I'm connected to). But
with my iptables rules loaded, ntpq -p gives the error: "ntpq: write to
localhost failed: Operation not permitted".

I guess there's a problem with the iptables rules that I've been unable to
spot, so I'd be grateful for suggestions!

Here is my iptables ruleset (which is based on the one Michael Rash provides
in his book Linux Firewalls):

#!/bin/sh
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
# SPK: Set this to the local IP address of the host, assuming the host is not a
# firewall with pass-through.
INT_NET=192.168.11.2

### flush existing rules and set chain policy setting to DROP
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

### load connection-tracking modules
#
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

###### INPUT chain ######
#
echo "[+] Setting up INPUT chain..."

### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules
# SPK: Modified this to permit SSH access from anywhere.
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
# SPK: for ntpd. Accepts any UDP arriving on eth0 with source port 123, whether
# or not it answers a query this host sent.
$IPTABLES -A INPUT -i eth0 -p udp --sport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### default INPUT LOG rule
# No rule above accepts traffic arriving on lo; it is only excluded from logging
# here and then falls through to the chain policy (DROP).
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### OUTPUT chain ######
#
echo "[+] Setting up OUTPUT chain..."

### anti-spoofing rules
# SPK: Changed this to refer to output on eth0 (but remember to change interface
# if on VPS!).
# These two rules carry no -o match, so they apply to every outgoing packet,
# including packets sourced from 127.0.0.1 on lo.
$IPTABLES -A OUTPUT ! -s "$INT_NET" -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A OUTPUT ! -s "$INT_NET" -j DROP

### state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT # SPK for ntpd
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### FORWARD chain ######
#
echo "[+] Setting up FORWARD chain..."

### state tracking rules
# SPK: Modified to log & drop all invalid pkts for forwarding (even though there
# shouldn't be any).
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

### anti-spoofing rules
# SPK: Log & drop all spoofed packets for forwarding (even though there
# shouldn't be any).
$IPTABLES -A FORWARD -i eth1 ! -s "$INT_NET" -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD -i eth1 ! -s "$INT_NET" -j DROP

### default LOG rule
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

exit
### EOF ###

Many thanks in advance,

Sam
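Added example, not part of Sam's post and not Michael Rash's script. ntpq talks to ntpd over UDP port 123 on 127.0.0.1, and "Operation not permitted" (EPERM) is what a process gets from sendto() when netfilter drops a locally generated packet. In the ruleset above the first OUTPUT rules drop everything whose source is not 192.168.11.2, which includes loopback-sourced traffic, and neither INPUT nor OUTPUT has an ACCEPT for lo at all. The script below keeps the same default-DROP policy and the same allowed services but accepts lo first and scopes the anti-spoofing rules to the external interface. eth0 and INT_NET are taken from the post; the ipt wrapper, the DRY_RUN mode and the lo_accepted_before_any_drop check are my additions so the rule order can be inspected without root.

```shell
#!/bin/sh
# Added example: default-DROP host firewall that lets ntpq reach the local ntpd.
# Usage:  sh ntp-fw.sh print   # show the iptables commands, do not run them
#         sh ntp-fw.sh apply   # apply them (needs root)
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXT_IF="${EXT_IF:-eth0}"                 # assumption: external interface from the post
INT_NET="${INT_NET:-192.168.11.2}"       # assumption: host address from the post

# ipt: run iptables, or print the command when DRY_RUN=1 so rule order can be
# inspected (and checked below) without touching the kernel.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPTABLES" "$@"
    fi
}

apply_rules() {
    ipt -F
    ipt -F -t nat
    ipt -X
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Loopback first. ntpq sends UDP to 127.0.0.1:123 and ntpd answers; both
    # legs traverse OUTPUT and INPUT although they never leave the host. With a
    # DROP policy and no lo rule the kernel refuses the send with EPERM.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    ### INPUT
    ipt -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # No --sport 123 rule is needed for an NTP client: conntrack records the
    # outbound UDP query and the server's reply matches ESTABLISHED above.
    ipt -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

    ### OUTPUT
    # Anti-spoofing only on the external interface, so 127.0.0.1-sourced
    # loopback traffic is never classified as spoofed.
    ipt -A OUTPUT -o "$EXT_IF" ! -s "$INT_NET" -j LOG --log-prefix "SPOOFED PKT "
    ipt -A OUTPUT -o "$EXT_IF" ! -s "$INT_NET" -j DROP
    ipt -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
    ipt -A OUTPUT -m state --state INVALID -j DROP
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 21 22 25 43 80 443 4321 53; do
        ipt -A OUTPUT -p tcp --dport "$port" --syn -m state --state NEW -j ACCEPT
    done
    ipt -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT   # ntpd to upstream servers
    ipt -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

    ### FORWARD: this host does not route, so log everything and let policy drop it.
    ipt -A FORWARD -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
}

# lo_accepted_before_any_drop: returns 0 only if, in the printed rule order,
# "-A OUTPUT -o lo -j ACCEPT" precedes every OUTPUT rule that jumps to DROP.
lo_accepted_before_any_drop() {
    ( DRY_RUN=1; apply_rules ) | awk '
        /-A OUTPUT -o lo -j ACCEPT/           { seen_lo = 1 }
        /-A OUTPUT / && /-j DROP/ && !seen_lo { bad = 1 }
        END                                   { exit bad }'
}

case "${1:-}" in
    apply) apply_rules ;;
    print) DRY_RUN=1; apply_rules ;;
    *) ;;
esac
```

Run `sh ntp-fw.sh print | less` to review the order before applying; the two lo rules must appear before the anti-spoofing and INVALID drops, which is exactly what lo_accepted_before_any_drop verifies.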


More information about the ubuntu-users mailing list