
I want to configure iptables such that it blocks everything except

  1. Date time synchronization over the internet using NTP and
  2. Access from machines in the LAN.

I wrote the following script:

# Reset firewall:
iptables -F

# Allow NTP so the hour syncs over the internet:
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT

# Allow LAN:
iptables -A INPUT -s $NETWORK_ADDRESS/$MASK -j ACCEPT
iptables -A OUTPUT -d $NETWORK_ADDRESS/$MASK -j ACCEPT

# Block all the rest:
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

following this answer. After the script, I run sudo date -s "2 OCT 2006 18:00:00" && sudo service ntp stop && sudo service ntp start && date && watch -n 1 date. However, the date and time never synchronize until I do iptables -F.

What am I doing wrong?

  • Are you configuring the NTP service to connect to a specific NTP server by IP address? If not, then the NTP service will usually attempt to connect to a DNS-based connection pool by default, which means you'll also need DNS (port 53, both UDP and TCP needed) to resolve the actual IP address of the NTP server(s) to connect to. Commented Mar 1 at 10:55
  • I am not configuring the NTP, it is using whatever default settings it has. What would be the most appropriate way of achieving what I want to do? I guess, it would be to configure the NTP instead of the other thing (sorry, I am not very knowledgeable about all this). Commented Mar 1 at 11:30
  • Since minimizing the external connections seems to be one of your main objectives, you might want to find out the IP addresses of three or so reliable NTP servers that are located relatively close to you (in terms of network latency), and configure your NTP service to use those IP addresses. How to do that depends on which NTP service you're using: is it timesyncd (Ubuntu default, client only), chronyd (Ubuntu optional, suitable for also providing NTP service to your local network), or classic ntpd? Please add this information by editing your question, as these comments may expire. Commented Mar 1 at 12:22

1 Answer


What are you doing wrong:

  1. You should accept, on INPUT, the open and related connections.
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    This should be first. Among other things, this means you don't need the input rule for ntp (unless you are a server for external clients), and you will get related ICMP messages. Adding this to OUTPUT is also reasonable, where it will provide faster checking for your open connections.

  2. You should set the --policy of the chains:
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    You should be aware that this will survive iptables -F, so write an undo script or be prepared to use the console or reboot as needed.

  3. You should handle the FORWARD chain, even if you don't forward.
    iptables -P FORWARD DROP
    iptables -A FORWARD -j DROP
    While you may not be forwarding now, you should probably account for the possibility now.

  4. In development, you should log what you are dropping (before the final DROP):
    iptables -A INPUT -j LOG
    iptables -A OUTPUT -j LOG
    These log to the system log (either read /var/log/messages, or run dmesg), and should probably not be left permanently, unless you want to fill your logs. This will probably reveal that @telcoM was right.

  5. You don't have definitions in the script for NETWORK_ADDRESS and MASK. These could legitimately just have been removed for posting.

  6. You are writing numbers instead of names. Try:
    iptables -A OUTPUT -p udp --dport ntp -j ACCEPT

  7. You might want to be more specific about what you accept from the local LAN. In particular, you might just accept the servers you are supposed to be running.

  8. You should have only one NTP host on your network that talks to the internet. All the rest should talk to that one. This requires explicitly configuring NTP on most machines.

OK, apparently I treated this as codereview.
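Putting the answer's points (and the DNS point from the comments) together, here is a complete ruleset in iptables-restore format; this is an added example, not code from the question or the answer. It assumes a LAN CIDR, a list of NTP server IPs and optionally DNS server IPs are passed as arguments; the addresses in the usage comment are constructed RFC 5737 documentation values.

```shell
#!/bin/sh
# Constructed example: emit an iptables-restore ruleset (filter table) that
# applies the answer's points. Pipe it into `iptables-restore` to load it;
# `iptables-restore --test` only parses it. Not from the original post.
#
# Usage: build_ruleset LAN_CIDR "NTP_IP ..." ["DNS_IP ..."]

rule() { printf '%s\n' "$*"; }   # one rule line, arguments joined by spaces

build_ruleset() {
    lan="$1"; ntp_servers="$2"; dns_servers="${3:-}"
    rule '*filter'
    # Points 2 and 3: default DROP on all three chains. Policies survive
    # `iptables -F`, so keep a console session or an undo script ready.
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT DROP [0:0]'
    # Loopback, then point 1: tracked connections first. NTP/DNS replies
    # return through this rule, which replaces the --sport 123 INPUT rule.
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    rule -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Points 6 and 8: new outbound NTP only to the named servers, by service name.
    for s in $ntp_servers; do
        rule -A OUTPUT -d "$s" -p udp --dport ntp -j ACCEPT
    done
    # From the comments: DNS (UDP and TCP) only if NTP still uses pool names.
    for s in $dns_servers; do
        rule -A OUTPUT -d "$s" -p udp --dport domain -j ACCEPT
        rule -A OUTPUT -d "$s" -p tcp --dport domain -j ACCEPT
    done
    # LAN access in both directions (point 7: narrow this to real services).
    rule -A INPUT -s "$lan" -j ACCEPT
    rule -A OUTPUT -d "$lan" -j ACCEPT
    # Point 4: log before the final DROP, rate-limited so the log cannot fill.
    for chain in INPUT FORWARD OUTPUT; do
        rule -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "fw-$chain-drop:"
        rule -A "$chain" -j DROP
    done
    rule COMMIT
}

# Example (constructed addresses):
#   build_ruleset 192.168.1.0/24 "203.0.113.10 203.0.113.11" 192.168.1.1 \
#       | sudo iptables-restore
```

With the conntrack rule in place, the NTP reply reaches ntpd without any `--sport 123` INPUT rule, and the LOG lines show in `dmesg` exactly which packet (typically the DNS lookup of the pool name) the original script was dropping.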
