Linux – Why does NTP require bi-directional firewall access to UDP port 123

firewalllinuxntp

From What are the iptables rules to permit ntp?:

iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

Also, from the NTP website:

… ntpd requires full bidirectional access to the privileged UDP port 123. …

My question is, why? To someone not familiar with NTP, this seems like a potential security hole, especially when I'm asking a client of mine to open up that port in their firewall so that my servers can keep their time synchronised. Does anyone have a decent justification I can give to my client to convince them that I need this access in the firewall? Help is appreciated! 🙂

Best Answer

You only need allow incoming traffic NTP's ports if you are acting as a server, allowing clients to sync to you.

Otherwise, the existance of an NTP state will automatically determine whether the incoming NTP packet is blocked or allowed by an existing firewall state that we initiated.

iptables -A OUTPUT -p udp --sport 123 --dport 123 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Please let me know if the iptables rules are proper. I have no experience with iptables. My NTP client stays synchronized on my pfSense router with only an outgoing allow rule because pfSense is a stateful firewall.

Related Solutions

Linux – iptables: Allow only HTTP access for web browsing

Because the rule

iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

with a DROP policy on the OUTPUT chain requires two things which are highly relevant here:

The connection must already have been established
The source port must be 80/tcp

Source ports below 1024 are privileged, and generally aren't used for outgoing connections even when the socket owning process is running as root. You are more likely to see a high source port number going out, well above 30000 seems to be common.

There is also no way to establish a connection, since the only outgoing traffic that is allowed must be related to an already established connection.

Hence, in practice, nothing can match this rule.

Try instead:

iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT

which should allow any outbound connections to destination TCP port 80 where the traffic is routed through eth0, which is much more in line with what you want.

And then as has been pointed out, don't forget about HTTPS, DNS, ...

Linux – how can I allow outgoing access to a port in firewall

You are connecting to port 8983 on destination, so you must allow output traffic to that port on server 2, which you are:

iptables -A OUTPUT -p tcp -d 123.123.123.123 --dport 8983 -j ACCEPT

You should also accept incoming traffic on server 2 for related and established connections in general:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Also, don't forget to add the corresponding rules on server 1:

iptables -A INPUT -p tcp -m tcp --dport 8983 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

If you are still unable to connect after setting this rules, you are probably being blocked by an intermediate firewall between server 1 and server 2.

If that's not the case, maybe server 1 is behind a NAT and you have to set the NAT router to forward incoming connections to 8983 to the same port on server 1 behind that router.

Best Answer

Related Solutions

Linux – iptables: Allow only HTTP access for web browsing

Linux – how can I allow outgoing access to a port in firewall

Related Question