Redirect All Time Servers Request To Time Server on Internal Network (Not IPFire itself)

Took me almost a year… :clock1130:

Forward all time server requests from all networks that are destined for external time servers to my local time server (10.2.200.5) on orange. Also let the local time server on orange be the only one that speaks to the outside time servers.

Warning: this will not block external NTP, which means port 123 on red is open :fire:

No problem, since I was planning to add it to nl.pool.ntp.org.
But that will not stand with DNS.

Does anyone have a hint on how to block red in the rules below?

iptables -t nat -F CUSTOMPREROUTING
iptables -t nat -F CUSTOMPOSTROUTING
iptables -F CUSTOMFORWARD
iptables -A CUSTOMFORWARD -p udp --dport 123 -s 10.2.200.5 -j LOG --log-prefix "NTP_ACCEPT_TIME "
iptables -A CUSTOMFORWARD -p udp --dport 123 -s 10.2.200.5 -j ACCEPT
iptables -A CUSTOMFORWARD ! -s 10.2.200.5 -p udp --dport 123 -j LOG --log-prefix "NTP_ACCEPT_OTHER "
iptables -A CUSTOMFORWARD ! -s 10.2.200.5 -p udp --dport 123 -j ACCEPT
iptables -t nat -A CUSTOMPREROUTING  ! -s 10.2.200.5 -p udp --dport 123 -j LOG --log-prefix "NTP_PREROUTE "
iptables -t nat -A CUSTOMPREROUTING  ! -s 10.2.200.5 -p udp --dport 123 -j DNAT --to 10.2.200.5:123
iptables -t nat -A CUSTOMPOSTROUTING ! -s 10.2.200.5 -p udp --dport 123 -d 10.2.200.5 -j LOG --log-prefix "NTP_POSTROUTE "
iptables -t nat -A CUSTOMPOSTROUTING ! -s 10.2.200.5 -p udp --dport 123 -d 10.2.200.5 -j MASQUERADE

This thus answered the question “how” that I asked at the end of Forcing all DNS traffic from the LAN to the firewall.

Blocking!!!

Flushing, if you want to reset the custom rules:

iptables -t nat -F CUSTOMPREROUTING
iptables -t nat -F CUSTOMPOSTROUTING
iptables -F CUSTOMFORWARD

If you don’t want logging, remove the logging rules…

Private Time Server: 10.2.200.5

Accept private time server

iptables -A CUSTOMFORWARD -p udp --dport 123 -s 10.2.200.5 -j LOG --log-prefix "NTP_ACCEPT_PRIVATE "
iptables -A CUSTOMFORWARD -p udp --dport 123 -s 10.2.200.5 -j ACCEPT

Drop everything external (not on our subnet)*

* I wish I could just say RED

iptables -A CUSTOMFORWARD ! -s 10.0.0.0/8 -p udp --dport 123 -j LOG --log-prefix "NTP_DROP_EXTERNAL "
iptables -A CUSTOMFORWARD ! -s 10.0.0.0/8 -p udp --dport 123 -j DROP

Accept internal* network time server messages

* Depending on whether you included the drop rule above; if not, then it is all networks…

iptables -A CUSTOMFORWARD ! -s 10.2.200.5 -p udp --dport 123 -j LOG --log-prefix "NTP_ACCEPT_INTERNAL "
iptables -A CUSTOMFORWARD ! -s 10.2.200.5 -p udp --dport 123 -j ACCEPT

Reroute messages to our private time server, except when they come from the private time server itself

iptables -t nat -A CUSTOMPREROUTING  ! -s 10.2.200.5 -p udp --dport 123 -j LOG --log-prefix "NTP_PREROUTE "
iptables -t nat -A CUSTOMPREROUTING  ! -s 10.2.200.5 -p udp --dport 123 -j DNAT --to 10.2.200.5:123
iptables -t nat -A CUSTOMPOSTROUTING ! -s 10.2.200.5 -p udp --dport 123 -d 10.2.200.5 -j LOG --log-prefix "NTP_POSTROUTE "
iptables -t nat -A CUSTOMPOSTROUTING ! -s 10.2.200.5 -p udp --dport 123 -d 10.2.200.5 -j MASQUERADE

Note

  • Used an external NTP server tester to test if the port is working, i.e. whether port 123 is open externally…
  • iftop, with the command sudo iftop -f "port 123", running on my private time server to see the NTP connections of that server.
  • Python NTP client ripped off Stack Overflow, to send NTP packets to external time servers… which now show up in iftop!
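An added example (not from the post or from IPFire) that models how the three custom chains above treat one NTP packet, in netfilter order. It shows why the `! -s 10.0.0.0/8` DROP rule blocks red even though the DNAT in CUSTOMPREROUTING runs first, and why port 123 on red looks open without it. It assumes IPFire hooks CUSTOMPREROUTING, CUSTOMFORWARD and CUSTOMPOSTROUTING into nat PREROUTING, filter FORWARD and nat POSTROUTING respectively; the addresses 10.2.100.7, 203.0.113.9, 192.0.2.10 and 198.51.100.1 are constructed.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PRIVATE_NTP = "10.2.200.5"            # private time server from the post
INTERNAL = ip_network("10.0.0.0/8")   # "our subnet" used by the optional DROP rule

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"

def is_ntp(p):
    return p.proto == "udp" and p.dport == 123

def custom_prerouting(p):
    """nat CUSTOMPREROUTING: DNAT every NTP query not sent by the private server.
    This runs before the routing decision, so a query that arrived for red's own
    IP is now forwarded to orange instead of being delivered to IPFire itself."""
    if is_ntp(p) and p.src != PRIVATE_NTP:
        return replace(p, dst=PRIVATE_NTP), "DNAT"
    return p, None

def custom_forward(p, block_external=True):
    """filter CUSTOMFORWARD, top to bottom. DNAT rewrote dst, not src, so the
    '! -s 10.0.0.0/8' test still sees the real (external) sender."""
    if not is_ntp(p):
        return "NO_MATCH"                 # falls through to IPFire's own rules
    if p.src == PRIVATE_NTP:
        return "NTP_ACCEPT_PRIVATE"
    if block_external and ip_address(p.src) not in INTERNAL:
        return "NTP_DROP_EXTERNAL"        # the rule added under "Blocking!!!"
    return "NTP_ACCEPT_INTERNAL"

def custom_postrouting(p):
    """nat CUSTOMPOSTROUTING: masquerade redirected queries so the time server
    answers IPFire, which un-NATs the reply back to the original client."""
    if is_ntp(p) and p.src != PRIVATE_NTP and p.dst == PRIVATE_NTP:
        return "MASQUERADE"
    return None

def trace(p, block_external=True):
    """Walk the chains in netfilter order and report what happened to the packet."""
    p, nat = custom_prerouting(p)
    verdict = custom_forward(p, block_external)
    snat = custom_postrouting(p) if verdict.startswith("NTP_ACCEPT") else None
    return {"dnat": nat, "dst": p.dst, "verdict": verdict, "snat": snat}
```

`trace(Packet("203.0.113.9", "198.51.100.1", 123))` ends in NTP_DROP_EXTERNAL, while the same call with `block_external=False` is accepted and masqueraded to 10.2.200.5, which is the open port 123 on red that the first post describes.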