trixwood (Tristan Wood), 30 May 2022 03:18, post 1
Took me almost a year…
Forward all time server requests from all networks (aimed at external time servers) to my local time server (10.2.200.5) on orange. Also let the local time server on orange be the only one to speak to the outside time servers.
Warning: this will not block external NTP, which means port 123 on red is open…
No problem, since I was planning to add it to nl.pool.ntp.org.
But that will not stand with DNS.
Does anyone have a hint on how to block red in the rules below?
```bash
# Flush the custom chains so the rules can be re-applied cleanly
iptables -t nat -F CUSTOMPREROUTING
iptables -t nat -F CUSTOMPOSTROUTING
iptables -F CUSTOMFORWARD

# Forward: the local time server may reach external NTP servers
iptables -A CUSTOMFORWARD -p udp --dport 123 -s 10.2.200.5 -j LOG --log-prefix "NTP_ACCEPT_TIME "
iptables -A CUSTOMFORWARD -p udp --dport 123 -s 10.2.200.5 -j ACCEPT

# Forward: NTP from every other source is accepted as well (this includes red)
iptables -A CUSTOMFORWARD ! -s 10.2.200.5 -p udp --dport 123 -j LOG --log-prefix "NTP_ACCEPT_OTHER "
iptables -A CUSTOMFORWARD ! -s 10.2.200.5 -p udp --dport 123 -j ACCEPT

# NAT: rewrite every NTP request not coming from the local server to the local server
iptables -t nat -A CUSTOMPREROUTING ! -s 10.2.200.5 -p udp --dport 123 -j LOG --log-prefix "NTP_PREROUTE "
iptables -t nat -A CUSTOMPREROUTING ! -s 10.2.200.5 -p udp --dport 123 -j DNAT --to 10.2.200.5:123

# NAT: masquerade so the server's replies travel back through the firewall
iptables -t nat -A CUSTOMPOSTROUTING ! -s 10.2.200.5 -p udp --dport 123 -d 10.2.200.5 -j LOG --log-prefix "NTP_POSTROUTE "
iptables -t nat -A CUSTOMPOSTROUTING ! -s 10.2.200.5 -p udp --dport 123 -d 10.2.200.5 -j MASQUERADE
```
This thus answered the “how” question I asked at the end of “Forcing all DNS traffic from the LAN to the firewall”…
trixwood (Tristan Wood), 30 May 2022 04:49, post 2
Blocking!!!
Flushing, if you want to reset the custom rules:
```bash
# Empty the custom chains before adding the rules below
iptables -t nat -F CUSTOMPREROUTING
iptables -t nat -F CUSTOMPOSTROUTING
iptables -F CUSTOMFORWARD
```
If you don’t want logging, remove the logging rules…
Private time server: 10.2.200.5
Accept the private time server:
```bash
# Only the private time server is allowed out to external NTP servers
iptables -A CUSTOMFORWARD -p udp --dport 123 -s 10.2.200.5 -j LOG --log-prefix "NTP_ACCEPT_PRIVATE "
iptables -A CUSTOMFORWARD -p udp --dport 123 -s 10.2.200.5 -j ACCEPT
```
Drop everything external (not on our subnet)*
* I wish I could just say RED
```bash
# Anything with a source outside 10.0.0.0/8 is treated as external and dropped
iptables -A CUSTOMFORWARD ! -s 10.0.0.0/8 -p udp --dport 123 -j LOG --log-prefix "NTP_DROP_EXTERNAL "
iptables -A CUSTOMFORWARD ! -s 10.0.0.0/8 -p udp --dport 123 -j DROP
```
Accept internal* network time server messages
* depending on whether you included the drop rule above; if not, then it is all networks…
```bash
# Whatever survived the drop rule above is accepted
iptables -A CUSTOMFORWARD ! -s 10.2.200.5 -p udp --dport 123 -j LOG --log-prefix "NTP_ACCEPT_INTERNAL "
iptables -A CUSTOMFORWARD ! -s 10.2.200.5 -p udp --dport 123 -j ACCEPT
```
Reroute messages to our private time server, except when they come from our private time server itself:
```bash
# DNAT every other NTP request to the private time server
iptables -t nat -A CUSTOMPREROUTING ! -s 10.2.200.5 -p udp --dport 123 -j LOG --log-prefix "NTP_PREROUTE "
iptables -t nat -A CUSTOMPREROUTING ! -s 10.2.200.5 -p udp --dport 123 -j DNAT --to 10.2.200.5:123

# Masquerade so the replies come back through the firewall and are un-DNATed
iptables -t nat -A CUSTOMPOSTROUTING ! -s 10.2.200.5 -p udp --dport 123 -d 10.2.200.5 -j LOG --log-prefix "NTP_POSTROUTE "
iptables -t nat -A CUSTOMPOSTROUTING ! -s 10.2.200.5 -p udp --dport 123 -d 10.2.200.5 -j MASQUERADE
```
Note
Used an external NTP server tester to test if the port is working. To test if port 123 is open externally…
iftop with the command `sudo iftop -f "port 123"`, running on my private time server, to see the NTP connections of that server.
Python NTP client ripped off Stack Overflow, to send NTP packets to external time servers… which now show up in iftop!
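Added example, not the poster's own rules: the same redirect, but "external" is decided by the interface a packet arrived on rather than by guessing a source subnet, which is the match the second post says it wishes it could write. It assumes the RED interface is named `red0` (adjust for a PPPoE uplink such as `ppp0`), that the custom chains already exist, and that `DRY_RUN=1` prints the commands instead of executing them.

```bash
#!/bin/sh
# Added example (not the poster's rules): NTP redirect with RED matched by
# ingress interface. Assumptions: RED is red0, the CUSTOM* chains exist,
# DRY_RUN=1 prints instead of running iptables.
RED_IF="${RED_IF:-red0}"
TIME_SERVER="${TIME_SERVER:-10.2.200.5}"

ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

ntp_rules() {
    # Start from empty custom chains
    ipt -t nat -F CUSTOMPREROUTING
    ipt -t nat -F CUSTOMPOSTROUTING
    ipt -F CUSTOMFORWARD

    # Only the private time server may talk to outside pools
    ipt -A CUSTOMFORWARD -s "$TIME_SERVER" -p udp --dport 123 -j ACCEPT

    # Anything that entered on RED for port 123 is logged and dropped
    ipt -A CUSTOMFORWARD -i "$RED_IF" -p udp --dport 123 -j LOG --log-prefix "NTP_DROP_RED "
    ipt -A CUSTOMFORWARD -i "$RED_IF" -p udp --dport 123 -j DROP

    # Internal clients (already rewritten to the private server) are allowed
    ipt -A CUSTOMFORWARD ! -i "$RED_IF" -p udp --dport 123 -d "$TIME_SERVER" -j ACCEPT

    # Rewrite internal NTP requests to the private server; packets from RED
    # are excluded so they are never pointed at an internal host
    ipt -t nat -A CUSTOMPREROUTING ! -i "$RED_IF" ! -s "$TIME_SERVER" -p udp --dport 123 \
        -j DNAT --to-destination "$TIME_SERVER:123"

    # Masquerade so the server's replies return via the firewall and get
    # un-DNATed, even when client and server share a segment
    ipt -t nat -A CUSTOMPOSTROUTING ! -s "$TIME_SERVER" -d "$TIME_SERVER" -p udp --dport 123 -j MASQUERADE
}

case "${1:-}" in
    apply)   ntp_rules ;;
    dry-run) DRY_RUN=1; ntp_rules ;;
esac
```

These rules only govern forwarded traffic; whether the firewall itself answers on port 123 on RED is decided by the INPUT chain, which is worth checking with the same external tester.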