incoming ssh/sftp blocked by iptables

Steven Bonneville sbonnevi at redhat.com
Wed Apr 14 23:12:52 UTC 2004


William Hooper wrote:

> > When starting the system it seems as though the NTP
> > script 'knows' that iptables is in effect and adds
> > a hole to talk through.
>
> As someone else pointed out NTP (and IIRC it does this for your DNS
> servers in some cases) use UDP, so that connection tracking (seeing that
> the data is coming back from a request and not some random scan) doesn't
> work.

No, iptables connection tracking works fine with UDP, even though UDP
is not a connection-based protocol.  An initial UDP packet counts as
NEW.  A temporary connection tracking rule is set expecting a response
which expires in something like 30 seconds.  If a response arrives in 
time, it counts as ESTABLISHED and the timer is reset to something like 
180 seconds.  As long as packets keep getting passed before timeout, 
the tracking rule's timer will keep getting reset to 180 seconds.

If it's been up for a while, ntpd will gradually increase the time
between queries to 1024 seconds, so the tracking rule will expire.
However, each new query sent by the firewall should recreate the rule.

You should be able to find these rules in the /proc/net/ip_conntrack
table.

The default firewall, unless it's changed in the FC2 tests, allows a
box to act as an NTP client just fine, since OUTPUT allows all traffic
and INPUT allows all ESTABLISHED and RELATED traffic.  If you want to 
act as an NTP *server*, then you'll need to open access to udp/123.

  -- Steve Bonneville
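As an added example (not part of Steve's mail or of the Fedora test list), the script below does two things the reply describes: it reads /proc/net/ip_conntrack lines and reports which UDP entries are still NEW (shown as [UNREPLIED]) versus ESTABLISHED, with the remaining timeout in seconds, and it emits the INPUT rules for the client and server roles. The conntrack lines in SAMPLE_CONNTRACK are constructed and the field layout is assumed to be the 2.4/2.6-era one (protocol name, protocol number, timeout, original tuple, optional [UNREPLIED], reply tuple, optional [ASSURED], use=N); udp_conntrack_summary and ntp_firewall_rules are hypothetical names chosen here. The rules are printed, not executed, so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post. Parses ip_conntrack output
# to show UDP tracking state, and prints NTP-related iptables rules.

# Constructed sample of /proc/net/ip_conntrack lines (not from a real box).
# Line 1: NTP query sent, no reply yet (NEW, short timeout).
# Line 2: NTP query that got a reply (ESTABLISHED, timer reset to ~180 s).
# Line 3: a DNS lookup, also UDP, already answered.
# Line 4: a TCP entry, ignored by the summary below.
SAMPLE_CONNTRACK='udp      17 27 src=192.0.2.10 dst=198.51.100.1 sport=123 dport=123 [UNREPLIED] src=198.51.100.1 dst=192.0.2.10 sport=123 dport=123 use=1
udp      17 171 src=192.0.2.10 dst=198.51.100.2 sport=123 dport=123 src=198.51.100.2 dst=192.0.2.10 sport=123 dport=123 [ASSURED] use=1
udp      17 12 src=192.0.2.10 dst=192.0.2.53 sport=32877 dport=53 src=192.0.2.53 dst=192.0.2.10 sport=53 dport=32877 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=34567 dport=22 src=203.0.113.5 dst=192.0.2.10 sport=22 dport=34567 [ASSURED] use=1'

# udp_conntrack_summary: read ip_conntrack lines on stdin and print one
# line per UDP entry:
#   <NEW|ESTABLISHED> <seconds-left> <src>:<sport> -> <dst>:<dport>
# An entry is NEW until a reply is seen ([UNREPLIED] present); after that
# it is ESTABLISHED. The original-direction tuple is the first src/dst/
# sport/dport set on the line, so only the first occurrence is kept.
udp_conntrack_summary() {
    awk '$1 == "udp" {
        state = ($0 ~ /\[UNREPLIED\]/) ? "NEW" : "ESTABLISHED"
        src = ""; dst = ""; sport = ""; dport = ""
        for (i = 4; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src"   && src   == "") src   = kv[2]
            if (kv[1] == "dst"   && dst   == "") dst   = kv[2]
            if (kv[1] == "sport" && sport == "") sport = kv[2]
            if (kv[1] == "dport" && dport == "") dport = kv[2]
        }
        printf "%s %s %s:%s -> %s:%s\n", state, $3, src, sport, dst, dport
    }'
}

# ntp_firewall_rules: print the iptables rules for role $1 ("client" or
# "server"). Assumes the stock layout the mail describes: OUTPUT open and
# INPUT accepting ESTABLISHED/RELATED. A client needs nothing more, since
# the reply to its query matches ESTABLISHED; a server must also accept
# NEW queries on udp/123. Commands are printed, not run.
ntp_firewall_rules() {
    cat <<'EOF'
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ "$1" = "server" ]; then
        echo 'iptables -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT'
    fi
}

# Stand-alone run: summarize the constructed sample, then show server rules.
printf '%s\n' "$SAMPLE_CONNTRACK" | udp_conntrack_summary
ntp_firewall_rules server
```

On a real 2.4/2.6 box the same summary can be taken from the live table with `udp_conntrack_summary < /proc/net/ip_conntrack`; an NTP entry that keeps reappearing as NEW with a small timeout and never becomes ESTABLISHED is the sign that replies are not getting back in, rather than that UDP is untracked.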