Reply To: Steven J. Yellin
Date: Thu, 23 Jun 2005 09:29:53 -0700
Content-Type: TEXT/PLAIN
On Thu, 23 Jun 2005, Ken Teh wrote:
> Do the following:
>
> chkconfig --level 0123456 ntpd off
>
> Bring up the machine and do
>
> service iptables status
>
> which will show you what the firewall rules are in effect.
>
> Then, repeat this again, but this time, reenable the ntpd service.
>
> chkconfig --level 2345 ntpd on
>
> Compare the outputs of 'service iptables status' and you should be able to
> determine what the ntpd did to the firewall rules.
>
> Good luck!
>
> Ken
>
Without rebooting you can do
service iptables restart
service iptables status > iptables.1
service ntpd restart
service iptables status > iptables.2
diff iptables.1 iptables.2
You should see that only the servers you requested in /etc/ntp.conf
have been let through the firewall.
>
>
> On Thu, 23 Jun 2005, Robert E. Blair wrote:
>
> > You might want to review /etc/rc.d/init.d/ntpd since it does diddle the
> > firewall (hate to see you place restrictions that get superseded). You
> > may need to set FIREWALL_MODS=no in /etc/sysconfig/ntpd to avoid it
> > changing the firewall rules for you.
> >
> > Steven J. Yellin wrote:
> >
> > > Put the restrictions into a firewall. For example, assuming
> > >the firewall is iptables, in the INPUT chain direct all packets
> > >which are not from yourself, but have destination 123, to target
> > >"NTP". Then do something like
> > >
> > ># Create the NTP chain
> > >iptables -N NTP
> > >#
> > ># Specify which IP's and interfaces are accepted. For example,
> > ># accept only eth1, IP 123.123.123.123 and eth0, IP 203.14.211.14
> > >iptables -A NTP -i eth1 -s 123.123.123.123 -j ACCEPT
> > >iptables -A NTP -i eth0 -s 203.14.211.14 -j ACCEPT
> > >#
> > ># Ignore anybody else entering this chain (coming in on port 123)
> > >iptables -A NTP -j DROP
> > >
> > >Steven Yellin
> > >
> > >On Thu, 23 Jun 2005, Michael Mansour wrote:
> > >
> > >>Hi,
> > >>
> > >>When I run ntpd on SL3/4, it listens on port 123 on all my interfaces,
> > >>including virtual interfaces.
> > >>
> > >>How can I tell it to only listen on a certain IP/certain interface only?
> > >>
> > >>I've googled for this but can't find anything relevant.
> > >>
> > >>Thanks.
> > >>
> > >>Michael.
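The advice in this thread, pulled together as a small script. This is an added example, not a script from Steven, Robert, Ken or the ntpd package: it builds the NTP chain from a list of "interface source-ip" pairs, drops everything else that reaches the chain, and hooks the chain into INPUT for inbound UDP/123. The interface and address values are constructed placeholders taken from Steven's example, the choice to treat "not from yourself" as "not arriving on lo" is an assumption, and setting IPTABLES=echo prints the commands instead of running them so the rule set can be inspected (or tested) without root.

```shell
#!/bin/sh
# Added example (not from the thread): restrict inbound NTP with a dedicated
# iptables chain, as Steven describes. IPTABLES=echo gives a dry run.
# Remember Robert's point: the ntpd init script may rewrite the firewall, so
# set FIREWALL_MODS=no in /etc/sysconfig/ntpd or these rules get superseded.
IPTABLES=${IPTABLES:-iptables}

# Allowed peers, one "iface ip" pair per line (constructed sample values).
NTP_PEERS="eth1 123.123.123.123
eth0 203.14.211.14"

# Emit the rule set for the NTP chain, one command per line; nothing is
# applied here, so the output can be reviewed before it touches the firewall.
ntp_rules() {
    # Create the dedicated chain (flush/delete it first if it already exists)
    echo "$IPTABLES -N NTP"
    # Accept only the listed interface/source pairs
    echo "$NTP_PEERS" | while read -r iface ip; do
        [ -n "$iface" ] && [ -n "$ip" ] || continue
        echo "$IPTABLES -A NTP -i $iface -s $ip -j ACCEPT"
    done
    # Everybody else that reaches this chain is dropped
    echo "$IPTABLES -A NTP -j DROP"
    # Inbound UDP to port 123 that did not originate on this box (assumed to
    # mean: not on the loopback interface) is sent to the NTP chain. -I puts
    # the jump ahead of any broader ACCEPT already in INPUT.
    echo "$IPTABLES -I INPUT -p udp --dport 123 ! -i lo -j NTP"
}

# Apply the generated rules line by line; stops at the first failure.
apply_ntp_rules() {
    ntp_rules | while read -r cmd; do
        eval "$cmd" || return 1
    done
}

# Number of ACCEPT rules generated for the chain (sanity check: one per peer).
count_accepts() {
    ntp_rules | grep -c -- '-j ACCEPT'
}

# Steven's before/after comparison, wrapped: snapshot the live rules, restart
# ntpd, snapshot again, and diff. Needs root and the SL init scripts; not
# called in dry-run mode.
firewall_diff_after_ntpd() {
    service iptables restart && service iptables status > iptables.1 &&
    service ntpd restart && service iptables status > iptables.2 &&
    diff iptables.1 iptables.2
}

# Dry run by default; pass "apply" to load the rules for real.
if [ "$1" = "apply" ]; then
    apply_ntp_rules
else
    IPTABLES=echo ntp_rules
fi
```

Run it with no arguments to see the five commands it would issue, check that the two ACCEPT lines precede the DROP, then run it as root with `apply`. Afterwards `firewall_diff_after_ntpd` shows whether restarting ntpd adds anything beyond the servers listed in /etc/ntp.conf.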