Fedora Linux Support Community & Resources Center

Home Forums Posting Rules Linux Help Fedora Set-Up Guides Ask Fedora Fedora Project
Go Back   FedoraForum.org > Fedora 17/18 > Security and Privacy
Reload this Page Chrony and iptables
FedoraForum Search
Forgot Password? Join Us!
Register All Albums FAQ Search Today's Posts Mark Forums Read

Security and Privacy Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old 2nd July 2012, 04:27 PM
JakeR Offline
Registered User
  
Join Date: Feb 2012
Location: Sweden
Posts: 13
macoschrome
Chrony and iptables
Hi

This is my iptables configuration (only allow chronyd for NTP):

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m owner --uid-owner chrony -j ACCEPT
-A OUTPUT -p udp --dport 53 -m owner --uid-owner chrony -j ACCEPT
-A OUTPUT -p udp --dport 123 -m owner --uid-owner root -j ACCEPT
COMMIT

53 tcp/udp for DNS lookup of pool.ntp.org. 123 udp for NTP.

Can someone explain why I need to open ntp port for root and dns for chrony?
Reply With Quote
  #2  
Old 10th July 2012, 05:43 PM
Keldorn's Avatar
Keldorn Offline
Registered User
  
Join Date: Jun 2008
Location: Russia
Age: 25
Posts: 515
linuxchrome
Re: Chrony and iptables
I can suggest that DNS needed to get ip address of ntp server to sync from and ntp port to root because chrony can update system time (which allowed only to root).
Reply With Quote
  #3  
Old 11th July 2012, 08:43 AM
stevea's Avatar
stevea Online
Registered User
  
Join Date: Apr 2006
Location: Ohio, USA
Posts: 8,346
linuxfirefox
Re: Chrony and iptables
If you look through the lsof
Code:
[stevea@crucibulum Desktop]$ sudo lsof -i :123
COMMAND PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chronyd 682 chrony    1u  IPv4  13046      0t0  UDP *:ntp 
chronyd 682 chrony    2u  IPv6  13047      0t0  UDP *:ntp
its clear that port 123 socket is opening by user=chrony. So unclear why(if) you need to specify user as root.
__________________
None are more hopelessly enslaved than those who falsely believe they are free.
Johann Wolfgang von Goethe
Reply With Quote
Reply

Tags
chrony, iptables

« Previous Thread | Next Thread »
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
"Applying iptables firewall rules: iptables-restore: line 20 failed" colt Using Fedora 0 24th February 2012 03:17 AM
chrony seems very poor at finding a new network interface marko Servers & Networking 1 22nd March 2011 08:30 PM
GUI iptables "apply" differes from boot config - iptables config files load order? anocelot Security and Privacy 3 23rd August 2008 06:06 AM
command #service iptables save changed the original config of iptables kesavulur Security and Privacy 0 28th November 2007 06:33 AM
Problems In FC4 W/ Having to Type ./Iptables instead of Iptables eliminate Servers & Networking 2 17th January 2006 01:51 AM


Current GMT-time: 00:52 (Wednesday, 19-06-2013)

TopSubscribe to XML RSS for all Threads in all ForumsFedoraForumDotOrg Archive
logo

All trademarks, and forum posts in this site are property of their respective owner(s).
FedoraForum.org is privately owned and is not directly sponsored by the Fedora Project or Red Hat, Inc.
Privacy Policy | Term of Use | Posting Guidelines | Archive | Contact Us | Founding Members

Powered by vBulletin® Copyright ©2000 - 2012, vBulletin Solutions, Inc.

 FedoraForum is Powered by RedHat