
Thanks for having me!

So... I did a fresh install of RHEL v6.7. I was setting up just the NTP service and followed some tutorial on the interwebs. At some point in this tutorial it suggested that I should open port udp 123 so the server could receive NTP queries from other clients.

After that fresh install no configuration was done whatsoever.

When I checked the iptables service, this is what I got.

[root@SVNTPRJO01 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I'm not a Linux guy, but reading man pages and some blog posts I understand that because of rule number 3 on the INPUT chain this server would accept anything from anywhere, including udp 123, right?

Is my understanding correct?

This server only has one nic (eth0).

Michael Hampton
rafaelbn

1 Answer


The firewall is fine.

You need to add -v to see the full output.

Then you will see that the rule you think is allowing access from anywhere actually allows access only on the lo interface, that is, anywhere on localhost.

You can open ports in the firewall configuration by running the system-config-firewall-tui command in a terminal, or system-config-firewall on a graphical system.

Michael Hampton

  • You're absolutely right. I feel so dumb. Sorry for this stupid question. – rafaelbn Nov 19 '15 at 19:20
  • It's not so dumb. I hate this about iptables, that it doesn't show you the complete rules unless you use `-v`. It's not something I expect the average person to know. – Michael Hampton Nov 19 '15 at 19:23
  • That tiny detail explained a lot to me. This same tutorial I used also suggested that I should open an OUTPUT rule so this NTP server could connect to a higher-stratum NTP server. But since the default policy for the OUTPUT chain is ACCEPT, I understand that that rule is not necessary, right? (sorry to bother you...) – rafaelbn Nov 19 '15 at 19:33
  • No, you don't need explicit OUTPUT rules, unless you set up egress filtering (which is a whole other question). – Michael Hampton Nov 19 '15 at 19:40
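To make the answer's point concrete, here is an added example (not code from the question, the answer, or Red Hat) that walks an iptables-save style ruleset the way the kernel walks a chain: top to bottom, first match wins, chain policy otherwise. The ruleset is constructed: it is the stock RHEL 6 filter table reconstructed from the `iptables -L` output in the question, with the third INPUT rule carrying the `-i lo` match that a plain `-L` listing hides. The packet dictionaries and the helper names (`verdict`, `with_rule_inserted`, `OPEN_NTP`) are my own, and the walker understands only the `-i`, `-p`, `--dport` and `--state` matches, so it is a teaching model of first-match evaluation, not a substitute for running `iptables -L -v -n` on the host.

```python
"""Toy iptables chain walker: which verdict does a given packet get?

Constructed ruleset: the RHEL 6 default filter table, reconstructed
from the `iptables -L` output in the question (not a dump taken from
the poster's machine).  Only -i, -p, --dport and --state are evaluated.
"""

RHEL6_DEFAULT = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_rule(tokens):
    """Parse one '-A CHAIN ...' line into the matches this walker understands."""
    rule = {'chain': tokens[1], 'in': None, 'proto': None,
            'dport': None, 'states': None, 'target': None}
    i = 2
    while i < len(tokens):
        opt = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if opt == '-i':
            rule['in'] = arg                  # the match `-L` does not display
        elif opt == '-p':
            rule['proto'] = arg
        elif opt == '--dport':
            rule['dport'] = int(arg)
        elif opt == '--state':
            rule['states'] = set(arg.split(','))
        elif opt == '-j':
            rule['target'] = arg
        elif opt in ('-m', '--reject-with', '-s', '-d', '-o', '--sport'):
            pass                              # loader / parameters not evaluated here
        else:
            raise ValueError('unsupported option %r' % opt)
        i += 2                                # every option above takes one argument
    return rule


def parse_ruleset(text):
    """Return (policies, chains) from iptables-save text (filter table only)."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(':'):              # ":INPUT ACCEPT [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith('-A '):
            rule = parse_rule(line.split())
            chains[rule['chain']].append(rule)
    return policies, chains


def verdict(ruleset, chain, pkt):
    """First matching rule decides; otherwise the chain policy applies.
    pkt keys: in (interface), proto, dport, state (conntrack state)."""
    policies, chains = ruleset
    for rule in chains[chain]:
        if rule['in'] and rule['in'] != pkt['in']:
            continue
        if rule['proto'] and rule['proto'] != pkt['proto']:
            continue
        if rule['dport'] is not None and rule['dport'] != pkt.get('dport'):
            continue
        if rule['states'] and pkt['state'] not in rule['states']:
            continue
        return rule['target']
    return policies[chain]


def with_rule_inserted(text, rule_line, position):
    """Insert rule_line as the Nth INPUT rule (1-based, like `iptables -I INPUT N`)."""
    lines = text.splitlines()
    idx = [i for i, l in enumerate(lines) if l.startswith('-A INPUT ')][position - 1]
    lines.insert(idx, rule_line)
    return '\n'.join(lines) + '\n'


# Constructed packets: an NTP query arriving on eth0, the same query on loopback.
NTP_QUERY_FROM_LAN = {'in': 'eth0', 'proto': 'udp', 'dport': 123, 'state': 'NEW'}
NTP_QUERY_FROM_LOCALHOST = dict(NTP_QUERY_FROM_LAN, **{'in': 'lo'})
OUTBOUND_NTP = {'in': None, 'proto': 'udp', 'dport': 123, 'state': 'NEW'}

# The rule that actually opens udp/123, placed ahead of the final REJECT
# (equivalent to: iptables -I INPUT 4 -m state --state NEW -p udp --dport 123 -j ACCEPT)
OPEN_NTP = '-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT'


def main():
    default = parse_ruleset(RHEL6_DEFAULT)
    opened = parse_ruleset(with_rule_inserted(RHEL6_DEFAULT, OPEN_NTP, 4))
    print('default, udp/123 on eth0:', verdict(default, 'INPUT', NTP_QUERY_FROM_LAN))
    print('default, udp/123 on lo  :', verdict(default, 'INPUT', NTP_QUERY_FROM_LOCALHOST))
    print('opened,  udp/123 on eth0:', verdict(opened, 'INPUT', NTP_QUERY_FROM_LAN))
    print('outbound udp/123        :', verdict(default, 'OUTPUT', OUTBOUND_NTP))


if __name__ == '__main__':
    main()
```

Walking the default table, the query on eth0 falls through rule 3 (the `-i lo` match fails) and rule 4 (tcp only) and lands on the REJECT, while the same query on lo is accepted at rule 3; only with the udp/123 rule inserted ahead of the REJECT does the eth0 query get ACCEPT. On the real RHEL 6 host the corresponding steps are `iptables -L -v -n` (the `in` column shows `lo` on the third rule), `iptables -I INPUT 4 -m state --state NEW -p udp --dport 123 -j ACCEPT`, and `service iptables save` so the rule is written to /etc/sysconfig/iptables and survives a restart. The OUTPUT walk returns ACCEPT from the chain policy because the chain holds no rules, which is the answer's point that no outbound rule is needed for queries to an upstream server.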