ich brech mir gerade einen ab, unter Buster iptables Regeln zu erstellen, die es erlauben, dass per OpenVPN verbundene Clients auf den ntp-Server dieses Servers zugreifen dürfen.
Aktuell kommt von den Clients:
root@client:~$ nmap -sU -p123 172.27.64.1
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-26 06:58 CET
Nmap scan report for 172.27.64.1
Host is up (0.016s latency).
PORT STATE SERVICE
123/udp open|filtered ntp
Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
root@client:~$
root@server:~$ iptables -L |grep -E -i 'chain|ntp'
Chain INPUT (policy DROP)
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT udp -- anywhere anywhere udp spt:ntp
Chain FORWARD (policy DROP)
Chain OUTPUT (policy DROP)
ACCEPT udp -- anywhere anywhere udp dpt:ntp
Chain f2b-openvpn-revoked (1 references)
Chain f2b-sshd (1 references)
root@server:~$
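# Allow OpenVPN clients on the tun interfaces to query this host's NTP server.
#
# Why these rules differ from the original:
#   * A client's NTP request is addressed TO udp/123 and leaves the client from
#     an arbitrary source port (nmap's probe above certainly does). Matching
#     `--sport 123` on INPUT therefore only lets in replies from a *remote* NTP
#     server, never a client's query — the INPUT rule has to match `--dport 123`.
#   * OUTPUT policy is DROP and the only OUTPUT rule accepts `dpt:ntp`, so this
#     host's own replies (source port 123 back to the client's ephemeral port)
#     are dropped as well; they need an explicit OUTPUT rule.
#
# Note: `-A` appends at the end of the chain. If an earlier rule in INPUT/OUTPUT
# already drops or rejects the traffic (the grep above only shows the ntp
# lines, so this cannot be ruled out), use `-I` to insert before it instead.
vpn_ifaces=(tun0 tun1)

for iface in "${vpn_ifaces[@]}"; do
  # client -> server: NTP query destined for this host's ntpd
  iptables -A INPUT  -i "$iface" -p udp --dport 123 -j ACCEPT
  # server -> client: ntpd's reply, leaving from port 123
  iptables -A OUTPUT -o "$iface" -p udp --sport 123 -j ACCEPT
done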
root@server:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:xxxxxxxxxxx brd ff:ff:ff:ff:ff:ff
inet 144.xxx.xxx.xxx peer 144.xxx.xxx.xxx/32 brd 144.xxx.xxx.xxx scope global ens2
valid_lft forever preferred_lft forever
3: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 172.27.64.1 peer 172.27.64.2/32 scope global tun1
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 172.27.0.1 peer 172.27.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
root@server:~$