rdate rule

Post by Luke Voge » Thu, 07 Dec 2000 04:00:00




> Would anyone mind taking a look at this ipchains rule and tell me what I
> screwed up?  Basically, this should allow me to use rdate to set the system
> time periodically.  The logs say I'm rejecting rdate's output.

> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS
>         -d $TIME_SERVER 37 -j ACCEPT

Russ,
the following is my rule for just that purpose ...
# TIME client requests. (Port 37)
ipchains -A output -i ppp0 -p tcp  -s $PPP_IP $HI -d $TS_1 37  -j ACCEPT

It is basically exactly the same as yours ... Mine works fine ... so
there must be another reason.  Where in your script are you putting the
rule ... position *is* important.

--
Regards
Luke
PLEASE NOTE: Spamgard (tm) installed.
----
"Normal people ... believe that if it ain't broke, don't fix it.
Engineers believe that if it ain't broke, it doesn't have enough
features ... yet." -- Scott Adams
----
http://www.bell-bird.com.au

----


rdate rule

Post by Jens Hekto » Thu, 07 Dec 2000 04:00:00


Hi Luke & Neuromancer,

Usually "timed" is UDP not TCP. -> "man timed"



> > Would anyone mind taking a look at this ipchains rule and tell me what I
> > screwed up?  Basically, this should allow me to use rdate to set the system
> > time periodically.  The logs say I'm rejecting rdate's output.

> > ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS
> >         -d $TIME_SERVER 37 -j ACCEPT

It would be helpful to see the log line here. Maybe you see PROTO=17 there?

> Russ,
> the following is my rule for just that purpose ...
> # TIME client requests. (Port 37)
> ipchains -A output -i ppp0 -p tcp  -s $PPP_IP $HI -d $TS_1 37  -j ACCEPT

> It is basically exactly the same as yours ... Mine works fine ... so
> there must be another reason.  Where in your script are you putting the
> rule ... position *is* important.

Do the counters rise for that rule? -> ipchains -L -v

Bye, Jens

--
Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen
Computing Center Technical University Aachen, firewalls/network security

Private: Rochusstr. 26, D52062 Aachen, Fon: +49 241 29888, Fax: % 29889


rdate rule

Post by Luke Voge » Thu, 07 Dec 2000 04:00:00



> Hi Luke & Neuromancer,

> Usually "timed" is UDP not TCP. -> "man timed"

Good point ... if it were relevant, but Neuromancer asked about rdate NOT
timed

%man rdate
SYNOPSIS
       rdate [-p] [-s] [host...]

DESCRIPTION
       Rdate  uses  TCP  to  retrieve the current time of another
       machine using using the protocol  described  in  RFC  868.
       The  time  for each system is returned in ctime(3) format.



> > > Would anyone mind taking a look at this ipchains rule and tell me what I
> > > screwed up?  
> > >Basically, this should allow me to use rdate to set the system

--------------------------------------------^^^^^

--
Regards
Luke


rdate rule

Post by Michael Erskin » Thu, 07 Dec 2000 04:00:00


[snip]

> Where in your script are you putting the
> rule ... position *is* important.

In a response the other day I believe I may
have implied that location of a rule in a
script did not matter...  That was not my
intent. Position *is* important.  Thanks
Luke for such a polite correction.

-m-


--

Stunning Photo of Bitterroot Burning: http://www.urbanna.net/bitterroot.jpg


rdate rule

Post by Jens Hekto » Thu, 07 Dec 2000 04:00:00




> > Usually "timed" is UDP not TCP. -> "man timed"
> Good point ... if it were relevant,but Neuromancer asked about rdate NOT
> timed

Urrgh. Being able to read gives a clear advantage. Sorry.

Jens



rdate rule

Post by Luke Voge » Fri, 08 Dec 2000 08:00:55



> Here's the log entry I get when trying to access any site with rdate:

> output REJECT ppp0 PROTO=6 <my ip here>:1036 <time server>:37 L=60
> S=0x00 I=696 F=0x0000 T=64 SYN (#46)

Use "ipchains -nvL --line" to get a list output of the rules.

What does rule #46 say?

--
Regards
Luke


rdate rule

Post by Luke Voge » Fri, 08 Dec 2000 09:24:22



> > What does rule #46 say?

> 46       0     0 REJECT     all  ----l- 0xFF 0x00  ppp0
>         0.0.0.0/0            0.0.0.0/0             n/a

> All one line, of course.  I just split it for wrapping...

That, Sir, _is_ one of your sweeper rules, indicating that your rdate
rule is not working for some reason.

1. Check your syntax for case and accuracy on the $TIME_SERVER variable
   etc.
2. Check the IP addr of the time server to ensure it is correct.
3. Try a broader rule like:

ipchains -A output -i ppp0 -p tcp  -s $IPADDR $UNPRIVPORTS --dport 37
-j ACCEPT

This will accept output to any host with a dest port of 37. (Wouldn't
hurt to log it and compare the IP address of the time server to see if
it is the same as where you were trying to connect originally.)

If this works, then try the original rule you had with the confirmed IP
address.

That should get you going!

--
Regards
Luke
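The diagnostic steps above (Jens's "maybe you see PROTO=17 there?" check and Luke's "what does rule #46 say?") amount to reading the kernel's ipchains log line field by field and matching the trailing rule number against `ipchains -nvL --line`. The following script is an added example, not code from any poster in the thread: it parses a constructed log line modelled on the REJECT entry quoted above (the addresses are made-up documentation addresses, and the "Packet log:" prefix is the kernel's usual syslog prefix for ipchains), maps the PROTO number to a name, and reports which rule number fired. The `parse_ipchains_log` and `diagnose` function names are mine.

```shell
#!/bin/sh
# Constructed sample, modelled on the REJECT line quoted in the thread.
# 192.0.2.10 / 198.51.100.5 are documentation addresses, not real hosts.
SAMPLE_TCP='Packet log: output REJECT ppp0 PROTO=6 192.0.2.10:1036 198.51.100.5:37 L=60 S=0x00 I=696 F=0x0000 T=64 SYN (#46)'
# Second constructed line: the same rule catching a UDP packet (Jens's PROTO=17 case).
SAMPLE_UDP='Packet log: output REJECT ppp0 PROTO=17 192.0.2.10:1036 198.51.100.5:123 L=76 S=0x00 I=697 F=0x0000 T=64 (#46)'

# proto_name NUMBER -> prints the IP protocol name for a PROTO= value
proto_name() {
    case "$1" in
        1)  echo icmp ;;
        6)  echo tcp ;;
        17) echo udp ;;
        *)  echo "proto-$1" ;;
    esac
}

# parse_ipchains_log LINE -> one line of key=value pairs:
#   chain target iface proto src sport dst dport rule
parse_ipchains_log() {
    printf '%s\n' "$1" | awk '
    {
        for (i = 1; i <= NF; i++) {
            # the target word is preceded by the chain name and followed by the interface
            if ($i == "ACCEPT" || $i == "REJECT" || $i == "DENY") {
                chain = (i > 1) ? $(i-1) : "?"; target = $i; iface = $(i+1)
            }
            # PROTO=n is followed by src:sport and dst:dport
            if ($i ~ /^PROTO=/) { sub("PROTO=", "", $i); proto = $i; src = $(i+1); dst = $(i+2) }
            # the rule number is logged last as (#n)
            if ($i ~ /^\(#[0-9]+\)$/) { gsub(/[^0-9]/, "", $i); rule = $i }
        }
        split(src, s, ":"); split(dst, d, ":")
        printf "chain=%s target=%s iface=%s proto=%s src=%s sport=%s dst=%s dport=%s rule=%s\n",
               chain, target, iface, proto, s[1], s[2], d[1], d[2], rule
    }'
}

# diagnose LINE -> short verdict naming protocol, port and the rule that fired
diagnose() {
    parsed=$(parse_ipchains_log "$1")
    target=""; proto=""; dport=""; rule=""
    for kv in $parsed; do
        case "$kv" in
            target=*) target=${kv#target=} ;;
            proto=*)  proto=$(proto_name "${kv#proto=}") ;;
            dport=*)  dport=${kv#dport=} ;;
            rule=*)   rule=${kv#rule=} ;;
        esac
    done
    if [ "$target" = REJECT ] && [ "$proto" = tcp ] && [ "$dport" = 37 ]; then
        # RFC 868 time over TCP, i.e. rdate: a rule earlier in the chain than the
        # intended ACCEPT rule fired, so position and variables of that rule are suspect
        echo "tcp/37 (rdate) rejected by rule #$rule: check the ACCEPT rule's position and variables"
    else
        echo "$proto/$dport $target by rule #$rule"
    fi
}

# Stand-alone usage: run both samples through the diagnosis.
diagnose "$SAMPLE_TCP"
diagnose "$SAMPLE_UDP"
```

The rule number printed by `diagnose` is the one to look up in `ipchains -nvL --line`; a sweeper rule (all protocols, 0.0.0.0/0 to 0.0.0.0/0) showing up there, as in the thread, means the packet never matched the rdate ACCEPT rule placed above it, whether because of ordering or because a variable such as the time server address expanded to something unexpected.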


rdate rule

Post by Luke Voge » Fri, 08 Dec 2000 14:35:52



> > That should get you going!

> And it did.  Thank you.

Glad to be of assistance       ;8]

--
Regards
Luke


rdate rule

Post by Luke Voge » Fri, 08 Dec 2000 14:39:54




> [snip]

> > Where in your script are you putting the
> > rule ... position *is* important.

> In a response the other day I believe I may
> have implied that location of a rule in a
> script did not matter...  That was not my
> intent. Position *is* important.  Thanks
> Luke for such a polite correction.

I don't think it was in this thread, Michael; in fact I don't recall seeing
such a response, but I'll accept any praise that's forthcoming :8]

 ... lord knows our bosses rarely praise the work we do.

--
Regards
Luke


1. iptables: rule with RETURN target just after a rule with ACCEPT target

Hi, I've seen in several scripts the following layout:

iptables criteria -j ACCEPT
iptables the_same_criteria_as_above -j RETURN

for example:

iptables  -A INPUT -p tcp -m tcp --dport 100 -j ACCEPT
iptables  -A INPUT -p tcp -m tcp --dport 100 -j RETURN

The last rule will never be matched, because all incoming TCP
connections to that port will be accepted and then go through the next chain.
So, what is the usefulness of this configuration?

IMHO, it is for changing the scripts in a fast way (just
commenting out the first line will yield the default policy for the
INPUT chain).

TIA
