Allowing ORANGE access to smoothwall’s NTP server

June 13th, 2009

For security reasons, a default install of Smoothwall 3.x isn’t designed to let machines other than those on the GREEN network use the NTP server running on the Smoothwall machine. I find this a bit annoying, because the Smoothwall ships with a nice default ntpd config that synchronizes with a large group of random, publicly accessible time servers, and I’d rather not duplicate that on other machines, nor set up a time server on the GREEN network just to answer NTP requests from the ORANGE network. So here’s what I did to allow ORANGE connections to the NTP server on a Smoothwall install:

  1. First, let’s create a new modification directory in the standard Smoothwall location. I’m calling my extension ‘ntp_orange’:
    cd /var/smoothwall/mods
    mkdir ntp_orange
    
  2. Now, follow the Smoothwall convention for startup scripts and create the subdirectory that will hold our script:
    cd ntp_orange
    mkdir -p etc/rc.d
    
  3. Next, create the script itself, which makes the actual changes to the system:
    vim etc/rc.d/rc.netaddress.up
    

    And then paste the following into the editor:

    #!/bin/sh
    
    # Source the standard Smoothwall settings variables (ORANGE_DEV,
    # ORANGE_ADDRESS, ...).
    . /var/smoothwall/ethernet/settings
    
    # Nothing to do if no ORANGE interface is configured.
    if [ -z "$ORANGE_DEV" ] || [ -z "$ORANGE_ADDRESS" ]; then
      exit 0
    fi
    
    # Ensure the ntpd.conf file contains instructions to listen on the orange
    # interface.  This is necessary because any time the user edits the time
    # server settings page through the web interface, this setting goes away.
    NEW_LINE="listen on $ORANGE_ADDRESS"
    FILEPATH="/var/smoothwall/time/ntpd.conf"
    if [ -f "$FILEPATH" ] && ! grep -qxF "$NEW_LINE" "$FILEPATH"; then
      {
        echo "$NEW_LINE"
        cat "$FILEPATH"
      } > "${FILEPATH}_TMP" && mv "${FILEPATH}_TMP" "$FILEPATH"
    fi
    
    # Restart the NTP server so it picks up the new listen address.
    /usr/bin/smoothcom ntpdrestart
    
    # Insert a firewall rule to accept NTP packets (UDP port 123 only) arriving
    # on the ORANGE interface.
    # NOTE: Rule index 13 is designed to be after the rules for ipblocks,
    # spoofing, etc., including the rules that accept all traffic on the loopback
    # and GREEN interfaces.
    # Only add the rule if it isn't already present: this script runs every time
    # the network comes up (and once by hand), and -I would otherwise stack a
    # duplicate rule on each run.
    if ! iptables -L INPUT -n -v | grep -q "ACCEPT *udp .* $ORANGE_DEV .*dpt:123"; then
      iptables -I INPUT 13 -p udp -i "$ORANGE_DEV" --dport 123 -j ACCEPT
    fi
    

    You can see that I’m sourcing the standard Smoothwall settings file to pick up the current definition of which device and address are assigned to the ORANGE interface.

    I then have a block of code that checks whether NTP is already configured to listen on its ORANGE address. If it is, no modifications are made; if it isn’t, we simply insert the appropriate line at the beginning of the ntpd.conf file.

    Next, the script restarts the Smoothwall’s NTP server.

    And finally, the script inserts a firewall rule so that the Smoothwall additionally accepts NTP connections from the ORANGE interface, and only those over UDP. Because this rule is limited to NTP’s port 123 and the UDP protocol, I figure this isn’t too much of a security hole.

  4. Then, to ensure our script gets run after reboots, we modify the file
    /etc/rc.d/rc.netaddress.up

    and append these lines at the very end:

    echo "Allowing NTP requests from ORANGE interface"
    . /var/smoothwall/mods/ntp_orange/etc/rc.d/rc.netaddress.up
    
  5. And lastly, either reboot your Smoothwall or directly execute your new extension script. I would recommend that you actually do both: first, execute the script directly to make sure there were no cut-and-paste errors, etc. You can then verify that the ntpd.conf file contains what you expected:
    cat /var/smoothwall/time/ntpd.conf
    

    and verify iptables contains the new INPUT rule:

    iptables -L INPUT -v -n --line-numbers
    

    Once you know those are correct, do a reboot and then test them again to ensure you’ve gotten things working on reboot.
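    The checks from step 5 can be scripted. The helper below is an added example, not part of the Smoothwall mod itself: each function reads its input on stdin so it can be pointed at the live ntpd.conf and the `iptables -L INPUT -v -n --line-numbers` listing, and it flags the one failure mode the mod script has, a duplicate udp/123 rule stacked by running it more than once. The addresses, device names and chain listing below are constructed sample data.

```sh
#!/bin/sh
# Checks for the ntp_orange mod (added example).  Each helper reads stdin so it
# can be run against the live Smoothwall:
#   has_listen_line "$ORANGE_ADDRESS" < /var/smoothwall/time/ntpd.conf
#   iptables -L INPUT -v -n --line-numbers | count_ntp_rules "$ORANGE_DEV"

# Exit 0 if stdin (ntpd.conf) holds the exact line "listen on <address>".
has_listen_line() {
  grep -qxF "listen on $1"
}

# Print the number of ACCEPT rules for udp/123 arriving on device $1 found in
# "iptables -L INPUT -v -n --line-numbers" output on stdin.  Columns are:
# num pkts bytes target prot opt in out source destination [extra].
count_ntp_rules() {
  awk -v dev="$1" '$4 == "ACCEPT" && $5 == "udp" && $7 == dev && /dpt:123/ { n++ }
                   END { print n + 0 }'
}

# Print the chain position of the first such rule, or 0 if there is none.
ntp_rule_position() {
  awk -v dev="$1" '$4 == "ACCEPT" && $5 == "udp" && $7 == dev && /dpt:123/ { print $1; f = 1; exit }
                   END { if (!f) print 0 }'
}

# Overall verdict: exit 0 only if the listen line is present and exactly one
# rule exists.  0 rules means the mod never ran; 2+ means it ran repeatedly
# (it is sourced on every network up) and stacked duplicate rules.
check_mod() {
  addr=$1; dev=$2; conf=$3; chain=$4
  printf '%s\n' "$conf" | has_listen_line "$addr" || { echo "missing: listen on $addr"; return 1; }
  n=$(printf '%s\n' "$chain" | count_ntp_rules "$dev")
  [ "$n" -eq 1 ] || { echo "expected 1 udp/123 rule on $dev, found $n"; return 1; }
  echo "ok: listen line present, rule at position $(printf '%s\n' "$chain" | ntp_rule_position "$dev")"
}

# Constructed sample data: an ntpd.conf with the listen line, and an INPUT
# chain where the mod script has run twice.
SAMPLE_NTPD_CONF='listen on 10.0.1.1
servers pool.ntp.org'
SAMPLE_INPUT_CHAIN='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target  prot opt in   out  source     destination
1        0     0 ACCEPT  all  --  lo   *    0.0.0.0/0  0.0.0.0/0
2        0     0 ACCEPT  all  --  eth0 *    0.0.0.0/0  0.0.0.0/0
3        5   380 ACCEPT  udp  --  eth2 *    0.0.0.0/0  0.0.0.0/0  udp dpt:123
4        0     0 ACCEPT  udp  --  eth2 *    0.0.0.0/0  0.0.0.0/0  udp dpt:123'

check_mod 10.0.1.1 eth2 "$SAMPLE_NTPD_CONF" "$SAMPLE_INPUT_CHAIN" || echo "(sample deliberately shows the duplicate-rule problem)"
```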

Good luck!

Tags: Hardware · IT/Network
