From 142778c71828e470887cc60a11d0c24412be6c68 Mon Sep 17 00:00:00 2001
From: ckubu
Date: Sun, 1 Sep 2019 17:29:54 +0200
Subject: [PATCH] Support local NTP Server.
---
 conf/main_ipv4.conf.sample | 15 +++++++++++++++
 conf/main_ipv6.conf.sample | 18 ++++++++++++++++++
 ip6t-firewall-server | 18 ++++++++++++++++++
 ipt-firewall-server | 20 ++++++++++++++++++++
 4 files changed, 71 insertions(+)
diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index 34086ba..cb24f23 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -199,6 +199,21 @@ forward_vpn_server_ips=""
 vpn_ports="$standard_vpn_port"
+# local NTP Server
+#
+local_ntp_service=false
+
+# NPT Port used by local service
+#
+ntp_port="$standard_ntp_port"
+
+# Network allowed for NTP requests
+#
+# Note: if not set no port will be open!
+#
+ntp_allowed_net=""
+
+
 # DHCP Server
 #
 # Comma seperated Interface list for DHCP services
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index e8f4c88..5aceb6d 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -212,6 +212,24 @@ forward_vpn_server_ips=""
 vpn_ports="$standard_vpn_port"
+# local NTP Server
+#
+local_ntp_service=false
+
+# NPT Port used by local service
+#
+ntp_port="$standard_ntp_port"
+
+# Network allowed for NTP requests
+#
+# Note: if not set no port will be open!
+#
+# Example:
+# ntp_allowed_net="2001:678:a40:3000::/64"
+#
+ntp_allowed_net=""
+
+
 # DHCP Server
 #
 # Comma seperated Interface list for DHCP services
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index e23b661..936545e 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
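Review bot: The comment above `ntp_allowed_net` in the main_ipv4.conf.sample hunk does not say which value formats are accepted, yet the firewall scripts in this patch expand the variable unquoted straight into `-s`/`-d`, so a space-separated list of networks would produce a malformed rule. I would state the format in the comment, for example `# One network in CIDR notation, e.g. ntp_allowed_net="192.0.2.0/24" (constructed example)`, which also gives the IPv4 sample the example the IPv6 sample already has. The heading `# NPT Port used by local service` should read `# NTP Port used by local service`. The format remark and the typo apply to the main_ipv6.conf.sample hunk as well.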
@@ -1685,6 +1685,24 @@ done
 echo_done
+# ---
+# - NTP local Service"
+# ---
+
+echononl "\t\tNTP local Service"
+if [[ -n $local_ntp_service ]] && $local_ntp_service ; then
+ if [[ -z "$ntp_allowed_net" ]] ; then
+ echo_failed
+ else
+ $ip6t -A OUTPUT -p udp -d $ntp_allowed_net --dport $ntp_port -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A INPUT -p udp -s $ntp_allowed_net --dport $ntp_port -m conntrack --ctstate NEW -j ACCEPT
+ echo_done
+ fi
+else
+ echo_skipped
+fi
+
+
 # ---
 # - Whois out only
 # ---
diff --git a/ipt-firewall-server b/ipt-firewall-server
index 0cac96b..3623c60 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
@@ -1929,6 +1929,26 @@ done
 echo_done
+# ---
+# - NTP local Service"
+# ---
+
+echononl "\t\tNTP local Service"
+if [[ -n $local_ntp_service ]] && $local_ntp_service ; then
+ if [[ -z "$ntp_allowed_net" ]] ; then
+ echo_failed
+ else
+ $ipt -A OUTPUT -p udp -d $ntp_allowed_net --dport $ntp_port -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A INPUT -p udp -s $ntp_allowed_net --dport $ntp_port -m conntrack --ctstate NEW -j ACCEPT
+ echo_done
+ fi
+else
+ echo_skipped
+fi
+
+
+
+
 # ---
 # - Whois out only
 # ---
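Review bot: Neither `$ip6t` call in the inner else branch has its exit status checked, so `echo_done` is printed even when a rule was rejected, and `$ntp_allowed_net` and `$ntp_port` are expanded unquoted, so a value containing whitespace splits into extra arguments and fails in exactly that unreported way. The operator then sees the section reported as done while the INPUT rule is missing, or only one of the two rules is installed. I would quote both expansions and gate the status on the calls, e.g. `$ip6t -A INPUT -p udp -s "$ntp_allowed_net" --dport "$ntp_port" -m conntrack --ctstate NEW -j ACCEPT || rule_failed=true`, printing `echo_failed` when `rule_failed` is set. The OUTPUT rule additionally lets this host open new NTP flows towards the allowed network, which a server that only answers requests presumably does not need if replies are covered by an ESTABLISHED rule elsewhere in the script; worth confirming that it is intended. All of this applies equally to the identical `$ipt` block in the ipt-firewall-server hunk.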