# ntpd and iptables [solved]

## palmer

I'm setting up a gentoo home router and I am trying to get NTP working.

I've installed "net-misc/ntp".  I'm attempting to set up synchronization between pool.ntp.org and the server (which is on the public internet and the LAN), and I will then set up synchronization between the server and the desktops.  The server is set up with iptables and dnsmasq to do masquerading, and the internet seems to work properly (i.e., web browsing, starcraft2, and email all work), but I'm quite new at setting up iptables so it's very possible that this is a firewall issue.

`ntpdate -b -u pool.ntp.org` works on both the server and the desktops.

I have had ntpd running on the server for over 24 hours, and the output of `ntpq -p` is as follows, which I believe means there is no connection between the server and pool.ntp.org.

```
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 pool-test.ntp.o .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 ntp2.Rescomp.Be .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 dns4.rpi.edu    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 sulfur.mednor.n .INIT.          16 u    - 1024    0    0.000    0.000   0.000
```

My NTP configuration is as follows:

```
# cat /etc/ntp.conf
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org
driftfile   /var/lib/ntp/ntp.drift
restrict default nomodify nopeer
restrict 127.0.0.1
restrict default ignore
restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap
```

I've set up iptables per the home routing guide, and added a rule that I believe should allow NTP traffic through.

```
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             192.168.0.0/16
ACCEPT     all  --  192.168.0.0/16       anywhere
ACCEPT     all  --  anywhere             192.168.0.0/16
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp spt:ntp
```

I'm not quite sure what to do here; does anyone have a suggestion?

Thanks!

*Last edited by palmer on Mon May 23, 2011 9:23 pm; edited 1 time in total*

----------

## Hu

*palmer wrote:*

> ```
> # iptables --list
> ```
> ...

Use iptables-save -c, not iptables --list.

*palmer wrote:*

> ```
> Chain INPUT (policy ACCEPT)
> ...
> ```

ntp is on port 123, which would have been shown if you had done a numeric listing. ;) You drop the traffic before it can reach an allow rule.

----------

## palmer

*Hu wrote:*

> You drop the traffic before it can reach an allow rule.

Thanks!  I didn't know the iptables rules were processed in order; for some reason I assumed they were processed most-specific first.

I believe I've fixed that problem by changing my iptables ruleset.  As far as I can tell, this should be handled the same as SSH, which works from outside the network.

```
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             192.168.0.0/16
ACCEPT     all  --  192.168.0.0/16       anywhere
ACCEPT     all  --  anywhere             192.168.0.0/16
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp spt:ntp
```

Unfortunately, after restarting ntpd and letting it run for a day, the result is the same (i.e., still broken), specifically:

```
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 javanese.kjsl.c .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 64.73.32.135    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 rigel.jeffkapla .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 173-203-122-111 .INIT.          16 u    - 1024    0    0.000    0.000   0.000
```

Any more ideas?

----------

## Hu

Those look plausible, but you are still hiding a great deal of useful information by using iptables --list instead of iptables-save -c as I suggested above.  If I had to guess, I would say that your rules are interface-specific and name the wrong interface.  The command you used to list rules does not show interface requirements, but iptables-save does show them.

----------

## palmer

 *Hu wrote:*   

> Those look plausible, but you are still hiding a great deal of useful information by using iptables --list instead of iptables-save -c as I suggested above.  If I had to guess, I would say that your rules are interface-specific and name the wrong interface.  The command you used to list rules does not show interface requirements, but iptables-save does show them.

Sorry, does this help any?  For reference, eth1 is the WAN and eth0 is the LAN.

```
# iptables-save -c
# Generated by iptables-save v1.4.10 on Sun May 22 20:47:40 2011
*nat
:PREROUTING ACCEPT [56990:6002126]
:INPUT ACCEPT [11033:808726]
:OUTPUT ACCEPT [16413:1117013]
:POSTROUTING ACCEPT [87:24595]
[39303:2593625] -A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Sun May 22 20:47:40 2011
# Generated by iptables-save v1.4.10 on Sun May 22 20:47:40 2011
*mangle
:PREROUTING ACCEPT [6075561:4300398982]
:INPUT ACCEPT [74046:14794851]
:FORWARD ACCEPT [5998479:4282603091]
:OUTPUT ACCEPT [64420:12762676]
:POSTROUTING ACCEPT [6046402:4293792358]
COMMIT
# Completed on Sun May 22 20:47:40 2011
# Generated by iptables-save v1.4.10 on Sun May 22 20:47:40 2011
*filter
:INPUT ACCEPT [32106:9941079]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [63795:12697184]
[128:26056] -A INPUT -i lo -j ACCEPT
[30652:2301288] -A INPUT -i eth0 -j ACCEPT
[0:0] -A INPUT ! -i eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT ! -i eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
[4142:371321] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[542:41192] -A INPUT -p udp -m udp --dport 123 -j ACCEPT
[300:16496] -A INPUT ! -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
[6176:2097419] -A INPUT ! -i eth0 -p udp -m udp --dport 0:1023 -j DROP
[16512:1578422] -A FORWARD -d 192.168.0.0/16 -i eth0 -j DROP
[2768834:277337958] -A FORWARD -s 192.168.0.0/16 -i eth0 -j ACCEPT
[3213133:4003686711] -A FORWARD -d 192.168.0.0/16 -i eth1 -j ACCEPT
[0:0] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[625:65492] -A OUTPUT -p udp -m udp --sport 123 -j ACCEPT
COMMIT
# Completed on Sun May 22 20:47:40 2011
```

Thanks!
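A first-match simulation of the INPUT chain discussed in this thread, added here as an example (it is not code from the thread or from iptables). It reconstructs the two rule orders palmer posted, taking the interface matches from the later iptables-save output and assuming the first posting used the same interfaces, and shows why a WAN-side NTP reply hits the DROP in the first ordering but the ACCEPT in the second. The `Rule`/`evaluate` helpers and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                        # ACCEPT, DROP or REJECT
    proto: Optional[str] = None        # "tcp", "udp" or None for any protocol
    iface: Optional[str] = None        # input interface (-i)
    negate_iface: bool = False         # True models "! -i eth0"
    dport: Optional[range] = None      # destination port range (--dport)

    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.iface is not None and (pkt["iface"] == self.iface) == self.negate_iface:
            return False
        return self.dport is None or pkt["dport"] in self.dport

def evaluate(chain: list, pkt: dict, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides,
    and a packet that matches nothing gets the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

# Reconstructed from the thread's iptables-save output (interfaces assumed to
# be the same in the first posting, which --list did not show).
COMMON = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", iface="eth0"),
    Rule("REJECT", proto="udp", iface="eth0", negate_iface=True, dport=range(67, 68)),
    Rule("REJECT", proto="udp", iface="eth0", negate_iface=True, dport=range(53, 54)),
    Rule("ACCEPT", proto="tcp", iface="eth1", dport=range(22, 23)),
]
DROP_LOW = [
    Rule("DROP", proto="tcp", iface="eth0", negate_iface=True, dport=range(0, 1024)),
    Rule("DROP", proto="udp", iface="eth0", negate_iface=True, dport=range(0, 1024)),
]
NTP_OK = Rule("ACCEPT", proto="udp", dport=range(123, 124))

ORIGINAL_INPUT = COMMON + DROP_LOW + [NTP_OK]   # first posting: ACCEPT after DROP
FIXED_INPUT = COMMON + [NTP_OK] + DROP_LOW      # second posting: ACCEPT before DROP

# Constructed packets: an NTP reply from a pool server arriving on the WAN
# (eth1) and an NTP query from a LAN desktop arriving on eth0.
WAN_NTP_REPLY = {"proto": "udp", "iface": "eth1", "dport": 123}
LAN_NTP_QUERY = {"proto": "udp", "iface": "eth0", "dport": 123}
```

Note that anything above port 1023 arriving on eth1 matches no rule and falls through to the INPUT policy, which is ACCEPT in this ruleset.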

----------

## Hu

That output states that it is accepting traffic on the NTP port.  Are you sure that a packet filter is the cause of your trouble?

----------

## palmer

 *Hu wrote:*   

> That output states that it is accepting traffic on the NTP port.  Are you sure that a packet filter is the cause of your trouble?

It looks like that's no longer the problem; the line "restrict default ignore" in my ntp.conf made ntpd ignore all clients, even the servers I asked it to synchronize with.  Removing that seems to have made everything work.

Thanks for the iptables help!

----------

