# [SOLVED] NTPd refuse connection from localhost

## Shadow AOK

Hello,

Using Gentoo AMD64 up-to-date, I'm having trouble connecting to ntpd from localhost.

```
# netstat -an | grep 123
udp        0      0 87.98.138.80:123        0.0.0.0:*
udp        0      0 87.98.140.248:123       0.0.0.0:*
udp        0      0 91.121.50.194:123       0.0.0.0:*
udp        0      0 176.31.253.63:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 fe80::3a60:77ff:fe4:123 :::*
udp6       0      0 2001:41d0:8:e3f::1:123  :::*
udp6       0      0 2001:41d0:8:e3f::2:123  :::*
udp6       0      0 2001:41d0:8:e3f::4:123  :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*

# ntpdc -c iostats
localhost: timed out, nothing received
***Request timed out

# /usr/bin/ntpq -c rv
localhost: timed out, nothing received
***Request timed out
```

/etc/conf.d/ntp-client

```
# /etc/conf.d/ntp-client

# Command to run to set the clock initially
# Most people should just leave this line alone ...
# however, if you know what you're doing, and you
# want to use ntpd to set the clock, change this to 'ntpd'
NTPCLIENT_CMD="ntpdate"

# Options to pass to the above command
# This default setting should work fine but you should
# change the default 'pool.ntp.org' to something closer
# to your machine.  See http://www.pool.ntp.org/ or
# try running `netselect -s 3 pool.ntp.org`.
NTPCLIENT_OPTS="-s -b -u ntp.unice.fr ntp.imag.fr"
```

/etc/conf.d/ntpd

```
# /etc/conf.d/ntpd

# Options to pass to the ntpd process
# Most people should leave this line alone ...
# however, if you know what you're doing, feel free to tweak
NTPD_OPTS="-g -u ntp:ntp"
```

/etc/ntp.conf

```
# NOTES:
#  - you should only have to update the server line below
#  - if you start getting lines like 'restrict' and 'fudge'
#    and you didnt add them, AND you run dhcpcd on your
#    network interfaces, be sure to add '-Y -N' to the
#    dhcpcd_ethX variables in /etc/conf.d/net

# Name of the servers ntpd should sync with
# Please respect the access policy as stated by the responsible person.
#server         ntp.example.tld         iburst

# Common pool for random people
#server pool.ntp.org
server ntp.unice.fr
server ntp.imag.fr
server 0.fr.pool.ntp.org
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 3.fr.pool.ntp.org

##
# A list of available servers can be found here:
# http://www.pool.ntp.org/
# http://www.pool.ntp.org/#use
# A good way to get servers for your machine is:
# netselect -s 3 pool.ntp.org
##

# you should not need to modify the following paths
driftfile       /var/lib/ntp/ntp.drift

# Warning: Using default NTP settings will leave your NTP
# server accessible to all hosts on the Internet.

# If you want to deny all machines (including your own)
# from accessing the NTP server, uncomment:
#restrict default ignore

# To deny other machines from changing the
# configuration but allow localhost:
restrict default kod nomodify nopeer notrap noquery
restrict 127.0.0.1

# To allow machines within your network to synchronize
# their clocks with your server, but ensure they are
# not allowed to configure the server or used as peers
# to synchronize against, uncomment this line.
#
#restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap

logfile /var/log/ntp.log
```

I got nothing in the logs.

Any idea?

Thanks,

Last edited by Shadow AOK on Wed Feb 24, 2016 11:09 am; edited 2 times in total

----------

## eccerr0r

Well, telnet localhost 123 attempts a TCP connection, but NTP is listening only on UDP ports so that doesn't work...

----------

## Shadow AOK

Indeed.

Okay, so port 123 is open on localhost, but that doesn't tell me why ntpq doesn't work.

----------

## eccerr0r

Where did you get ntpq? I did not get it installed on my Gentoo machine with the openntpd package.

----------

## Shadow AOK

I have no idea, I guess it came with the ntp package.

But I think I may have found an answer to my issue:

https://forums.gentoo.org/viewtopic-t-943612-view-next.html

----------

## eccerr0r

Ah great I installed the wrong package... At least the BSD version I have is smaller...

----------

## Shadow AOK

And it doesn't help :(

----------

## eccerr0r

Well, you could try openntpd (but not advocating it, use whichever you want).  Due to a sheer mistake I'm using openntpd and at least my machine seems to sync ntp client/server... at least it seems to work.

----------

## Syl20

 *Shadow AOK wrote:*   

> Using Gentoo AMD64 up-to-date, I'm having trouble connecting to ntpd from localhost.

 

No problem here, with a more restrictive configuration:

```
$ cat /etc/ntp.conf
server 192.168.1.1
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
restrict 127.0.0.1
restrict 192.168.1.1 nomodify nopeer notrap
restrict default ignore

$ ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.1   194.57.169.1     3 u  993 1024  377    0.106   -0.273   1.003

# equery u ntp
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-misc/ntp-4.2.8_p6:
 U I
 - - caps         : Use Linux capabilities library to control privilege
 - - debug        : Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful
                    backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
 - - ipv6         : Add support for IP version 6
 - - openntpd     : Allow ntp to be installed alongside openntpd
 + + parse-clocks : Add support for PARSE clocks
 + + readline     : Enable support for libreadline, a GNU line-editing library that almost everyone wants
 - - samba        : Provide support for Samba's signing daemon (needed for Active Directory domain controllers)
 - - snmp         : Add support for the Simple Network Management Protocol if available
 + + ssl          : Add support for Secure Socket Layer connections
 + + threads      : Add threads support for various packages. Usually pthreads
 - - vim-syntax   : Pulls in related vim syntax scripts
 - - zeroconf     : Support for DNS Service Discovery (DNS-SD)
```

Did you upgrade glibc? If so, did you restart the computer afterwards?

----------

## Shadow AOK

I upgraded glibc but I still need to reboot.

But I think I had the issue before the upgrade.

I'll reboot in an hour and try again.

----------

## Shadow AOK

Rebooted and it didn't help.

----------

## Syl20

Could you launch ntpd in debug mode, and test the connection in another terminal?

```
# service ntpd stop
# ntpd -g -u ntp:ntp -dD 3
```

----------

## Shadow AOK

Tried, and I don't have any more info in the logs or on the screen.

----------

## freke

No idea if ntpq/ntpdc defaults to ipv6 or ipv4?

Could try ntpq -c rv 127.0.0.1 ?

Alternatively add 'restrict ::1' to ntp.conf for ipv6?

----------

## Shadow AOK

No idea but I already tried forcing it to use ipv4.

Both of your solutions didn't change anything.

It's no big deal, but thanks for the help.

----------

## Syl20

So you see the client attempts in the debug trace? I wondered if the problem could be related to hardening components, like netfilter/iptables, or SELinux, or grsecurity... if you use some of them. But if the ntpd server sees client connection attempts, and refuses to answer, this is an ntpd problem. Perhaps re-emerging ntp would help, but I don't think so.

Did you try to temporarily comment out the "restrict default ... " line in ntp.conf? Restrict directives are often the cause of a quiet ntpd daemon.

----------

## Shadow AOK

I tried commenting the restrict line and it works this way.

----------

## Shadow AOK

And it works partially with the restrict lines if I allow the server WAN IP (it's a dedicated server).

It's strange it uses the WAN IP instead of localhost to talk to ntp through 127.0.0.1.

 *Quote:*   

> # ntpq -c rv => works
> 
> # ntpdc -c iostats
> 
> localhost: timed out, nothing received
> ...

 

Looks like ntpdc is deprecated anyway.

It's okay, I can do everything with ntpq.

Thanks :)

----------
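Added example (not part of any post in this thread): a small Python model of how `restrict` entries decide whether ntpd answers an `ntpq`/`ntpdc` query from a given source address, run against the restrict lines from the `ntp.conf` posted at the top. It assumes that the most specific matching entry wins and that `restrict default` without `-4`/`-6` covers both IPv4 and IPv6; the function names are hypothetical and hostnames in `restrict` lines are not handled.

```python
import ipaddress

# Constructed sample: the active restrict lines from the ntp.conf posted above.
POSTED_CONF = """\
restrict default kod nomodify nopeer notrap noquery
restrict 127.0.0.1
#restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap
"""

def parse_restrict(conf_text):
    """Return [(network, flags)] for each 'restrict' line (numeric addresses only)."""
    rules = []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok = tok[1:]
        family = tok.pop(0) if tok[0] in ("-4", "-6") else None
        if not tok:
            continue
        addr = tok.pop(0)
        if addr == "default":
            # Assumption: without -4/-6, 'default' covers both address families.
            nets = [n for fam, n in (("-4", "0.0.0.0/0"), ("-6", "::/0"))
                    if family in (None, fam)]
        else:
            plen = ipaddress.ip_address(addr).max_prefixlen
            if len(tok) >= 2 and tok[0] == "mask":
                plen = bin(int(ipaddress.ip_address(tok[1]))).count("1")
                tok = tok[2:]
            nets = [f"{addr}/{plen}"]
        rules += [(ipaddress.ip_network(n, strict=False), frozenset(tok)) for n in nets]
    return rules

def effective_flags(rules, source):
    """Flags of the most specific (longest-prefix) rule matching source."""
    src = ipaddress.ip_address(source)
    hits = [(n.prefixlen, f) for n, f in rules
            if n.version == src.version and src in n]
    # With no matching entry, treat the source as unrestricted (assumption).
    return max(hits, key=lambda h: h[0])[1] if hits else frozenset()

def query_allowed(rules, source):
    """True if ntpq/ntpdc queries from source are not blocked by noquery/ignore."""
    return not ({"noquery", "ignore"} & effective_flags(rules, source))

def report(conf_text, sources):
    rules = parse_restrict(conf_text)
    return {s: query_allowed(rules, s) for s in sources}

if __name__ == "__main__":
    for src, ok in report(POSTED_CONF, ["127.0.0.1", "::1", "87.98.138.80"]).items():
        print(f"{src:15} {'answered' if ok else 'dropped'}")
```

Under this model only queries arriving with source `127.0.0.1` are answered; any other local source address, such as `::1` or one of the server's public addresses from the netstat output, falls through to `restrict default ... noquery` unless it has its own `restrict` entry.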

## freke

Missing loopback-interface?

Actually - probably not since netstat shows listening on 127.0.0.1 and ::1

----------

## Shadow AOK

Not at all, indeed.

----------

