[ntp:questions] Questions about joining pool.ntp.org
agcarver+ntp at acarver.net
Tue Aug 30 20:25:24 UTC 2011
On 8/30/2011 11:22, Rob wrote:
> Also make sure that you have no NAT or connection-tracking firewall
> between your server and the internet.
> (NAT would actually be acceptable when it is a statically configured
> one-to-one address translation, not one that ends up building a session
> table like a connection-tracking firewall does)
> Really, it will break your router or firewall when you try to go live
> without making sure this is OK.
I'd actually like to know more about this.
Given a router running typical DNAT (perhaps via iptables) would it not
be acceptable to map a single port across the firewall? Example
(assuming a single WAN interface on eth0 and ntpd on internal 192.168.1.15):
# rewrite inbound NTP to the internal server
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 123 -j DNAT --to-destination 192.168.1.15
# and let the rewritten packets through the forwarding path
iptables -A FORWARD -p udp -i eth0 -d 192.168.1.15 --dport 123 -j ACCEPT
My understanding is that this should reliably work since it would
perform a static mapping of a single port onto the server behind the
router. Connection tracking over UDP and a static mapping should also
be easier because the ports are usually reused.
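As an added illustration of the distinction Rob draws above (this is not code from the thread, and it does not settle which category an iptables DNAT rule falls into): a toy model of a connection-tracking NAT, which needs one session-table slot per client 5-tuple, next to a stateless one-to-one rewrite, which needs none. Both are sent a burst of polls from distinct client addresses. The table size and the two UDP timeouts are assumptions loosely modelled on Linux nf_conntrack defaults, and the public address and client addresses are constructed.

```python
"""Toy model: stateful (connection-tracking) NAT vs stateless 1:1 rewrite
in front of an NTP server.  Added example, not code from the thread and not
a model of any particular router.  Assumptions: table size and UDP timeouts
loosely follow Linux nf_conntrack defaults; addresses are constructed."""
from dataclasses import dataclass

NTP_SERVER = "192.168.1.15"      # internal ntpd, as in the post
PUBLIC_ADDR = "203.0.113.10"     # assumed WAN address of the router
NTP_PORT = 123


@dataclass
class Entry:
    last_seen: float
    replied: bool = False        # True once traffic was seen in both directions


class ConntrackNAT:
    """Stateful DNAT: every new client 5-tuple costs a table slot until it times out."""

    def __init__(self, max_entries=1024, udp_timeout=30.0, udp_stream_timeout=120.0):
        self.max_entries = max_entries
        self.udp_timeout = udp_timeout                # entry with no reply yet
        self.udp_stream_timeout = udp_stream_timeout  # entry seen in both directions
        self.table = {}
        self.dropped = 0

    def _expire(self, now):
        dead = [k for k, e in self.table.items()
                if now - e.last_seen > (self.udp_stream_timeout if e.replied else self.udp_timeout)]
        for k in dead:
            del self.table[k]

    def inbound(self, src_ip, src_port, now):
        """Client poll arriving at PUBLIC_ADDR:123; returns the rewritten
        destination, or None when a full table forces a drop."""
        key = (src_ip, src_port, PUBLIC_ADDR, NTP_PORT, "udp")
        entry = self.table.get(key)
        if entry is None:
            if len(self.table) >= self.max_entries:
                self._expire(now)          # only stale entries free a slot
            if len(self.table) >= self.max_entries:
                self.dropped += 1          # the "table full, dropping packet" case
                return None
            entry = self.table[key] = Entry(last_seen=now)
        entry.last_seen = now
        return (NTP_SERVER, NTP_PORT)

    def outbound(self, dst_ip, dst_port, now):
        """Server reply; without a matching entry it cannot be translated back."""
        entry = self.table.get((dst_ip, dst_port, PUBLIC_ADDR, NTP_PORT, "udp"))
        if entry is None:
            return None
        entry.replied = True
        entry.last_seen = now
        return (PUBLIC_ADDR, NTP_PORT)


class StaticDNAT:
    """Stateless one-to-one rewrite: the rule alone decides, no per-client state."""
    dropped = 0

    def inbound(self, src_ip, src_port, now):
        return (NTP_SERVER, NTP_PORT)

    def outbound(self, dst_ip, dst_port, now):
        return (PUBLIC_ADDR, NTP_PORT)


def poll_burst(nat, n_clients, start=0.0, spacing=0.001, ip_offset=0):
    """n_clients distinct (constructed 10.x.y.z) addresses each send one poll
    from port 123; returns how many of them get a reply translated back."""
    answered = 0
    for i in range(n_clients):
        n = i + ip_offset
        ip = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"
        now = start + i * spacing
        if nat.inbound(ip, NTP_PORT, now) is None:
            continue
        if nat.outbound(ip, NTP_PORT, now + 0.0005) is not None:
            answered += 1
    return answered


if __name__ == "__main__":
    stateful = ConntrackNAT(max_entries=1024)
    print("stateful, 1500 new clients:", poll_burst(stateful, 1500),
          "answered,", stateful.dropped, "dropped")
    print("stateful, 300 more clients 60 s later:",
          poll_burst(stateful, 300, start=60.0, ip_offset=1_000_000), "answered")
    print("stateful, 300 more clients 200 s later:",
          poll_burst(stateful, 300, start=200.0, ip_offset=2_000_000), "answered")
    print("stateless, 1500 new clients:", poll_burst(StaticDNAT(), 1500), "answered")
```

With a 1024-slot table, the first 1024 clients of a 1500-client burst are served and the rest are dropped; a second wave of new clients a minute later is dropped entirely because the existing entries are still within their stream timeout, and only once they have aged out does the table free up. The stateless rewrite serves every client and never needs to forget anything, which is the property Rob's "statically configured one-to-one" case relies on.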