Tue Aug 30 20:25:24 UTC 2011

On 8/30/2011 11:22, Rob wrote:

> Also make sure that you have no NAT or connection-tracking firewall
> between your server and the internet.
> (NAT would actually be acceptable when it is a statically configured
> one-to-one address translation, not one that ends up building a session
> table like a connection-tracking firewall does)
> Really, it will break your router or firewall when you try to go live
> without making sure this is OK.

I'd actually like to know more about this.

Given a router running typical DNAT (perhaps via iptables), would it not 
be acceptable to map a single port across the firewall?  Example 
(assuming a single WAN interface on eth0 and ntpd on internal

iptables -t nat -A PREROUTING -p udp -i eth0 --dport 123 -j DNAT --to-destination <internal-ntp-ip>
iptables -A FORWARD -p udp -i eth0 --dport 123 -d <internal-ntp-ip> -j ACCEPT

My understanding is that this should reliably work since it would 
perform a static mapping of a single port onto the server behind the 
router.  Connection tracking over UDP and a static mapping should also 
be easier because the ports are usually reused.
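Added example, not part of the original thread: a toy model of the session table that a connection-tracking firewall builds for UDP port 123 traffic. It shows why Rob's distinction matters: every distinct client flow occupies a table slot until the UDP idle timeout expires (Linux nf_conntrack_udp_timeout defaults to 30 seconds), so a busy NTP server behind stateful tracking can fill the table and have fresh queries dropped, while a static one-to-one translation keeps no such table. The client addresses, table size and query rate are constructed values.

```python
# Constructed model of a netfilter-style conntrack table in front of an
# NTP server (example code, not from the original post).
from collections import OrderedDict

UDP_TIMEOUT = 30.0   # seconds an idle UDP entry stays in the table (Linux default)


def steady_state_entries(new_flows_per_sec, timeout=UDP_TIMEOUT):
    """Expected table occupancy for a constant rate of fresh client flows."""
    return new_flows_per_sec * timeout


def simulate_conntrack(packets, table_max, timeout=UDP_TIMEOUT):
    """packets: iterable of (timestamp, flow_key) UDP queries in time order.
    Returns (forwarded, dropped, peak_entries)."""
    table = OrderedDict()          # flow_key -> expiry time, kept in expiry order
    forwarded = dropped = peak = 0
    for ts, key in packets:
        # Expire idle entries whose timeout has already passed.
        while table:
            oldest, expiry = next(iter(table.items()))
            if expiry > ts:
                break
            del table[oldest]
        if key in table:
            table.move_to_end(key)  # refresh an existing flow
            table[key] = ts + timeout
            forwarded += 1
        elif len(table) < table_max:
            table[key] = ts + timeout
            forwarded += 1
        else:
            dropped += 1            # table full: the new flow is dropped
        peak = max(peak, len(table))
    return forwarded, dropped, peak


def build_workload(n_clients, spread_seconds):
    """Constructed sample traffic: n_clients distinct hosts (made-up
    addresses in 203.0.113.0/24), one query each, evenly spread in time."""
    step = spread_seconds / n_clients
    return [(i * step, (f"203.0.113.{i % 254 + 1}", 40000 + i))
            for i in range(n_clients)]


if __name__ == "__main__":
    # 300 new clients in 10 s; a 100-entry table drops two thirds of them.
    for cap in (100, 1000):
        print(cap, simulate_conntrack(build_workload(300, 10), table_max=cap))
```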

