[ntp:questions] Re: Servers reachable, but can't sync - FIXED!
Greg McCann
greg at cambria.com
Fri Sep 9 00:21:51 UTC 2005
On 9/8/2005 at 9:36 PM John DeDourek <dedourek at unb.ca> wrote:
>This a Linux machine???
Yes, RH9.
>IMPORTANT: tcpdump captures packets BEFORE the iptables
>filters, so it will show the incoming packet to port 123,
>even if the packet is dropped by the iptables filters.
That's good to know. It could explain why tcpdump sees the incoming port 123 packets, but ntpd doesn't.
>Suggest you do an
> /sbin/iptables -L -v 2>&1 | less
>and see what shows up.
Good idea - I think you might be on to something. I was wondering a little about this, but I'm not very familiar with iptables and was surprised to find that it had been installed on this machine.
# /sbin/iptables -L -v 2>&1
Chain INPUT (policy ACCEPT 1629 packets, 127K bytes)
pkts bytes target prot opt in out source destination
7777 670K RH-Lokkit-0-50-INPUT all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Lokkit-0-50-INPUT all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 4342 packets, 319K bytes)
pkts bytes target prot opt in out source destination
Chain RH-Lokkit-0-50-INPUT (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any any dns2.cambria.com anywhere udp spt:domain dpts:1025:65535
32 5222 ACCEPT udp -- any any dns1.cambria.com anywhere udp spt:domain dpts:1025:65535
3 180 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:telnet flags:SYN,RST,ACK/SYN
2996 129K ACCEPT all -- lo any anywhere anywhere
3 144 REJECT tcp -- any any anywhere anywhere tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
0 0 REJECT tcp -- any any anywhere anywhere tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
3114 408K REJECT udp -- any any anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
0 0 REJECT udp -- any any anywhere anywhere udp dpt:nfs reject-with icmp-port-unreachable
0 0 REJECT tcp -- any any anywhere anywhere tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
0 0 REJECT tcp -- any any anywhere anywhere tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
Digging a little deeper, I found /etc/sysconfig/iptables...
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
This line looks suspicious:
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
Let's see if inserting this after the other ACCEPT lines helps:
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 123 -j ACCEPT
# /etc/rc.d/init.d/iptables restart
Flushing all current rules and user defined chains: [ OK ]
Clearing all current rules and user defined chains: [ OK ]
Applying iptables firewall rules: [ OK ]
# ntpdate -b 65.200.108.234
8 Sep 17:00:28 ntpdate[1984]: step time server 65.200.108.234 offset 0.153072 sec
Oooh!
# ntpd
# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
dns1.cambria.co 216.218.192.202 2 u 22 64 1 0.405 0.285 0.001
w00t!!
It works, but I noticed in the iptables config file it says "Manual customization of this file is not recommended." Is there another place I should have configured this instead?
A thousand thanks to John, and everyone else who helped me troubleshoot this.
Greg
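Added example, not from the post or from any list member: a small Python first-match evaluator over the RH-Lokkit chain listed above. It assumes the NTP server's reply arrives on eth0 and ignores the --syn flag on the TCP rules (irrelevant to the UDP case); it shows why the reply to local port 123 is swallowed by the udp 0:1023 REJECT, why inserting the ACCEPT before that REJECT fixes it, and why appending the same rule at the end of the chain would not.

```python
import re

# Chain RH-Lokkit-0-50-INPUT exactly as listed in /etc/sysconfig/iptables above.
LOKKIT_RULES = """
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
"""
NTP_ACCEPT = "-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 123 -j ACCEPT"

def parse_rule(line):
    """Match fields needed here; '-m' and '--syn' are ignored (they do not affect UDP)."""
    proto = re.search(r"-p (\S+)", line)
    iface = re.search(r"-i (\S+)", line)
    dport = re.search(r"--dport (\d+)(?::(\d+))?", line)
    return {
        "proto": proto.group(1) if proto else None,
        "iface": iface.group(1) if iface else None,
        "dport": (int(dport.group(1)), int(dport.group(2) or dport.group(1))) if dport else None,
        "target": re.search(r"-j (\S+)", line).group(1),
    }

def load_chain(text):
    return [parse_rule(l) for l in text.strip().splitlines()]

def evaluate(chain, proto, dport, iface="eth0", policy="ACCEPT"):
    """iptables semantics: first fully matching rule decides; else the INPUT policy applies."""
    for r in chain:
        if (r["proto"] and r["proto"] != proto) or (r["iface"] and r["iface"] != iface):
            continue
        if r["dport"] and not (r["dport"][0] <= dport <= r["dport"][1]):
            continue
        return r["target"]
    return policy

def ntp_verdict(rules_text):
    """Verdict for an NTP server's reply: UDP to local port 123, arriving on eth0 (assumed)."""
    return evaluate(load_chain(rules_text), "udp", 123)

# The fix from the post: ACCEPT inserted after the existing ACCEPT rules, i.e. before the REJECT.
WITH_NTP_ACCEPT = LOKKIT_RULES.replace("-i lo -j ACCEPT\n", "-i lo -j ACCEPT\n" + NTP_ACCEPT + "\n")
# The same rule appended at the end of the chain is never reached for port 123.
NTP_ACCEPT_APPENDED = LOKKIT_RULES + NTP_ACCEPT + "\n"
```

Calling ntp_verdict() on the three rule sets returns REJECT, ACCEPT and REJECT respectively, which is the ordering lesson behind Greg's fix.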