[ntp:questions] Re: Servers reachable, but can't sync - FIXED!

Greg McCann greg at cambria.com
Fri Sep 9 00:21:51 UTC 2005


On 9/8/2005 at 9:36 PM John DeDourek <dedourek at unb.ca> wrote:

>This a Linux machine???

Yes, RH9.

>IMPORTANT:  tcpdump captures packets BEFORE the iptables
>filters, so it will show the incoming packet to port 123,
>even if the packet is dropped by the iptables filters.

That's good to know.  It could explain why tcpdump sees the incoming port 123 packets, but ntpd doesn't.

>Suggest you do an
>    /sbin/iptables -L -v 2>&1 | less
>and see what shows up.

Good idea - I think you might be on to something.  I was wondering a little about this, but I'm not very familiar with iptables and was surprised to find that it had been installed on this machine.

# /sbin/iptables -L -v 2>&1

Chain INPUT (policy ACCEPT 1629 packets, 127K bytes)
 pkts bytes target     prot opt in     out     source               destination
 7777  670K RH-Lokkit-0-50-INPUT  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Lokkit-0-50-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 4342 packets, 319K bytes)
pkts bytes target     prot opt in     out     source               destination

Chain RH-Lokkit-0-50-INPUT (2 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     udp  --  any    any     dns2.cambria.com     anywhere           udp spt:domain dpts:1025:65535
  32  5222 ACCEPT     udp  --  any    any     dns1.cambria.com     anywhere           udp spt:domain dpts:1025:65535
   3   180 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp dpt:ssh flags:SYN,RST,ACK/SYN
   0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp dpt:telnet flags:SYN,RST,ACK/SYN
2996  129K ACCEPT     all  --  lo     any     anywhere             anywhere
   3   144 REJECT     tcp  --  any    any     anywhere             anywhere           tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
   0     0 REJECT     tcp  --  any    any     anywhere             anywhere           tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
3114  408K REJECT     udp  --  any    any     anywhere             anywhere           udp dpts:0:1023 reject-with icmp-port-unreachable
   0     0 REJECT     udp  --  any    any     anywhere             anywhere           udp dpt:nfs reject-with icmp-port-unreachable
   0     0 REJECT     tcp  --  any    any     anywhere             anywhere           tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
   0     0 REJECT     tcp  --  any    any     anywhere             anywhere           tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable

Digging a little deeper, I found /etc/sysconfig/iptables...

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT

This line looks suspicious:
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT

Let's see if inserting this after the other ACCEPT lines helps:
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 123 -j ACCEPT

# /etc/rc.d/init.d/iptables restart
Flushing all current rules and user defined chains:  [  OK  ]
Clearing all current rules and user defined chains:  [  OK  ]
Applying iptables firewall rules:                    [  OK  ]

# ntpdate -b 65.200.108.234
8 Sep 17:00:28 ntpdate[1984]: step time server 65.200.108.234 offset 0.153072 sec

Oooh!

# ntpd
# ntpq -p
    remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
dns1.cambria.co 216.218.192.202  2 u   22   64    1    0.405    0.285   0.001

w00t!!

It works, but I noticed in the iptables config file it says "Manual customization of this file is not recommended."  Is there another place I should have configured this instead?

A thousand thanks to John, and everyone else who helped me troubleshoot this.


Greg
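The thread turns on one property of iptables: a chain is walked top to bottom and the first matching rule decides, so the lokkit rule `udp --dport 0:1023 -j REJECT` swallows NTP (udp/123) unless an ACCEPT for that port sits above it. The following is an added example, not code from the thread or from lokkit: a small first-match simulator over the rule lines from Greg's `/etc/sysconfig/iptables`, used to check where an NTP ACCEPT has to go. It assumes an inbound interface named `eth0`, ignores `-m`, `--syn` and the REJECT/DROP distinction, and does not touch the real netfilter tables.

```python
"""First-match simulation of the RH-Lokkit-0-50-INPUT chain from the post.

Added example (not part of the mailing-list thread, and not lokkit's code).
It models only what the thread depends on: iptables walks a chain from the
top and the first matching rule wins, so an ACCEPT for udp/123 only helps
if it is placed *above* the REJECT for udp dports 0:1023 (which contains 123).
"""

# The user chain exactly as printed in the post (constructed inline here so
# the example runs offline; the INPUT -> chain jump is implied).
ORIGINAL_RULES = """
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
""".strip().splitlines()

# The rule the post adds for NTP.
NTP_ACCEPT = "-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 123 -j ACCEPT"


def parse_rule(line):
    """Pull the fields this model understands out of one '-A ...' line."""
    toks = line.split()
    rule = {"proto": None, "dport": None, "iface": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            rule["proto"] = toks[i + 1]
            i += 2
        elif t == "--dport":
            lo, _, hi = toks[i + 1].partition(":")  # "123" or "0:1023"
            rule["dport"] = (int(lo), int(hi or lo))
            i += 2
        elif t == "-i":
            rule["iface"] = toks[i + 1]
            i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        else:
            i += 1  # -A <chain>, -m <match>, --syn: no effect on this model
    return rule


def matches(rule, proto, dport, iface):
    """True if a packet (proto, dport, inbound iface) is selected by the rule."""
    if rule["proto"] and rule["proto"] != proto:
        return False
    if rule["iface"] and rule["iface"] != iface:
        return False
    if rule["dport"] and not (rule["dport"][0] <= dport <= rule["dport"][1]):
        return False
    return True


def verdict(rules, proto, dport, iface="eth0", policy="ACCEPT"):
    """Walk the chain top to bottom; the first match decides.

    Returns (target, 1-based rule number) or (policy, None) when nothing
    matched: the user chain has no policy of its own, so control falls back
    to INPUT, whose policy in the post is ACCEPT. 'eth0' is an assumed name.
    """
    for n, line in enumerate(rules, 1):
        r = parse_rule(line)
        if matches(r, proto, dport, iface):
            return r["target"], n
    return policy, None


def original_ntp():
    """Inbound NTP against the untouched lokkit chain."""
    return verdict(ORIGINAL_RULES, "udp", 123)


def fixed_ntp():
    """The post's fix: NTP ACCEPT inserted right after the existing ACCEPTs."""
    last_accept = max(i for i, l in enumerate(ORIGINAL_RULES)
                      if parse_rule(l)["target"] == "ACCEPT")
    rules = ORIGINAL_RULES[:last_accept + 1] + [NTP_ACCEPT] + ORIGINAL_RULES[last_accept + 1:]
    return verdict(rules, "udp", 123)


def appended_ntp():
    """The tempting wrong fix: same rule appended at the end of the chain."""
    return verdict(ORIGINAL_RULES + [NTP_ACCEPT], "udp", 123)


if __name__ == "__main__":
    print("original :", original_ntp())   # REJECT at rule 6 (udp 0:1023)
    print("inserted :", fixed_ntp())      # ACCEPT at rule 4
    print("appended :", appended_ntp())   # still REJECT at rule 6
```

The same walk also explains the counters in Greg's `iptables -L -v` listing: loopback NTP traffic is accepted by the `-i lo` rule before the udp REJECT is ever consulted, while packets arriving on a real interface reach the `udp dpts:0:1023` REJECT, whose counter is the one that keeps climbing.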
