[ntp:questions] Re: IPTable Rule to allow NTP thru ?
ibuprofin at painkiller.example.tld
Wed Aug 23 00:48:30 UTC 2006
On Mon, 21 Aug 2006, in the Usenet newsgroup comp.protocols.time.ntp, in article
<006c01c6c541$726a6800$6970a8c0 at jeff>, Jeff Boyce wrote:
>>> I believe that ntp would work properly if I had the right firewall
Minor problem - what are you using to configure the firewall? There are
dozens of tools about, but the firewall itself is part of the kernel.
>>> It appears that the IPtables rules on the server is blocking the ntp
>>> communication. Do I need to have both an INPUT and OUTPUT rule in
>>> iptables, or just one of these?
For synchronizing to an _external_ server, your client system needs only
an OUTPUT rule. On a _server_ you'd need an OUTPUT rule to talk to other
servers, and an INPUT rule to allow (your) clients to talk to you.
A little old (and it ignores NTP), but look at the following HOWTOs which
may be on your system, or are widely available on the web:
85507 Aug 20 2001 Firewall-HOWTO
287057 Jul 23 2002 Security-Quickstart-Redhat-HOWTO
The latter is probably more useful.
>> The documentation for the firewall appears to have been written for
>> someone who already knows a great deal about it!!!
>I am a linux novice, but am the only one in my office with the capability to
>manage our computer systems. Can you point me to where this script file is
>that would have the firewall rule, so I can see if it is there and then just
Did you install that package? The package is probably ntp-4.2.0.a. Find
a command line, and enter the command
rpm -q ntp
which queries the package manager to see if the ntp package is installed.
Boot scripts are found in /etc/init.d/ and below.
>I have mostly started ntp from the gnome services gui and not the command
>line, so I don't know if that makes a difference on whether it would
>implement a script to insert a firewall rule in iptables or not.
The GUI is doing extremely simplified control functions. If they work
for you - fine. The system is actually using command line scripts to
do the dirty work.
>But I am suspecting that what you describe is not the case for my system.
>I did recently reboot my server after a kernel update and when ntp
>restarted during reboot there messages indicating that the firewall was
I don't know if you are using the default package that came with Red Hat,
or you installed a more recent version on your own. If the latter, the
customized script will be missing.
By the way, a simple way to see what's going on is to use a package
sniffer to see what packets are being blocked. To cull things down
a bit, the NTP server is listening on UDP port 123. Thus, something
/usr/sbin/tcpdump -ni eth0 udp port 123 >> /tmp/udp.watch
should catch packets to/from port 123 using the UDP protocol on the
>This was one of the clues that helped me determine that the firewall was my
>main problem with making ntp operational.
will list all of the rules.
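
Added example, not part of the original post: a small shell/awk helper that summarises a text capture like the tcpdump command above produces, per remote peer, so you can tell which direction is failing. The function names and the capture lines are constructed for illustration; it assumes `tcpdump -n` text lines of the form `time IP src.port > dst.port: ...` and that you pass the local address as the argument.

```shell
#!/bin/sh
# Added example. Summarise `tcpdump -n udp port 123` text per remote peer.
# Linux tcpdump sees inbound packets before iptables and outbound packets
# after it, so:
#   NO_REPLY      requests left the box (OUTPUT passed them), nothing returned
#                 to the interface: look upstream, not at the local INPUT chain
#   TWO_WAY       replies reached the interface; if ntpd still cannot sync,
#                 the INPUT chain is the place to look
#   INBOUND_ONLY  a peer queried this host and no answer left it
#   (peer absent) nothing left the interface at all: check the OUTPUT chain

# ntp_flow_report LOCAL_IP   (hypothetical helper; capture text on stdin)
ntp_flow_report() {
    awk -v me="$1" '
    function host(ep) {              # "192.0.2.5.123:" -> "192.0.2.5"
        sub(/:$/, "", ep); sub(/\.[0-9]+$/, "", ep); return ep
    }
    $2 == "IP" && $4 == ">" {
        src = host($3); dst = host($5)
        if (src == me)      { sent[dst]++; seen[dst] = 1 }
        else if (dst == me) { rcvd[src]++; seen[src] = 1 }
    }
    END {
        for (p in seen) {
            o = sent[p] + 0; i = rcvd[p] + 0
            if (o > 0 && i == 0)      v = "NO_REPLY"
            else if (o == 0 && i > 0) v = "INBOUND_ONLY"
            else                      v = "TWO_WAY"
            printf "%s out=%d in=%d %s\n", p, o, i, v
        }
    }' | LC_ALL=C sort
}

# Constructed capture lines (documentation addresses), not real traffic.
sample_capture() {
    cat <<'EOF'
00:48:30.100000 IP 192.168.1.10.123 > 192.0.2.5.123: NTPv4, Client, length 48
00:48:30.140000 IP 192.0.2.5.123 > 192.168.1.10.123: NTPv4, Server, length 48
00:48:31.100000 IP 192.168.1.10.123 > 198.51.100.7.123: NTPv4, Client, length 48
00:49:35.100000 IP 192.168.1.10.123 > 198.51.100.7.123: NTPv4, Client, length 48
00:49:40.000000 IP 192.168.1.20.123 > 192.168.1.10.123: NTPv4, Client, length 48
EOF
}

sample_capture | ntp_flow_report 192.168.1.10
```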