[ntp:questions] Re: IPTable Rule to allow NTP thru ?

Moe Trin ibuprofin at painkiller.example.tld
Wed Aug 23 00:48:30 UTC 2006


On Mon, 21 Aug 2006, in the Usenet newsgroup comp.protocols.time.ntp, in article
<006c01c6c541$726a6800$6970a8c0 at jeff>, Jeff Boyce wrote:

>>> I believe that ntp would work properly if I had the right firewall
>>> setting.

Minor problem - what are you using to configure the firewall. There are
dozens of tools about, but the firewall itself is part of the kernel.

>>> It appears that the IPtables rules on the server are blocking the ntp
>>> communication.  Do I need to have both an INPUT and OUTPUT rule in
>>> iptables, or just one of these?  

For synchronizing to an _external_ server, your client system needs only
an OUTPUT rule. On a _server_ you'd need an OUTPUT rule to talk to other
servers, and an INPUT rule to allow (your) clients to talk to you.

A little old (and it ignores NTP), but look at the following HOWTOs which
may be on your system, or are widely available on the web:

         85507 Aug 20  2001 Firewall-HOWTO
        287057 Jul 23  2002 Security-Quickstart-Redhat-HOWTO

The latter is probably more useful.

>> The documentation for the firewall appears to have been written for
>> someone who already knows a great deal about it!!!

Picky, picky!

>I am a linux novice, but am the only one in my office with the capability to
>manage our computer systems.  Can you point me to where this script file is
>that would have the firewall rule, so I can see if it is there and then just
>use it?

Did you install that package? The package is probably ntp-4.2.0.a. Find
a command line, and enter the command

   rpm -q ntp

which queries the package manager to see if the ntp package is installed.

Boot scripts are found in /etc/init.d/ and below.

>I have mostly started ntp from the gnome services gui and not the command
>line, so I don't know if that makes a difference on whether it would
>implement a script to insert a firewall rule in iptables or not.

The GUI is doing extremely simplified control functions. If they work
for you - fine. The system is actually using command line scripts to
do the dirty work.

>But I am suspecting that what you describe is not the case for my system.
>I did recently reboot my server after a kernel update and when ntp
>restarted during reboot there messages indicating that the firewall was
>blocking it.

I don't know if you are using the default package that came with Red Hat,
or you installed a more recent version on your own. If the latter, the
customized script will be missing.

By the way, a simple way to see what's going on is to use a packet
sniffer to see what packets are being blocked. To cull things down
a bit, the NTP server is listening on UDP port 123. Thus, something
like

  /usr/sbin/tcpdump -ni eth0 udp port 123 >> /tmp/udp.watch

should catch packets to/from port 123 using the UDP protocol on the
eth0 interface.

>This was one of the clues that helped me determine that the firewall was my
>main problem with making ntp operational.

  /sbin/iptables -L

will list all of the rules.

        Old guy
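
Added example, not part of Moe Trin's post or of the ntp package: a small
POSIX shell script that prints the iptables rules NTP needs for a client or
a server, and that reads an `iptables -L -n -v` listing and reports whether
a chain lets inbound UDP/123 queries through. Two practitioner caveats it
encodes: the reply to a client's own query still has to pass INPUT, which
the stock Red Hat RH-Firewall-1-INPUT chain already allows via its
RELATED,ESTABLISHED rule (so "only an OUTPUT rule" holds there, but not
behind a bare DROP policy); and appending (-A) a new ACCEPT puts it after
the final REJECT in that chain, where it never matches, so the generated
rules use -I. The interface name, the upstream address 192.0.2.10 and the
listing below are constructed assumptions, not a capture from the poster's
system. Use `-n` so the listing is not slowed down by DNS lookups and `-v`
so the interface column (the loopback rule) is visible.

```shell
#!/bin/sh
# Added example (not from the original post or the ntp project).
# Interface names, addresses and the sample listing are constructed.

# ntp_iptables_rules <client|server> [iface] [upstream-cidr]
# Prints the commands; review them, then run them as root (e.g. `| sh`).
ntp_iptables_rules() {
    role=$1 iface=${2:-eth0} upstream=${3:-0.0.0.0/0}
    case $role in
        client|server) ;;
        *) echo "usage: ntp_iptables_rules <client|server> [iface] [upstream-cidr]" >&2; return 2 ;;
    esac
    # -I puts the rule at the top of the chain. The stock Red Hat ruleset ends
    # with a REJECT, so an appended (-A) rule would land after it and never match.
    # Both roles poll upstream servers: the query goes out ...
    echo "iptables -I OUTPUT -o $iface -p udp -d $upstream --dport 123 -j ACCEPT"
    # ... and the reply comes back in. ESTABLISHED limits this to answers to our
    # own queries; give the real server address as upstream rather than 0.0.0.0/0.
    echo "iptables -I INPUT -i $iface -p udp -s $upstream --sport 123 -m state --state ESTABLISHED -j ACCEPT"
    if [ "$role" = server ]; then
        # Clients' fresh queries to us, and our answers back to them.
        echo "iptables -I INPUT -i $iface -p udp --dport 123 -m state --state NEW -j ACCEPT"
        echo "iptables -I OUTPUT -o $iface -p udp --sport 123 -j ACCEPT"
    fi
}

# ntp_udp123_verdict <chain>   (reads `iptables -L -n -v` output on stdin)
# Reports how the named chain treats a NEW inbound UDP/123 query arriving
# from the network: "accept", "blocked" (a REJECT/DROP catches it first),
# "jump:<chain>" (a user chain decides; run again with that chain name) or
# "absent" (nothing matches; the chain policy applies).
ntp_udp123_verdict() {
    awk -v want="$1" '
        /^Chain / { chain = $2; next }
        chain != want || $1 == "pkts" || NF == 0 { next }
        {
            target = $3; proto = $4; in_if = $6
            if (in_if == "lo") next                  # loopback-only rule
            if ($0 ~ /state / && $0 !~ /NEW/) next   # matches replies only
            hit = (proto == "all") || (proto == "udp" && ($0 !~ /dpt:/ || $0 ~ /dpt:123( |$)/))
            if (!hit) next
            if (target == "ACCEPT") { verdict = "accept"; exit }
            if (target == "REJECT" || target == "DROP") { verdict = "blocked"; exit }
            if (target != "LOG" && target != "RETURN") { verdict = "jump:" target; exit }
        }
        END { print (verdict ? verdict : "absent") }
    '
}

# Constructed listing in the shape of `iptables -L -n -v` on a Red Hat box
# whose stock firewall never lets NTP queries in (not a real capture).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234 98765 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2345 packets, 234K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  100 10000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    5   400 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
  900 80000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   20  1200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
  200 16000 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Demo. On a live system use: iptables -L -n -v | ntp_udp123_verdict INPUT
printf '%s\n' "$SAMPLE_LISTING" | ntp_udp123_verdict INPUT                # jump:RH-Firewall-1-INPUT
printf '%s\n' "$SAMPLE_LISTING" | ntp_udp123_verdict RH-Firewall-1-INPUT  # blocked
ntp_iptables_rules server eth0 192.0.2.10/32
```

The verdict function follows the INPUT chain's jump into RH-Firewall-1-INPUT
and reports "blocked" there because the closing REJECT is reached before any
rule admitting UDP/123; after the generated `-I INPUT ... --dport 123` rule
is applied, the same check on INPUT reports "accept". Pair it with the
tcpdump command above: blocked queries show up on the wire going out with no
reply coming back, or arriving with no answer sent.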
