[ntp:questions] Re: IPTable Rule to allow NTP thru ?

Maarten Wiltink maarten at kittensandcats.net
Sat Aug 19 11:13:14 UTC 2006


"Jeff Boyce" <jboyce at meridianenv.com> wrote in message
news:001901c6c318$b03f2ec0$6970a8c0 at jeff...

> I am hoping that someone can explain to me what I need to add or
> change to my firewall settings to allow ntp to synchronize to an
> outside time source.


> My objective is to have a server in my office synchronize to an
> outside time server, ...

> My general network setup is a dsl line coming into an ActionTec
> dsl modem gateway doing NAT.

Okay. I'm going to work from what I understand from the above: you
have an NTP server with external connections behind a NATting gateway.

The server must talk to its external associations. Allow it to send
from UDP/123[0] to UDP/123, and to receive the replies[1]. You can
limit this to only the servers it should talk to if you are feeling
paranoid. This does not play nice with dynamic schemes, though, in
particular the pool.

The gateway must allow this traffic. If the rule is to allow and NAT
all traffic from inside to outside, it already will.

The clients must talk to the server. So it must accept NTP traffic
(UDP/123[0] to UDP/123 again), and reply.

My own configuration is slightly different because the primary NTP
server is _on_ the gateway, and I use ipchains. It basically looks
like this:

ipchains -A input  -i ppp0 -p udp -s <pubntp> 123 -d <public> 123 -j ACCEPT
ipchains -A output -i ppp0 -p udp -s <public> 123 -d <pubntp> 123 -j ACCEPT

ppp0 is the Internet-facing interface; <ntppub> are ntp-[a-d].xs4all.nl,
my ISP's NTP servers (named that only through a hosts file), <public> is
kittensandcats.xs4all.nl, my public IP address (on ppp0), and NTP traffic
between the gateway and those four NTP servers is allowed.

Perhaps more useful are the following lines left over from the time when
my secondary internal NTP server still used the pool:

ipchains -A forward -i ppp0 -p udp -s <npt1in> 123 -d class-A/1 123 -j MASQ
ipchains -A forward -i ppp0 -p udp -s <ntp1in> 123 -d class-B/2 123 -j MASQ
ipchains -A forward -i ppp0 -p udp -s <ntp1in> 123 -d class-C/3 123 -j MASQ

<ntp1in> is ntp1.kittensandcats.net, the secondary internal NTP server,
class-[ABC] are network ranges of public unicast IP addresses (also from
the hosts file), and NTP traffic from the server to most everywhere
outside is allowed - note that MASQing automagically un-transforms traffic
recognised as return traffic.

Groetjes,
Maarten Wiltink

[0] By default, an NTP client will talk (UDP) _from_ port 123. This
    can be reconfigured to use unprivileged ports.
[1] Most firewalls can pretend a UDP exchange is a connection, and
    allow replies to the initial query with a single setting.





More information about the questions mailing list