Re: IPTable Rule to allow NTP thru ? - NTP


Thread: Re: IPTable Rule to allow NTP thru ?

  1. Re: IPTable Rule to allow NTP thru ?

    >Jeff Boyce wrote:
    >
    >> Greetings -
    >>
    >> I am hoping that someone can explain to me what I need to add or change
    >> to my firewall settings to allow ntp to synchronize to an outside time
    >> source. An example would be great, an explanation with the example would
    >> be super. My objective is to have a server in my office synchronize to
    >> an outside time server, then the desktop PC's would synchronize to the
    >> server. I have the desktop PC's configured properly, but my server is
    >> not communicating to an external time server. I would like to fix this
    >> as my server loses almost 2 minutes a month. I have read all the
    >> documentation on configuring ntp and have followed the discussions on
    >> this list for the past few months. I believe that ntp would work
    >> properly if I had the right firewall setting. I can give additional
    >> information on how I came to this conclusion if necessary.
    >>
    >> My general network setup is a dsl line coming into an ActionTec dsl
    >> modem gateway doing NAT. The dsl gateway has a simple firewall
    >> configuration utility which is set to allow ntp through. The gateway is
    >> then connected into my network switch (Dell 24 port unmanaged switch) in
    >> which my server (Dell PE2600) is also connected. The server is running
    >> RHEL 3, completely up to date. It appears that the IPtables rules on
    >> the server are blocking the ntp communication. Do I need to have both an
    >> INPUT and OUTPUT rule in iptables, or just one of these? I searched
    >> through the ntp.org site and could not find any firewall examples.
    >> Other google searches turned up a lot of conflicting information, some
    >> indicated that I did not need an INPUT rule because I am not a time
    >> server to the public. I want to be careful about changing my iptables
    >> as I understand I could cause more problems not knowing exactly what I
    >> am doing. My current iptables rules are pretty basic since we rely on
    >> the gateway firewall. I can forward a copy of my iptables rules to
    >> someone willing to help me, but did not want to post it publicly. If
    >> anyone can provide a firewall rule example and an explanation of the
    >> rule I would appreciate it. Thanks.
    >>
    >> Jeff Boyce
    >> www.meridianenv.com
    >>
    >
    >Richard B. Gilbert replied:
    >
    >The stock RHEL 3 comes with an old version of ntpd and a script that
    >starts it. That script makes changes to the firewall to allow NTP when
    >it starts. When the script shuts it down the firewall is restored. You
    >don't have to use the antique ntpd but you do have to use the script
    >unless you know enough to successfully tinker with the firewall.
    >
    >The documentation for the firewall appears to have been written for
    >someone who already knows a great deal about it!!!


    I am a linux novice, but am the only one in my office with the capability to
    manage our computer systems. Can you point me to where this script file is
    that would have the firewall rule, so I can see if it is there and then just
    use it? I have mostly started ntp from the gnome services gui and not the
    command line, so I don't know if that makes a difference on whether it would
    implement a script to insert a firewall rule in iptables or not. But I am
    suspecting that what you describe is not the case for my system. I did
    recently reboot my server after a kernel update and when ntp restarted
    during reboot there were messages indicating that the firewall was blocking it.
    This was one of the clues that helped me determine that the firewall was my
    main problem with making ntp operational.

    Jeff Boyce

    _______________________________________________
    questions mailing list
    questions@lists.ntp.isc.org
    https://lists.ntp.isc.org/mailman/listinfo/questions


  2. Re: IPTable Rule to allow NTP thru ?

    Jeff Boyce wrote:

    >> Jeff Boyce wrote:
    >>
    >>> Greetings -
    >>>
    >>> I am hoping that someone can explain to me what I need to add or change
    >>> to my firewall settings to allow ntp to synchronize to an outside time
    >>> source. An example would be great, an explanation with the example would
    >>> be super. My objective is to have a server in my office synchronize to
    >>> an outside time server, then the desktop PC's would synchronize to the
    >>> server. I have the desktop PC's configured properly, but my server is
    >>> not communicating to an external time server. I would like to fix this
    >>> as my server loses almost 2 minutes a month. I have read all the
    >>> documentation on configuring ntp and have followed the discussions on
    >>> this list for the past few months. I believe that ntp would work
    >>> properly if I had the right firewall setting. I can give additional
    >>> information on how I came to this conclusion if necessary.
    >>>
    >>> My general network setup is a dsl line coming into an ActionTec dsl
    >>> modem gateway doing NAT. The dsl gateway has a simple firewall
    >>> configuration utility which is set to allow ntp through. The gateway is
    >>> then connected into my network switch (Dell 24 port unmanaged switch) in
    >>> which my server (Dell PE2600) is also connected. The server is running
    >>> RHEL 3, completely up to date. It appears that the IPtables rules on
    >>> the server are blocking the ntp communication. Do I need to have both an
    >>> INPUT and OUTPUT rule in iptables, or just one of these? I searched
    >>> through the ntp.org site and could not find any firewall examples.
    >>> Other google searches turned up a lot of conflicting information, some
    >>> indicated that I did not need an INPUT rule because I am not a time
    >>> server to the public. I want to be careful about changing my iptables
    >>> as I understand I could cause more problems not knowing exactly what I
    >>> am doing. My current iptables rules are pretty basic since we rely on
    >>> the gateway firewall. I can forward a copy of my iptables rules to
    >>> someone willing to help me, but did not want to post it publicly. If
    >>> anyone can provide a firewall rule example and an explanation of the
    >>> rule I would appreciate it. Thanks.
    >>>
    >>> Jeff Boyce
    >>> www.meridianenv.com
    >>>
    >>
    >> Richard B. Gilbert replied:
    >>
    >> The stock RHEL 3 comes with an old version of ntpd and a script that
    >> starts it. That script makes changes to the firewall to allow NTP when
    >> it starts. When the script shuts it down the firewall is restored. You
    >> don't have to use the antique ntpd but you do have to use the script
    >> unless you know enough to successfully tinker with the firewall.
    >>
    >> The documentation for the firewall appears to have been written for
    >> someone who already knows a great deal about it!!!
    >
    > I am a linux novice,


    Me too! But I do have some Unix background that I have found most
    helpful. Linux is not Unix and Unix is not Linux but the two are much
    alike in many ways.

    > but am the only one in my office with the
    > capability to manage our computer systems. Can you point me to where
    > this script file is that would have the firewall rule, so I can see if
    > it is there and then just use it?


    /etc/init.d/ntpd

    > I have mostly started ntp from the
    > gnome services gui and not the command line, so I don't know if that
    > makes a difference on whether it would implement a script to insert a
    > firewall rule in iptables or not. But I am suspecting that what you
    > describe is not the case for my system. I did recently reboot my server
    > after a kernel update and when ntp restarted during reboot there were
    > messages indicating that the firewall was blocking it.


    I see messages when I start ntpd but I believe that is the script
    opening the firewall to allow ntpd. I suspect that the GUI you are
    using executes the script and that the firewall is, in fact being opened.

    Try to capture those messages. If they really say that the firewall is
    blocking NTP, post them. If not, look elsewhere in your configuration
    for the problem.

  3. Re: IPTable Rule to allow NTP thru ?

    On Mon, 21 Aug 2006, in the Usenet newsgroup comp.protocols.time.ntp, in article
    <006c01c6c541$726a6800$6970a8c0@jeff>, Jeff Boyce wrote:

    >>> I believe that ntp would work properly if I had the right firewall
    >>> setting.


    Minor problem - what are you using to configure the firewall. There are
    dozens of tools about, but the firewall itself is part of the kernel.

    >>> It appears that the IPtables rules on the server are blocking the ntp
    >>> communication. Do I need to have both an INPUT and OUTPUT rule in
    >>> iptables, or just one of these?


    For synchronizing to an _external_ server, your client system needs only
    an OUTPUT rule. On a _server_ you'd need an OUTPUT rule to talk to other
    servers, and an INPUT rule to allow (your) clients to talk to you.

    A little old (and it ignores NTP), but look at the following HOWTOs which
    may be on your system, or are widely available on the web:

    85507 Aug 20 2001 Firewall-HOWTO
    287057 Jul 23 2002 Security-Quickstart-Redhat-HOWTO

    The latter is probably more useful.

    >> The documentation for the firewall appears to have been written for
    >> someone who already knows a great deal about it!!!


    Picky, picky!

    >I am a linux novice, but am the only one in my office with the capability to
    >manage our computer systems. Can you point me to where this script file is
    >that would have the firewall rule, so I can see if it is there and then just
    >use it?


    Did you install that package? The package is probably ntp-4.2.0.a. Find
    a command line, and enter the command

    rpm -q ntp

    which queries the package manager to see if the ntp package is installed.

    Boot scripts are found in /etc/init.d/ and below.

    >I have mostly started ntp from the gnome services gui and not the command
    >line, so I don't know if that makes a difference on whether it would
    >implement a script to insert a firewall rule in iptables or not.


    The GUI is doing extremely simplified control functions. If they work
    for you - fine. The system is actually using command line scripts to
    do the dirty work.

    >But I am suspecting that what you describe is not the case for my system.
    >I did recently reboot my server after a kernel update and when ntp
    >restarted during reboot there were messages indicating that the firewall
    >was blocking it.


    I don't know if you are using the default package that came with Red Hat,
    or you installed a more recent version on your own. If the latter, the
    customized script will be missing.

    By the way, a simple way to see what's going on is to use a packet
    sniffer to see what packets are being blocked. To cull things down
    a bit, the NTP server is listening on UDP port 123. Thus, something
    like

    /usr/sbin/tcpdump -ni eth0 udp port 123 >> /tmp/udp.watch

    should catch packets to/from port 123 using the UDP protocol on the
    eth0 interface.

    >This was one of the clues that helped me determine that the firewall was my
    >main problem with making ntp operational.


    /sbin/iptables -L

    will list all of the rules.

    Old guy
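Worked example, added here and not posted by anyone in the thread: a small shell script that writes out the iptables rules the third reply describes (the OUTPUT rule a client needs, the extra INPUT rule a LAN time server needs) and that summarises a "tcpdump -ni eth0 udp port 123" capture the way that reply suggests, counting queries out versus answers back per peer. Everything in it is an assumption for illustration: the outside interface is eth0, the office LAN is 192.168.1.0/24, the kernel has the ip_conntrack state match (-m state) loaded, as a 2.4-era RHEL 3 kernel normally does, the capture lines follow current tcpdump -n output, and the sample capture is constructed, not a real trace. Note the one thing the example adds to the "only an OUTPUT rule" advice: the server's answer is an inbound packet, so if the INPUT chain drops by default, that answer needs an INPUT rule too; the state match limits it to answers to queries this host actually sent.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: the outside interface
# is eth0, the office LAN is 192.168.1.0/24, and the kernel has the
# ip_conntrack state match (-m state) available, as a 2.4-era RHEL 3 kernel
# does. Set IPTABLES=echo to print the rules instead of applying them.

IPTABLES=${IPTABLES:-/sbin/iptables}

# Client rules: let our own queries out (UDP dst port 123) and let the
# answers back in. The answer is an inbound packet from the server's port
# 123, so on a box whose INPUT chain drops by default the OUTPUT rule alone
# is not enough; -m state limits the INPUT rule to replies to queries we
# actually sent. ntpd sends from port 123 and ntpdate -u from an ephemeral
# port, so the reply rule deliberately does not match the destination port.
ntp_client_rules() {
    iface=$1
    "$IPTABLES" -A OUTPUT -o "$iface" -p udp --dport 123 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$iface" -p udp --sport 123 \
        -m state --state ESTABLISHED -j ACCEPT
}

# Server rules: everything a client needs, plus queries from our own LAN.
# Restricting the source keeps the box from answering the whole Internet
# (NTP replies are at least as large as requests, so an open responder is
# an amplification source for spoofed traffic).
ntp_server_rules() {
    iface=$1
    lan=$2
    ntp_client_rules "$iface"
    "$IPTABLES" -A INPUT -i "$iface" -p udp -s "$lan" --dport 123 -j ACCEPT
}

# Summarise a capture from "tcpdump -ni eth0 udp port 123" for the host
# whose address is $1: one line per peer with request and reply counts.
# Queries leaving with no replies coming back is the signature the thread
# is chasing (our INPUT chain, or the upstream NAT, dropping the answers);
# no requests at all means ntpd never sent any, so look at ntp.conf or the
# OUTPUT chain instead. Assumes current tcpdump -n output, one packet per
# line, e.g.
#   10:00:01.000000 IP 192.168.1.10.123 > 192.0.2.1.123: NTPv4, Client, length 48
ntp_capture_summary() {
    me=$1
    awk -v me="$me" '
        /NTPv[0-9]+, (Client|Server)/ {
            src = $3; dst = $5
            sub(/:$/, "", dst)
            sub(/\.[0-9]+$/, "", src)     # strip the port suffix
            sub(/\.[0-9]+$/, "", dst)
            if (src == me) req[dst]++
            else if (dst == me) rep[src]++
        }
        END {
            for (p in req) {
                tag = (rep[p] > 0) ? "" : " <- no answers: check INPUT chain / NAT"
                printf "%s requests=%d replies=%d%s\n", p, req[p], rep[p], tag
            }
            for (p in rep) { if (!(p in req)) printf "%s requests=0 replies=%d\n", p, rep[p] }
        }' | sort
}

# Constructed sample capture: 192.0.2.1 answers, 198.51.100.7 never does.
sample_capture() {
    cat <<'EOF'
10:00:01.000000 IP 192.168.1.10.123 > 192.0.2.1.123: NTPv4, Client, length 48
10:00:01.020000 IP 192.0.2.1.123 > 192.168.1.10.123: NTPv4, Server, length 48
10:00:05.000000 IP 192.168.1.10.123 > 198.51.100.7.123: NTPv4, Client, length 48
10:01:05.000000 IP 192.168.1.10.123 > 192.0.2.1.123: NTPv4, Client, length 48
10:01:05.020000 IP 192.0.2.1.123 > 192.168.1.10.123: NTPv4, Server, length 48
10:01:09.000000 IP 192.168.1.10.123 > 198.51.100.7.123: NTPv4, Client, length 48
EOF
}

demo() {
    echo "# rules a client needs (dry run):"
    IPTABLES=echo ntp_client_rules eth0
    echo "# rules the office time server needs (dry run):"
    IPTABLES=echo ntp_server_rules eth0 192.168.1.0/24
    echo "# sample capture, seen from 192.168.1.10:"
    sample_capture | ntp_capture_summary 192.168.1.10
}

case "${1-}" in demo) demo ;; esac
```

Two practical points when using this on a real box. First, -A appends to the end of the chain; if the existing INPUT chain already ends in a catch-all REJECT or DROP (which "/sbin/iptables -L -n" will show; -n keeps it from doing DNS lookups on every address), switch to -I so the new rules land in front of it, then verify with "iptables -L -n -v" that the packet counters on the new rules are moving while ntpd runs. Second, once the rules are confirmed working, save them so they survive a reboot; on RHEL 3 that is "/sbin/service iptables save", which rewrites /etc/sysconfig/iptables. Do not replace the state match with a bare "--sport 123" rule if ip_conntrack is unavailable: that would admit any packet whose sender chose source port 123, which is trivial to forge.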
