Score:0

iptables with NTP


I am using iptables to filter the traffic and also chronyd to synchronize the system time. However, I am not getting it to work, somehow chronyd cannot access the NTP server.

Here are my iptables rules:

# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 123 -j ACCEPT

And here is me trying to sync the system time:

# chronyd -4 -q 'server 0.openembedded.pool.ntp.org iburst'
2021-01-27T09:06:15Z chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP -SCFILTER -SIGND +ASYNCDNS -SECHASH +IPV6 -DEBUG)
2021-01-27T09:06:15Z No suitable source for synchronisation
2021-01-27T09:06:15Z chronyd exiting

When I clear all the rules, the above sync command works without any problems.

Score:1

When your computer tries to access the NTP server the source port will be indeterminate and the destination on the server will be 123. So, the opposite of what you currently have. Do this instead:

# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i eth0 -p udp -m udp --sport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT

EDIT: From comment questions:

For the INPUT chain --sport 123 means the port on the remote machine, and for the OUTPUT chain --dport 123 means the port on the remote machine.

One rule can work on multiple network interfaces by not specifying a network interface, although I do not understand why you would want to do that. So (untested):

-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
Doug Smythies: edited the answer to include further answers.

Jags: Thank you so much for clarifications @doug-smythies

user278965: @DougSmythies I have tried that as well but it doesn't work (the chronyd command fails as before). FYI: We have two interfaces and want to sync time only over eth0 (though I tried without eth0, the same outcome).

user278965: I also had to enable port 53 for the DNS lookup; then it worked.

Doug Smythies: Yes, I meant to mention that you would likely need to allow some other things for minimal operation. I assume you are using static IP addresses, otherwise you'll need to allow ports 67 and 68. Typically, one allows whatever outgoing traffic and RELATED,ESTABLISHED incoming.
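Putting the answer and the comments together, here is a complete client-side ruleset for a host that only queries NTP servers: default DROP on all chains, loopback allowed, outgoing DNS and NTP allowed by destination port, replies admitted through conntrack (so no INPUT rule on port 123 is needed at all), and DHCP optionally allowed when the address is not static. This is an added example for this thread, not a script posted by the asker or the answerer. The interface name eth0, the IPTABLES variable (set it to echo for a dry run), the function names and the "apply" argument are assumptions of this example.

```sh
#!/bin/sh
# Minimal stateful firewall for an NTP client (chronyd, ntpd, ...).
# Added example for this thread, not the original poster's or answerer's
# script; "eth0", the IPTABLES variable and the "apply" argument are assumptions.
set -eu

IPTABLES="${IPTABLES:-iptables}"   # IPTABLES=echo sh ntp-firewall.sh apply eth0 for a dry run

# Flush all rules and set a default DROP policy on the three built-in chains,
# exactly as in the ruleset in the question.
reset_chains() {
    "$IPTABLES" -F
    "$IPTABLES" -X
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT DROP
}

# Rules an NTP client needs. $1 = interface to sync over, $2 = "dhcp" if the
# address is obtained by DHCP (then UDP 67/68 is also allowed), default "static".
ntp_client_rules() {
    ifc="$1"
    addr_mode="${2:-static}"

    # Loopback: chronyc talks to chronyd over the local socket/127.0.0.1.
    "$IPTABLES" -A INPUT  -i lo -j ACCEPT
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

    # Replies to anything this host initiated come back via the connection
    # tracker, so INPUT needs no port-123 rule (and certainly not --dport 123,
    # which is what a server would use).
    "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Resolving the pool name: the step the original ruleset was missing.
    "$IPTABLES" -A OUTPUT -o "$ifc" -p udp --dport 53 -j ACCEPT
    "$IPTABLES" -A OUTPUT -o "$ifc" -p tcp --dport 53 -j ACCEPT

    # The NTP query itself: random local source port, remote port 123.
    "$IPTABLES" -A OUTPUT -o "$ifc" -p udp --dport 123 -j ACCEPT

    # DHCP replies may be broadcast and are not reliably matched by conntrack,
    # so both directions get explicit rules when the address is dynamic.
    if [ "$addr_mode" = dhcp ]; then
        "$IPTABLES" -A OUTPUT -o "$ifc" -p udp --sport 68 --dport 67 -j ACCEPT
        "$IPTABLES" -A INPUT  -i "$ifc" -p udp --sport 67 --dport 68 -j ACCEPT
    fi
}

# usage: sudo sh ntp-firewall.sh apply eth0 [dhcp]
if [ "${1:-}" = apply ]; then
    reset_chains
    ntp_client_rules "${2:-eth0}" "${3:-static}"
fi
```

After applying it, the sync command from the question (chronyd -4 -q 'server 0.openembedded.pool.ntp.org iburst') should succeed, and iptables -S should show no rule with --sport 123 in either chain. If an NTP query still fails, the usual suspect is name resolution (check the port 53 rules first), not the port 123 rule.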