Firewalling ntpd with iptables
By default ntpd listens on all network interfaces, it requires to listen on an external interface in order to contact upstream NTP servers, if this is disabled then time syncing will be affected.
Unless a system is being used as a NTP server for other clients, only the client functionality of the ntpd daemon is needed.
Blocking NTP with a firewall is made more tricky as it uses the same source and destination port when communicating over UDP, unlike other server software.
To allow the NTP daemon to function on a system as a client only to upstream NTP servers, the following iptables firewall rules can be used:
iptables -A INPUT -i lo -p udp --destination-port 123 -j ACCEPT iptables -A INPUT -p udp --source-port 123:123 -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -o lo -p udp --source-port 123 -j ACCEPT iptables -A OUTPUT -p udp --destination-port 123:123 -m state --state NEW,ESTABLISHED -j ACCEPT
DROP should be the default rule for firewalls, if not then add the following additional rule:
iptables -A INPUT -p udp --destination-port 123 -j DROP
With the above rules in place the system should be able to sync time with other NTP servers but not allow other hosts to connect to itself.
First restart ntpd (slackware):
/etc/rc.d/rc.ntpd stop /etc/rc.d/rc.ntpd start
Then check the operation with the command:
ntpd -c peers remote refid st t when poll reach delay offset jitter ============================================================================== *foxtrot.zq1.de 126.96.36.199 3 u 1 64 1 37.252 -0.068 0.120 ntp0.as34288.ne 188.8.131.52 2 u 2 64 1 41.909 -0.655 0.065 localnet .BCST. 16 u - 64 0 0.000 0.000 0.002
From the output above you can see in the
when column how many seconds since the last data from a upstream NTP server was received.
Last updated: 10/05/2015