What are the iptables rules to permit ntp?

27

4

My server's clock is wrong because the firewall doesn't permit ntp traffic. What are the iptables rules required to allow the ntp client to get out and back?

Any suggestions how to implement those rules on Ubuntu also appreciated.

John Mee

Posted 2010-05-16T14:07:32.983

Reputation: 838

You mean so that your machine can act as a NTP server? – Ignacio Vazquez-Abrams – 2010-05-16T14:48:27.267

1Acting as client. – John Mee – 2010-05-17T01:46:59.093

Answers

37

"out and back" implies you are an NTP client and want to talk to a server i'd imagine by default you can do this; if you haven't set up a firewall to block everything, and have iptables set up at all, you'll have a "allow related/established" rule which means replies to outgoing requests are allowed automatically

in any case, NTP is UDP port 123, so, assuming you are a CLIENT and want to access NTP servers you'd do:

iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT

these will append the rules to the end of your OUTPUT and INPUT chains

Assuming you want to be a server, you'd do

iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

I have a script which implements all my firewall rules, and I call it from /etc/rc.local which runs on startup on my machine (ubuntu 8.04 LTS)

EDIT: You've clarified that this is because you are a client. In ubuntu's default configuration, you shouldn't have to alter any firewall settings to do this. What firewall configuration have you done? If nothing, I'm inclinced to believe that this isn't a firewall issue.

frymaster

Posted 2010-05-16T14:07:32.983

Reputation: 582

It seems that even when I'm trying to be a Client only, I have to add this rule iptables -A INPUT -p udp --dport 123 -j ACCEPT in my case – xi.lin – 2017-06-02T08:11:08.460

There is a problem with the rule: > iptables -A INPUT -p udp --sport 123 -j ACCEPT With the above rule someone can connect to another protected port on your server, though connect is not the right term because it is udp. I will return and edit this once I find the answer. – None – 2013-01-18T23:52:40.333

Like I said, most clients will have a "allow related/established" rule - that is better because it makes a note of your outgoing query (to port 123 from port somethingRandom) and will allow the incoming packet from that IP from port 123 to port somethingRandom only – frymaster – 2013-01-24T01:47:51.633

Asked: 2010-05-16T14:07:32.983

Viewed: 76 483 times

Active: 2013-01-18T23:52:40.333