For my residential service, I changed ISPs to Zoom/Armstrong. Just after that, my NTP daemons stopped working. I dug deep and diagnosed the problem:
Unprivileged ports are getting out. When i run 'ntpdate' for example, I go out on a high, unprivleged port, and get a response on UDP 123. That's fine. The 'ntpd' daemon though, expects to go out on 123 and get its reply there as well. This must be a common problem, because it's directly addressed in the NTP troubleshooting guide.
Just to see what would happen, I wrote a detailed email to the general support address at Armstrong. They replied almost immediately with a complete technical answer! They have everything <1024 blocked, except for a few ports to support outbound VPN.
So, the question:
Can I use IPtables to essentially re-write my outbound UDP 123 up to 2123 or something like that? If I do, does there need to be a corresponding 2123->123 rule to translate the reply? This seems like NAT, but with ports, not addresses. I tried, but can't seem to get iptables to do what I want. I'm not sure if it's my lack of skill, or if I'm trying the wrong solution.
True, I could run ntpdate from cron, but that loses all of the adjustment smarts of NTP.
Try this rule (untested):
You can probably do that with the mangle table, but more normally why not use the state module? I think this is kind of the standard iptables config that has the following rule:
This way holes will get punched in the firewall for return traffic...
Edit:
Oh, I missed that is your ISP blocking, well that is just a crap ISP, keeping this answer up in case it helps someone else who finds this question with a similar issue, but not your particular one.