Ping a Specific Port

Question

ndemou

Asked: 2014-12-28 14:20:48 +0800 CST2014-12-28 14:20:48 +0800 CST 2014-12-28 14:20:48 +0800 CST

How to have ntpd serve only my local subnet

772

I have a few servers with public Internet IP addresses like A.B.C.x. One of my hosts (A.B.C.10) runs ntpd and I have it syncing it's time from europe.pool.ntp.org.

Now I only want to allow hosts from my subnet (A.B.C.x) to be able to sync to A.B.C.10. By default the whole world can sync to my NTP server. How do I accomplish this?

All examples I can find assume that I'm syncing to specific IP addresses but I sync to DNS names and as far as I can tell the IP addresses that the DNS names x.europe.pool.ntp.org point to are variable. So I can't setup exceptions in my firewall and I can't use the restrict option in ntp.conf because it too only accepts IP addresses and not DNS names (Oh! and restrict applies both to clients and to servers as firewall rules do!)

3 Answers

Voted

Kondybas · Answer 1 · 2014-12-28T15:00:19+08:00

Kondybas

2014-12-28T15:00:19+08:002014-12-28T15:00:19+08:00

Basic ntp.conf for localnet serving look like that

####
driftfile       /etc/ntp.drift
disable         monitor
restrict -4     default kod nomodify nopeer noquery notrap
restrict -6     default kod nomodify nopeer noquery notrap
restrict        127.0.0.1
restrict        127.127.1.0
restrict -6     ::1

restrict        10.0.0.0    mask 255.0.0.0
restrict        172.16.0.0  mask 255.240.0.0
restrict        192.168.0.0 mask 255.255.0.0

server          0.pool.ntp.org       iburst
server          1.pool.ntp.org       iburst
server          2.pool.ntp.org       iburst
####

Two longest lines deny any access to the server by default and then other restric directives allow only specific hosts and subnets.

6

Wesley · Answer 2 · 2014-12-28T14:35:33+08:00

You've got several options, and it depends on where firewalls are placed and/or which ones you prefer to work with. Ideally you would have a firewall that you can control on the subnet. Less ideally you'll only be dealing with a host level firewall on the NTP server. Either way the concept is the same.

For a subnet firewall:

Allow UDP port 123 out of the subnet only from A.B.C.10
Deny UDP port 123 from everything else.

For a host firewall on the NTP server:

Allow UDP port 123 from your subnet (and from localhost)
Deny UDP port 123 from everywhere else (a deny all rule later in the chain).

e.g. to allow 10.0.0.0/8:

# allow 10.0.0.0/8
iptables -A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT
# allow localhost
iptables -A INPUT -s 127.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT
# allow NTP packets _from_ your host to everyone else
iptables -A OUTPUT -p udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
# allow replies from hosts you've sent NTP packets to
iptables -A INPUT  -p udp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
# the following is only useful if you have a policy ACCEPT for INPUT
iptables -A INPUT  -p udp -m udp --dport 123 -j DROP

adam · Answer 3 · 2018-04-09T12:27:49+08:00

I didn't find these answers terribly helpful, so here is what worked for me. This is on a machine running NTP 4.2.6p5

driftfile        /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/

restrict    default ignore

restrict        127.0.0.1
restrict        127.127.1.0
restrict -6     ::1

restrict -4     <whitelist.ip.0>    mask    255.255.255.255
restrict -4     <whitelist.ip.1>    mask    255.255.255.255
restrict -4     <whitelist.ip.2>    mask    255.255.255.255 

server      0.pool.ntp.org  iburst nomodify notrap nopeer noquery
restrict    0.pool.ntp.org  iburst nomodify notrap nopeer noquery
server      1.pool.ntp.org  iburst nomodify notrap nopeer noquery
restrict    1.pool.ntp.org  iburst nomodify notrap nopeer noquery
server      2.pool.ntp.org  iburst nomodify notrap nopeer noquery
restrict    2.pool.ntp.org  iburst nomodify notrap nopeer noquery


statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

I know this is an old thread, but thought it might help someone. In the example, you should replace whitelist.ip.0, whitelist.ip.1, whitelist.ip.2 with your whitelisted hosts. You can obviously also modify the mask argument to allow, e.g., a /24 network

How to have ntpd serve only my local subnet

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?