Port(s) Protocol Service Details Source; 123: udp: NTP: Network Time Protocol (NTP) - used for time synchronization Security Concerns: It provides both information and possible avenue of attack for intruders. Info gathered can include system uptime, time since reset, time server pkt, I/O & memory statistics and ntp peer list. ZyXEL routers are easy to navigate and setup. They are of high quality and speed. To Open a Port on a ZyXEL Router. Typically, ZyXEL routers are fairly easy to configure, but their port forwarding section is a little more challenging. Normally, a ZyXEL router refers to a port forward as a NAT/SUA Server, which can be a bit confusing.
I have the following setup:
The idea is to allow the NTPD client (not OpenNTP) on the OpenBSD box to get the time from the NTP server by using port forwarding on the OpenBSD box and iptables on the Linux box.
I am at the stage where the following is true:
- The OpenBSD box's pf.conf has been set up correctly such that running
tcpdump udp
on the Linux box shows the correct traffic from the OpenBSD box when I runntpd -d -s
- The Linux box's iptables configuration has been set up correctly such that running
ntpd -d -s
on the OpenBSD box, the traffic shows up usingtcpdump udp
on the NTP server
But nothing comes back - there is no traffic on either machine in the other direction.
The iptables rules I am using on the Linux machine are:
Which seems correct to me. There is also an 'accept state RELATED/ESTABLISHED' rule in the IPTables configuration that was there before I started this work.
What am I doing wrong? Is there something missing? Perhaps some extra rules for the reply?
I have followed the advice in @gromit's answer and @MadHatter's comments, and have the following information to add:
On the Linux box, running cat /proc/sys/net/ipv4/ip_forward
gives 1
. Running ntpd -d -s
on the OpenBSD box with tcpdump
monitoring eth0
and 'eth1
on the Linux box (in different terminals, at the same time) gives the following output.
OpenBSD
Linux Box
tcpdump -n -n -i eth0 port 123
tcpdump -n -n -i eth1 port 123
So it looks like the routing is still not right on the Linux box - the reply is coming back from the NTP box but is not being sent to OpenBSD.
Just for clarity, the iptables routing that I have added now looks like this:
Leaving that final iptables
line out seems to make no difference to the tcpdump
output.
I have now got the following IPtables entries, and I am able to update the clock on the OpenBSD box:
However the second prerouting and second filter commands seem like overkill to me, as, as I understand it, they forward all UDP packets from port 123 on the NTP server. I have a feeling that this means that all NTP replies that go to the Linux box (ie including when the Linux box itself asks for the time) will get forwarded to the OpenBSD box.
2 Answers
this looks like you have a routing problem.
Does the system serving the time (3.169) know how to connect to the requesting system?
If not add the following to the linux box's iptables:
Now it looks like the ntp packages are coming back and the time is synced.
It would be easier if the ntp daemon and the redirect would run on the same system. Then you could use the '-j REDIRECT' feature of iptables that does the whole magic for you, but it works only at the localhost.
KR,
Gromit
Quickest way to find if it's an iptables rule blocking the request: Run 'watch iptables -L -n -v' on the right table (with -t nat / whichever), then run the ntpdate command repeatedly on the client. You should see the iptables counters incrementing on the line blocking the packets, if it is indeed an iptables BLOCK issue or similar.
Jeff McJunkinJeff McJunkin