What are the iptables rules to permit ntp?
"out and back" implies you are an NTP client and want to talk to a server i'd imagine by default you can do this; if you haven't set up a firewall to block everything, and have iptables set up at all, you'll have a "allow related/established" rule which means replies to outgoing requests are allowed automatically
in any case, NTP is UDP port 123, so, assuming you are a CLIENT and want to access NTP servers you'd do:
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
these will append the rules to the end of your OUTPUT and INPUT chains
Assuming you want to be a server, you'd do
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
I have a script which implements all my firewall rules, and I call it from /etc/rc.local which runs on startup on my machine (ubuntu 8.04 LTS)
EDIT: You've clarified that this is because you are a client. In ubuntu's default configuration, you shouldn't have to alter any firewall settings to do this. What firewall configuration have you done? If nothing, I'm inclinced to believe that this isn't a firewall issue.
Related videos on Youtube
John Mee
Updated on September 17, 2022Comments
-
John Mee over 1 year
My server's clock is wrong because the firewall doesn't permit ntp traffic. What are the iptables rules required to allow the ntp client to get out and back?
Any suggestions how to implement those rules on Ubuntu also appreciated.
-
Ignacio Vazquez-Abrams about 14 yearsYou mean so that your machine can act as a NTP server?
-
John Mee about 14 yearsActing as client.
-
-
Admin over 11 yearsThere is a problem with the rule: > iptables -A INPUT -p udp --sport 123 -j ACCEPT With the above rule someone can connect to another protected port on your server, though connect is not the right term because it is udp. I will return and edit this once I find the answer.
-
frymaster over 11 yearsLike I said, most clients will have a "allow related/established" rule - that is better because it makes a note of your outgoing query (to port 123 from port somethingRandom) and will allow the incoming packet from that IP from port 123 to port somethingRandom only
-
xi.lin almost 7 yearsIt seems that even when I'm trying to be a Client only, I have to add this rule
iptables -A INPUT -p udp --dport 123 -j ACCEPT
in my case