NTP Time Server on FC4
We have an FC4 server running squid and mail relay, basically a gateway, for our LAN, and I'm trying to set it up as an NTP server. It's behind a load balancer with a firewall so I have the firewall off (i.e. the firewall is not the issue here, unless there's more firewall than I realize) and I have SELinux off as well.
I can get ntpd started fine, and in /var/log/messages I see this:

    Aug 23 15:01:40 elmer ntpdate[5047]: step time server x.x.x.x offset -0.022521 sec
    Aug 23 15:01:40 elmer ntpd[5051]: ntpd 4.2.0a@1.1190-r Thu Apr 14 07:45:36 EDT 2005 (1)
    Aug 23 15:01:40 elmer ntpd[5051]: precision = 1.000 usec
    Aug 23 15:01:40 elmer ntpd[5051]: Listening on interface wildcard, 0.0.0.0#123
    Aug 23 15:01:40 elmer ntpd[5051]: Listening on interface wildcard, ::#123
    Aug 23 15:01:40 elmer ntpd[5051]: Listening on interface lo, 127.0.0.1#123
    Aug 23 15:01:40 elmer ntpd[5051]: Listening on interface eth0, 10.1.3.3#123
    Aug 23 15:01:40 elmer ntpd[5051]: Listening on interface eth1, 192.168.1.115#123
    Aug 23 15:01:40 elmer ntpd[5051]: kernel time sync status 0040
    Aug 23 15:01:40 elmer ntpd[5051]: frequency initialized 0.000 PPM from /var/lib/ntp/drift

so it appears that it is listening on port 123. But when I run a portscan from another computer it doesn't appear that port 123 is open:

    G5_iMac[jonbaker]:~$ nc -v -w 2 -z 192.168.1.115 100-200
    elmer.wgm [192.168.1.115] 139 (netbios-ssn) open
    elmer.wgm [192.168.1.115] 111 (sunrpc) open

The iptables rules are in a script that runs on startup; the actual section that executes is this:

    # Clearing any existing rules and setting default policy
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -F INPUT
    /sbin/iptables -P OUTPUT ACCEPT
    /sbin/iptables -F OUTPUT
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -F FORWARD
    /sbin/iptables -t nat -F

    # Squid rule
    /sbin/iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128

    # FWD: Allow all connections OUT and only existing and related ones IN
    /sbin/iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

    # Enabling SNAT (MASQUERADE) functionality on $EXTIF
    /sbin/iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

    # Open port 123 for ntp services
    /sbin/iptables -A INPUT -p udp --dport 123 -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

But, when I try to sync time using ntpdate I get this message:

    24 Aug 10:00:13 ntpdate[10834]: no server suitable for synchronization found

Any idea what might be breaking this? I can ssh into the server fine, and it has apache running and serving web pages fine as well. This seems to be the only thing that's not working. Thanks
NTP is a UDP protocol, so a port scan won't necessarily detect it because UDP is a sessionless protocol (i.e. it doesn't maintain an open session between hosts, it just sends out datagrams and hopes that they get to the remote host).
The ntpdate issue - this is probably because you haven't configured an upstream NTP server to synchronise with. This is in /etc/ntp/ntpservers, or you can configure it using system-config-date (which is actually preferred, according to the comment in the ntpservers file).
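Since a TCP scan such as the nc run above cannot see a UDP listener, the only reliable check is to send ntpd a real client packet and look at what comes back. The following is an added example, not code from this thread: it builds a minimal NTPv3 mode-3 request, parses the 48-byte reply header, and applies the same test ntpdate effectively applies (a reply from an unsynchronised server, leap indicator 3 or stratum 0/16, is "not suitable"). The two sample replies are constructed inline so the parsing can be exercised offline; the hostname in `query` is the LAN address from the thread.

```python
import socket
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)


def build_client_request() -> bytes:
    """48-byte NTPv3 packet: LI=0, VN=3, Mode=3 (client); everything else zero."""
    first_byte = (0 << 6) | (3 << 3) | 3
    return struct.pack("!B47x", first_byte)


def parse_response(data: bytes) -> dict:
    """Decode the header fields and the transmit timestamp of a server reply."""
    if len(data) < 48:
        raise ValueError("NTP packet too short: %d bytes" % len(data))
    first, stratum, poll, precision = struct.unpack("!BBBb", data[:4])
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return {
        "leap": first >> 6,
        "version": (first >> 3) & 7,
        "mode": first & 7,
        "stratum": stratum,
        "transmit_unix": tx_sec - NTP_EPOCH_DELTA + tx_frac / 2**32,
    }


def server_usable(fields: dict) -> bool:
    """A server reply (mode 4) is only usable when the server itself is synced:
    leap != 3 (clock not yet set) and stratum strictly between 0 and 16."""
    return fields["mode"] == 4 and fields["leap"] != 3 and 0 < fields["stratum"] < 16


def query(host: str = "192.168.1.115", port: int = 123, timeout: float = 2.0) -> dict:
    """Send one request over UDP and parse the reply (raises socket.timeout if none)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (host, port))
        data, _ = sock.recvfrom(512)
    return parse_response(data)


# Constructed sample replies (not captured from the server in the thread).
# Synced: LI=0, VN=3, mode=4, stratum 2, transmit = 3333873613 NTP seconds.
SAMPLE_SYNCED_REPLY = (struct.pack("!BBBb", 0x1C, 2, 6, -20) + bytes(36)
                       + struct.pack("!II", 3333873613, 0))
# Unsynced: LI=3 (clock unsynchronised), VN=3, mode=4, stratum 0.
SAMPLE_UNSYNCED_REPLY = struct.pack("!BBBb", 0xDC, 0, 6, -20) + bytes(44)

if __name__ == "__main__":
    for name, pkt in (("synced", SAMPLE_SYNCED_REPLY), ("unsynced", SAMPLE_UNSYNCED_REPLY)):
        print(name, parse_response(pkt), "usable:", server_usable(parse_response(pkt)))
```

Run `query()` against the server from another LAN host: a timeout means the UDP packet never reached ntpd or its reply was dropped, while a reply that fails `server_usable` means ntpd is reachable but has no upstream source, which matches the "no server suitable" message.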
I think I found it, it looks like DHCP is deleting all my ntp configuration files. I changed both network ports to static (DHCP was assigning a static IP to the MAC address anyway) so we'll see if that fixes it.