We have an FC4 server running squid and mail relay, basically a gateway, for our LAN, and I'm trying to set it up as an NTP server. It's behind a load balancing with a firewall so I have firewall off (i.e. firewall is not the issue here, unless there's more firewall than I realize) and I have SELinux off as well.

I can get ntpd started fine, and in /var/log/messages I see this:

Aug 23 15:01:40 elmer ntpdate[5047]: step time server x.x.x.x offset -0.022521 sec
Aug 23 15:01:40 elmer ntpd[5051]: ntpd 4.2.0a@1.1190-r Thu Apr 14 07:45:36 EDT 2005 (1)
Aug 23 15:01:40 elmer ntpd[5051]: precision = 1.000 usec
Aug 23 15:01:40 elmer ntpd[5051]: Listening on interface wildcard, 0.0.0.0#123
Aug 23 15:01:40 elmer ntpd[5051]: Listening on interface wildcard, ::#123
Aug 23 15:01:40 elmer ntpd[5051]: Listening on interface lo, 127.0.0.1#123
Aug 23 15:01:40 elmer ntpd[5051]: Listening on interface eth0, 10.1.3.3#123
Aug 23 15:01:40 elmer ntpd[5051]: Listening on interface eth1, 192.168.1.115#123
Aug 23 15:01:40 elmer ntpd[5051]: kernel time sync status 0040
Aug 23 15:01:40 elmer ntpd[5051]: frequency initialized 0.000 PPM from /var/lib/ntp/drift

so it appears that it is listening on port 123. But when I run a portscan from another computer it doesn't appear that port 123 is open:

G5_iMac[jonbaker]:~$ nc -v -w 2 -z 192.168.1.115 100-200
elmer.wgm [192.168.1.115] 139 (netbios-ssn) open
elmer.wgm [192.168.1.115] 111 (sunrpc) open

The iptables rules is in a script that runs on startup, the actual section that executes is this:

# Clearing any existing rules and setting default policy
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F

# Squid rule
/sbin/iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128

# FWD: Allow all connections OUT and only existing and related ones IN
/sbin/iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Enabling SNAT (MASQUERADE) functionality on $EXTIF
/sbin/iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Open port 123 for ntp services
/sbin/iptables -A INPUT -p udp --dport 123 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

But, when I try to sync time using ntpdate I get this message:

24 Aug 10:00:13 ntpdate[10834]: no server suitable for synchronization found

Any idea what might be breaking this? I can ssh into the server fine, and it has apache running and serving web pages fine as well. This seems to be the only thing that's not working.

Thanks -

NTP is a UDP protocol, so a port scan won't necessarily detect it because UDP is a sessionless protocol (i.e. it doesn't maintain an open session between hosts, it just sends out datagrams and hopes that they get to the remote host).

The ntpdate issue - this is probably because you haven't configured an upstream NTP server to synchronise with. This is in /etc/ntp/ntpservers, or you can configure it using system-config-date (which is actually preferred, according to the comment in the ntpservers file).

I think I found it, it looks like DHCP is deleting all my ntp configuration files. I changed both network ports to static (DHCP was assigning a static IP to the MAC address anyway) so we'll see if that fixes it.