
I have a few servers with public Internet IP addresses like A.B.C.x. One of my hosts (A.B.C.10) runs ntpd and I have it syncing its time from europe.pool.ntp.org.

Now I only want to allow hosts from my subnet (A.B.C.x) to be able to sync to A.B.C.10. By default the whole world can sync to my NTP server. How do I accomplish this?


All examples I can find assume that I'm syncing to specific IP addresses, but I sync to DNS names and, as far as I can tell, the IP addresses that the DNS names x.europe.pool.ntp.org point to are variable. So I can't set up exceptions in my firewall, and I can't use the restrict option in ntp.conf because it too only accepts IP addresses and not DNS names. (Oh! and restrict applies both to clients and to servers, as firewall rules do!)

masegaloeh
ndemou
  • What kind of firewall? Is it stateful? – 200_success Dec 27 '14 at 22:46
  • Well it's a Linux host so I can use iptables which is stateful. I think I can see your point :-) but will happily wait for your iptable command because I'm no iptables expert – ndemou Dec 27 '14 at 22:50

3 Answers


A basic ntp.conf for serving the local net looks like this:

####
driftfile       /etc/ntp.drift
disable         monitor
restrict -4     default kod nomodify nopeer noquery notrap
restrict -6     default kod nomodify nopeer noquery notrap
restrict        127.0.0.1
restrict        127.127.1.0
restrict -6     ::1

restrict        10.0.0.0    mask 255.0.0.0
restrict        172.16.0.0  mask 255.240.0.0
restrict        192.168.0.0 mask 255.255.0.0

server          0.pool.ntp.org       iburst
server          1.pool.ntp.org       iburst
server          2.pool.ntp.org       iburst
####

The two longest lines deny any access to the server by default, and then the other restrict directives allow only specific hosts and subnets.

Kondybas
  • I've tried your ntp.conf but the ntp server still serves clients all over the internet. (The two longest restrict lines only deny *elevated* access to the server - they don't deny plain time query access.) – ndemou Dec 27 '14 at 23:08
  • Try to add the verb `ignore` to the lines – Kondybas Dec 28 '14 at 00:24
  • `restrict` lines apply to both clients **and** servers. So if I add ignore it will also ignore replies from pool.ntp.org (see: http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.1.2.1.) – ndemou Dec 28 '14 at 00:35
  • Have you ever tested the configuration you are posting? In addition to my previous comments I just noticed that the `restrict 10.0.0.0/8` notation contained in your answer doesn't work as expected (at least in Ubuntu 14.04 it is as if these lines are ignored). What works is this notation: `restrict 10.0.0.0 mask 255.0.0.0` which I found at ntpd's official documentation for access restrictions (see http://support.ntp.org/bin/view/Support/AccessRestrictions). – ndemou Dec 28 '14 at 00:55
  • Proposed config was just copy-pasted from one of my servers where it is used for a while. And I'm absolutely sure that `restrict` directives applied only to the clients while servers are still accessible by local ntpd. You have to refer to the http://support.ntp.org/bin/view/Support/AccessRestrictions for further reading. – Kondybas Dec 28 '14 at 01:20
  • And yes, I was wrong with CIDR notation as far as my servers do not provide ntp service outside localhost. – Kondybas Dec 28 '14 at 01:26
  • Regarding: "I'm absolutely sure that restrict directives applied only to the clients while servers are still accessible by local ntpd.": Kondybas, you are wrong. It's easy to test it. Please do and report back (I did). The very link you've given me notes at section 6.5.1.2.1 that if you've used a `restrict default ignore` line you must add additional restrict directives in order to allow access to every single server you've defined with `server` lines (I've linked to this section in my 2nd comment). Also I'm sure your config works (I've tried it as is) but it doesn't do what I asked. – ndemou Dec 28 '14 at 15:04

You've got several options, and it depends on where firewalls are placed and/or which ones you prefer to work with. Ideally you would have a firewall that you can control on the subnet. Less ideally you'll only be dealing with a host level firewall on the NTP server. Either way the concept is the same.

For a subnet firewall:

  • Allow UDP port 123 out of the subnet only from A.B.C.10
  • Deny UDP port 123 from everything else.

For a host firewall on the NTP server:

  • Allow UDP port 123 from your subnet (and from localhost)
  • Deny UDP port 123 from everywhere else (a deny all rule later in the chain).

e.g. to allow 10.0.0.0/8:

# allow 10.0.0.0/8
iptables -A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT
# allow localhost
iptables -A INPUT -s 127.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT
# allow NTP packets _from_ your host to everyone else
iptables -A OUTPUT -p udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
# allow replies from hosts you've sent NTP packets to
iptables -A INPUT  -p udp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
# the following is only useful if you have a policy ACCEPT for INPUT
iptables -A INPUT  -p udp -m udp --dport 123 -j DROP
ndemou
Wesley
  • Wesley I think you've misunderstood me. I want to block *foreign* hosts from all over the internet from being able to sync to my ntp server. I'll edit my question to make it more clear. – ndemou Dec 27 '14 at 22:39
  • @ndemou Updated. – Wesley Dec 27 '14 at 22:53
  • The subnet firewall solution is ideal but I need to ask the Cisco technician to fix it and this is harder than it seems :-( The host firewall solution seems wrong because it will also block replies from the ntp pool servers (they send replies back to UDP 123). I need some kind of stateful rule that will drop everything except replies to my queries (200_success comment made me first think about it). – ndemou Dec 27 '14 at 23:15
  • @ndemou It won't block the pool from talking to the host because established connections aren't blocked and the pool doesn't initiate the connection, your host does. – Wesley Dec 27 '14 at 23:17
  • Wesley, sorry for guessing instead of trying. However now that I did try I get error `Bad argument '123'` when I try `iptables -A INPUT -s 10.0.0.0/8 -p udp -dport 123 -j ACCEPT` – ndemou Dec 27 '14 at 23:22
  • OK got it: it should have been `--dport` instead of `-dport` – ndemou Dec 27 '14 at 23:26
  • Doh! I made the rule on the fly in my head so didn't completely check the syntax. Specifics are left as an exercise for the reader. :P – Wesley Dec 27 '14 at 23:29
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/19785/discussion-between-ndemou-and-wesley). – ndemou Dec 27 '14 at 23:33
  • For some reason chat is not working for me! Will continue with comments: A deny all rule later in the chain **does block replies from the pool**. As I've said there must be an iptables rule that I need to add that will `ACCEPT` replies to my NTP queries but I don't know enough about iptables to figure it out (tried `iptables -A INPUT -p udp --dport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT` but it doesn't match). – ndemou Dec 27 '14 at 23:42
  • Thanks! I've figured it out, tested it and it works. I've edited your answer to add the commands that worked and also accepted your answer. I hope the edit wasn't improper. – ndemou Dec 28 '14 at 00:29
  • @ndemou Thanks, looks good. This turned from an NTP question to an iptables question, so I was debating whether to suggest making a new question, but this works best. – Wesley Dec 28 '14 at 00:45
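The sticking point in the comments above is whether a trailing DROP rule eats the pool servers' replies. The following is an added example, not code from the answer or the question: a small Python model of a host's INPUT/OUTPUT chains with UDP connection tracking, loaded with the rules from the accepted answer (the asker's subnet A.B.C.x is stood in for by the constructed 192.0.2.0/24, A.B.C.10 by 192.0.2.10, and 198.51.100.9 is a made-up pool address). It shows that an unsolicited packet from a pool address is dropped, the reply to a query the host itself sent is ESTABLISHED and accepted, and that leaving out the ESTABLISHED rule is what makes the DROP rule block replies. Conntrack semantics are simplified to "an accepted NEW packet creates a flow; a packet matching that flow in either direction is ESTABLISHED".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    """One UDP filter rule; a None field means 'any', like omitting the iptables option."""
    target: str                         # ACCEPT or DROP
    src: Optional[str] = None           # -s CIDR
    sport: Optional[int] = None         # --sport
    dport: Optional[int] = None         # --dport
    state: Optional[frozenset] = None   # -m state --state NEW,ESTABLISHED

    def matches(self, pkt, state):
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.state is not None and state not in self.state:
            return False
        return True


class StatefulHost:
    """Toy model (assumption: simplified conntrack) of a host's INPUT and OUTPUT chains.

    Every accepted NEW packet records its 4-tuple; a later packet matching that
    tuple in either direction is classified ESTABLISHED.
    """

    def __init__(self, input_rules, output_rules, input_policy="DROP"):
        self.chains = {"INPUT": (input_rules, input_policy), "OUTPUT": (output_rules, "ACCEPT")}
        self.flows = set()

    def _state(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def filter(self, chain, pkt):
        """Walk the chain in order; the first matching rule wins, else the chain policy applies."""
        rules, policy = self.chains[chain]
        state = self._state(pkt)
        verdict = next((r.target for r in rules if r.matches(pkt, state)), policy)
        if verdict == "ACCEPT" and state == "NEW":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))  # conntrack confirms the flow
        return verdict


HOST = "192.0.2.10"      # constructed stand-in for A.B.C.10
LAN = "192.0.2.0/24"     # constructed stand-in for A.B.C.x
POOL = "198.51.100.9"    # constructed stand-in for one pool.ntp.org address
NTP = 123


def build_host(with_established_rule=True):
    """The accepted answer's rules, with the LAN substituted for 10.0.0.0/8."""
    input_rules = [
        Rule("ACCEPT", src=LAN, dport=NTP),            # -s LAN -p udp --dport 123 -j ACCEPT
        Rule("ACCEPT", src="127.0.0.0/8", dport=NTP),  # localhost
    ]
    if with_established_rule:  # --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
        input_rules.append(Rule("ACCEPT", sport=NTP, dport=NTP, state=frozenset({"ESTABLISHED"})))
    input_rules.append(Rule("DROP", dport=NTP))       # the catch-all at the end of the chain
    output_rules = [Rule("ACCEPT", sport=NTP, dport=NTP, state=frozenset({"NEW", "ESTABLISHED"}))]
    return StatefulHost(input_rules, output_rules)


def run_scenarios():
    """Constructed packet sequence; returns the verdict for each case."""
    h = build_host()
    r = {}
    r["lan_client"] = h.filter("INPUT", Packet("192.0.2.20", HOST, 40000, NTP))
    r["internet_client"] = h.filter("INPUT", Packet("203.0.113.5", HOST, NTP, NTP))
    r["unsolicited_pool_reply"] = h.filter("INPUT", Packet(POOL, HOST, NTP, NTP))
    r["our_query"] = h.filter("OUTPUT", Packet(HOST, POOL, NTP, NTP))
    r["pool_reply"] = h.filter("INPUT", Packet(POOL, HOST, NTP, NTP))
    # Same exchange without the ESTABLISHED rule: the final DROP now eats the reply.
    h2 = build_host(with_established_rule=False)
    h2.filter("OUTPUT", Packet(HOST, POOL, NTP, NTP))
    r["pool_reply_without_state_rule"] = h2.filter("INPUT", Packet(POOL, HOST, NTP, NTP))
    return r


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:32s} {verdict}")
```

Rule order is the whole point: the ESTABLISHED rule has to sit before the DROP, and the OUTPUT rule has to accept the host's own query first, otherwise there is no conntrack entry for the reply to match.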

I didn't find these answers terribly helpful, so here is what worked for me. This is on a machine running NTP 4.2.6p5.

driftfile        /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/

restrict    default ignore

restrict        127.0.0.1
restrict        127.127.1.0
restrict -6     ::1

# hosts allowed to query this server (mask 255.255.255.255 = a single host)
restrict -4     <whitelist.ip.0>    mask    255.255.255.255
restrict -4     <whitelist.ip.1>    mask    255.255.255.255
restrict -4     <whitelist.ip.2>    mask    255.255.255.255

# with "restrict default ignore" above, each upstream server also needs its own
# restrict line or its replies are dropped; iburst is a server option, not a
# restrict flag, so it only belongs on the server lines
server      0.pool.ntp.org  iburst
restrict    0.pool.ntp.org  nomodify notrap nopeer noquery
server      1.pool.ntp.org  iburst
restrict    1.pool.ntp.org  nomodify notrap nopeer noquery
server      2.pool.ntp.org  iburst
restrict    2.pool.ntp.org  nomodify notrap nopeer noquery


statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

I know this is an old thread, but thought it might help someone. In the example, you should replace whitelist.ip.0, whitelist.ip.1, whitelist.ip.2 with your whitelisted hosts. You can obviously also modify the mask argument to allow, e.g., a /24 network.

adam
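Both the first answer's config (a `default` line with `kod nomodify nopeer noquery notrap`) and the last answer's config (`restrict default ignore` plus explicit allow lines) turn on the same question: which restrict entry ntpd applies to a given source address, and whether that entry's flags include `ignore` or `noserve`. The following is an added example, not code from any answer on this page: a Python evaluator that parses the restrict lines of an ntp.conf text, picks the most specific matching entry for a source address (ntpd also lets the most specific entry win), and reports whether a time request or an ntpq query from that address would be answered. The two embedded configs are constructed; 192.0.2.0/24 stands in for the asker's A.B.C.x and 198.51.100.9 for one pool address. Because restrict is keyed purely on source address, the same check tells you whether a reply from one of your upstream servers gets through, which is the trap with `default ignore` and DNS pool names.

```python
import ipaddress

# restrict flags that stop ntpd answering an ordinary time request from a source
DENY_TIME = frozenset({"ignore", "noserve"})
# restrict flags that stop ntpq/ntpdc information queries from a source
DENY_QUERY = frozenset({"ignore", "noquery"})


def parse_restrict_lines(conf_text):
    """Return [(network, flags)] for every restrict line in an ntp.conf text.

    Handles 'default', 'addr mask m' and 'addr/prefix' forms plus the -4/-6
    family switches; every other line is skipped.
    """
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = None
        if tokens and tokens[0] in ("-4", "-6"):
            family = int(tokens.pop(0)[1])
        if not tokens:
            continue
        target, rest = tokens[0], tokens[1:]
        if target == "default":
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
            nets = [n for n in nets if family is None or n.version == family]
        elif len(rest) >= 2 and rest[0] == "mask":
            nets = [ipaddress.ip_network(f"{target}/{rest[1]}", strict=False)]
            rest = rest[2:]
        else:
            nets = [ipaddress.ip_network(target, strict=False)]
        for net in nets:
            entries.append((net, frozenset(rest)))
    return entries


def effective_flags(entries, source_ip):
    """Flags ntpd applies to packets from source_ip: the most specific entry wins."""
    ip = ipaddress.ip_address(source_ip)
    best = None
    for net, flags in entries:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, flags)
    return best[1] if best else frozenset()


def answers_time_request(entries, source_ip):
    """True if ntpd would answer a time request (or accept a server reply) from source_ip."""
    return not (effective_flags(entries, source_ip) & DENY_TIME)


def answers_ntpq(entries, source_ip):
    """True if ntpd would answer an ntpq/ntpdc query from source_ip."""
    return not (effective_flags(entries, source_ip) & DENY_QUERY)


# Constructed config in the style of the first answer: nothing on the default
# line denies plain time service, so the whole Internet can still sync.
OPEN_CONF = """
restrict -4     default kod nomodify nopeer noquery notrap
restrict -6     default kod nomodify nopeer noquery notrap
restrict        127.0.0.1
restrict -6     ::1
restrict        10.0.0.0    mask 255.0.0.0
restrict        192.168.0.0 mask 255.255.0.0
"""

# Constructed config in the style of the last answer: default ignore, then
# explicit allows for the LAN and for one (made-up) upstream server address.
CLOSED_CONF = """
restrict        default ignore
restrict        127.0.0.1
restrict -6     ::1
restrict        192.0.2.0    mask 255.255.255.0   nomodify notrap nopeer noquery
restrict        198.51.100.9 mask 255.255.255.255 nomodify notrap nopeer noquery
"""


def check(conf_text, source_ip):
    """Summarise what a source address may do against the given config."""
    entries = parse_restrict_lines(conf_text)
    return {"time": answers_time_request(entries, source_ip),
            "ntpq": answers_ntpq(entries, source_ip)}


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("closed", CLOSED_CONF)):
        for ip in ("203.0.113.5", "192.0.2.20", "198.51.100.9", "198.51.100.10"):
            print(f"{name:6s} {ip:15s} {check(conf, ip)}")
```

Note the last case: 198.51.100.10 is a pool address that was not listed, and under `default ignore` its replies are silently dropped. That is exactly why a hostname that resolves to changing addresses is awkward to whitelist in ntp.conf, and why the stateful firewall rules in the accepted answer are the more robust fix.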