NTP, ntpdate, and ISP-based firewall

James Ralston qralston+ml.redhat-fedora at andrew.cmu.edu
Sun Mar 7 07:55:15 UTC 2004


On 2004-03-05 at 14:34:00-0500 Don Levey <fedora-list at the-leveys.us> wrote:

> I've received word from my ISP that they are *not* blocking port
> 123.

Don't believe them.

> I see on my Linksys router/firewall that my packets are going out
> (it's the last step before the cable modem).  However, nothing comes
> back to it.  Not on port 123, not on any other port from those
> hosts.  The ntpdate -u gets results, however.

This almost certainly means that your ISP is blocking incoming UDP
port 123.  (The customer service droid who answered your question
probably thought you were asking whether they blocked *outbound* UDP
traffic to port 123.)

Try this:

    #! /bin/sh

    #
    # Many cable modem ISPs firewall all incoming ports <1024.  This
    # is a problem for NTP, as ntpd uses source port 123 when talking
    # to remote NTP servers; thus, the responses coming back to source
    # port 123 are dropped by the ISP's firewall.
    #
    # To work around the firewall, we intercept outgoing NTP packets
    # and remap the source port.  That way, the reply packet coming
    # back to us is destined for a high (remapped) port, which the
    # ISP is unlikely to block.
    #

    # IPv4 address of eth0.  The trailing space in the grep pattern keeps
    # the "inet6" line out of the match, so only one address comes back.
    IP_ADDRESS_ETH0=`ip addr show eth0 | grep '^ *inet ' | awk '{print $2}' | cut -d/ -f1`

    # Read the kernel's ephemeral port range ("low<TAB>high") into L and H
    # by temporarily pointing stdin at the /proc file.
    exec 3<&0 0</proc/sys/net/ipv4/ip_local_port_range
    read L H
    # iptables writes a port range as low-high; the colon in --to-source
    # separates the address from the port part.
    LOCAL_PORT_RANGE="${L}-${H}"
    unset L H
    exec 0<&3 3<&-

    # Rewrite the source port of outgoing NTP packets from this host to a
    # port in the ephemeral range; connection tracking un-NATs the replies.
    /sbin/iptables -t nat -A POSTROUTING -o eth0 -p udp -s "${IP_ADDRESS_ETH0}" --sport 123 -j SNAT --to-source "${IP_ADDRESS_ETH0}:${LOCAL_PORT_RANGE}"

I'd bet large sums of money that once you insert the above iptables
rule, ntpd will work.  (I had to do exactly the same thing when I set
up ntpd on a computer that was behind a cable modem.)

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA

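A check for the symptom discussed in the message above, added here as an example and not part of the original post: it sends one NTP client request from UDP source port 123 (as ntpd does) and one from an unprivileged port (as ntpdate -u does), and reports which of the two gets a reply. The server name is an assumption, binding port 123 requires root, and the sample reply packet used for offline testing is constructed.

```python
import socket
import struct
import sys
import time

NTP_PORT = 123
NTP_PACKET_LEN = 48
NTP_UNIX_OFFSET = 2_208_988_800  # seconds from 1900-01-01 to 1970-01-01


def build_client_request() -> bytes:
    """Minimal NTPv3 client packet: LI=0, VN=3, Mode=3, everything else zero."""
    return bytes([0x1B]) + bytes(NTP_PACKET_LEN - 1)


def parse_transmit_timestamp(packet: bytes) -> float:
    """Return the server's transmit timestamp as Unix time; reject non-replies."""
    if len(packet) < NTP_PACKET_LEN:
        raise ValueError("short NTP packet")
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_UNIX_OFFSET + frac / 2**32


def make_sample_reply(unix_time: float) -> bytes:
    """Constructed server reply (Mode 4) carrying unix_time as its transmit timestamp."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * 2**32)
    return bytes([0x1C]) + bytes(39) + struct.pack("!II", whole + NTP_UNIX_OFFSET, frac)


def probe(server: str, source_port: int, timeout: float = 2.0):
    """Send one request from source_port; return the reply's Unix time, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("", source_port))  # 123 needs root, like ntpd; 0 lets the kernel pick
        sock.sendto(build_client_request(), (server, NTP_PORT))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_transmit_timestamp(data)


def classify(reply_on_123, reply_on_high) -> str:
    """Turn the two probe results into a verdict."""
    if reply_on_123 is not None:
        return "ok"            # replies reach port 123; nothing to remap
    if reply_on_high is not None:
        return "filtered_123"  # only the high port answered: replies to 123 are dropped upstream
    return "blocked"           # neither answered: outbound NTP blocked or server unreachable


if __name__ == "__main__":
    # Server is an assumption; any reachable NTP server will do.
    server = sys.argv[1] if len(sys.argv) > 1 else "pool.ntp.org"
    try:
        r123 = probe(server, 123)
    except PermissionError:
        sys.exit("run as root: binding UDP port 123 is privileged")
    rhigh = probe(server, 0)
    print("reply to port 123:", r123, "; reply to high port:", rhigh,
          "->", classify(r123, rhigh))
    if rhigh is not None:
        print("server clock is %.3f s from local clock" % (rhigh - time.time()))
```

A verdict of `filtered_123` is exactly the situation in the message: the outbound packet leaves, the server answers, and only the reply addressed to port 123 never arrives, which is what the SNAT remap (or ntpdate -u) works around.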