The following examples for /etc/ntp.conf and Linux ipchains rules are for synchronizing an xntpd Internet time daemon to external publicly available clocks, and making the results available to a corporate LAN (192.168.1.0/24). If your log files are full of:

xntpd[337]: recvfrom() fd=4: Connection refused

and your ntpdate attempts are rebuffed with:

no server suitable for synchronization found

this example should get you on the right track.


Run-time configuration for ntp.conf

 server 127.127.1.1 prefer
 fudge 127.127.1.1 stratum 5
 
 
 # fictitious
 server 129.11.22.33
 server 130.22.33.44
 server 131.33.44.55
 
 restrict default ignore
 
 # fictitious
 restrict 129.11.22.33   nomodify noquery
 restrict 130.22.33.44   nomodify noquery
 restrict 131.33.44.55   nomodify noquery

 restrict 192.168.1.0   mask 255.255.255.0   nomodify
 restrict 127.0.0.1     # req'd because of the default 'restrict' above.
 
 enable auth monitor
 
 driftfile /var/db/ntp.drift
 statsdir  /var/db/ntpstats/
 
 filegen peerstats file peerstats type day enable
 filegen loopstats file loopstats type day enable
 filegen clockstats file clockstats type day enable
 
 

Firewall requirements

ipchains rules for Linux 2.2.x servers.

 # Allow xntpd daemon to talk to external public xntpd
 # (123.45.67.8 is not real; do not use it)
 #
 ipchains  -A input -j ACCEPT -p tcp -s 123.45.67.8 123 -d 192.168.1.1
 ipchains  -A input -j ACCEPT -p udp -s 123.45.67.8 123 -d 192.168.1.1
 
 # ALLOW NTP time calls from our local subnets:
 #
 ipchains -A input -j ACCEPT -p tcp -s 192.168.1.0/24 -d 192.168.1.1 123
 ipchains -A input -j ACCEPT -p udp -s 192.168.2.0/25 -d 192.168.1.1 123
 
 
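To keep the two lists above in step, here is an added example (not from the original page) that reads the 'server' lines from an ntp.conf, emits the matching ipchains input rules, and reports any upstream server that has no 'restrict' line of its own, which under 'restrict default ignore' leaves its replies ignored by xntpd. It assumes the NTP host is 192.168.1.1 as above and emits UDP rules only, since NTP does not use TCP; the configuration it reads is a constructed sample written to a temporary file.

```shell
# Added example, not from the original page: derive the firewall rules and
# check the 'restrict' lines from the 'server' entries of an ntp.conf, so
# the ipchains rule set and xntpd's own access list cannot drift apart.

# Upstream servers only: the 127.127.x.x reference-clock drivers never
# cross the firewall, so they are skipped.
ntp_servers() {
    awk '$1 == "server" && $2 !~ /^127\.127\./ { print $2 }' "$1"
}

# One UDP rule per upstream server ($2 is our NTP host). NTP uses UDP
# port 123 only, so no tcp rule is emitted; pinning the destination port
# keeps a packet from the server's port 123 away from any other UDP
# service on the host.
ipchains_rules() {
    ntp_servers "$1" | while read -r s; do
        printf 'ipchains -A input -j ACCEPT -p udp -s %s 123 -d %s 123\n' "$s" "$2"
    done
}

# Servers with no 'restrict <addr> ...' line of their own. Under
# 'restrict default ignore' xntpd drops every packet from such a server,
# so it can never be used for synchronization.
missing_restricts() {
    ntp_servers "$1" | while read -r s; do
        awk -v s="$s" '$1 == "restrict" && $2 == s { found = 1 }
                       END { exit !found }' "$1" || echo "$s"
    done
}

# Constructed sample: the page's configuration with the restrict line for
# the third server left out on purpose.
conf=$(mktemp)
cat > "$conf" <<'EOF'
server 127.127.1.1 prefer
fudge 127.127.1.1 stratum 5
server 129.11.22.33
server 130.22.33.44
server 131.33.44.55
restrict default ignore
restrict 129.11.22.33 nomodify noquery
restrict 130.22.33.44 nomodify noquery
restrict 192.168.1.0 mask 255.255.255.0 nomodify
restrict 127.0.0.1
EOF

ipchains_rules "$conf" 192.168.1.1
echo "servers without a restrict line: $(missing_restricts "$conf")"
```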
Problems

If you're still not able to get ntpdate to run from your LAN:

  1. Wait five or six minutes to ensure that your local xntpd server has had time to stabilize.

  2. Check that you don't have an xntpd daemon running on the workstation from which you are testing.

  3. Check the syslog output for hints relating to the ipchains configuration, and check any other firewall between your clients and the server.

Comments and clarifications on this document are welcome.




Page URI:   http://digipro.com/Papers/xntpd.shtml
Last Changed:   06:35 Thursday, March 4th, 2010

Copyright, "DigiPro Digital Productions, 1993-2017"
DigiPro is a federally registered trademark of DigiPro Digital Productions