[CentOS] NTP server problem behind firewall

Artifex Maximus artifexor at gmail.com
Tue Sep 4 06:31:48 UTC 2012 

On Mon, Sep 3, 2012 at 4:32 PM, Giles Coochey <giles at coochey.net> wrote:
> On 03/09/2012 15:18, Artifex Maximus wrote:
>>
>> On Mon, Sep 3, 2012 at 11:15 AM, Leonard den Ottolander
>> <leonard at den.ottolander.nl> wrote:
>>>
>>> On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
>>>>
>>>> Any idea what is wrong?
>>>
>>> The iptables rules you specify only allow clients from your local
>>> network access to your "proxy" ntp server. However, you do not specify
>>> any rules for eth1 to allow that ntp server to synchronise with the
>>> remote servers it is using. So unless you are using a local time source
>>> that might be your problem.
>>>
>>> Btw, when specifying rules for the external ntp servers you might want
>>> to specify IPs as well to restrict access.
>>
>> Thanks. You are right ntp proxy is absolutely what I want. Mine
>> description was not clean probably. So this is the setup:
>>
>> GPSNTP(10.0.1.99/24) - eth1 myserver eth0 - clients(10.0.0.0/24)
>>
>> Because GPSNTP is on a physically separated network I need this proxy
>> for my clients. My server is able to synchronize with GPSNTP so rules
>> are fine for that (because my output chain is ACCEPT per default). My
>> clients whom are cannot synchronize with my server even if I allow NTP
>> port which I do not understand.
>>
>>
> So at this stage, doing a "tcpdump -i eth0 -s 0 -w capture.cap" and getting
> one of your clients to try to sync time with your server and then repeating
> this with the firewall turned off (when it purportedly works) ought to give
> you enough information to be able to view the packet capture and see what is
> going wrong.

Thanks for the answer. I did tcpdump with turned on firewall but not
exactly what you suggest. The command was:

tcpdump -i eth0 -c 50 -nn -N -s 0 -vv port 123

and the result is:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
65535 bytes
16:39:13.653674 IP (tos 0x0, ttl 128, id 23478, offset 0, flags
[none], proto UDP (17), length 76)
    10.0.1.178.123 > 10.0.0.99.123: [udp sum ok] NTPv3, length 48
        symmetric active, Leap indicator: clock unsynchronized (192),
Stratum 0 (unspecified), poll 4s, precision -6
        Root Delay: 0.000610, Root dispersion: 9.049407, Reference-ID: (unspec)
          Reference Timestamp:  3555678802.057624999 (2012/09/03 16:33:22)
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   3555679152.630750000 (2012/09/03 16:39:12)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 3555679152.630750000
(2012/09/03 16:39:12)

16:39:43.145984 IP (tos 0x0, ttl 128, id 24616, offset 0, flags
[none], proto UDP (17), length 76)
    10.0.0.150.123 > 10.0.0.99.123: [udp sum ok] NTPv3, length 48
        symmetric active, Leap indicator: clock unsynchronized (192),
Stratum 0 (unspecified), poll 4s, precision -6
        Root Delay: 0.000610, Root dispersion: 9.049407, Reference-ID: (unspec)
          Reference Timestamp:  3555678802.057624999 (2012/09/03 16:33:22)
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   3555679182.130750000 (2012/09/03 16:39:42)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 3555679182.130750000
(2012/09/03 16:39:42)
16:39:43.145991 IP (tos 0x0, ttl 128, id 24617, offset 0, flags
[none], proto UDP (17), length 76)
    10.0.1.178.123 > 10.0.0.99.123: [udp sum ok] NTPv3, length 48
        symmetric active, Leap indicator: clock unsynchronized (192),
Stratum 0 (unspecified), poll 4s, precision -6
        Root Delay: 0.000610, Root dispersion: 9.049407, Reference-ID: (unspec)
          Reference Timestamp:  3555678802.057624999 (2012/09/03 16:33:22)
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   3555679182.130750000 (2012/09/03 16:39:42)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 3555679182.130750000
(2012/09/03 16:39:42)
16:39:43.146020 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
UDP (17), length 76)
    10.0.0.99.123 > 10.0.0.150.123: [bad udp cksum 9133!] NTPv3, length 48
        symmetric active, Leap indicator:  (0), Stratum 2 (secondary
reference), poll 4s, precision -23
        Root Delay: 0.000625, Root dispersion: 0.043029, Reference-ID: 10.0.1.99
          Reference Timestamp:  3555677676.775420963 (2012/09/03 16:14:36)
          Originator Timestamp: 3555679182.130750000 (2012/09/03 16:39:42)
          Receive Timestamp:    3555679183.145983964 (2012/09/03 16:39:43)
          Transmit Timestamp:   3555679183.146011888 (2012/09/03 16:39:43)
            Originator - Receive Timestamp:  +1.015233964
            Originator - Transmit Timestamp: +1.015261886

The first time (16:39:13.653674) client cannot sync to the server but
second time (16:39:43.145984) that was successful even if there is a
'bad udp cksum'. BTW, is it normal? Tcpdump says there was traffic and
sync happened later so rule is OK I think.

When tried later sync needs three tries for success. Other time needs
only one. Might depend on Moon phase. It looks like I have some
network equipment related problem as well. Therefore I have to talk
with some Cisco expert.

At the moment I have problem with rsyslogd because there is no log of
denied packets but that is another story. :-)

Thanks for all of your help!

Bye,
a

More information about the CentOS mailing list