[CentOS] Setting up NTP server

Tue Dec 4 23:58:03 UTC 2012
SilverTip257 <silvertip257 at gmail.com>

On Tue, Dec 4, 2012 at 2:29 PM, Rajagopal Swaminathan <
raju.rajsand at gmail.com> wrote:

> Greetings,
>
> Please treat this post with kid gloves as I am a bit rusty of late on
> CentOS, and the last NTP server that I worked on was during CentOS 5.1 days.
>
> I am going to have to install CentOS 6.3 in the coming week in an all-Windows
> environment.
>
> This box will be running glpi and ocs-inventory.
>
> I am planning to have two NICs: one facing the raw internet and other on a
> Private LAN.


It's not necessary to have two NICs unless you're setting it up as your
firewall.  Do as you see fit.


>
> I want this box (as NTP Client) to get time through NTP from the raw internet
> using ADSL.
>

Take a look at /etc/ntp.conf ... it has comments that document it well.
Add time sources (servers) to your ntp.conf [0].  I've read recommendations
to have at least eight time sources, but definitely have three (CentOS
defaults to three).
It's generally recommended to select servers from the public NTP pool [1].
Consider adding restrictions [2] to go along with each time source to
secure it.


> I want this box to be the primary NTP server for the private LAN.
>

If you're using DHCP to assign addresses then you can set the ntp server
option. Since you have a group of servers I find it unlikely you're using
DHCP.  You'll probably have to use Group Policy or any other method to set
the time server on your Windows boxes.


> None of the packets should pass from the LAN to the Internet or vice versa.
> IOW, no routing should be there.
>
> If it works, perhaps at a future date, maybe an instance of squid proxy.
>
> I don't mind all the ports being open for the Private LAN, or is that a bad
> idea?
>

It's best practice to implement firewall rules that only open up what needs
to be accessible.
Certainly add an iptables rule for UDP port 123 that allows your LAN
subnet(s).


> I am not sure if there is a DNS in this whole scenario
>

I strongly suggest you refer to your internal NTP server by its domain
name.  This will make it easy to point clients at a different physical host
by updating a DNS record.


> And yes, all the Windows boxen (a few W2K3, XP) in the LAN would have to
> synchronise time with this CentOS bo
>
> Is it possible?
>
> If so, what would typical config files for eth0, eth2, firewall(s) look
> like?
>
>
So it seems...
Are you making this box into a firewall / NAT host?

[0] http://support.ntp.org/bin/view/Support/ConfiguringNTP
[1] http://www.pool.ntp.org/en/
[2] http://support.ntp.org/bin/view/Support/AccessRestrictions

> --
> Regards,
>
> Rajagopal
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

---~~.~~---
Mike
//  SilverTip257  //
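A worked configuration for the two points raised above (restrictions on each time source in ntp.conf, and an iptables rule that allows UDP 123 only from the LAN), added here as an example and not taken from the thread; the LAN subnet 192.168.10.0/24 and the LAN interface name eth2 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): render a restricted /etc/ntp.conf and
# matching iptables rules for a CentOS 6 box serving time to one private LAN.
# The subnet 192.168.10.0/24 and interface eth2 below are assumed placeholders.

# Print an ntp.conf that serves time to the LAN but refuses remote
# reconfiguration and status queries (ntpq/ntpdc) from everyone else.
render_ntp_conf() {
    lan_net="$1"    # e.g. 192.168.10.0
    lan_mask="$2"   # e.g. 255.255.255.0
    cat <<EOF
# Default policy: time service only. nomodify/notrap/nopeer/noquery block
# remote control and status queries; kod rate-limits misbehaving clients.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Localhost keeps full access so 'ntpq -p' works on the box itself.
restrict 127.0.0.1
restrict -6 ::1
# LAN clients may sync but not reconfigure the daemon (CentOS default style).
restrict ${lan_net} mask ${lan_mask} nomodify notrap
# Upstream sources from the public pool; CentOS ships three by default.
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
driftfile /var/lib/ntp/drift
EOF
}

# Print INPUT rules in /etc/sysconfig/iptables syntax: replies from the
# upstream pool servers are matched as ESTABLISHED (ntpd talks 123 -> 123),
# fresh requests are accepted only from the LAN, everything else is dropped.
render_iptables_rules() {
    lan_cidr="$1"   # e.g. 192.168.10.0/24
    lan_if="$2"     # e.g. eth2
    printf '%s\n' \
      "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "-A INPUT -i ${lan_if} -s ${lan_cidr} -p udp --dport 123 -j ACCEPT" \
      "-A INPUT -p udp --dport 123 -j DROP"
}

# Render both for review; redirect to files before installing them.
render_ntp_conf 192.168.10.0 255.255.255.0
render_iptables_rules 192.168.10.0/24 eth2
```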