chindi
Respected Contributor

NTP server linux

hi,

We need to configure Linux CentOS as an NTP server.

I have tried but somehow I am not able to get the same.

My server details below:

[root@centsvr etc]# uname -a
Linux centsvr 2.6.18-194.el5xen #1 SMP Fri Apr 2 15:34:40 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

Please find my ntp.conf below on the server:

[root@centsvr etc]# cat ntp.conf
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
restrict default ignore

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org
#server 1.centos.pool.ntp.org
#server 2.centos.pool.ntp.org

#server 0.in.pool.ntp.org
#server 1.asia.pool.ntp.org
#server 0.asia.pool.ntp.org
server 0.asia.pool.ntp.org
restrict 0.asia.pool.ntp.org notrap noquery
server 1.asia.pool.ntp.org
restrict 1.asia.pool.ntp.org notrap noquery
logfile /var/log/ntpd.log
restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap
#broadcast 192.168.1.255 key 42 # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 key 42 # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 key 42 # manycast client

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

When I am trying:

[root@centsvr etc]# ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
61.110.197.50 .INIT. 16 u - 64 0 0.000 0.000 0.000
62.201.215.14 .INIT. 16 u - 64 0 0.000 0.000 0.000
*127.127.1.0 .LOCL. 10 l 47 64 377 0.000 0.000 0.002

Does this mean that I have configured the NTP server correctly?

Also:

[root@centsvr sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 177 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6000:6010 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
COMMIT

Is the iptables entry correct? Do I have to put an o/p entry too?

[root@centsvr etc]# ntpdate 0.asia.pool.ntp.org
23 Aug 15:49:03 ntpdate[13294]: the NTP socket is in use, exiting
[root@centsvr etc]# /etc/init.d/ntpd stop
Shutting down ntpd: [ OK ]
[root@centsvr etc]# ntpdate 0.asia.pool.ntp.org
23 Aug 15:49:36 ntpdate[13302]: no server suitable for synchronization found
[root@centsvr etc]# ping 0.asia.pool.ntp.org
PING 0.asia.pool.ntp.org (78.111.50.1) 56(84) bytes of data.
64 bytes from host-1.net50.sol.az (78.111.50.1): icmp_seq=1 ttl=238 time=216 ms
64 bytes from host-1.net50.sol.az (78.111.50.1): icmp_seq=2 ttl=238 time=216 ms
64 bytes from host-1.net50.sol.az (78.111.50.1): icmp_seq=3 ttl=238 time=221 ms
64 bytes from host-1.net50.sol.az (78.111.50.1): icmp_seq=4 ttl=238 time=216 ms
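
As an added example (not code from the original post), here is a small Python parser for `ntpq -pn` output that reads the listing above the way the reply does: it decodes the tally column, the octal `reach` register and stratum 16, and reports whether ntpd has a reachable upstream source or is free-running on its local clock. The sample string is constructed from the poster's output with the original column layout restored; the function names are my own.

```python
"""Interpret `ntpq -pn` peer lines and say whether ntpd has a real upstream source.

Added example, not code from the original post. Column semantics follow the
standard ntpq billboard: the first character is the tally code, `st` 16 means
unsynchronised, refid `.INIT.` means no packet has ever been received, and
`reach` is an 8-bit shift register printed in octal (377 = the last eight polls
all answered).
"""

# Sample output, constructed from the ntpq -pn listing in the post above,
# with the original column layout restored.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 61.110.197.50   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 62.201.215.14   .INIT.          16 u    -   64    0    0.000    0.000   0.000
*127.127.1.0     .LOCL.          10 l   47   64  377    0.000    0.000   0.002
"""

# Tally codes printed in column 0 of each peer line.
TALLY = {
    " ": "discarded (unreachable or failed sanity checks)",
    "x": "falseticker",
    ".": "excess (beyond the candidate limit)",
    "-": "outlier",
    "+": "candidate",
    "#": "backup",
    "*": "system peer (the source ntpd is synchronised to)",
    "o": "PPS peer",
}

# Reference clocks use pseudo-addresses 127.127.t.u; 127.127.1.0 is the
# undisciplined local clock declared in the poster's ntp.conf.
LOCAL_CLOCK_PREFIX = "127.127."


def parse_peers(text):
    """Return one dict per peer line of `ntpq -pn` output (numeric mode assumed)."""
    peers = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("remote") or stripped.startswith("="):
            continue  # blank, header row or separator
        if line[0] in TALLY:
            tally, body = line[0], line[1:]
        else:
            # Whitespace-collapsed paste (as in the forum post): tally column lost.
            tally, body = " ", line
        fields = body.split()
        if len(fields) < 10:
            raise ValueError("unexpected ntpq line: %r" % line)
        reach = int(fields[6], 8)  # reach is printed in octal
        peers.append({
            "tally": tally,
            "role": TALLY[tally],
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "reach": reach,
            "answered_of_last_8": bin(reach).count("1"),
            "offset_ms": float(fields[8]),
        })
    return peers


def diagnose(peers):
    """Summarise the peer table: upstream reachability and what clients will see."""
    unreachable = [p["remote"] for p in peers
                   if p["reach"] == 0 or p["stratum"] == 16 or p["refid"] == ".INIT."]
    system_peer = next((p for p in peers if p["tally"] == "*"), None)
    local_only = (system_peer is not None
                  and system_peer["remote"].startswith(LOCAL_CLOCK_PREFIX))
    return {
        "synced_to": system_peer["remote"] if system_peer else None,
        # Clients of this server see the system peer's stratum plus one
        # (stratum 11 here, because the local clock is fudged to 10).
        "served_stratum": system_peer["stratum"] + 1 if system_peer else 16,
        "local_clock_only": local_only,
        "unreachable": unreachable,
    }


if __name__ == "__main__":
    report = diagnose(parse_peers(SAMPLE_NTPQ))
    for key, value in sorted(report.items()):
        print("%-18s %s" % (key, value))
```

On the poster's output this reports both pool servers as unreachable and the local clock as the only system peer, so the daemon is running but serving stratum 11 time that is not disciplined by any external source; a server in that state answers clients, which is why "is it configured correctly" cannot be judged from the daemon being up alone.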

Matti_Kurkela
Honored Contributor

Re: NTP server linux

Your ntpq -pn output indicates that ntpd is trying to query the *.asia.pool.ntp.org servers, but failing to get any response at all. Only the local clock has been used successfully.

The problem is that your iptables ruleset is stopping the incoming NTP protocol messages. The ordering of iptables rules is very important: in your ruleset, the rule for allowing NTP traffic (UDP port 123) has the right syntax, but it is after a rule that rejects all traffic that has not been accepted by a previous rule. So your NTP rule will never be effective in that location.

To fix it, move the "accept NTP" rule before the "reject everything (that has not already been accepted)" rule:

[...]
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6000:6010 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

MK
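
As an added example (not the reply author's code), the following Python script applies the rule-ordering point above to an iptables-save style file such as /etc/sysconfig/iptables: it flags any rule that sits after a match-free terminal rule (REJECT, DROP or ACCEPT with no criteria) in the same chain, and can hoist such rules above that rule, which is exactly the fix suggested above. The ruleset is constructed from the question, abridged to the rules that matter; the function names are my own.

```python
"""Lint an iptables-save style ruleset for rules that can never match because
an earlier rule in the same chain is a catch-all terminating rule, and hoist
them above it (the fix the reply recommends).

Added example, not the poster's or the reply author's code.
"""
import shlex

# Constructed from the ruleset quoted in the question, abridged to the rules
# that matter here: the NTP rule sits after the catch-all REJECT.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
COMMIT
"""

# Targets that end chain traversal for a matching packet. A jump to a
# user-defined chain (e.g. RH-Firewall-1-INPUT) returns, so it is not terminal.
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """Split an '-A CHAIN <matches> -j TARGET <target opts>' line.

    iptables-save always emits -j after the match options, which this relies on.
    """
    tokens = shlex.split(line)
    chain = tokens[1]
    j = tokens.index("-j")
    return chain, tokens[j + 1], tokens[2:j], tokens[j + 2:]


def unreachable_rules(ruleset):
    """Return (line_no, line, blocker_line_no) for every rule that follows a
    match-free terminal rule in its chain.

    Partial shadowing (a narrower rule after a broader rule that still has
    match criteria) is deliberately not detected; only the unconditional case
    from the question is covered.
    """
    blocked = {}  # chain -> line number of its catch-all terminal rule
    findings = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        if not line.startswith("-A "):
            continue  # table, chain-policy or COMMIT lines
        chain, target, matches, _ = parse_rule(line)
        if chain in blocked:
            findings.append((n, line, blocked[chain]))
        elif target in TERMINAL_TARGETS and not matches:
            blocked[chain] = n
    return findings


def reorder(ruleset):
    """Move each shadowed rule to just before the rule that shadows it,
    keeping the shadowed rules' relative order."""
    findings = unreachable_rules(ruleset)
    shadowed = {n for n, _, _ in findings}
    hoist = {}  # blocker line number -> rules to emit before it
    for n, line, blocker in findings:
        hoist.setdefault(blocker, []).append(line)
    out = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        if n in shadowed:
            continue
        out.extend(hoist.get(n, []))
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, line, blocker in unreachable_rules(SAMPLE_RULESET):
        print("line %d can never match, shadowed by line %d: %s" % (n, blocker, line))
    print(reorder(SAMPLE_RULESET))
```

Run against a real file by replacing SAMPLE_RULESET with the contents of `iptables-save` output. Note that hoisting a shadowed ACCEPT above the REJECT widens what the host accepts (that is the intent for the NTP rule here), so each hoisted rule should be reviewed before the corrected file is loaded.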