topic Re: Help! ntpq: write to localhost failed: Operation not permitted in Operating System - Linux

Help! ntpq: write to localhost failed: Operation not permitted

zhaogui — Sat, 12 Apr 2003 06:20:42 GMT

After I implemented iptables, I cannot run ntpq and got error as shown in the subject.

But I have already opened port 123 for both ntp server and client as below,

iptables -A INPUT -p udp -j ACCEPT -s $ntpserver -d $eth0IP --dport 123
iptables -A OUTPUT -p udp -j ACCEPT -d $ntpserver -s $eth0IP --sport 123

iptables -A INPUT -p udp -j ACCEPT -s 127.0.0.1 -d $eth0IP --dport 123
iptables -A OUTPUT -p udp -j ACCEPT -d 127.0.0.1 -s $eth0IP --sport 123

iptables -A INPUT -p udp -j ACCEPT -s $ntpclient -d $eth0IP --dport 123
iptables -A OUTPUT -p udp -j ACCEPT -d $ntpclient -s $eth0IP --sport 123

Anybody can advise me on which port ntpq will use other than 123?

Thanks in advance,

Re: Help! ntpq: write to localhost failed: Operation not permitted

Balaji N — Sat, 12 Apr 2003 07:16:00 GMT

hi
not sure if this helps. but just give a try.

ntp seems to use port 123 only. but it has an entry in /etc/services for both tcp and udp. and your firewall rules is only for udp. try opening access for tcp as well and see if it helps.
++++++++++++
ntp 123/tcp
ntp 123/udp # Network Time Protocol
++++++++++++

Re: Help! ntpq: write to localhost failed: Operation not permitted

zhaogui — Sat, 12 Apr 2003 07:37:34 GMT

I am very sure we only use udp as I can see from below,
#netstat -a|grep ntp
udp 0 0 msmarketp2:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*

By the way, xtnpd seems working fine as shown in /var/log/messages after restart, but only ntpq doesn't work.
Apr 12 10:59:51 msmarketp2 xntpd[30397]: xntpd exiting on signal 15
Apr 12 10:59:51 msmarketp2 xntpd: xntpd shutdown succeeded
Apr 12 10:59:51 msmarketp2 xntpd[11511]: xntpd 3-5.93e Tue Feb 11 12:23:23 SGT 2
003 (1)
Apr 12 10:59:51 msmarketp2 xntpd[11511]: tickadj = 5, tick = 10000, tvu_maxslew
= 495, est. hz = 100
Apr 12 10:59:51 msmarketp2 xntpd[11511]: precision = 7 usec
Apr 12 10:59:51 msmarketp2 xntpd[11511]: read drift of 189.963 from /etc/driftfi
le
Apr 12 10:59:51 msmarketp2 xntpd: xntpd startup succeeded
Apr 12 11:04:08 msmarketp2 xntpd[11511]: synchronized to 203.117.180.36, stratum
=1

In fact I wrote a script to continuously run ntpq and at the same time I run lsof -p "pid of ntpq" and found out
that ntpq uses one of the following UDP ports
UDP *:51901
UDP *:51903
UDP *:65005
UDP *:65007

Is that correct?

Re: Help! ntpq: write to localhost failed: Operation not permitted

Balaji N — Sat, 12 Apr 2003 08:52:40 GMT

hey

sorry. completely forget how i was configuring ntp long back. i remember it very faintly.

first of all are u sure if it is a problem with your firewall. just try stoppping it and see if ntpq is running or is it reporting the same problem.

or is that xntpd is running and u r running ntpq which is causing the problem.

simply guessing and giving a shot.
-balaji

Re: Help! ntpq: write to localhost failed: Operation not permitted

zhaogui — Sat, 12 Apr 2003 09:14:54 GMT

All the while ntp and ntpq is working fine until I applied iptables rule. My iptables is shown in the attachment and ntpq will work if I take out the last two "Reject" lines.

Re: Help! ntpq: write to localhost failed: Operation not permitted

Bill Douglass — Sun, 13 Apr 2003 02:30:37 GMT

btpq wants to open a connection to the ntpd daemon running on the local machine, hence the attempt to open a connection to localhost.

Your configuration does not appear to allow connections from 127.0.0.1 to 127.0.0.1, so ntpq dies with the error you indicated. Try adding

iptables -A INPUT -p all -j ACCEPT -s 127.0.0.1 -d 127.0.0.1

This will allow processes on your machine to communicate via the loopback interface.

Re: Help! ntpq: write to localhost failed: Operation not permitted

Sergejs Svitnevs — Sun, 13 Apr 2003 04:50:52 GMT

Try addding:
iptables -A OUTPUT -p udp -m state --state NEW -m udp -i lo --sport 123 -o lo --dport 123 -j ACCEPT

Regards,
Sergejs

Re: Help! ntpq: write to localhost failed: Operation not permitted

zhaogui — Mon, 14 Apr 2003 00:02:02 GMT

It still doesn't work after adding "iptables -A INPUT -p all -j ACCEPT -s 127.0.0.1 -d 127.0.0.1"

By the way, Sergejs's commands got error "Can't use -i with OUTPUT".

I tried to add in one more line "iptables -A OUTPUT -p all -j ACCEPT -s 127.0.0.1 -d 127.0.0.1", now it WORKS!

Thank you Bill Douglass