Firewalling ntpd with iptables

By default ntpd listens on all network interfaces. It needs to listen on an external interface in order to contact upstream NTP servers; if that is disabled, time syncing will be affected.

Unless a system is being used as an NTP server for other clients, only the client functionality of the ntpd daemon is needed.

Blocking NTP with a firewall is trickier than for most other services because ntpd uses UDP port 123 as both the source and the destination port when it communicates, rather than an ephemeral source port like other client software.

To allow the NTP daemon to function as a client only, syncing to upstream NTP servers, the following iptables firewall rules can be used:

iptables -A INPUT -i lo -p udp --destination-port 123 -j ACCEPT
iptables -A INPUT -p udp --source-port 123:123 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o lo -p udp --source-port 123 -j ACCEPT
iptables -A OUTPUT -p udp --destination-port 123:123 -m state --state NEW,ESTABLISHED -j ACCEPT

DROP should be the default policy of the INPUT chain; if it is not, add the following additional rule:

iptables -A INPUT -p udp --destination-port 123 -j DROP

With the above rules in place the system can sync time with upstream NTP servers, but other hosts cannot reach its NTP service.
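As an added example (not part of the original article), the same five rules wrapped in a small POSIX sh script that installs them idempotently: each rule is checked with iptables -C before it is appended, so running the script twice does not stack duplicate rules. It assumes iptables with the conntrack "state" match is present and that the "apply" mode runs as root; the "dry-run" mode only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not the article's own code: install the client-only NTP
# ruleset idempotently.
#   sh ntp-fw.sh dry-run   prints the iptables commands
#   sh ntp-fw.sh apply     runs them (needs root)
# Assumes iptables with the conntrack "state" match.

DRY_RUN="${DRY_RUN:-0}"

# run ARGS... : execute iptables, or just print the command in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# ensure_rule CHAIN RULE... : append RULE to CHAIN unless it is already loaded.
ensure_rule() {
    chain="$1"; shift
    if [ "$DRY_RUN" != 1 ] && iptables -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run -A "$chain" "$@"
}

# The five rules from the article, using the short --sport/--dport spellings.
ntp_client_rules() {
    # loopback: ntpq talks to the local ntpd on UDP 123
    ensure_rule INPUT  -i lo -p udp --dport 123 -j ACCEPT
    ensure_rule OUTPUT -o lo -p udp --sport 123 -j ACCEPT
    # ntpd's own queries to upstream servers (new flows and their continuation)
    ensure_rule OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    # only conntrack-matched replies to those queries may come back in
    ensure_rule INPUT  -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
    # everything else aimed at UDP 123 is dropped, in case the chain policy is ACCEPT
    ensure_rule INPUT  -p udp --dport 123 -j DROP
}

case "${1:-}" in
    apply)   ntp_client_rules ;;
    dry-run) DRY_RUN=1; ntp_client_rules ;;
esac
```

Because the rules are appended, run the script before any broader ACCEPT rule for UDP is added to INPUT, or the DROP at the end will never be reached.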

Testing

First restart ntpd (on Slackware):

/etc/rc.d/rc.ntpd stop
/etc/rc.d/rc.ntpd start

Then check the operation with the command:

ntpq -c peers

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*foxtrot.zq1.de  161.62.157.173   3 u    1   64    1   37.252   -0.068   0.120
 ntp0.as34288.ne 85.158.25.72     2 u    2   64    1   41.909   -0.655   0.065
 localnet        .BCST.          16 u    -   64    0    0.000    0.000   0.002

In the output above, the when column shows how many seconds have passed since the last packet was received from each upstream NTP server.
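As an added check (not from the original article) for reading that listing from a script: the tally character in the first column is * for the peer ntpd is synced to (o for a PPS peer), and the reach column is an octal shift register of the last eight polls, so 377 means all eight were answered and 0 means none were, which is what a host whose replies are being firewalled looks like. The functions below take ntpq -c peers output on stdin; the first sample listing is the one from the article, the second is constructed to show the blocked case.

```shell
#!/bin/sh
# Added example, not the article's own code: interpret "ntpq -c peers".
# Usage: ntpq -c peers | ntp_sync_ok  (exit 0 when a synced peer has replies)
#        sh ntp-check.sh demo         (runs against the embedded samples)

# ntp_sync_ok : exit 0 if the listing on stdin has a synced peer (* or o)
#               whose reach register is non-zero, else exit 1.
ntp_sync_ok() {
    awk '
        NR <= 2 { next }                       # header line and ==== separator
        {
            tally = substr($0, 1, 1)
            split(substr($0, 2), f, " ")       # remote refid st t when poll reach delay offset jitter
            reach = f[7]
            if ((tally == "*" || tally == "o") && reach != "0") synced = 1
        }
        END { if (synced) exit 0; exit 1 }
    '
}

# ntp_reach_count OCTAL : how many of the last eight polls were answered.
ntp_reach_count() {
    awk -v o="$1" 'BEGIN {
        v = 0
        for (i = 1; i <= length(o); i++) v = v * 8 + substr(o, i, 1)
        c = 0
        for (i = 0; i < 8; i++) if (int(v / 2 ^ i) % 2 == 1) c++
        print c
    }'
}

# ntp_unreachable : print the name of every peer that has never answered (reach 0).
ntp_unreachable() {
    awk 'NR > 2 { split(substr($0, 2), f, " "); if (f[7] == "0") print f[1] }'
}

# Listing from the article (a working client).
SYNCED_PEERS='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*foxtrot.zq1.de  161.62.157.173   3 u    1   64    1   37.252   -0.068   0.120
 ntp0.as34288.ne 85.158.25.72     2 u    2   64    1   41.909   -0.655   0.065
 localnet        .BCST.          16 u    -   64    0    0.000    0.000   0.002'

# Constructed listing: same peers, but no reply has ever got back in.
BLOCKED_PEERS='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 foxtrot.zq1.de  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 ntp0.as34288.ne .INIT.          16 u    -   64    0    0.000    0.000   0.000'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SYNCED_PEERS" | ntp_sync_ok && echo "article sample: synced"
    printf '%s\n' "$BLOCKED_PEERS" | ntp_sync_ok || echo "blocked sample: not synced"
    echo "reach 377 -> $(ntp_reach_count 377) of the last 8 polls answered"
    echo "peers never reached in the blocked sample:"
    printf '%s\n' "$BLOCKED_PEERS" | ntp_unreachable
fi
```

A reach of 0 on every upstream peer a few minutes after restarting ntpd, with the OUTPUT rule in place, points at the INPUT side of the ruleset (or at conntrack not seeing the outbound query) rather than at the servers.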

Last updated: 10/05/2015