[RndTbl] MTS blocking NTP
trevor at tecnopolis.ca
Fri Jan 25 04:55:09 CST 2019
On 2019-01-25 Trevor Cordes wrote:
> Looks like chrony (and others) lets you specify src port, but I'm
> loathe to uproot the system I know because Bell is braindead. (MTS
> didn't use to block it, and block-happy Shaw does not block it.)
Epiphany moment: iptables can probably solve this. 20 minutes later:
iptables -t mangle -A OUTPUT -o $iext -p udp --sport 123 --dport 123 -j MARK --set-mark 30
iptables -t nat -A POSTROUTING -p udp -m mark --mark 30 -j SNAT --to-source :60000-61000
Works perfectly! ntpd now syncs with peers. ntpdate doesn't need -u.
I don't need to switch to chrony. And I don't need to wait for ntpd to
add this feature*. Go take a hike Bell!!!
*http://bugs.ntp.org/show_bug.cgi?id=1109 ... looks like never
Note, it could be just 1 rule, but I used 2 to make sure that I only
SNAT packets originating from within the actual firewall/router itself,
and not packets being forwarded from within the internal LAN (PC's). I
can't figure out a way to specify "really originated locally" other
than with mark, but I'm open to ideas. It's not as easy as it sounds
with multiple interfaces on the box, unless there's a trick I'm missing.
If I wanted internal LAN PCs to also have their traffic go through, I'd
need to use a -j MASQUERADE (it's a dynamic IP) in an extra rule and
change the syntax slightly. Since all internal PCs should be set to
use the firewall as ntp server, this shouldn't be a problem (in fact
could help me id broken PC ntp setups).
More information about the Roundtable