[RndTbl] MTS blocking NTP

Trevor Cordes trevor at tecnopolis.ca
Fri Jan 25 04:55:09 CST 2019

On 2019-01-25 Trevor Cordes wrote:
> Looks like chrony (and others) lets you specify src port, but I'm
> loathe to uproot the system I know because Bell is braindead.  (MTS
> didn't use to block it, and block-happy Shaw does not block it.)

Epiphany moment: iptables can probably solve this.  20 minutes later:

iptables -t mangle -A OUTPUT -o $iext -p udp --sport 123 --dport 123 -j MARK --set-mark 30
iptables -t nat -A POSTROUTING -p udp -m mark --mark 30 -j SNAT --to-source :60000-61000

Works perfectly!  ntpd now syncs with peers.  ntpdate doesn't need -u.
I don't need to switch to chrony.  And I don't need to wait for ntpd to
add this feature*.  Go take a hike Bell!!!

*http://bugs.ntp.org/show_bug.cgi?id=1109  ... looks like never

Note, it could be just 1 rule, but I used 2 to make sure that I only
SNAT packets originating from within the actual firewall/router itself,
and not packets being forwarded from within the internal LAN (PC's).  I
can't figure out a way to specify "really originated locally" other
than with mark, but I'm open to ideas.  It's not as easy as it sounds
with multiple interfaces on the box, unless there's a trick I'm missing.

If I wanted internal LAN PCs to also have their traffic go through, I'd
need to use a -j MASQUERADE (it's a dynamic IP) in an extra rule and
change the syntax slightly.  Since all internal PCs should be set to
use the firewall as ntp server, this shouldn't be a problem (in fact
could help me id broken PC ntp setups).

More information about the Roundtable mailing list