I have a few servers with public Internet IP addresses like A.B.C.x. One of my hosts (A.B.C.10) runs ntpd and I have it syncing its time from europe.pool.ntp.org. Now I only want to allow hosts from my subnet (A.B.C.x) to be able to sync to A.B.C.10. By default the whole world can sync to my NTP server. How do I accomplish this?

All examples I can find assume that I'm syncing to specific IP addresses, but I sync to DNS names and as far as I can tell the IP addresses that the DNS names x.europe.pool.ntp.org point to are variable. So I can't set up exceptions in my firewall and I can't use the restrict option in ntp.conf because it too only accepts IP addresses and not DNS names (Oh! and restrict applies both to clients and to servers as firewall rules do!)
You've got several options, and it depends on where firewalls are placed and/or which ones you prefer to work with. Ideally you would have a firewall that you can control on the subnet. Less ideally you'll only be dealing with a host level firewall on the NTP server. Either way the concept is the same.
For a subnet firewall:
For a host firewall on the NTP server:
e.g. to allow 10.0.0.0/8:
    # allow 10.0.0.0/8
    iptables -A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT
    # allow localhost
    iptables -A INPUT -s 127.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT
    # allow NTP packets _from_ your host to everyone else
    iptables -A OUTPUT -p udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    # allow replies from hosts you've sent NTP packets to
    iptables -A INPUT -p udp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
    # the following is only useful if you have a policy ACCEPT for INPUT
    iptables -A INPUT -p udp -m udp --dport 123 -j DROP
An ntp.conf for serving the local net looks like this:

    ####
    driftfile /etc/ntp.drift
    disable monitor
    # default policy applied to every address not matched below
    restrict -4 default kod nomodify nopeer noquery notrap
    restrict -6 default kod nomodify nopeer noquery notrap
    # localhost and the local reference clock pseudo-address
    restrict 127.0.0.1
    restrict 127.127.1.0
    restrict -6 ::1
    # local networks get unrestricted access
    restrict 10.0.0.0 mask 255.0.0.0
    restrict 172.16.0.0 mask 255.240.0.0
    restrict 192.168.0.0 mask 255.255.0.0
    # upstream time sources
    server 0.pool.ntp.org iburst
    server 1.pool.ntp.org iburst
    server 2.pool.ntp.org iburst
    ####
The two longest lines deny any access to the server by default, and the other restrict directives then allow only specific hosts and subnets.
I didn't find these answers terribly helpful, so here is what worked for me. This is on a machine running NTP 4.2.6p5.

    driftfile /var/lib/ntp/ntp.drift
    statsdir /var/log/ntpstats/
    # drop every packet from any source not explicitly listed below
    restrict default ignore
    restrict 127.0.0.1
    restrict 127.127.1.0
    restrict -6 ::1
    # whitelisted clients (one /32 each)
    restrict -4 <whitelist.ip.0> mask 255.255.255.255
    restrict -4 <whitelist.ip.1> mask 255.255.255.255
    restrict -4 <whitelist.ip.2> mask 255.255.255.255
    # upstream servers: "server" takes association options such as iburst only;
    # the access flags belong on the matching "restrict" line, and a name given
    # to restrict is resolved once, at startup
    server 0.pool.ntp.org iburst
    restrict 0.pool.ntp.org nomodify notrap nopeer noquery
    server 1.pool.ntp.org iburst
    restrict 1.pool.ntp.org nomodify notrap nopeer noquery
    server 2.pool.ntp.org iburst
    restrict 2.pool.ntp.org nomodify notrap nopeer noquery
    statistics loopstats peerstats clockstats
    filegen loopstats file loopstats type day enable
    filegen peerstats file peerstats type day enable
    filegen clockstats file clockstats type day enable

I know this is an old thread, but thought it might help someone. In the example, you should replace whitelist.ip.0, whitelist.ip.1, whitelist.ip.2 with your whitelisted hosts. You can obviously also modify the mask argument to allow, e.g., a /24 network.
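As an added example (not from any answer in this thread), here is a small Python checker that parses the restrict lines of an ntp.conf and reports what a given client address may do, using ntpd's rule that the most specific matching entry wins. The two sample configs are constructed in the style of the two answers above, and the flag list is an assumed subset of what ntpd accepts; running it makes the difference between the answers visible: a default line carrying noquery but no ignore still serves time to the whole world, while restrict default ignore does not.

```python
import ipaddress

# restrict flags ntpd accepts (the subset assumed relevant here); any other word is a syntax error
KNOWN_FLAGS = {"ignore", "kod", "limited", "lowpriotrap", "mssntp", "nomodify", "nopeer", "noquery", "noserve", "notrap", "ntpport", "version"}
DENY = {"time": {"ignore", "noserve"}, "query": {"ignore", "noquery"}}  # noquery alone keeps time service open

# constructed sample configs in the style of the two answers above (assumed, not real deployments)
CONF_NOQUERY = """restrict -4 default kod nomodify nopeer noquery notrap
restrict -6 default kod nomodify nopeer noquery notrap
restrict 10.0.0.0 mask 255.0.0.0"""
CONF_IGNORE = """restrict default ignore
restrict -4 203.0.113.7 mask 255.255.255.255
restrict -4 <whitelist.ip.1> mask 255.255.255.255"""

def parse_restrict(conf_text):
    """Return [(network, flags)] for the restrict lines of an ntp.conf text."""
    entries = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        family = None
        if parts[1] in ("-4", "-6") and len(parts) > 2:
            family = 4 if parts.pop(1) == "-4" else 6
        addr, rest, mask = parts[1], parts[2:], None
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        flags = set(rest)
        if flags - KNOWN_FLAGS:  # e.g. "iburst" on a restrict line is rejected by ntpd
            raise ValueError(f"unknown restrict flag(s) {sorted(flags - KNOWN_FLAGS)}: {raw.strip()}")
        if addr == "default":  # bare "default" covers both address families
            nets = [ipaddress.ip_network(n) for f, n in ((4, "0.0.0.0/0"), (6, "::/0")) if family in (None, f)]
        else:
            try:
                nets = [ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)]
            except ValueError:  # hostname or placeholder: ntpd resolves names once at startup; skipped here
                continue
        entries.extend((n, flags) for n in nets)
    return entries

def effective_flags(entries, client_ip):
    """ntpd applies the single most specific (longest mask) entry matching the client."""
    ip = ipaddress.ip_address(client_ip)
    best = max((e for e in entries if e[0].version == ip.version and ip in e[0]),
               key=lambda e: e[0].prefixlen, default=None)
    return best[1] if best else set()

def permits(entries, client_ip, service):
    """service is "time" (sync requests) or "query" (ntpq/ntpdc); ignore blocks both."""
    return not (DENY[service] & effective_flags(entries, client_ip))
```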