- 01-25-2005 #1 Just Joined!
- Join Date
- Apr 2004
- Posts
- 7
specifying an interface for ntp
I'd like to have my time updates occur through interface eth1, as eth0 is reserved for the internal LAN. Presently, the ntp requests (on eth0) are getting blocked by my firewall. How can I specify an interface for ntp?
- 01-25-2005 #2
See man ntpd.conf. If you have your routes set correctly, a proper server entry will automatically go through your net connection.
"Time is an illusion. Lunchtime, doubly so."
~Douglas Adams, The Hitchhiker's Guide to the Galaxy
- 01-25-2005 #3 Just Joined!
- Join Date
- Apr 2004
- Posts
- 7
I had already checked man ntpd.conf to no avail. It's possible it's there and I didn't see it, but "See man ntpd.conf" doesn't really solve that problem, either. I've also Googled it, and I can't find anything. I know better than to waste a forum's time.
Originally Posted by sarumont
I do not want ntp to be doing anything on eth0. How is that a route problem? I'm not going to hand packets between eth0 and eth1, so I do not have forwarding enabled.
Iptables, as I understand it, looks at what's traveling IN or OUT on an interface, and then filters it through a ruleset. I want to be able to change the interface being used by ntp.
Thank you for your attention, but you didn't give any answers.
- 01-25-2005 #4 Just Joined!
- Join Date
- Jan 2005
- Location
- Toronto, ON, Canada
- Posts
- 79
I do not think you can tell ntp directly (in the /etc/ntp.conf file) which interface to use, but you could check /etc/sysconfig/network
Static IP address Configuration for each ethX and for the entry FORWARD:
FORWARD_IPV4=true - True for NAT firewall gateways and linux routers. False for everyone else - desktops and servers.
Also your iptables configuration.
iptables -A INPUT -j ACCEPT -p udp --dport 123 --sport 123 -i eth1
iptables -A OUTPUT -j ACCEPT -p udp --dport 123 --sport 123 -o eth1
iptables -A FORWARD -i eth0 -o eth1 -p udp --sport 123 --dport 123 -j ACCEPT
Cheers,
afrolinux
- 01-25-2005 #5 Just Joined!
- Join Date
- Apr 2004
- Posts
- 7
So, is it safe to assume there are still stupid programs that can't be told where to go? And, because of such, I should reconfigure my system so that eth0 is the world interface?
- 01-25-2005 #6 Just Joined!
- Join Date
- Jan 2005
- Location
- Toronto, ON, Canada
- Posts
- 79
See here for security and vulnerability :
http://www.kb.cert.org/vuls/id/970472
But let me ask you, who has told you to expose eth0 to the Internet? As far as I know, if you want to sync to servers on the Internet you have to open the NTP port (UDP 123) to communicate with the server. I did not say the iptables rules I sent you are secure; I just gave an example of how to handle the situation. You can harden the rules by putting in the source/destination IP of your host and the outside NTP server. Take it easy.
afrolinux
- 01-25-2005 #7 Just Joined!
- Join Date
- Apr 2004
- Posts
- 7
I was just saying that since some (poorly planned) programs assume they should talk on eth0, that I should make eth0 my world interface and eth1 my private. I wouldn't open up both interfaces, just reverse their roles.
- 01-25-2005 #8 Just Joined!
- Join Date
- Jan 2005
- Location
- Toronto, ON, Canada
- Posts
- 79
I do not think that depends on the programs at all, but on the order you have in your routing table.
If you have your table like above and if Linux matches the first entry, the packet is sent on eth0. If it does not match the first and matches the second, it will go to the second, and so on.
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
x.x.x.x x.x.x.x 255.255.255.255 UGH 1 0 180 eth0
x.x.x.x x.x.x.x 255.255.255.255 UGH 1 0 180 eth1
afrolinux
- 01-26-2005 #9
Originally Posted by valen1260
If the program is trying to get to the Internet through the wrong interface, it's a routing table problem (as I specified in my original posts and afrolinux kindly pointed out again above). I referenced man ntpd.conf because it references how to set up your server(s). This should be correctly configured to an Internet time server (or pool).
"Time is an illusion. Lunchtime, doubly so."
~Douglas Adams, The Hitchhiker's Guide to the Galaxy
- 01-26-2005 #10 Just Joined!
- Join Date
- Apr 2004
- Posts
- 7
My apologies as I wipe the egg from my face. I've been knee-deep in iptables for the last few days, so that's what came to mind when you said routes. NTP is configured correctly except for interface. I'm toying with routes now.
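Added example, not part of the thread or any poster's code: a shell sketch combining the two suggestions above, a host route so the kernel sends traffic for each time server out eth1, and iptables rules narrowed to the host and server addresses. The interface name follows the thread; every address is a constructed documentation-range value and the function names are hypothetical.

```shell
#!/bin/sh
# Prints (does not execute) the commands that pin NTP traffic to one interface.
# Constructed sample values, not from the thread:
#   host 198.51.100.10, gateway 198.51.100.1, servers 192.0.2.10 and 192.0.2.11

# valid_ipv4 ADDR: succeed only for a dotted quad with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ntp_rules EXT_IF HOST_IP GATEWAY SERVER...: print one host route and one
# pair of firewall rules per NTP server; return 1 on any malformed input.
ntp_rules() {
    [ "$#" -ge 4 ] || { echo "usage: ntp_rules IF HOST GW SERVER..." >&2; return 1; }
    ext_if=$1; host_ip=$2; gateway=$3
    shift 3
    # Validate everything first so a bad address yields no partial ruleset.
    for addr in "$host_ip" "$gateway" "$@"; do
        valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    done
    for server in "$@"; do
        # Host route: the routing table, not ntpd, selects the outgoing interface.
        echo "ip route add $server/32 via $gateway dev $ext_if"
        # Only this host and this server, UDP port 123, external interface only.
        echo "iptables -A OUTPUT -o $ext_if -p udp -s $host_ip -d $server --dport 123 -j ACCEPT"
        echo "iptables -A INPUT -i $ext_if -p udp -s $server -d $host_ip --sport 123 -j ACCEPT"
    done
}

# Review the printed commands before applying any of them as root.
ntp_rules eth1 198.51.100.10 198.51.100.1 192.0.2.10 192.0.2.11
```

Unlike the broad rules earlier in the thread, these match on the remote server address as well as the port, so other hosts sending UDP 123 to eth1 are not accepted by them.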

