19

When querying NTP servers with the command ntpdate, I can use the -u argument to make the source port an unrestricted port (port 1024 and above).

With ntpd, which is meant to run in the background, I can't seem to find a way to turn this option on. So the source port is always 123. It's playing around horribly with my firewall configuration.

Is there a configuration option in ntp.conf to make it use a random source port?

Cetra

6 Answers

13

Doesn't sound like this is possible... see the ntp troubleshooting page:

If you're going to run ntpd, you need to fix your network/firewall/NAT so that ntpd can have full unrestricted access to UDP port 123 in both directions.

If this is not possible, you may need to run ntpd on the firewall itself, so that it can have full unrestricted access to UDP port 123 in both directions, and then have it serve time to your internal clients.

If that's not possible, your only other option may be to buy the necessary hardware to connect to one or more of your own computers and run your own Stratum 1 time server or buy a pre-packaged Stratum 1 time server.

Andy Whitfield
8

I managed to solve this by replacing the official NTPD with OpenNTPD. While official NTPD is fixed to UDP port 123, OpenNTPD uses unprivileged ports.

Onestone
  • I'm sorry, how do you specify which port to use? I couldn't find it in the manual – Joril Mar 24 '14 at 09:23
  • How do you monitor that openntpd is running correctly? ntpd can be queried to emit a state. I once used openntpd exactly for this priv-port problem and found myself with a deaf-mute ntp which is probably defective. – michuelnik Nov 20 '14 at 15:27
3

I've had this problem before and couldn't find a solution. I ended up just adding an entry to crontab that runs ntpdate once an hour. That gives good enough resolution for anything I do, since my clock never drifts more than 1 second per hour.

davr
2

You can use source NAT on the host running ntpd to replace the 123 source port with a port number above 1024.

M.W.
  • FWIW, my internet connections suddenly started dropping incoming packets on port 123. `iptables -t nat -A POSTROUTING -p udp --sport 123 -j SNAT --to-source :1123` worked for me. – Russell Stuart Feb 29 '20 at 10:26
  • Mine looks like Russell's answer, I had a similar problem: `iptables -t nat -A POSTROUTING -p udp --dport 123 -m addrtype --src-type LOCAL -j SNAT --to-source :65000-65500` – ggrandes Jun 15 '20 at 10:26
1

You cannot change the NTP port, but you can add an iptables command to redirect it through a VPN port.

Details: http://openvpn.net/archive/openvpn-users/2007-11/msg00223.html

zengr
  • @Downvoter: why the downvote? It's a legitimate workaround since you cannot change the NTP port. – zengr Nov 21 '14 at 01:39
1

As @Andy_Whitfield wrote, ntpd cannot do this. But there are alternatives like OpenNTPD and Chrony. AFAIK, Chrony is also used by Android.

In my setup, I use chrony. It uses an unprivileged port for asking remote servers. This technique has a much better chance of passing a NAT. By the way, it's the same mechanism that ntpdate -q uses for querying the server, but only when called as an unprivileged user.

I think the main reason why it sometimes doesn't work is that many routers implement NTP themselves to set their internal clock. On these devices the port is in use and thus cannot be NATed. This might even be the case if the device doesn't respond to NTP queries.

Daniel Alder