
Recipe 19.4. Adding Access Controls

19.4.1 Problem

You want to be sure your local clients behave like clients, not like ntp servers. They should receive time service only, and only from the servers you specify.

19.4.2 Solution

Add access rules to /etc/ntp.conf, or add a couple of iptables rules to the client's firewall that allow time service only and disallow everything else.

To use ntp's access controls, add these lines to /etc/ntp.conf:

# default access policy
# this denies all ntp traffic that is not
# explicitly allowed
restrict default ignore

# allow time service from this server
# do not allow peering
# do not allow runtime configuration changes
# do not allow remote logging
restrict 192.168.1.101 nopeer nomodify notrap

# we trust localhost
restrict 127.0.0.0 mask 255.0.0.0

Remember to restart ntpd after making changes to ntp.conf.

An alternative to adding access rules to ntp.conf is to use these iptables rules. If the client machines are running iptables, add these rules to create a client that accepts only time service and rejects everything else:

iptables -A INPUT -p udp --dport 123 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j REJECT

The first rule accepts responses to ntp packets the client has sent, and the second rejects all other ntp traffic. Any host attempting to initiate a connection is blocked, but responses to the client's own requests are allowed.

19.4.3 Discussion

Here are some of the ntp.conf configuration options explained:

peer [hostname or IP]

The specified host is polled in symmetric active mode, which means the two peers synchronize each other. Never peer with a public time server.

server [hostname or IP]

The specified server is polled in client mode, so that only the client machine receives time synchronization.

restrict

Defines restrictions on specific hosts and overrides the defaults. When a default is specified, restrict [host] with no options is the same as allowing everything for [host].

ignore

Ignore all ntp packets.

nomodify

Do not allow runtime configuration changes. Queries that only return information are still permitted.

nopeer

Do not allow peering. This means the only servers allowed to supply time service are the ones specified by the server directive, and other hosts cannot use this machine as a time server.

notrap

Do not trap mode 6 control messages. In effect, this disables remote logging.

noquery

Ignore all NTP mode 6 and 7 packets. In other words, do not allow queries, remote logging, or runtime configuration requests. Time service is not affected.

The main reasons for using access controls are to prevent your clients from becoming the timekeepers to the world, and to keep order and sanity in your network.
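As an added check that is not part of the recipe, the following Python script parses the restrict lines from the Solution, applies them the way the script assumes ntpd does (the most specific matching entry wins), and reports whether every server listed keeps the nopeer, nomodify and notrap flags described above, or whether a default ignore has accidentally shut out the server itself. The sample configuration embedded in it is constructed from the recipe.

```python
import ipaddress
# Constructed sample: the recipe's restrict lines plus the server they protect.
SAMPLE_CONF = """\
server 192.168.1.101
restrict default ignore
restrict 192.168.1.101 nopeer nomodify notrap
restrict 127.0.0.0 mask 255.0.0.0
"""
REQUIRED = ("nopeer", "nomodify", "notrap")  # flags the recipe sets per server

def parse_conf(text):
    """Return (servers, rules): server addresses and (network, flag set) pairs."""
    servers, rules = [], []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(words) < 2:
            continue
        if words[0] == "server":
            servers.append(words[1])
        elif words[0] == "restrict":
            if words[1] == "default":            # "default" means every address
                words[1:2] = ["0.0.0.0/0"]
            elif len(words) >= 4 and words[2] == "mask":  # "addr mask m" form
                words[1:4] = [f"{words[1]}/{words[3]}"]
            net = ipaddress.ip_network(words[1], strict=False)  # bare host -> /32
            rules.append((net, set(words[2:])))
    return servers, rules

def policy_for(rules, address):
    """Flags applied to packets from address; assumes the most specific entry wins."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in rules if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else set()

def audit(text):
    """Return findings; an empty list means the policy matches the recipe."""
    servers, rules = parse_conf(text)
    default = next((flags for net, flags in rules if net.prefixlen == 0), set())
    findings = [] if {"ignore", "noquery"} & default else ["default still answers queries from any host"]
    for host in servers:
        try:
            flags = policy_for(rules, host)
        except ValueError:
            continue  # hostname, not an address: resolve it before auditing
        if "ignore" in flags:  # default ignore with no matching restrict line
            findings.append(f"{host}: ignored by restrict, so no time will be received")
            continue
        findings += [f"{host}: missing {f}" for f in REQUIRED if f not in flags]
    return findings
```

Run audit() on the text of your own ntp.conf before restarting ntpd; a server that appears with "ignored by restrict" will never deliver time, because restrict default ignore also drops the replies you asked for.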

19.4.4 See Also
