First, I set up my firewall like this to allow everything:
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables --flush
Then, I check if NTP is working:
sudo systemctl daemon-reload
sudo systemctl restart systemd-timesyncd
timedatectl
and I can see that it says System clock synchronized: yes
.
But then if I reboot and set up my firewall like this (reject everything except for NTP):
sudo iptables -P INPUT REJECT
sudo iptables -P OUTPUT REJECT
sudo iptables -P FORWARD REJECT
sudo iptables -A INPUT -p udp --dport 123 -j ACCEPT
sudo iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
then I get System clock synchronized: no
and the clock won't sync.
Based on the above steps, I'm convinced it's the firewall that's blocking timesyncd. I have read (for example, here) that perhaps it has to do with extra ports being opened by the service or the fact that is uses SNTP instead of NTP. I have tried different combinations of rules, but with no success yet as I am not an expert with iptables.
But there must be a way to set it up such that it works without altogether disabling the firewall.
--dport
and --sport
are switched.
For the other services that I am allowing through the firewall, my machine is the server. For NTP, my machine is the client. Because the rest of my original configuration actually looked more like this:
...
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 5353 -j ACCEPT
...
sudo iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
sudo iptables -A OUTPUT -p udp --sport 5353 -j ACCEPT
...
I assumed that --dport
was meant to be used with INPUT
and --sport
was used with OUTPUT
. However, you have to think about what it means. To use NTP as a client, I need to allow INPUT packets that are coming from a source port of 123, not input packets that are coming to a destination port of 123. Likewise, I need to allow OUTPUT packets with destination port 123, not output with source 123.
So the answer to my question is to use this:
sudo iptables -P INPUT REJECT
sudo iptables -P OUTPUT REJECT
sudo iptables -P FORWARD REJECT
sudo iptables -A INPUT -p udp --sport 123 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 123 -j ACCEPT