openSUSE v11.4 (server), v12.2 (clients)
I wish to set the server as an NTP time server. It is sync’ing fine as a client to a number of external servers and I would prefer to have it be the only one seeking external data.
The firewall port, 123, is open. Using telnet, though, to test the service (“telnet time-server 123”), the connection is refused, implying that the host is not being an NTP server.
How do I change the configuration to be an NTP server?
NTP is using UDP, not TCP. You can use “ntpq -p time-server” to quickly check it as long as there are no access restrictions.
NTP is using UDP, not TCP.
Ah, yes, of course.
Here is what I get when I query my system. sma-server3 is the host I wish to be a time server. The results indicate that it is not set up correctly.
$ /usr/sbin/ntpq -p localhost
remote refid st t when poll reach delay offset jitter
==============================================================================
sma-server3.sma 140.142.16.34 2 u 9 64 0 0.000 0.000 0.000
*bigben.cac.wash .GPS. 1 u 30 64 377 94.979 1635.52 340.306
And /etc/ntp.conf from sma-server3?
grep -Ev '^#|^$' /etc/ntp.conf
$ grep -Ev '^#|^$' /etc/ntp.conf
driftfile /var/lib/ntp/drift/ntp.drift
logfile /var/log/ntp
keys /etc/ntp.keys
trustedkey 1
requestkey 1
server bigben.cac.washington.edu iburst
server ntp.nasa.gov iburst
server time-a.timefreq.bldrdoc.gov iburst
server pool.ntp.org iburst
Does “ntpq -p” on sma-server3 show that it is in sync? If yes, it is most likely a port blocking issue. Check “iptables -L -v -n” on both hosts; to be on the safe side, check also “iptables -L -n -v -t nat”. Is there any firewall/NAT between the two servers?
$ ntpq -p sma-server3
remote refid st t when poll reach delay offset jitter
==============================================================================
+bigben.cac.wash .GPS. 1 u 73 64 1 95.501 580.087 362.399
+ntp-nasa.arc.na .GPS. 1 u 22 64 1 130.432 713.769 428.484
*time-a.timefreq .ACTS. 1 u 32 64 1 100.151 665.082 419.913
+name1.glorb.com 128.174.38.133 2 u 61 64 1 124.695 610.208 404.442
$ iptables -L -v -n |grep 123
1 60 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:123 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123
352 26716 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
$ iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 57383 packets, 6095K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 33927 packets, 3942K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 27986 packets, 2150K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 27986 packets, 2150K bytes)
pkts bytes target prot opt in out source destination
Is there any firewall/NAT between the two servers?
Each host is running a firewall. The server has port 123 opened. There are no intermediate hosts involved.
And client?
Your ntp.conf is fine. Whatever problem you have is most likely in the iptables configuration. Check with tcpdump/tshark/wireshark whether any request is seen on the server at all and whether it sends a reply. Check with tcpdump/tshark/wireshark whether the client sees this reply. If packets are actually flowing in both directions, you can start looking at the ntpd configuration again.
This site describes quite clearly how to change the configuration file to allow local access as a time server.
<http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:Ch24:_The_NTP_Server>
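Added example, not part of any post in this thread: a small Python probe that tests the time service the way a client does, with a 48-byte UDP request instead of a TCP connection, and tells apart "no reply", "nothing listening" and "answers but unsynchronized". The function names and the sample reply are constructed for illustration; the sample reuses the refid 140.142.16.34 from the ntpq output above.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def build_request():
    # First byte: LI=0, VN=4, Mode=3 (client) -> 0x23; remaining 47 bytes zero.
    return b"\x23" + bytes(47)

def parse_reply(data):
    if len(data) < 48:
        raise ValueError("short NTP packet")
    first, stratum = struct.unpack("!BB", data[:2])
    refid = data[12:16]
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
        "stratum": stratum,
        # Stratum 0/1 carry a 4-char ASCII code (e.g. GPS); higher strata an IPv4 address.
        "refid": (refid.rstrip(b"\0").decode("ascii", "replace") if stratum <= 1
                  else socket.inet_ntoa(refid)),
        "unix_time": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    }

def diagnose(reply):
    if reply["mode"] != 4:
        return "unexpected mode %d: not a server reply" % reply["mode"]
    if reply["leap"] == 3 or reply["stratum"] == 0 or reply["stratum"] >= 16:
        return "answers but is not synchronized"
    return "synchronized, stratum %d, refid %s" % (reply["stratum"], reply["refid"])

def probe(host, port=123, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(build_request())
            return diagnose(parse_reply(s.recv(512)))
        except socket.timeout:
            return "no reply: request or response dropped on the path"
        except ConnectionRefusedError:
            return "ICMP port unreachable: nothing listening on UDP/%d" % port

# Constructed sample reply (not captured traffic): server mode, stratum 2,
# refid 140.142.16.34 as in the thread's ntpq output, transmit time 1000000000 Unix.
SAMPLE_REPLY = struct.pack("!BBbbII4s24xII", 0x24, 2, 6, -20, 0, 0,
                           socket.inet_aton("140.142.16.34"),
                           NTP_EPOCH_OFFSET + 1000000000, 0)

if __name__ == "__main__":
    print(diagnose(parse_reply(SAMPLE_REPLY)))
```

Run `probe("sma-server3")` from a client host. Unlike ntpq, which sends mode 6 control queries that a `noquery` restriction rejects, this sends the same mode 3 request a real client would.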