
Redirect external NTP calls to local NTP server?


cmkelley

Very Senior Member
Except of course, NTP calls from the NTP server itself. :)

I have a local NTP server on my network (not the router itself). For silliness where specific NTP servers are hard-coded into devices, is it possible to redirect all NTP traffic to my local server and allow only my local NTP server itself (which has a fixed IP) to reach out to the external internet?

Seems like an IPTables thing? Is it simple or difficult? We seem to have a couple IPTables wizards here.
 
I use this...it seems to work (I think)
Code:
iptables -t nat -A PREROUTING -p udp -m udp --dport 123 -j DNAT --to-destination 10.14.16.1

It's been a while since I actually tested it, so it may no longer (or never did) work fully!
 
Except of course, NTP calls from the NTP server itself. :)

I have a local NTP server on my network (not the router itself). For silliness where specific NTP servers are hard-coded into devices, is it possible to redirect all NTP traffic to my local server and allow only my local NTP server itself (which has a fixed IP) to reach out to the external internet?

Seems like an IPTables thing? Is it simple or difficult? We seem to have a couple IPTables wizards here.

Do a search for raspberrypi ntp. It has the instructions that work. I got it working on my ntp server. All my devices are automatically routed to it.
 
Do a search for raspberrypi ntp. It has the instructions that work. I got it working on my ntp server. All my devices are automatically routed to it.
You'd have thought I would have thought of that, since my NTP server is an R-Pi. 'Doh!
 
I use this...it seems to work (I think)
Code:
iptables -t nat -A PREROUTING -p udp -m udp --dport 123 -j DNAT --to-destination 10.14.16.1

It's been a while since I actually tested it, so it may no longer (or never did) work fully!
Thanks Jack, I'll give it a try!
 
I use this...it seems to work (I think)
Code:
iptables -t nat -A PREROUTING -p udp -m udp --dport 123 -j DNAT --to-destination 10.14.16.1

It's been a while since I actually tested it, so it may no longer (or never did) work fully!
Granted, I know zero about iptables, but unless there's underlying magic, how does that allow the one NTP server to reach external servers? Doesn't it just reflect the NTP server's requests back to itself?
 
Granted, I know zero about iptables, but unless there's underlying magic, how does that allow the one NTP server to reach external servers? Doesn't it just reflect the NTP server's requests back to itself?
Good question - it seems OK on my setup since ntpd is running on the router - might need to specify interfaces for the rule
 
Granted, I know zero about iptables, but unless there's underlying magic, how does that allow the one NTP server to reach external servers? Doesn't it just reflect the NTP server's requests back to itself?
Exactly right. I think Jack's assumption was that your internal NTP didn't rely on NTP for itself. i.e. it has a GPS receiver or some such. There's been a few projects like that. If your internal NTP server uses NTP itself then you'd have to make an exception for its IP address.
 
Exactly right. I think Jack's assumption was that your internal NTP didn't rely on NTP for itself. i.e. it has a GPS receiver or some such. There's been a few projects like that. If your internal NTP server uses NTP itself then you'd have to make an exception for its IP address.
Like this?
Code:
iptables -t nat -A PREROUTING -p udp -m udp --dport 123 ! -s 10.14.16.10 -j DNAT --to-destination 10.14.16.1
 
Exactly right. I think Jack's assumption was that your internal NTP didn't rely on NTP for itself. i.e. it has a GPS receiver or some such. There's been a few projects like that. If your internal NTP server uses NTP itself then you'd have to make an exception for its IP address.
Yes, my internal NTP does get time primarily from a GPS receiver, but it also goes out and gets internet time, just in case something stupid happens like one of our cats chewing through the GPS antenna cable. :)
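
The pieces discussed in this thread (source exception for the NTP server, restricting the rule to the LAN interface), combined as an added example that is not any poster's code. It assumes a LAN bridge named br0, the NTP server at 10.14.16.10 on 10.14.16.0/24, and it adds a MASQUERADE rule, which is needed when the server sits on the same LAN as the clients so that replies return through the router and keep the address the client originally asked.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the rules instead of running them:
# review the output, then apply as root by piping it to sh.
# Assumed values: br0 (LAN bridge), 10.14.16.10 (NTP server), 10.14.16.0/24 (LAN).

is_ipv4() {
    # Dotted quad only, each octet 0-255.
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

ntp_redirect_rules() {
    lan_if=$1 ntp_srv=$2 lan_cidr=$3 pfx=${3##*/}
    # Inputs end up in a command line, so reject anything that is not a plain
    # interface name, IPv4 address, or address/prefix.
    case $lan_if in ''|*[!A-Za-z0-9._-]*) echo "bad interface" >&2; return 1 ;; esac
    case $pfx in ''|*[!0-9]*) echo "bad prefix" >&2; return 1 ;; esac
    if ! is_ipv4 "$ntp_srv" || ! is_ipv4 "${lan_cidr%/*}" || [ "$pfx" -gt 32 ]; then
        echo "bad address" >&2; return 1
    fi
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan_if -p udp --dport 123 ! -s $ntp_srv -j DNAT --to-destination $ntp_srv
iptables -t nat -A POSTROUTING -o $lan_if -p udp --dport 123 -s $lan_cidr -d $ntp_srv -j MASQUERADE
EOF
}

# Rule 1: NTP arriving from LAN clients is rewritten to the local server. The
#         "! -s" exception lets the server's own queries go out to the internet,
#         and "-i" keeps the rule from matching traffic on the WAN side.
# Rule 2: hairpin NAT. Without it the server answers the client directly from
#         its own address and the client drops the reply as unsolicited.
ntp_redirect_rules br0 10.14.16.10 10.14.16.0/24
```

With rule 2 in place the NTP server logs every redirected client as the router's LAN address, so per-client statistics on the server are lost.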
 
