我正在嘗試為本地網路設定 NTP 伺服器,但 ntpd 拒絕與外部伺服器同步。
# ntptrace
localhost: stratum 16, offset 0.000000, synch distance 0.396285
# ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
31.135.95.60 .INIT. 16 u - 1024 0 0.000 0.000 0.000
31.131.249.26 .INIT. 16 u - 1024 0 0.000 0.000 0.000
91.122.42.73 .INIT. 16 u - 1024 0 0.000 0.000 0.000
194.190.168.1 .INIT. 16 u - 1024 0 0.000 0.000 0.000
我使用的配置幾乎是預設的:
# grep ^[^#] /etc/ntp.conf
server 0.gentoo.pool.ntp.org
server 1.gentoo.pool.ntp.org
server 2.gentoo.pool.ntp.org
server 3.gentoo.pool.ntp.org
driftfile /var/lib/ntp/ntp.drift
restrict default nomodify nopeer noquery limited kod
restrict 127.0.0.1
restrict [::1]
restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap
disable monitor
奇怪的是,我在 LAN 內有另一個 NTP 伺服器,它運行良好且同步良好,所以我沒有責怪 123 UDP 端口,但要確保我已在我嘗試啟動的網關上顯式打開它ntpd。
# iptables -L -n -v
Chain INPUT (policy ACCEPT 839K packets, 836M bytes)
pkts bytes target prot opt in out source destination
31696 3023K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3435 273K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT udp -- !br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 reject-with icmp-port-unreachable
0 0 REJECT udp -- !br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 reject-with icmp-port-unreachable
0 0 ACCEPT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123
0 0 DROP tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023
204 15504 DROP udp -- br1 * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023
0 0 DROP tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049
0 0 DROP udp -- br1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:2049
0 0 DROP tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:32765:32768
0 0 DROP udp -- br1 * 0.0.0.0/0 0.0.0.0/0 udp dpts:32765:32768
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- br0 * 0.0.0.0/0 192.168.0.0/16
21579 1859K ACCEPT all -- br0 * 192.168.0.0/16 0.0.0.0/0
21307 6910K ACCEPT all -- br1 * 0.0.0.0/0 192.168.0.0/16
Chain OUTPUT (policy ACCEPT 762K packets, 151M bytes)
pkts bytes target prot opt in out source destination
br0 是 LAN,br1 是 WAN。
嘗試連接到第 2 層伺服器(在另一台伺服器上看到,其中 ntpd 工作正常):
# ntpdate -d 95.213.132.250
2 May 07:35:30 ntpdate[9987]: ntpdate [email protected] Fri May 1 20:36:27 UTC 2015 (1)
transmit(95.213.132.250)
receive(95.213.132.250)
transmit(95.213.132.250)
receive(95.213.132.250)
transmit(95.213.132.250)
receive(95.213.132.250)
transmit(95.213.132.250)
receive(95.213.132.250)
server 95.213.132.250, port 123
stratum 2, precision -21, leap 00, trust 000
refid [95.213.132.250], delay 0.03688, dispersion 0.00314
transmitted 4, in filter 4
reference time: d8eeccd9.08f19253 Sat, May 2 2015 7:11:05.034
originate timestamp: d8eed298.9d09bba6 Sat, May 2 2015 7:35:36.613
transmit timestamp: d8eed298.9ae29d48 Sat, May 2 2015 7:35:36.605
filter delay: 0.04114 0.04720 0.04874 0.03688
0.00000 0.00000 0.00000 0.00000
filter offset: 0.004748 0.008231 0.008865 0.002733
0.000000 0.000000 0.000000 0.000000
delay 0.03688, dispersion 0.00314
offset 0.002733
2 May 07:35:36 ntpdate[9987]: adjust time server 95.213.132.250 offset 0.002733 sec
嘗試從 ntpd 取得一些輸出
# ntpd -gqd
2 May 07:45:35 ntpd[20292]: ntpd [email protected] Fri May 1 20:36:26 UTC 2015 (1): Starting
2 May 07:45:35 ntpd[20292]: Command line: ntpd -gqd
2 May 07:45:35 ntpd[20292]: proto: precision = 0.051 usec (-24)
2 May 07:45:35 ntpd[20292]: Listen and drop on 0 v4wildcard 0.0.0.0:123
2 May 07:45:35 ntpd[20292]: Listen normally on 1 lo 127.0.0.1:123
2 May 07:45:35 ntpd[20292]: Listen normally on 2 br0 192.168.0.1:123
2 May 07:45:35 ntpd[20292]: Listen normally on 3 br0 192.168.0.9:123
2 May 07:45:35 ntpd[20292]: Listen normally on 4 br0 192.168.0.17:123
2 May 07:45:35 ntpd[20292]: Listen normally on 5 br1 192.168.42.250:123
2 May 07:45:35 ntpd[20292]: Listening on routing socket on fd #22 for interface updates
2 May 07:45:35 ntpd[20292]: restrict: ignoring line 51, address/host '[::1]' unusable.
^C 2 May 07:45:44 ntpd[20292]: ntpd exiting on signal 2 (Interrupt)
2 May 07:45:44 ntpd[20292]: 46.8.40.31 local addr 192.168.42.250 -> <null>
2 May 07:45:44 ntpd[20292]: 217.70.19.12 local addr 192.168.42.250 -> <null>
2 May 07:45:44 ntpd[20292]: 89.208.145.140 local addr 192.168.42.250 -> <null>
2 May 07:45:44 ntpd[20292]: 31.135.95.60 local addr 192.168.42.250 -> <null>
正如一開始所看到的^C,守護程序被手動中斷,因為它沒有以應有的方式退出(在另一台伺服器上,ntpd 在報告時間變化的限制訊息後退出)
無論我做什麼,經過多次重新啟動後,漂移都不會改變:
# cat /var/lib/ntp/ntp.drift
-7.037
答案1
您的防火牆規則不允許 NTP。線路
0 0 ACCEPT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123
一切都很好,但 NTP 是一種 UDP 服務。改變協議,事情應該會變得更好。您的FORWARD規則更加寬鬆(本質上是permit any any),這就是 LAN 內的主機同步正常的原因。
答案2
我在 ntpd 上遇到了類似的問題[電子郵件受保護]在 OpenWrt 22.03.3 下,在我的例子中,ntpd 錯誤地綁定到介面或處理來自介面的資料。作為解決方法,您必須新增到 conf 檔案:
介面監聽 ethX
其中 ethX 是 ntpd 應該監聽 NTP 伺服器應答的介面