You should first find out from iptables output, what that line actually contains. And then you should track down from where it comes. So far you have only told us that it is rule 2 in a wan chain.
In default config, the firewall allows ntpd to update quite normally.
If by default you mean unaltered firewall setup, then I have default as I've not modified the firewall. If you mean some other default then I still don't think I've changed anything other than disabling things to make a smaller firmware.
2 zone_wan_dest_REJECT all -- anywhere anywhere /* !fw3 */
Oh good maybe this gives me some clue. Now I need to find where the rules are constructed. I think that there's some problem exposed here.
I may have diff'd the firewall in root-squashfs:/etc/config/firewall with the wrong firewall in the build. But I don't know how to modify the iptables generation/construction.
I find only one "dest wan" in the firewall and that's:
config forwarding
option src lan
option dest wan
Update: I just discovered fw3 command and will try to figure it out.
Ok, I think I've figured it out. Mercy me. I had openwrt on the device previously. (chaos chalmer I thgink). I forgot that I was lugging around those original configs, including firewall. Now why did this rule suddenly cause problems for LEDE?
I think everybody has that "forwarding" rule (or you could not reach internet from your LAN).
However, you must also have a WAN "zone", with a "option output 'REJECT'" rule, instead of 'ACCEPT'.