[Solved] Where is iptables rule that prevents ntpd from updating time/date?

I found that I need to log in and run this command so that the time can be set by ntpd.

iptables -D zone_wan_output 2

I'm not sure why that rule exists or if deleting it is the right solution. I am seeking advice on how to configure this correctly.

Thanks in advance.

You should first find out from the iptables output what that line actually contains, and then track down where it comes from. So far you have only told us that it is rule 2 in a wan chain.

In default config, the firewall allows ntpd to update quite normally.

If by default you mean an unaltered firewall setup, then I have the default, as I've not modified the firewall. If you mean some other default, then I still don't think I've changed anything other than disabling things to make a smaller firmware.

2 zone_wan_dest_REJECT all -- anywhere anywhere /* !fw3 */

Well, looks like your defaults are different to the defaults of the rest of us...

2  zone_wan_dest_ACCEPT  all  --  anywhere  anywhere  /* !fw3 */

Oh good, maybe this gives me some clue. Now I need to find where the rules are constructed. I think there's some problem exposed here.

I may have diff'd the firewall in root-squashfs:/etc/config/firewall against the wrong firewall in the build. But I don't know how to modify the iptables generation/construction.

I find only one "dest wan" in the firewall, and that's:

config forwarding
        option src              lan
        option dest             wan

Update: I just discovered fw3 command and will try to figure it out.

https://lede-project.org/docs/user-guide/firewall_configuration

OK, I think I've figured it out. Mercy me. I had OpenWrt on the device previously (Chaos Calmer, I think). I forgot that I was lugging around those original configs, including the firewall. Now why did this rule suddenly cause problems for LEDE?

Thanks @tmomas I think you fixed the link! :+1:

I think everybody has that "forwarding" rule (or you could not reach the internet from your LAN).
However, you must also have a WAN "zone" with an "option output 'REJECT'" line instead of 'ACCEPT'.

Yes, but on OpenWrt everything was working fine.

This is what it was:

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

FWIW now it is (wan6 and mtu_fix removed):

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
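The thread resolves the problem by switching the wan zone's output policy from REJECT to ACCEPT, which is the stock LEDE/OpenWrt default, but it never shows how to confirm that this setting is the culprit before editing /etc/config/firewall, nor the narrower fix of keeping output REJECT and opening only NTP. The script below is an added example written for this page; it is not code from the thread, from fw3 or from the LEDE project. It parses fw3-style config text with awk, reports the wan zone's output policy (which in fw3 governs traffic the router itself originates, ntpd included), and checks for an explicit NTP-out rule. The two configs it inspects are constructed from the zone blocks quoted above; the `Allow-NTP-out` rule, the `uci` commands in the comments and the zone index used there are assumptions, not something the thread shows.

```shell
#!/bin/sh
# Added example (not from the thread or from fw3). Parses fw3-style
# /etc/config/firewall text and answers: can ntpd on the router send NTP out
# of the wan zone? In fw3 the zone 'output' policy applies to packets the
# router originates, so 'option output REJECT' on wan is what blocks ntpd.
#
# On a live router the equivalent checks would be (assumed commands, not run here):
#   iptables -L zone_wan_output -n -v --line-numbers     # what "rule 2" really is
#   uci show firewall | grep -n "output='REJECT'"         # which section sets it
#   uci set firewall.@zone[1].output='ACCEPT'             # index of the wan zone is an assumption
#   uci commit firewall && /etc/init.d/firewall reload

# Constructed sample: the zone block carried over from the old Chaos Calmer config.
OLD_CONFIG=$(cat <<'EOF'
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'
EOF
)

# Constructed least-privilege alternative (assumption: you want the router's own
# outbound traffic denied by default). Keeps output REJECT and opens only UDP/123.
# An fw3 rule with 'dest' but no 'src' lands in the zone's output chain.
HARDENED_CONFIG=$(cat <<'EOF'
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option masq '1'

config rule
	option name 'Allow-NTP-out'
	option dest 'wan'
	option proto 'udp'
	option dest_port '123'
	option target 'ACCEPT'
EOF
)

# zone_policy CONFIG ZONE KEY -> prints the input/output/forward policy of ZONE
# (empty if the zone or the option is absent). Quotes around values are stripped.
zone_policy() {
    printf '%s\n' "$1" | awk -v zone="$2" -v key="$3" '
        function flush() {
            if (insec && name == zone && val != "") print val
            insec = 0; name = ""; val = ""
        }
        $1 == "config" { flush(); if ($2 == "zone") insec = 1; next }
        insec && $1 == "option" {
            v = $3; gsub(/["'\'']/, "", v)
            if ($2 == "name") name = v
            else if ($2 == key) val = v
        }
        END { flush() }'
}

# has_ntp_out_rule CONFIG -> prints yes if some 'config rule' accepts UDP/123
# from the router (no src) to dest wan. fw3 defaults proto to tcp+udp when unset.
has_ntp_out_rule() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (insec && src == "" && dest == "wan" && port == "123" && target == "ACCEPT" &&
                (proto == "udp" || proto == "tcpudp" || proto == "")) found = 1
            insec = 0; src = ""; dest = ""; proto = ""; port = ""; target = ""
        }
        $1 == "config" { flush(); if ($2 == "rule") insec = 1; next }
        insec && $1 == "option" {
            v = $3; gsub(/["'\'']/, "", v)
            if ($2 == "src") src = v
            else if ($2 == "dest") dest = v
            else if ($2 == "proto") proto = v
            else if ($2 == "dest_port") port = v
            else if ($2 == "target") target = v
        }
        END { flush(); print (found ? "yes" : "no") }'
}

# check_ntp_out CONFIG -> prints "allowed" or "blocked" for router-originated NTP.
check_ntp_out() {
    policy=$(zone_policy "$1" wan output)
    if [ "$policy" = "ACCEPT" ]; then echo allowed; return 0; fi
    if [ "$(has_ntp_out_rule "$1")" = "yes" ]; then echo allowed; return 0; fi
    echo blocked
}

printf 'old config:      wan output=%s, ntp out %s\n' \
    "$(zone_policy "$OLD_CONFIG" wan output)" "$(check_ntp_out "$OLD_CONFIG")"
printf 'hardened config: wan output=%s, ntp out %s\n' \
    "$(zone_policy "$HARDENED_CONFIG" wan output)" "$(check_ntp_out "$HARDENED_CONFIG")"
```

Run it against the real file with `zone_policy "$(cat /etc/config/firewall)" wan output` to see which policy fw3 will compile into zone_wan_output. Note that setting output ACCEPT (as the thread did) restores the stock default, which is fine for most home routers; the rule-based variant is the one to reach for when the intent really is to stop the router itself from talking to the WAN except for named services.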