[Solved] Where is iptables rule that prevents ntpd from updating time/date?

I found that I need to login and run this command so that the time can be set by ntpd.

iptables -D zone_wan_output 2

I'm not sure why that rule exists or if deleting it is the right solution. I am seeking advice on how to configure this correctly.


You should first find out from iptables output, what that line actually contains. And then you should track down from where it comes. So far you have only told us that it is rule 2 in a wan chain.

In default config, the firewall allows ntpd to update quite normally.

If by default you mean unaltered firewall setup, then I have default as I've not modified the firewall. If you mean some other default then I still don't think I've changed anything other than disabling things to make a smaller firmware.

2 zone_wan_dest_REJECT all -- anywhere anywhere /* !fw3 */

Well, looks like your defaults are different to the defaults of the rest of us...

2  zone_wan_dest_ACCEPT  all  --  anywhere  anywhere  /* !fw3 */

Oh good maybe this gives me some clue. Now I need to find where the rules are constructed. I think that there's some problem exposed here.

I may have diff'd the firewall in root-squashfs:/etc/config/firewall with the wrong firewall in the build. But I don't know how to modify the iptables generation/construction.

I find only one "dest wan" in the firewall and that's:

config forwarding
        option src              lan
        option dest             wan

Update: I just discovered fw3 command and will try to figure it out.


Ok, I think I've figured it out. Mercy me. I had openwrt on the device previously. (chaos chalmer I thgink). I forgot that I was lugging around those original configs, including firewall. Now why did this rule suddenly cause problems for LEDE?

Thanks @tmomas I think you fixed the link! :+1:

I think everybody has that "forwarding" rule (or you could not reach internet from your LAN).
However, you must also have a WAN "zone", with a "option output 'REJECT'" rule, instead of 'ACCEPT'.

Yes, but on openwrt everything was working fine.

This is what it was:

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

FWIW now it is (wan6 and mtu_fix removed):

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'