On Tue, Dec 06, 2016 at 10:06:27AM +1000, Paul Gear wrote:
> If you need conntrack for other purposes, you can exclude NTP from it
> with something like:
>
> iptables -t raw -I PREROUTING -j NOTRACK -p udp --dport 123

A similar rule should be in the OUTPUT chain, so responses don't create
connections. On newer kernels it looks like this:

iptables -t raw -I OUTPUT -p udp --sport 123 -j CT --notrack
iptables -t raw -I PREROUTING -p udp --dport 123 -j CT --notrack

This seems to be a common problem. Maybe it should be included in the
recommendations on the pool configuration page?

-- 
Miroslav Lichvar

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
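The thread's point is that, without the two raw-table rules, every NTP packet (client queries arriving at the server, and the server's own replies and upstream queries leaving it) creates a conntrack entry. The following added example, which is not part of the thread and not from the NTP Pool project, shows how an operator can measure that before and after applying the rules: it parses the /proc/net/nf_conntrack layout (conntrack -L output, which omits the leading address-family columns, is accepted too), counts UDP entries involving port 123, and splits them into entries created by inbound queries (what the PREROUTING rule removes) and entries created by the server's own outbound packets (what the OUTPUT rule removes). The sample table and the server address 192.0.2.1 are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack format. Each line carries the
# original-direction tuple first, then the reply-direction tuple.
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 29 src=203.0.113.10 dst=192.0.2.1 sport=123 dport=123 src=192.0.2.1 dst=203.0.113.10 sport=123 dport=123 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=203.0.113.11 dst=192.0.2.1 sport=41233 dport=123 [UNREPLIED] src=192.0.2.1 dst=203.0.113.11 sport=123 dport=41233 mark=0 zone=0 use=1
ipv4     2 udp      17 29 src=192.0.2.1 dst=198.51.100.7 sport=123 dport=123 [UNREPLIED] src=198.51.100.7 dst=192.0.2.1 sport=123 dport=123 mark=0 zone=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.20 dst=192.0.2.1 sport=51514 dport=22 src=192.0.2.1 dst=203.0.113.20 sport=22 dport=51514 [ASSURED] mark=0 zone=0 use=1
ipv4     2 udp      17 170 src=203.0.113.21 dst=192.0.2.1 sport=5353 dport=53 src=192.0.2.1 dst=203.0.113.21 sport=53 dport=5353 [ASSURED] mark=0 zone=0 use=1
"""

# The server's own addresses (constructed); used to tell inbound from outbound.
LOCAL_ADDRS = {"192.0.2.1"}

L4_PROTOS = {"udp", "tcp", "icmp", "icmpv6", "sctp"}
KV = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Parse one conntrack line into protocol, original/reply tuples and state."""
    fields = line.split()
    # The L4 protocol name is the first field that is a known protocol; the
    # /proc format has "ipv4 2" in front of it, conntrack -L does not.
    proto = next((f for f in fields if f in L4_PROTOS), None)
    if proto is None:
        return None
    orig, reply = {}, {}
    for key, val in KV.findall(line):
        if key not in ("src", "dst", "sport", "dport"):
            continue
        # First occurrence of each key is the original direction, second the reply.
        (orig if key not in orig else reply)[key] = val
    return {"proto": proto, "orig": orig, "reply": reply,
            "unreplied": "[UNREPLIED]" in fields}


def summarize_ntp(text, local_addrs, ntp_port=123):
    """Count conntrack entries and those attributable to NTP traffic.

    ntp_inbound  : created by packets to/from clients hitting PREROUTING
    ntp_outbound : created by this host's own packets leaving via OUTPUT
    ntp_unreplied: NTP entries that never saw a reply (typical of UDP queries)
    """
    port = str(ntp_port)
    summary = Counter()
    for entry in map(parse_entry, text.splitlines()):
        if entry is None:
            continue
        summary["total"] += 1
        if entry["proto"] != "udp":
            continue
        orig = entry["orig"]
        if port not in (orig.get("sport"), orig.get("dport")):
            continue
        if orig.get("src") in local_addrs:
            summary["ntp_outbound"] += 1
        else:
            summary["ntp_inbound"] += 1
        if entry["unreplied"]:
            summary["ntp_unreplied"] += 1
    return summary


def load_conntrack_table(path="/proc/net/nf_conntrack"):
    """Read the live table if available (needs root); otherwise use the sample."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return SAMPLE_CONNTRACK


if __name__ == "__main__":
    table = load_conntrack_table()
    s = summarize_ntp(table, LOCAL_ADDRS)
    ntp = s["ntp_inbound"] + s["ntp_outbound"]
    print(f"conntrack entries: {s['total']}, NTP-related: {ntp} "
          f"(inbound {s['ntp_inbound']}, outbound {s['ntp_outbound']}, "
          f"unreplied {s['ntp_unreplied']})")
    if ntp:
        print("NTP entries still present; check the raw-table NOTRACK rules "
              "in both PREROUTING and OUTPUT.")
```

After both rules are in place, the NTP counts should drop to zero as existing entries time out; if only the PREROUTING rule is installed, the outbound count stays non-zero, which is the gap the message above points out. Run the script as root on a live system, or unprivileged to see it operate on the constructed sample.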
