On 06/12/16 15:00, Miroslav Lichvar wrote:
> On Tue, Dec 06, 2016 at 10:06:27AM +1000, Paul Gear wrote:
>> If you need conntrack for other purposes, you can exclude NTP from it
>> with something like:
>>
>> iptables -t raw -I PREROUTING -j NOTRACK -p udp --dport 123
>
> A similar rule should be in the OUTPUT chain, so responses don't
> create connections. On newer kernels it looks like this:
>
> iptables -t raw -I OUTPUT -p udp --sport 123 -j CT --notrack
> iptables -t raw -I PREROUTING -p udp --dport 123 -j CT --notrack
>
> This seems to be a common problem. Maybe it should be included in the
> recommendations on the pool configuration page?
I would definitely encourage this. However, in my case I'm not sure if it was the problem; instead, at least part of the issue I was having was because the traffic was flowing through our core switch, an Extreme (Enterasys) S4, which has a flow-based architecture. Basically the traffic coming in exhausted the CPU and caused general packet loss throughout our network (which was not very fun).

This morning I did drop port 123 to 203.135.184.46 on our EdgeRouters, which made the network somewhat usable, but it was only when I disabled the WAN port entirely tonight that things got back to normal. I'll follow up more in the morning. For the time being I'm going to have to leave the LeoNTP firewalled off, but once all the teachers leave I'll open it back up again.

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
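The quoted exchange gives the two raw-table rules but not how to install them safely. The following is an added example, not code from the thread or from any poster: a small POSIX shell script that installs the inbound and outbound NOTRACK rules idempotently (check with -C before inserting with -I), applies them to both iptables and ip6tables, and gives a quick way to confirm that NTP traffic is really no longer creating conntrack entries. It assumes an iptables build with the CT target (the "newer kernels" form in the quote; older builds use "-j NOTRACK" instead), that the NTP_PORT and function names are the script's own, and that the apply step is run as root.

```shell
#!/bin/sh
# Added example: idempotent NOTRACK rules for an NTP server (both directions,
# both IP families). Names below (NTP_PORT, ntp_notrack_rules, ...) are this
# script's own, not from the list thread.

NTP_PORT=123

# Emit the rule specifications without the "-t raw" prefix, so the same text
# can be used for both the existence check (-C) and the insert (-I).
ntp_notrack_rules() {
    # Inbound queries: match the destination port.
    printf '%s\n' "PREROUTING -p udp --dport $NTP_PORT -j CT --notrack"
    # Outbound responses: match the source port, otherwise every reply
    # still creates a conntrack entry.
    printf '%s\n' "OUTPUT -p udp --sport $NTP_PORT -j CT --notrack"
}

# Apply the rules with the given binary (iptables or ip6tables), skipping
# any that are already present so the script can be re-run freely.
apply_ntp_notrack() {
    ipt="$1"
    ntp_notrack_rules | while read -r rule; do
        # Word-splitting of $rule is intended here: it is a list of arguments.
        # shellcheck disable=SC2086
        if "$ipt" -t raw -C $rule 2>/dev/null; then
            echo "$ipt: already present: $rule"
        else
            "$ipt" -t raw -I $rule
            echo "$ipt: inserted: $rule"
        fi
    done
}

# Count conntrack entries involving the NTP port. With the rules in place
# this should stay at 0 even while the server is being hammered; a rising
# number means the rules are not matching (wrong table, wrong chain, or an
# older build that needs "-j NOTRACK").
count_ntp_conntrack() {
    if [ -r /proc/net/nf_conntrack ]; then
        grep -c "port=$NTP_PORT " /proc/net/nf_conntrack || true
    else
        # conntrack not loaded at all: nothing is being tracked.
        echo 0
    fi
}

# Only touch the firewall when explicitly asked: "sh ntp-notrack.sh apply".
if [ "${1:-}" = "apply" ]; then
    apply_ntp_notrack iptables
    apply_ntp_notrack ip6tables
    echo "NTP conntrack entries after applying: $(count_ntp_conntrack)"
fi
```

Running it without arguments does nothing, so the rule text can be inspected first with `sh ntp-notrack.sh; ntp_notrack_rules` or by sourcing the file. The raw table is evaluated before conntrack, which is why the rules must live there rather than in filter; putting them anywhere later has no effect on tracking.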
