Building Linux L3 switch/router on x86 - Part7 - DDNS and NTP Installation and Configuration

In the previous tutorial we configured the firewall and NAT on the Linux Layer 3 switch to allow LAN users to connect to the Internet. We will continue building the Linux L3 switch by configuring NTP and Dynamic DNS services on it. The switch will synchronize its time with a public NTP server over the Internet and provide accurate time to devices on the LAN. Thanks to the Dynamic DNS service it will be reachable by its domain name even when its public IP address is assigned dynamically. This IP address is assigned via DHCP from the ISP's DHCP server on a routed interface of the switch.

The introduction tutorial that explains the concept of building a Linux L3 switch is here.

Network Time Protocol NTP - Client and Server Configuration

Assuming that we are familiar with how the Network Time Protocol works, we will install and configure NTP on the switch as follows.

1. Install NTP tools

[root@swouter-x86 ~]# yum install ntp

2. NTP client configuration

[root@swouter-x86 ~]# vi /etc/ntp.conf

a) Specify public NTP servers or keep the defaults

These are the pre-configured default public NTP servers.

server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org

b) Restrict what the public NTP servers may do on our NTP server

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

Time will be synchronized with the public NTP servers, but these servers are not allowed to modify the run-time configuration or query our Linux NTP server.

c) Start the ntpd daemon and enable it at boot time

[root@swouter-x86 ~]# /etc/init.d/ntpd start
[root@swouter-x86 ~]# chkconfig ntpd on

d) Check if synchronization is working

[root@swouter-x86 ~]# ntpq -p
ntpq: read: Connection refused

Check /var/log/messages for any error messages.

[root@swouter-x86 ~]# tail /var/log/messages

Sep  4 14:23:34 swouter-x86 ntpd[1735]: kernel time sync status 2040
Sep  4 14:23:35 swouter-x86 ntpd[1735]: sendto(81.89.63.67) (fd=24): Operation not permitted
Sep  4 14:23:36 swouter-x86 ntpd[1735]: sendto(217.73.16.2) (fd=24): Operation not permitted
Sep  4 14:24:39 swouter-x86 ntpd[1735]: sendto(81.89.63.67) (fd=24): Operation not permitted
Sep  4 14:24:42 swouter-x86 ntpd[1735]: sendto(217.73.16.2) (fd=24): Operation not permitted
Sep  4 14:25:44 swouter-x86 ntpd[1735]: sendto(81.89.63.67) (fd=24): Operation not permitted
Sep  4 14:25:45 swouter-x86 ntpd[1735]: sendto(217.73.16.2) (fd=24): Operation not permitted
Sep  4 14:26:49 swouter-x86 ntpd[1735]: sendto(81.89.63.67) (fd=24): Operation not permitted
Sep  4 14:26:50 swouter-x86 ntpd[1735]: sendto(217.73.16.2) (fd=24): Operation not permitted
Sep  4 14:27:00 swouter-x86 ntpd[1735]: ntpd exiting on signal 15

Obviously, the firewall configuration prevents NTP traffic with destination UDP port 123 originating on the router from reaching the public NTP servers on the Internet.

[root@swouter-x86 ~]# iptables -A OUTPUT -o ppp0 -p udp --dport 123 -j ACCEPT
[root@swouter-x86 ~]# iptables -A INPUT -i ppp0 -p udp --sport 123 -j ACCEPT

Restart the ntpd daemon.

[root@swouter-x86 ~]# /etc/init.d/ntpd restart
Shutting down ntpd: [FAILED]
Starting ntpd: [  OK  ]

[root@swouter-x86 ~]# ntpq -p

remote           refid      st t when poll reach   delay   offset  jitter
=====================================================
ns2.vnet.sk     81.89.63.150     2 u  100   64    2    5.308  -63.725   0.008
*lb02.vnet.sk    194.160.23.2     2 u   32   64   77    5.185  -67.698  39.818

For correct synchronization, the delay and offset values must be non-zero and the jitter value should be under 100. After successful synchronization an asterisk (*) must be present in front of the NTP server that was selected as the time source.

[root@swouter-x86 ~]# date
Sun Sep  4 12:56:32 CEST 2011

Time is updated correctly, so we can start configuring the NTP server.
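The same synchronization criteria can be checked from a script instead of by eye. The following is an added example, not part of the original tutorial: a POSIX shell function that reads `ntpq -p` output and succeeds only when the selected peer (marked with *) has non-zero delay and offset and a jitter below 100. The sample outputs are constructed from the listings above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: apply the sync criteria
# from the text to `ntpq -p` output. Exits 0 and prints the peer name when a
# peer marked '*' has non-zero delay and offset and jitter < 100, else exits 1.
# Usage: ntpq -p | ntp_synced
ntp_synced() {
    awk '
        # Only the selected peer (leading "*") proves synchronization;
        # the header, the "=====" separator and candidate peers are skipped.
        /^[[:space:]]*\*/ {
            delay = $(NF-2); offset = $(NF-1); jitter = $NF
            if (delay != 0 && offset != 0 && jitter < 100) {
                # The tally character may be glued to the name or stand alone.
                peer = ($1 == "*") ? $2 : substr($1, 2)
                print "synced with " peer
                ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed sample output modelled on the listing in the tutorial.
sample_ntpq_output() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ns2.vnet.sk     81.89.63.150     2 u  100   64    2    5.308  -63.725   0.008
*lb02.vnet.sk    194.160.23.2     2 u   32   64   77    5.185  -67.698  39.818
EOF
}

# Constructed output for the failure case shown in the troubleshooting step.
sample_unsynced_output() {
    echo "No association ID's returned"
}

sample_ntpq_output | ntp_synced
```

Run `ntpq -p | ntp_synced` from cron or a monitoring check; a non-zero exit means the router is not a trustworthy time source for the LAN yet.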

3. NTP server configuration

a) Configure the NTP server to respond to NTP queries coming only from the LAN

Time will be synchronized with the public NTP servers, but these servers are not allowed to modify the run-time configuration or query our Linux NTP server. Edit the file /etc/ntp.conf and add the following lines.

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

Deny queries to our NTP server from the public servers on the Internet and deny any modification of its run-time configuration.

restrict 0.rhel.pool.ntp.org  mask 255.255.255.255 nomodify notrap noquery
restrict 1.rhel.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 2.rhel.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery

To allow hosts on the LAN to query our NTP server, add this rule.

restrict 172.18.0.0 mask 255.255.0.0 nomodify notrap

b) Restart the ntpd daemon running on the NTP server

[root@swouter-x86 ~]# /etc/init.d/ntpd restart

c) Configure iptables to allow NTP queries from hosts on the LAN

We will allow inbound traffic with destination UDP port 123 and outbound traffic with source UDP port 123 on the switch virtual interface (SVI) vlan1.

[root@swouter-x86 ~]# iptables -A INPUT -i vlan1 -p udp --dport 123 -j ACCEPT
[root@swouter-x86 ~]# iptables -A OUTPUT -o vlan1 -p udp --sport 123 -j ACCEPT

4. Configure NTP on computers in the LAN

The steps are very similar to the NTP client configuration on the router. Comment out the lines pointing to the public NTP servers and put the IP address of our NTP server, 172.18.100.150, into /etc/ntp.conf. Restart the ntpd daemon and wait for synchronization. Remember that our NTP server must be synchronized with a public NTP server first; only after that can your computer synchronize its time with our NTP server.

5. Troubleshooting

After a reboot of the Linux router, no NTP peers were available. This can be caused by an unreachable public NTP server or by a misconfigured firewall that blocks access to the server.

[root@swouter-x86 ~]# ntpq -d -p
No association ID's returned

After restarting the ntpd daemon, the peers were shown immediately in the output of ntpq and synchronization occurred.

Explanation:
Public NTP servers cannot be reached by their domain names during the boot of our Linux NTP server, because the public DNS servers are added to /etc/resolv.conf by the pppd daemon only after the NTP daemon has already started. For this reason public NTP servers should be defined by their IP addresses instead of domain names in /etc/ntp.conf. This article describes the problem in more detail.
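A quick way to catch this boot-order problem before the next reboot is to audit the configuration file for hostname-based entries. The following is an added example, not part of the original tutorial: a POSIX shell function that lists every `server` or `peer` entry in an ntp.conf that is not an IPv4 literal; the sample configuration it checks is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: report `server`/`peer`
# entries in an ntp.conf that use a hostname instead of an IPv4 literal.
# Such entries fail to resolve when ntpd starts before pppd has written
# /etc/resolv.conf. Prints each offending name; exit 1 if any, else exit 0.
# Usage: ntp_hostname_servers /etc/ntp.conf
ntp_hostname_servers() {
    awk '
        # Ignore comments and blank lines.
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "server" || $1 == "peer" {
            # Dotted-quad test: four groups of 1-3 digits, each in 0..255.
            n = split($2, o, ".")
            literal = (n == 4)
            for (i = 1; i <= 4 && literal; i++)
                if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || o[i] + 0 > 255) literal = 0
            if (!literal) { print $2; bad++ }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Write a constructed sample ntp.conf (not a real configuration) to "$1",
# mixing pool hostnames with one literal address taken from the ntpq listing.
write_sample_ntp_conf() {
    cat > "$1" <<'EOF'
# constructed sample
driftfile /var/lib/ntp/drift
server 0.rhel.pool.ntp.org
server 81.89.63.150
server 2.rhel.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
EOF
}

# Stand-alone demonstration: the two pool hostnames are reported.
tmp=$(mktemp)
write_sample_ntp_conf "$tmp"
ntp_hostname_servers "$tmp" || echo "hostname-based NTP servers found"
rm -f "$tmp"
```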

Dynamic DNS /DDNS/ Configuration

Dynamic DNS is a service that allows us to use a domain name even when the public IP address is assigned dynamically by the ISP's DHCP server. To accomplish this, our Linux L3 switch must send an HTTP-formatted update to the DDNS provider at regular intervals. Thanks to these updates the DDNS provider knows the current public IP address of the switch and stores the pair of IP address and DNS name, so DNS queries for that name are answered with the public IP address of the switch.

Note: I've chosen DynDNS to provide the DDNS service, but feel free to use any DDNS provider you like. Be aware that the tutorial is written to show the configuration of DDNS with the DynDNS service provider.

1. Register your DynDNS domain

  • Navigate to http://dyn.com/dns/dyndns-free/
  • Click on "Get it Now"
  • Fill in the hostname and the IPv4 or IPv6 address, then click Next
  • Register your account (login, password, email, etc.) and click "Create Account"
  • A confirmation mail will be sent to your email account. Click on the link provided in the email to activate the DynDNS account
  • Click on "Activate your free DynDNS"

2. Install necessary packages

[root@swouter-x86 ~]# yum install perl-IO-Socket-SSL perl-Net-LibIDN

3. Install the latest DDNS client

[root@swouter-x86 ~]# wget http://sourceforge.net/projects/ddclient/files/ddclient/ddclient-3.8.1/ddclient-3.8.1.tar.gz/download
[root@swouter-x86 ~]# tar zxvf ddclient-3.8.1.tar.gz
[root@swouter-x86 ~]# cd ./ddclient-3.8.1

[root@swouter-x86 ddclient-3.8.1]# mkdir /etc/ddclient/
[root@swouter-x86 ddclient-3.8.1]# mkdir /var/cache/ddclient/

[root@swouter-x86 ddclient-3.8.1]# cp ddclient /usr/local/sbin
[root@swouter-x86 ddclient-3.8.1]# cp sample-etc_ddclient.conf /etc/ddclient/ddclient.conf
[root@swouter-x86 ddclient-3.8.1]# cp sample-etc_rc.d_init.d_ddclient /etc/rc.d/init.d/ddclient
[root@swouter-x86 ddclient-3.8.1]# chkconfig --add ddclient

4. Configure /etc/ddclient/ddclient.conf

Edit the file /etc/ddclient/ddclient.conf and add the following lines.

daemon=300
use=web
login=brezular
password=yourdyndnspassword
server=members.dyndns.org
protocol=dyndns2
brezular.dyndns.org

Now start the ddclient daemon:

[root@swouter-x86 ddclient-3.8.1]# /etc/init.d/ddclient start
Starting ddclient: WARNING:  file /etc/ddclient/ddclient.conf: file /etc/ddclient/ddclient.conf must be accessible only by its owner (fixed).
[  OK  ]

Permissions for group and other users were removed; read and write access was kept for the owner (root).

[root@swouter-x86 ddclient-3.8.1]# ls -l /etc/ddclient/ddclient.conf
-rw-------. 1 root root 5919 Sep  3 21:12 /etc/ddclient/ddclient.conf

Check if ddclient is running

[root@swouter-x86 ddclient-3.8.1]# /etc/init.d/ddclient status
ddclient (pid  2011) is running...

5. Configure IP address updates to DynDNS provider

[root@swouter-x86 ddclient-3.8.1]# ps -aux | grep ddclient

root      2011  0.0  0.8  15124  8260 pts/0    S    21:30   0:00 ddclient - sleeping for 300 seconds

ddclient is running in daemon mode. The parameter daemon=300 in /etc/ddclient/ddclient.conf means that every 300 seconds ddclient wakes up and checks whether the public IP address has changed. If the IP address has changed, an update is automatically sent to the DDNS server; if it has not changed, no update is sent.

However, ddclient running in daemon mode should automatically send an update every month even if the IP address has not changed, in order to keep the account active.

6. Test DynDNS

[root@swouter-x86 /]# ping brezular.dyndns.org

PING brezular.dyndns.org (78.98.103.30) 56(84) bytes of data.
64 bytes from adsl-dyn30.78-98-103.t-com.sk (78.98.103.30): icmp_seq=1 ttl=64 time=0.145 ms
64 bytes from adsl-dyn30.78-98-103.t-com.sk (78.98.103.30): icmp_seq=2 ttl=64 time=0.091 ms
64 bytes from adsl-dyn30.78-98-103.t-com.sk (78.98.103.30): icmp_seq=3 ttl=64 time=0.109 ms
64 bytes from adsl-dyn30.78-98-103.t-com.sk (78.98.103.30): icmp_seq=4 ttl=64 time=0.118 ms

END.

The following articles were used extensively while writing this tutorial.

NTP
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch24_:_The_NTP_Server
http://www.brennan.id.au/09-Network_Time_Protocol.html
http://www.ghidinelli.com/2008/09/25/iptables-firewall-rules-for-ntpd-time-synchronization

DynDNS
http://en.wikipedia.org/wiki/Dynamic_DNS
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch19_:_Dynamic_DNS
http://www.sonoracomm.com/support/19-inet-support/232-ddclient
http://sourceforge.net/apps/trac/ddclient
http://www.ubuntugeek.com/update-ip-addresses-at-dynamic-dns-services-using-ddclient.html
