NTP Firewall Configuration: Open UDP Port 123
Configure firewall rules to allow NTP traffic (UDP 123)
Understanding NTP & Firewalls
Why NTP Gets Blocked
| Issue | Cause | Impact |
|---|---|---|
| Outbound blocked | Firewall blocks UDP 123 to external servers | Cannot sync with any NTP server |
| Inbound blocked | Stateful firewall drops response packets | Timeout errors, "unreachable" status |
| NAT issues | Source port changes during NAT translation | Symmetric NAT breaks NTP |
| ISP blocking | Some ISPs block UDP 123 entirely | Must use alternative methods |
Linux: iptables Configuration
Allow Outbound NTP (Client Mode)
# Allow outbound NTP requests
root@server:~# iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
# Allow inbound NTP responses by source port (weak: matches any datagram whose source port is 123, whoever sent it)
root@server:~# iptables -A INPUT -p udp --sport 123 -j ACCEPT
# Or use connection tracking (recommended): only replies to queries this host sent are accepted
root@server:~# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Note: -A appends; if the chain ends in a DROP rule, insert these above it (iptables -I) or they never match
Allow Inbound NTP (Server Mode)
# If running as NTP server, allow incoming queries
root@server:~# iptables -A INPUT -p udp --dport 123 -j ACCEPT
root@server:~# iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
Save Rules Permanently
# Debian/Ubuntu (rules.v4 is restored at boot by the iptables-persistent package)
root@server:~# iptables-save > /etc/iptables/rules.v4
# RHEL/CentOS (legacy)
root@server:~# service iptables save
Linux: firewalld (RHEL/CentOS/Fedora)
Enable NTP Service
# Allow NTP permanently
root@server:~# firewall-cmd --permanent --add-service=ntp
# Reload firewall
root@server:~# firewall-cmd --reload
# Verify
root@server:~# firewall-cmd --list-services
ssh dhcpv6-client ntp
Or Open Port Directly
# Add UDP port 123
root@server:~# firewall-cmd --permanent --add-port=123/udp
root@server:~# firewall-cmd --reload
Zone-Specific Configuration
# Add to specific zone
root@server:~# firewall-cmd --zone=public --permanent --add-service=ntp
root@server:~# firewall-cmd --reload
Linux: ufw (Ubuntu/Debian)
Simple Configuration
# Allow inbound NTP (ufw's default outgoing policy is allow, so the outbound query already passes)
root@server:~# ufw allow 123/udp
# Check status
root@server:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 123/udp                    ALLOW IN    Anywhere
[ 2] 123/udp (v6)               ALLOW IN    Anywhere (v6)
Allow Only Outbound (More Secure)
# For client-only systems (outbound only); only has an effect if you run "ufw default deny outgoing"
root@server:~# ufw allow out 123/udp
Restrict to Specific Servers
# Only allow NTP to specific server
root@server:~# ufw allow out to 195.154.XXX.XXX port 123 proto udp
root@server:~# ufw allow in from 195.154.XXX.XXX port 123 proto udp
Windows Firewall
PowerShell Commands
# Allow NTP outbound (Windows Firewall allows outbound by default; this rule matters only if the outbound default is Block)
PS C:\> New-NetFirewallRule -DisplayName "NTP Outbound" -Direction Outbound -Protocol UDP -RemotePort 123 -Action Allow
# Allow NTP inbound on local port 123 (only needed if this host serves NTP; replies to its own queries are admitted statefully)
PS C:\> New-NetFirewallRule -DisplayName "NTP Inbound" -Direction Inbound -Protocol UDP -LocalPort 123 -Action Allow
GUI Method
- Open Windows Defender Firewall with Advanced Security
- Click Inbound Rules → New Rule
- Select Port → UDP → Specific local ports: 123
- Select Allow the connection
- Apply to Domain, Private, Public as needed
- Name: "NTP UDP 123"
- Repeat for Outbound Rules
Check Windows Time Service
# Verify that the Windows Time service is synchronising over the network
C:\> w32tm /query /status
C:\> w32tm /query /peers
Enterprise Firewalls
Cisco ASA
! Allow NTP from internal to external; an ACL takes effect only once bound to an interface
access-list INSIDE_OUT extended permit udp any any eq 123
access-group INSIDE_OUT in interface inside
! The ASA tracks UDP state, so replies to those queries are admitted without an outside-in rule.
! Only needed if an internal host serves NTP to the outside (accepts queries from any source):
access-list OUTSIDE_IN extended permit udp any any eq 123
Palo Alto
# Security Policy
Source Zone: trust
Destination Zone: untrust
Application: ntp
Service: application-default
Action: Allow
pfSense / OPNsense
- Go to Firewall → Rules → LAN (rules here match traffic entering from LAN hosts, i.e. outbound NTP queries)
- Add rule: Protocol UDP, Destination Port 123
- Action: Pass
- Description: "Allow NTP"
Testing NTP Connectivity
Test UDP Port 123
# Using netcat (UDP is connectionless: nc reports success unless an ICMP port-unreachable comes back, so this does not prove an NTP server answered)
root@server:~# nc -vzu ntp.rdem-systems.com 123
Connection to ntp.rdem-systems.com 123 port [udp/ntp] succeeded!
# Using nmap
root@server:~# nmap -sU -p 123 ntp.rdem-systems.com
PORT STATE SERVICE
123/udp open ntp
Test NTP Protocol
# Using ntpdate (query mode)
root@server:~# ntpdate -q ntp.rdem-systems.com
server 195.154.XXX.XXX, stratum 1, offset 0.000234, delay 0.02563
14 Jan 11:30:45 ntpdate[12345]: adjust time server 195.154.XXX.XXX offset 0.000234 sec
# Using sntp
root@server:~# sntp ntp.rdem-systems.com
Diagnose Blocked NTP
# Check for firewall drops in logs (only present if a LOG target precedes your DROP rule)
root@server:~# dmesg | grep -i "DROP.*123"
root@server:~# journalctl -k | grep -i "DROP"
# Trace NTP packets
root@server:~# tcpdump -i any port 123 -nn
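The two sections above test the protocol and diagnose a blocked port. As an added example that is not part of the original page, here is a small Python client that builds the 48-byte mode 3 query, validates the mode 4 reply and computes the offset and delay that ntpdate -q prints; query() returns None on timeout, which is exactly what a dropped request or reply looks like from the client side. build_reply constructs a server reply offline so the arithmetic can be checked without network access; the host name and timestamps are assumptions.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)

def to_ntp(unix):  # Unix float seconds -> (seconds, fraction) 64-bit NTP timestamp
    secs, frac = divmod(unix + NTP_EPOCH_OFFSET, 1)
    return int(secs), int(frac * (1 << 32))

def from_ntp(secs, frac):
    return secs + frac / (1 << 32) - NTP_EPOCH_OFFSET

def build_request(t1):
    """48-byte NTPv4 client packet (LI=0, VN=4, mode 3): the datagram that must leave on UDP/123."""
    header = struct.pack("!BBBb3I", 0x23, 0, 0, 0, 0, 0, 0)
    return header + b"\0" * 24 + struct.pack("!II", *to_ntp(t1))

def build_reply(request, t2, t3, stratum=1):
    """Constructed mode-4 server reply for offline use; it echoes our transmit time as origin."""
    header = struct.pack("!BBBb3I", 0x24, stratum, 0, -20, 0, 0, 0x47505300)  # refid "GPS"
    return header + b"\0" * 8 + request[40:48] + struct.pack("!4I", *to_ntp(t2), *to_ntp(t3))

def parse_reply(data, t1, t4):
    """Validate a reply and compute offset/delay as in RFC 5905 (the numbers ntpdate -q prints)."""
    if len(data) < 48:
        raise ValueError("short packet (%d bytes)" % len(data))
    mode, stratum = data[0] & 0x07, data[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0:  # kiss-o'-death: the refid carries an ASCII code such as RATE or DENY
        raise ValueError("kiss-o'-death: %s" % data[12:16].decode("ascii", "replace"))
    ts = struct.unpack("!8I", data[16:48])  # reference, origin, receive, transmit timestamps
    if ts[2:4] != to_ntp(t1):  # origin must echo our transmit time, else the reply is bogus
        raise ValueError("origin timestamp mismatch")
    t2, t3 = from_ntp(ts[4], ts[5]), from_ntp(ts[6], ts[7])
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return {"stratum": stratum, "offset": offset, "delay": delay}

def query(host, timeout=2.0):  # live check: None on timeout means the request or reply was dropped
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (host, 123))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
        return parse_reply(data, t1, time.time())
```

Run `query("ntp.rdem-systems.com")` (assumed host) after applying a rule set: a dict with a small offset and delay means UDP/123 passes both ways, None means a firewall on the path is dropping one direction.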
Test Your Configuration
After configuring your firewall, verify everything works: