How to allow only NTP using iptables?
I'm looking for a way to restrict internet traffic to one of the devices on my network so that it can only access NTP and nothing else. Now the easy solution would be to just allow destination port 123 for that device, but I have a problem with that. If I do that, isn't it possible that the device connects to a (non-NTP) server on port 123 and leaks private information?
Some more background:
I have an IoT device which I can connect to from within my local network, but it also has the feature to send data to its cloud. With no clear way to turn that off, I'd like to make sure that the data doesn't leave my local network.
At first I simply blocked internet traffic for its IP in my router (Asuswrt firmware), but in case of a restart (e.g. power outage) its time resets to an old date. Then it tries to access an NTP server to get the correct time.
I checked the IPs it tries to connect to and whitelisted one using iptables on the router. The time updated successfully, but on the next restart the IPs had changed. I suspect this is because the NTP server on the router is set to pool.ntp.org, so the actual server list changes over time.
So I'd like to make sure that the device can only communicate with a valid, known time server, without leaving the possibility for it to connect to some random host on port 123 and send non-time related data.
Is there a way to achieve that? Maybe the packets can be inspected to ensure it only contains data related to NTP?
Alternatively, I'm also open to setting up a local NTP server if that solves the problem, but that would be the scope of a separate question.
You could try using the iptables string match module to match the packet contents so that it matches typical NTP protocol contents, and allow only those packets that match these criteria in your rules.
However, this is not 100% waterproof; you need to carefully assign the matching strings. Also, a malicious intruder could detect this and add the string to his own payload. That would be extremely unlikely.
Another option is to use an Intrusion Prevention System like Suricata, which does actual protocol analysis. However, I'm not sure whether Suricata has direct capability to analyse NTP traffic.
So the goal is to allow NTP and not allow exfiltration.
My solution would be to redirect all UDP 123 traffic to a known NTP server, maybe even internal. That way any NTP requests would only have NTP data or failures.
If exfiltration is the main concern, remember that DNS queries are also a possible risk.
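The two answers above can be combined into one small rule set: the redirect from the second answer (so the device's UDP/123 traffic always lands on a server you chose, whatever IP it resolved), plus the string match from the first answer used positionally to accept only a packet that looks like a plain NTP client request, and a final drop for everything else the device sends out. The script below is an added example, not code from either answerer or from Asuswrt; the device address 192.168.1.50, the NTP server 192.168.1.1 and the LAN interface name br0 are assumptions you would replace with your own.

```shell
#!/bin/sh
# Added example: emit iptables rules that confine one LAN device to NTP with a
# known server. Usage: ntp_only_rules <device-ip> <ntp-server-ip> <lan-iface>
# (all three values are assumptions for illustration; substitute your own).
ntp_only_rules() {
    dev="$1"; ntp="$2"; lan="$3"
    # Offsets: IPv4 header (20) + UDP header (8) = 28, so the first NTP byte is
    # at packet offset 28. 0x1b = LI 0, version 3, mode 3 (client);
    # 0x23 = LI 0, version 4, mode 3 (client). A plain (S)NTP client request
    # is 48 bytes, giving a total IP length of 76. Authenticated or extended
    # NTP requests are longer and would be dropped by the length match.
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan -s $dev -p udp --dport 123 -j DNAT --to-destination $ntp:123
iptables -A FORWARD -i $lan -s $dev -d $ntp -p udp --dport 123 -m length --length 76 -m string --algo bm --from 28 --to 29 --hex-string "|1b|" -j ACCEPT
iptables -A FORWARD -i $lan -s $dev -d $ntp -p udp --dport 123 -m length --length 76 -m string --algo bm --from 28 --to 29 --hex-string "|23|" -j ACCEPT
iptables -A FORWARD -o $lan -d $dev -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $lan -s $dev -j DROP
EOF
}

# Apply the generated rules on the router (needs root and the xt_string,
# xt_length and conntrack modules). Review the output of ntp_only_rules first.
ntp_only_apply() {
    ntp_only_rules "$@" | sh
}

# Print the rules for the assumed addresses when run directly.
ntp_only_rules 192.168.1.50 192.168.1.1 br0
```

Because the DNAT rewrites the destination before the FORWARD chain sees the packet, the ACCEPT rules can require `-d $ntp`, and conntrack reverses the translation on the reply. Note that these rules only govern traffic the router forwards; a DNS query answered by the router's own resolver (dnsmasq on Asuswrt) arrives on the INPUT chain instead and is the separate path the last answer is warning about. On Asuswrt, the firmware's firewall already accepts LAN-to-WAN traffic, so in practice these rules would be inserted ahead of that rule (for example from a firewall-start script) rather than appended.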