On 2019-01-25 Trevor Cordes wrote:
Looks like chrony (and others) lets you specify src port, but I'm loathe to uproot the system I know because Bell is braindead. (MTS didn't use to block it, and block-happy Shaw does not block it.)
Epiphany moment: iptables can probably solve this. 20 minutes later:
iptables -t mangle -A OUTPUT -o $iext -p udp --sport 123 --dport 123 -j MARK --set-mark 30 iptables -t nat -A POSTROUTING -p udp -m mark --mark 30 -j SNAT --to-source :60000-61000
Works perfectly! ntpd now syncs with peers. ntpdate doesn't need -u. I don't need to switch to chrony. And I don't need to wait for ntpd to add this feature*. Go take a hike Bell!!!
*http://bugs.ntp.org/show_bug.cgi?id=1109 ... looks like never
Note, it could be just 1 rule, but I used 2 to make sure that I only SNAT packets originating from within the actual firewall/router itself, and not packets being forwarded from within the internal LAN (PC's). I can't figure out a way to specify "really originated locally" other than with mark, but I'm open to ideas. It's not as easy as it sounds with multiple interfaces on the box, unless there's a trick I'm missing.
If I wanted internal LAN PCs to also have their traffic go through, I'd need to use a -j MASQUERADE (it's a dynamic IP) in an extra rule and change the syntax slightly. Since all internal PCs should be set to use the firewall as ntp server, this shouldn't be a problem (in fact could help me id broken PC ntp setups).