Allow only NTP using iptables

firewall, iptables, ntp, router, security

I'm looking for a way to restrict internet traffic to one of the devices on my network so that it can only access NTP and nothing else.
Now the easy solution would be to just allow destination port 123 for that device, but I have a problem with that.
If I do that, isn't it possible that the device connects to a (non-NTP) server on port 123 and leaks private information?

Some more background:

I have an IoT device which I can connect to from within my local network, but it also has the feature to send data to its cloud. With no clear way to turn that off, I'd like to make sure that the data doesn't leave my local network.

At first I simply blocked internet traffic for its IP in my router (Asuswrt firmware), but in case of a restart (e.g. power outage) its time resets to an old date. Then it tries to access an NTP server to get the correct time.

I checked the IPs it tries to connect to and whitelisted one using iptables on the router. The time updated successfully, but on the next restart the IPs had changed. I suspect this is because the NTP server on the router is set to pool.ntp.org, so the actual server list changes over time.

So I'd like to make sure that the device can only communicate with a valid, known time server, without leaving the possibility for it to connect to some random host on port 123 and send non-time related data.

Is there a way to achieve that? Maybe the packets can be inspected to ensure it only contains data related to NTP?

Alternatively, I'm also open to setting up a local NTP server if that solves the problem, but that would be the scope of a separate question.

Best Answer

You could try using the iptables string match module to match the packet contents against typical NTP protocol contents, and allow only those packets that match this criterion in your rules.

However, this is not 100% waterproof; you need to carefully assign the matching strings. Also, a malicious intruder could detect this and add the string to his own payload. That would be extremely unlikely.

Another option is to use an Intrusion Prevention System like Suricata, which does actual protocol analysis. However, I'm not sure if Suricata has direct capability to analyse NTP traffic.

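To make the byte-matching idea concrete, here is an added example (not part of the question or the answer): a Python model of the NTP client packet shape that a firewall can approximate, and the iptables FORWARD rules that shape translates to. The device and server addresses are placeholders, and the `-m string --from/--to` offset semantics and `-m length` usage are assumptions to verify against the router's iptables-extensions(8) man page.

```python
NTP_LEN = 48    # NTP v3/v4 packet without extension fields or MAC (RFC 5905)
IP_HDR = 20     # IPv4 header without options
UDP_HDR = 8
NTP_PORT = 123


def ntp_header_fields(payload: bytes) -> dict:
    """Split the first NTP byte into LI (2 bits), VN (3 bits) and Mode (3 bits)."""
    first = payload[0]
    return {"li": first >> 6, "vn": (first >> 3) & 0x7, "mode": first & 0x7}


def looks_like_ntp_client(payload: bytes) -> bool:
    """The shape a firewall can check: exact length, version 3 or 4, mode 3 (client).
    Limit: anything stuffed into the remaining 47 bytes is invisible to this check,
    which is the caveat the answer raises about string matching."""
    if len(payload) != NTP_LEN:
        return False
    f = ntp_header_fields(payload)
    return f["vn"] in (3, 4) and f["mode"] == 3


def ntp_client_request(unsynced: bool = True) -> bytes:
    """Constructed minimal SNTP-style client request: header byte plus zeroed fields."""
    li = 3 if unsynced else 0           # LI=3 ("clock unsynchronized") after a cold boot
    first = (li << 6) | (4 << 3) | 3    # VN=4, Mode=3 -> 0xE3 or 0x23
    return bytes([first]) + bytes(NTP_LEN - 1)


def iptables_rules(device_ip: str, ntp_server: str) -> list:
    """Assumed rule set for the router's FORWARD chain: each ACCEPT pins one allowed
    header byte at the first payload byte and the exact wire length; the final DROP
    makes everything else from the device fail closed."""
    first_byte = IP_HDR + UDP_HDR            # payload begins at byte 28 of the IPv4 packet
    wire_len = IP_HDR + UDP_HDR + NTP_LEN    # 76 bytes total on the wire
    rules = []
    for hdr in ("23", "e3"):                 # VN=4/Mode=3 with LI=0 or LI=3
        rules.append(
            f"iptables -A FORWARD -s {device_ip} -d {ntp_server} -p udp --dport {NTP_PORT} "
            f"-m length --length {wire_len} -m string --algo bm --hex-string '|{hdr}|' "
            f"--from {first_byte} --to {first_byte + 1} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {device_ip} -j DROP")
    return rules
```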