ntpdate -d seems successful, but ntpdate returns no server suitable

Try running it as:

ntpdate -u 0.pool.ntp.org

The -u configures ntpdate to use an unprivileged port, which it always does when you use the -d option.

Therefore, it it works with -u and -d but not without either, I'd double check your firewalls.

From the man page:

-u Direct ntpdate to use an unprivileged port for outgoing packets. This is most useful when behind a firewall that blocks incoming traffic to privileged ports, and you want to synchronize with hosts beyond the firewall. Note that the -d option always uses unprivileged ports.

add this rule in iptables:

iptables -t nat -A POSTROUTING -p udp --sport 123 -j MASQUERADE --to-ports 1025-65535