From: Tobias Andresen <tobiasarp@gmx.de>
To: Pascal Hambourg <pascal@plouf.fr.eu.org>
Cc: netfilter <netfilter@vger.kernel.org>
Subject: Re: NTP forwarding
Date: Mon, 7 Mar 2016 08:24:56 +0100
Message-ID: <56DD2CC8.1030902@gmx.de>
In-Reply-To: <56DCA3C6.3000101@plouf.fr.eu.org>

On 06.03.2016 at 22:40, Pascal Hambourg wrote:
> Tobias Andresen wrote:
>> On 06.03.2016 at 21:42, Pascal Hambourg wrote:
>>> Why do you think you need iptables rules? Isn't plain routing enough?
>> The PCs should only be able to use NTP (Port 123). They should not be able
>> to have full access (i.e. internet, ...)
> Then you need filtering, not NAT.
>
>> I tried the following rule for one PC:
>>
>> iptables -t nat -A PREROUTING -p udp --dport 123 -j DNAT --to-destination 192.168.31.96:123
> What is the purpose of this rule? It redirects NTP packets to
> 192.168.31.96. How do you expect that NTP packets eventually reach
> 62.214.6.29?
>
>> iptables -t nat -A POSTROUTING -p udp --dport 123 -j MASQUERADE
> Why is this rule needed? What's between 10.0.0.95 and 62.214.6.29?

This is the internet connection.
I cannot achieve this by using iptables or why would you prefer plain
routing?
I thought I have to use iptables because the NTP server (62.214.6.29)
does not know who is behind 10.0.0.95
and the embedded device has to change the source and destination address...
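
Added example, not part of the original message: a least-privilege ruleset for the setup discussed above, where forwarding is dropped by default, only NTP to 62.214.6.29 is let through, and source NAT is limited to that same flow. The interface names `eth1` (PC side) and `eth0` (internet side) and the function name `ntp_only_ruleset` are assumptions; the message does not give them.

```shell
#!/bin/sh
# Added example (not from the thread). Prints an iptables-restore ruleset that
# forwards only NTP from the PC network to one server and drops everything else.
# Assumptions: eth1 = PC side, eth0 = internet side (hypothetical names);
# 62.214.6.29 is the NTP server named in the message.
# The router also needs net.ipv4.ip_forward=1.

ntp_only_ruleset() {
    lan_if=${1:-eth1}
    wan_if=${2:-eth0}
    ntp_server=${3:-62.214.6.29}

    # Refuse anything that could smuggle extra tokens into the ruleset.
    case "$lan_if$wan_if" in
        *[!A-Za-z0-9._-]*) echo "invalid interface name" >&2; return 1 ;;
    esac
    case "$ntp_server" in
        *[!0-9.]*) echo "invalid IPv4 address" >&2; return 1 ;;
    esac

    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Replies to flows we allowed (conntrack tracks UDP request/reply pairs).
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only new traffic the PCs may send through the router: NTP to one server.
-A FORWARD -i $lan_if -o $wan_if -p udp -d $ntp_server --dport 123 -j ACCEPT
# Rate-limited log of every other forwarding attempt before the policy drops it.
-A FORWARD -i $lan_if -m limit --limit 6/min -j LOG --log-prefix "fwd-denied: "
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Source NAT only for the permitted flow, so replies route back via the router.
-A POSTROUTING -o $wan_if -p udp -d $ntp_server --dport 123 -j MASQUERADE
COMMIT
EOF
}
```

Validate with `ntp_only_ruleset | iptables-restore --test`; loading it for real without `--noflush` replaces the current contents of the filter and nat tables.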