Linux Netfilter discussions
* transparent proxying NTP
@ 2004-06-27 19:43 Folkert van Heusden
  2004-06-27 20:17 ` Dimitar Katerinski
  2004-06-27 20:19 ` Leonardo Rodrigues Magalhães
  0 siblings, 2 replies; 9+ messages in thread
From: Folkert van Heusden @ 2004-06-27 19:43 UTC (permalink / raw)
  To: netfilter

Hi,

I'm trying to do transparent proxying for NTP.
I want to do that as some access points I have over here want to sync their
time to some server in America. Not so efficient, as I live in Europe and
have in fact my own local stratum 1 timeserver.
So, I tried this:
iptables -t nat -A PREROUTING -i eth1 -s ! 192.168.64.1 -p udp --dport 123 -j DNAT --to 192.168.64.1:123
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/16 -d 192.168.64.1 -j SNAT --to 127.0.0.1

But when I do a tcpdump on ppp0 of my gateway (the adsl connection) and do
netdate ntp.xs4all.nl from a host on my lan (192.168.64.99), I still see
requests coming from that host to the internet!
I guess I'm doing something obvious wrong here but I'm not sure what.
Could someone please enlighten me?


Folkert van Heusden

+--------------------------------------------------------------------------+
| UNIX sysop? Then give MultiTail ( http://www.vanheusden.com/multitail/ ) |
| a try, it brings monitoring logfiles to a different level! See:          |
| http://www.vanheusden.com/multitail/features.html for a feature list.    |
+---------------------------------------------------= www.vanheusden.com =-+



^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: transparent proxying NTP
  2004-06-27 19:43 transparent proxying NTP Folkert van Heusden
@ 2004-06-27 20:17 ` Dimitar Katerinski
  2004-06-27 20:46   ` Leonardo Rodrigues Magalhães
  2004-06-27 20:19 ` Leonardo Rodrigues Magalhães
  1 sibling, 1 reply; 9+ messages in thread
From: Dimitar Katerinski @ 2004-06-27 20:17 UTC (permalink / raw)
  To: netfilter

Folkert van Heusden wrote:

 > Hi,
 >
 > I'm trying to do transparent proxying for NTP.
 > I want to do that as some access points I have over here want to sync their
 > time to some server in America. Not so efficient, as I live in Europe and
 > have in fact my own local stratum 1 timeserver.
 > So, I tried this:
 > iptables -t nat -A PREROUTING -i eth1 -s ! 192.168.64.1 -p udp --dport 123 -j DNAT --to 192.168.64.1:123
 > iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/16 -d 192.168.64.1 -j SNAT --to 127.0.0.1
 >
 > But when I do a tcpdump on ppp0 of my gateway (the adsl connection) and do
 > netdate ntp.xs4all.nl from a host on my lan (192.168.64.99), I still see
 > requests coming from that host to the internet!
 > I guess I'm doing something obvious wrong here but I'm not sure what.
 > Could someone please enlighten me?
 >
 >
 > Folkert van Heusden



Hello,

Well, if you think about how a transparent www proxy works, you may figure out how to do transparent NTP proxying.
The following rule should do the job:
iptables -t nat -A PREROUTING -i eth1 -s $LAN_SUBNET -p udp --dport 123 -j REDIRECT --to-ports 123
Also, I think
iptables -t nat -A PREROUTING -i eth1 -s $LAN_SUBNET -p udp --dport 123 -j DNAT --to-destination 192.168.64.1:124
might work, as I tested it. You don't need the SNAT rule though. Test these and give feedback.


P.S. Sorry for sending this message right to you, my mistake.

Regards,
Dimitar

-- 
"The only thing necessary for the triumph of evil is for good men to do nothing."
                                                   --Edmund Burke.



* Re: transparent proxying NTP
  2004-06-27 19:43 transparent proxying NTP Folkert van Heusden
  2004-06-27 20:17 ` Dimitar Katerinski
@ 2004-06-27 20:19 ` Leonardo Rodrigues Magalhães
  2004-06-28  2:13   ` Dick St.Peters
  2004-06-28 14:38   ` Folkert van Heusden
  1 sibling, 2 replies; 9+ messages in thread
From: Leonardo Rodrigues Magalhães @ 2004-06-27 20:19 UTC (permalink / raw)
  To: Folkert van Heusden, netfilter


    I think SNATting to 127.0.0.1 would break things, unless this Linux
router IS your timeserver, which I believe it isn't. You should SNAT to your
Linux router IP, not 127.0.0.1.

    Also note that the order of the rules is important. If you have some
other rule with ACCEPT in PREROUTING before the DNAT rule, the packet will be
allowed to go out and DNAT will never be reached. A full 'iptables -t
nat -nL -v' would help us to check this.

    Last ...... are you sure the protocol used for time syncing works fine when
DNATted?? I don't know, never tried this.

    Sincerely,
    Leonardo Rodrigues

----- Original Message ----- 
From: "Folkert van Heusden" <folkert@vanheusden.com>
To: <netfilter@lists.netfilter.org>
Sent: Sunday, June 27, 2004 4:43 PM
Subject: transparent proxying NTP


> Hi,
>
> I'm trying to do transparent proxying for NTP.
> I want to do that as some access points I have over here want to sync
their
> time to some server in America. Not so efficient, as I live in Europe and
> have in fact my own local stratum 1 timeserver.
> So, I tried this:
> iptables -t nat -A PREROUTING -i eth1 -s ! 192.168.64.1 -p udp --dport
123 -j DNAT --to 192.168.64.1:123
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/16 -d
192.168.64.1 -j SNAT --to 127.0.0.1
>
> But when I do a tcpdump on ppp0 of my gateway (the adsl connection) and do
> netdate ntp.xs4all.nl from a host on my lan (192.168.64.99), I still see
> requests coming from that host to the internet!
> I guess I'm doing something obvious wrong here but I'm not sure what.
> Could someone please enlighten me?




* Re: transparent proxying NTP
  2004-06-27 20:17 ` Dimitar Katerinski
@ 2004-06-27 20:46   ` Leonardo Rodrigues Magalhães
  2004-06-27 20:48     ` Dimitar Katerinski
  2004-06-28 14:45     ` Folkert van Heusden
  0 siblings, 2 replies; 9+ messages in thread
From: Leonardo Rodrigues Magalhães @ 2004-06-27 20:46 UTC (permalink / raw)
  To: Dimitar Katerinski, netfilter


    If the DNATted machine is NOT the Linux router that is doing the DNAT,
you WILL need the SNAT rule too. If you don't use it, the DNATted machine will try
to answer directly to the machine that requested the update. And that
machine is not expecting anything from that IP. So, SNATting to the Linux router
IP is needed if DNATting to a machine in the network.

    Sincerely,
    Leonardo Rodrigues


----- Original Message ----- 
From: "Dimitar Katerinski" <train@bofh.bg>
To: <netfilter@lists.netfilter.org>
Sent: Sunday, June 27, 2004 5:17 PM
Subject: Re: transparent proxying NTP
> Well if you think how transparent www proxy works, you may figure out how
to do transparent ntp proxying.
> The following rule should do the job:
> iptables -t nat -A PREROUTING -i eth1 -s $LAN_SUBNET -p udp --dport 123 -j
REDIRECT --to-ports 123
> also I think
> iptables -t nat -A PREROUTING -i eth1 -s $LAN_SUBNET -p udp --dport 123 -j
DNAT --to-destination 192.168.64.1:124
> might work, as I tested it. You don't need the SNAT rule though. Test these
and give feedback.
>




* Re: transparent proxying NTP
  2004-06-27 20:46   ` Leonardo Rodrigues Magalhães
@ 2004-06-27 20:48     ` Dimitar Katerinski
  2004-06-28 14:45     ` Folkert van Heusden
  1 sibling, 0 replies; 9+ messages in thread
From: Dimitar Katerinski @ 2004-06-27 20:48 UTC (permalink / raw)
  To: netfilter

Leonardo Rodrigues Magalhães wrote:
>     If the DNATted machine is NOT the Linux router that is doing the DNAT,
> you WILL need the SNAT rule too. If you don't use it, the DNATted machine will try
> to answer directly to the machine that requested the update. And that
> machine is not expecting anything from that IP. So, SNATting to the Linux router
> IP is needed if DNATting to a machine in the network.
> 
>     Sincerily,
>     Leonardo Rodrigues
> 

You are right, I assumed that 192.168.64.1 is his gateway and stratum server. If it is,
then what I posted previously should work; if it is not, then he should SNAT also.

iptables -t nat -A PREROUTING -i eth1 -s $LAN_SUBNET -p udp --dport 123 -j DNAT --to-destination 192.168.64.1:124
iptables -t nat -A POSTROUTING -o eth1 -p udp --dport 123 -j SNAT --to-source $GW_LAN_IP

Right? :)

Regards,
Dimitar



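A worked version of the two cases this subthread converges on (router is itself the time server: REDIRECT alone; time server is another LAN host: DNAT plus SNAT back to the router's LAN address), as an added example that is not code from the thread. The interface and addresses default to the ones the thread gives (eth1, 192.168.0.0/16, 192.168.64.1); the variable names, the ACCEPT exemption for the server's own upstream queries, and the print-unless-APPLY=1 wrapper are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates (or with APPLY=1 applies)
# the nat-table rules for transparently redirecting LAN NTP (udp/123) to a
# local time server. Variable names, the exemption rule and the ipt wrapper
# are this example's own; the addresses default to the ones in the thread.

LAN_IF="${LAN_IF:-eth1}"                  # LAN side of the router
LAN_NET="${LAN_NET:-192.168.0.0/16}"      # clients whose NTP we intercept
GW_LAN_IP="${GW_LAN_IP:-192.168.64.1}"    # router's address on LAN_IF
NTP_SERVER="${NTP_SERVER:-192.168.64.1}"  # where udp/123 should really go

# Print the rule unless APPLY=1, so the rule set can be reviewed without root.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# A LAN-side time server's own upstream queries must not be looped back to
# itself. ACCEPT in the nat table ends NAT processing for that flow, which is
# also why any earlier ACCEPT rule would silently defeat the redirect below.
exempt_server() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$NTP_SERVER" \
        -p udp --dport 123 -j ACCEPT
}

# Case 1: the router itself runs the time server. REDIRECT rewrites the
# destination to the primary address of the interface the packet came in on;
# conntrack reverses that on the reply, so no SNAT rule is needed. Queries
# already addressed to the router are left alone.
ntp_rules_local() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$GW_LAN_IP" \
        -p udp --dport 123 -j REDIRECT --to-ports 123
}

# Case 2: the time server is another host on the LAN. DNAT alone is not
# enough: the server would reply to the client from its own address, and the
# client, which sent to some Internet address, drops that reply. SNAT to the
# router's LAN address makes the server answer the router, which reverses
# both translations before handing the reply back to the client.
ntp_rules_remote() {
    exempt_server
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$NTP_SERVER" \
        -p udp --dport 123 -j DNAT --to-destination "$NTP_SERVER:123"
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$NTP_SERVER" \
        -p udp --dport 123 -j SNAT --to-source "$GW_LAN_IP"
}

# Pick the case from the addresses.
ntp_rules() {
    if [ "$NTP_SERVER" = "$GW_LAN_IP" ]; then
        ntp_rules_local
    else
        ntp_rules_remote
    fi
}

ntp_rules
```

Run it as-is to review the rules, or as root with APPLY=1 to load them. To check the result the way the thread does, watch the packet counters with `iptables -t nat -nvL PREROUTING` while a client runs `netdate ntp.xs4all.nl`, and confirm that `tcpdump -ni ppp0 udp port 123` on the upstream side stays quiet. The hairpin case additionally needs IP forwarding enabled and a FORWARD rule that allows eth1-to-eth1 traffic. Two caveats a client cannot see: any transparent NTP redirect is, from the client's point of view, exactly what an on-path attacker serving false time would do, and clients that authenticate NTP (symmetric-key MACs, or NTS on modern stacks) will reject the local server's replies instead of using them.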

* Re: transparent proxying NTP
  2004-06-27 20:19 ` Leonardo Rodrigues Magalhães
@ 2004-06-28  2:13   ` Dick St.Peters
  2004-06-28 14:38   ` Folkert van Heusden
  1 sibling, 0 replies; 9+ messages in thread
From: Dick St.Peters @ 2004-06-28  2:13 UTC (permalink / raw)
  To: netfilter

>     Last ...... are you sure protocol used for time syncing works fine when
> DNATted ?? I dont know, never tried this.

I do this a lot, and it works fine.

--
Dick St.Peters, stpeters@NetHeaven.com 



* Re: transparent proxying NTP
  2004-06-27 20:19 ` Leonardo Rodrigues Magalhães
  2004-06-28  2:13   ` Dick St.Peters
@ 2004-06-28 14:38   ` Folkert van Heusden
  1 sibling, 0 replies; 9+ messages in thread
From: Folkert van Heusden @ 2004-06-28 14:38 UTC (permalink / raw)
  To: Leonardo Rodrigues Magalhães; +Cc: netfilter

>     I think SNATing to 127.0.0.1 would break things, unless this linux
> router IS your timeserver, which i believe isn't. You should SNAT to your
> linux router IP not 127.0.0.1.

Yes, it is actually. Its load is approx. > 2.0 most of the time, but it works
:)

>     Last ...... are you sure protocol used for time syncing works fine when
> DNATted ?? I dont know, never tried this.

I don't know that yet, that is a thing I want to try. And if it doesn't
work, I'll try to write a wrapper around it.


Folkert





* Re: transparent proxying NTP
  2004-06-27 20:46   ` Leonardo Rodrigues Magalhães
  2004-06-27 20:48     ` Dimitar Katerinski
@ 2004-06-28 14:45     ` Folkert van Heusden
  2004-06-28 15:09       ` Dimitar Katerinski
  1 sibling, 1 reply; 9+ messages in thread
From: Folkert van Heusden @ 2004-06-28 14:45 UTC (permalink / raw)
  To: Leonardo Rodrigues Magalhães; +Cc: netfilter

Ah, ok. Well: my gateway is 192.168.64.1 and also runs the timeserver so I'm
doing only DNAT here then?

>     If the DNATted machine is NOT the Linux router that is doing the DNAT,
> you WILL need the SNAT rule too. If you don't use it, the DNATted machine will try
> to answer directly to the machine that requested the update. And that
> machine is not expecting anything from that IP. So, SNATting to the Linux router
> IP is needed if DNATting to a machine in the network.
> ----- Original Message -----
> From: "Dimitar Katerinski" <train@bofh.bg>
> To: <netfilter@lists.netfilter.org>
> Sent: Sunday, June 27, 2004 5:17 PM
> Subject: Re: transparent proxying NTP
> > Well if you think how transparent www proxy works, you may figure out how
> to do transparent ntp proxying.
> > The following rule should do the job:
> > iptables -t nat -A PREROUTING -i eth1 -s $LAN_SUBNET -p udp --dport 123 -j
> REDIRECT --to-ports 123
> > also I think
> > iptables -t nat -A PREROUTING -i eth1 -s $LAN_SUBNET -p udp --dport 123 -j
> DNAT --to-destination 192.168.64.1:124
> > might work, as I tested it. You don't need the SNAT rule though. Test these
> and give feedback.
> >
>
>



Folkert van Heusden





* Re: transparent proxying NTP
  2004-06-28 14:45     ` Folkert van Heusden
@ 2004-06-28 15:09       ` Dimitar Katerinski
  0 siblings, 0 replies; 9+ messages in thread
From: Dimitar Katerinski @ 2004-06-28 15:09 UTC (permalink / raw)
  To: netfilter

Folkert van Heusden wrote:
> Ah, ok. Well: my gateway is 192.168.64.1 and also runs the timeserver so I'm
> doing only DNAT here then?

Try redirect first, it should work. See my previous post.


Regards,
Dimitar




