On 8/30/2011 11:22, Rob wrote:

> Also make sure that you have no NAT or connection-tracking firewall
> between your server and the internet.
>
> (NAT would actually be acceptable when it is a statically configured
> one-to-one address translation, not one that ends up building a session
> table like a connection-tracking firewall does)
>
> Really, it will break your router or firewall when you try to go live
> without making sure this is OK.

I'd actually like to know more about this.

Given a router running typical DNAT (perhaps via iptables), would it not be acceptable to map a single port across the firewall? Example (assuming a single WAN interface on eth0 and ntpd on internal 192.168.1.15):

# rewrite inbound UDP/123 arriving on the WAN interface to the internal ntpd host
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 123 -j DNAT --to-destination 192.168.1.15
# the filter chain is named FORWARD, and the destination must match the DNAT target
iptables -A FORWARD -p udp -i eth0 --dport 123 -d 192.168.1.15 -j ACCEPT

My understanding is that this should reliably work since it would perform a static mapping of a single port onto the server behind the router. Connection tracking over UDP and a static mapping should also be easier because the ports are usually reused.
_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
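The question above is whether a static DNAT of UDP/123 still leaves the firewall "building a session table". On Linux the direct way to find out is to look at what the conntrack table actually holds. The script below is an added example, not code posted by Rob or the original poster; it parses the text layout of /proc/net/nf_conntrack (assumed here to be: l3proto, l3num, l4proto, l4num, timeout, optional TCP state, the original tuple, an optional [UNREPLIED] flag, then the reply tuple) and reports how many NTP flows are tracked, how many were rewritten by DNAT, and how many never saw a reply. The sample lines are constructed; the internal address 192.168.1.15 is the one from the thread, the other addresses are documentation ranges.

```python
"""Summarise what a Linux connection-tracking firewall holds for NTP.

Added example for this thread (not code from Rob or the original poster).
Run it on a router to see whether UDP/123 traffic through a DNAT rule is
accumulating conntrack entries, and how many of those are one-shot
unreplied flows versus refreshed 123<->123 peer entries.
"""
import re
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack format (assumed layout, see
# the lead-in). Three NTP flows to the DNAT'd server, one DNS flow and one
# TCP flow that the summary should ignore.
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 29 src=203.0.113.5 dst=198.51.100.1 sport=123 dport=123 src=192.168.1.15 dst=203.0.113.5 sport=123 dport=123 mark=0 use=1
ipv4     2 udp      17 3 src=203.0.113.6 dst=198.51.100.1 sport=40123 dport=123 [UNREPLIED] src=192.168.1.15 dst=203.0.113.6 sport=123 dport=40123 mark=0 use=1
ipv4     2 udp      17 29 src=203.0.113.7 dst=198.51.100.1 sport=123 dport=123 src=192.168.1.15 dst=203.0.113.7 sport=123 dport=123 [ASSURED] mark=0 use=1
ipv4     2 udp      17 170 src=192.168.1.20 dst=203.0.113.9 sport=54321 dport=53 src=203.0.113.9 dst=198.51.100.1 sport=53 dport=54321 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.10 sport=50000 dport=443 src=203.0.113.10 dst=198.51.100.1 sport=443 dport=50000 [ASSURED] mark=0 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Parse one nf_conntrack line into its original and reply tuples.

    The first src=/dst=/sport=/dport= group is the packet as the firewall
    first saw it; the second is the reply direction, which already reflects
    any NAT rewrite. The keys repeat, so a second 'src=' starts the reply.
    """
    fields = line.split()
    if len(fields) < 5:
        return None
    tuples, cur = [], {}
    for key, val in KV.findall(line):
        if key == "src" and cur:
            tuples.append(cur)
            cur = {}
        cur[key] = val
    tuples.append(cur)
    if len(tuples) < 2:
        return None
    return {
        "proto": fields[2],
        "timeout": int(fields[4]),
        "orig": tuples[0],
        "reply": tuples[1],
        "unreplied": "[UNREPLIED]" in fields,
        "assured": "[ASSURED]" in fields,
    }


def ntp_summary(text, ntp_port="123"):
    """Count tracked UDP flows aimed at the NTP port and classify them."""
    stats = Counter()
    clients = set()
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None or e["proto"] != "udp":
            continue
        if e["orig"].get("dport") != ntp_port:
            continue  # not NTP service traffic
        stats["ntp_flows"] += 1
        clients.add(e["orig"]["src"])
        # DNAT shows up as the reply coming from an address other than the
        # one the client originally sent to.
        if e["reply"].get("src") != e["orig"].get("dst"):
            stats["dnat"] += 1
        if e["unreplied"]:
            stats["unreplied"] += 1
        # Peer-style traffic uses port 123 on both ends, so a given peer keeps
        # refreshing the same entry instead of creating new ones.
        if e["orig"].get("sport") == ntp_port:
            stats["symmetric_123"] += 1
    stats["unique_clients"] = len(clients)
    return dict(stats)


def load(path="/proc/net/nf_conntrack"):
    """Read the live table; fall back to the constructed sample when absent."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return SAMPLE_CONNTRACK


if __name__ == "__main__":
    for key, value in sorted(ntp_summary(load()).items()):
        print(f"{key}: {value}")
```

If ntp_flows keeps climbing toward the value in /proc/sys/net/netfilter/nf_conntrack_max while unique_clients grows with it, the firewall is doing exactly what Rob describes: holding a session per client even though the DNAT itself is static. A low ratio of unreplied to ntp_flows and a high symmetric_123 count is the benign case the original poster has in mind, where the same port pair is reused and each peer occupies one refreshed slot.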
