Why not just use NTP/REDIRECT in rules and nothing in masq?

On Thu, May 14, 2009 at 7:25 AM, Jeff Gregor <[email protected]> wrote:
> There was a series of posts a couple of months ago that I found in the
> archives that addressed the same situation that I am dealing with. I
> tried the solution described in those posts but unfortunately, I can't
> seem to make it work. Here's the problem:
>
> I want to redirect clients on my local network to the local time server,
> so that they aren't making calls out to a public server on the internet
> (it's a satellite link, bandwidth is a real problem and every little bit
> I can save helps...)
> My firewall box has three interfaces:
>    eth0 (WAN/Internet) -- connected to satellite modem
>    eth1 (LAN, my office clients) -- IP 192.168.1.1, serves clients on
> 192.168.1.0/24
>    eth2 (PUB, public clients) -- IP 192.168.2.1, serves clients on
> 192.168.2.0/24
> NTP is running on the firewall, listening on eth1 and eth2.
> What I want to do is each time a client on LAN or PUB tries to connect
> to an external time server, I want to redirect it back to the
> appropriate interface (i.e., 192.168.1.1 or 192.168.2.1).
>
> Following the instructions as described, I have this set up:
> In INTERFACES I added the routeback option to the two internal interfaces:
> --------------------------------------------------------------------
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> WAN     eth0            detect          tcpflags,routefilter,nosmurfs,logmartians
> LAN     eth1            detect          tcpflags,dhcp,logmartians,nosmurfs,routefilter,routeback
> PUB     eth2            detect          tcpflags,dhcp,logmartians,nosmurfs,routefilter,routeback
> --------------------------------------------------------------------
>
> In MASQ:
> --------------------------------------------------------------------
> #INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
> eth0                    eth1
> eth0                    eth2
> eth1                    192.168.1.0/24!192.168.1.1      udp     123
> eth2                    192.168.2.0/24!192.168.2.1      udp     123
> --------------------------------------------------------------------
>
> And in RULES:
> --------------------------------------------------------------------
> # allow NTP time server access
> NTP/ACCEPT      LAN             $FW
> NTP/ACCEPT      PUB             $FW
> # REDIRECT NTP traffic to local timeserver
> DNAT           LAN             LAN:192.168.1.1 udp     123
> DNAT           PUB             PUB:192.168.2.1 udp     123
> --------------------------------------------------------------------
>
> "shorewall check" reports no errors.
> When I run "shorewall restart", output reports no problems until I get
> to here:
> --------------------------------------------------------------------
> Starting Shorewall....
> Initializing...
> Processing /etc/shorewall/init ...
> Setting up ARP filtering...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Accept Source Routing...
> Setting up Proxy ARP...
> Setting up Traffic Control...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore...
> iptables-restore v1.3.5: Need TCP or UDP with port specification
> Error occurred at line: 30
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>   ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall/.iptables-restore-input
> Processing /etc/shorewall/stop ...
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> /sbin/shorewall: line 435:  1180 Terminated              ${VARDIR}/.start $debugging start
> --------------------------------------------------------------------
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>



-- 
 (\_/)  This is Bunny. Copy and paste Bunny
(='.'=) into your signature to help him gain
(")_(") world domination.
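An added example, not code from either poster: a small POSIX shell checker for the column shift visible in the quoted MASQ entries, plus the plain iptables equivalent of the NTP/REDIRECT approach the reply suggests. The sample MASQ lines are a constructed copy of the ones in the quoted post; the column layout (INTERFACE SOURCE ADDRESS PROTO PORT(S)) follows the header in that post, where the values of the last two lines sit one column left of the header (udp under ADDRESS, 123 under PROTO). That this shift is what produces the iptables-restore error is an assumption, not something the thread confirms, and the iptables rule is an assumed plain-iptables equivalent, not the chain Shorewall itself generates.

```shell
#!/bin/sh
# Added example (not from the thread). Checks Shorewall MASQ entries for the
# column shift seen in the quoted post and prints the plain-iptables
# equivalent of an NTP/REDIRECT rule. Column layout assumed from the
# poster's header: INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK.

# Constructed copy of the MASQ lines from the quoted post.
SAMPLE_MASQ='eth0 eth1
eth0 eth2
eth1 192.168.1.0/24!192.168.1.1 udp 123
eth2 192.168.2.0/24!192.168.2.1 udp 123'

# check_masq_line IFACE SOURCE ADDRESS PROTO PORTS
# Prints "ok" and returns 0 when the columns line up; otherwise prints a
# diagnostic and returns 1. A protocol name in ADDRESS means the author
# forgot the "-" placeholder; a PORT(S) value needs tcp or udp in PROTO.
check_masq_line() {
    iface=$1; src=$2; addr=$3; proto=$4; ports=$5
    case "$addr" in
        tcp|udp)
            echo "$iface: '$addr' is in the ADDRESS column; use '-' to leave ADDRESS empty"
            return 1 ;;
    esac
    if [ -n "$ports" ]; then
        case "$proto" in
            tcp|udp) ;;
            *)  echo "$iface: PORT(S) '$ports' given but PROTO is '$proto' (need tcp or udp)"
                return 1 ;;
        esac
    fi
    echo "ok"
    return 0
}

# count_bad_masq "MULTI-LINE MASQ TEXT": prints the number of entries that
# fail check_masq_line. A here-document is used instead of a pipe so the
# counter is not lost in a subshell.
count_bad_masq() {
    bad=0
    while read -r iface src addr proto ports _; do
        if [ -z "$iface" ]; then continue; fi
        check_masq_line "$iface" "$src" "$addr" "$proto" "$ports" >/dev/null || bad=$((bad + 1))
    done <<EOF
$1
EOF
    echo "$bad"
}

# ntp_redirect_rule IFACE: the plain-iptables rule that "NTP/REDIRECT <zone>"
# asks for (assumption: this is the underlying nat rule, not Shorewall's own
# generated chain). REDIRECT rewrites the destination to the primary address
# of the interface the packet arrived on, i.e. eth1 clients land on 192.168.1.1
# and eth2 clients on 192.168.2.1 without any MASQ or DNAT entry.
ntp_redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p udp --dport 123 -j REDIRECT --to-ports 123\n' "$1"
}

# Stand-alone run: report on the constructed sample and show the equivalent rule.
echo "bad MASQ entries in sample: $(count_bad_masq "$SAMPLE_MASQ")"
ntp_redirect_rule eth1
```

Running the script reports two bad MASQ entries (the eth1 and eth2 lines) and prints the REDIRECT rule for eth1; with the reply's suggestion applied, the two NTP/ACCEPT rules for $FW would still be needed so the redirected packets are accepted once they reach the firewall's own ntpd.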
