NTP SNAT ?
John Dalbec
jdalbec@cboss.com
Sun, 27 Jan 2002 20:44:45 -0500
On Sunday, January 27, 2002, at 06:56 PM, Stephen Kelly wrote:
>> iptables -t nat -A POSTROUTING -s <local net> -p udp --sport ntp --dport ntp -o eth1 -j MASQUERADE --to-ports 49123-49152
>> This works well for hosts behind the NAT box but not for the NAT box
>> itself. I tried removing the '-s <local net>' and reloading my ruleset,
>> but the local packets were still not being masqueraded.
>
> Why not try setting an additional rule to specify the source as the
> external interface of your firewall.
>
> eg iptables -t nat -A POSTROUTING -s <external fw ip> -p udp --sport ntp --dport ntp -o eth1 -j MASQUERADE --to-ports 49123-49152
No luck, but ... -j SNAT --to-source <external fw ip>:49123-49152 works.
Go figure. Now I just have to script keeping my <external fw ip> up to
date with DHCP.
Thanks,
John
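The script John says he still has to write, as an added example (not code from this thread or from any of its participants): an SNAT rule with a fixed --to-source goes stale the moment DHCP hands the firewall a new address, so the rule is kept in a dedicated nat chain that is emptied and refilled on every run, which makes the script safe to call from a DHCP client hook each time the lease changes. Everything named here is assumed for the example: the external interface eth1, the chain name NTP_SNAT, a local ntpd sending from UDP 123, iproute2's `ip`, and an iptables new enough to support `-C` (1.4.11 or later).

```shell
#!/bin/sh
# ntp-snat.sh: refresh the SNAT rule for the NAT box's own NTP packets
# so it follows the DHCP-assigned address of the external interface.
# Added example; assumed names: eth1, NTP_SNAT, port range 49123-49152.

EXT_IF="${EXT_IF:-eth1}"
CHAIN="NTP_SNAT"
PORT_RANGE="49123-49152"

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255, else 1.
# The case guard rejects anything but digits and dots before the split,
# so no glob characters can reach the unquoted expansion below.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ -n "$oct" ] || return 1
        [ "$oct" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Print the first IPv4 address on interface $1 (empty if there is none).
ext_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null \
        | sed -n 's/.* inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# Print the rule for address $1. Kept as a pure function so the command
# can be reviewed (or logged) before it is applied.
snat_rule() {
    printf 'iptables -t nat -A %s -p udp --sport ntp --dport ntp -j SNAT --to-source %s:%s\n' \
        "$CHAIN" "$1" "$PORT_RANGE"
}

# Install or refresh the rule. Creating the chain fails harmlessly when it
# already exists; flushing it removes the rule for any previous address.
# The POSTROUTING jump is added only once, guarded by -C.
apply() {
    addr=$(ext_ip "$EXT_IF")
    if ! is_ipv4 "$addr"; then
        echo "no IPv4 address on $EXT_IF, leaving $CHAIN unchanged" >&2
        return 1
    fi
    iptables -t nat -N "$CHAIN" 2>/dev/null || true
    iptables -t nat -F "$CHAIN"
    iptables -t nat -C POSTROUTING -o "$EXT_IF" -j "$CHAIN" 2>/dev/null \
        || iptables -t nat -A POSTROUTING -o "$EXT_IF" -j "$CHAIN"
    # $addr has been validated as a plain dotted quad, so eval is safe here.
    eval "$(snat_rule "$addr")"
}

# Only apply when run as the script itself, not when sourced.
case "$0" in
    *ntp-snat.sh) apply ;;
esac
```

Run it as root once at boot and again from the DHCP client's lease-bound or renew hook (for ISC dhclient, an exit hook script). Because the chain is flushed before the new rule is added, a changed address never leaves a second, stale SNAT rule behind, and if the interface has no address yet the previous rule is left untouched rather than replaced with garbage.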