Re: Anyone gotten either ntp or chrony working when masquerading is enabled

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ed Greshko writes:

On 01/25/15 05:47, Sam Varshavchik wrote:
> As far as I can determine, the way that firewalld sets up masquerading completely breaks both ntpd and chrony.
>
> Both servers appears to start, but their corresponding client-side tools, ntpdc or chronyc, cannot talk to them. strace shows that UDP packets to 127.0.0.1 have their source IP address rewritten to the public interface, and the server's response is lost.
>
> This bug with firewalld's masquerading rules was reported back in October, as bug 1152472.
>
> If anyone managed to get either ntpd or chrony fully functional on a server that has firewalld's masquerading enabled, I'd love to know how you did that.

It isn't 100% clear to me the configuration of which you speak.

Are you talking about a 2 interface system with the Fedora firewalld system acting as a "router" with masquerading for a set of clients "behind" it?

Yes, the server is dual-homed, with a public interface, and a LAN interface, masquerading the clients on the LAN interface.

This is a standard router configuration, identical to what countless of consumer-grade Internet routers do. They own the public IP address, configure 192.168.0.1 as the IP address of their LAN interface, and run a DHCP server on the LAN interface to configure the clients on 192.168.0.0/24, and masquerade them on the public IP address.

And where are the ntp clients in relation to the server?

They're on the LAN segment. The ntp server runs on the masquerading router, and is configured to sync with my ISP's router, and my NTP clients are configured to sync to the ntp server on the masquerading router.

As far as I can tell, the NTP clients can talk to the NTP server that's running on the router. That's not where the problem is. The problem is on the server itself, with the server's client-side tool. Neither ntpdc, nor chronyc, when executed on the server, can reach their corresponding daemon. They both try to talk to the daemon via UDP packets sent to 127.0.0.1, but with firewall-cmd's --add-masquerade, ntpd/chronyd receives packets with their source IP address rewritten to the public IP address, and drops it on the floor. I can see this happening by stracing ntpd or chronyd. They receive packets with the public IP address, even though ntpdc/chronyc send the packets to 127.0.0.1

It looks to me like --add-masquerade masquerades everything. Including IP traffic to 127.0.0.1.

I tried replacing --add-masquerade with a rich rule that enables masquerading for the LAN segment, but I was unable to get that to work. In any case, I'd think that --add-masquerade should do the right thing, here.

Attachment: pgpWB8BtFCVUs.pgp
Description: PGP signature

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux