I think SNATing to 127.0.0.1 would break things, unless this Linux router IS your timeserver, which I believe it isn't. You should SNAT to your Linux router IP, not 127.0.0.1.

Also note that the order of the rules is important. If you have some other rule with ACCEPT in PREROUTING before the DNAT rule, the packet will be allowed to go out and the DNAT will never be reached. A full 'iptables -t nat -nL -v' would help us to check this.

Last ... are you sure the protocol used for time syncing works fine when DNATted? I don't know, never tried this.

Sincerely,
Leonardo Rodrigues

----- Original Message -----
From: "Folkert van Heusden" <folkert@xxxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Sunday, June 27, 2004 4:43 PM
Subject: transparent proxying NTP

> Hi,
>
> I'm trying to do transparent proxying for NTP.
> I want to do that as some access points I have over here want to sync their
> time to some server in America. Not so efficient as I live in Europe and
> have in fact my own local stratum 1 timeserver.
> So, I tried this:
> iptables -t nat -A PREROUTING -i eth1 -s ! 192.168.64.1 -p udp --dport 123 -j DNAT --to 192.168.64.1:123
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/16 -d 192.168.64.1 -j SNAT --to 127.0.0.1
>
> But when I do a tcpdump on ppp0 of my gateway (the ADSL connection) and do
> netdate ntp.xs4all.nl from a host on my LAN (192.168.64.99), I still see
> requests coming from that host to the internet!
> I guess I'm doing something obviously wrong here but I'm not sure what.
> Could someone please enlighten me?
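The corrected rule pair and the rule-ordering check Leonardo asks for, as an added example that is not part of this thread. It assumes the router's own LAN address is 192.168.64.254 (not given in the thread) and prints the iptables commands rather than applying them; the listing it inspects is constructed to reproduce the shadowed-DNAT failure.

```shell
#!/bin/sh
# Added example (not from the thread): redirect LAN NTP queries to the local
# stratum-1 server and make the replies come back through the router.
# Assumed value: router LAN address 192.168.64.254 (not given in the thread).
LAN_IF=eth1
NTP_SERVER=192.168.64.1
ROUTER_LAN_IP=192.168.64.254   # a real address of this box, never 127.0.0.1

# Print the rules instead of applying them; review them, then pipe into sh.
ntp_redirect_rules() {
    # -I ... 1 puts the DNAT first so no earlier ACCEPT in nat/PREROUTING shadows it
    echo "iptables -t nat -I PREROUTING 1 -i $LAN_IF ! -s $NTP_SERVER -p udp --dport 123 -j DNAT --to-destination $NTP_SERVER:123"
    # SNAT to the router's own address: the NTP server then answers the router,
    # which reverses the DNAT and forwards the reply to the original client
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s 192.168.0.0/16 -d $NTP_SERVER -p udp --dport 123 -j SNAT --to-source $ROUTER_LAN_IP"
}

# Read an 'iptables -t nat -nL -v' listing on stdin; exit 1 if an ACCEPT that can
# match udp/123 sits above the DNAT in PREROUTING (the DNAT is then never reached).
check_prerouting_order() {
    awk '
        /^Chain /              { chain = $2; next }
        chain != "PREROUTING"  { next }
        $3 == "ACCEPT" && !seen_dnat && ($4 == "udp" || $4 == "all") && ($0 ~ /dpt:123/ || $0 !~ /dpt:/) { shadow = 1 }
        $3 == "DNAT" && /dpt:123/ { seen_dnat = 1 }
        END { exit shadow ? 1 : 0 }'
}

# Constructed listing reproducing the failure: the ACCEPT above the DNAT takes
# the hits (pkts column) while the DNAT counter stays at zero.
shadowed_listing() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   380 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 DNAT       udp  --  eth1   *      !192.168.64.1         0.0.0.0/0            udp dpt:123 to:192.168.64.1:123

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth1    192.168.0.0/16       192.168.64.1         to:127.0.0.1
EOF
}

# The same listing with the DNAT moved above the ACCEPT, as -I PREROUTING 1 does.
fixed_listing() {
    shadowed_listing | awk '/ACCEPT .*dpt:123/ { held = $0; next } { print } /DNAT/ { print held }'
}
```

Run `iptables -t nat -nL -v | check_prerouting_order` on the real router to see whether an earlier ACCEPT is swallowing the NTP packets before the DNAT.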