Ah, ok. Well: my gateway is 192.168.64.1 and also runs the timeserver so I'm doing only DNAT here then?

> If the DNATted machine is NOT the linux router that is doing the DNAT,
> you WILL need the SNAT rule too. If you don't use it, the DNATted machine will try
> to answer directly to the machine that requested the update. And that
> machine is not expecting anything from that IP. So, SNATting to linux router
> IP is needed if DNATting to a machine in the network.
> ----- Original Message -----
> From: "Dimitar Katerinski" <train@xxxxxxx>
> To: <netfilter@xxxxxxxxxxxxxxxxxxx>
> Sent: Sunday, June 27, 2004 5:17 PM
> Subject: Re: transparent proxying NTP
>
> Well if you think how transparent www proxy works, you may figure out how
> to do transparent ntp proxying.
>
> The following rule should do the job:
>
> iptables -t nat -A PREROUTING -i eth1 -s $LAN_SUBNET -p udp --dport 123 -j REDIRECT --to-ports 123
>
> also I think
>
> iptables -t nat -A PREROUTING -i eth1 -s $LAN_SUBNET -p udp --dport 123 -j DNAT --to-destination 192.168.64.1:124
>
> might work, as I test it. You don't need the SNAT rule though. Test these
> and give feedback.

Folkert van Heusden

+--------------------------------------------------------------------------+
| UNIX sysop? Then give MultiTail ( http://www.vanheusden.com/multitail/ ) |
| a try, it brings monitoring logfiles to a different level! See:          |
| http://www.vanheusden.com/multitail/features.html for a feature list.    |
+---------------------------------------------------= www.vanheusden.com =-+
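
The REDIRECT / DNAT / SNAT choice discussed in this thread, as an added example that is not part of any poster's message: a dry-run helper that prints the NAT rules for a given time-server location. It goes beyond the thread by also covering a server on another subnet (assumed to route its replies back through this router, so no SNAT) and by exempting an on-LAN server's own upstream queries; the function names and the 192.168.64.10 address are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not apply) NAT rules for transparent NTP.
# 192.168.64.10 is a constructed address; eth1 and 192.168.64.1 come from the thread.

# Dotted quad -> integer, using parameter expansion only.
ip2int() {
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    echo $(( (a << 24) + (b << 16) + (c << 8) + d ))
}

# Succeeds when address $1 lies inside CIDR $2 (e.g. 192.168.64.0/24).
in_subnet() {
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Usage: ntp_rules LAN_IF LAN_SUBNET ROUTER_IP NTP_SERVER
ntp_rules() {
    match="-i $1 -s $2 -p udp --dport 123"
    if [ "$4" = "$3" ]; then
        # Time server is the router itself: a local REDIRECT is enough.
        echo "iptables -t nat -A PREROUTING $match -j REDIRECT --to-ports 123"
        return 0
    fi
    if in_subnet "$4" "$2"; then
        # The server's own upstream queries must not be looped back to it.
        echo "iptables -t nat -A PREROUTING -i $1 -s $4 -p udp --dport 123 -j ACCEPT"
    fi
    echo "iptables -t nat -A PREROUTING $match -j DNAT --to-destination $4:123"
    if in_subnet "$4" "$2"; then
        # Server shares the clients' LAN and would answer them directly from
        # its own address; SNAT to the router forces replies back through it.
        echo "iptables -t nat -A POSTROUTING -o $1 -s $2 -d $4 -p udp --dport 123 -j SNAT --to-source $3"
    fi
}

# Sample run: time server on the LAN, separate from the router.
ntp_rules eth1 192.168.64.0/24 192.168.64.1 192.168.64.10
```

Review the printed rules before piping them to a shell; rule order matters, since the ACCEPT exemption has to precede the DNAT rule in PREROUTING.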