Hi,

I am thinking this is enough for you.

At the embedded board:

    # allow only NTP (UDP port 123) from the three PCs, drop everything else from them
    iptables -A FORWARD -p udp --dport 123 -s 192.168.31.96/30 -j ACCEPT
    iptables -A FORWARD -s 192.168.31.96/30 -j DROP
    iptables -t nat -A POSTROUTING -p udp --dport 123 -j MASQUERADE
    # the network above is IPv4, so the IPv4 forwarding switch is the one needed
    sysctl -w net.ipv4.ip_forward=1

After that, please check all your iptables rules, like this:

    iptables-save
    iptables -L -vnx --line-numbers
    iptables -L -t nat -vnx --line-numbers

On 03/06/2016 11:16 PM, Tobias Andresen wrote:
> On 06.03.2016 at 21:42, Pascal Hambourg wrote:
>> Tobias Andresen wrote:
>>> I have the following network structure:
>>>
>>>
>>>            NTP-Server (62.214.6.29)
>>>                      |
>>>                      |
>>>                      |
>>>              (eth0: 10.0.0.95)
>>>               Embedded board
>>>            (eth1: 192.168.31.95)
>>>                      |
>>>                      |
>>>                      |
>>>               Ethernet-Switch
>>>              |       |       |
>>>              |       |       |
>>>             PC1      |      PC3 (192.168.31.98)
>>>      (192.168.31.96) |
>>>                      |
>>>                     PC2
>>>              (192.168.31.97)
>>>
>>>
>>> The 3 PCs shall be able to connect to the NTP server (62.214.6.29)
>>> to update their time, but I cannot figure out how to configure the
>>> iptables rules on the embedded board to achieve this.
>> Why do you think you need iptables rules? Isn't plain routing enough?
> The PCs should only be able to use NTP (port 123). They should not be
> able to have full access (i.e. internet, ...)
>>
>>> I have tried to forward port 123 but it does not work.
>> This statement does not contain any useful information. It does not
>> describe what you did and what happened.
>
> I tried the following rule for one PC:
>
>     iptables -t nat -A PREROUTING -p udp --dport 123 -j DNAT --to-destination 192.168.31.96:123
>     iptables -t nat -A POSTROUTING -p udp --dport 123 -j MASQUERADE
>
> I know this would work only for one client but it was for testing
> purposes.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
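
Added example, not part of the original thread and not any poster's own rules: a shell function that prints an iptables-restore ruleset for the setup in the diagram, limiting forwarded traffic to UDP port 123 toward 62.214.6.29 and accepting the replies through connection tracking. The function names, the input validation and the default-DROP FORWARD policy are assumptions of this example; addresses and interface names come from the diagram.

```shell
#!/bin/sh
# Added example: print (not apply) an iptables-restore ruleset that lets the
# LAN hosts reach one NTP server on UDP/123 and forwards nothing else.
# Function names and the default-DROP FORWARD policy are assumptions here.
# IPv4 forwarding (net.ipv4.ip_forward=1) must be enabled separately.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0..255
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# is_cidr ADDR/PREFIX: succeed only for a valid IPv4 address and prefix 0..32
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    is_ipv4 "${1%/*}" || return 1
    case "${1#*/}" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "${1#*/}" -le 32 ]
}

# ntp_only_ruleset LAN_CIDR NTP_SERVER LAN_IF WAN_IF
ntp_only_ruleset() {
    lan=$1 server=$2 lan_if=$3 wan_if=$4
    is_cidr "$lan" && is_ipv4 "$server" || { echo "bad address" >&2; return 1; }
    for ifname in "$lan_if" "$wan_if"; do   # refuse anything but a plain name
        case "$ifname" in ''|*[!A-Za-z0-9._-]*) echo "bad interface" >&2; return 1 ;; esac
    done
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan -d $server -p udp --dport 123 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan_if -s $lan -d $server -p udp --dport 123 -j MASQUERADE
COMMIT
EOF
}

# Values from the diagram in the thread: LAN hosts, NTP server, eth1 (LAN), eth0 (WAN)
ntp_only_ruleset 192.168.31.96/30 62.214.6.29 eth1 eth0
```

Running the script only prints the ruleset. Once reviewed, it can be loaded with iptables-restore, which without --noflush replaces the current contents of the filter and nat tables.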