On 06.03.2016 at 22:40, Pascal Hambourg wrote:
Tobias Andresen wrote:
On 06.03.2016 at 21:42, Pascal Hambourg wrote:
Why do you think you need iptables rules? Isn't plain routing enough?
The PCs should only be able to use NTP (Port 123). They should not be able
to have full access (i.e. internet, ...)
Then you need filtering, not NAT.
I tried the following rule for one PC:
iptables -t nat -A PREROUTING -p udp --dport 123 -j DNAT --to-destination 192.168.31.96:123
What is the purpose of this rule? It redirects NTP packets to
192.168.31.96. How do you expect that NTP packets eventually reach
62.214.6.29?
iptables -t nat -A POSTROUTING -p udp --dport 123 -j MASQUERADE
Why is this rule needed? What's between 10.0.0.95 and 62.214.6.29?
This is the internet connection.
I cannot achieve this by using iptables or why would you prefer plain
routing?
I thought I have to use iptables because the ntp server (62.214.6.29)
does not know who is behind 10.0.0.95
and the embedded device has to change the source and destination address...
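
The "filtering, not NAT" suggestion from the thread, written out as an added example that is not part of the original messages: a shell function that generates an `iptables-restore` ruleset which forwards only NTP (UDP port 123) to 62.214.6.29 and drops all other forwarded traffic. The LAN prefix 192.168.31.0/24 and the function names are assumptions, and the example assumes replies can be routed back to the PCs, which the thread leaves open.

```shell
#!/bin/sh
# Added example: only generates ruleset text, it does not change the live firewall.
# Assumption: the PCs live in 192.168.31.0/24 (the thread does not state the prefix).

# is_ipv4 ADDR: succeeds if ADDR is a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# ntp_only_ruleset LAN_CIDR NTP_SERVER: prints a filter table for iptables-restore.
# Returns 2 without printing a ruleset if an argument is malformed.
ntp_only_ruleset() {
    lan=$1; ntp=$2
    lan_addr=${lan%/*}; lan_bits=${lan#*/}
    is_ipv4 "$lan_addr" && is_ipv4 "$ntp" || { echo "bad address" >&2; return 2; }
    case "$lan_bits" in
        ""|*[!0-9]*) echo "bad prefix length" >&2; return 2 ;;
    esac
    [ "$lan_bits" -le 32 ] || { echo "bad prefix length" >&2; return 2; }
    # Default-drop FORWARD: anything not explicitly allowed never crosses the box.
    # Rule 1 lets replies to allowed requests back in; rule 2 allows new NTP only.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $lan -d $ntp -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the NTP server named in the thread.
ntp_only_ruleset 192.168.31.0/24 62.214.6.29
```

The output can be checked with `iptables-restore --test` before it is loaded; forwarding itself still requires `net.ipv4.ip_forward=1` on the device.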