Re: ntpd listening on alias interfaces seems non-trivial

On Mon, 2004-01-19 at 12:59, Donovan Baarda wrote:
> On Mon, 2004-01-19 at 12:08, John Ackermann N8UR wrote:
> > --On Monday, January 19, 2004 12:01:59 +1100 Donovan Baarda 
> > <abo@minkirri.apana.org.au> wrote:
> > 
> > > Another possibility is to use NAT to re-map the response on the way
> > > out... once again, if anyone gets this working, please post how you did
> > > it.
> > 
> > I don't know if this is quite what you're looking for, but I had no trouble 
> > using Linux "ipmasqadm portfwd" to open port 123 for tcp and udp on my 
> > firewall.  I'm going from a public IP address to a private namespace and 
> > that seems to work (or at least, my friend testing on the outside is able 
> > to get time from me).
> For those not using ipmasqadm, the following iptables rule run somewhere
> appropriate during startup on the machine running ntpd should do the
> trick;
> $ iptables -t nat -A POSTROUTING -p udp -s <eth-ip> --sport ntp \
>     -j SNAT --to <alias-ip>
> This will only SNAT the outgoing ntp udp packets from the <eth-ip>
> address so they are changed to come from the <alias-ip> address.

Actually, I just tried this and it didn't work. The responses are now
coming from the right IP address, but the ntpdate client is still not
happy because the UDP packet response must include the original <eth-ip>
IP address.

Back to the drawing board :-( looks like the only way to fix this is by
fixing ntp.

Donovan Baarda <abo@minkirri.apana.org.au>
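The exchange above turns on what an NTP reply actually carries and where the client expects it to come from. As an added example (not code from this thread or from the ntp project), the following Python decodes a 48-byte NTP v4 server packet so the fields can be inspected directly: the address the client judges a reply by is the UDP source of the datagram, while the only address-like field inside the payload is the 32-bit reference identifier, which on stratum 2 and above is the IPv4 address of the server's upstream source and on stratum 0/1 is a four-character ASCII code (RFC 5905). The sample packets and the `build_sample_response` helper are constructed here for the demonstration; `parse_ntp` is what you would run over a captured reply when checking a NAT setup like the one discussed.

```python
import struct
import ipaddress

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800


def build_sample_response(stratum, ref_id, tx_seconds):
    """Construct a minimal NTP v4 server response (mode 4) for testing.

    ref_id is either a dotted-quad string (stratum >= 2) or up to four
    ASCII bytes such as b"GPS" (stratum 0/1).  All sample values are
    constructed for this example, not captured from a real server.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 4      # LI=0, version 4, mode 4 (server)
    poll, precision = 6, -20                   # log2 seconds; typical values
    root_delay = root_dispersion = 0
    if isinstance(ref_id, bytes):
        ref_id_bytes = ref_id.ljust(4, b"\0")[:4]
    else:
        ref_id_bytes = ipaddress.IPv4Address(ref_id).packed
    # 64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction (zero here).
    ntp_ts = (tx_seconds + NTP_EPOCH_OFFSET) << 32
    header = struct.pack("!BBbb", li_vn_mode, stratum, poll, precision)
    header += struct.pack("!II", root_delay, root_dispersion)
    header += ref_id_bytes
    header += struct.pack("!QQQQ", ntp_ts, 0, 0, ntp_ts)  # ref, orig, recv, tx
    return header


def parse_ntp(packet):
    """Decode the fixed 48-byte NTP header into a dict of fields."""
    if len(packet) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(packet))
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", packet[:4])
    root_delay, root_dispersion = struct.unpack("!II", packet[4:12])
    ref_id_raw = packet[12:16]
    ref_ts, orig_ts, recv_ts, tx_ts = struct.unpack("!QQQQ", packet[16:48])
    if stratum <= 1:
        # Stratum 0 (kiss-o'-death code) or stratum 1 (clock source name):
        # four ASCII characters, e.g. "GPS " or "RATE".
        reference_id = ref_id_raw.rstrip(b"\0").decode("ascii", "replace")
    else:
        # Stratum 2+: the IPv4 address of the upstream reference server.
        reference_id = str(ipaddress.IPv4Address(ref_id_raw))
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 7,
        "mode": li_vn_mode & 7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "root_delay": root_delay,
        "root_dispersion": root_dispersion,
        "reference_id": reference_id,
        # Unix seconds of the server's transmit timestamp (fraction dropped).
        "transmit_time": (tx_ts >> 32) - NTP_EPOCH_OFFSET,
    }


if __name__ == "__main__":
    # Constructed stratum-2 reply whose upstream is 192.0.2.10 (documentation range).
    sample = build_sample_response(2, "192.0.2.10", 1074600000)
    for key, value in parse_ntp(sample).items():
        print("%-16s %s" % (key, value))
```

Feeding a captured reply to `parse_ntp` and comparing the datagram's UDP source with the address the client queried separates the two questions the thread is circling: whether NAT changed the outer source address, and what the payload itself says.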

