There was a series of posts a couple of months ago that I found in the
archives that addressed the same situation that I am dealing with. I
tried the solution described in those posts but unfortunately, I can't
seem to make it work. Here's the problem:
I want to redirect clients on my local network to the local time server,
so that they aren't making calls out to a public server on the internet
(it's a satellite link, bandwidth is a real problem and every little bit
I can save helps...)
My firewall box has three interfaces:
eth0 (WAN/Internet) -- connected to satellite modem
eth1 (LAN, my office clients) -- IP 192.168.1.1, serves clients on
192.168.1.0/24
eth2 (PUB, public clients) -- IP 192.168.2.1, serves clients on
192.168.2.0/24
NTP is running on the firewall, listening on eth1 and eth2.
What I want to do is, each time a client on LAN or PUB tries to connect
to an external time server, redirect it back to the appropriate
interface (i.e., 192.168.1.1 or 192.168.2.1).
Following the instructions as described, I have this set up:
In INTERFACES I added the routeback option to the two internal interfaces:
--------------------------------------------------------------------
#ZONE INTERFACE BROADCAST OPTIONS
WAN eth0 detect
tcpflags,routefilter,nosmurfs,logmartians
LAN eth1 detect
tcpflags,dhcp,logmartians,nosmurfs,routefilter,routeback
PUB eth2 detect
tcpflags,dhcp,logmartians,nosmurfs,routefilter,routeback
--------------------------------------------------------------------
In MASQ:
--------------------------------------------------------------------
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 eth1
eth0 eth2
eth1 192.168.1.0/24!192.168.1.1 udp 123
eth2 192.168.2.0/24!192.168.2.1 udp 123
--------------------------------------------------------------------
And in RULES:
--------------------------------------------------------------------
# allow NTP time server access
NTP/ACCEPT LAN $FW
NTP/ACCEPT PUB $FW
# REDIRECT NTP traffic to local timeserver
DNAT LAN LAN:192.168.1.1 udp 123
DNAT PUB PUB:192.168.2.1 udp 123
--------------------------------------------------------------------
"shorewall check" reports no errors.
When I run "shorewall restart", output reports no problems until I get
to here:
--------------------------------------------------------------------
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
iptables-restore v1.3.5: Need TCP or UDP with port specification
Error occurred at line: 30
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 435: 1180 Terminated ${VARDIR}/.start $debugging start
--------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
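Added example (not part of the post above, and not Shorewall's own code): the raw nat-table rule that a "DNAT LAN LAN:192.168.1.1 udp 123" style entry is meant to produce, so it can be compared against what actually lands in /var/lib/shorewall/.iptables-restore-input, plus the two checks I would run on that file: print the line number iptables-restore names in its error, and scan the whole file for the error class it reports ("Need TCP or UDP with port specification" means a --dport/--sport appeared on a line with no -p tcp or -p udp). Function names are mine, the sample restore input is constructed for the demonstration and is not the poster's real file, and IPTABLES defaults to plain echo so nothing is applied unless you run it as root with IPTABLES=/sbin/iptables.

```sh
#!/bin/sh
# Added example: iptables equivalent of the NTP redirect, plus checks on an
# iptables-restore input file. Nothing here is applied to a live firewall
# unless IPTABLES is pointed at the real binary.
IPTABLES="${IPTABLES:-echo iptables}"

# ntp_redirect_rule IFACE SUBNET GATEWAY
# nat/PREROUTING rule: UDP/123 from SUBNET arriving on IFACE is sent to
# GATEWAY (the firewall's own address on that interface), unless the packet
# was already addressed to GATEWAY. The protocol is stated before the port,
# which is what iptables-restore requires for --dport.
ntp_redirect_rule() {
  $IPTABLES -t nat -A PREROUTING -i "$1" -s "$2" ! -d "$3" \
    -p udp --dport 123 -j DNAT --to-destination "$3"
}

# restore_line FILE N: print line N of an iptables-restore input file,
# i.e. the line named by "Error occurred at line: N".
restore_line() {
  sed -n "${2}p" "$1"
}

# find_port_without_proto FILE: print (with line numbers) every rule that
# uses --dport or --sport but carries neither "-p tcp" nor "-p udp";
# returns 1 if any such line exists, 0 if the file is clean.
find_port_without_proto() {
  grep -n -E -e '--(d|s)port' "$1" | grep -v -E -e '-p (tcp|udp)' && return 1
  return 0
}

# Constructed sample restore input (hypothetical, not the poster's file):
# line 1 is well formed, line 2 has a port match with no protocol and is
# the kind of line that makes iptables-restore fail as shown in the post.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
-A PREROUTING -i eth1 -s 192.168.1.0/24 ! -d 192.168.1.1 -p udp --dport 123 -j DNAT --to-destination 192.168.1.1
-A eth1_masq -s 192.168.1.0/24 ! -d 192.168.1.1 --dport 123 -j MASQUERADE
EOF

# Demonstration: the rules for both internal interfaces, then the checks.
ntp_redirect_rule eth1 192.168.1.0/24 192.168.1.1
ntp_redirect_rule eth2 192.168.2.0/24 192.168.2.1
echo "line 2 of sample input: $(restore_line "$SAMPLE" 2)"
find_port_without_proto "$SAMPLE" || echo "sample input has a port match without -p tcp/udp"
```

To use the checks on the real failure, replace "$SAMPLE" with /var/lib/shorewall/.iptables-restore-input and the line number with the one from the error (30 in the output above). One design note on the rule itself: because the DNAT target is the firewall's own address, the reply is generated locally and conntrack rewrites its source back to the public server address the client asked for, so no SNAT or routeback is needed for this particular redirect; those are only required when the redirected packet has to leave again through the interface it came in on.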