Jeff Gregor
2009-May-14 14:25 UTC
Redirecting NTP traffic from public time server to local server
There was a series of posts a couple of months ago that I found in the archives that addressed the same situation that I am dealing with. I tried the solution described in those posts but unfortunately, I can't seem to make it work. Here's the problem:

I want to redirect clients on my local network to the local time server, so that they aren't making calls out to a public server on the internet (it's a satellite link, bandwidth is a real problem and every little bit I can save helps...)

My firewall box has three interfaces:
eth0 (WAN/Internet) -- connected to satellite modem
eth1 (LAN, my office clients) -- IP 192.168.1.1, serves clients on 192.168.1.0/24
eth2 (PUB, public clients) -- IP 192.168.2.1, serves clients on 192.168.2.0/24

NTP is running on the firewall, listening on eth1 and eth2.

What I want to do is each time a client on LAN or PUB tries to connect to an external time server, I want to redirect it back to the appropriate interface (ie, 192.168.1.1 or 192.168.2.1).

Following the instructions as described, I have this set up:

In INTERFACES I added the routeback option to the two internal interfaces:
--------------------------------------------------------------------
#ZONE   INTERFACE   BROADCAST   OPTIONS
WAN     eth0        detect      tcpflags,routefilter,nosmurfs,logmartians
LAN     eth1        detect      tcpflags,dhcp,logmartians,nosmurfs,routefilter,routeback
PUB     eth2        detect      tcpflags,dhcp,logmartians,nosmurfs,routefilter,routeback
--------------------------------------------------------------------

In MASQ:
--------------------------------------------------------------------
#INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
eth0   eth1
eth0   eth2
eth1   192.168.1.0/24!192.168.1.1   udp   123
eth2   192.168.2.0/24!192.168.2.1   udp   123
--------------------------------------------------------------------

And in RULES:
--------------------------------------------------------------------
# allow NTP time server access
NTP/ACCEPT   LAN   $FW
NTP/ACCEPT   PUB   $FW
# REDIRECT NTP traffic to local timeserver
DNAT   LAN   LAN:192.168.1.1   udp   123
DNAT   PUB   PUB:192.168.2.1   udp   123
--------------------------------------------------------------------

"shorewall check" reports no errors.

When I run "shorewall restart", output reports no problems until I get to here:
--------------------------------------------------------------------
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
iptables-restore v1.3.5: Need TCP or UDP with port specification
Error occurred at line: 30
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
   ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 435:  1180 Terminated              ${VARDIR}/.start $debugging start
--------------------------------------------------------------------
Christ Schlacta
2009-May-14 15:46 UTC
Re: Redirecting NTP traffic from public time server to local server
why not just use NTP/REDIRECT in rules and nothing in masq ?

On Thu, May 14, 2009 at 7:25 AM, Jeff Gregor <cpbecket@berkshire.net> wrote:
> There was a series of posts a couple of months ago that I found in the
> archives that addressed the same situation that I am dealing with. I
> tried the solution described in those posts but unfortunately, I can't
> seem to make it work. Here's the problem:
>
> I want to redirect clients on my local network to the local time server,
> so that they aren't making calls out to a public server on the internet
> (it's a satellite link, bandwidth is a real problem and every little bit
> I can save helps...)
> My firewall box has three interfaces:
> eth0 (WAN/Internet) -- connected to satellite modem
> eth1 (LAN, my office clients) -- IP 192.168.1.1, serves clients on
> 192.168.1.0/24
> eth2 (PUB, public clients) -- IP 192.168.2.1, serves clients on
> 192.168.2.0/24
> NTP is running on the firewall, listening on eth1 and eth2.
> What I want to do is each time a client on LAN or PUB tries to connect
> to an external time server, I want to redirect it back to the
> appropriate interface (ie, 192.168.1.1 or 192.168.2.1).
>
> Following the instructions as described, I have this set up:
> In INTERFACES I added the routeback option to the two internal interfaces:
> --------------------------------------------------------------------
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> WAN     eth0        detect      tcpflags,routefilter,nosmurfs,logmartians
> LAN     eth1        detect      tcpflags,dhcp,logmartians,nosmurfs,routefilter,routeback
> PUB     eth2        detect      tcpflags,dhcp,logmartians,nosmurfs,routefilter,routeback
> --------------------------------------------------------------------
>
> In MASQ:
> --------------------------------------------------------------------
> #INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
> eth0   eth1
> eth0   eth2
> eth1   192.168.1.0/24!192.168.1.1   udp   123
> eth2   192.168.2.0/24!192.168.2.1   udp   123
> --------------------------------------------------------------------
>
> And in RULES:
> --------------------------------------------------------------------
> # allow NTP time server access
> NTP/ACCEPT   LAN   $FW
> NTP/ACCEPT   PUB   $FW
> # REDIRECT NTP traffic to local timeserver
> DNAT   LAN   LAN:192.168.1.1   udp   123
> DNAT   PUB   PUB:192.168.2.1   udp   123
> --------------------------------------------------------------------
>
> "shorewall check" reports no errors.
> When I run "shorewall restart", output reports no problems until I get
> to here:
> --------------------------------------------------------------------
> Starting Shorewall....
> Initializing...
> Processing /etc/shorewall/init ...
> Setting up ARP filtering...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Accept Source Routing...
> Setting up Proxy ARP...
> Setting up Traffic Control...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore...
> iptables-restore v1.3.5: Need TCP or UDP with port specification
> Error occurred at line: 30
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>    ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall/.iptables-restore-input
> Processing /etc/shorewall/stop ...
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> /sbin/shorewall: line 435:  1180 Terminated
> ${VARDIR}/.start $debugging start
> --------------------------------------------------------------------
>

--
(\_/)   This is Bunny. Copy and paste Bunny
(='.'=) into your signature to help him gain
(")_(") world domination.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep
2009-May-14 20:25 UTC
Re: Redirecting NTP traffic from public time server to local server
Jeff Gregor wrote:
> I want to redirect clients on my local network to the local time server,
> so that they aren't making calls out to a public server on the internet
> (it's a satellite link, bandwidth is a real problem and every little bit
> I can save helps...)
> My firewall box has three interfaces:
> eth0 (WAN/Internet) -- connected to satellite modem
> eth1 (LAN, my office clients) -- IP 192.168.1.1, serves clients on
> 192.168.1.0/24
> eth2 (PUB, public clients) -- IP 192.168.2.1, serves clients on
> 192.168.2.0/24
> NTP is running on the firewall, listening on eth1 and eth2.
> What I want to do is each time a client on LAN or PUB tries to connect
> to an external time server, I want to redirect it back to the
> appropriate interface (ie, 192.168.1.1 or 192.168.2.1).

I agree with Christ Schlacta -- just use NTP/REDIRECT.

>
> In MASQ:
> --------------------------------------------------------------------
> #INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
> eth0   eth1
> eth0   eth2
> eth1   192.168.1.0/24!192.168.1.1   udp   123
> eth2   192.168.2.0/24!192.168.2.1   udp   123

The last two entries are totally invalid and are the cause of your problem (Hint -- you omitted the ADDRESS column).

> --------------------------------------------------------------------
>
> And in RULES:
>
> "shorewall check" reports no errors.

When using Shorewall-shell, the "check" command is nearly worthless. That is one of the reasons (among many) that I wrote Shorewall-perl and why I urge you to migrate to Shorewall-perl at your first opportunity.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep.  Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
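Tom's hint (a protocol name sitting where the ADDRESS column should be) is the kind of column drift a plain-text, whitespace-separated config invites, and it is exactly what a "check" that only looks at syntax will miss. The following is an added example written for this thread, not code from Shorewall or from anyone in the discussion: a small Python column-layout checker that reads a masq file using the column header from Jeff's post, fills missing trailing columns the way a column-by-column reader would, and flags lines where a protocol name has landed in ADDRESS or where ports are given without tcp or udp (the condition iptables-restore reports as "Need TCP or UDP with port specification"). The masq text below is a constructed copy of Jeff's lines plus a corrected version in which the omitted ADDRESS column is given as "-", which is the Shorewall convention for an empty column.

```python
"""Column-layout checker for a Shorewall-style masq file.

Added example for this thread, not Shorewall project code. The column
names come from the header line in the original post; the treatment of
"-" as an empty column follows the usual Shorewall convention.
"""

MASQ_COLUMNS = ["INTERFACE", "SOURCE", "ADDRESS", "PROTO", "PORTS", "IPSEC", "MARK"]
PROTO_NAMES = {"tcp", "udp", "icmp", "all"}

# Constructed copy of the masq file from the thread, with the two broken lines.
BROKEN_MASQ = """\
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 eth1
eth0 eth2
eth1 192.168.1.0/24!192.168.1.1 udp 123
eth2 192.168.2.0/24!192.168.2.1 udp 123
"""

# The same file with the ADDRESS column supplied as "-" on the NTP lines.
FIXED_MASQ = """\
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 eth1
eth0 eth2
eth1 192.168.1.0/24!192.168.1.1 - udp 123
eth2 192.168.2.0/24!192.168.2.1 - udp 123
"""


def parse_masq(text):
    """Return [(lineno, {column: value})] for every non-comment, non-blank line.

    Missing trailing columns are filled with "-". Nothing here can know that
    a middle column was skipped, so an omitted ADDRESS shifts every later
    field one column to the left: "udp" becomes the ADDRESS and "123" the PROTO.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        fields += ["-"] * (len(MASQ_COLUMNS) - len(fields))
        entries.append((lineno, dict(zip(MASQ_COLUMNS, fields))))
    return entries


def check_masq(text):
    """Return [(lineno, message)] for lines whose columns are misaligned."""
    findings = []
    for lineno, cols in parse_masq(text):
        proto = cols["PROTO"].lower()
        if cols["ADDRESS"].lower() in PROTO_NAMES:
            findings.append((lineno, "protocol %r in ADDRESS column; an empty ADDRESS must be given as '-'"
                             % cols["ADDRESS"]))
        elif proto != "-" and proto not in PROTO_NAMES and not proto.isdigit():
            findings.append((lineno, "PROTO column %r is not a protocol" % cols["PROTO"]))
        elif cols["PORTS"] != "-" and proto not in {"tcp", "udp"}:
            # This is the combination iptables rejects with
            # "Need TCP or UDP with port specification".
            findings.append((lineno, "PORTS given without tcp or udp in PROTO"))
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_MASQ), ("fixed", FIXED_MASQ)):
        print(name + ":", check_masq(text) or "no findings")
```

Run stand-alone it reports the two NTP lines of the broken file (lines 4 and 5) and nothing for the corrected one. The same approach extends to the rules file: the REDIRECT lines Paul suggests further down the thread have their own fixed column order, and a checker that knows the header can catch a shifted column before iptables-restore does.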
Paul Gear
2009-May-14 23:17 UTC
Re: Redirecting NTP traffic from public time server to local server
Tom Eastep wrote:
> Jeff Gregor wrote:
>
>> I want to redirect clients on my local network to the local time server,
>> so that they aren't making calls out to a public server on the internet
>> (it's a satellite link, bandwidth is a real problem and every little bit
>> I can save helps...)
>> My firewall box has three interfaces:
>> eth0 (WAN/Internet) -- connected to satellite modem
>> eth1 (LAN, my office clients) -- IP 192.168.1.1, serves clients on
>> 192.168.1.0/24
>> eth2 (PUB, public clients) -- IP 192.168.2.1, serves clients on
>> 192.168.2.0/24
>> NTP is running on the firewall, listening on eth1 and eth2.
>> What I want to do is each time a client on LAN or PUB tries to connect
>> to an external time server, I want to redirect it back to the
>> appropriate interface (ie, 192.168.1.1 or 192.168.2.1).
>
> I agree with Christ Schlacta -- just use NTP/REDIRECT.

For the record, here is what you want in the rules:

REDIRECT   lan   123   udp   123
REDIRECT   pub   123   udp   123

Simple & easy - I use this all the time and it works well for me.

If you have systems on those LANs which use NTP rather than SNTP (the cut-down version used by Windows), then you probably want to make exceptions for them.

Paul
Jeff Gregor
2009-May-15 09:28 UTC
Re: Redirecting NTP traffic from public time server to local server
Paul Gear wrote:
> Tom Eastep wrote:
>
>> Jeff Gregor wrote:
>>
>>> I want to redirect clients on my local network to the local time server,
>>> so that they aren't making calls out to a public server on the internet
>>> (it's a satellite link, bandwidth is a real problem and every little bit
>>> I can save helps...)
>>> My firewall box has three interfaces:
>>> eth0 (WAN/Internet) -- connected to satellite modem
>>> eth1 (LAN, my office clients) -- IP 192.168.1.1, serves clients on
>>> 192.168.1.0/24
>>> eth2 (PUB, public clients) -- IP 192.168.2.1, serves clients on
>>> 192.168.2.0/24
>>> NTP is running on the firewall, listening on eth1 and eth2.
>>> What I want to do is each time a client on LAN or PUB tries to connect
>>> to an external time server, I want to redirect it back to the
>>> appropriate interface (ie, 192.168.1.1 or 192.168.2.1).
>>>
>> I agree with Christ Schlacta -- just use NTP/REDIRECT.
>>
>
> For the record, here is what you want in the rules:
>
> REDIRECT   lan   123   udp   123
> REDIRECT   pub   123   udp   123
>
> Simple & easy - I use this all the time and it works well for me.
>
> If you have systems on those LANs which use NTP rather than SNTP (the
> cut-down version used by Windows), then you probably want to make
> exceptions for them.
>
> Paul
>

Heh - I must have been suffering from a really profound brain cramp, making it much harder than it needed to be.

Thanks to all for the suggestions, it works perfectly. :-)