how to forward ntp traffic to default gateway instead of vpn tunnel
I have a small Raspberry Pi server connected to an openvpn provider, used as a VPN gateway. Almost everything works fine with the following iptables rules:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
However, the VPN provider blocks NTP traffic (udp port 123).
How do I make iptables route all NTP traffic via the default gateway (which is 192.168.1.1 on eth0)?
iptables vpn ntp
have you considered running an ntp daemon on 192.168.1.1 and configuring all your LAN clients to use that?
– cas
Jun 4 '16 at 10:58
Tried that too, however the ntpd tries to access public NTP servers via VPN tunnel, of course without success. Tried to specify a server list in vpn.conf that should be excluded from routing via tunnel. This solution is unstable for me, as these servers might go offline at some point.
– Branislav Zlatkovic
Jun 4 '16 at 11:09
Does your router have another connection to the internet? if so, why is it routing ntp traffic via the Rpi? is the Rpi itself your router? i'm trying to understand your network structure...
– cas
Jun 4 '16 at 11:31
The default internet gateway on the LAN is a dd-wrt router at 192.168.1.1. Rpi is connected to the LAN on eth0, and using the default gateway to connect to the VPN. Rpi is set up as a router to/from the VPN. Some specific devices on the LAN that I want to go online through VPN have Rpi's address as their gateway. Rpi routes all traffic to the VPN by default, so I need only udp port 123 (NTP) to go via 192.168.1.1 instead of the VPN tun0.
– Branislav Zlatkovic
Jun 4 '16 at 11:37
ok, so why is your dd-wrt routing ntp packets via the rpi?
– cas
Jun 4 '16 at 11:39
edited Jun 4 '16 at 10:58 by cas
asked Jun 4 '16 at 10:29 by Branislav Zlatkovic
1 Answer
Policy routing to the rescue. At your RPi as root do the following:
# echo 100 direct >> /etc/iproute2/rt_tables
# ip rule add fwmark 123 table direct
# ip route add default via 192.168.1.1 dev eth0 table direct
# iptables -t mangle -A OUTPUT -p udp --dport 123 -j MARK --set-mark 123
Unfortunately this doesn't work either from Rpi or any device that has Rpi as a router. Running tcpdump on eth0 shows this for ntp requests made by Rpi:
IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12
IP 10.125.14.6.56940 > 78.46.37.9.123: NTPv2, Reserved, length 12
– Branislav Zlatkovic
Jun 4 '16 at 12:36
It should not do this for other devices as you did not mention that RPi should forward ntp traffic for others as well. To allow forwarding you should add the same rule to PREROUTING in a mangle table as well. Also, check that your ntp client is bound to eth0 at RPi
– Serge
Jun 4 '16 at 12:44
Adding the same rule to PREROUTING did the trick for others. For the ntpd on Rpi, the following rule did the trick:
iptables -A POSTROUTING -t nat -o eth0 -p udp --dport 123 -j SNAT --to 192.168.1.2
One more question, how to make ip rule and ip route persistent?
– Branislav Zlatkovic
Jun 4 '16 at 13:36
To set routes you have to customize /etc/sysconfig/network-scripts/route-eth0 or whatever way is appropriate to your system. The rules are not flushed during interface state transitions as far as I remember, so rc.local or another suitable place would be good.
– Serge
Jun 4 '16 at 14:30
answered Jun 4 '16 at 12:26 by Serge
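The pieces of the working setup are spread over the answer and its comments: the fwmark policy rule and "direct" table from the answer, the mangle PREROUTING mark Serge suggested for LAN hosts that use the Pi as their gateway, the SNAT rule the OP needed because ntpd had already bound its socket to the tun0 address (his tcpdump showed a 10.x source leaving eth0), and the persistence question. The script below, an added example that is neither Serge's nor the OP's own code, puts them together in a form that can be re-run from rc.local without duplicating rt_tables entries or iptables rules. It assumes the Pi's eth0 address is 192.168.1.2 (the address the OP used as his SNAT target) and that the FORWARD chain's default policy accepts eth0-to-eth0 traffic, as it evidently did for the OP; with a DROP policy, an extra FORWARD accept for UDP/123 from eth0 to eth0 would be required. The `ip rule` guard matches on the table name rather than the mark because `ip rule show` prints marks in hex.

```shell
#!/bin/sh
# Added example, not the OP's or Serge's own script: policy-route UDP/123 from
# the Pi and from LAN hosts behind it out via the LAN gateway instead of tun0.
# Assumption: the Pi's eth0 address is 192.168.1.2. Run with MODE=apply as root
# to execute; any other MODE only prints the plan.
set -eu

LAN_GW=192.168.1.1      # dd-wrt router, the LAN default gateway (from the question)
LAN_IF=eth0
PI_LAN_ADDR=192.168.1.2 # assumption: the Pi's own eth0 address
TABLE_ID=100
TABLE_NAME=direct
MARK=123                # fwmark value chosen in the answer
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
MODE=${MODE:-print}

# Execute a command in apply mode, otherwise print it.
run() {
    if [ "$MODE" = apply ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Append "100 direct" to rt_tables only if that exact entry is missing, so a
# boot-time script does not grow the file on every run.
register_table() {
    file=$1
    if ! grep -qE "^[[:space:]]*$TABLE_ID[[:space:]]+$TABLE_NAME([[:space:]]|\$)" "$file" 2>/dev/null; then
        echo "$TABLE_ID $TABLE_NAME" >> "$file"
    fi
}

# ipt_rule <table> <chain> <rule...>: append the rule unless an identical one
# already exists (iptables -C exits 0 when the rule is present).
ipt_rule() {
    t=$1; c=$2; shift 2
    if [ "$MODE" = apply ]; then
        iptables -t "$t" -C "$c" "$@" 2>/dev/null || iptables -t "$t" -A "$c" "$@"
    else
        printf '%s\n' "iptables -t $t -A $c $*"
    fi
}

ntp_bypass() {
    # 1. Marked packets consult the "direct" table, whose only route is the LAN
    #    gateway. "replace" makes the route step safe to repeat.
    if [ "$MODE" != apply ] || ! ip rule show | grep -q "lookup $TABLE_NAME"; then
        run ip rule add fwmark "$MARK" table "$TABLE_NAME"
    fi
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE_NAME"
    # 2. Mark locally generated NTP (the answer) and NTP forwarded from LAN
    #    hosts that use the Pi as gateway (Serge's follow-up comment).
    ipt_rule mangle OUTPUT -p udp --dport 123 -j MARK --set-mark "$MARK"
    ipt_rule mangle PREROUTING -i "$LAN_IF" -p udp --dport 123 -j MARK --set-mark "$MARK"
    # 3. ntpd's socket was already bound to the tun0 address, so the re-routed
    #    packet left eth0 with a 10.x source (the OP's tcpdump); rewrite it.
    ipt_rule nat POSTROUTING -o "$LAN_IF" -p udp --dport 123 -j SNAT --to-source "$PI_LAN_ADDR"
}

# egress_source_ok <tcpdump line> <expected source>: exit 0 when the request
# left with the expected source address. Feed it lines from
# "tcpdump -ni eth0 udp port 123" to confirm the SNAT step took effect.
egress_source_ok() {
    expected=$2
    set -- $1                 # fields: IP <src.port> > <dst.port>: ...
    [ "${2%.*}" = "$expected" ]
}

if [ "$MODE" = apply ]; then
    register_table "$RT_TABLES"
fi
ntp_bypass
```

Running the script without MODE=apply prints the five commands it would execute, which is a convenient way to review the plan before dropping it into rc.local. Note that `ip route replace` is idempotent by itself, but `ip rule add` and `iptables -A` are not, hence the guards around them.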