Setting up NTP on 2 Linux boxes and one OpenBSD box

I have been tasked with getting an NTP client working on two Linux machines and an OpenBSD machine.

The machines are arranged like this:

       NTPServer
       /       \
      /         \
    L1           L2
      \         /
       \       /
        OpenBSD

I have been told to configure L1 and L2 to route packets from OpenBSD to the NTPServer (i.e. not to set up a new stratum). The OpenBSD box cannot see the NTPServer (i.e. the network configuration prohibits this - from the OpenBSD box I can't even ping the IP address of the NTPServer).

Now the bad news: I am a J2EE programmer :) I don't have much of an idea on how to proceed.

Where do I begin? I'm not looking for a full solution as obviously people don't know the network configuration, just a few pointers as to where to start. I know Linux pretty well in terms of the stuff associated with J2EE (installing Tomcat/JBoss, setting them up as services etc) but network routing is really very new to me and has always scared me (ever since I had to write some Java code to detect a BGP flip).

Edit

Ok, thanks to Google I have made some progress. All the above is wrong (apart from me being a J2EE programmer)...

With use of ifconfig, routes show, traceroute, and some internal documentation, I now have the following diagram:

      NTP
    10.21.3.169
      |     \______________
      |                    \
    10.21.3.160 (eth1)     |
     L1                    |
    10.0.0.67 (eth0)       |
      |                    |
      |                    |
    10.0.0.65 (pcn1)       |
     OpenBSD               |
    10.0.0.51 (pcn0)       |
      |                    |
      |                    |
    10.0.0.49 (eth1) 10.21.3.159 (eth0)
                   L2

I have also checked the time on the three machines, and the Linux ones are correct while the OpenBSD one is wrong, so I think I just need to sort the routing out so that the OpenBSD box can get the time from NTP via either of the Linux boxes.

So, I think I need to add a route to the OpenBSD box to tell it that to get to our NTP server, it needs to go via L1 (it could also go via L2 but the diagram I have seen makes that look incorrect).
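An added example, not part of the original post: a small routing-table model of the second diagram that follows an NTP request from the OpenBSD box to the server and the reply back, to show which hop fails at each stage of the plan. The addresses are the post's; the /28 and /24 prefix lengths, the NTP server's interface name, its lack of a default route, and the helper names are assumptions.

```python
import ipaddress

# Addresses come from the diagram above. The /28 and /24 prefix lengths, the
# NTP server's interface name and its lack of a default route are assumptions.
NTP, BSD, L1_INSIDE, L1_OUTSIDE = "10.21.3.169", "10.0.0.65", "10.0.0.67", "10.21.3.160"

def connected(*ifaces):
    """Routes a host gets just from its configured interfaces (no next hop)."""
    return [(ipaddress.ip_interface(a).network, None, name) for name, a in ifaces]

def static(prefix, next_hop, iface):
    """One manually added route, as a list so it can be appended to a table."""
    return [(ipaddress.ip_network(prefix), next_hop, iface)]

def lookup(table, dst):
    """Longest-prefix match: (next_hop, iface), or None if dst is unroutable."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in table if dst in r[0]]
    if not hits:
        return None
    _, hop, iface = max(hits, key=lambda r: r[0].prefixlen)
    return hop, iface

BSD_TABLE = connected(("pcn1", "10.0.0.65/28"), ("pcn0", "10.0.0.51/28"))
L1_TABLE = connected(("eth0", "10.0.0.67/28"), ("eth1", "10.21.3.160/24"))
NTP_TABLE = connected(("eth0", "10.21.3.169/24"))

def ntp_round_trip(bsd, l1, ntp, l1_forwarding, l1_nat=False):
    """Follow the request out and the reply back; name the first failing hop."""
    if lookup(bsd, NTP) is None:
        return "OpenBSD: no route to NTP server"
    if not l1_forwarding or lookup(l1, NTP) is None:
        return "L1: request not forwarded"
    # With NAT on L1 the server sees L1's outside address, otherwise OpenBSD's.
    seen_src = L1_OUTSIDE if l1_nat else BSD
    if lookup(ntp, seen_src) is None:
        return "NTP server: no route back to " + seen_src
    return "ok"

if __name__ == "__main__":
    host_route = BSD_TABLE + static("10.21.3.169/32", L1_INSIDE, "pcn1")
    back_route = NTP_TABLE + static("10.0.0.64/28", L1_OUTSIDE, "eth0")
    print(ntp_round_trip(BSD_TABLE, L1_TABLE, NTP_TABLE, True))   # no route yet
    print(ntp_round_trip(host_route, L1_TABLE, NTP_TABLE, True))  # reply is lost
    print(ntp_round_trip(host_route, L1_TABLE, back_route, True)) # ok
```

Under these assumptions the host route on the OpenBSD box is necessary but not sufficient: L1 must also forward, and the reply needs either a return route on the NTP server or NAT on L1.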


Your comments above make sense. But if that's so, then I would really strongly advise your employer to reconsider his or her position on NTP on the Linux boxes.

I don't think that having those boxes be properly-tied-down NTP clients is less secure than having them be properly-tied-down routers. I'm fairly sure that improperly-tied-down NTP clients are more secure than routers administered by someone who doesn't know how to find an IP address: with badly-tied-down NTP clients you can affect a system clock; with a badly-configured router, you can attack a whole network.

Please don't take that personally. It's not meant to be personal: your employers would be even more at-risk if they had me, a network and firewalls chap, write their J2EE code. I'd be making elementary programming blunders all over the place, introducing potential buffer overflows and handles for SQL injection attacks, and generally ruining their lives. Is it because I'm incompetent per se? No - it's because I'd've been told to do something I have no idea how to do, in a security-critical environment.

There's an old Pope quotation,

For forms of government let fools contest
Whate'er is best administered, is best

which I think also applies to technology. If you are that uncomfortable with networks, this is probably not the best place to start learning from scratch (and a single serverfault answer is not going to substitute for a proper course in IP). At the very least, if your employers insist on you solving this with routing, make them sign something that indemnifies you against any consequences of the routers being mis-configured; see if that focusses their minds on the mistake they're about to make.