
HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   HOWTO-Related Questions (http://www.howtoforge.com/forums/forumdisplay.php?f=2)
-   -   How to create a dhcp server for intranet (with multi-homed alias)? (http://www.howtoforge.com/forums/showthread.php?t=20792)

zenny 27th February 2008 14:40

[SOLVED]: How to create a dhcp server for intranet (with multi-homed alias)?
 
To make clear what I want to do, I explain my network:

1. GW+firewall (public IP address)
2. mail and web server (public IP address)
3. Several workstations with public IP addresses

I want to make one of the workstations a DHCP server and gateway for the LAN with a single NIC (multi-homing, e.g. eth0 for the internet and eth0:0 for the intranet).

I installed dnsmasq on the workstation that I am using and multi-homed it: I specified interface=eth0:0 in dnsmasq.conf and added the necessary parameters for eth0:0 in /etc/network/interfaces. Then I installed firehol and created a configuration (firehol.conf) like this:

Code:

# Require release 5 of FireHOL configuration directives
version 5

# A space separated list of all the IPs on the internet, I trust
office="gw.mydomain.tld"

# The IP address of this Linux and LAN for the rest of the world
public_ip="aaa.xxx.yyy.zzz"


# My LAN. Everything is allowed here.
interface eth0:0 lan
policy accept # The default is 'drop'.


# Make sure the traffic coming in, comes from valid Internet IPs,
# and that is targeting my public IP
interface eth0 internet src not "$UNROUTABLE_IPS" dst "$public_ip"
# Protect me from various kinds of attacks.
protection strong

# Public servers.
server smtp accept
server http accept
server ftp accept
server ssh accept src "$office"

# Make sure idents do not timeout.
server ident reject with tcp-reset

# This is also a workstation.
client all accept


# Route the LAN requests to the internet.
router lan2internet inface eth0:0 outface eth0

# Masquerading on outface.
masquerade

# Route all requests from inface to outface
# and their replies back.
route all accept

Still, I could not get the standalone workstation to work as DHCP server and gateway for the intranet using the multi-homed alias. Comments appreciated.

zenny 27th February 2008 16:27

After changing the firehol.conf to the output of '/etc/init.d/firehol helpme > /tmp/firehol.conf', I could get access to the internet, but it does NOT seem to be broadcasting (using dnsmasq) DHCP addresses to the local net using eth0:0 :( How can I identify the reason why the DHCP is not broadcast? (wondering)

Quote:

# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
xxx.yyy.zzz.aaa * 255.255.255.192 U 0 0 0 eth0
192.168.7.0 * 255.255.255.0 U 0 0 0 eth0
default gw.mydomain.tld 0.0.0.0 UG 0 0 0 eth0

The firehol.conf looks like this now:

Quote:


#!/sbin/firehol
# ------------------------------------------------------------------------------
# This feature is under construction -- use it with care.
# *** NEVER USE THIS CONFIG AS-IS ***
#
# : firehol.sh,v 1.256 2007/05/22 22:52:53 ktsaou Exp $
# (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
# FireHOL is distributed under GPL.
# Home Page: http://firehol.sourceforge.net
#
# ------------------------------------------------------------------------------
# FireHOL controls your firewall. You should want to get updates quickly.
# Subscribe (at the home page) to get notified of new releases.
# ------------------------------------------------------------------------------
#
# This config will have the same effect as NO PROTECTION!
# Everything that found to be running, is allowed.
#
# Date: Wed Feb 27 14:25:37 CET 2008 on host multiwork
#
# The TODOs bellow, are YOUR to-dos!

### DEBUG: Processing interface 'eth0'
### DEBUG: Processing IP 192.168.7.2 of interface 'eth0'
### DEBUG: Is 192.168.7.2 part of network 192.168.7.0/24? yes
### DEBUG: Is 192.168.7.2 part of network xxx.yyy.zzz.128/26? no

# Interface No 1.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP 192.168.7.2 (net: "192.168.7.0/24").
# TODO: Change "interface1" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 192.168.7.2' if this is dynamically assigned.
interface eth0 interface1 src "192.168.7.0/24" dst 192.168.7.2

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy reject

# If you don't trust the clients behind eth0 (net "192.168.7.0/24"),
# add something like this.
# > protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server cups accept
server dhcp accept
server dns accept
server ICMP accept

# The following eth0 server ports are not known by FireHOL:
# udp/33222
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site - http://firehol.sf.net).

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept

### DEBUG: Is xxx.yyy.zzz.190 part of network 192.168.7.0/24? no
### DEBUG: Processing IP xxx.yyy.zzz.157 of interface 'eth0'
### DEBUG: Is xxx.yyy.zzz.157 part of network 192.168.7.0/24? no
### DEBUG: Is xxx.yyy.zzz.157 part of network xxx.yyy.zzz.128/26? yes

# Interface No 2.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP xxx.yyy.zzz.157 (net: "xxx.yyy.zzz.128/26").
# TODO: Change "interface2" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst xxx.yyy.zzz.157' if this is dynamically assigned.
interface eth0 interface2 src "xxx.yyy.zzz.128/26" dst xxx.yyy.zzz.157

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop

# If you don't trust the clients behind eth0 (net "xxx.yyy.zzz.128/26"),
# add something like this.
protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server cups accept
server dhcp accept
server dns accept
server ICMP accept

# The following eth0 server ports are not known by FireHOL:
# udp/33222
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site - http://firehol.sf.net).

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept

### DEBUG: Is xxx.yyy.zzz.190 part of network xxx.yyy.zzz.128/26? yes
### DEBUG: Default gateway xxx.yyy.zzz.190 is part of network xxx.yyy.zzz.128/26

# Interface No 3.
# The purpose of this interface is to control the traffic
# from/to unknown networks behind the default gateway xxx.yyy.zzz.190 .
# TODO: Change "interface3" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst xxx.yyy.zzz.157' if this is dynamically assigned.
interface eth0 interface3 src not "${UNROUTABLE_IPS} xxx.yyy.zzz.128/26" dst xxx.yyy.zzz.157

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop

# If you don't trust the clients behind eth0 (net not "${UNROUTABLE_IPS} xxx.yyy.zzz.128/26"),
# add something like this.
# > protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server cups accept
server dhcp accept
server dns accept
server ICMP accept

# The following eth0 server ports are not known by FireHOL:
# udp/33222
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site - http://firehol.sf.net).

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept


# The above 3 interfaces were found active at this moment.
# Add more interfaces that can potentially be activated in the future.
# FireHOL will not complain if you setup a firewall on an interface that is
# not active when you activate the firewall.
# If you don't setup an interface, FireHOL will drop all traffic from or to
# this interface, if and when it becomes available.
# Also, if an interface name dynamically changes (i.e. ppp0 may become ppp1)
# you can use the plus (+) character to match all of them (i.e. ppp+).



# No router statements have been produced, because your server
# is not configured for forwarding traffic.


Any suggestion welcome! Thanks

zenny 28th February 2008 10:40

The dnsmasq started broadcasting after I added the following in the /etc/dnsmasq.conf:

Quote:

listen-address=127.0.0.1
Quote:

interface=eth0
interface=eth0:0

However, the client machine could not access the Internet. I made the needed changes to /etc/resolv.conf (also replaced the servers with opendns.org servers, without any result).

I am wondering what is preventing the client machine from accessing the Internet!
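Two configuration details in this thread, the first post's FireHOL "interface eth0:0 lan" statement and the dnsmasq "interface=eth0:0" line above, both run into the same single-NIC alias limitation: iptables matches on the kernel device name (eth0), so a rule bound to "eth0:0" never matches (the 'firehol helpme' output above shows the working form, the real device plus a src network selector), and dnsmasq's documentation points to listen-address rather than --interface for alias labels. The checker below is an added example, not code from the thread or from either project; it lints constructed config snippets built from the options quoted in the posts. The dhcp-range line and the address map are assumptions, and 203.0.113.157/26 is a documentation-range stand-in for the masked public address xxx.yyy.zzz.157.

```python
"""Lint a dnsmasq.conf and a firehol.conf for the single-NIC IP-alias pitfalls
from this thread. Added example; sample configs are constructed, not from a host."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed address map of the DHCP/gateway box. 203.0.113.157/26 stands in for
# the thread's masked public address xxx.yyy.zzz.157 (netmask from its route table).
ADDRESSES = {"eth0": "203.0.113.157/26", "eth0:0": "192.168.7.2/24"}

# Constructed: the first dnsmasq.conf attempt. The dhcp-range line is assumed;
# the thread never shows the rest of the file.
DNSMASQ_BEFORE = "interface=eth0:0\ndhcp-range=192.168.7.100,192.168.7.200,12h\n"

# Constructed: the version from the third post that started answering DHCP.
DNSMASQ_AFTER = ("listen-address=127.0.0.1\ninterface=eth0\ninterface=eth0:0\n"
                 "dhcp-range=192.168.7.100,192.168.7.200,12h\n")

# Constructed: the first firehol.conf from the thread, trimmed to its interface lines.
FIREHOL_BEFORE = """\
version 5
interface eth0:0 lan
    policy accept
interface eth0 internet src not "$UNROUTABLE_IPS" dst "$public_ip"
    protection strong
"""


def _options(conf):
    """Yield non-empty, non-comment lines with surrounding whitespace removed."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def _is_lan(ip):
    return any(ip in net for net in RFC1918)


def lint_dnsmasq(conf, addresses):
    """Return a list of findings for a dnsmasq configuration."""
    findings = []
    opts = list(_options(conf))
    if not any(o.startswith("dhcp-range=") for o in opts):
        findings.append("no dhcp-range: dnsmasq serves DNS only and never answers DHCP")
    for opt in opts:
        if not opt.startswith("interface="):
            continue
        name = opt.split("=", 1)[1]
        if ":" in name:
            # dnsmasq's man page says alias labels do not work with --interface;
            # listen-address on the alias address is the supported form.
            ip = ipaddress.ip_interface(addresses[name]).ip if name in addresses else "<alias-ip>"
            findings.append(f"interface={name}: alias label is not matched by --interface; "
                            f"use listen-address={ip}")
        elif name in addresses and not _is_lan(ipaddress.ip_interface(addresses[name]).ip):
            # Binding the physical NIC also binds its public address: DNS and DHCP
            # become reachable from the internet side of the same wire.
            findings.append(f"interface={name}: also binds public {addresses[name]}; "
                            "prefer listen-address=<lan ip> with bind-interfaces")
    return findings


def lint_firehol(conf, addresses):
    """Return a list of findings for a FireHOL configuration."""
    findings = []
    for opt in _options(conf):
        parts = opt.split()
        if len(parts) >= 3 and parts[0] == "interface" and ":" in parts[1]:
            # iptables -i/-o compare against the kernel device name (eth0), so a
            # rule on "eth0:0" never matches. The working form is the real device
            # plus a src network selector, as 'firehol helpme' generates.
            dev = parts[1].split(":")[0]
            net = (ipaddress.ip_interface(addresses[parts[1]]).network
                   if parts[1] in addresses else "<lan-net>")
            findings.append(f"interface {parts[1]} {parts[2]}: alias never matches; "
                            f'write: interface {dev} {parts[2]} src "{net}"')
    return findings


if __name__ == "__main__":
    for label, fn, conf in (("dnsmasq before", lint_dnsmasq, DNSMASQ_BEFORE),
                            ("dnsmasq after", lint_dnsmasq, DNSMASQ_AFTER),
                            ("firehol before", lint_firehol, FIREHOL_BEFORE)):
        print(label)
        for finding in fn(conf, ADDRESSES):
            print("  -", finding)
```

Run against the "after" dnsmasq snippet, the checker still flags interface=eth0: that line is what made dnsmasq answer, but it also exposes DNS and DHCP on the public address of the same NIC, which is why listen-address on the LAN address together with bind-interfaces is the tighter form.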

falko 28th February 2008 20:22

Please check the client settings with
Code:

ifconfig
and
Code:

route -nee
What are the outputs of
Code:

ping -c2 google.de
and
Code:

ping -c2 216.239.59.104
?

zenny 29th February 2008 13:02

Thanks Falko, please find below what you asked for (everything on the client machine).

Quote:

Originally Posted by falko
Please check the client settings with
Code:

ifconfig
Quote:

eth0 Link encap:Ethernet HWaddr 00:0F:FE:48:D4:94
inet addr:192.168.7.101 Bcast:192.168.7.255 Mask:255.255.255.0
inet6 addr: fe80::20f:feff:fe48:d494/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:238 errors:0 dropped:0 overruns:0 frame:0
TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:27179 (26.5 KB) TX bytes:10065 (9.8 KB)
Base address:0x1100 Memory:f0500000-f0520000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:356 errors:0 dropped:0 overruns:0 frame:0
TX packets:356 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:684472 (668.4 KB) TX bytes:684472 (668.4 KB)
and
Code:

route -nee
Quote:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface MSS Window irtt
192.168.7.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 0 0 0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0 0 0 0
0.0.0.0 192.168.7.2 0.0.0.0 UG 0 0 0 eth0 0 0 0
What are the outputs of
Code:

ping -c2 google.de
Quote:

PING google.de (66.249.93.104) 56(84) bytes of data.
From 192.168.7.2: icmp_seq=1 Redirect Host(New nexthop: gw.mydomain.tld (xxx.yyy.zzz.190))
From 192.168.7.2: icmp_seq=2 Redirect Host(New nexthop: gw.mydomain.tld (xxx.yyy.zzz.190))
and
Code:

ping -c2 216.239.59.104
?

Quote:

PING 216.239.59.104 (216.239.59.104) 56(84) bytes of data.
From 192.168.7.2: icmp_seq=1 Redirect Host(New nexthop: xxx.yyy.zzz.190)
From 192.168.7.2: icmp_seq=2 Redirect Host(New nexthop: xxx.yyy.zzz.190)

--- 216.239.59.104 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
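The "Redirect Host" lines above are the diagnostic clue: the client's default gateway 192.168.7.2 received each packet on the LAN and forwarded it out the same interface towards xxx.yyy.zzz.190, so it told the client to use that next hop directly, but .190 is not on any network the client is connected to, and nothing ever comes back. The script below is an added example, not code from the thread; it parses a client's `route -nee` table and `ping` output (samples constructed from the post above, with 203.0.113.190 as a documentation-range stand-in for the masked xxx.yyy.zzz.190) and reports what to verify on the gateway: forwarding, a MASQUERADE/SNAT rule for the LAN on the public interface, and send_redirects turned off so clients stop being pointed at an unreachable hop.

```python
"""Explain ICMP 'Redirect Host' answers seen from a LAN client. Added example;
the route table and ping output below are constructed from the thread's post."""
import ipaddress
import re

ROUTE_NEE = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface MSS Window irtt
192.168.7.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 0 0 0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0 0 0 0
0.0.0.0 192.168.7.2 0.0.0.0 UG 0 0 0 eth0 0 0 0
"""

# 203.0.113.190 stands in for the thread's masked upstream gateway xxx.yyy.zzz.190.
PING_OUT = """\
PING 216.239.59.104 (216.239.59.104) 56(84) bytes of data.
From 192.168.7.2: icmp_seq=1 Redirect Host(New nexthop: 203.0.113.190)
From 192.168.7.2: icmp_seq=2 Redirect Host(New nexthop: 203.0.113.190)

--- 216.239.59.104 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
"""

# Matches both "New nexthop: 1.2.3.4)" and "New nexthop: host.name (1.2.3.4))".
REDIRECT_RE = re.compile(
    r"From (\S+): icmp_seq=\d+ Redirect Host\(New nexthop: (?:[\w.-]+ \()?(\d+(?:\.\d+){3})\)+")
LOSS_RE = re.compile(r"(\d+)% packet loss")


def parse_route_table(text):
    """Return (connected_networks, default_gateway) from `route -n` / `route -nee` output."""
    connected, default_gw = [], None
    for line in text.splitlines()[2:]:  # skip the title and column header lines
        cols = line.split()
        if len(cols) < 8:
            continue
        dest, gw, mask, flags = cols[0], cols[1], cols[2], cols[3]
        if dest == "0.0.0.0":
            default_gw = ipaddress.ip_address(gw)
        elif "G" not in flags:
            connected.append(ipaddress.ip_network(f"{dest}/{mask}"))
    return connected, default_gw


def diagnose(route_text, ping_text):
    """Correlate redirect senders and next hops with the client's own routes."""
    connected, default_gw = parse_route_table(route_text)
    redirects = REDIRECT_RE.findall(ping_text)  # list of (sender, nexthop)
    loss_match = LOSS_RE.search(ping_text)
    report = {
        "default_gw": str(default_gw),
        "senders": sorted({sender for sender, _ in redirects}),
        "nexthops": {},  # nexthop -> True if on one of the client's connected networks
        "loss_pct": int(loss_match.group(1)) if loss_match else None,
        "findings": [],
    }
    for _, hop in redirects:
        hop_ip = ipaddress.ip_address(hop)
        report["nexthops"][hop] = any(hop_ip in net for net in connected)
    for sender in report["senders"]:
        role = "the default gateway" if sender == report["default_gw"] else "a non-default router"
        report["findings"].append(
            f"{sender} ({role}) answers with ICMP redirects: it forwards these packets "
            "out the same interface they arrived on")
    for hop, on_link in report["nexthops"].items():
        if not on_link:
            nets = ", ".join(str(n) for n in connected)
            report["findings"].append(
                f"next hop {hop} is off-link for this client (connected: {nets}); "
                "the redirect cannot be followed")
    if report["loss_pct"] == 100 and redirects:
        report["findings"].append(
            "redirects plus 100% loss: on the gateway verify net.ipv4.ip_forward=1, a "
            "MASQUERADE/SNAT rule for the LAN on the public interface, and "
            "net.ipv4.conf.<if>.send_redirects=0")
    return report


if __name__ == "__main__":
    for finding in diagnose(ROUTE_NEE, PING_OUT)["findings"]:
        print("-", finding)
```

The same parser handles the google.de output above, where the redirect names the host first ("gw.mydomain.tld (xxx.yyy.zzz.190)"), because the regex accepts an optional hostname before the address.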

zenny 29th February 2008 14:45

I would like to add that there is a firewall at gw.mydomain.tld, and its firewall script (ipchains) assigns two IP ranges, public and private: public IPs are xxx.yyy.56.zzz and private IPs are xxx.yyy.39.zzz.

And the machine that I am using as a DHCP server is in the 39 range, which will further broadcast DHCP to its subnet. Just to make it clear.

falko 29th February 2008 14:46

Is 192.168.7.2 the correct gateway? Is this gateway connected directly to the internet?

zenny 29th February 2008 15:10

192.168.7.2 is not connected to the internet, but is assigned to the eth0:0 interface. eth0 has a public static IP but uses gw.mydomain.tld as gateway.

The machine on which I would like to create a local DHCP server (using dnsmasq), to create a parallel network to the existing one, is behind gw.mydomain.tld, and the gw has its own firewall.

zenny 29th February 2008 16:16

Dear Falko:

Now the client machines could access the network after I installed ipmasq:

%apt-get install ipmasq
%dpkg-reconfigure ipmasq
%/etc/init.d/ipmasq start

Thanks Falko.
