HowtoForge Forums > Linux Forums > HOWTO-Related Questions

  #1  
zenny, 27th February 2008, 13:40

[SOLVED]: How to create a DHCP server for an intranet (with a multi-homed alias)?

To make clear what I want to do, let me explain my network:

1. GW + firewall (public IP address)
2. Mail and web server (public IP address)
3. Several workstations with public IP addresses

I want to make one of the workstations a DHCP server and gateway for a LAN using a single NIC (multi-homed, i.e. eth0 for the internet and eth0:0 for the intranet).

I installed dnsmasq on the workstation that I am using and multi-homed it. I specified interface=eth0:0 in dnsmasq.conf and added the necessary parameters for eth0:0 in /etc/network/interfaces. Then I installed firehol and created a configuration (firehol.conf) like this:

# Require release 5 of FireHOL configuration directives
version 5

# A space separated list of all the IPs on the internet, I trust
office="gw.mydomain.tld"

# The IP address of this Linux and LAN for the rest of the world
public_ip="aaa.xxx.yyy.zzz"


# My LAN. Everything is allowed here.
# iptables cannot match an alias name such as eth0:0 (the kernel device is
# eth0), so the LAN is selected by its source prefix on eth0 instead.
interface eth0 lan src "192.168.7.0/24"
policy accept # The default is 'drop'.


# Make sure the traffic coming in, comes from valid Internet IPs,
# and that is targeting my public IP
interface eth0 internet src not "$UNROUTABLE_IPS" dst "$public_ip"
# Protect me from various kinds of attacks.
protection strong

# Public servers.
server smtp accept
server http accept
server ftp accept
server ssh accept src "$office"

# Make sure idents do not timeout.
server ident reject with tcp-reset

# This is also a workstation.
client all accept


# Route the LAN requests to the internet.
# Same reason as above: both sides are the eth0 device, so the LAN is
# matched by prefix rather than by the alias name.
router lan2internet inface eth0 outface eth0 src "192.168.7.0/24" dst not "192.168.7.0/24"

# Masquerading on outface.
masquerade

# Route all requests from inface to outface
# and their replies back.
route all accept

Still, I could not get the standalone workstation to act as DHCP server and gateway for the intranet using the multi-homed alias. Comments appreciated.

Last edited by zenny; 29th February 2008 at 15:17. Reason: SOLVED
  #2  
zenny, 27th February 2008, 15:27

After changing firehol.conf to the output of '/etc/init.d/firehol helpme > /tmp/firehol.conf', I could get access to the internet, but it does NOT seem to be broadcasting (using dnsmasq) DHCP addresses to the local net via eth0:0. How can I identify the reason why DHCP is not broadcast? (wondering)

Code:
# route
Kernel IP routing table
Destination      Gateway          Genmask          Flags Metric Ref  Use Iface
xxx.yyy.zzz.aaa  *                255.255.255.192  U     0      0    0   eth0
192.168.7.0      *                255.255.255.0    U     0      0    0   eth0
default          gw.mydomain.tld  0.0.0.0          UG    0      0    0   eth0

The firehol.conf looks like this now:

Code:

#!/sbin/firehol
# ------------------------------------------------------------------------------
# This feature is under construction -- use it with care.
# *** NEVER USE THIS CONFIG AS-IS ***
#
# : firehol.sh,v 1.256 2007/05/22 22:52:53 ktsaou Exp $
# (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
# FireHOL is distributed under GPL.
# Home Page: http://firehol.sourceforge.net
#
# ------------------------------------------------------------------------------
# FireHOL controls your firewall. You should want to get updates quickly.
# Subscribe (at the home page) to get notified of new releases.
# ------------------------------------------------------------------------------
#
# This config will have the same effect as NO PROTECTION!
# Everything that is found to be running is allowed.
#
# Date: Wed Feb 27 14:25:37 CET 2008 on host multiwork
#
# The TODOs below are YOUR to-dos!

### DEBUG: Processing interface 'eth0'
### DEBUG: Processing IP 192.168.7.2 of interface 'eth0'
### DEBUG: Is 192.168.7.2 part of network 192.168.7.0/24? yes
### DEBUG: Is 192.168.7.2 part of network xxx.yyy.zzz.128/26? no

# Interface No 1.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP 192.168.7.2 (net: "192.168.7.0/24").
# TODO: Change "interface1" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 192.168.7.2' if this is dynamically assigned.
interface eth0 interface1 src "192.168.7.0/24" dst 192.168.7.2

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy reject

# If you don't trust the clients behind eth0 (net "192.168.7.0/24"),
# add something like this.
# > protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server cups accept
server dhcp accept
server dns accept
server ICMP accept

# The following eth0 server ports are not known by FireHOL:
# udp/33222
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site - http://firehol.sf.net).

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept

### DEBUG: Is xxx.yyy.zzz.190 part of network 192.168.7.0/24? no
### DEBUG: Processing IP xxx.yyy.zzz.157 of interface 'eth0'
### DEBUG: Is xxx.yyy.zzz.157 part of network 192.168.7.0/24? no
### DEBUG: Is xxx.yyy.zzz.157 part of network xxx.yyy.zzz.128/26? yes

# Interface No 2.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP xxx.yyy.zzz.157 (net: "xxx.yyy.zzz.128/26").
# TODO: Change "interface2" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst xxx.yyy.zzz.157' if this is dynamically assigned.
interface eth0 interface2 src "xxx.yyy.zzz.128/26" dst xxx.yyy.zzz.157

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop

# If you don't trust the clients behind eth0 (net "xxx.yyy.zzz.128/26"),
# add something like this.
protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server cups accept
server dhcp accept
server dns accept
server ICMP accept

# The following eth0 server ports are not known by FireHOL:
# udp/33222
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site - http://firehol.sf.net).

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept

### DEBUG: Is xxx.yyy.zzz.190 part of network xxx.yyy.zzz.128/26? yes
### DEBUG: Default gateway xxx.yyy.zzz.190 is part of network xxx.yyy.zzz.128/26

# Interface No 3.
# The purpose of this interface is to control the traffic
# from/to unknown networks behind the default gateway xxx.yyy.zzz.190 .
# TODO: Change "interface3" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst xxx.yyy.zzz.157' if this is dynamically assigned.
interface eth0 interface3 src not "${UNROUTABLE_IPS} xxx.yyy.zzz.128/26" dst xxx.yyy.zzz.157

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop

# If you don't trust the clients behind eth0 (net not "${UNROUTABLE_IPS} xxx.yyy.zzz.128/26"),
# add something like this.
# > protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server cups accept
server dhcp accept
server dns accept
server ICMP accept

# The following eth0 server ports are not known by FireHOL:
# udp/33222
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site - http://firehol.sf.net).

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept


# The above 3 interfaces were found active at this moment.
# Add more interfaces that can potentially be activated in the future.
# FireHOL will not complain if you setup a firewall on an interface that is
# not active when you activate the firewall.
# If you don't setup an interface, FireHOL will drop all traffic from or to
# this interface, if and when it becomes available.
# Also, if an interface name dynamically changes (i.e. ppp0 may become ppp1)
# you can use the plus (+) character to match all of them (i.e. ppp+).



# No router statements have been produced, because your server
# is not configured for forwarding traffic.

Any suggestion welcome! Thanks
  #3  
zenny, 28th February 2008, 09:40

dnsmasq started broadcasting after I added the following to /etc/dnsmasq.conf:

Code:
listen-address=127.0.0.1
interface=eth0
interface=eth0:0

However, the client machine could not access the Internet. I made the needed changes to /etc/resolv.conf (and also replaced the servers with opendns.org ones, without any result).

I am wondering what is preventing the client machine from accessing the Internet!

Last edited by zenny; 28th February 2008 at 13:40.
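An added example for the dnsmasq.conf in the post above (my own code, not zenny's and not part of dnsmasq). Two points a practitioner would check here. First, the dnsmasq man page states that IP-alias interface names such as eth0:0 cannot be used with --interface, and that --listen-address should be used for such addresses instead. Second, interface=eth0 makes dnsmasq answer DNS and DHCP on every address carried by eth0, which on this workstation includes the public address xxx.yyy.zzz.157, and the firehol helpme config in post #2 accepts dns and dhcp from the internet side; that combination is an open resolver on a public IP. The script prints a dnsmasq.conf bound to the LAN address only, and lints an existing dnsmasq.conf for those mistakes. The LAN address 192.168.7.2 and the fact that the public address shares eth0 come from the thread; the DHCP pool 192.168.7.100-192.168.7.200, the 12h lease and all function names are my assumptions.

```shell
#!/bin/sh
# Added example for the thread above (my code, not zenny's or dnsmasq's).
# Prints a dnsmasq.conf that serves DHCP and DNS on the LAN address only,
# and lints an existing dnsmasq.conf for the mistakes discussed in the thread.
#
# From the thread: LAN gateway/DNS address 192.168.7.2 on an alias of eth0,
# which also carries the public address. Assumed here: the DHCP pool
# 192.168.7.100-192.168.7.200, the 12h lease and all function names.

LAN_IP=${LAN_IP:-192.168.7.2}
POOL_START=${POOL_START:-192.168.7.100}
POOL_END=${POOL_END:-192.168.7.200}

# dnsmasq's interface= does not take alias names like eth0:0 (man dnsmasq:
# use --listen-address for those), and interface=eth0 would answer on every
# address of eth0, the public one included. listen-address= together with
# bind-interfaces binds the LAN address and loopback and nothing else.
make_dnsmasq_conf() {
    cat <<EOF
listen-address=127.0.0.1
listen-address=$LAN_IP
bind-interfaces
dhcp-range=$POOL_START,$POOL_END,12h
dhcp-option=option:router,$LAN_IP
dhcp-option=option:dns-server,$LAN_IP
dhcp-authoritative
EOF
}

# lint_dnsmasq_conf <nic-that-carries-the-public-address>   (config on stdin)
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
lint_dnsmasq_conf() {
    pub_nic=${1:-eth0}
    rc=0
    # drop comments and blank lines before matching
    conf=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d')

    # alias names are not accepted by interface= / except-interface=
    if printf '%s\n' "$conf" | grep -Eq '^(except-)?interface=[^:]+:[0-9]+$'; then
        echo "FAIL: interface=<nic>:<n> alias names are not supported by dnsmasq; use listen-address=<ip>"
        rc=1
    fi
    # the physical NIC carries the public address as well
    if printf '%s\n' "$conf" | grep -Eq "^interface=$pub_nic\$"; then
        echo "FAIL: interface=$pub_nic serves DNS/DHCP on the public address of $pub_nic too (open resolver); use listen-address=$LAN_IP"
        rc=1
    fi
    # without bind-interfaces dnsmasq binds the wildcard socket and filters by address afterwards
    if printf '%s\n' "$conf" | grep -q '^listen-address=' && ! printf '%s\n' "$conf" | grep -q '^bind-interfaces'; then
        echo "WARN: listen-address= without bind-interfaces still binds 0.0.0.0; add bind-interfaces"
        rc=1
    fi
    if ! printf '%s\n' "$conf" | grep -q '^dhcp-range='; then
        echo "FAIL: no dhcp-range=, dnsmasq will not hand out any leases"
        rc=1
    fi
    return $rc
}

case "${1:-}" in
    print) make_dnsmasq_conf ;;
    lint)  lint_dnsmasq_conf "${2:-eth0}" ;;
    "")    ;;   # run without arguments: only define the functions
    *)     echo "usage: $0 print | lint [public-nic] < dnsmasq.conf" >&2; exit 2 ;;
esac
```

Usage: `sh dnsmasq-lan.sh print > /etc/dnsmasq.conf` writes the LAN-only config; `sh dnsmasq-lan.sh lint eth0 < /etc/dnsmasq.conf` reports the findings and exits non-zero if there are any. After restarting dnsmasq, `netstat -lnup | grep dnsmasq` (or `ss -lnup`) should show port 53 bound to 127.0.0.1 and 192.168.7.2 only, never to the public address.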
  #4  
falko (Super Moderator), 28th February 2008, 19:22

Please check the client settings with
Code:
ifconfig
and
Code:
route -nee
What are the outputs of
Code:
ping -c2 google.de
and
Code:
ping -c2 216.239.59.104
?
  #5  
zenny, 29th February 2008, 12:02

Thanks Falko, please find below what you asked for (everything on the client machine).

Quote:
Originally Posted by falko
Please check the client settings with ifconfig

Code:
eth0      Link encap:Ethernet  HWaddr 00:0F:FE:484:94
          inet addr:192.168.7.101  Bcast:192.168.7.255  Mask:255.255.255.0
          inet6 addr: fe80::20f:feff:fe48:d494/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:238 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:27179 (26.5 KB)  TX bytes:10065 (9.8 KB)
          Base address:0x1100 Memory:f0500000-f0520000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:356 errors:0 dropped:0 overruns:0 frame:0
          TX packets:356 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:684472 (668.4 KB)  TX bytes:684472 (668.4 KB)

Quote:
Originally Posted by falko
and route -nee

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0     0     0      0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0     0     0      0
0.0.0.0         192.168.7.2     0.0.0.0         UG    0      0        0 eth0     0     0      0

Quote:
Originally Posted by falko
What are the outputs of ping -c2 google.de

Code:
PING google.de (66.249.93.104) 56(84) bytes of data.
From 192.168.7.2: icmp_seq=1 Redirect Host(New nexthop: gw.mydomain.tld (xxx.yyy.zzz.190))
From 192.168.7.2: icmp_seq=2 Redirect Host(New nexthop: gw.mydomain.tld (xxx.yyy.zzz.190))

Quote:
Originally Posted by falko
and ping -c2 216.239.59.104 ?

Code:
PING 216.239.59.104 (216.239.59.104) 56(84) bytes of data.
From 192.168.7.2: icmp_seq=1 Redirect Host(New nexthop: xxx.yyy.zzz.190)
From 192.168.7.2: icmp_seq=2 Redirect Host(New nexthop: xxx.yyy.zzz.190)

--- 216.239.59.104 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
  #6  
zenny, 29th February 2008, 13:45

I would like to add that there is a firewall at gw.mydomain.tld, and its firewall script (ipchains) assigns two IP ranges, public and private. Public IPs are xxx.yyy.56.zzz and private IPs are xxx.yyy.39.zzz.

And the machine that I am using as a DHCP server is in the 39 range, which will further broadcast DHCP to its subnet. Just to make it clear.
  #7  
falko (Super Moderator), 29th February 2008, 13:46

Is 192.168.7.2 the correct gateway? Is this gateway connected directly to the internet?
  #8  
zenny, 29th February 2008, 14:10

192.168.7.2 is not connected to the internet, but is assigned to the eth0:0 interface. eth0 has a public static IP but uses gw.mydomain.tld as gateway.

The machine on which I would like to create a local DHCP server (using dnsmasq), to create a parallel network to the existing one, is behind gw.mydomain.tld, and the gw has its own firewall.
  #9  
zenny, 29th February 2008, 15:16

Dear Falko:

Now the client machines can access the network after I installed ipmasq:

Code:
% apt-get install ipmasq
% dpkg-reconfigure ipmasq
% /etc/init.d/ipmasq start

Thanks Falko.
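An added example covering the symptoms in post #5 and the fix in post #9 (my own code; not zenny's, and not what the ipmasq package generates). The "Redirect Host" lines come from the gateway's LAN address because the gateway forwards the client's packet back out eth0, the same device it arrived on (eth0:0 is only an extra address on eth0, not a second interface), so the kernel tells the client to send to xxx.yyy.zzz.190 directly, which a 192.168.7.x host cannot reach. The redirects therefore prove that forwarding was on; the 100% loss is consistent with what post #9 confirmed, namely that the packets left with their private source address and nothing was masquerading them. The script prints or applies the minimal sysctl and iptables equivalent of the ipmasq fix, limited to the LAN prefix so the workstation's public address does not become a NAT relay for anyone who can reach it, and counts redirects in a ping transcript. Note that the "intranet" shares the wire with the public /26, so the prefix match is addressing, not isolation: any host on that segment can give itself a 192.168.7.x address. eth0, 192.168.7.0/24 and 192.168.7.2 are from the thread; the function names, the conntrack rule shape and the sample ping text are my assumptions.

```shell
#!/bin/sh
# Added example for posts #5 and #9 above (my code; not zenny's, and not what
# the ipmasq package generates). Prints or applies the minimal sysctl and
# iptables setup that makes 192.168.7.2 a NAT gateway for 192.168.7.0/24 when
# the LAN alias and the public address share one NIC, and counts the
# "Redirect Host" lines a LAN client sees from such a gateway.
#
# From the thread: NIC eth0 (alias eth0:0), LAN 192.168.7.0/24, gateway
# 192.168.7.2. Assumed here: all function names and the sample ping text.

NIC=${NIC:-eth0}
LAN_NET=${LAN_NET:-192.168.7.0/24}

# netfilter matches on the kernel device name only; "-i eth0:0" never matches.
# Strip the alias suffix and select LAN traffic by its source prefix instead.
phys_if() { printf '%s\n' "${1%%:*}"; }

# Print the commands, one per line. Only the LAN prefix may be forwarded and
# masqueraded, so a host that reaches the public address cannot use this box
# as an open NAT relay. send_redirects=0 stops the kernel from telling LAN
# clients to route via the upstream gateway, which they cannot reach directly.
gateway_rules() {
    nic=$(phys_if "$NIC")
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$nic.send_redirects=0
iptables -P FORWARD DROP
iptables -A FORWARD -i $nic -o $nic -s $LAN_NET ! -d $LAN_NET -j ACCEPT
iptables -A FORWARD -i $nic -o $nic -d $LAN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $nic -j MASQUERADE
EOF
}

# Count "Redirect Host" lines in ping output read from stdin. Redirects from
# the gateway's LAN address mean it forwarded the packet back out the device
# it arrived on; together with 100% loss this points at forwarding being on
# while the MASQUERADE rule is missing, which is what post #9 confirmed.
count_redirects() { grep -c 'Redirect Host' || true; }

# Constructed sample, modelled on the client's output in post #5.
SAMPLE_PING='PING 216.239.59.104 (216.239.59.104) 56(84) bytes of data.
From 192.168.7.2: icmp_seq=1 Redirect Host(New nexthop: xxx.yyy.zzz.190)
From 192.168.7.2: icmp_seq=2 Redirect Host(New nexthop: xxx.yyy.zzz.190)'

case "${1:-}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        gateway_rules | while read -r cmd; do sh -c "$cmd"; done ;;
    diagnose)
        n=$(count_redirects)   # ping transcript on stdin
        echo "$n ICMP redirects from the gateway"
        [ "$n" -eq 0 ] || echo "gateway forwards out its only NIC; check ip_forward and the MASQUERADE rule" ;;
    "")
        gateway_rules ;;
    *)
        echo "usage: $0 [apply | diagnose < ping.txt]" >&2; exit 2 ;;
esac
```

Usage: `sh lan-gateway.sh` prints the commands for review; `sudo sh lan-gateway.sh apply` runs them; `ping -c2 216.239.59.104 | sh lan-gateway.sh diagnose` on a client counts the redirects. The rules above are deliberately narrower than a generic "masquerade everything" setup: the FORWARD policy is DROP and only the 192.168.7.0/24 prefix is allowed out, so a host on the public /26 that points a route at xxx.yyy.zzz.157 gets nothing forwarded.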