Debian Firewalls -- DHCP
 
    DHCP is another one of our key services. The Dynamic Host Configuration Protocol, as it is known, is the service that assigns the local IP addresses to our internal computers. This is the default for most firewalled networks. To start off, we'll install DHCPD, the DHCP daemon:

Firewall:~# apt-get install dhcp

Alternative Alert! - DHCPD
You guessed it, more options. We've got loads of alternatives here; just do an apt-cache search dhcp if you don't believe me. Other available options include dhcp3-server, the newer version of the ISC server we're going to use, as well as others. Even DNSMasq, which we installed earlier, can serve DHCP if you wish.
 
   Our configuration file for this daemon is /etc/dhcpd.conf

Firewall:~# nano -w /etc/dhcpd.conf

   If you're running a network on a domain you can set the domain-name option. If not, or you don't know what it is, comment it out. As usual, any line starting with a # is a comment, and won't be processed.

   The DHCP server configuration file has two "sections". The global options are configured outside of everything else, and are applied by default to any subnets you may configure. Then there are the "subnet" subsections. The rules in these sections only apply to the specific subnet in question, and override the global settings.

   For starters, let's make the default-lease-time and max-lease-time longer. These settings tell the server and the client how long an address is valid on the network. After this time, the address must be renewed with the server. On a corporate network with lots of changing hosts, this value should be smaller to allow for better use of the address space. On our home network, computers rarely change, so a small number just creates extra traffic. Making the number larger reduces network overhead, since computers can keep their addresses longer. I use the following:

default-lease-time 86400;
max-lease-time 604800;


   These values are in seconds and work out to one day and one week respectively.

   Now we have to configure our local subnet. If you remember, our internal IP address was 192.168.1.1, meaning all our local computers should be on the 192.168.1.0/24 subnet. Here's the full configuration:

subnet 192.168.1.0 netmask 255.255.255.0 {
   range 192.168.1.10 192.168.1.99;
   option domain-name-servers 192.168.1.1;
   option netbios-name-servers 192.168.1.110;
   option routers 192.168.1.1;
}


   Let's break this down: the first line declares that we're servicing subnet 192.168.1.0/24, our local network. These rules override global rules and apply only to that network.

   The first option, range, tells the server what range of addresses it should assign from. Here, clients will receive addresses between 192.168.1.10 and 192.168.1.99 inclusive.

   The second option, domain-name-servers, tells the hosts what DNS servers to use. This option gives hosts the firewall's address. This assumes you have a DNS proxy set up, as we did in the last step with DNSMasq. If there is no DNS service running on your firewall, you will need to use your ISP's DNS server addresses instead. You can also skip this option entirely and manually configure every client with DNS settings.

   The third option, netbios-name-servers, specifies what are often better known as WINS servers. These servers allow local clients to look up local machines by their NetBIOS names. This option should be left out unless you have a WINS/NetBIOS server on your local network. If you don't know what this is, skip it.

   The final option, routers, is very important. It specifies the address of your gateway, 192.168.1.1. This tells all hosts which machine is the default gateway for the network, i.e. where to send all outgoing traffic.

   Don't forget to close the subnet with a closing bracket "}".

   By nature, DHCP may assign any address in the pool to any machine. Say you have a machine whose address you want to remain constant over time. Our DHCP server can accommodate that as well. To do so, we have to create a host record:

host webserver {
   hardware ethernet 0:0:A0:B1:D3:C4;
   fixed-address 192.168.1.130;
}


   This creates a static host entry. It should go outside of any subnets in the configuration file. The hardware ethernet line must match the MAC address of the computer you want the IP address assigned to. The fixed-address portion simply assigns the given address to the computer with the matching MAC.
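As an added example (not part of the original tutorial), here is a small Python checker that parses a dhcpd.conf like the one built above and flags the mistakes that cause trouble in practice: a range outside the subnet, a routers option outside the subnet, a malformed hardware ethernet line, a fixed-address that overlaps the dynamic pool, or a default lease longer than the maximum. SAMPLE_CONF is a constructed copy of the tutorial's settings, and the parser is deliberately minimal (single-valued options, no nested declarations).

```python
import ipaddress
import re

# Constructed sample mirroring the tutorial's dhcpd.conf (not copied from a live system).
SAMPLE_CONF = """
default-lease-time 86400;
max-lease-time 604800;
subnet 192.168.1.0 netmask 255.255.255.0 {
   range 192.168.1.10 192.168.1.99;
   option domain-name-servers 192.168.1.1;
   option routers 192.168.1.1;
}
host webserver {
   hardware ethernet 0:0:A0:B1:D3:C4;
   fixed-address 192.168.1.130;
}
"""
# dhcpd accepts one or two hex digits per octet, so "0:0:A0:..." is a valid form
MAC_RE = re.compile(r"^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$")

def check_conf(text):
    """Return a list of consistency problems found in dhcpd.conf-style text (empty = OK)."""
    text = re.sub(r"#.*", "", text)                  # drop comments
    problems, nets, pools = [], [], []
    lease = dict((k, int(v)) for k, v in re.findall(r"(\S*lease-time)\s+(\d+);", text))
    if lease.get("default-lease-time", 0) > lease.get("max-lease-time", 0):
        problems.append("default-lease-time exceeds max-lease-time")
    for addr, mask, body in re.findall(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}", text):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        nets.append(net)
        for lo, hi in re.findall(r"range\s+(\S+)\s+(\S+?);", body):
            lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            if lo not in net or hi not in net or lo > hi:
                problems.append(f"range {lo}-{hi} is not inside {net}")
            pools.append((lo, hi))
        # the gateway must sit on the subnet it serves; DNS may legitimately be off-net (ISP)
        for ip in re.findall(r"option routers\s+(\S+?);", body):
            if ipaddress.ip_address(ip) not in net:
                problems.append(f"option routers {ip} is outside {net}")
    for name, body in re.findall(r"host\s+(\S+)\s*\{([^}]*)\}", text):
        macs = re.findall(r"hardware ethernet\s+(\S+?);", body)
        if not macs or not MAC_RE.match(macs[0]):
            problems.append(f"host {name}: missing or malformed hardware ethernet")
        for fixed in re.findall(r"fixed-address\s+(\S+?);", body):
            ip = ipaddress.ip_address(fixed)
            if not any(ip in n for n in nets):
                problems.append(f"host {name}: fixed-address {ip} is in no declared subnet")
            if any(lo <= ip <= hi for lo, hi in pools):
                problems.append(f"host {name}: fixed-address {ip} collides with a dynamic range")
    return problems
```

Run check_conf() on the contents of /etc/dhcpd.conf before restarting the daemon; an empty list means the static and dynamic assignments cannot step on each other.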

   Finally, you'll want to tell DHCPD which interface to listen on at startup. This is set in /etc/default/dhcp.

Firewall:~# nano -w /etc/default/dhcp

   Look for the INTERFACES= line near the top. Make sure the interface between the quotes matches the name of our internal interface, not our internet interface.

INTERFACES="eth1"

   Once that's taken care of, you can start DHCPD.

Firewall:~# /etc/init.d/dhcp start

   Your hosts should now be able to pull valid local addresses from the firewall. If you get any errors, check /var/log/syslog to see what went wrong.

Proceed to Step 9 - SSH
 
Copyright © 2006 Matt LaPlante. All rights reserved.