LinuxQuestions.org
Old 11-08-2003, 04:46 PM   #1
peok
DHCPD setup


well, I've asked many questions on this subject, but I still haven't gotten it.

I have a PC with 2 NICs that I want to be a firewall/router. It's running RH9. It will be connected via eth0 to my cable modem, and the internal network will be eth1. Two computers will have a static IP, and if any others come, they will be dynamic. The firewall/router can connect to the cable modem and get an IP, but the clients cannot obtain an IP address (I've only tested it with the 2 computers supposedly configured for a static IP).

My dhcpd.conf reads:

default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option netbios-name-servers 192.168.1.1;

subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.50 192.168.1.200;
}

host winpc {
hardware ethernet 00:e0:18:1e:70:1c;
fixed-address 192.168.1.2;
}

host mac {
hardware ethernet 00:03:93:90:d8:94;
fixed-address 192.168.1.3;
}


My ifcfg-eth1 reads:

DEVICE=eth1
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
ONBOOT=yes


I also typed route add -host 255.255.255.255 dev eth0 because http://en.tldp.org/HOWTO/DHCP/index.html recommended doing so if working with Windows clients (one is Win2k, one is Mac OS X). I tried starting dhcpd by typing dhcpd eth1. When that didn't work I added the line

dhcpd -q eth1

to /etc/rc.d/rc.local and rebooted, which did nothing. I would set up iptables to see if that's it, but I figured since the computers couldn't even get an ip address, that wouldn't be it. I hope this is enough info to help me isolate the problem(s).
 
Old 11-08-2003, 08:44 PM   #2
homey
Starting the dhcp server is not related to setting up iptables. To start dhcp from the command line type: service dhcpd start, or in Redhat you can access a nice GUI tool for several services by typing: redhat-config-services

Now as far as iptables goes, an easy start for newbies is to use a program called Firestarter.
 
Old 11-08-2003, 09:52 PM   #3
peok
Um, the service command is interesting, but I don't have a GUI installed, nor do I want one.

As far as the service command, I typed "service dhcpd start" and it printed the standard copyright thing it usually does when I type just "dhcpd", but printed "FAILED" in big red letters afterwards. Possibly the problem is in my dhcpd.conf that I posted previously?
 
Old 11-08-2003, 10:12 PM   #4
homey
I don't see anything especially wrong with the config file but I'm not sure about the host parts. Here is what mine looks like....

server-name "192.168.0.1";
max-lease-time 604800;
default-lease-time 604800;
subnet 192.168.0.0 netmask 255.255.255.0 {
option domain-name-servers 192.168.0.1;
option domain-name "mydomain.com";
option broadcast-address 192.168.0.255;
option subnet-mask 255.255.255.0;
option routers 192.168.0.1;
range 192.168.0.2 192.168.0.50;
}
 
Old 11-08-2003, 10:13 PM   #5
peok
Hey, thanks for your answers homey. I noticed your options are in your subnet brackets... I'll give that a try.
 
Old 11-08-2003, 10:32 PM   #6
peok
Well, I tried to swap the order of the "option" phrases and the lease-time things in and out of the brackets, but it still says FAILED when I try to start it with "service dhcpd start". I tried putting in that "option domain-name" and "domain-name-servers" phrase, and the "server-name", but again it didn't work. No error messages either...
 
Old 11-08-2003, 10:56 PM   #7
homey
How about the file /etc/sysconfig/dhcpd? Mine has a line like this...
DHCPDARGS=eth1, which (I think) tells dhcpd to use eth1 for passing out addresses.
 
Old 11-08-2003, 11:05 PM   #8
peok
Well, mine just had "DHCPDARGS=" so I put in eth1. Still failed though when I tried to start it, but I think we're getting somewhere!
 
Old 11-08-2003, 11:18 PM   #9
homey
Last shot before bedtime

How about creating an empty lease file with the command:
touch /var/state/dhcp/dhcpd.leases and restarting the server in debug mode which may help you see what is wrong.
/usr/sbin/dhcpd -d -f
 
Old 11-08-2003, 11:22 PM   #10
peok
Thanks again for all your help homey.

I've done both of those already though, unfortunately.

That debug/foreground doesn't seem to work for me though. It just prints that copyright statement thing and says exiting at the end.
 
Old 11-09-2003, 10:16 AM   #11
peok
This is the copyright output I've been talking about. I typed "service dhcpd start" to get this output, but it is about the same as doing just "dhcpd":

Starting dhcpd: Internet Software Consortium DHCP Server V3.0pl1
Copyright 1995-2001 Internet Software Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP

** You must add a ddns-update-style statement to /etc/dhcpd.conf.
To get the same behaviour as in 3.0b2pl11 and previous
versions, add a line that says "ddns-update-style ad-hoc;"
Please read the dhcpd.conf manual page for more information. **

If you did not get this software from ftp.isc.org, please
get the latest from ftp.isc.org and install that before
requesting help.

If you did get this software from ftp.isc.org and have not
yet read the README, please read it before requesting help.
If you intend to request help from the dhcp-server@isc.org
mailing list, please read the section on the README about
submitting bug reports and requests for help.

Please do not under any circumstances send requests for
help directly to the authors of this software - please
send them to the appropriate mailing list as described in
the README file.

exiting.
[FAILED]
 
Old 11-09-2003, 11:44 AM   #12
homey
Quote:
** You must add a ddns-update-style statement to /etc/dhcpd.conf.
To get the same behaviour as in 3.0b2pl11 and previous
versions, add a line that says "ddns-update-style ad-hoc;"
Please read the dhcpd.conf manual page for more information. **
Sorry, but the error of my ways was to leave the ddns part out, and that seems to be what it's complaining about.

In my case I use interim instead of ad-hoc. That is so dhcp can update the dns entries.

ddns-update-style interim;
ddns-updates on;
ddns-domainname "mydomain.com";
server-name "192.168.0.1";
max-lease-time 604800;
default-lease-time 604800;
subnet 192.168.0.0 netmask 255.255.255.0 {
ddns-updates on;
option domain-name-servers 192.168.0.1;
option domain-name "mydomain.com";
option broadcast-address 192.168.0.255;
option subnet-mask 255.255.255.0;
option routers 192.168.0.1;
range 192.168.0.2 192.168.0.50;
}

 
Old 11-09-2003, 01:43 PM   #13
peok
Yay! It worked!

Thanks homey! It worked!

Well, it gave both of my computers the correct static IP; I'll test the dynamic IP allocation later.

I'm not one who likes to just type something in mindlessly, find out it works, and not wonder what it did, so... I looked through the man pages, but I could not find anything about "ddns-update-style" or the "ddns-update" things. What do they do? I guess if I knew what a "dns entry" was I might understand. What's the difference between interim and ad-hoc? Thanks again for all the help. Now I just need to learn iptables so my computers can actually get through the firewall. The man pages should do nicely for that.

And just for reference, my final dhcpd.conf reads:

ddns-update-style interim;
ddns-updates on;
server-name "192.168.1.1";
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option netbios-name-servers 192.168.1.1;
range 192.168.1.50 192.168.1.200;
}

host vaio {
hardware ethernet 00:e0:18:1e:70:1c;
fixed-address 192.168.1.2;
}

host mac {
hardware ethernet 00:03:93:90:d8:94;
fixed-address 192.168.1.3;
}
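Two static checks worth running on a dhcpd.conf before "service dhcpd start", as an added example that is not code from this thread: the first catches the missing ddns-update-style statement that caused the FAILED above, the second catches a fixed-address that overlaps the dynamic range. The sample file is constructed from peok's config, with one extra host ("extra", a made-up MAC) deliberately placed inside the range so the overlap check has something to find.

```shell
#!/bin/sh
# Added example (not from the thread): static checks for a dhcpd.conf before
# "service dhcpd start". The sample is a constructed copy of peok's config with
# ddns-update-style missing plus one host whose fixed-address sits in the range.
SAMPLE_CONF="${TMPDIR:-/tmp}/dhcpd-sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.50 192.168.1.200;
}
host winpc { hardware ethernet 00:e0:18:1e:70:1c; fixed-address 192.168.1.2; }
host extra { hardware ethernet 00:00:00:00:00:01; fixed-address 192.168.1.60; }
EOF
# Exit 0 if the file declares ddns-update-style, which ISC dhcpd 3.0 requires;
# without it the daemon prints the notice quoted above and exits.
has_ddns_style() {
    grep -Eq '^[[:space:]]*ddns-update-style[[:space:]]+[a-z-]+;' "$1"
}
# Print every fixed-address that lies inside a dynamic range declared in the
# file and exit 1 if any do: dhcpd could lease such an address to another
# client. Assumes IPv4 dotted quads and one "range lo hi;" line per subnet.
range_collisions() {
    awk '
    BEGIN { nr = 0; nf = 0 }
    function ip2n(a,  p) { split(a, p, "[.]"); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    /^[ \t]*range[ \t]/ { gsub(";", ""); lo[nr] = ip2n($2); hi[nr] = ip2n($3); nr++ }
    /fixed-address/ {
        for (i = 1; i <= NF; i++)
            if ($i == "fixed-address") { a = $(i+1); gsub(";", "", a); fa[nf++] = a }
    }
    END {
        bad = 0
        for (i = 0; i < nf; i++)
            for (j = 0; j < nr; j++)
                if (ip2n(fa[i]) >= lo[j] && ip2n(fa[i]) <= hi[j]) { print fa[i]; bad = 1 }
        exit bad
    }' "$1"
}
# Run both checks on a file; the exit status is the number of failed checks.
lint_dhcpd_conf() {
    fails=0
    has_ddns_style "$1" || { echo "missing ddns-update-style statement"; fails=$((fails+1)); }
    if ! hits=$(range_collisions "$1"); then
        echo "fixed-address inside dynamic range: $hits"; fails=$((fails+1))
    fi
    return $fails
}
lint_dhcpd_conf "$SAMPLE_CONF" && echo "no problems found in $SAMPLE_CONF"
```

On a box where ISC dhcpd is installed, `dhcpd -t -cf FILE` then does the full syntax check that these two heuristics do not.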
 
Old 11-09-2003, 02:10 PM   #14
homey
Glad you got it going! The update thingy allows dhcp to tell the dns server when there is a different ip address associated with a particular host name. I have never got that part to work correctly and don't really have a need for it right now so I'll wait until they get the bugs out or somebody gives me a really working method. Anywho, the best place to read up on that is man dhcp or dhcpd.conf

Now as far as your firewall goes, I do have a working script and some notes on getting that set up below.

____________________________________________________________

Do this while logged in as Root
Save the firewall script as /etc/sysconfig/firewall.
Important: Set the permissions for root to read, write and exec. Also, read and exec for group and others.
Something like chmod 755 /etc/sysconfig/firewall ought to do it.
Edit the /etc/rc.d/rc.local file and add the path to the script: /etc/sysconfig/firewall
Run the command: service iptables stop
Type: source /etc/sysconfig/firewall
Type: iptables-save > /etc/sysconfig/iptables
Run the command: service iptables restart
____________________________________________________________

#!/bin/sh
#
# The location of the iptables binary file on your system.

IPTABLES="/sbin/iptables"

# The Internet interface. For ADSL or Dialup users, this should be "ppp0".
# For a cable modem connection, this will probably be "eth0".
EXT="eth0"

# Out with the old stuff.
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X

# These will set up our policies.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Use this for NAT or IP Masquerading.
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE

# This rule protects your forwarding rule.
$IPTABLES -A FORWARD -i $EXT -m state --state NEW,INVALID -j DROP

# Port forwarding looks like this.
#$IPTABLES -t nat -A PREROUTING -i $EXT -p tcp --dport 25 -j DNAT --to 192.168.0.50
#$IPTABLES -t nat -A PREROUTING -i $EXT -p tcp --dport 53 -j DNAT --to 192.168.0.50
#$IPTABLES -t nat -A PREROUTING -i $EXT -p udp --dport 53 -j DNAT --to 192.168.0.50
# These two redirect a block of ports, in both udp and tcp.
#$IPTABLES -t nat -A PREROUTING -i $EXT -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.50
#$IPTABLES -t nat -A PREROUTING -i $EXT -p udp --dport 2300:2400 -j DNAT --to 192.168.0.50

# This rule will accept connections from local machines.
# Adjust 192.168.0.0/24 to your own internal subnet (192.168.1.0/24 in peok's
# case). Note that the rule matches on source address only; adding "-i eth1"
# would keep a packet arriving on the external interface with a forged
# internal source address from matching it.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -s 192.168.0.0/24 -d 0/0 -p all -j ACCEPT

# DROP bad packets.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# DROP icmp, but only after letting certain types through.
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j DROP

# To open up port 22 (SSH Access) to various IP's edit the IP's below
# and uncomment the first line.
# To enable SSH access from anywhere, uncomment the second line only.
#$IPTABLES -A INPUT -i $EXT -s 200.123.10.2 -d 0/0 -p tcp --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -i $EXT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT

# If you are running a Web Server, uncomment the next line to open
# up port 80 on your machine.
#$IPTABLES -A INPUT -i $EXT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT

# Some basic state-matching.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# DROP port 137 netbios packets silently (comment out to disable).
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j DROP

# Final catch-all: anything not accepted above is dropped. Insert a
# "-j LOG" rule before this line if you want these drops recorded.
$IPTABLES -A INPUT -j DROP