LinuxQuestions.org
Old 09-13-2004, 02:00 PM   #1
SiegeX
Member
 
Registered: Jul 2004
Location: Silicon Valley, CA
Distribution: Slackware
Posts: 171

Rep: Reputation: 38
DHCP Server Howto


The Dynamic Host Configuration Protocol (DHCP) allows you to specify network parameters on a server and have client computers query the server for their information such as IP, netmask, gateway, DNS, etc. In addition to not having to statically assign network information to numerous clients, you also do not need to specify the IP of the DHCP server as this discovery is done via broadcast packets; the caveat to this is that you must have one DHCP server per broadcast domain. In case it's not blatantly obvious, the power of DHCP is that if anything changes on your network such as the IP of a DNS server, you only need to edit one configuration file even if you have hundreds of clients.

The DHCP server I am using is called 'dhcpd' (oddly enough) and my current version is dhcp-3.0pl2-i386-1. This howto is not meant to be in-depth but rather just a general overview of some of the common features for the dhcpd server. If you need to do more esoteric configurations please man dhcpd.conf for detailed information.

The following is a common dhcpd.conf file. Below I will dissect this file and explain what each line does. Keeping with the convention of my other Linux Answers, all computer-specific information will be highlighted in blue and will most likely need to be changed.

Code:
ddns-update-style none;

subnet 192.168.1.0 netmask 255.255.255.0
{
        range 192.168.1.100 192.168.1.200;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.1.255;
        option domain-name-servers 123.123.123.10, 123.123.123.20;
        option routers 192.168.1.1;

        host slackbox
        {
                hardware ethernet 00:50:AB:AB:AB:AB;
                fixed-address 192.168.1.7;
        }

        host winbox
        {
                hardware ethernet 00:06:CD:CD:CD:CD;
                fixed-address 192.168.1.8;
        }
}
The first thing we need to do is set a Dynamic DNS update style. Since DynDNS is beyond the scope of this howto, I am going to set the style to none but if this is something you want to do, then the manpages have tons of info on it.
Code:
ddns-update-style none;
Next we must specify what subnet and netmask we will be working on. Note that you can have many subnet configurations within the single dhcpd.conf file. Each subnet group is bound together by curly braces { }.
Code:
subnet 192.168.1.0 netmask 255.255.255.0
Note that every command from here on will only pertain to the subnet specified above. This will be true until we reach the closing curly brace } as noted above.

Now we will specify what range of IP addresses we want to be made available for clients using DHCP. This option is very handy when used in conjunction with a firewall because you know exactly what IP addresses came from a client using DHCP and you can exercise restrictions upon them as necessary.
Code:
range 192.168.1.100 192.168.1.200;
This next line is going to look a bit redundant because we are setting the netmask again even though we set it in the subnet declaration above, but it's recommended in the manpages so we are going to do it.
Code:
option subnet-mask 255.255.255.0;
Next we specify the broadcast address for our subnet. This address always ends in 255 for a subnet mask of 255.255.255.0.
Code:
option broadcast-address 192.168.1.255;
We will definitely want to tell our clients what servers to use for DNS in order to resolve hostnames to IP addresses.
Code:
option domain-name-servers 123.123.123.10, 123.123.123.20;
The next option tells our clients what IP address to use for their gateway. This IP address generally ends in .1 but does not have to. The box with this IP should be configured as a router and be able to forward packets accordingly.
Code:
option routers 192.168.1.1;
If you wanted you could stop here but I thought I would show you a cool little feature that I like to use. Even though DHCP gives out IP address dynamically, it also has the ability to reserve an IP address for a certain computer. In this sense it's almost as if the client computer has a static IP even though it uses DHCP to get it. This is useful if you want to be able to put entries in your /etc/hosts file and not have to worry about the entry becoming invalid over time.

The first thing we must do is to specify a name for the computer as a helpful identifier.
Code:
host slackbox
Note that similarly to the subnet grouping, we are now starting a sub-group as seen by the addition of the curly braces. This allows us to have multiple host definitions within one subnet group.

This next line is what allows us to uniquely identify one computer from another. The hardware ethernet address is the same as the MAC address. This information can be found by running the command ifconfig <interface> | grep HWaddr on a client computer running Linux and ipconfig /all on a client computer running Windows.
Code:
hardware ethernet 00:50:AB:AB:AB:AB;
And finally this next line tells the dhcpd server what IP address you always want to be assigned to this computer. Note that I intentionally make all IPs assigned this way outside of the DHCP range we specified earlier. This is not a must, as the DHCP server is smart enough to not give out two IPs simultaneously, but it helps in being able to quickly recognize which clients used this feature.
Code:
fixed-address 192.168.1.7;
This concludes this DHCP howto. As an added bonus I have included the init script I made for my Slackware box, however this script should work on many other distros. Please make sure you edit the 4 configuration options between the hashmark lines accordingly.

Code:
#!/bin/sh
#
# /etc/rc.d/rc.dhcpd
#
# Start/stop/restart the DHCP daemon.
#
# To make dhcpd start automatically at boot, make this
# file executable:  chmod 755 /etc/rc.d/rc.dhcpd
#
#############################################

CONFIGFILE="/etc/dhcpd.conf"
LEASEFILE="/var/state/dhcp/dhcpd.leases"
INTERFACES="eth1"
OPTIONS="-q"

#############################################

dhcpd_start() {
  if [ -x /usr/sbin/dhcpd -a -r $CONFIGFILE ]; then
    echo "Starting DHCPD..."
     /usr/sbin/dhcpd -cf $CONFIGFILE -lf $LEASEFILE $OPTIONS $INTERFACES
#     /usr/sbin/dhcpd -q $INTERFACES
  fi
}

dhcpd_stop() {
  killall dhcpd
}

dhcpd_restart() {
  dhcpd_stop
  sleep 2
  dhcpd_start
}

case "$1" in
'start')
  dhcpd_start
  ;;
'stop')
  dhcpd_stop
  ;;
'restart')
  dhcpd_restart
  ;;
*)
  # Default is "start", for backwards compatibility with previous
  # Slackware versions.  This may change to a 'usage' error someday.
  dhcpd_start
esac
To start up your brand new dhcpd server simply run the command:
Code:
/etc/rc.d/rc.dhcpd start
As always, questions and comments are welcome. Enjoy!

Last edited by SiegeX; 09-16-2004 at 12:31 PM.
 
Old 09-16-2004, 09:10 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Re: DHCP Server Howto

Quote:
Originally posted by SiegeX
...the broadcast address for our subnet. This address always ends in 255
the broadcast address varies depending on your netmask...

example:

192.168.1.255 can only be the broadcast on subnet 192.168.1.0 with a netmask of 255.255.255.0

if we had subnet 192.168.1.0 with a netmask of 255.255.255.240, then the broadcast address would be 192.168.1.15, and so forth...


Last edited by win32sux; 09-16-2004 at 09:14 AM.
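A consistency check for a dhcpd.conf laid out like the howto's, added here as an example (it is not code from the howto, from either poster, or from the dhcpd project; every function name in it is mine). It parses the subnet, range, option and host statements with small regular expressions and then verifies the points raised in this thread: that the declared broadcast-address is the one derived from the subnet and netmask (win32sux's correction above), that option subnet-mask agrees with the netmask in the subnet declaration, that the dynamic range fits inside the subnet, and that each fixed-address has a well-formed, unique MAC and sits inside the subnet but outside the dynamic range, as the howto recommends. The embedded sample configuration is a copy of the howto's file (minus the second host), and the parser deliberately understands only that flat layout (no shared-network, group, class or pool statements).

```python
import ipaddress
import re

# Constructed sample: a copy of the howto's dhcpd.conf (single host).
SAMPLE_CONF = """\
ddns-update-style none;

subnet 192.168.1.0 netmask 255.255.255.0
{
    range 192.168.1.100 192.168.1.200;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option domain-name-servers 123.123.123.10, 123.123.123.20;
    option routers 192.168.1.1;

    host slackbox
    {
        hardware ethernet 00:50:AB:AB:AB:AB;
        fixed-address 192.168.1.7;
    }
}
"""

SUBNET_RE = re.compile(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)")
RANGE_RE = re.compile(r"\brange\s+(\S+)\s+(\S+)\s*;")
OPTION_RE = re.compile(r"\boption\s+(\S+)\s+([^;]+);")
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{([^}]*)\}")
MAC_RE = re.compile(r"hardware\s+ethernet\s+(\S+)\s*;")
FIXED_RE = re.compile(r"fixed-address\s+(\S+)\s*;")
MAC_FORMAT = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


def _block_body(text, start):
    """Text between the braces of the block that opens at or after index `start`."""
    open_idx = text.index("{", start)
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in dhcpd.conf")


def _first(regex, text):
    m = regex.search(text)
    return m.group(1) if m else None


def parse_subnets(text):
    """One dict per `subnet ... netmask ... { }` block. Deliberately minimal: only the
    flat layout of the howto's file (range, options, host blocks) is understood."""
    subnets = []
    for m in SUBNET_RE.finditer(text):
        body = _block_body(text, m.end())
        hosts = [{"name": h.group(1), "mac": _first(MAC_RE, h.group(2)),
                  "fixed": _first(FIXED_RE, h.group(2))} for h in HOST_RE.finditer(body)]
        top = HOST_RE.sub("", body)  # subnet-level statements only
        rng = RANGE_RE.search(top)
        subnets.append({
            "network": ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True),
            "range": tuple(map(ipaddress.ip_address, rng.groups())) if rng else None,
            "options": {o.group(1): o.group(2).strip() for o in OPTION_RE.finditer(top)},
            "hosts": hosts,
        })
    return subnets


def check_subnet(sub):
    """Problems found in one parsed subnet block; an empty list means it is consistent."""
    net, opts, problems = sub["network"], sub["options"], []
    # The broadcast address follows from subnet + netmask; it is not always .255.
    bcast = opts.get("broadcast-address")
    if bcast and ipaddress.ip_address(bcast) != net.broadcast_address:
        problems.append(f"broadcast-address {bcast} should be {net.broadcast_address}")
    mask = opts.get("subnet-mask")
    if mask and ipaddress.ip_address(mask) != net.netmask:
        problems.append(f"option subnet-mask {mask} disagrees with netmask {net.netmask}")
    lo, hi = sub["range"] or (None, None)
    if lo is None:
        problems.append("no range statement: no dynamic leases will be offered")
    elif lo > hi or lo not in net or hi not in net:
        problems.append(f"range {lo}-{hi} does not fit inside {net}")
    seen = {}  # MAC or fixed IP -> host name, to catch duplicates
    for h in sub["hosts"]:
        name, mac, fixed = h["name"], (h["mac"] or "").lower(), h["fixed"]
        if not MAC_FORMAT.fullmatch(mac) or fixed is None:
            problems.append(f"host {name}: missing or malformed hardware ethernet / fixed-address")
            continue
        ip = ipaddress.ip_address(fixed)
        for key in (mac, ip):
            if key in seen:
                problems.append(f"host {name}: {key} is already used by host {seen[key]}")
            seen[key] = name
        if ip not in net:
            problems.append(f"host {name}: fixed-address {ip} is outside {net}")
        elif lo is not None and lo <= ip <= hi:
            # dhcpd allows this, but the howto keeps reservations out of the dynamic
            # range so they are easy to tell apart in logs and firewall rules.
            problems.append(f"host {name}: fixed-address {ip} lies inside the dynamic range")
    return problems


def check_conf(text):
    """Map each subnet (as 'a.b.c.d/n') to its list of problems."""
    return {str(s["network"]): check_subnet(s) for s in parse_subnets(text)}
```

`check_conf(SAMPLE_CONF)` reports nothing for the howto's file. Changing the subnet declaration's netmask to 255.255.255.240 while leaving the broadcast at .255 produces exactly the mismatch win32sux describes (the broadcast for that subnet is 192.168.1.15), and also flags the range, which no longer fits inside the /28; dhcpd itself would refuse to start on that second problem, so running the check before restarting the daemon is cheaper than finding out from the log.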
 
Old 09-16-2004, 12:32 PM   #3
SiegeX
Member
 
Registered: Jul 2004
Location: Silicon Valley, CA
Distribution: Slackware
Posts: 171

Original Poster
Rep: Reputation: 38
Thanks, I've updated the howto to make it more correct.
 
Old 10-14-2004, 07:26 AM   #4
gigli
LQ Newbie
 
Registered: Oct 2004
Location: Atibaia/SP, Brazil
Distribution: RedHat/Fedora Core 2
Posts: 4

Rep: Reputation: 0
locking a mac address

This way of using DHCP with a MAC related to an IP is very useful, but I'm getting some trouble.
How can I lock an IP address to a MAC address? If the user tries to specify another IP address in his TCP config, he can't use the gateway?
 
Old 10-14-2004, 09:02 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Re: locking a mac address

Quote:
Originally posted by gigli
This way of using DHCP with a MAC related to an IP is very useful, but I'm getting some trouble.
How can I lock an IP address to a MAC address? If the user tries to specify another IP address in his TCP config, he can't use the gateway?
you need to do that with iptables... basically, you use a rule that only allows the packet to be forwarded if it matches both the source ip and mac...

for example:

Code:
iptables -A FORWARD -s 192.168.0.2 -m mac \
--mac-source a1:b2:c3:d4:e5:f6 -j ACCEPT
this example would allow packets to be forwarded as long as they come from ip 192.168.0.2 and mac a1:b2:c3:d4:e5:f6... if the person would change either their ip or mac address, the packet would not be accepted...


PS: you might find this thread interesting:

http://www.linuxquestions.org/questi...hreadid=225598

i helped the guy on that thread with a mac address filtering iptables script...

also, search LQ, you'll find lots of info:

http://www.google.com/search?hl=en&l...rg&btnG=Search

good luck...


Last edited by win32sux; 10-14-2004 at 09:06 AM.
 
Old 10-15-2004, 11:49 AM   #6
gigli
LQ Newbie
 
Registered: Oct 2004
Location: Atibaia/SP, Brazil
Distribution: RedHat/Fedora Core 2
Posts: 4

Rep: Reputation: 0
msn?

Guy... thx...

The blocking is running with all access, but MSN isn't blocked, and if I configure my browser to work with an external squid proxy (external means remote) it works too.

Look at all my FW rules...

Code:
#!/bin/sh

# Variables
# -------------------------------------------------------
iptables=/sbin/iptables
CYBERFW=/usr/local/bin/cyber.fw
IF_EXTERNA=eth0
IF_INTERNA=eth1
MACLIST=/etc/maclist

# Enable routing in the kernel
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward

# Protection against IP spoofing
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter 

# Load modules
# -------------------------------------------------------
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

# Flush rules
# -------------------------------------------------------
$iptables -F
$iptables -X
$iptables -F -t nat
$iptables -X -t nat
$iptables -F -t mangle
$iptables -X -t mangle


# Set the default policy
# -------------------------------------------------------
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP 

for i in `cat $MACLIST`; do
STATUS=`echo $i | cut -d ';' -f 1`
IPSOURCE=`echo $i | cut -d ';' -f 3`
MACSOURCE=`echo $i | cut -d ';' -f 2`
# If status = a then I allow the connection
if [ "$STATUS" = "a" ]; then
$iptables -t filter -A FORWARD -d 0/0 -s $IPSOURCE -m mac --mac-source $MACSOURCE -j ACCEPT
$iptables -t filter -A FORWARD -d $IPSOURCE -s 0/0 -j ACCEPT
$iptables -t nat -A POSTROUTING -s $IPSOURCE -o $IF_EXTERNA -j MASQUERADE
$iptables -t filter -A INPUT -s $IPSOURCE -d 0/0 -m mac --mac-source $MACSOURCE -j ACCEPT
$iptables -t filter -A OUTPUT -s $IPSOURCE -d 0/0 -j ACCEPT

# If it is = b then block the MAC
else
$iptables -t filter -A FORWARD -m mac --mac-source $MACSOURCE -j REJECT
$iptables -t filter -A INPUT -m mac --mac-source $MACSOURCE -j REJECT
$iptables -t filter -A OUTPUT -m mac --mac-source $MACSOURCE -j REJECT
fi
done

#################################################
# FILTER table
#################################################


# Drop unwanted TCP packets
# -------------------------------------------------------
$iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FW: NEW sem syn: " 
$iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP 


# Drop malformed packets
# -------------------------------------------------------
$iptables -A INPUT -i $IF_EXTERNA -m unclean -j LOG --log-level 6 --log-prefix "FW: pacote mal formado: " 
$iptables -A INPUT -i $IF_EXTERNA -m unclean -j DROP 


# Accept the packets that really should come in
# -------------------------------------------------------
#$iptables -A INPUT -i ! $IF_EXTERNA -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


# Protection against trinoo
# -------------------------------------------------------
$iptables -N TRINOO
$iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FW: trinoo: " 
$iptables -A TRINOO -j DROP 
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27444 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27665 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 31335 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 34555 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 35555 -j TRINOO


# Protection against trojans
# -------------------------------------------------------
$iptables -N TROJAN
$iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FW: trojan: " 
$iptables -A TROJAN -j DROP 
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 4000 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6000 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6006 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 16660 -j TROJAN


# Protection against worms
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT


# Protection against syn-flood
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT


# Protection against ping of death
# -------------------------------------------------------
$iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT


# Protection against port scanners
# -------------------------------------------------------
$iptables -N SCANNER 
$iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FW: port scanner: " 
$iptables -A SCANNER -j DROP 
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_EXTERNA -j SCANNER 
$iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_EXTERNA -j SCANNER 
$iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_EXTERNA -j SCANNER 
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_EXTERNA -j SCANNER 
$iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_EXTERNA -j SCANNER 
$iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_EXTERNA -j SCANNER 
$iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_EXTERNA -j SCANNER 


# Log access attempts on certain ports
# -------------------------------------------------------
$iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: ftp: "
$iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: telnet: "
$iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: smtp: "
$iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: http: "
$iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: pop3: "
$iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: rpc: "
$iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: identd: "
$iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: samba: "
$iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: samba: "
$iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: snmp: "
$iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: irc: "
$iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FW: squid: "


# Allow external access to certain ports
# -------------------------------------------------------
$iptables -A INPUT -p tcp --dport 22 -i $IF_EXTERNA -j ACCEPT

# Allow outbound smtp only for the IP XXX.XXX.XXX.XXX
# -------------------------------------------------------
#$iptables -A FORWARD -p tcp -d ! XXX.XXX.XXX.XXX --dport 25 -j LOG --log-level 6 --log-prefix "FW: SMTP proibido: "
#$iptables -A FORWARD -p tcp -d ! XXX.XXX.XXX.XXX --dport 25 -j REJECT


#################################################
# NAT table
#################################################


# Enable outbound masquerading
# -------------------------------------------------------
$iptables -A POSTROUTING -t nat -o $IF_EXTERNA -j MASQUERADE


# Transparent proxy
# -------------------------------------------------------
$iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128
#$iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 8080 -j REDIRECT --to-port 3128


# Redirect ports to other servers
# -------------------------------------------------------
#$iptables -t nat -A PREROUTING -d 192.168.200.1 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.1

#VoIP (web iface, working ports)
$iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.16.3
$iptables -t nat -A PREROUTING -p tcp --dport 5060 -j DNAT --to-destination 192.168.16.3
$iptables -t nat -A PREROUTING -p tcp --dport 5061 -j DNAT --to-destination 192.168.16.3
$iptables -t nat -A PREROUTING -p tcp --dport 5082 -j DNAT --to-destination 192.168.16.3

#VNC
$iptables -t nat -A PREROUTING -p tcp --dport 5140 -j DNAT --to-destination 192.168.16.140

#Camera server
$iptables -t nat -A PREROUTING -p tcp --dport 1999 -j DNAT --to-destination 192.168.16.116
$iptables -t nat -A PREROUTING -p udp --dport 1999 -j DNAT --to-destination 192.168.16.116
#$iptables -t nat -A PREROUTING -p tcp --dport 1350 -j DNAT --to-destination 192.168.16.116


# Redirect ports on the machine itself
# -------------------------------------------------------
#$iptables -A PREROUTING -t nat -d 192.168.200.1 -p tcp --dport 5922 -j REDIRECT --to-ports 22
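The IP-to-MAC pairing win32sux describes in post #5, combined with a validating reader for the status;mac;ip list the script above loops over, as an added example that is neither poster's code (the sample list, the function names and the interface names eth1/eth0 are mine). It only builds the iptables commands as argument lists rather than executing them, so the output can be reviewed or diffed before it is applied. Entries with a malformed MAC, an address outside the LAN, or a MAC or IP that is already listed are reported and skipped; the unquoted `cut` loop above would instead hand such a line straight to iptables, where the failing command is simply passed over while the rest of the list still loads, leaving that host unenforced without any error in the rule set. One caveat that applies equally to the script: `-m mac` matches the link-layer source on the interface the packet arrived on, so it identifies hosts on the directly attached segment only, and since a MAC is set in software it is a convenience filter, not authentication.

```python
import ipaddress
import re
import shlex

MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")

# Constructed sample in the status;mac;ip layout the script above reads from $MACLIST.
SAMPLE_MACLIST = """\
# status;mac;ip   (a = allowed, anything else = blocked)
a;00:50:AB:AB:AB:AB;192.168.1.7
b;00:06:cd:cd:cd:cd;192.168.1.8
a;00:50:ab:ab:ab:ab;192.168.1.9
a;not-a-mac;192.168.1.10
a;00:11:22:33:44:55;192.168.1.300
"""


def parse_maclist(text, lan):
    """Return (entries, errors): entries are (status, mac, ip) tuples that passed every
    check; errors describe the lines that were skipped instead of becoming rules."""
    lan = ipaddress.ip_network(lan)
    entries, errors, seen = [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 3:
            errors.append(f"line {n}: expected status;mac;ip")
            continue
        status, mac, ip = parts
        mac = mac.lower()  # normalise case so the duplicate check cannot be bypassed
        if not MAC_RE.fullmatch(mac):
            errors.append(f"line {n}: malformed MAC {mac!r}")
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"line {n}: malformed IP {ip!r}")
            continue
        if addr not in lan:
            errors.append(f"line {n}: {addr} is not in {lan}")
            continue
        if mac in seen or addr in seen:
            errors.append(f"line {n}: MAC or IP already listed ({mac}, {addr})")
            continue
        seen.update((mac, addr))
        entries.append((status, mac, str(addr)))
    return entries, errors


def build_rules(entries, lan_if, wan_if):
    """iptables commands (argv lists) that forward LAN traffic only for listed IP/MAC pairs.

    Per-host ACCEPT rules are appended before a final DROP on the LAN interface, so a
    host that changes either its IP or its MAC matches nothing and is dropped. `-m mac`
    sees the link-layer source on the arrival interface: hosts on the attached segment
    only, and no proof of identity beyond what the host chooses to send.
    """
    rules = []
    for status, mac, ip in entries:
        if status == "a":
            rules.append(["iptables", "-A", "FORWARD", "-i", lan_if, "-s", ip,
                          "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"])
        else:
            rules.append(["iptables", "-A", "FORWARD", "-i", lan_if,
                          "-m", "mac", "--mac-source", mac, "-j", "REJECT"])
    # Replies to flows the rules above allowed, then everything else from the LAN is dropped.
    rules.append(["iptables", "-A", "FORWARD", "-i", wan_if, "-o", lan_if, "-m", "state",
                  "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"])
    rules.append(["iptables", "-A", "FORWARD", "-i", lan_if, "-j", "DROP"])
    return rules


def render(rules):
    """Shell-quoted lines, ready to review or diff before applying."""
    return "\n".join(shlex.join(r) for r in rules)


if __name__ == "__main__":
    entries, errors = parse_maclist(SAMPLE_MACLIST, "192.168.1.0/24")
    print(render(build_rules(entries, "eth1", "eth0")))
    for e in errors:
        print("skipped:", e)
```

With the sample list, two entries become rules and three are reported: the repeated MAC, the malformed MAC and the out-of-range address. Because the script above sets the FORWARD policy to DROP and then appends a blanket ACCEPT for NEW state, the order of these rules relative to that line decides whether the pairing is enforced at all; generating them as a reviewable list makes that ordering visible before anything is loaded.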
 
Old 10-15-2004, 12:14 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
i think you should start a new thread in another forum...

your new question has nothing to do with this thread or this forum...

good luck...
 
Old 10-15-2004, 01:51 PM   #8
gigli
LQ Newbie
 
Registered: Oct 2004
Location: Atibaia/SP, Brazil
Distribution: RedHat/Fedora Core 2
Posts: 4

Rep: Reputation: 0
that's really

Sorry...
You're right.
 