Installing dhcpd on your LAN interface under Red Hat 7.3
Sins committed in Dec 2002 by Jan K. Labanowski, jkl@ccl.net
Disclaimer: all stuff below is a nonsense, and you cannot rely on any
of this. Only lawyers can tell you how to install your software reliably,
or how to sue someone for giving you the wrong advice. The advice below
is wrong, and you should not use it, and you cannot sue me either, since
you have been warned that this is nonsense. You can also post it wherever
you want, provided that you include this notice, or remove any trace
of my identity from this memo. -- Jan Labanowski, jkl@ccl.net.
Please send corrections to me at jkl@ccl.net and be lenient on me
if I do not answer -- I am kind of busy lately.
You may prefer to have your firewall also act as a DHCP server, i.e.,
assign a dynamic, temporary IP address to a computer when it requests one,
e.g., when it boots. Note that static and dynamic IP addresses can coexist
safely on the LAN. You need to set aside a range of addresses for static
addressing and select a separate range for dynamic assignment. In my case,
I use static addresses for the desktop computers (which do not move) and
dynamic addresses for the laptops. Static addresses have the advantage that
you can assign services to them (e.g., print server, NFS server, etc.)
and their IP addresses will not change. However, when your computer is a
client by definition (e.g., a laptop which you carry to work, to hotels,
and then bring home), DHCP is very handy.
Installing dhcpd
To do this, you need to install dhcp (namely, dhcpd -- the DHCP daemon).
Do not confuse this with dhcpcd (the DHCP client daemon). The DHCP daemon
is the server which hands out IP addresses to computers that request them.
The DHCP client daemon is the program running on the computer which
requests an address, and then renews/maintains it.
I used the RPM package dhcp-2.0pl5-8.i386.rpm, which is available
on the 2nd CD of the RH 7.3 distribution under RedHat/RPMS. You can also
get it from the net, e.g.:
ftp://rpmfind.net/linux/redhat/7.3/en/os/i386/RedHat/RPMS/dhcp-2.0pl5-8.i386.rpm
As root, I installed it with:
rpm -Uhv dhcp-2.0pl5-8.i386.rpm
By default the service is not started on boot. You need to add a few things.
dhcpd.conf
The /etc/dhcpd.conf file:
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.127 192.168.0.254;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.0.255;
  option routers 192.168.0.1;
  option domain-name-servers 192.159.44.10, 211.158.23.19;
  option domain-name "mylan";
}
This assumes that you will be handing out addresses from the "nonroutable"
subnet 192.168.0.0. Only addresses in the range 192.168.0.127 to
192.168.0.254 will be served. This way you can use addresses in the range
192.168.0.2 to 192.168.0.126 for your computers with statically assigned
addresses. The routers option is the IP address of your router interface
(in my case eth1) which is connected to the internal LAN. In my case, it
has the IP address 192.168.0.1. The domain-name-servers entry is VERY
IMPORTANT. It is intentionally BOGUS in the above example (note that digits
are larger than 7 in the example above). You take these numbers from the
file /etc/resolv.conf on your firewall. They are usually assigned by your
Internet Service Provider. You can also run your own DNS server, and then
you give its address here (e.g., if you ran it on the firewall [bad idea],
then it would be 192.168.0.1). The domain name in the above example is what
you want to assign to your internal network internally. It does not matter
to the world outside, since they only see your firewall and the name/address
assigned to it.
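The checks implied by the text above (pool inside the subnet, static hosts kept out of the dynamic pool, router and broadcast values consistent, DNS servers actually taken from resolv.conf) are easy to get wrong by hand. The following Python script is an added example, not part of Jan's memo: it parses a constructed dhcpd.conf fragment matching the one above, compares it against a constructed resolv.conf and a hypothetical inventory of static hosts, and reports anything that would cause address conflicts or dead DNS entries.

```python
import ipaddress
import re

# Constructed dhcpd.conf fragment mirroring the memo's example (not read from disk).
SAMPLE_CONF = """\
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.127 192.168.0.254;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.0.255;
  option routers 192.168.0.1;
  option domain-name-servers 192.159.44.10, 211.158.23.19;
  option domain-name "mylan";
}
"""

# Constructed stand-in for the firewall's /etc/resolv.conf.
SAMPLE_RESOLV = """\
search mylan
nameserver 192.159.44.10
nameserver 192.159.44.11
"""

# Constructed inventory of hosts with static addresses (hypothetical names).
STATIC_HOSTS = {"desktop1": "192.168.0.10", "printer": "192.168.0.20",
                "nfs": "192.168.0.126"}


def parse_subnet(conf):
    """Extract the subnet, pool range and the options this memo cares about
    from the first subnet block of a dhcpd 2.x style configuration."""
    block = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", conf, re.S)
    if not block:
        raise ValueError("no subnet block found")
    network = ipaddress.ip_network("%s/%s" % (block.group(1), block.group(2)))
    body = block.group(3)
    pool = re.search(r"\brange\s+(\S+)\s+(\S+)\s*;", body)
    if not pool:
        raise ValueError("subnet block has no range statement")

    def option(name):
        # Returns the comma-separated values of one option, or [] if absent.
        hit = re.search(r"option\s+%s\s+([^;]+);" % name, body)
        return [v.strip() for v in hit.group(1).split(",")] if hit else []

    return {
        "network": network,
        "range": (ipaddress.ip_address(pool.group(1)), ipaddress.ip_address(pool.group(2))),
        "routers": [ipaddress.ip_address(v) for v in option("routers")],
        "dns": [ipaddress.ip_address(v) for v in option("domain-name-servers")],
        "broadcast": [ipaddress.ip_address(v) for v in option("broadcast-address")],
    }


def resolv_nameservers(text):
    """nameserver lines from resolv.conf, as a set of address objects."""
    return {ipaddress.ip_address(line.split()[1])
            for line in text.splitlines() if line.startswith("nameserver")}


def check(conf, resolv, static_hosts):
    """Return a list of human-readable findings; an empty list means nothing found."""
    cfg = parse_subnet(conf)
    net, (low, high) = cfg["network"], cfg["range"]
    findings = []
    if low > high:
        findings.append("range is reversed: %s > %s" % (low, high))
    for ip in (low, high):
        if ip not in net:
            findings.append("range endpoint %s lies outside %s" % (ip, net))
    for ip in cfg["broadcast"]:
        if ip != net.broadcast_address:
            findings.append("broadcast-address %s should be %s" % (ip, net.broadcast_address))
    for ip in cfg["routers"]:
        if ip not in net:
            findings.append("router %s lies outside %s" % (ip, net))
        elif low <= ip <= high:
            findings.append("router %s sits inside the dynamic pool" % ip)
    for name, addr in sorted(static_hosts.items()):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            findings.append("static host %s (%s) is not in %s" % (name, ip, net))
        elif low <= ip <= high:
            findings.append("static host %s (%s) overlaps the dynamic pool %s-%s"
                            % (name, ip, low, high))
    known = resolv_nameservers(resolv)
    for ip in cfg["dns"]:
        if ip not in known:
            findings.append("domain-name-servers entry %s is not listed in resolv.conf" % ip)
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE_CONF, SAMPLE_RESOLV, STATIC_HOSTS) or ["configuration looks consistent"]:
        print(line)
```

Run against the memo's own values, the only finding is the second (bogus) DNS server, which is exactly the entry the text warns about; move one "static" host into 192.168.0.127-254 and the overlap is reported as well.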
/etc/sysconfig/dhcpd
The /etc/sysconfig/dhcpd file contains parameters to be passed on the
command line of dhcpd when it is started. In my case, I only give the
interface name on which I want DHCP to run. My LAN is attached to the
eth1 interface of my firewall, so this is what needs to be there:
# Command line options here
DHCPDARGS=eth1
/etc/rc.d/init.d/dhcpd
The script which starts the DHCP server on boot-up is located in
/etc/rc.d/init.d/dhcpd with the other startup scripts of RH 7.3 Linux.
You need to edit the script: look for the line:
# chkconfig: - 65 35
or something similar. Change it to:
# chkconfig: 345 65 35
The boot-up links for DHCP are usually inactive, so you need to add them.
What I did is:
cd /etc/rc.d
find . -name "[SK]*dhcpd" -exec rm {} \;   # this deletes the old links
cd init.d
chkconfig --add dhcpd
chkconfig --list dhcpd
You should see "on" at runlevels 3, 4, and 5.
Your firewall script
By default, the firewall will usually block the broadcasts and will
not allow your LAN computers to query the DHCP server for an address.
You need to put something like this close to the top of your
firewall script to allow DHCP to serve your LAN:
$IPTABLES -t nat -A PREROUTING -i eth1 -p UDP -s 192.168.0.1 \
   --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p UDP -s 0.0.0.0/32 --sport 67 \
   -d 255.255.255.255/32 --dport 68 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p UDP -s 0.0.0.0/32 --sport 68 \
   -d 255.255.255.255/32 --dport 67 -m state --state NEW,ESTABLISHED \
   -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p UDP -s 0.0.0.0/0 --sport 67 -d 192.168.0.1 \
   --dport 68 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p UDP -s 192.168.0.1 --sport 68 \
   -d 0.0.0.0/0 --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
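The odd-looking addresses in those rules (source 0.0.0.0, destination 255.255.255.255) come from how a DHCP client talks before it has an address. The Python script below is an added example, not part of the memo or of the dhcpd package: it builds two constructed client messages (a DISCOVER from a fresh client and a REQUEST from a client renewing 192.168.0.130), decodes the BOOTP header and option TLVs, derives the UDP endpoints each message uses, and checks them against the two INPUT rules above. The memo's "any/0" is written as 0.0.0.0/0 here, and the renewing client is assumed to unicast to the firewall at 192.168.0.1 because that is where dhcpd listens in this setup.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # the 236-byte fixed BOOTP header
FIREWALL_IP = "192.168.0.1"                 # assumed: the eth1 address where dhcpd listens

# The memo's two INPUT rules reduced to their match fields ("any/0" -> 0.0.0.0/0).
INPUT_RULES = [
    {"name": "broadcast from unconfigured client",
     "src": "0.0.0.0/32", "sport": 68, "dst": "255.255.255.255/32", "dport": 67},
    {"name": "request sourced from the firewall address",
     "src": "192.168.0.1/32", "sport": 68, "dst": "0.0.0.0/0", "dport": 67},
]


def build_client_message(msg_type, mac, xid, ciaddr="0.0.0.0"):
    """Build a minimal BOOTREQUEST carrying a DHCP message-type option.
    Constructed test data, not captured traffic."""
    header = struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, 0,
                         ipaddress.ip_address(ciaddr).packed,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type, 255])   # option 53 = message type, 255 = end
    return header + MAGIC_COOKIE + options


def parse_dhcp(pkt):
    """Decode the fixed header and the option TLVs; raises on truncated input."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr,
     _siaddr, _giaddr, chaddr, _sname, _file) = struct.unpack(BOOTP_HDR, pkt[:236])
    options = {}
    i = 240
    while i < len(pkt) and pkt[i] != 255:        # 255 = end option
        if pkt[i] == 0:                          # 0 = pad, carries no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option at offset %d" % i)
        length = pkt[i + 1]
        options[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    mtype = (options.get(53) or b"\0")[0]
    return {"op": op, "xid": xid, "broadcast_flag": bool(flags & 0x8000),
            "ciaddr": str(ipaddress.ip_address(ciaddr)),
            "yiaddr": str(ipaddress.ip_address(yiaddr)),
            "chaddr": chaddr[:min(hlen, 16)].hex(":"),
            "type": MESSAGE_TYPES.get(mtype, "UNKNOWN(%d)" % mtype)}


def udp_endpoints(msg):
    """(src, sport, dst, dport) for a client message, per RFC 2131 section 4.1:
    a client with no address sends from 0.0.0.0:68 to the limited broadcast
    address; a client renewing keeps its address in ciaddr and unicasts to
    its server (assumed here to be the firewall)."""
    if msg["op"] != 1:
        raise ValueError("only client (BOOTREQUEST) messages are handled")
    if msg["ciaddr"] == "0.0.0.0":
        return ("0.0.0.0", 68, "255.255.255.255", 67)
    return (msg["ciaddr"], 68, FIREWALL_IP, 67)


def rule_matches(rule, src, sport, dst, dport):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
            and rule["sport"] in (None, sport) and rule["dport"] in (None, dport))


def accepting_rules(pkt):
    """Names of the memo's INPUT rules that would accept this client message."""
    ends = udp_endpoints(parse_dhcp(pkt))
    return [r["name"] for r in INPUT_RULES if rule_matches(r, *ends)]


if __name__ == "__main__":
    mac = bytes.fromhex("00112233aabb")                      # constructed MAC
    discover = build_client_message(1, mac, 0x3903F326)
    renew = build_client_message(3, mac, 0x3903F327, ciaddr="192.168.0.130")
    for label, pkt in (("DISCOVER", discover), ("renewal REQUEST", renew)):
        msg = parse_dhcp(pkt)
        print(label, msg["type"], msg["chaddr"], udp_endpoints(msg),
              accepting_rules(pkt) or "NO RULE MATCHES")
```

The DISCOVER is accepted by the first rule, but the renewal, which arrives from a leased address (192.168.0.127-254) rather than from 0.0.0.0 or 192.168.0.1, is matched by neither of the two INPUT rules on their own. Before relying on this fragment, check what the rest of your firewall script permits on eth1, or extend the second rule to the LAN subnet.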
Rgds
$IPTABLES -A OUTPUT -o eth1 -p tcp -s 0.0.0.0/32 --sport 67 -d 255.255.255.255/32 --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -o $internal_int -p udp -s $internal_ip --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
$IPTABLES -A INPUT -i $internal_int -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $internal_int -p udp --sport 68 --dport 67 -j ACCEPT
The
http://www.nobell.org/~gjm/linux/gateway/