Configure Gateway, DNS, and DHCP (with PXE)

As described in my previous post, I am going to configure an ASUS server working as Gateway, DNS, and DHCP (with PXE).

LAN (eth0): 192.168.100.1; WAN (eth1): 192.168.1.254

OS: Debian 5.0.4 (Lenny)

1. Configure Dual NICs

aptitude install ifmetric

Edit /etc/network/interfaces; here is mine:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface (LAN)
allow-hotplug eth0
iface eth0 inet static
    address 192.168.100.1
    netmask 255.255.255.0
    network 192.168.100.0
    broadcast 192.168.100.255
    gateway 192.168.100.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 192.168.100.1
    dns-search example.com
    metric 1

# The secondary network interface (WAN)
allow-hotplug eth1
iface eth1 inet static
    address 192.168.1.254
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 192.168.1.1
    dns-search example.com
    metric 0

2. DNS Service

aptitude install bind9
/etc/init.d/bind9 stop

I use IPv4 only, so update /etc/default/bind9 with:

OPTIONS="-4 -u bind"

Edit /etc/bind/named.conf.options for directory and forwarders configuration:

options {
    directory "/var/cache/bind";
    # DNS servers supplied by your ISP, or use OpenDNS / Google public DNS.
    forwarders {
        208.67.222.222;
        208.67.220.220;
        8.8.8.8;
    };
    auth-nxdomain no;         # conform to RFC1035
    listen-on-v6 { any; };    # seems useless with -4, but it is the Debian default
};

Edit /etc/bind/named.conf.local to add zones:

# defines example.com
zone "example.com" {
    type master;
    file "db.example.com";
};

# defines our local subnet 192.168.100.0/24
zone "100.168.192.in-addr.arpa" {
    type master;
    notify no;
    file "db.100.168.192";
};

Because /etc/bind/named.conf.options sets directory "/var/cache/bind", the zone files go in /var/cache/bind/. Here is /var/cache/bind/db.example.com:

;
; Zone file for example.com
;
; The full zone file
;
$TTL 1H
@ IN SOA example.com. root.example.com. (
        2010031701 ; Serial, today's date + today's serial number
        1H         ; Refresh
        20M        ; Retry
        1W         ; Expire
        1H )       ; Minimum (negative caching TTL)
;
@ IN NS gateway.example.com.
example.com. IN MX 10 mail.example.com.
example.com. IN A 192.168.100.1
;
gateway IN A 192.168.100.1
ntp IN CNAME gateway
pdc IN A 192.168.100.2
rcs IN CNAME pdc
its IN CNAME pdc
release IN CNAME pdc
lin IN A 192.168.100.5
mail IN CNAME lin
www IN CNAME lin
win IN A 192.168.100.8
printer IN A 192.168.1.253

/var/cache/bind/db.100.168.192:

$TTL 1H
@ IN SOA example.com. root.example.com. (
        2010031701 ; Serial, today's date + today's serial number
        1H         ; Refresh
        20M        ; Retry
        1W         ; Expire
        1H )       ; Minimum (negative caching TTL)
;
@ IN NS gateway.example.com.
@ IN PTR example.com.
1 IN PTR gateway.example.com.

Please refer to references below for more information on the grammar of db.* files.

Start Bind9:

/etc/init.d/bind9 start

3. DHCP Service

aptitude install dhcp3-server

Edit /etc/default/dhcp3-server so that the DHCP service listens only on interface eth0 (the LAN):

INTERFACES="eth0"

Edit /etc/dhcp3/dhcpd.conf for the DHCP configuration with PXE support. It is straightforward; the only things to notice are that the TFTP server (next-server) is 192.168.100.5, which is a different machine, and that the boot file (filename) is either “pxelinux.0” or “grldr”.

ddns-update-style none;
option domain-name "example.com";
option domain-name-servers gateway.example.com;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;

subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.129 192.168.100.250;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.100.255;
    option routers 192.168.100.1;
    next-server 192.168.100.5;
    #filename "pxelinux.0";
    filename "grldr";
}
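Two things are worth checking before starting the services above, as an added example that is not part of the original post: every LAN host with an A record in db.example.com should also have a PTR record in db.100.168.192 (the reverse zone shown above only covers 192.168.100.1), and none of the statically assigned addresses should fall inside the dhcpd range, or a client could be leased a server's address. The script below parses only the minimal zone-file and dhcpd.conf syntax used on this page (one record per line, ';' comments, a 'range lo hi;' statement), not the full BIND or ISC grammars; the configuration texts embedded in it are constructed copies of the page's files, and the function names are this example's own.

```python
"""Consistency checks for the BIND zone files and dhcpd.conf from this post.

Added example, not part of the original post. It understands only the
minimal syntax used on the page, not the full zone-file/dhcpd.conf grammar.
"""
import ipaddress
import re

# Constructed inputs: copies of the page's db.example.com, db.100.168.192
# and dhcpd.conf with the comment headers and CNAME records trimmed.
FORWARD_ZONE = """\
$TTL 1H
@ IN SOA example.com. root.example.com. (
2010031701 ; Serial
1H ; Refresh
20M ; Retry
1W ; Expire
1H ) ; Minimum
@ IN NS gateway.example.com.
example.com. IN MX 10 mail.example.com.
example.com. IN A 192.168.100.1
gateway IN A 192.168.100.1
pdc IN A 192.168.100.2
lin IN A 192.168.100.5
win IN A 192.168.100.8
printer IN A 192.168.1.253
"""

REVERSE_ZONE = """\
$TTL 1H
@ IN SOA example.com. root.example.com. (
2010031701 ; Serial
1H ; Refresh
20M ; Retry
1W ; Expire
1H ) ; Minimum
@ IN NS gateway.example.com.
@ IN PTR example.com.
1 IN PTR gateway.example.com.
"""

DHCPD_CONF = """\
subnet 192.168.100.0 netmask 255.255.255.0 {
range 192.168.100.129 192.168.100.250;
option routers 192.168.100.1;
next-server 192.168.100.5;
filename "grldr";
}
"""

LAN = ipaddress.ip_network("192.168.100.0/24")  # the /24 the reverse zone covers


def _fields(line):
    """Split a zone/config line into tokens, dropping ';' comments."""
    return line.split(";", 1)[0].split()


def parse_a_records(zone_text, origin="example.com"):
    """Return {fqdn: IPv4Address} for every A record in the zone."""
    records = {}
    for line in zone_text.splitlines():
        tok = _fields(line)
        if len(tok) == 4 and tok[1] == "IN" and tok[2] == "A":
            name = tok[0]
            if name == "@":
                fqdn = origin
            elif name.endswith("."):
                fqdn = name.rstrip(".")
            else:
                fqdn = name + "." + origin
            records[fqdn] = ipaddress.ip_address(tok[3])
    return records


def parse_ptr_records(zone_text, network=LAN):
    """Return {IPv4Address: fqdn} for the host PTR records of a /24 reverse zone."""
    records = {}
    for line in zone_text.splitlines():
        tok = _fields(line)
        if len(tok) == 4 and tok[2] == "PTR" and tok[0].isdigit():
            records[network.network_address + int(tok[0])] = tok[3].rstrip(".")
    return records


def parse_dhcp_range(conf_text):
    """Return (lo, hi) of the first 'range lo hi;' statement in dhcpd.conf."""
    m = re.search(r"\brange\s+(\S+)\s+(\S+)\s*;", conf_text)
    if m is None:
        raise ValueError("no range statement found")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def missing_ptr(forward_text, reverse_text, network=LAN):
    """LAN addresses with an A record but no PTR record (reverse lookups fail)."""
    ptr = parse_ptr_records(reverse_text, network)
    addrs = {ip for ip in parse_a_records(forward_text).values() if ip in network}
    return [str(ip) for ip in sorted(addrs) if ip not in ptr]


def static_in_dhcp_pool(forward_text, conf_text):
    """Statically assigned addresses that fall inside the dynamic DHCP range."""
    lo, hi = parse_dhcp_range(conf_text)
    addrs = set(parse_a_records(forward_text).values())
    return [str(ip) for ip in sorted(addrs) if lo <= ip <= hi]


if __name__ == "__main__":
    print("A records without PTR:", missing_ptr(FORWARD_ZONE, REVERSE_ZONE))
    print("static addresses inside the DHCP pool:",
          static_in_dhcp_pool(FORWARD_ZONE, DHCPD_CONF))
```

Run against the page's files it reports 192.168.100.2, .5 and .8 as lacking PTR records and an empty list for the pool overlap, since the range starts at .129; lowering the start of the range below the static hosts makes the second check flag them.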

4. TFTPD Configuration for PXE

The TFTPD service runs on the Linux development server (192.168.100.5). You can refer to my old post “Configure TFTPD on Debian Lenny”.

If you want to use “pxelinux.0” for PXE boot, install syslinux first:

aptitude install syslinux
cp /usr/lib/syslinux/pxelinux.0 /var/lib/tftpboot/

Create the configuration file /var/lib/tftpboot/pxelinux.cfg/default for pxelinux.0. I use it to load GRUB4DOS here (download grub.exe from the official GRUB4DOS site). NOTICE: the first line must be “LABEL linux”! Otherwise it complains that there is no configuration file.

LABEL linux
MENU LABEL GRUB4DOS with PXE
kernel /grub.exe
append keeppxe

Create /home/tftpboot/menu.lst for GRUB4DOS:

color white/blue black/light-gray
timeout 30
default /default
title My ISO
map --mem (pd)/myiso.iso (0xFF)
map --hook
root (0xFF)
chainloader (0xFF)
boot
title Debian Stable Installer (network)
kernel (pd)/debian/stable/linux
initrd (pd)/debian/stable/initrd.gz
boot
title Slackware 13.0 Installer
kernel (pd)/slackware/hugesmp.s/bzImage
initrd (pd)/slackware/initrd.img
boot
title Microsoft Windows 98 DOS Disk
map --mem (pd)/bootdisk.img (fd0)
map --hook
chainloader (fd0)+1
rootnoverify (fd0)
map --floppies=1
boot
title PXELinux
pxe keep
chainloader --raw (pd)/pxelinux.0
title Command Line
commandline
title Reboot
reboot
title Halt
halt

Now copy the boot ISO to /home/tftpboot/myiso.iso, download the Debian Stable network installer files from http://ftp.debian.org/debian/dists/stable/main/installer-i386/current/images/netboot/debian-installer/i386/ into the /home/tftpboot/debian/ folder, and take the Slackware installer files from SlackDVD/kernels/hugesmp.s/bzImage and SlackDVD/isolinux/initrd.img (you can download them from the official site, of course).

5. Gateway Service

Edit /etc/rc.local to add the following iptables rules:

IPT="/sbin/iptables"
# The network interface you will use
# WAN is the one connected to the internet
# LAN the one connected to your local network
WAN="eth1"
LAN="eth0"
# First we need to clear up any existing firewall rules
# and chain which might have been created
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
# Default policies. The original script dropped incoming packets by default;
# here everything is accepted and unwanted INPUT is handled by the Rejectwall chain at the end.
#$IPT -P INPUT DROP
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
# Load the related kernel modules for iptables
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# To be able to forward traffic from your LAN
# to the Internet, we need to tell the kernel
# to allow ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerading makes machines on the LAN
# look as if they were the router
$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# Do not allow other new or invalid connections to reach your internal network
$IPT -A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP
# Accept any connections from the local machine
$IPT -A INPUT -i lo -j ACCEPT
# plus from your local network
$IPT -A INPUT -i $LAN -j ACCEPT
# plus everything arriving on the WAN interface. Note this accepts all WAN traffic,
# so the ssh rule and the Rejectwall catch-all below never apply to packets from eth1
$IPT -A INPUT -i $WAN -j ACCEPT
# inform the sender that the packet was rejected
$IPT -N Rejectwall
$IPT -A Rejectwall -j REJECT
# use the following instead if you want to simulate that the host is not reachable
# for fun though
#$IPT -A Rejectwall -j REJECT --reject-with icmp-host-unreachable
$IPT -A INPUT -p icmp -j ACCEPT
# Accept ssh connections from the Internet
$IPT -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT
# Accept related and established connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop netbios from the outside, no log, just drop
#$IPT -A INPUT -p udp --sport 137 --dport 137 -j DROP
# Finally, anything which was not allowed yet
# is going to go through our Rejectwall rule
$IPT -A INPUT -j Rejectwall
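To see how rule order in this INPUT chain plays out, here is an added example (not part of the original post, and not iptables itself) that replays the chain with the same first-match semantics the kernel applies. The Packet fields, INPUT_CHAIN table and without_wan_accept helper are this example's own constructions; it models only the matchers the script uses (-i, -p, --dport, -m state --state) and the Rejectwall user chain.

```python
"""Replay of the INPUT chain from the rc.local script with first-match semantics.

Added example, not part of the original post and not iptables itself. It
models only the matchers that script uses (-i, -p, --dport, -m state) so
that the effect of rule order can be checked without touching a kernel.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; only the fields the chain inspects."""
    iface: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"


# (match, target) pairs in the same order as the script's INPUT rules.
INPUT_CHAIN = [
    ({"iface": "lo"}, "ACCEPT"),
    ({"iface": "eth0"}, "ACCEPT"),                        # LAN
    ({"iface": "eth1"}, "ACCEPT"),                        # the blanket WAN accept
    ({"proto": "icmp"}, "ACCEPT"),
    ({"iface": "eth1", "proto": "tcp", "dport": 22}, "ACCEPT"),
    ({"state": ("RELATED", "ESTABLISHED")}, "ACCEPT"),
    ({}, "Rejectwall"),                                   # catch-all jump
]
USER_CHAINS = {"Rejectwall": [({}, "REJECT")]}
INPUT_POLICY = "ACCEPT"                                   # $IPT -P INPUT ACCEPT


def _matches(match, pkt):
    """True when every key in the match dict agrees with the packet."""
    for key, want in match.items():
        have = getattr(pkt, key)
        if isinstance(want, tuple):
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def verdict(pkt, chain=None, policy=INPUT_POLICY):
    """Walk the chain top to bottom and return the first terminating verdict."""
    chain = INPUT_CHAIN if chain is None else chain
    for match, target in chain:
        if not _matches(match, pkt):
            continue
        if target in USER_CHAINS:
            # A user chain that falls through returns to the caller (policy=None).
            result = verdict(pkt, USER_CHAINS[target], policy=None)
            if result is not None:
                return result
        else:
            return target
    return policy


def without_wan_accept(chain=None):
    """The same chain with the blanket '-i eth1 -j ACCEPT' rule removed."""
    chain = INPUT_CHAIN if chain is None else chain
    return [rule for rule in chain if rule[0] != {"iface": "eth1"}]


def compare(pkt):
    """Verdicts for one packet under the script's chain and under the trimmed one."""
    return verdict(pkt), verdict(pkt, without_wan_accept())


if __name__ == "__main__":
    for pkt in (Packet("eth1", "tcp", 23), Packet("eth1", "tcp", 22),
                Packet("eth0", "udp", 137), Packet("eth1", "tcp", 80, "ESTABLISHED")):
        print(pkt, "->", compare(pkt))
```

With the script's ordering, the "-i eth1 -j ACCEPT" rule is reached before the ssh rule and the Rejectwall jump, so every new connection from the WAN is accepted and those two rules never see WAN traffic. Removing that one line makes port 22 (plus ICMP and replies to established connections) the only WAN traffic the chain admits, which is what the surrounding comments describe.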

Then run the script to enable it:

sh /etc/rc.local

Note: I just copied the script from the Internet and made a few changes for my own configuration. You’d better read the iptables manual carefully if you have other requirements.

References:

1. Debian Reference, Chapter 5, The ifmetric package.

2. How-To: Set up a LAN gateway with DHCP, Dynamic DNS and iptables on Debian Etch.

3. Bind 9 配置 (Bind 9 Configuration; in Chinese).

4. BIND 9 Configuration Reference, from the BIND 9 Administrator Reference Manual.

5. Iptables Tutorial.
