Linux EL 7 Router and Firewall
[Image: SecureCRT providing SSH access to a CentOS server]
OS family: Linux (CentOS/RHEL 7)
Working state: Public
Supported platforms: x86, x64
Linux Router and Firewall
From SSN
This tutorial shows you how to set up a server whose sole purpose is to be the DHCP server and
firewall for your LAN. The point of having a Linux-based server/firewall is flexibility; in some cases
you also get better bandwidth and speed out to the internet, but flexibility is the real reason.
Any Linux distribution can be used for this purpose, but this tutorial focuses on CentOS 7.x and its
relatives (RHEL, Scientific Linux, etc.). It also covers some security aspects of putting your new Linux
router into 'production', where you want it to stay up and keep traffic flowing in both directions.
If you are looking for RHEL/CentOS 6, go here.
Contents
1 Overview
1.1 Advantages to having a Linux Router
1.2 Disadvantages to having a Linux Router
1.3 Required Software and Hardware
2 Tutorial
2.1 Setting up DHCP
2.2 The firewall
2.2.1 FirewallD
2.3 SSH User Access and Restrictions
3 Extras
3.1 Renaming your Devices
3.2 Target static IP for specific host
3.3 Forwarding Ports
3.3.1 FirewallD
3.4 Denying Unknown Mac Addresses
3.5 IPv6 Tunnel
3.6 Dynamic DNS
Overview
This tutorial gives you the steps to get a Linux router set up for your LAN. It is a secure option, it is a
base you can modify, and it is a learning and educational experience. In the end it is a straightforward
process that works on a wide range of distributions, hardware and network layouts.
We only cover the basics of getting up and running. QoS, IPv6 tunnels, DNS and advanced firewall rules
are beyond the scope of the main article, but some are included as extras at the bottom.
Note: This guide is meant as a learning exercise, to show from a manual standpoint how most dedicated
router setups typically work.
Advantages to having a Linux Router
Flexibility. You get a system that can double as an in-house lab box, an SSH tunnel endpoint, a
PXE/Cobbler host, or even a web server if you're so inclined. The only limits are you and what you want.
Disadvantages to having a Linux Router
You have to dedicate a PC to it. If all you want is a router, it may make more sense to buy an
off-the-shelf router and flash it with third-party, Linux-based firmware.
Required Software and Hardware
The software requirements:
- A Linux OS. CentOS 7 (http://www.centos.org) is what we'll use here.
The hardware requirements:
- A PC that can handle a minimal install of a Linux OS. The hard drive does NOT have to be large.
- Two network cards. One of them CAN be the built-in one, but you'll need a second, add-on PCI
ethernet card for the other side.
- Your stock router needs its DHCP server turned off and a static address set in your new subnet, so it
can act as a plain switch/access point behind the Linux box.
Tutorial
Now we will begin the process of setting up the Linux Router.
*** Warning: Potential Pitfalls! ***
- An incorrect firewall or SSH configuration can create security holes.
- Leaving SSH on port 22 gets you constant brute-force attempts from the internet. Move it to a
non-standard port, or turn SSH off completely if you don't need remote access. (Moving the port only cuts
the noise; the real protection is no root login and key-only authentication, covered below.)
- If your system uses SELinux, leave it on. It's there for a reason. Turn it off for troubleshooting only.
- Do NOT come to me for support if you have disabled SELinux.
- You need to turn your store-bought router into a switch by turning off its DHCP server and setting a
static IP on it, so you can still reach it when necessary.
Setting up DHCP
To start everything off, you'll need to set up a DHCP server. You may also want to disable
NetworkManager. If you wish to keep it on, then do so. However, I turn it off in this tutorial for
generally good reasons. (The LAN interface file below also carries NM_CONTROLLED="no", which keeps
NetworkManager off that interface even if the service stays running.)
% yum install dhcp dhcp-common -y
% systemctl stop NetworkManager
% systemctl disable NetworkManager
% systemctl restart network
% systemctl status NetworkManager
NetworkManager.service - Network Manager
   Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; disabled)
   Active: inactive (dead)
% systemctl status network
network.service - LSB: Bring up/down networking
   Loaded: loaded (/etc/rc.d/init.d/network)
   Active: active (running) since Thu 2014-07-03 13:39:51 MST; 23h ago
   CGroup: /system.slice/network.service
           └─1119 /sbin/dhclient -H zera1 -1 -q -lf /var/lib/dhclient/dhclient-ca756c19-c76b-46fa-813e-ae26a3994860-ens19...
Now we need to make some slight changes to our interface files in /etc/sysconfig/network-scripts/. We'll
start with the LAN interface, "enp5v0"; it may have a different name on your box (ens..., p3p1, etc.), so
change the names to fit.
DEVICE="enp5v0"
BOOTPROTO="static"        ## Static address: this box is the gateway
TYPE="Bridge"
NM_CONTROLLED="no"
ONBOOT="yes"
IPADDR="10.100.1.1"       ## Set the gateway IP you plan on using
NETMASK="255.255.255.0"
After making that change, restart the network service and double check.
% systemctl restart network
% ip addr show enp5v0
10: enp5v0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether --- brd ff:ff:ff:ff:ff:ff
    inet 10.100.1.1/24 brd 10.100.1.255 scope global enp5v0
       valid_lft forever preferred_lft forever
    inet6 fe80::214:d1ff:fe23:2b2c/64 scope link
       valid_lft forever preferred_lft forever
Now, let's modify our /etc/dhcp/dhcpd.conf file. It is a nearly empty file to begin with. These are the
settings I used. Make sure to read the comments.
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
allow booting;                      ## Helps with PXE
allow bootp;                        ## Same thing, some POS controllers need this
authoritative;                      ## Authoritative DHCP server for this network
# deny unknown-clients;             ## See the "Denying Unknown Mac Addresses" extra
ignore client-updates;              ## Ignore clients asking to do their own DNS updates; the server does them
set vendorclass = option vendor-class-identifier;   ## Records the client's vendor class in the lease file; in my case dhcpd wouldn't work without it
subnet 10.100.1.0 netmask 255.255.255.0 {          ## Your network and mask go here
    interface enp5v0;                              ## Interface the clients will be served on
    option routers 10.100.1.1;                     ## Your router's IP, more than likely .1
    option domain-name-servers 10.100.1.1;         ## My DNS server is my own router. Change this to your ISP's DNS servers or Google's.
    # option domain-name-servers 10.100.1.1,68.105.28.11,68.105.29.11,8.8.8.8,8.8.4.4;   ## Example of multiple DNS servers
    option domain-name "bromosapien.net";          ## If you have a domain name for your network, set it here.
    option subnet-mask 255.255.255.0;              ## Required.
    range 10.100.1.100 10.100.1.199;               ## Range of IPs that clients can use.
    filename "/pxelinux.0";                        ## PXE related
    default-lease-time 21600;
    max-lease-time 43200;
    next-server 10.100.1.1;                        ## PXE related: the TFTP server
}
After doing that, enable dhcpd and start it up.
% systemctl enable dhcpd
% systemctl start dhcpd
% systemctl status dhcpd
dhcpd.service - DHCPv4 Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled)
   Active: active (running) since Mon 2014-07-07 18:37:02 MST; 4s ago
     Docs: man:dhcpd(8)
           man:dhcpd.conf(5)
 Main PID: 28434 (dhcpd)
   CGroup: /system.slice/dhcpd.service
           └─28434 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
Jul 07 18:37:02 solaire.bromosapien.net systemd[1]: Started DHCPv4 Server Daemon.
Jul 07 18:37:02 solaire.bromosapien.net dhcpd[28434]: Internet Systems Consortium DHCP Server 4.2.5
Jul 07 18:37:02 solaire.bromosapien.net dhcpd[28434]: Copyright 2004-2013 Internet Systems Consortium.
Jul 07 18:37:02 solaire.bromosapien.net dhcpd[28434]: All rights reserved.
Jul 07 18:37:02 solaire.bromosapien.net dhcpd[28434]: For info, please visit https://www.isc.org/software/dhcp/
Jul 07 18:37:02 solaire.bromosapien.net dhcpd[28434]: Not searching LDAP since ldap-server, ldap-port and ld...file
Jul 07 18:37:03 solaire.bromosapien.net dhcpd[28434]: Wrote 0 deleted host decls to leases file.
Jul 07 18:37:03 solaire.bromosapien.net dhcpd[28434]: Wrote 0 new dynamic host decls to leases file.
Jul 07 18:37:03 solaire.bromosapien.net dhcpd[28434]: Wrote 2 leases to leases file.
Jul 07 18:37:03 solaire.bromosapien.net dhcpd[28434]: Listening on LPF/enp5v0//10.100.1.0/24
Jul 07 18:37:03 solaire.bromosapien.net dhcpd[28434]: Sending on LPF/enp5v0//10.100.1.0/24
Jul 07 18:37:03 solaire.bromosapien.net dhcpd[28434]: Sending on Socket/fallback/fallback-net
Jul 07 18:37:04 solaire.bromosapien.net dhcpd[28434]: DHCPDISCOVER from (android-305df79d0...p5v0
Jul 07 18:37:05 solaire.bromosapien.net dhcpd[28434]: DHCPOFFER on 10.100.1.106 to (androi...p5v0
Jul 07 18:37:05 solaire.bromosapien.net dhcpd[28434]: DHCPREQUEST for 10.100.1.106 (10.100.1.1) from ac:22:0...p5v0
Jul 07 18:37:05 solaire.bromosapien.net dhcpd[28434]: DHCPACK on 10.100.1.106 to (android-...p5v0
Jul 07 18:37:05 solaire.bromosapien.net dhcpd[28434]: Unable to add forward map from android-305df79d03199b3...ound
The DISCOVER/OFFER/REQUEST/ACK lines are a client getting its lease. The "Unable to add forward map"
line is dhcpd attempting a dynamic DNS update for a zone it cannot find; that is harmless until DDNS is
set up in the Dynamic DNS extra at the bottom.
And lastly, we need to enable IP forwarding, or the box will never pass packets between its two
interfaces. RHEL 7 keeps its defaults in /usr/lib/sysctl.d/, but you can still add the setting to
/etc/sysctl.conf, which even gives you a nifty note about that.
% vi /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
% sysctl -p
The firewall
The iptables firewall is generally pretty easy to deal with. However, since firewalld is the default on
EL 7, you have to install the classic service and switch over if you want to fall back to the old way.
% yum install iptables-services iptables-utils
% systemctl stop firewalld.service
% systemctl disable firewalld.service
% systemctl enable iptables.service
Read the comments to understand what I did below. This is a generic /etc/sysconfig/iptables file that
should work. Keep comments on their own lines: iptables-restore skips lines that begin with #, but it does
not strip a trailing comment from a rule, so a comment after a rule makes the restore fail.
# Start of NAT. Add this section.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# This is absolutely important: enp3s0 is the modem-side interface, and everything
# leaving through it gets the router's address.
-A POSTROUTING -o enp3s0 -j MASQUERADE
# Always end a table like this.
COMMIT
# Start of filter. Here are your regular "rules".
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Don't answer pings from the outside.
-A INPUT -i enp3s0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i lo -j ACCEPT
# No new TCP connections to the router itself, on any interface (the SSH port is opened later).
-A INPUT -p tcp -m state --state NEW -m tcp -j DROP
# Anything coming in from the gateway has to be a reply to something we sent.
-A FORWARD -i enp3s0 -o enp5v0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# This makes sure that anyone on the inside can head on out.
-A FORWARD -i enp5v0 -o enp3s0 -j ACCEPT
-A FORWARD -j DROP
COMMIT
Restart your firewall and you're ready. Make sure to test your clients.
% systemctl restart iptables
Be aware of what this file does not do: the INPUT policy stays ACCEPT, and apart from pings the only
drop for the router itself is on new TCP connections, so UDP services on the router (dhcpd, and named if
you add it later) are reachable from the modem side as well as from the LAN. The ip6tables file in the
IPv6 extra shows the safer pattern of scoping the drops to the outside interface.
FirewallD
Red Hat recently introduced firewalld into their core product, based on what ships in Fedora. That is
not a problem in itself, but it can be one for people who want complete control of their setup, like the
file above and the other examples later. If you want to turn on NAT with firewalld instead, these are the
steps I do.
% firewall-cmd --change-interface=enp3s0 --zone=external --permanent
% firewall-cmd --change-interface=enp5v0 --zone=internal --permanent
% firewall-cmd --set-default-zone=internal
% firewall-cmd --complete-reload
By default, the external zone is the masqueraded zone, so that is all the NAT configuration needed.
Note: If you disable NetworkManager like I do, you will need a ZONE directive in the interface file for
each interface. Otherwise, if your default zone is internal, your modem interface will always show up in
internal no matter what you do. That's why you have to use the directive.
...
NAME="enp3s0"
DEVICE="enp3s0"
ONBOOT="yes"
ZONE="external"      <---- This
SSH User Access and Restrictions
So you want SSH access to your system from the inside and outside. Alright, cool. We just need to make
a couple of modifications to the sshd_config file. First and foremost, we need to change the port number
from 22. There are reasons why it should NOT be port 22: it is the most scanned and attacked port of all
time. Sure, if root can't log in and the other accounts are not allowed SSH access by password but only
by SSH key, the attackers won't get in. But the last thing you want is your logs filling up with failed
logins and your bandwidth being reduced (if only slightly) by those attempts. Let's modify the file first.
% vi /etc/ssh/sshd_config
## Find the commented lines and add the changes after them.
# Port 22
Port 30717
# PermitRootLogin yes
PermitRootLogin no
With SELinux enforcing, sshd is only allowed to bind ports labelled ssh_port_t, so tell SELinux about
the new port before restarting the daemon:
% semanage port -a -t ssh_port_t -p tcp 30717
% systemctl restart sshd.service
Note: If you don't have semanage available, install policycoreutils-python.
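As an added example (not part of the original page), here is a small audit that reads sshd_config the way sshd itself does and checks the settings changed above. It matters because sshd keeps the first value it sees for a keyword and ignores later duplicates, so a stray "Port 22" left further down a file, or a setting placed under a Match block, does not do what a quick grep suggests. The sample config, the temporary file name and the hypothetical key-only requirement (PasswordAuthentication no, which the page does not set) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the page: read sshd_config the way sshd does and audit the
# settings the section above changes. sshd semantics implemented here: keywords are
# case-insensitive, '#' starts a comment, the FIRST occurrence of a keyword wins
# (later duplicates are silently ignored), and settings under a 'Match' block are
# conditional, so the global scan stops there. Sample files are constructed.

# ssh_get FILE KEYWORD -> prints the effective global value, nothing if unset
ssh_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                    # strip comments
        NF == 0 { next }                      # skip blank lines
        tolower($1) == "match" { exit }       # end of the global section
        tolower($1) == key { print $2; exit } # first match wins, as in sshd
    ' "$1"
}

# ssh_audit FILE -> one finding per line; returns 1 if anything is still weak.
# Defaults assumed are those of OpenSSH 6.6 on EL7 (port 22, root login and
# password authentication both allowed when the keyword is absent).
ssh_audit() {
    f=$1; rc=0
    port=$(ssh_get "$f" Port);                 [ -n "$port" ] || port=22
    root=$(ssh_get "$f" PermitRootLogin);      [ -n "$root" ] || root=yes
    pw=$(ssh_get "$f" PasswordAuthentication); [ -n "$pw" ]   || pw=yes
    [ "$port" != 22 ] || { echo "Port is 22: move it off the default"; rc=1; }
    [ "$root" = no ]  || { echo "PermitRootLogin is '$root': set it to no"; rc=1; }
    [ "$pw" = no ]    || { echo "PasswordAuthentication is '$pw': use keys only"; rc=1; }
    return $rc
}

# write_sample FILE -> a constructed config: the page's edit plus two traps
write_sample() {
    cat > "$1" <<'EOF'
# Port 22
Port 30717
# PermitRootLogin yes
PermitRootLogin no
Port 22                        # duplicate: sshd keeps the first value, 30717
Match User backup
    PasswordAuthentication no  # inside Match only, so NOT a global setting
EOF
}

# Usage: write_sample /tmp/sshd_config.sample; ssh_audit /tmp/sshd_config.sample
```

On the real box, `sshd -t` checks the file for syntax errors before you restart, and `sshd -T` prints the effective configuration the daemon computed, which is the authoritative answer when the file has grown layers of edits. Keep your current session open until a fresh login on the new port works, or a typo locks you out.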
Let's add a user and add them to the wheel group. Be sure to set your user a password.
% useradd -G wheel pinky
% passwd pinky
Now, open up /etc/pam.d/su and take one of the comments off. We'll take off the one that says the user
is required to be in the wheel group. That user will still need to know root's password. If you want to
allow a user to get root without root's password, you may do so (the 'trust' line). However, I don't
recommend doing that.
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
You may now want to test the effects. This is what the 'implicit' (trust) rule looks like: no password prompt.
[pinky@solaire ~]$ su -
Last login: Mon Jul  7 18:26:49 MST 2014 on pts/0
[root@solaire ~]#
Now, we'll need to make a change to the iptables firewall for our new port.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# This is absolutely important.
-A POSTROUTING -o enp3s0 -j MASQUERADE
# Always end a table like this.
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i enp3s0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i lo -j ACCEPT
# ADD THIS: the SSH port must be accepted BEFORE the rule that drops all other new TCP connections.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 30717 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -j DROP
-A FORWARD -i enp3s0 -o enp5v0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp5v0 -o enp3s0 -j ACCEPT
-A FORWARD -j DROP
COMMIT
% systemctl restart iptables
FirewallD users: If you use firewalld, you'll do something like this. The new port is opened in both
zones and the built-in ssh service (port 22) is removed from both.
% firewall-cmd --zone=internal --add-port=30717/tcp --permanent
% firewall-cmd --zone=internal --remove-service=ssh --permanent
% firewall-cmd --zone=external --add-port=30717/tcp --permanent
% firewall-cmd --zone=external --remove-service=ssh --permanent
% firewall-cmd --complete-reload
After that, you should be good! Try plugging a switch, or the store-bought router (configured correctly,
with DHCP disabled and a static address), into the LAN port, make sure all the services have been
(re)started, and see if your clients get IPs. Do they? Now see if you can SSH into your box through your
new port with your users.
If you succeed, you're ready to go. Now just make sure you can get to the internet :)
Extras
Here we'll expand the functionality of our server. We'll have some value added things below in this
section.
Renaming your Devices
This isn't truly important, but if you want your devices to have names that you actually understand,
you may want to change them. The predictable names can also be turned off altogether with
biosdevname=0 and net.ifnames=0 on the kernel line in grub, either before you install your system or on
an already installed one.
But, for the sake of the example, I'll change an interface name that was generated by udev. I'll change
my outbound interface, the one attached to the modem, to ob0. You can name them however you want,
and you'll need one rule and one interface file per device you rename.
% vi /etc/udev/rules.d/99-rename-net.rules
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:c4:ba:2b", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="ob0"
ATTR{address} must be the card's MAC address written out literally (read it from
/sys/class/net/ens192/address first); udev does not run shell substitutions inside a rule.
% cd /etc/sysconfig/network-scripts
% mv ifcfg-ens192 ifcfg-ob0
% vi ifcfg-ob0
# Generated by dracut initrd
DEVICE="ob0"                    <-- Change this appropriately
ONBOOT=yes
NETBOOT=yes
BOOTPROTO=dhcp
HWADDR="00:0c:29:c4:ba:2b"
TYPE=Ethernet
NAME="ob0"                      <-- Change this appropriately
% init 6
% ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ob0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:c4:ba:2b brd ff:ff:ff:ff:ff:ff
    inet 10.100.0.213/23 brd 10.100.1.255 scope global dynamic ob0
       valid_lft 21544sec preferred_lft 21544sec
    inet6 fe80::20c:29ff:fec4:ba2b/64 scope link
       valid_lft forever preferred_lft forever
Target static IP for specific host
You can do this easily by modifying /etc/dhcp/dhcpd.conf. Add a block like this:
host Healer {
    hardware ethernet 00:00:00:00:00:00;
    fixed-address 10.100.0.110;
}
Give the computer's name after host, then that system's MAC address, and the 'fixed-address' it will
get every time it connects to the network. Pick the fixed address outside the dynamic range you give to
clients; dhcpd does not remove it from the pool for you, so an address inside the range can end up handed
to someone else first. Then restart dhcpd:
% systemctl restart dhcpd
You can get the MAC addresses of those PCs with ip a sh (if they're Linux) or ipconfig /all if they're
Windows. Or, in the Windows GUI, look at the 'status' of an adapter and click 'details'.
Forwarding Ports
Forwarding ports can get complicated. But don't fret, it's not as bad as it seems. Let's say we want to
forward 6112 TCP and UDP to a host, so they can host StarCraft/WarCraft III games. Modify
/etc/sysconfig/iptables as follows; you'll need a PREROUTING line in the nat table and a FORWARD line
in the filter table. One without the other is the classic mistake: DNAT alone rewrites the destination,
but the packet is then dropped by the final FORWARD rule carried over from the earlier file.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Add the prerouting lines below. -p is protocol, -m is match, -i is interface, -j is action/target.
-A PREROUTING -i enp3s0 -p udp -m udp --dport 6112 -j DNAT --to-destination 10.100.1.101:6112
-A PREROUTING -i enp3s0 -p tcp -m tcp --dport 6112 -j DNAT --to-destination 10.100.1.101:6112
-A POSTROUTING -o enp3s0 -j MASQUERADE
COMMIT
# Start of filter
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i enp3s0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 30717 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -j DROP
-A FORWARD -i enp3s0 -o enp5v0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp5v0 -o enp3s0 -j ACCEPT
# Add the forward lines. They must come before the final DROP.
-A FORWARD -d 10.100.1.101 -i enp3s0 -p udp -m udp --dport 6112 -j ACCEPT
-A FORWARD -d 10.100.1.101 -i enp3s0 -p tcp -m tcp --dport 6112 -j ACCEPT
# Keep the final DROP from the earlier file; without it the FORWARD policy of ACCEPT lets everything through.
-A FORWARD -j DROP
COMMIT
Save it, and restart the firewall via systemctl.
FirewallD
% firewall-cmd --zone=external --add-forward-port=port=6112:proto=udp:toport=6112:toaddr=10.100.1.101 --permanent
% firewall-cmd --zone=external --add-forward-port=port=6112:proto=tcp:toport=6112:toaddr=10.100.1.101 --permanent
% firewall-cmd --complete-reload
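Here is an added example, serving both the basic ruleset from "The firewall" section and the port-forward variant above, of how a practitioner would generate and sanity-check that file instead of hand-editing it. It is not the page's own configuration: it emits an /etc/sysconfig/iptables in iptables-save format from a few parameters, scopes the drops for the router itself to the modem-side interface and covers UDP as well (the page's filter only drops new TCP), and pairs every DNAT with its FORWARD accept, which is the rule people forget. The interface names, the SSH port and the 10.100.1.101 game host are the page's examples reused as assumptions; the check function reads the generated text only and never touches the live firewall.

```shell
#!/bin/sh
# Added example, not the page's ruleset. Generates an iptables-save style file for
# the two-interface router and checks it. Assumptions: WAN/LAN names, SSH port and
# forward targets are passed in as arguments; nothing here calls iptables itself.

emit() { printf '%s\n' "$*"; }

# fwd_fields "proto:port:dest_ip[:dest_port]" -> sets proto, port, dst, dport
fwd_fields() {
    proto=${1%%:*}; rest=${1#*:}
    port=${rest%%:*}; rest=${rest#*:}
    dst=${rest%%:*};  dport=${rest#*:}
    [ "$dport" = "$dst" ] && dport=$port      # no dest_port given: keep the port
}

# gen_rules WAN LAN SSHPORT [FWD ...]  -> ruleset on stdout
gen_rules() {
    wan=$1; lan=$2; sshport=$3; shift 3
    emit '*nat'
    emit ':PREROUTING ACCEPT [0:0]'
    emit ':POSTROUTING ACCEPT [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    for f in "$@"; do
        fwd_fields "$f"
        emit "-A PREROUTING -i $wan -p $proto -m $proto --dport $port -j DNAT --to-destination $dst:$dport"
    done
    emit "-A POSTROUTING -o $wan -j MASQUERADE"
    emit 'COMMIT'
    emit '*filter'
    emit ':INPUT ACCEPT [0:0]'
    emit ':FORWARD ACCEPT [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit '-A INPUT -i lo -j ACCEPT'
    # replies to anything the router itself started (dhclient renewals on the WAN included)
    emit '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # the WAN-side DHCP lease arrives unsolicited on udp/68
    emit "-A INPUT -i $wan -p udp -m udp --sport 67 --dport 68 -j ACCEPT"
    emit "-A INPUT -i $wan -p tcp -m tcp --dport $sshport -m state --state NEW -j ACCEPT"
    emit "-A INPUT -i $wan -p icmp -m icmp --icmp-type 8 -j DROP"
    # everything else from the modem side, TCP *and* UDP; the LAN side stays open
    emit "-A INPUT -i $wan -j DROP"
    emit "-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT"
    for f in "$@"; do
        fwd_fields "$f"
        emit "-A FORWARD -i $wan -o $lan -d $dst -p $proto -m $proto --dport $dport -m state --state NEW -j ACCEPT"
    done
    emit "-A FORWARD -i $lan -o $wan -j ACCEPT"
    emit '-A FORWARD -j DROP'
    emit 'COMMIT'
}

# check_rules < RULES -> 0 if every table has a COMMIT and every DNAT target also
# appears in a FORWARD accept; prints what is missing and returns 1 otherwise
check_rules() {
    awk '
        /^\*/                         { tables++ }
        /^COMMIT$/                    { commits++ }
        /-j DNAT/ { for (i = 1; i <= NF; i++)
                        if ($i == "--to-destination") { split($(i+1), a, ":"); want[a[1]] = 1 } }
        /^-A FORWARD / && /-j ACCEPT/ { for (i = 1; i <= NF; i++) if ($i == "-d") have[$(i+1)] = 1 }
        END {
            rc = 0
            if (tables != commits) { print "a table is missing its COMMIT"; rc = 1 }
            for (d in want) if (!(d in have)) { print "DNAT to " d " has no FORWARD accept"; rc = 1 }
            exit rc
        }'
}

# Usage: write the file, check it, then load it with systemctl restart iptables.
# gen_rules enp3s0 enp5v0 30717 tcp:6112:10.100.1.101 udp:6112:10.100.1.101 > /tmp/iptables.new
# check_rules < /tmp/iptables.new && cp /tmp/iptables.new /etc/sysconfig/iptables
```

The generated file keeps the page's layout (nat table first, then filter, one COMMIT each) so it drops straight into /etc/sysconfig/iptables. The one design choice worth noting is that the router's own INPUT rules are all qualified with the WAN interface, so adding a LAN-only service later (named, a TFTP server for PXE) needs no firewall change, while nothing new is ever exposed to the modem side by accident.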
Denying Unknown Mac Addresses
Let's say you don't want to use your wireless access point's filters, or you decided you wanted to mess
with people who like to hop onto an unprotected wireless network... Whatever the case is, you want to
restrict clients based on MAC address. Add the following to your /etc/dhcp/dhcpd.conf:
deny unknown-clients;
After doing that, do as in the static IP section above: make a host section at the bottom for each
machine you want served.
host Healer {
    hardware ethernet 00:00:00:00:00:00;
    fixed-address 10.100.1.110;
}
Keep in mind what this does: dhcpd will simply not answer a machine whose MAC is not listed. It does
nothing against someone who sets an address by hand or copies a listed MAC, so treat it as housekeeping
for your own clients, not as access control.
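As an added example (not the page's own configuration), here is how a practitioner would produce the host blocks used in the two sections above from an inventory list rather than typing them by hand, validating each entry first. The payoff is catching the mistakes that make dhcpd refuse to start or silently serve the wrong machine: a malformed MAC, an impossible IP, or the same MAC or address listed twice. The host names, MACs and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the page: build dhcpd.conf 'host' stanzas for the static
# lease and deny-unknown-clients sections above, validating each entry. The names,
# MAC addresses and IPs used here are constructed for the example.

# valid_mac AA:BB:CC:DD:EE:FF -> 0 if six colon-separated hex octets
valid_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# valid_ipv4 A.B.C.D -> 0 if exactly four octets, each 0..255
valid_ipv4() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# host_block NAME MAC IP -> prints one stanza (MAC lower-cased), or returns 1
host_block() {
    valid_mac "$2"  || { echo "bad MAC for $1: $2" >&2; return 1; }
    valid_ipv4 "$3" || { echo "bad IP for $1: $3" >&2; return 1; }
    printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' \
        "$1" "$(printf '%s' "$2" | tr 'A-F' 'a-f')" "$3"
}

# hosts_from_list < "name mac ip" lines -> every stanza; '#' lines are skipped,
# a duplicate MAC or IP is reported and the whole run returns 1
hosts_from_list() {
    rc=0; seen=""
    while read -r name mac ip; do
        [ -n "$name" ] || continue
        case $name in \#*) continue;; esac
        lmac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        case " $seen " in
            *" $lmac "*|*" $ip "*) echo "duplicate entry: $name $mac $ip" >&2; rc=1; continue;;
        esac
        host_block "$name" "$mac" "$ip" || { rc=1; continue; }
        seen="$seen $lmac $ip"
    done
    return $rc
}

# Usage: hosts_from_list < hosts.txt >> /etc/dhcp/dhcpd.conf   (then restart dhcpd)
```

Append the output below the subnet block, and run dhcpd's own syntax check before restarting so a bad stanza never takes the LAN's DHCP down.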
IPv6 Tunnel
For those who have tunnels, this might be helpful. I have a tunnel from he.net; SixXS usually has its own
instructions for what it takes to make their tunnels work. This is what I do for my tunnel to get it up
and running, and to ensure clients on the inside of the network can get out.
First, we need to set up an interface. I typically like consistency: since the modem interface is enp2s0
on one of my routers, I use enp2v0 for the tunnel interface. Technically, you can use sit0.
DEVICE="enp2v0"
TYPE="sit"
BOOTPROTO="none"
ONBOOT="yes"
IPV6INIT="yes"
IPV6TUNNELIPV4="66.220.18.42"      # The provider's end of the tunnel; your tunnel provider gives you this IP
IPV6ADDR="2001:470:c:286::2/64"    # Your end of the tunnel. This is not part of the routed 'subnet' you were given
IPV6FORWARDING="yes"
For the internal LAN interface, which is eno1 on that router, I added the IPv6 information for the subnet
I was given.
TYPE=Ethernet
BOOTPROTO=static
NAME=eno1
DEVICE=eno1
ONBOOT=yes
IPADDR="10.100.0.1"
NETMASK="255.255.254.0"
## IPv6 information
IPV6ADDR="2001:470:d:286::1/64"
IPV6INIT="yes"
IPV6FORWARDING="yes"
For the firewall, I did this in the /etc/sysconfig/ip6tables file. Since there is no NAT, we just use basic
INPUT and FORWARD rules between the sit interface and the internal LAN interface. Unlike the IPv4 file
above, the drops here are scoped to the tunnel interface, and ICMPv6 is accepted, which IPv6 needs for
neighbour discovery and path MTU discovery.
*filter
:INPUT ACCEPT [56:6791]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [53:8508]
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -i enp2v0 -p tcp -m tcp --dport 1 -j DROP
-A INPUT -i enp2v0 -p tcp -m tcp --dport 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eno1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -p tcp -m state --state NEW -m tcp --dport 45521 -j ACCEPT
-A INPUT -i enp2v0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW -j DROP
-A FORWARD -i enp2v0 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eno1 -o enp2v0 -j ACCEPT
-A FORWARD -i enp2v0 -o eno1 -p icmpv6 -j ACCEPT
-A FORWARD -i enp2v0 -o eno1 -j DROP
COMMIT
% systemctl enable ip6tables
% systemctl start ip6tables
In /etc/sysconfig/network, you'll need these lines.
NETWORKING_IPV6=yes
IPV6FORWARDING=yes
IPV6_DEFAULTDEV="enp2v0"
In /etc/sysctl.conf, I put this.
net.ipv6.conf.all.forwarding = 1
% sysctl -p
In your regular (IPv4) firewall, you'll need some rules for your "heartbeat". Some providers require a
heartbeat of some sort, and the tunnel itself (IP protocol 41 coming from the provider's endpoint) has to
be let in on the outside interface, which the second rule below does.
-A IN_TRU -s 66.220.2.74/32 -i ob0 -p icmp -m comment --comment "IPv6 Heartbeat" -m icmp --icmp-type 8 -j ACCEPT
-A IN_TRU -s 66.220.18.42 -i ob0 -m comment --comment "IPv6 Heartbeat" -j ACCEPT
IN_TRU is a user-defined chain on that router (it is not one of the built-in chains) and ob0 is the
renamed modem interface from the Renaming section; on the setup from the main tutorial these would be
INPUT rules on enp3s0.
Dynamic DNS
Dynamic DNS is not all that important, but it's sometimes a fun feature to use on a network. It basically
lets clients have their own names in DNS, so they can reach one another by name. New clients get IPs
and the bind DNS server is updated with their names, as long as the machines provide host names. Note:
The subnet I use here is a testing subnet and does not reflect what was used in the tutorial above.
First, install the bind DNS package and then generate an rndc key.
% yum install bind
% rndc-confgen -a    # This can take a few minutes depending on the amount of entropy available; it writes /etc/rndc.key
If you don't have DNS already set up, you'll need to change a few options in /etc/named.conf. Most of
these are set to loopback addresses. You can change them to 'any' or to the internal LAN interface IP in
your network. For me, I set them to 'any' because the outside world can query me for information.
options {
    ...
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    allow-query { any; };
    ...
};
Be aware that together with the forwarders block below (and recursion, which is on by default),
allow-query { any; } on an interface the internet can reach makes an open resolver that anyone can use
for amplification attacks. If only the LAN needs this server, listen on the LAN address instead, or at
least add allow-recursion { localnets; }; so outsiders can only ask about your own zones.
You will also need to add a forwarders block within options, especially if you plan on pointing your
clients to your DNS server.
options {
    ...
    forwarders { 10.100.0.1; 8.8.8.8; };
};
And then, at the bottom, you need an include line for your key (the file contains the key block) and your
zone blocks. You will also need to change the permissions of the key file so named can read it.
include "/etc/rndc.key";
zone "angelsofclockwork.net" {
    type master;
    file "dynamic/angelsofclockwork.net";
    allow-update { key rndc-key; };
};
zone "2.100.10.in-addr.arpa" {
    type master;
    file "dynamic/2.100.10.in-addr.arpa";
    allow-update { key rndc-key; };
};
# Save the file
% chown root:named /etc/rndc.key
% chmod 640 /etc/rndc.key
Note that this reuses the rndc control key as the DDNS update key, and the same secret gets copied into
dhcpd.conf below. Anyone who can read dhcpd.conf then also holds the key that controls named through
rndc; a separate key used only for updates avoids that.
Now, let's make our zone files, giving them a blank slate. We need both the forward and reverse zones.
So first, our forward zone, /var/named/dynamic/angelsofclockwork.net.
$ORIGIN .
$TTL 10800      ; 3 hours
angelsofclockwork.net   IN SOA  angelsofclockwork.net. zera1.angelsofclockwork.net. (
                                2          ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )
                        NS      zera1.angelsofclockwork.net.
$ORIGIN angelsofclockwork.net.
zera1                   A       10.100.2.1
And now, our reverse zone, /var/named/dynamic/2.100.10.in-addr.arpa.
$ORIGIN .
$TTL 10800      ; 3 hours
2.100.10.in-addr.arpa   IN SOA  2.100.10.in-addr.arpa. zera1.angelsofclockwork.net. (
                                2          ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )
                        NS      zera1.angelsofclockwork.net.
$ORIGIN 2.100.10.in-addr.arpa.
1                       PTR     zera1.angelsofclockwork.net.
Once those are filled out, change the ownership of the files to named:named using chown. Otherwise,
you will get SERVFAIL errors and DNS will not get updated. Keep them under /var/named/dynamic rather
than directly in /var/named: with SELinux on, that directory is the one labelled writable for named, and
dynamic zones need write access for the journal files.
Now, you'll need to modify /etc/dhcp/dhcpd.conf. Comments will follow. (If dhcpd logs no update attempts
afterwards, it also needs a ddns-update-style declared in the global scope; interim is the one to use with
this setup.)
# Add this to turn on DDNS
ddns-updates on;
# Add your key block below. You can get it by doing cat /etc/rndc.key and copying/pasting it here.
# The secret shown is the author's example; yours is different and must not be published.
key rndc-key {
    algorithm hmac-md5;
    secret fkILNxLzrC/w84mr9gSFbQ==;
};
subnet 10.100.2.0 netmask 255.255.255.0 {
    ...
    # If you haven't already, set your domain server to your router IP.
    option domain-name-servers 10.100.2.1;
    # If you want your local addresses to have a domain name, you NEED to set this.
    # If you followed the above tutorial, a domain name was already set there.
    option domain-name "angelsofclockwork.net";
}
# Now set your zone blocks for both the forward and reverse.
zone angelsofclockwork.net. {
    primary localhost;
    key rndc-key;
}
zone 2.100.10.in-addr.arpa. {
    primary localhost;
    key rndc-key;
}
Save the file and restart the services. They should come up cleanly.
% systemctl restart named dhcpd
Named will usually be the only one that fails in this case; check the logs to see what went wrong. Now
refresh your clients and see if their information is filled out correctly.
% host zera2.angelsofclockwork.net
zera2.angelsofclockwork.net has address 10.100.2.100
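As an added example (not the page's configuration), here is the way a practitioner would wire up the DDNS key instead of copying /etc/rndc.key into dhcpd.conf: generate a key that is used only for zone updates, and print the matching stanzas for both named.conf and dhcpd.conf from the same values, so the key name, algorithm and secret cannot drift apart between the two files. It uses hmac-sha256 rather than the hmac-md5 that rndc-confgen produced on EL7; the assumption that the EL7 bind and ISC dhcp builds accept that algorithm, the key name ddns-key, and the use of 127.0.0.1 instead of localhost as the primary are the example's own choices. The zone names are the page's.

```shell
#!/bin/sh
# Added example, not the page's config: a dedicated TSIG key for dhcpd -> named
# updates, emitted as matching stanzas for both files. Assumptions: key name and
# algorithm (hmac-sha256) are this example's choices; zone names are the page's;
# base64 and /dev/urandom are available, as on any EL7 box.

# new_secret -> 32 random bytes as base64 (the digest length of hmac-sha256)
new_secret() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# valid_secret B64 -> 0 if it is well-formed base64 for exactly 32 bytes
valid_secret() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# named_stanza KEYNAME SECRET FWDZONE REVZONE -> text to append to named.conf
named_stanza() {
    valid_secret "$2" || { echo "malformed secret" >&2; return 1; }
    cat <<EOF
key "$1" {
    algorithm hmac-sha256;
    secret "$2";
};
zone "$3" {
    type master;
    file "dynamic/$3";
    allow-update { key "$1"; };
};
zone "$4" {
    type master;
    file "dynamic/$4";
    allow-update { key "$1"; };
};
EOF
}

# dhcpd_stanza KEYNAME SECRET FWDZONE REVZONE -> text to append to dhcpd.conf
# (127.0.0.1 rather than 'localhost' so the update path has no resolver dependency)
dhcpd_stanza() {
    valid_secret "$2" || { echo "malformed secret" >&2; return 1; }
    cat <<EOF
ddns-update-style interim;
ddns-updates on;
key $1 {
    algorithm hmac-sha256;
    secret $2;
};
zone $3. {
    primary 127.0.0.1;
    key $1;
}
zone $4. {
    primary 127.0.0.1;
    key $1;
}
EOF
}

# keys_match NAMED_TEXT DHCPD_TEXT -> 0 if both stanzas carry the same secret
keys_match() {
    a=$(printf '%s\n' "$1" | awk '$1 == "secret" { gsub(/[";]/, "", $2); print $2 }')
    b=$(printf '%s\n' "$2" | awk '$1 == "secret" { gsub(/[";]/, "", $2); print $2 }')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage:
# s=$(new_secret)
# named_stanza ddns-key "$s" angelsofclockwork.net 2.100.10.in-addr.arpa >> /etc/named.conf
# dhcpd_stanza ddns-key "$s" angelsofclockwork.net 2.100.10.in-addr.arpa >> /etc/dhcp/dhcpd.conf
```

With this, /etc/rndc.key stays readable only by root and named, and dhcpd.conf carries a secret that can do nothing beyond updating the two zones. Leave the `include "/etc/rndc.key";` line in named.conf for rndc itself; just point allow-update at the new key, and keep the file mode 640 on dhcpd.conf as well, since the update secret now lives there.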