SCIENTIFIC-LINUX-USERS Archives

June 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Thu, 28 Jun 2012 11:55:23 +0700

I managed to solve the exercise after some more reading. There are 
three main points:

  * wrong IP settings on clients: when setting up a client with a fixed IP 
on the 192.168.5 subnet, the DNS setting should be the host's DNS setting, 
which is 192.168.0.1 (the main router); to assign this automatically on a 
client with a DHCP IP, set option domain-name-servers to 192.168.0.1, not 
192.168.5.1;

  * IP masquerading needs iptables to be on!!! (honestly, I am not any 
good at iptables at all; that is why I wanted to avoid iptables and 
disabled it)

  * the default iptables configuration prevents masquerading:
     + the default iptables on my SL6.2 host is as follows:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [86:9652]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
     + it is the last line (-A FORWARD -j REJECT --reject-with 
icmp-host-prohibited) which was my problem. If I disable it and then add 
the nat/masquerading rule for wlan0, it works. If I want to leave it 
enabled, I have to add the forwarding rules before that rule. My final 
/etc/sysconfig/iptables is as follows:
*nat
:PREROUTING ACCEPT [2275:293091]
:POSTROUTING ACCEPT [2:96]
:OUTPUT ACCEPT [7:476]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [421:41673]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Maybe I should equip myself with some knowledge of iptables ;). 
Anyway, my "2nd router" using SL6.2 is working fine now...

Bests,

D.

On 6/27/12 9:33 AM, Duke wrote:
> On 6/26/12 8:51 PM, Ken Teh wrote:
>> You need to enable forwarding in the kernel.
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> Thanks Ken and Brent for your suggestion, but ip_forward still does 
> not help.
>
> $ sudo cat /proc/sys/net/ipv4/ip_forward
> 1
>
> I also turned off iptables to see if it helps, but it does not.
>
> Any other suggestions? Is there any way for me to check how the requests 
> (to go to the internet) coming from 192.168.5.2 are handled on 192.168.5.1? 
> How do I see all the connected clients? It seems /var/lib/dhcpd/dhcpd.leases 
> only gives me the leases for DHCP addresses, not the fixed ones.
>
>>
>> Do the same in /etc/sysctl.conf which will write the 1 to the /proc 
>> file on reboot.
>>
>> I suggest you look at dnsmasq.  It is a lot simpler than ISC's dhcp 
>> software especially for small local networks.  In fact I believe most 
>> routers you buy from a store use dnsmasq.
>
> Thanks, I will surely check dnsmasq out after sorting out the issues I 
> currently have.
>
>>
>> Good luck!
>>
>>
>>
>> On 06/26/2012 04:30 AM, Duke wrote:
>>> Hi folks,
>>>
>>> Please be gentle: I have some experience with Linux but not much at 
>>> the administrative level, and I am much more familiar with Debian 
>>> distros than Red Hat ones. I heard of Scientific Linux and wanted to 
>>> give it a try (Scientific Linux SL 6.2). My task now is to set up a 
>>> DHCP server for a small local network.
>>>
>>> The setup is as follows:
>>>
>>> Internet (WAN)
>>> |
>>> Router (192.168.0.1)
>>> |
>>> SL6.2 with two NIC: wlan0 and eth0
>>> wlan0 (192.168.0.103)
>>> eth0 (192.168.5.1)
>>>
>>> To achieve the above setup, after some reading, I have:
>>>
>>>   * installed dhcp (sudo yum install dhcp) and then configured dhcpd as
>>> $ sudo vi /etc/dhcp/dhcpd.conf
>>> # /etc/dhcp/dhcpd.conf
>>> option domain-name "example.org";
>>> option domain-name-servers 192.168.5.1;
>>>
>>> default-lease-time 600;
>>> max-lease-time 7200;
>>>
>>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>> }
>>>
>>> subnet 192.168.5.0 netmask 255.255.255.0 {
>>>    range 192.168.5.2 192.168.5.99;
>>>    option routers 192.168.5.1;
>>>    option broadcast-address 192.168.5.255;
>>>    authoritative;
>>> }
>>>
>>>   * started the dhcpd service:
>>> $ sudo service dhcpd start
>>> $ sudo tail -17 /var/log/messages
>>> Jun 26 16:16:56 hp430b dhcpd: Internet Systems Consortium DHCP 
>>> Server 4.1.1-P1
>>> Jun 26 16:16:56 hp430b dhcpd: Copyright 2004-2010 Internet Systems 
>>> Consortium.
>>> Jun 26 16:16:56 hp430b dhcpd: All rights reserved.
>>> Jun 26 16:16:56 hp430b dhcpd: For info, please visit 
>>> https://www.isc.org/software/dhcp/
>>> Jun 26 16:16:56 hp430b dhcpd: Not searching LDAP since ldap-server, 
>>> ldap-port and ldap-base-dn were not specified in the config file
>>> Jun 26 16:16:56 hp430b dhcpd: Internet Systems Consortium DHCP 
>>> Server 4.1.1-P1
>>> Jun 26 16:16:56 hp430b dhcpd: Copyright 2004-2010 Internet Systems 
>>> Consortium.
>>> Jun 26 16:16:56 hp430b dhcpd: All rights reserved.
>>> Jun 26 16:16:56 hp430b dhcpd: For info, please visit 
>>> https://www.isc.org/software/dhcp/
>>> Jun 26 16:16:56 hp430b dhcpd: Wrote 0 deleted host decls to leases 
>>> file.
>>> Jun 26 16:16:56 hp430b dhcpd: Wrote 0 new dynamic host decls to 
>>> leases file.
>>> Jun 26 16:16:56 hp430b dhcpd: Wrote 0 leases to leases file.
>>> Jun 26 16:16:56 hp430b dhcpd: Listening on 
>>> LPF/wlan0/68:a3:c4:b9:e0:64/192.168.0.0/24
>>> Jun 26 16:16:56 hp430b dhcpd: Sending on 
>>> LPF/wlan0/68:a3:c4:b9:e0:64/192.168.0.0/24
>>> Jun 26 16:16:56 hp430b dhcpd: Listening on 
>>> LPF/eth0/9c:8e:99:37:f1:54/192.168.5.0/24
>>> Jun 26 16:16:56 hp430b dhcpd: Sending on 
>>> LPF/eth0/9c:8e:99:37:f1:54/192.168.5.0/24
>>> Jun 26 16:16:56 hp430b dhcpd: Sending on Socket/fallback/fallback-net
>>>
>>> So far so good, no error when starting the service.
>>>
>>>   * configured router so that wlan0 always gets 192.168.0.103
>>>   * configured so that eth0 gets fixed IP 192.168.5.1
>>> $ sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
>>> DEVICE=eth0
>>> BOOTPROTO=none
>>> IPADDR=192.168.5.1
>>> NETMASK=255.255.255.0
>>> ONBOOT=yes
>>>
>>>   * restarted the network service:
>>> $ sudo service network restart
>>> Shutting down interface eth0:  Device state: 3 (disconnected)
>>>                                                             [ OK  ]
>>> Shutting down loopback interface:                          [ OK  ]
>>> Bringing up loopback interface:                            [ OK  ]
>>> Bringing up interface eth0:  Active connection state: activated
>>> Active connection path: 
>>> /org/freedesktop/NetworkManager/ActiveConnection/10
>>>                                                             [ OK  ]
>>>
>>>   * confirmed that the two interfaces get what they should get:
>>> $ ifconfig
>>> eth0      Link encap:Ethernet  HWaddr 9C:8E:99:37:F1:54
>>>            inet addr:192.168.5.1  Bcast:192.168.5.255 
>>> Mask:255.255.255.0
>>>            inet6 addr: fe80::9e8e:99ff:fe37:f154/64 Scope:Link
>>>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>            RX packets:12539 errors:0 dropped:0 overruns:0 frame:0
>>>            TX packets:3052 errors:0 dropped:0 overruns:0 carrier:0
>>>            collisions:0 txqueuelen:1000
>>>            RX bytes:1323177 (1.2 MiB)  TX bytes:340948 (332.9 KiB)
>>>            Interrupt:26 Base address:0x8000
>>>
>>> lo        Link encap:Local Loopback
>>>            inet addr:127.0.0.1  Mask:255.0.0.0
>>>            inet6 addr: ::1/128 Scope:Host
>>>            UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>            RX packets:2167 errors:0 dropped:0 overruns:0 frame:0
>>>            TX packets:2167 errors:0 dropped:0 overruns:0 carrier:0
>>>            collisions:0 txqueuelen:0
>>>            RX bytes:867756 (847.4 KiB)  TX bytes:867756 (847.4 KiB)
>>>
>>> wlan0     Link encap:Ethernet  HWaddr 68:A3:C4:B9:E0:64
>>>            inet addr:192.168.0.103  Bcast:192.168.0.255 
>>> Mask:255.255.255.0
>>>            inet6 addr: fe80::6aa3:c4ff:feb9:e064/64 Scope:Link
>>>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>            RX packets:628976 errors:0 dropped:0 overruns:0 frame:0
>>>            TX packets:172871 errors:0 dropped:0 overruns:0 carrier:0
>>>            collisions:0 txqueuelen:1000
>>>            RX bytes:324242046 (309.2 MiB)  TX bytes:22038298 (21.0 MiB)
>>>
>>>   * configured iptables to do the IP masquerading
>>> $ sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> $ sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
>>> $ sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 117.4.113.206
>>> $ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>
>>> Finally, I use another computer as a client on the 192.168.5 network, 
>>> and tried to give it an IP, for example 192.168.5.2, with gateway 
>>> 192.168.5.1, but I can't get to the internet. I can only see the DHCP 
>>> server (by ping or ssh to 192.168.5.1).
>>>
>>> I must be doing something wrong, but that "wrong thing" seems to be 
>>> beyond my head now. Any advice/suggestion is welcome!!!
>>>
>>> Thanks,
>>
>
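
An added example, not from the thread and not SL6's or iptables' own code: a small simulator that walks the filter FORWARD and nat POSTROUTING chains of an iptables-save style ruleset, so that D.'s final fix above and the first attempt in the quoted message can both be replayed without a live box. The rulesets inside it are abridged copies of the two posted in the thread (only the chains the simulator walks, counters zeroed); the three packets are constructed; and it understands only the -i/-o/-p/--dport/--sport and --state matches those rulesets use, raising on anything else rather than mis-evaluating it.

```python
"""Walk the SL6.2 filter FORWARD and nat POSTROUTING chains over iptables-save text
to show why the default ruleset rejects routed traffic and why rule ORDER matters
(-A appends after the trailing REJECT, -I inserts before it). Unknown matches raise."""
# Constructed inputs: the two rulesets posted in the thread, abridged to the chains walked here.
DEFAULT_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
FINAL_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# iptables option -> packet field it is compared against (--state is handled separately)
FIELDS = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport", "--sport": "sport"}

def parse_rule(tokens):
    """Tokens after '-A CHAIN' -> {'match': {option: value}, 'target': str}."""
    rule, i = {"match": {}, "target": None}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-j":                 # the target (plus its options) ends the rule
            rule["target"] = tokens[i + 1]
            return rule
        if tok == "-m":                 # match-module loader; its --options follow
            i += 2
        elif tok in FIELDS or tok == "--state":
            rule["match"][tok] = tokens[i + 1]
            i += 2
        else:
            raise ValueError("unsupported iptables token: " + tok)
    raise ValueError("rule without -j target: " + " ".join(tokens))

def parse_ruleset(text):
    """iptables-save text -> {table: {chain: {'policy': str, 'rules': [rule, ...]}}}."""
    tables, table = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("*"):                          # *filter / *nat
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):                        # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            table[chain] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            _, chain, *rest = line.split()
            table[chain]["rules"].append(parse_rule(rest))
        elif line != "COMMIT" and not line.startswith("#"):
            raise ValueError("unexpected line: " + line)
    return tables

def rule_matches(rule, pkt):
    for opt, want in rule["match"].items():
        if opt == "--state":
            if pkt.get("state") not in want.split(","):
                return False
        elif str(pkt.get(FIELDS[opt])) != want:
            return False
    return True

def evaluate_chain(tables, table, chain, pkt):
    """First matching rule's target wins; otherwise the chain policy applies."""
    for rule in tables[table][chain]["rules"]:
        if rule_matches(rule, pkt):
            return rule["target"]
    return tables[table][chain]["policy"]

def forward_decision(tables, pkt):
    """(filter FORWARD verdict, whether nat POSTROUTING would masquerade the packet)."""
    verdict = evaluate_chain(tables, "filter", "FORWARD", pkt)
    masq = (verdict == "ACCEPT" and "nat" in tables
            and evaluate_chain(tables, "nat", "POSTROUTING", pkt) == "MASQUERADE")
    return verdict, masq

def apply_command(tables, table, args):
    """Mimic where 'iptables -A CHAIN ...' (append) and '-I CHAIN ...' (insert at top) land."""
    flag, chain, *rest = args.split()
    if flag not in ("-A", "-I"):
        raise ValueError("only -A and -I are simulated")
    rules = tables[table][chain]["rules"]
    rules.insert(len(rules) if flag == "-A" else 0, parse_rule(rest))  # -A lands AFTER the trailing REJECT
# Constructed packets: LAN client's outbound SYN, the internet's reply, an unsolicited WAN connection.
LAN_TO_WAN = {"in": "eth0", "out": "wlan0", "proto": "tcp", "state": "NEW", "dport": 80}
WAN_REPLY = {"in": "wlan0", "out": "eth0", "proto": "tcp", "state": "ESTABLISHED"}
WAN_NEW = {"in": "wlan0", "out": "eth0", "proto": "tcp", "state": "NEW", "dport": 22}
if __name__ == "__main__":
    for name, text in (("default", DEFAULT_RULES), ("final", FINAL_RULES)):
        print(name, [forward_decision(parse_ruleset(text), p) for p in (LAN_TO_WAN, WAN_REPLY, WAN_NEW)])
    t = parse_ruleset(DEFAULT_RULES)
    for cmd in ("-A FORWARD -i eth0 -o wlan0 -j ACCEPT", "-I FORWARD -i eth0 -o wlan0 -j ACCEPT"):
        apply_command(t, "filter", cmd)
        print(cmd[:2], evaluate_chain(t, "filter", "FORWARD", LAN_TO_WAN))  # -A: REJECT, -I: ACCEPT
```

Run as-is, the default ruleset rejects every forwarded packet, while the final one accepts eth0->wlan0 traffic and masquerades it on wlan0, accepts only RELATED,ESTABLISHED replies coming back, and rejects unsolicited connections from the WAN side. The last loop shows the trap behind "I have to add the forwarding rules before that rule": with the distribution's REJECT already last in FORWARD, `iptables -A FORWARD ...` lands after it and never fires, whereas `iptables -I FORWARD ...` (or, as D. did, editing the saved file so the ACCEPT lines come first) takes effect. Two things in the quoted first attempt are worth replaying too: its POSTROUTING rules used `-o eth0`, the LAN side, so nothing would have been masqueraded on wlan0, and its FORWARD rules were reversed, restricting eth0->wlan0 to ESTABLISHED,RELATED while accepting wlan0->eth0 unconditionally, which, had they been evaluated ahead of the REJECT, would have let any host on the wlan0 side open connections into the 192.168.5.0/24 network.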
