Find the answer to your Linux question:
Results 1 to 5 of 5
Hi there, on a Linux Redhat 7.3 system, I have to network cards installed. The first is (eth0) is connected to the internet via a static IP address, and I ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Mar 2006
    Posts
    6

    Need help setting up 2nd NIC for DHCPd


    Hi there,

    on a Linux Redhat 7.3 system, I have to network cards installed. The first is (eth0) is connected to the internet via a static IP address, and I would like to make the second one (eth1) available to other computers using a DHCP server, so that they can access the internet via a router.The other computers are Windows computers.
    I basically followed the protocol available on http://www.tldp.org/HOWTO/DHCP/x369.html, that is:

    introduced 255.255.255.255 all-ones in /etc/hosts
    and then copied the sample dhcpd.conf file in /usr/share/doc/dhcp-3.0pl1/dhcpd.conf.sample over to /etc/dhcpd.conf, however I did not do any modifications on it.
    Following this, I started the server: /usr/sbin/dhcpd eth1
    and included the same command in the startup file /etc/rc.local to make it available during next boot up.
    Now the Windows machine has been setup for DHCP, and it gets an IP address assigned, however I cannot connect to the internet. A lease file has been created on the Linux machine in /var/lib/dhcp/dhcpd.leases, which reads the following:

    more /var/lib/dhcp/dhcpd.leases
    # All times in this file are in UTC (GMT), not your local timezone. This is
    # not a bug, so please don't ask about it. There is no portable way to
    # store leases in the local timezone, so please don't request this as a
    # feature. If this is inconvenient or confusing to you, we sincerely
    # apologize. Seriously, though - don't ask.
    # The format of this file is documented in the dhcpd.leases(5) manual page.
    # This lease file was written by isc-dhcp-V3.0pl1

    lease 192.168.0.255 {
    starts 4 2006/03/02 17:19:45;
    ends 4 2006/03/02 23:19:45;
    tstp 4 2006/03/02 23:19:45;
    binding state active;
    next binding state free;
    hardware ethernet 00:0f:1f:c5:09:3a;
    uid "\001\000\017\037\305\011:";
    client-hostname "BP-CUFF";

    I Windows, I get the following entry in the Network connections --> Support tab:
    Address type: Assigned by DHCP
    IP Address: 192.168.0.255
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.0.1


    What am I doing wrong? May there some adaptations to be done in the /etc/dhcpd.conf file, which I have not done?

    Thank you very much in advance for any help solving the problem.

    PS: Here is the /etc/dhcpd.conf file:


    ddns-update-style interim;
    ignore client-updates;

    subnet 192.168.0.0 netmask 255.255.255.0 {

    # --- default gateway
    option routers 192.168.0.1;
    option subnet-mask 255.255.255.0;

    option nis-domain "domain.org";
    option domain-name "domain.org";
    option domain-name-servers 192.168.1.1;

    option time-offset -18000; # Eastern Standard Time
    # option ntp-servers 192.168.1.1;
    # option netbios-name-servers 192.168.1.1;
    # --- Selects point-to-point node (default is hybrid). Don't change this unless
    # -- you understand Netbios very well
    # option netbios-node-type 2;

    range dynamic-bootp 192.168.0.128 192.168.0.255;
    default-lease-time 21600;
    max-lease-time 43200;

    # we want the nameserver to appear at a fixed address
    host ns {
    next-server marvin.redhat.com;
    hardware ethernet 12:34:56:78:AB:CD;
    fixed-address 207.175.42.254;
    }
    }

  2. #2
    Linux Newbie
    Join Date
    Dec 2004
    Location
    Barrie, Ontario
    Posts
    219
    If I read your post correctly you want to do two things:

    1) Make DHCP available on eth1 for your LAN machines
    2) Make the DHCP server an internet gateway for those machines

    It appears that you have accomplished item #1, since your Windows machine has an IP.

    Part 2 has nothing to do with DHCPd -- it require ipchains/iptables -- a masquarading firewall script.

    http://www.netfilter.org/ is the authoritative site for such things.
    Blog - KB5UMQ - Linux User #272983
    3 Rules:
    1) "It doesn't work..." is simply not useful information.
    2) Don't cross post!
    3) If you are asking for help, start by telling us your distro/os and version.

  3. #3
    Just Joined!
    Join Date
    Mar 2006
    Posts
    6

    Response Part1

    Dear Kode,
    I tried to enable the masquerading / forwarding, mainly following the protocol on http://www.tldp.org/HOWTO/IP-Masquer...piling3.1.html, that is in short:

    created the file etc/rc.d/rc.firewall-iptables for setting the rules:

    #!/bin/sh
    #
    # rc.firewall-iptables
    FWVER=0.76
    #
    # Initial SIMPLE IP Masquerade test for 2.6 / 2.4 kernels
    # using IPTABLES.
    #
    # Once IP Masquerading has been tested, with this simple
    # ruleset, it is highly recommended to use a stronger
    # IPTABLES ruleset either given later in this HOWTO or
    # from another reputable resource.
    #
    #
    #
    # Log:
    # 0.76 - Added comments on why the default policy is ACCEPT
    # 0.75 - Added more kernel modules to the comments section
    # 0.74 - the ruleset now uses modprobe vs. insmod
    # 0.73 - REJECT is not a legal policy yet; back to DROP
    # 0.72 - Changed the default block behavior to REJECT not DROP
    # 0.71 - Added clarification that PPPoE users need to use
    # "ppp0" instead of "eth0" for their external interface
    # 0.70 - Added commented option for IRC nat module
    # - Added additional use of environment variables
    # - Added additional formatting
    # 0.63 - Added support for the IRC IPTABLES module
    # 0.62 - Fixed a typo on the MASQ enable line that used eth0
    # instead of $EXTIF
    # 0.61 - Changed the firewall to use variables for the internal
    # and external interfaces.
    # 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
    # all forwarded packets but it didn't have a rule to ACCEPT
    # any packets to be forwarded either
    # - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
    # 0.50 - Initial draft
    #

    echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"


    # The location of the iptables and kernel module programs
    #
    # If your Linux distribution came with a copy of iptables,
    # most likely all the programs will be located in /sbin. If
    # you manually compiled iptables, the default location will
    # be in /usr/local/sbin
    #
    # ** Please use the "whereis iptables" command to figure out
    # ** where your copy is and change the path below to reflect
    # ** your setup
    #
    IPTABLES=/sbin/iptables
    #IPTABLES=/usr/local/sbin/iptables
    DEPMOD=/sbin/depmod
    MODPROBE=/sbin/modprobe


    #Setting the EXTERNAL and INTERNAL interfaces for the network
    #
    # Each IP Masquerade network needs to have at least one
    # external and one internal network. The external network
    # is where the natting will occur and the internal network
    # should preferably be addressed with a RFC1918 private address
    # scheme.
    #
    # For this example, "eth0" is external and "eth1" is internal"
    #
    #
    # NOTE: If this doesnt EXACTLY fit your configuration, you must
    # change the EXTIF or INTIF variables above. For example:
    #
    # If you are a PPPoE or analog modem user:
    #
    # EXTIF="ppp0"
    #
    #
    EXTIF="eth0"
    INTIF="eth1"
    echo " External Interface: $EXTIF"
    echo " Internal Interface: $INTIF"


    #================================================= =====================
    #== No editing beyond this line is required for initial MASQ testing ==


    echo -en " loading modules: "

    # Need to verify that all modules have all required dependencies
    #
    echo " - Verifying that all kernel modules are ok"
    $DEPMOD -a

    # With the new IPTABLES code, the core MASQ functionality is now either
    # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
    # options as MODULES. If your kernel is compiled correctly, there is
    # NO need to load the kernel modules manually.
    #
    # NOTE: The following items are listed ONLY for informational reasons.
    # There is no reason to manual load these modules unless your
    # kernel is either mis-configured or you intentionally disabled
    # the kernel module autoloader.
    #

    # Upon the commands of starting up IP Masq on the server, the
    # following kernel modules will be automatically loaded:
    #
    # NOTE: Only load the IP MASQ modules you need. All current IP MASQ
    # modules are shown below but are commented out from loading.
    # ================================================== =============

    echo "----------------------------------------------------------------------"

    #Load the main body of the IPTABLES module - "iptable"
    # - Loaded automatically when the "iptables" command is invoked
    #
    # - Loaded manually to clean up kernel auto-loading timing issues
    #
    echo -en "ip_tables, "
    $MODPROBE ip_tables


    #Load the IPTABLES filtering module - "iptable_filter"
    # - Loaded automatically when filter policies are activated


    #Load the stateful connection tracking framework - "ip_conntrack"
    #
    # The conntrack module in itself does nothing without other specific
    # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
    # module
    #
    # - This module is loaded automatically when MASQ functionality is
    # enabled
    #
    # - Loaded manually to clean up kernel auto-loading timing issues
    #
    echo -en "ip_conntrack, "
    $MODPROBE ip_conntrack


    #Load the FTP tracking mechanism for full FTP tracking
    #
    # Enabled by default -- insert a "#" on the next line to deactivate
    #
    echo -en "ip_conntrack_ftp, "
    $MODPROBE ip_conntrack_ftp


    #Load the IRC tracking mechanism for full IRC tracking
    #
    # Enabled by default -- insert a "#" on the next line to deactivate
    #
    echo -en "ip_conntrack_irc, "
    $MODPROBE ip_conntrack_irc


    #Load the general IPTABLES NAT code - "iptable_nat"
    # - Loaded automatically when MASQ functionality is turned on
    #
    # - Loaded manually to clean up kernel auto-loading timing issues
    #
    echo -en "iptable_nat, "
    $MODPROBE iptable_nat


    #Loads the FTP NAT functionality into the core IPTABLES code
    # Required to support non-PASV FTP.
    #
    # Enabled by default -- insert a "#" on the next line to deactivate
    #
    echo -en "ip_nat_ftp, "
    $MODPROBE ip_nat_ftp


    #Loads the IRC NAT functionality into the core IPTABLES code
    # Required to support NAT of IRC DCC requests
    #
    # Disabled by default -- remove the "#" on the next line to activate
    #
    #echo -e "ip_nat_irc"
    #$MODPROBE ip_nat_irc

    echo "----------------------------------------------------------------------"

    # Just to be complete, here is a partial list of some of the other
    # IPTABLES kernel modules and their function. Please note that most
    # of these modules (the ipt ones) are automatically loaded by the
    # master kernel module for proper operation and don't need to be
    # manually loaded.
    # --------------------------------------------------------------------
    #
    # ip_nat_snmp_basic - this module allows for proper NATing of some
    # SNMP traffic
    #
    # iptable_mangle - this target allows for packets to be
    # manipulated for things like the TCPMSS
    # option, etc.
    #
    # --
    #
    # ipt_mark - this target marks a given packet for future action.
    # This automatically loads the ipt_MARK module
    #
    # ipt_tcpmss - this target allows to manipulate the TCP MSS
    # option for braindead remote firewalls.
    # This automatically loads the ipt_TCPMSS module
    #
    # ipt_limit - this target allows for packets to be limited to
    # to many hits per sec/min/hr
    #
    # ipt_multiport - this match allows for targets within a range
    # of port numbers vs. listing each port individually
    #
    # ipt_state - this match allows to catch packets with various
    # IP and TCP flags set/unset
    #
    # ipt_unclean - this match allows to catch packets that have invalid
    # IP/TCP flags set
    #
    # iptable_filter - this module allows for packets to be DROPped,
    # REJECTed, or LOGged. This module automatically
    # loads the following modules:
    #
    # ipt_LOG - this target allows for packets to be
    # logged
    #
    # ipt_REJECT - this target DROPs the packet and returns
    # a configurable ICMP packet back to the
    # sender.
    #

    echo -e " Done loading modules.\n"



    #CRITICAL: Enable IP forwarding since it is disabled by default since
    #
    # Redhat Users: you may try changing the options in
    # /etc/sysconfig/network from:
    #
    # FORWARD_IPV4=false
    # to
    # FORWARD_IPV4=true
    #
    echo " Enabling forwarding.."
    echo "1" > /proc/sys/net/ipv4/ip_forward


    # Dynamic IP users:
    #
    # If you get your IP address dynamically from SLIP, PPP, or DHCP,
    # enable this following option. This enables dynamic-address hacking
    # which makes the life with Diald and similar programs much easier.
    #
    #echo " Enabling DynamicAddr.."
    #echo "1" > /proc/sys/net/ipv4/ip_dynaddr


    # Enable simple IP forwarding and Masquerading
    #
    # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
    #
    # NOTE #2: The following is an example for an internal LAN address in the
    # 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
    # connecting to the Internet on external interface "eth0". This
    # example will MASQ internal traffic out to the Internet but not
    # allow non-initiated traffic into your internal network.

  4. #4
    Just Joined!
    Join Date
    Mar 2006
    Posts
    6

    Response Part2

    #
    #
    # ** Please change the above network numbers, subnet mask, and your
    # *** Internet connection interface name to match your setup
    #


    #Clearing any previous configuration
    #
    # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
    # The default for FORWARD is DROP (REJECT is not a valid policy)
    #
    # Isn't ACCEPT insecure? To some degree, YES, but this is our testing
    # phase. Once we know that IPMASQ is working well, I recommend you run
    # the rc.firewall-*-stronger rulesets which set the defaults to DROP but
    # also include the critical additional rulesets to still let you connect to
    # the IPMASQ server, etc.
    #
    echo " Clearing any existing rules and setting default policy.."
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    echo " FWD: Allow all connections OUT and only existing and related ones IN"
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    $IPTABLES -A FORWARD -j LOG

    echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

    echo -e "\nrc.firewall-iptables v$FWVER done.\n"

    Then, I created /etc/rc.d/init.d/firewall-iptables to start the masquerading during boot time:
    #!/bin/sh
    #
    # chkconfig: 2345 11 89
    #
    # description: Loads the rc.firewall-iptables ruleset.
    #
    # processname: firewall-iptables
    # pidfile: /var/run/firewall.pid
    # config: /etc/rc.d/rc.firewall-iptables
    # probe: true

    # ----------------------------------------------------------------------------
    # v05/24/03
    #
    # Part of the copyrighted and trademarked TrinityOS document.
    # http://www.ecst.csuchico.edu/~dranch
    #
    # Written and Maintained by David A. Ranch
    # dranch@trinnet.net
    #
    # Updates
    # -------
    # 05/24/03 - removed a old networking up check that had some
    # improper SGML ampersand conversions.
    # ----------------------------------------------------------------------------


    # Source function library.
    . /etc/rc.d/init.d/functions

    # Check that networking is up.

    [ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0

    [ -x /sbin/ifconfig ] || exit 0

    # The location of various iptables and other shell programs
    #
    # If your Linux distribution came with a copy of iptables, most
    # likely it is located in /sbin. If you manually compiled
    # iptables, the default location is in /usr/local/sbin
    #
    # ** Please use the "whereis iptables" command to figure out
    # ** where your copy is and change the path below to reflect
    # ** your setup
    #
    IPTABLES=/usr/local/sbin/iptables


    # See how we were called.
    case "$1" in
    start)
    /etc/rc.d/rc.firewall-iptables
    ;;

    stop)
    echo -e "\nFlushing firewall and setting default policies to DROP\n"
    $IPTABLES -P INPUT DROP
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -F -t nat

    # Delete all User-specified chains
    $IPTABLES -X
    #
    # Reset all IPTABLES counters
    $IPTABLES -Z
    ;;

    restart)
    $0 stop
    $0 start
    ;;

    status)
    $IPTABLES -L
    ;;

    mlist)
    cat /proc/net/ip_conntrack
    ;;

    *)
    echo "Usage: firewall-iptables {start|stop|status|mlist}"
    exit 1
    esac

    exit 0

    then, made this script execuctable:
    chmod 700 /etc/rc.d/init.d/firewall-iptables

  5. #5
    Just Joined!
    Join Date
    Mar 2006
    Posts
    6

    Response Part3

    after reboot, I checked:
    chkconfig --list firewall-iptables, and I got a response exactly as indicated on the protocol.

    Unfortunately, it still does not work to access the internet from an internal machine (connected to eth1 via DHCP). I cannot even ping the DHCP server on the IP address on eth1.

    ls /proc/sys/net/ipv4 returns:

    conf ip_autoconfig neigh tcp_keepalive_time tcp_rmem
    icmp_echo_ignore_all ip_conntrack_max route tcp_low_latency tcp_sack
    icmp_echo_ignore_broadcasts ip_default_ttl tcp_abort_on_overflow tcp_max_orphans tcp_stdurg
    icmp_ignore_bogus_error_responses ip_dynaddr tcp_adv_win_scale tcp_max_syn_backlog tcp_synack_retries
    icmp_ratelimit ip_forward tcp_app_win tcp_max_tw_buckets tcp_syncookies
    icmp_ratemask ipfrag_high_thresh tcp_dsack tcp_mem tcp_syn_retries
    igmp_max_memberships ipfrag_low_thresh tcp_ecn tcp_orphan_retries tcp_timestamps
    inet_peer_gc_maxtime ipfrag_secret_interval tcp_fack tcp_reordering tcp_tw_recycle
    inet_peer_gc_mintime ipfrag_time tcp_fin_timeout tcp_retrans_collapse tcp_tw_reuse
    inet_peer_maxttl ip_local_port_range tcp_frto tcp_retries1 tcp_window_scaling
    inet_peer_minttl ip_nonlocal_bind tcp_keepalive_intvl tcp_retries2 tcp_wmem
    inet_peer_threshold ip_no_pmtu_disc tcp_keepalive_probes tcp_rfc1337

    /sbin/lsmod returns:

    Module Size Used by Tainted: P
    sr_mod 16632 0 (autoclean)
    i810_audio 25504 0 (autoclean)
    ac97_codec 13280 0 (autoclean) [i810_audio]
    soundcore 6468 2 (autoclean) [i810_audio]
    nvidia 4018092 6
    nfsd 76960 8 (autoclean)
    lockd 57088 1 (autoclean) [nfsd]
    sunrpc 76916 1 (autoclean) [nfsd lockd]
    autofs 11844 0 (autoclean) (unused)
    ipt_MASQUERADE 2368 1 (autoclean)
    ipt_LOG 4448 1 (autoclean)
    ipt_state 1344 1 (autoclean)
    iptable_filter 2560 1 (autoclean)
    ip_nat_ftp 4064 0 (unused)
    iptable_nat 22228 2 [ipt_MASQUERADE ip_nat_ftp]
    ip_conntrack_irc 4352 0 (unused)
    ip_conntrack_ftp 5120 1
    ip_conntrack 26228 4 [ipt_MASQUERADE ipt_state ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
    ip_tables 13952 7 [ipt_MASQUERADE ipt_LOG ipt_state iptable_filter iptable_nat]
    tg3 45664 1
    eepro100 21068 1
    mii 3976 0 [eepro100]
    ide-scsi 11008 0
    ide-cd 32256 0
    cdrom 32128 0 [sr_mod ide-cd]
    sd_mod 12892 0 (autoclean) (unused)
    scsi_mod 107596 3 (autoclean) [sr_mod ide-scsi sd_mod]
    reiserfs 190752 0 (autoclean)
    mousedev 5152 1
    hid 20992 0 (unused)
    input 5760 0 [mousedev hid]
    ehci-hcd 18368 0 (unused)
    usb-uhci 24708 0 (unused)
    usbcore 73792 1 [hid ehci-hcd usb-uhci]
    ext3 65952 3
    jbd 47564 3 [ext3]

    and ls /proc/net/
    arp dev_mcast ip_conntrack ip_tables_names packet route rt_cache sockstat tr_rif wireless
    atm drivers ip_mr_cache netlink psched rpc rt_cache_stat softnet_stat udp
    dev igmp ip_mr_vif netstat raw rt_acct snmp tcp unix

    and finally ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ gives:
    arptable_filter.o ip_conntrack_tftp.o ip_queue.o ipt_dscp.o ipt_limit.o ipt_multiport.o ipt_TCPMSS.o
    arp_tables.o ipfwadm.o iptable_filter.o ipt_DSCP.o ipt_LOG.o ipt_owner.o ipt_tos.o
    ipchains.o ip_nat_amanda.o iptable_mangle.o ipt_ecn.o ipt_mac.o ipt_pkttype.o ipt_TOS.o
    ip_conntrack_amanda.o ip_nat_ftp.o iptable_nat.o ipt_ECN.o ipt_mark.o ipt_REDIRECT.o ipt_ttl.o
    ip_conntrack_ftp.o ip_nat_irc.o ip_tables.o ipt_esp.o ipt_MARK.o ipt_REJECT.o ipt_ULOG.o
    ip_conntrack_irc.o ip_nat_snmp_basic.o ipt_ah.o ipt_helper.o ipt_MASQUERADE.o ipt_state.o ipt_unclean.o
    ip_conntrack.o ip_nat_tftp.o ipt_conntrack.o ipt_length.o ipt_MIRROR.o ipt_tcpmss.o

    What am I doing wrong? do I miss a module? I feel being really close to the solution, but cannot see the trees in the forest!

    Any help is greatly appreciated!
    Thanks,

    Ahab

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •