Custom Router (Part 2) – DHCP Server

Nobody wants to configure all their clients by hand, so I also run a DHCP server on my router.

I use the DHCP server from ISC. It is not exactly the simplest DHCP server, but it is one of the most capable, it is very widely deployed and it is well maintained. (ISC has since declared ISC DHCP end-of-life and names Kea as its successor, so check how long your distribution still ships and patches it.)

ISC dhcpd works out by itself which addresses belong on which interface: it matches the subnet declarations against the addresses configured on the router's interfaces and only answers on interfaces for which a matching declaration exists. So all you have to do is declare the subnets as shown here. On Debian you should additionally list the internal interfaces in /etc/default/isc-dhcp-server (INTERFACES, or INTERFACESv4 on newer releases) so that the daemon never listens on the WAN side at all. In this example there is a local DNS, WINS, TFTP ... server with the IP 10.0.1.2.

On Debian it is installed with

apt-get install isc-dhcp-server

and configured in /etc/dhcp/dhcpd.conf. After every change run dhcpd -t -cf /etc/dhcp/dhcpd.conf: it parses the file and exits without starting the server, so a syntax error is caught before the running daemon is restarted.

The configuration is fairly simple: global settings are defined outside the subnet declarations and can be overridden inside a subnet or host declaration, the innermost scope winning. Keep in mind that inheritance applies to the guest LAN too: the global domain-name-servers, netbios-name-servers and next-server/filename below point guests at the internal host 10.0.1.2 as well. Override option domain-name-servers inside the GuestLAN subnet and set next-server/filename only in the subnets that actually PXE-boot, so that guests neither learn internal addresses nor wait for timeouts on servers they are not supposed to reach.

#
# Sample configuration file for ISC dhcpd for Debian
#
#

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "trabauer.local";
# option domain-name-servers 192.168.0.1;
option domain-name-servers 10.0.1.2, 172.16.0.2, 92.62.30.3, 195.230.160.12;

## WINS server
option netbios-name-servers 10.0.1.2;
# 2 = P-node (name resolution via WINS only); 8 = H-node (WINS first, broadcast as fallback)
option netbios-node-type 2;


## PXE boot: TFTP server and boot file handed to network-booting clients
next-server 10.0.1.2;
filename "/pxelinux.0";


# Lease times in seconds: 10 minutes unless the client asks for more, never more than 2 hours
default-lease-time 600;
max-lease-time 7200;

# MGM LAN
subnet 10.0.0.0 netmask 255.255.255.0
{
        range 10.0.0.100 10.0.0.254;
        option subnet-mask 255.255.255.0;
        option routers 10.0.0.1;
}

# HLAN
subnet 192.168.1.0 netmask 255.255.255.0
{
        range 192.168.1.100 192.168.1.254;
        option subnet-mask 255.255.255.0;
        option routers 192.168.1.1;

        # Printserver/Terminal Client
        host farmPi {
                hardware ethernet bc:05:43:0b:8b:48;
                fixed-address 192.168.1.51;
        }

        # Admin's PC
        host asterix{
                hardware ethernet 40:16:7e:b2:9c:10;
                fixed-address 192.168.1.67;
        }

}

# GuestLAN
subnet 192.168.2.0 netmask 255.255.255.0
{
        range 192.168.2.100 192.168.2.254;
        option subnet-mask 255.255.255.0;
        option routers 192.168.2.1;
}
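The following check is an added example and not part of the original post: a small linter for the kind of dhcpd.conf shown above. It parses subnet, range, option routers and host/fixed-address declarations and reports a range or router address outside its subnet, a fixed address that belongs to no declared subnet, and a fixed address inside a dynamic range, which dhcpd does not carve out of the pool and may therefore also hand to a dynamic client. The sample configuration is constructed from the subnets above plus a made-up host "broken" with a hypothetical MAC that triggers the last check; fixed-address values given as hostnames are not handled.

```python
import ipaddress
import re

# Constructed sample: the subnets and reservations from the dhcpd.conf above,
# plus one hypothetical host ("broken", made-up MAC) whose fixed-address sits
# inside the dynamic range, which is the mistake the check is meant to catch.
SAMPLE_CONF = """
ddns-update-style none;
option domain-name "trabauer.local";
option domain-name-servers 10.0.1.2, 172.16.0.2;

# MGM LAN
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.254;
    option routers 10.0.0.1;
}

# HLAN
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.254;
    option routers 192.168.1.1;
    host farmPi  { hardware ethernet bc:05:43:0b:8b:48; fixed-address 192.168.1.51; }
    host asterix { hardware ethernet 40:16:7e:b2:9c:10; fixed-address 192.168.1.67; }
    host broken  { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.1.120; }
}
"""


def parse_dhcpd(text):
    """Minimal parser for the brace/semicolon grammar of dhcpd.conf.

    Returns (subnets, hosts): subnets are dicts with the network, its dynamic
    ranges (also those nested in pool blocks) and the first router option;
    hosts are (name, fixed_address) tuples, since host declarations are global
    in dhcpd wherever they are written. Everything else is skipped."""
    text = re.sub(r"#.*", "", text)                         # drop comments
    tokens = re.findall(r'[{};]|"[^"]*"|[^\s{};"]+', text)  # punctuation, strings, words
    subnets, hosts, stack, stmt = [], [], [], []
    for tok in tokens:
        if tok == "{":
            if stmt[:1] == ["subnet"]:                        # subnet A.B.C.D netmask M {
                block = {"net": ipaddress.ip_network(f"{stmt[1]}/{stmt[3]}", strict=True),
                         "ranges": [], "routers": None}
                subnets.append(block)
            elif stmt[:1] == ["host"]:                        # host NAME {
                block = {"host": stmt[1], "fixed": None}
            else:
                block = None                                  # pool, group, class, ...
            stack.append(block)
            stmt = []
        elif tok == "}":
            block = stack.pop()
            if block is not None and "host" in block:
                hosts.append((block["host"], block["fixed"]))
        elif tok == ";":
            innermost = stack[-1] if stack else None
            host = innermost if innermost and "host" in innermost else None
            subnet = next((b for b in reversed(stack) if b and "net" in b), None)
            if stmt and host is not None:
                if stmt[0] == "fixed-address":
                    host["fixed"] = ipaddress.ip_address(stmt[1].rstrip(","))
            elif stmt and subnet is not None:
                if stmt[0] == "range":                        # range [dynamic-bootp] LO [HI];
                    addrs = [t for t in stmt[1:] if t != "dynamic-bootp"]
                    subnet["ranges"].append((ipaddress.ip_address(addrs[0]),
                                             ipaddress.ip_address(addrs[-1])))
                elif stmt[:2] == ["option", "routers"]:
                    subnet["routers"] = ipaddress.ip_address(stmt[2].rstrip(","))
            stmt = []
        else:
            stmt.append(tok)
    return subnets, hosts


def lint(text):
    """Return human-readable problems found in a dhcpd.conf text."""
    subnets, hosts = parse_dhcpd(text)
    problems = []
    for s in subnets:
        for lo, hi in s["ranges"]:
            if lo not in s["net"] or hi not in s["net"] or lo > hi:
                problems.append(f"range {lo}-{hi} not inside subnet {s['net']}")
        if s["routers"] is not None and s["routers"] not in s["net"]:
            problems.append(f"routers {s['routers']} not inside subnet {s['net']}")
    for name, fixed in hosts:
        if fixed is None:                      # a host without fixed-address is legal
            continue
        owner = next((s for s in subnets if fixed in s["net"]), None)
        if owner is None:
            problems.append(f"host {name}: {fixed} is in no declared subnet")
            continue
        # dhcpd does not exclude fixed addresses from dynamic pools, so a
        # reservation inside a range can collide with a dynamic lease.
        for lo, hi in owner["ranges"]:
            if lo <= fixed <= hi:
                problems.append(f"host {name}: {fixed} lies inside dynamic range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for p in lint(SAMPLE_CONF) or ["no problems found"]:
        print(p)
```

dhcpd -t only checks the syntax; this catches the logical overlap that dhcpd accepts without a word.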




Now the firewall needs exceptions for the DHCP server. Clients send their DHCPDISCOVER and DHCPREQUEST broadcasts from UDP port 68 to port 67, with source address 0.0.0.0 until they hold a lease, so that is what the rules match on, one per VLAN that is served.

A few things to check against the listing that follows. The command for rule 7 names vlan3, but the listing prints vlan2 twice, so verify with iptables -S INPUT that the guest VLAN really got its rule. There is no such rule for vlan1, the 10.0.0.0/24 management LAN, whose DHCP broadcasts will hit the DROP policy although a range is declared for it above. Keep in mind, though, that on Linux dhcpd receives DHCP through a raw packet socket (LPF) that netfilter never sees: these INPUT rules document intent and show up in the counters, but what actually decides where dhcpd answers is the interface list in /etc/default/isc-dhcp-server together with the subnet declarations. The --sport 68 match is not a security boundary either; any host on the VLAN can send from that port.

Two more observations on the chains below. FORWARD rule 7 lets 192.168.1.66 from vlan2 into the management LAN, while the admin PC asterix is reserved 192.168.1.67 in the config above; if the same machine is meant, one of the two numbers is off. A DHCP reservation is no authentication anyway: any host on vlan2 can configure that address statically and pass the rule, so such exceptions should stay as narrow as this one. And GUESTFILTER matches on destination port only, not on the outgoing interface, so apart from the two modem subnets the listed ports (80, 443, 25, 53 and so on) are reachable from the guest VLAN on the internal VLANs as well; if guests are only meant to get to the internet, restrict those ACCEPT rules with -o vlan100 / -o vlan101 or put a DROP for the internal destinations ahead of them.

root@router ~ # iptables -I INPUT 6 -i vlan2 -p udp --dport 67 --sport 68 -j ACCEPT
root@router ~ # iptables -I INPUT 7 -i vlan3 -p udp --dport 67 --sport 68 -j ACCEPT

root@router ~ # iptables -L -v -n --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      897 93443 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        0     0 REJECT     all  --  !lo    *       0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
3        0     0 ACCEPT     all  --  vlan100 *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4      989  885K ACCEPT     all  --  vlan101 *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5     2891  228K ACCEPT     all  --  vlan1  *       10.0.0.0/24          0.0.0.0/0            state RELATED,ESTABLISHED
6        4  1312 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
7        0     0 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
8        2   120 ACCEPT     tcp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
9        1    48 ACCEPT     icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 8 packets, 608 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 GUESTFILTER  all  --  vlan3  *       0.0.0.0/0            0.0.0.0/0            /* Verbotsliste fuer Gastnetz */
2    12973 2620K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     all  --  vlan2  vlan100  0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  vlan3  vlan100  0.0.0.0/0            0.0.0.0/0
5     2170  150K ACCEPT     all  --  vlan2  vlan101  0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  vlan3  vlan101  0.0.0.0/0            0.0.0.0/0
7      540 32400 ACCEPT     all  --  vlan2  vlan1   192.168.1.66         0.0.0.0/0

Chain OUTPUT (policy ACCEPT 34 packets, 4208 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain GUESTFILTER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      vlan100  0.0.0.0/0            172.16.0.0/30
2        0     0 DROP       all  --  *      vlan101  0.0.0.0/0            172.16.0.4/30
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
7        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
8        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
9        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
10       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:990
11       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
12       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:989
13       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
14       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
15       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
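Also an added example, not code from the original post: a consistency check between the interfaces dhcpd is supposed to serve and the INPUT chain. It parses the iptables -L -v -n --line-numbers output above (embedded verbatim so it runs offline), reports every interface without an ACCEPT for UDP port 67 from 0.0.0.0/0 and every rule that appears twice, and prints idempotent iptables commands (-C before -I) for the missing ones. The interface list is an assumption: vlan1 carries 10.0.0.0/24 according to INPUT rule 5, vlan3 is the guest network according to the FORWARD comment, and vlan2 is taken to be the home LAN. On the listing as printed it reports vlan1 and vlan3 as missing and rules 6 and 7 as duplicates.

```python
# The INPUT chain exactly as printed above, embedded so the check runs offline.
INPUT_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      897 93443 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        0     0 REJECT     all  --  !lo    *       0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
3        0     0 ACCEPT     all  --  vlan100 *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4      989  885K ACCEPT     all  --  vlan101 *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5     2891  228K ACCEPT     all  --  vlan1  *       10.0.0.0/24          0.0.0.0/0            state RELATED,ESTABLISHED
6        4  1312 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
7        0     0 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
8        2   120 ACCEPT     tcp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
9        1    48 ACCEPT     icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0
"""

# Assumption: the VLANs dhcpd serves. vlan1 carries 10.0.0.0/24 (INPUT rule 5),
# vlan3 is the guest network (FORWARD rule 1), vlan2 is taken to be the home LAN.
DHCP_INTERFACES = ["vlan1", "vlan2", "vlan3"]


def parse_chain(listing):
    """Turn `iptables -L <chain> -v -n --line-numbers` output into rule dicts.
    Columns: num pkts bytes target prot opt in out source destination [matches...]."""
    rules = []
    for line in listing.splitlines():
        cols = line.split()
        if len(cols) < 10 or not cols[0].isdigit():
            continue                                  # chain header / column header
        rules.append({"num": int(cols[0]), "target": cols[3], "prot": cols[4],
                      "in": cols[6], "out": cols[7], "src": cols[8], "dst": cols[9],
                      "extra": " ".join(cols[10:])})
    return rules


def accepts_dhcp(rule, iface):
    """Would this rule ACCEPT a client's DHCP broadcast (UDP 68 -> 67, source 0.0.0.0)
    arriving on iface? Only the match forms used in this listing are modelled:
    an explicit 'dpt:67' UDP rule or an unconditional ACCEPT on the interface."""
    if (rule["target"] != "ACCEPT" or rule["in"] not in (iface, "*")
            or rule["src"] != "0.0.0.0/0"):
        return False
    if rule["prot"] == "all" and rule["extra"] == "":
        return True
    return rule["prot"] == "udp" and "dpt:67" in rule["extra"]


def audit_dhcp_rules(listing, dhcp_ifaces):
    """Report served interfaces without an accepting rule, and rules listed twice."""
    rules = parse_chain(listing)
    missing = [i for i in dhcp_ifaces if not any(accepts_dhcp(r, i) for r in rules)]
    seen, duplicates = {}, []
    for r in rules:
        key = (r["target"], r["prot"], r["in"], r["out"], r["src"], r["dst"], r["extra"])
        if key in seen:
            duplicates.append((seen[key], r["num"]))
        else:
            seen[key] = r["num"]
    return {"missing": missing, "duplicates": duplicates}


def fix_commands(missing):
    """Idempotent commands for the interfaces lacking a rule: -C succeeds only if the
    rule already exists, so -I runs once and re-running the script adds no duplicates."""
    rule = "INPUT -i {i} -p udp --sport 68 --dport 67 -j ACCEPT"
    return [f"iptables -C {rule.format(i=i)} 2>/dev/null || iptables -I {rule.format(i=i)}"
            for i in missing]


if __name__ == "__main__":
    result = audit_dhcp_rules(INPUT_LISTING, DHCP_INTERFACES)
    print("no DHCP rule for:", result["missing"] or "none")
    print("duplicate rules:", result["duplicates"] or "none")
    for cmd in fix_commands(result["missing"]):
        print(cmd)
```

Feed it the live output of iptables -L INPUT -v -n --line-numbers instead of the embedded string to audit the running router; the iptables commands it prints are safe to paste repeatedly.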

About Florian