Linux Router and Firewall

Transcription

1 Linux Router and Firewall From SSN This tutorial shows you how to setup a server for the sole purpose of being the DHCP server and firewall for our LAN. The purpose of having a Linux-based server/firewall is for the flexibility and in some cases, an improvement of bandwidth and speed outside to the internet, though the main purpose is truly is for flexibility. Any Linux distribution can be used for this purpose, but this tutorial will mainly focus on CentOS 7.x and other derivatives (RHEL/SL/etc). This tutorial will also focus on some security aspects when putting your new Linux router into a 'production' state to ensure 100% uptime in and out. Linux EL 7 Router and Firewall SecureCRT providing SSH Access to CentOS Server OS family Linux: CentOS/RHEL 7 Working state Public If you are looking for RHEL/CentOS 6, go here. Supported platforms x86, x64 Contents 1 Overview 1.1 Advantages to having a Linux Router 1.2 Disadvantages to having a Linux Router 1.3 Required Software and Hardware 2 Tutorial 2.1 Setting up DHCP 2.2 The firewall FirewallD 2.3 SSH User Access and Restrictions 3 Extras 3.1 Renaming your Devices 3.2 Target static IP for specific host 3.3 Forwarding Ports FirewallD 3.4 Denying Unknown Mac Addresses 3.5 IPv6 Tunnel 3.6 Dynamic DNS Overview This tutorial provides you the steps to get started in getting a Linux router setup for your LAN. It's not only a secure option and can be grounds for modification, it's also a learning and educational experience. In the end, it is an easy process and can be accomplished on a wide array of distributions, hardware, and 1/14

2 networking situations. We only cover the basics of getting up and running. Modifications like QoS, IPv6 tunnels, DNS, advanced firewall rules are beyond the scope of this article, but will be included as value-added at the bottom. Note: This guide is meant as a learning exercise to get an idea of how most configurations and other dedicated setups typically work, from a manual stand point. Advantages to having a Linux Router Flexibility. You will have an available system for an in-house lab, SSH Tunneling, PXE/Cobbler, or even means of holding a web server if you're so inclined. The only limitations are you and what you want. Disadvantages to having a Linux Router You have to use a PC for it. It would make more sense to buy an on-the-self router and flash the firmware to something that is third-party and has similar Linux aspects. Required Software and Hardware The software requirements: -A Linux OS CentOS 7 ( is what we'll use here The hardware requirements: You'll need a PC that can handle a minimal install of a Linux OS. The hard drive does NOT have to be large. You'll also need two network cards. One of them CAN be built in, but you'll need an add-on PCI ethernet card. Also, your stock-router needs its DHCP settings turned off and a static address set in accordance to your subnet. Tutorial Now we will begin the process of setting up the Linux Router. *** Warning: Potential Pitfalls! *** -The incorrect configuration in your firewall or SSH configuration can create security holes -Not changing your SSH port to something non-standard is a security hole. Change it or turn it off completely. -If your system uses SELinux, leave it on. It's there for a reason. Turn it off for troubleshooting only. -Do NOT come to me for support if you have disabled selinux -You need to turn your store-bought router into a switch by turning off DHCP and setting a static IP to access it when necessary. -Do NOT plug the Linux Router into the internet slot. Plug it into the 1-4 slots, instead. 2/14

3 Setting up DHCP To start everything off, you'll need to setup a DHCP server. Not only this, you may want to disable Network Manager. If you wish to keep it on, then do so. However, I turn it off in this tutorial for generally good reasons. % yum install dhcp dhcp-common -y % systemctl stop NetworkManager % systemctl disable NetworkManager % systemctl restart network % systemctl status NetworkManager NetworkManager.service - Network Manager Loaded: loaded (/usr/lib/systemd/system/networkmanager.service; disabled) Active: inactive (dead) % systemctl status network network.service - LSB: Bring up/down networking Loaded: loaded (/etc/rc.d/init.d/network) Active: active (running) since Thu :39:51 MST; 23h ago CGroup: /system.slice/network.service ââ1119 /sbin/dhclient -H zera1-1 -q -lf /var/lib/dhclient/dhclient-ca756c19-c76b-46fa-813e-ae26a ens1 Now, we'll need to make some slight changes to our interface files. We'll start with "enp5v0", it may be a different name for you (like ens or p3p1 etc). So change them to fit your box. DEVICE="enp5v0" BOOTPROTO="static" TYPE="Bridge" NM_CONTROLLED="no" ONBOOT="yes" IPADDR=" " NETMASK=" " ## This will be set to static ## Set the gateway IP you plan on using After making that change, restart the network service and double check. % systemctl restart network % ip addr show enp5v0 10: enp5v0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether brd ff:ff:ff:ff:ff:ff inet /24 brd scope global enp5v0 valid_lft forever preferred_lft forever inet6 fe80::214:d1ff:fe23:2b2c/64 scope link valid_lft forever preferred_lft forever Now, let's modify our /etc/dhcp/dhcpd.conf file. It'll be a generally empty file. These are the settings I used. Make sure to read the comments. # # DHCP Server Configuration file. # see /usr/share/doc/dhcp*/dhcpd.conf.example # see dhcpd.conf(5) man page # ddns-update-style interim; ## This matters more if you plan on having dynamic DNS. 3/14

4 allow booting; allow bootp; authoritative; # deny unknown-clients; ## Helps with PXE ## Same thing, some POS controllers need this ## Authoritative DHCP server ignore client-updates; ## Ignores requests for DNS server updates set vendorclass = option vendor-class-identifier; ## Without this, most DHCP servers will not work -- in my case, it wou subnet netmask { ## Your network and mask goes here interface enp5v0; ## Interface in which the clients will be served option routers ; ## Set this line to your router's IP, more than likely option domain-name-servers ; ## My DNS server is my own router. Change this to your # option domain-name-servers , , , , ; ## Example of multiple DN option domain-name "bromosapien.net"; ## If you have a domain name for your network, set it h option subnet-mask ; ## Required. range ; ## Range of IP's that systems can use. filename "/pxelinux.0"; ## PXE related default-lease-time 21600; max-lease-time 43200; next-server ; } After doing that, enable dhcpd and start it up. % systemctl enable dhcpd % systemctl start dhcpd % systemctl status dhcpd dhcpd.service - DHCPv4 Server Daemon Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled) Active: active (running) since Mon :37:02 MST; 4s ago Docs: man:dhcpd(8) man:dhcpd.conf(5) Main PID: (dhcpd) CGroup: /system.slice/dhcpd.service /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid Jul 07 18:37:02 solaire.bromosapien.net systemd[1]: Started DHCPv4 Server Daemon. Jul 07 18:37:02 solaire.bromosapien.net dhcpd[28434]: Internet Systems Consortium DHCP Server Jul 07 18:37:02 solaire.bromosapien.net dhcpd[28434]: Copyright Internet Systems Consortium. Jul 07 18:37:02 solaire.bromosapien.net dhcpd[28434]: All rights reserved. Jul 07 18:37:02 solaire.bromosapien.net dhcpd[28434]: For info, please visit Jul 07 18:37:02 solaire.bromosapien.net dhcpd[28434]: Not searching LDAP since ldap-server, ldap-port and ld...file Jul 07 18:37:03 solaire.bromosapien.net dhcpd[28434]: Wrote 0 deleted host decls to leases file. Jul 07 18:37:03 solaire.bromosapien.net dhcpd[28434]: Wrote 0 new dynamic host decls to leases file. Jul 07 18:37:03 solaire.bromosapien.net dhcpd[28434]: Wrote 2 leases to leases file. Jul 07 18:37:03 solaire.bromosapien.net dhcpd[28434]: Listening on LPF/enp5v0// /24 Jul 07 18:37:03 solaire.bromosapien.net dhcpd[28434]: Sending on LPF/enp5v0// /24 Jul 07 18:37:03 solaire.bromosapien.net dhcpd[28434]: Sending on Socket/fallback/fallback-net Jul 07 18:37:04 solaire.bromosapien.net dhcpd[28434]: DHCPDISCOVER from (android-305df79d0...p5v0 Jul 07 18:37:05 solaire.bromosapien.net dhcpd[28434]: DHCPOFFER on to (androi...p5v0 Jul 07 18:37:05 solaire.bromosapien.net dhcpd[28434]: DHCPREQUEST for ( ) from ac:22:0...p5v0 Jul 07 18:37:05 solaire.bromosapien.net dhcpd[28434]: DHCPACK on to (android-...p5v0 Jul 07 18:37:05 solaire.bromosapien.net dhcpd[28434]: Unable to add forward map from android-305df79d03199b3...ound And then lastly, we need to enable forwarding. RHEL 7 does it a bit differently, but you can still modify /etc/sysctl.conf. It does give you a nifty note. % vi /etc/sysctl.conf # System default settings live in /usr/lib/sysctl.d/00-system.conf. # To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file 4/14

5 # # For more information, see sysctl.conf(5) and sysctl.d(5). net.ipv4.ip_forward = 1 % sysctl -p The firewall The iptables firewall generally is pretty easy to deal with. However, since firewalld is default, you may want to fall back to the old way. % yum install iptables-services iptables-utils % systemctl stop firewalld.service % systemctl disable firewalld.service % systemctl enable iptables.service Read the comments to understand what I did below. This is a generic /etc/sysconfig/iptables file that should work. # Start of NAT # Add this section *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A POSTROUTING -o enp3s0 -j MASQUERADE ## This is absolutely important. COMMIT ## Always end a table like this # Start of filter # Here are your regular "rules" *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i enp3s0 -p icmp -m icmp --icmp-type 8 -j DROP -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp -j DROP ## Anything going from the gateway has to have come from us to come back in. -A FORWARD -i enp3s0 -o enp5v0 -m state --state RELATED,ESTABLISHED -j ACCEPT ## This makes sure that anyone on the inside can head on out. -A FORWARD -i enp5v0 -o enp3s0 -j ACCEPT -A FORWARD -j DROP COMMIT Restart your firewall and you're ready. Make sure to test your clients. % systemctl restart iptables FirewallD Red Hat recently introduced firewalld into their core product, basing itself on what was shipped in Fedora. This is not a problem, but it may be a problem for others who want complete control of their setup, like the above, and the other examples later. However, if you want to turn on NAT with firewalld, 5/14

6 these are the steps I do. % firewall-cmd --change-interface=enp3s0 --zone=external --permanent % firewall-cmd --change-interface=enp5v0 --zone=internal --permanent % firewall-cmd --set-default-zone=internal % firewall-cmd --complete-reload By default, the external zone is the masqueraded zone. Note: If you disable network manager like I do, you will need to specify a ZONE directive in the interface file for your interfaces. Typically, if your default zone is internal, your modem interface will always show up in internal. No matter what you do. That's why you have to use the directive.... NAME="enp3s0" DEVICE="enp3s0" ONBOOT="yes" ZONE="external" <---- This SSH User Access and Restrictions So you want SSH access to your system from the inside and outside. Alright, cool. We just need to make a couple of modifications to the sshd_config file. First and foremost, we need to change the port number from 22. There are reasons why it should NOT be port 22. That is the most checked and attacked port of all time. Sure, if root doesn't have a password and another account is not allowed SSH access by password and only be SSH key, they won't get in. But, the last thing you want is your logs being filled up with failures to login and your bandwidth/speed being reduced (though slightly) from those attacks. Let's modify the file first. % vi /etc/ssh/sshd_config ## Find the lines commented, and add the changes afterward. # Port 22 Port # PermitRootLogin yes PermitRootLogin no % semanage port -a -t ssh_port_t -p tcp % systemctl restart sshd.service Note: If you don't have semanage available, install policycoreutils-python. Let's add a user and add them to the wheel group. Be sure to set your user a password. % useradd pinky % usermod -ag wheel pinky 6/14

7 Now, open up /etc/pam.d/su and take one of the comments off. We'll take the one off that says the user is required to be in the wheel group. That user will still need to know root's password. If you want to allow a user to get root without root's password, you may do so. However, I don't recommend doing that. #%PAM-1.0 auth sufficient pam_rootok.so # Uncomment the following line to implicitly trust users in the "wheel" group. #auth sufficient pam_wheel.so trust use_uid # Uncomment the following line to require a user to be in the "wheel" group. auth required pam_wheel.so use_uid auth substack system-auth auth include postlogin account sufficient pam_succeed_if.so uid = 0 use_uid quiet account include system-auth password include system-auth session include system-auth session include postlogin session optional pam_xauth.so You may now want to test the effects. An example of the 'implicit' rule. [pinky@solaire ~]$ su - Last login: Mon Jul 7 18:26:49 MST 2014 on pts/0 [root@solaire ~]# Now, we'll need to make a change to the iptables firewall for our new port. *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A POSTROUTING -o enp3s0 -j MASQUERADE ## This is absolutely important. COMMIT ## Always end a table like this *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i enp3s0 -p icmp -m icmp --icmp-type 8 -j DROP -A INPUT -i lo -j ACCEPT ## ADD THIS BELOW -A INPUT -p tcp -m state --state NEW -m tcp --dport j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp -j DROP -A FORWARD -i enp3s0 -o enp5v0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i enp5v0 -o enp3s0 -j ACCEPT -A FORWARD -j DROP COMMIT % systemctl restart iptables FirewallD Users: If you use firewalld, you'll do something like so. % firewall-cmd --zone=internal --add-port=30717/tcp --permanent % firewall-cmd --zone=internal --remove-service=ssh --permanent % firewall-cmd --zone=external --add-port=30717/tcp --permanent % firewall-cmd --zone=external --remove-service=ssh --permanent $ firewall-cmd --complete-reload 7/14

8 After that, you should be good! Try plugging a switch or a store bought router (configured correctly with DHCP disabled and a static address) into the LAN port, make sure all the services have been (re)started, and see if your clients get IP's. Do they? Now see if you can SSH into your box through your new port with your users. If you succeed, you're ready to go. Now just make sure you can get to the internet :) Extras Here we'll expand the functionality of our server. We'll have some value added things below in this section. Renaming your Devices This isn't truly important, but if you want your devices to have some names that you actually understand or know what they are, you may want to try and change them. This can technically be prevented by using biosdevname=0 and net.ifnames=0 on the grub kernel line, either before your install your system or on an already installed system. But, for the sake of the example, I'll change an interface name that was generated by udev. I'll change my outbound interface to ob0, which is attached to the modem. You can name them however you want, and you'll need to do this for each device you rename in the long run. % vi /etc/udev/rules.d/99-rename-net.rules SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="$(cat /sys/class/net/ens192/address)", ATTR{dev_id}=="0x % cd /etc/sysconfig/network-scripts % mv ifcfg-ens192 ifcfg-ob0 % vi ifcfg-ob0 # Generated by dracut initrd DEVICE="ob0" ONBOOT=yes NETBOOT=yes BOOTPROTO=dhcp HWADDR="00:0c:29:c4:ba:2b" TYPE=Ethernet NAME="ob0" % init 6 <-- Change this appropriately <-- Change this appropriately % ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet /8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ob0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:c4:ba:2b brd ff:ff:ff:ff:ff:ff inet /23 brd scope global dynamic ob0 valid_lft 21544sec preferred_lft 21544sec inet6 fe80::20c:29ff:fec4:ba2b/64 scope link valid_lft forever preferred_lft forever Target static IP for specific host 8/14

9 You can do this easily by modifying /etc/dhcp/dhcpd.conf. You can add a line like... host Healer { hardware ethernet 00:00:00:00:00:00; fixed-address ; } Providing the computer name after host, and then that system's mac address, you can provide the 'fixedaddress' that it will get each time it connects to the network. # service dhcpd restart You can get the mac addresses of those PC's using either ip a sh (if they're linux) or ipconfig /all if they're windows. Or, in the windows gui, you can look at the 'status' of an adapter, and click 'details' to get it too. Forwarding Ports Forwarding ports can get complicated. But don't fret, it's not as bad as it seems. Let's say we want to forward 6112 TCP and UDP to a host, so they can hold StarCraft/WarCraft III games. Modify /etc/sysconfig/iptables as followed; You'll need a prerouting line and a forward line at the bottom. *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # Add the prerouting lines below... p is for protocol and m is for match # i is for interface, -j is for action/target -A PREROUTING -i enp3s0 -p udp -m udp --dport j DNAT --to-destination :6112 -A PREROUTING -i enp3s0 -p tcp -m tcp --dport j DNAT --to-destination :6112 -A POSTROUTING -o enp3s0 -j MASQUERADE COMMIT # Start of filter *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i enp3s0 -p icmp -m icmp --icmp-type 8 -j DROP -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp -j DROP -A FORWARD -i enp3s0 -o enp5v0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i enp5v0 -o enp3s0 -j ACCEPT # Add the forward lines -A FORWARD -d i enp3s0 -p udp -m udp --dport j ACCEPT -A FORWARD -d i enp3s0 -p tcp -m tcp --dport j ACCEPT COMMIT Save it, and restart the firewall via systemctl. FirewallD To perform this in firewalld, you can do something like this. 9/14

10 firewall-cmd --zone=external --add-forward-port=port=6112:proto=udp:toport=6112:toaddr= permanent firewall-cmd --zone=external --add-forward-port=port=6112:proto=tcp:toport=6112:toaddr= permanent firewall-cmd --complete-reload Denying Unknown Mac Addresses Let's say you don't want to use your wireless network's filters, or you decided you wanted to mess with people who like to hope onto an unprotected wireless network... Whatever the case is, you want to restrict clients based on mac address. You can add the following to your /etc/dhcp/dhcpd.conf. deny unknown-clients; After doing that, you can do like in the above section for static IP leases, make a section at the bottom and designate the host. host Healer { hardware ethernet 00:00:00:00:00:00; fixed-address ; } IPv6 Tunnel For those who have tunnels, this might be helpful. I have a tunnel from he.net. Sixxs usually has instructions for what they want to make their tunnels work, typically. This is what I do for my tunnel to get it up and running, and to ensure clients on the inside of the network can get out. First, we need to setup an interface. I typically like consistency. Since the modem interface is enp2s0 on one of my routers, I will use enp2v0 for the tunnel interface. Technically, you can use sit0. DEVICE="enp2v0" TYPE="sit" BOOTPROTO="none" ONBOOT="yes" IPV6INIT="yes" IPV6TUNNELIPV4=" " # Your tunnel provider usually provides this IP IPV6ADDR="2001:470:c:286::2/64" # This is your end point that does not go with your 'subnet' IPV6FORWARDING="yes" For the internal LAN interface, which is eno1, I added in the IPv6 information for the subnet I was given. TYPE=Ethernet BOOTPROTO=static NAME=eno1 DEVICE=eno1 ONBOOT=yes 10/14

11 IPADDR=" " NETMASK=" " ## IPv6 information IPV6ADDR="2001:470:d:286::1/64" IPV6INIT="yes" IPV6FORWARDING="yes" For the firewall, I did this in the /etc/sysconfig/ip6tables file. Since there is no NAT, we just use basic INPUT and FORWARD rules in between the sit interface and the internal LAN interface. *filter :INPUT ACCEPT [56:6791] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [53:8508] -A INPUT -p icmpv6 -j ACCEPT -A INPUT -i enp2v0 -p tcp -m tcp --dport 1 -j DROP -A INPUT -i enp2v0 -p tcp -m tcp --dport 0 -j DROP -A INPUT -i lo -j ACCEPT -A INPUT -i eno1 -p udp -m udp --dport 53 -j ACCEPT -A INPUT -s ::/0 -d ::/0 -p tcp -m state --state NEW -m tcp --dport j ACCEPT -A INPUT -i enp2v0 -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp -m state --state NEW -j DROP -A FORWARD -i enp2v0 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eno1 -o enp2v0 -j ACCEPT -A FORWARD -i enp2v0 -o eno1 -p icmpv6 -j ACCEPT -A FORWARD -i enp2v0 -o eno1 -j DROP COMMIT % systemctl enable ip6tables % systemctl start ip6tables In /etc/sysconfig/network, you'll need these lines. NETWORKING_IPV6=yes IPV6FORWARDING=yes IPV6_DEFAULTDEV="enp2v0" In /etc/sysctl.conf, I put this. net.ipv6.conf.all.forwarding = 1 % sysctl -p In your regular firewall, you'll need some rules for your "heartbeat". Some providers require a heartbeat of some sort. -A IN_TRU -s /32 -i ob0 -p icmp -m comment --comment "IPv6 Heartbeat" -m icmp --icmp-type 8 -j ACCEPT -A IN_TRU -s i ob0 -m comment --comment "IPv6 Heartbeat" -j ACCEPT 11/14

12 Dynamic DNS Dynamic DNS is not all that important, but it's sometimes a fun feature to use for a network. It basically allows clients to have their own name in DNS for easy communication with one another by name, etc. New clients will get IP's and the bind DNS server will be updated with their names, as long as the machine provide host names. Note: The subnet I use here is in a testing subnet and does not reflect what was used in the actual tutorial above. First, install the bind DNS package and then generate an rndc key. % yum install bind % rndc-confgen -a # This will take a few minutes depending on the amount of entropy available If you don't have DNS already setup, you'll need to change a few options. Most of these are set to loopback addresses. You can change them to 'any' or to the internal LAN interface IP in your network. For me, I set them to 'any' because the outside world can query me for information. options {... listen-on port 53 { any; }; listen-on-v6 port 53 { ::1 }; allow-query { any; };... }; You will also need to add a forwarders block within options, especially if you plan on pointing your clients to your DNS server. options {... forwarders { ; ; }; }; And then, at the bottom, you need to set an include line for your key, which includes the key block, as well as starting your zone blocks. You will also need to change the permissions of the key. include "/etc/rndc.key" zone "angelsofclockwork.net" { type master; file "dynamic/angelsofclockwork.net"; allow-update { key rndc-key; }; }; zone " in-addr.arpa" { type master; file "dynamic/ in-addr.arpa"; allow-update { key rndc-key; }; }; 12/14

13 # Save the file % chown root:named /etc/rndc.key % chmod 640 /etc/rndc.key Now, let's make our zone files, giving them a blank slate. We need both the forward and reverse zones. So first, our forward zone. $ORIGIN. $TTL ; 3 hours angelsofclockwork.net IN SOA angelsofclockwork.net. zera1.angelsofclockwork.net. ( 2 ; serial ; refresh (1 day) 3600 ; retry (1 hour) ; expire (1 week) ; minimum (3 hours) ) NS zera1.angelsofclockwork.net. $ORIGIN angelsofclockwork.net. zera1 A And now, our reverse zone. $ORIGIN. $TTL ; 3 hours in-addr.arpa IN SOA in-addr.arpa. zera1.angelsofclockwork.net. ( 2 ; serial ; refresh (1 day) 3600 ; retry (1 hour) ; expire (1 week) ; minimum (3 hours) ) NS zera1.angelsofclockwork.net. $ORIGIN in-addr.arpa. 1 PTR zera1.angelsofclockwork.net. Once those are filled out, change the ownership of the files to named:named using chown. Otherwise, you will get SERVFAIL errors and DNS will not get updated. Now, you'll need to modify /etc/dhcp/dhcpd.conf. Comments will follow. # Add this to turn on DDNS ddns-updates on; # Add your key block below. You can get it by doing cat /etc/rndc.key and copying/pasting here. key rndc-key { algorithm hmac-md5; secret fkilnxlzrc/w84mr9gsfbq==; }; subnet netmask {... # If you haven't already, set your domain server to your router IP. option domain-name-servers ; # If you want your local addresses to have a domain name, you NEED to set this. # If you followed the above tutorial, I specified a domain name already. option domain-name "angelsofclockwork.net"; /14

14 } # Now set your zone blocks for both the forward and reverse. zone angelsofclockwork.net. { primary localhost; key rndc-key; } zone in-addr.arpa. { primary localhost; key rndc-key; } Save the file and restart the services. They should go cleanly. % systemctl restart named dhcpd Named will usually be the only one that fails in this case. Check the logs to see what went wrong. Now, refresh your clients and see if their information is filled out correctly. % host zera2.angelsofclockwork.net zera2.angelsofclockwork.net has address Retrieved from " title=linux_router_and_firewall&oldid=1831" Category: Operating Systems This page was last modified on 3 November 2014, at 07: /14