Linux Router and Firewall
Transcription
Linux Router and Firewall
11/18/2014 Linux Router and Firewall - SSN Linux Router and Firewall From SSN This tutorial shows you how to setup a server for the sole purpose of being the DHCP server and firewall for our LAN. The purpose of having a Linux-based server/firewall is for the flexibility and in some cases, an improvement of bandwidth and speed outside to the internet, though the main purpose is truly is for flexibility. Any Linux distribution can be used for this purpose, but this tutorial will mainly focus on CentOS 7.x and other derivatives (RHEL/SL/etc). This tutorial will also focus on some security aspects when putting your new Linux router into a 'production' state to ensure 100% uptime in and out. If you are looking for RHEL/CentOS 6, go here. Linux EL 7 Router and Firewall SecureCRT providing SSH Access to CentOS Server OS family Linux: CentOS/RHEL 7 Working state Public Supported platforms x86, x64 Contents 1 Overview 1.1 Advantages to having a Linux Router 1.2 Disadvantages to having a Linux Router 1.3 Required Software and Hardware 2 Tutorial 2.1 Setting up DHCP 2.2 The firewall 2.2.1 FirewallD 2.3 SSH User Access and Restrictions 3 Extras 3.1 Renaming your Devices 3.2 Target static IP for specific host 3.3 Forwarding Ports 3.3.1 FirewallD 3.4 Denying Unknown Mac Addresses 3.5 IPv6 Tunnel 3.6 Dynamic DNS Overview This tutorial provides you the steps to get started in getting a Linux router setup for your LAN. It's not only a secure option and can be grounds for modification, it's also a learning and educational experience. In the end, it is an easy process and can be accomplished on a wide array of distributions, hardware, and http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall 1/14 11/18/2014 Linux Router and Firewall - SSN networking situations. We only cover the basics of getting up and running. Modifications like QoS, IPv6 tunnels, DNS, advanced firewall rules are beyond the scope of this article, but will be included as value-added at the bottom. Note: This guide is meant as a learning exercise to get an idea of how most configurations and other dedicated setups typically work, from a manual stand point. Advantages to having a Linux Router Flexibility. You will have an available system for an in-house lab, SSH Tunneling, PXE/Cobbler, or even means of holding a web server if you're so inclined. The only limitations are you and what you want. Disadvantages to having a Linux Router You have to use a PC for it. It would make more sense to buy an on-the-self router and flash the firmware to something that is third-party and has similar Linux aspects. Required Software and Hardware The software requirements: -A Linux OS CentOS 7 (http://www.centos.org) is what we'll use here The hardware requirements: You'll need a PC that can handle a minimal install of a Linux OS. The hard drive does NOT have to be large. You'll also need two network cards. One of them CAN be built in, but you'll need an add-on PCI ethernet card. Also, your stock-router needs its DHCP settings turned off and a static address set in accordance to your subnet. Tutorial Now we will begin the process of setting up the Linux Router. *** Warning: Potential Pitfalls! *** -The incorrect configuration in your firewall or SSH configuration can create security holes -Not changing your SSH port to something non-standard is a security hole. Change it or turn it off completely. -If your system uses SELinux, leave it on. It's there for a reason. Turn it off for troubleshooting only. -Do NOT come to me for support if you have disabled selinux -You need to turn your store-bought router into a switch by turning off DHCP and setting a static IP to access it when necessary. -Do NOT plug the Linux Router into the internet slot. Plug it into the 1-4 slots, instead. http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall 2/14 11/18/2014 Linux Router and Firewall - SSN Setting up DHCP To start everything off, you'll need to setup a DHCP server. Not only this, you may want to disable Network Manager. If you wish to keep it on, then do so. However, I turn it off in this tutorial for generally good reasons. % yum install dhcp dhcp-common -y % systemctl stop NetworkManager % systemctl disable NetworkManager % systemctl restart network % systemctl status NetworkManager NetworkManager.service - Network Manager Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; disabled) Active: inactive (dead) % systemctl status network network.service - LSB: Bring up/down networking Loaded: loaded (/etc/rc.d/init.d/network) Active: active (running) since Thu 2014-07-03 13:39:51 MST; 23h ago CGroup: /system.slice/network.service ââ1119 /sbin/dhclient -H zera1 -1 -q -lf /var/lib/dhclient/dhclient-ca756c19-c76b-46fa-813e-ae26a3994860-ens1 Now, we'll need to make some slight changes to our interface files. We'll start with "enp5v0", it may be a different name for you (like ens or p3p1 etc). So change them to fit your box. DEVICE="enp5v0" BOOTPROTO="static" TYPE="Bridge" NM_CONTROLLED="no" ONBOOT="yes" IPADDR="10.100.1.1" NETMASK="255.255.255.0" ## This will be set to static ## Set the gateway IP you plan on using After making that change, restart the network service and double check. % systemctl restart network % ip addr show enp5v0 10: enp5v0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether ------------ brd ff:ff:ff:ff:ff:ff inet 10.100.1.1/24 brd 10.100.1.255 scope global enp5v0 valid_lft forever preferred_lft forever inet6 fe80::214:d1ff:fe23:2b2c/64 scope link valid_lft forever preferred_lft forever Now, let's modify our /etc/dhcp/dhcpd.conf file. It'll be a generally empty file. These are the settings I used. Make sure to read the comments. # # DHCP Server Configuration file. # see /usr/share/doc/dhcp*/dhcpd.conf.example # see dhcpd.conf(5) man page # ddns-update-style interim; ## This matters more if you plan on having dynamic DNS. http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall 3/14 11/18/2014 Linux Router and Firewall - SSN allow booting; allow bootp; authoritative; # deny unknown-clients; ## Helps with PXE ## Same thing, some POS controllers need this ## Authoritative DHCP server ignore client-updates; ## Ignores requests for DNS server updates set vendorclass = option vendor-class-identifier; ## Without this, most DHCP servers will not work -- in my case, it wou subnet 10.100.1.0 netmask 255.255.255.0 interface option routers option domain-name-servers # option domain-name-servers option domain-name option subnet-mask range filename default-lease-time max-lease-time next-server } { ## Your network and mask goes here enp5v0; ## Interface in which the clients will be served 10.100.1.1; ## Set this line to your router's IP, more than likely 10.100.1.1; ## My DNS server is my own router. Change this to your 10.100.1.1,68.105.28.11,68.105.29.11,8.8.8.8,8.8.4.4; ## Example of multiple DN "bromosapien.net"; ## If you have a domain name for your network, set it h 255.255.255.0; ## Required. 10.100.1.100 10.100.1.199; ## Range of IP's that systems can use. "/pxelinux.0"; ## PXE related 21600; 43200; 10.100.1.1; After doing that, enable dhcpd and start it up. % systemctl enable dhcpd % systemctl start dhcpd % systemctl status dhcpd dhcpd.service - DHCPv4 Server Daemon Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled) Active: active (running) since Mon 2014-07-07 18:37:02 MST; 4s ago Docs: man:dhcpd(8) man:dhcpd.conf(5) Main PID: 28434 (dhcpd) CGroup: /system.slice/dhcpd.service └─28434 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul 07 07 07 07 07 07 07 07 07 07 07 07 07 07 07 07 07 18:37:02 18:37:02 18:37:02 18:37:02 18:37:02 18:37:02 18:37:03 18:37:03 18:37:03 18:37:03 18:37:03 18:37:03 18:37:04 18:37:05 18:37:05 18:37:05 18:37:05 solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net solaire.bromosapien.net systemd[1]: Started DHCPv4 Server Daemon. dhcpd[28434]: Internet Systems Consortium DHCP Server 4.2.5 dhcpd[28434]: Copyright 2004-2013 Internet Systems Consortium. dhcpd[28434]: All rights reserved. dhcpd[28434]: For info, please visit https://www.isc.org/software/dhcp/ dhcpd[28434]: Not searching LDAP since ldap-server, ldap-port and ld...file dhcpd[28434]: Wrote 0 deleted host decls to leases file. dhcpd[28434]: Wrote 0 new dynamic host decls to leases file. dhcpd[28434]: Wrote 2 leases to leases file. dhcpd[28434]: Listening on LPF/enp5v0//10.100.1.0/24 dhcpd[28434]: Sending on LPF/enp5v0//10.100.1.0/24 dhcpd[28434]: Sending on Socket/fallback/fallback-net dhcpd[28434]: DHCPDISCOVER from (android-305df79d0...p5v0 dhcpd[28434]: DHCPOFFER on 10.100.1.106 to (androi...p5v0 dhcpd[28434]: DHCPREQUEST for 10.100.1.106 (10.100.1.1) from ac:22:0...p5v0 dhcpd[28434]: DHCPACK on 10.100.1.106 to (android-...p5v0 dhcpd[28434]: Unable to add forward map from android-305df79d03199b3...ound And then lastly, we need to enable forwarding. RHEL 7 does it a bit differently, but you can still modify /etc/sysctl.conf. It does give you a nifty note. % vi /etc/sysctl.conf # System default settings live in /usr/lib/sysctl.d/00-system.conf. # To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall 4/14 11/18/2014 Linux Router and Firewall - SSN # # For more information, see sysctl.conf(5) and sysctl.d(5). net.ipv4.ip_forward = 1 % sysctl -p The firewall The iptables firewall generally is pretty easy to deal with. However, since firewalld is default, you may want to fall back to the old way. % % % % yum install iptables-services iptables-utils systemctl stop firewalld.service systemctl disable firewalld.service systemctl enable iptables.service Read the comments to understand what I did below. This is a generic /etc/sysconfig/iptables file that should work. # Start of NAT # Add this section *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A POSTROUTING -o enp3s0 -j MASQUERADE ## This is absolutely important. COMMIT ## Always end a table like this # Start of filter # Here are your regular "rules" *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i enp3s0 -p icmp -m icmp --icmp-type 8 -j DROP -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp -j DROP ## Anything going from the gateway has to have come from us to come back in. -A FORWARD -i enp3s0 -o enp5v0 -m state --state RELATED,ESTABLISHED -j ACCEPT ## This makes sure that anyone on the inside can head on out. -A FORWARD -i enp5v0 -o enp3s0 -j ACCEPT -A FORWARD -j DROP COMMIT Restart your firewall and you're ready. Make sure to test your clients. % systemctl restart iptables FirewallD Red Hat recently introduced firewalld into their core product, basing itself on what was shipped in Fedora. This is not a problem, but it may be a problem for others who want complete control of their setup, like the above, and the other examples later. However, if you want to turn on NAT with firewalld, http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall 5/14 11/18/2014 Linux Router and Firewall - SSN these are the steps I do. % % % % firewall-cmd firewall-cmd firewall-cmd firewall-cmd --change-interface=enp3s0 --zone=external --permanent --change-interface=enp5v0 --zone=internal --permanent --set-default-zone=internal --complete-reload By default, the external zone is the masqueraded zone. Note: If you disable network manager like I do, you will need to specify a ZONE directive in the interface file for your interfaces. Typically, if your default zone is internal, your modem interface will always show up in internal. No matter what you do. That's why you have to use the directive. ... NAME="enp3s0" DEVICE="enp3s0" ONBOOT="yes" ZONE="external" <---- This SSH User Access and Restrictions So you want SSH access to your system from the inside and outside. Alright, cool. We just need to make a couple of modifications to the sshd_config file. First and foremost, we need to change the port number from 22. There are reasons why it should NOT be port 22. That is the most checked and attacked port of all time. Sure, if root doesn't have a password and another account is not allowed SSH access by password and only be SSH key, they won't get in. But, the last thing you want is your logs being filled up with failures to login and your bandwidth/speed being reduced (though slightly) from those attacks. Let's modify the file first. % vi /etc/ssh/sshd_config ## Find the lines commented, and add the changes afterward. # Port 22 Port 30717 # PermitRootLogin yes PermitRootLogin no % semanage port -a -t ssh_port_t -p tcp 30717 % systemctl restart sshd.service Note: If you don't have semanage available, install policycoreutils-python. Let's add a user and add them to the wheel group. Be sure to set your user a password. % useradd pinky % usermod -aG wheel pinky http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall 6/14 11/18/2014 Linux Router and Firewall - SSN Now, open up /etc/pam.d/su and take one of the comments off. We'll take the one off that says the user is required to be in the wheel group. That user will still need to know root's password. If you want to allow a user to get root without root's password, you may do so. However, I don't recommend doing that. #%PAM-1.0 auth sufficient pam_rootok.so # Uncomment the following line to implicitly trust users in the "wheel" group. #auth sufficient pam_wheel.so trust use_uid # Uncomment the following line to require a user to be in the "wheel" group. auth required pam_wheel.so use_uid auth substack system-auth auth include postlogin account sufficient pam_succeed_if.so uid = 0 use_uid quiet account include system-auth password include system-auth session include system-auth session include postlogin session optional pam_xauth.so You may now want to test the effects. An example of the 'implicit' rule. [pinky@solaire ~]$ su Last login: Mon Jul 7 18:26:49 MST 2014 on pts/0 [root@solaire ~]# Now, we'll need to make a change to the iptables firewall for our new port. *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A POSTROUTING -o enp3s0 -j MASQUERADE ## This is absolutely important. COMMIT ## Always end a table like this *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i enp3s0 -p icmp -m icmp --icmp-type 8 -j DROP -A INPUT -i lo -j ACCEPT ## ADD THIS BELOW -A INPUT -p tcp -m state --state NEW -m tcp --dport 30717 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp -j DROP -A FORWARD -i enp3s0 -o enp5v0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i enp5v0 -o enp3s0 -j ACCEPT -A FORWARD -j DROP COMMIT % systemctl restart iptables FirewallD Users: If you use firewalld, you'll do something like so. % % % % $ firewall-cmd firewall-cmd firewall-cmd firewall-cmd firewall-cmd --zone=internal --add-port=30717/tcp --zone=internal --remove-service=ssh --zone=external --add-port=30717/tcp --zone=external --remove-service=ssh --complete-reload --permanent --permanent --permanent --permanent http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall 7/14 11/18/2014 Linux Router and Firewall - SSN After that, you should be good! Try plugging a switch or a store bought router (configured correctly with DHCP disabled and a static address) into the LAN port, make sure all the services have been (re)started, and see if your clients get IP's. Do they? Now see if you can SSH into your box through your new port with your users. If you succeed, you're ready to go. Now just make sure you can get to the internet :) Extras Here we'll expand the functionality of our server. We'll have some value added things below in this section. Renaming your Devices This isn't truly important, but if you want your devices to have some names that you actually understand or know what they are, you may want to try and change them. This can technically be prevented by using biosdevname=0 and net.ifnames=0 on the grub kernel line, either before your install your system or on an already installed system. But, for the sake of the example, I'll change an interface name that was generated by udev. I'll change my outbound interface to ob0, which is attached to the modem. You can name them however you want, and you'll need to do this for each device you rename in the long run. % vi /etc/udev/rules.d/99-rename-net.rules SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="$(cat /sys/class/net/ens192/address)", ATTR{dev_id}=="0x % cd /etc/sysconfig/network-scripts % mv ifcfg-ens192 ifcfg-ob0 % vi ifcfg-ob0 # Generated by dracut initrd DEVICE="ob0" <-- Change this appropriately ONBOOT=yes NETBOOT=yes BOOTPROTO=dhcp HWADDR="00:0c:29:c4:ba:2b" TYPE=Ethernet NAME="ob0" <-- Change this appropriately % init 6 % ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ob0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:c4:ba:2b brd ff:ff:ff:ff:ff:ff inet 10.100.0.213/23 brd 10.100.1.255 scope global dynamic ob0 valid_lft 21544sec preferred_lft 21544sec inet6 fe80::20c:29ff:fec4:ba2b/64 scope link valid_lft forever preferred_lft forever Target static IP for specific host http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall 8/14 11/18/2014 Linux Router and Firewall - SSN You can do this easily by modifying /etc/dhcp/dhcpd.conf. You can add a line like... host Healer { hardware ethernet 00:00:00:00:00:00; fixed-address 10.100.0.110; } Providing the computer name after host, and then that system's mac address, you can provide the 'fixedaddress' that it will get each time it connects to the network. # service dhcpd restart You can get the mac addresses of those PC's using either ip a sh (if they're linux) or ipconfig /all if they're windows. Or, in the windows gui, you can look at the 'status' of an adapter, and click 'details' to get it too. Forwarding Ports Forwarding ports can get complicated. But don't fret, it's not as bad as it seems. Let's say we want to forward 6112 TCP and UDP to a host, so they can hold StarCraft/WarCraft III games. Modify /etc/sysconfig/iptables as followed; You'll need a prerouting line and a forward line at the bottom. *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # Add the prerouting lines below... p is for protocol and m is for match # i is for interface, -j is for action/target -A PREROUTING -i enp3s0 -p udp -m udp --dport 6112 -j DNAT --to-destination 10.100.1.101:6112 -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 6112 -j DNAT --to-destination 10.100.1.101:6112 -A POSTROUTING -o enp3s0 -j MASQUERADE COMMIT # Start of filter *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i enp3s0 -p icmp -m icmp --icmp-type 8 -j DROP -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 30717 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp -j DROP -A FORWARD -i enp3s0 -o enp5v0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i enp5v0 -o enp3s0 -j ACCEPT # Add the forward lines -A FORWARD -d 10.100.1.101 -i enp3s0 -p udp -m udp --dport 6112 -j ACCEPT -A FORWARD -d 10.100.1.101 -i enp3s0 -p tcp -m tcp --dport 6112 -j ACCEPT COMMIT Save it, and restart the firewall via systemctl. FirewallD To perform this in firewalld, you can do something like this. http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall 9/14 11/18/2014 Linux Router and Firewall - SSN firewall-cmd --zone=external --add-forward-port=port=6112:proto=udp:toport=6112:toaddr=10.100.1.101 --permanent firewall-cmd --zone=external --add-forward-port=port=6112:proto=tcp:toport=6112:toaddr=10.100.1.101 --permanent firewall-cmd --complete-reload Denying Unknown Mac Addresses Let's say you don't want to use your wireless network's filters, or you decided you wanted to mess with people who like to hope onto an unprotected wireless network... Whatever the case is, you want to restrict clients based on mac address. You can add the following to your /etc/dhcp/dhcpd.conf. deny unknown-clients; After doing that, you can do like in the above section for static IP leases, make a section at the bottom and designate the host. host Healer { hardware ethernet 00:00:00:00:00:00; fixed-address 10.100.1.110; } IPv6 Tunnel For those who have tunnels, this might be helpful. I have a tunnel from he.net. Sixxs usually has instructions for what they want to make their tunnels work, typically. This is what I do for my tunnel to get it up and running, and to ensure clients on the inside of the network can get out. First, we need to setup an interface. I typically like consistency. Since the modem interface is enp2s0 on one of my routers, I will use enp2v0 for the tunnel interface. Technically, you can use sit0. DEVICE="enp2v0" TYPE="sit" BOOTPROTO="none" ONBOOT="yes" IPV6INIT="yes" IPV6TUNNELIPV4="66.220.18.42" IPV6ADDR="2001:470:c:286::2/64" IPV6FORWARDING="yes" # Your tunnel provider usually provides this IP # This is your end point that does not go with your 'subnet' For the internal LAN interface, which is eno1, I added in the IPv6 information for the subnet I was given. TYPE=Ethernet BOOTPROTO=static NAME=eno1 DEVICE=eno1 ONBOOT=yes http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall 10/14 11/18/2014 Linux Router and Firewall - SSN IPADDR="10.100.0.1" NETMASK="255.255.254.0" ## IPv6 information IPV6ADDR="2001:470:d:286::1/64" IPV6INIT="yes" IPV6FORWARDING="yes" For the firewall, I did this in the /etc/sysconfig/ip6tables file. Since there is no NAT, we just use basic INPUT and FORWARD rules in between the sit interface and the internal LAN interface. *filter :INPUT ACCEPT [56:6791] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [53:8508] -A INPUT -p icmpv6 -j ACCEPT -A INPUT -i enp2v0 -p tcp -m tcp --dport 1 -j DROP -A INPUT -i enp2v0 -p tcp -m tcp --dport 0 -j DROP -A INPUT -i lo -j ACCEPT -A INPUT -i eno1 -p udp -m udp --dport 53 -j ACCEPT -A INPUT -s ::/0 -d ::/0 -p tcp -m state --state NEW -m tcp --dport 45521 -j ACCEPT -A INPUT -i enp2v0 -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp -m state --state NEW -j DROP -A FORWARD -i enp2v0 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eno1 -o enp2v0 -j ACCEPT -A FORWARD -i enp2v0 -o eno1 -p icmpv6 -j ACCEPT -A FORWARD -i enp2v0 -o eno1 -j DROP COMMIT % systemctl enable ip6tables % systemctl start ip6tables In /etc/sysconfig/network, you'll need these lines. NETWORKING_IPV6=yes IPV6FORWARDING=yes IPV6_DEFAULTDEV="enp2v0" In /etc/sysctl.conf, I put this. net.ipv6.conf.all.forwarding = 1 % sysctl -p In your regular firewall, you'll need some rules for your "heartbeat". Some providers require a heartbeat of some sort. -A IN_TRU -s 66.220.2.74/32 -i ob0 -p icmp -m comment --comment "IPv6 Heartbeat" -m icmp --icmp-type 8 -j ACCEPT -A IN_TRU -s 66.220.18.42 -i ob0 -m comment --comment "IPv6 Heartbeat" -j ACCEPT http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall 11/14 11/18/2014 Linux Router and Firewall - SSN Dynamic DNS Dynamic DNS is not all that important, but it's sometimes a fun feature to use for a network. It basically allows clients to have their own name in DNS for easy communication with one another by name, etc. New clients will get IP's and the bind DNS server will be updated with their names, as long as the machine provide host names. Note: The subnet I use here is in a testing subnet and does not reflect what was used in the actual tutorial above. First, install the bind DNS package and then generate an rndc key. % yum install bind % rndc-confgen -a # This will take a few minutes depending on the amount of entropy available If you don't have DNS already setup, you'll need to change a few options. Most of these are set to loopback addresses. You can change them to 'any' or to the internal LAN interface IP in your network. For me, I set them to 'any' because the outside world can query me for information. options { ... listen-on port 53 { any; }; listen-on-v6 port 53 { ::1 }; allow-query { any; }; ... }; You will also need to add a forwarders block within options, especially if you plan on pointing your clients to your DNS server. options { ... forwarders { 10.100.0.1; 8.8.8.8; }; }; And then, at the bottom, you need to set an include line for your key, which includes the key block, as well as starting your zone blocks. You will also need to change the permissions of the key. include "/etc/rndc.key" zone "angelsofclockwork.net" { type master; file "dynamic/angelsofclockwork.net"; allow-update { key rndc-key; }; }; zone "2.100.10.in-addr.arpa" { type master; file "dynamic/2.100.10.in-addr.arpa"; allow-update { key rndc-key; }; }; http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall 12/14 11/18/2014 Linux Router and Firewall - SSN # Save the file % chown root:named /etc/rndc.key % chmod 640 /etc/rndc.key Now, let's make our zone files, giving them a blank slate. We need both the forward and reverse zones. So first, our forward zone. $ORIGIN . $TTL 10800 ; 3 hours angelsofclockwork.net IN SOA NS $ORIGIN angelsofclockwork.net. zera1 A angelsofclockwork.net. zera1.angelsofclockwork.net. ( 2 ; serial 86400 ; refresh (1 day) 3600 ; retry (1 hour) 604800 ; expire (1 week) 10800 ; minimum (3 hours) ) zera1.angelsofclockwork.net. 10.100.2.1 And now, our reverse zone. $ORIGIN . $TTL 10800 ; 3 hours 2.100.10.in-addr.arpa IN SOA NS $ORIGIN 2.100.10.in-addr.arpa. 1 PTR 2.100.10.in-addr.arpa. zera1.angelsofclockwork.net. ( 2 ; serial 86400 ; refresh (1 day) 3600 ; retry (1 hour) 604800 ; expire (1 week) 10800 ; minimum (3 hours) ) zera1.angelsofclockwork.net. zera1.angelsofclockwork.net. Once those are filled out, change the ownership of the files to named:named using chown. Otherwise, you will get SERVFAIL errors and DNS will not get updated. Now, you'll need to modify /etc/dhcp/dhcpd.conf. Comments will follow. # Add this to turn on DDNS ddns-updates on; # Add your key block below. You can get it by doing cat /etc/rndc.key and copying/pasting here. key rndc-key { algorithm hmac-md5; secret fkILNxLzrC/w84mr9gSFbQ==; }; subnet 10.100.2.0 netmask 255.255.255.0 { ... # If you haven't already, set your domain server to your router IP. option domain-name-servers 10.100.2.1; # If you want your local addresses to have a domain name, you NEED to set this. # If you followed the above tutorial, I specified a domain name already. option domain-name "angelsofclockwork.net"; ... http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall 13/14 11/18/2014 Linux Router and Firewall - SSN } # Now set your zone blocks for both the forward and reverse. zone angelsofclockwork.net. { primary localhost; key rndc-key; } zone 2.100.10.in-addr.arpa. { primary localhost; key rndc-key; } Save the file and restart the services. They should go cleanly. % systemctl restart named dhcpd Named will usually be the only one that fails in this case. Check the logs to see what went wrong. Now, refresh your clients and see if their information is filled out correctly. % host zera2.angelsofclockwork.net zera2.angelsofclockwork.net has address 10.100.2.100 Retrieved from "http://www.bromosapien.net:8080/media/index.php? title=Linux_Router_and_Firewall&oldid=1831" Category: Operating Systems This page was last modified on 3 November 2014, at 07:25. http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall 14/14