Difference between revisions of "DHCP server installation"
Line 58: | Line 58: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
IPTABLES=`which iptables` | IPTABLES=`which iptables` | ||
− | LAN_ADDRESS=" | + | LAN_ADDRESS="172.16.50.0/24" |
# Allow LAN communication | # Allow LAN communication | ||
Line 99: | Line 99: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | Don't forget to adjust your network number '' | + | Don't forget to adjust your network number ''172.16.50.0/24'' |
Line 127: | Line 127: | ||
max-lease-time 7200; | max-lease-time 7200; | ||
option subnet-mask 255.255.255.0; | option subnet-mask 255.255.255.0; | ||
− | option broadcast-address | + | option broadcast-address 172.16.50.255; |
− | option routers | + | option routers 172.16.50.254; |
# Put your own DNS server or your ISP | Google servers | # Put your own DNS server or your ISP | Google servers | ||
− | option domain-name-servers | + | option domain-name-servers 172.16.50.2, 8.8.8.8; |
# Put your domain name - if you have one | # Put your domain name - if you have one | ||
option domain-name "mydomain.lan"; | option domain-name "mydomain.lan"; | ||
− | option ntp-servers | + | option ntp-servers 172.16.50.254; |
− | subnet | + | subnet 172.16.50.0 netmask 255.255.255.0 { |
− | range | + | range 172.16.50.10 172.16.50.100; |
− | range | + | range 172.16.50.150 172.16.50.200; |
} | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
You have to adjust: | You have to adjust: | ||
− | * Network parameters - instead of | + | * Network parameters - instead of 172.16.50.* |
* DHCP range(s). In the given example there are 2 ranges from 10-100 and 150-200 | * DHCP range(s). In the given example there are 2 ranges from 10-100 and 150-200 | ||
Line 157: | Line 157: | ||
max-lease-time 7200; | max-lease-time 7200; | ||
option subnet-mask 255.255.255.0; | option subnet-mask 255.255.255.0; | ||
− | option broadcast-address | + | option broadcast-address 172.16.50.255; |
− | option routers | + | option routers 172.16.50.254; |
− | option domain-name-servers | + | option domain-name-servers 172.16.50.2, 8.8.8.8; |
option domain-name "mydomain.lan"; | option domain-name "mydomain.lan"; | ||
− | option ntp-servers | + | option ntp-servers 172.16.50.254; |
deny unknown-clients; | deny unknown-clients; | ||
− | subnet | + | subnet 172.16.50.0 netmask 255.255.255.0 { |
host client1 { | host client1 { | ||
hardware ethernet DD:GH:DF:E5:F7:D7; | hardware ethernet DD:GH:DF:E5:F7:D7; | ||
− | fixed-address | + | fixed-address 172.16.50.20; |
} | } | ||
host client2 { | host client2 { | ||
hardware ethernet 00:JJ:YU:38:AC:45; | hardware ethernet 00:JJ:YU:38:AC:45; | ||
− | fixed-address | + | fixed-address 172.16.50.21; |
} | } | ||
} | } | ||
Line 241: | Line 241: | ||
# Main LAN | # Main LAN | ||
− | subnet | + | subnet 172.16.50.0 netmask 255.255.255.0 { |
#### Overall settings | #### Overall settings | ||
# You can override the default domain set earlier | # You can override the default domain set earlier | ||
option domain-name "myDomain.lan"; | option domain-name "myDomain.lan"; | ||
# Broadcast address | # Broadcast address | ||
− | option broadcast-address | + | option broadcast-address 172.16.50.255; |
# Default gateway | # Default gateway | ||
− | option routers | + | option routers 172.16.50.1; |
# Set the NTP (time server) to use | # Set the NTP (time server) to use | ||
− | option ntp-servers | + | option ntp-servers 172.16.50.1; |
#### DHCP range | #### DHCP range | ||
# Hint: if the range has only 1 address, and this is a bail (fixed address), then the range won't be used! | # Hint: if the range has only 1 address, and this is a bail (fixed address), then the range won't be used! | ||
− | range | + | range 172.16.50.5 172.16.50.5; |
#### NETBOOT settings | #### NETBOOT settings | ||
Line 265: | Line 265: | ||
filename "pxelinux.0"; | filename "pxelinux.0"; | ||
# set the server that serve this NETBOOT file | # set the server that serve this NETBOOT file | ||
− | next-server | + | next-server 172.16.50.2; |
# Ensure that the new client (the one boot) is not stealing someone else IP @ | # Ensure that the new client (the one boot) is not stealing someone else IP @ | ||
ping-check = 1; | ping-check = 1; | ||
Line 274: | Line 274: | ||
host ftp { | host ftp { | ||
hardware ethernet 00:0f:75:af:eb:44; | hardware ethernet 00:0f:75:af:eb:44; | ||
− | fixed-address | + | fixed-address 172.16.50.2; |
option host-name "ftp"; | option host-name "ftp"; | ||
Line 281: | Line 281: | ||
#filename "debian-installer/ia64/elilo.efi"; | #filename "debian-installer/ia64/elilo.efi"; | ||
# Set the TFTP server | # Set the TFTP server | ||
− | #next-server | + | #next-server 172.16.50.2; |
} | } | ||
# WEB server | # WEB server | ||
host web { | host web { | ||
hardware ethernet 00:02:0d:31:d1:cc; | hardware ethernet 00:02:0d:31:d1:cc; | ||
− | fixed-address | + | fixed-address 172.16.50.3; |
option host-name "web"; | option host-name "web"; | ||
} | } | ||
Line 292: | Line 292: | ||
host mail { | host mail { | ||
hardware ethernet 00:02:55:d2:d1:cc; | hardware ethernet 00:02:55:d2:d1:cc; | ||
− | fixed-address | + | fixed-address 172.16.50.4; |
option host-name "mail"; | option host-name "mail"; | ||
} | } | ||
Line 298: | Line 298: | ||
host laptop { | host laptop { | ||
hardware ethernet 00:0e:af:31:d1:cc; | hardware ethernet 00:0e:af:31:d1:cc; | ||
− | fixed-address | + | fixed-address 172.16.50.5; |
option host-name "laptop"; | option host-name "laptop"; | ||
} | } | ||
Line 366: | Line 366: | ||
host myNewHost { | host myNewHost { | ||
hardware ethernet 00:0e:af:31:d1:cc; | hardware ethernet 00:0e:af:31:d1:cc; | ||
− | fixed-address | + | fixed-address 172.16.50.60; |
option host-name "myNewHost"; | option host-name "myNewHost"; | ||
} | } |
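Review bot: The two sample MAC addresses on the new side of the "Static IP" hunk, `hardware ethernet DD:GH:DF:E5:F7:D7;` and `hardware ethernet 00:JJ:YU:38:AC:45;`, contain non-hexadecimal characters, so dhcpd will reject the file as shown; the revision re-filled only the fixed-address values next to them. Replace them with obviously fake but parseable placeholders such as `00:11:22:33:44:01` and `00:11:22:33:44:02`, with a comment that they must be the clients' real MACs. While in that sample, a one-line caveat next to `deny unknown-clients;` that a MAC address is trivially spoofed — so the filter is not an access control — would spare readers a false sense of security. The subnet block closes inside the hunk; the surrounding page section continues beyond it.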
Revision as of 14:12, 5 June 2014
Dynamic Host Configuration Protocol (DHCP): installing and configuring the ISC DHCP server on Ubuntu.
Note:
Since Ubuntu 11.10 the DHCP3-server is available in the "isc-dhcp-server" package.
Sources
You can find more information about that topic over here:
Requirement
A DHCP server can hand out static (reserved) or dynamic addresses.
However, the DHCP server's own IP address must always be static.
If you also want a DNS server, set it up first, because the fixed addresses declared below must match its records. See DNS server.
Installation
DHCP server
apt-get install isc-dhcp-server
You will be asked a few questions:
- On what network interfaces should the DHCP server listen? <-- eth0
- Please configure the DHCP server as soon as the installation finishes. <-- Ok
- The version 3 DHCP server is now non-authoritative by default <-- Ok
At the end of the installation you will see errors like these:
* Generating /etc/default/dhcp3-server...
- Starting DHCP server: dhcpd3 failed to start - check syslog for diagnostics.
- invoke-rc.d: initscript dhcp3-server, action "start" failed.
That's expected: the server has no configuration yet, so it cannot start.
Security
Add the following rules to your firewall (iptables) so that DHCP and the TFTP NetBoot traffic can reach the server. DHCP requests come from clients that do not have an address yet, so they cannot be filtered by source network; restrict them to the LAN-facing interface instead and never open them on an Internet-facing one.
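IPTABLES=`which iptables`
# Network number of the LAN this server serves - adjust it to your own LAN
LAN_ADDRESS="172.16.50.0/24"
# Interface facing that LAN (the one chosen at install time).
# DHCP requests come from clients that have no address yet (source 0.0.0.0),
# so they cannot be matched on $LAN_ADDRESS: restrict them by interface instead
# and never open ports 67/68 on an Internet-facing interface.
LAN_IF="eth0"
# NOTE(review): on Linux, dhcpd reads broadcast requests through a packet socket
# that the INPUT chain does not inspect; these rules mainly cover unicast
# renewals and relayed requests - confirm the behaviour of your dhcpd version.

# Allow LAN communication
# ... Required for NFS and the NetBoot ...
$IPTABLES -A INPUT  -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT

########################
# INPUT filters
########################
##### DHCP client ######
# Broadcast IP request (this machine acting as a DHCP client)
$IPTABLES -A OUTPUT -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT
# Offers / acks coming back from a DHCP server.
# 255.255.255.255 is only ever a *destination*; a reply never carries it as
# source address, so match the port pair instead.
$IPTABLES -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
###### DHCP server ######
# DHCP runs over UDP only: do not open 67/68 over TCP.
# Client requests arrive on the LAN interface. A DHCP relay agent sends from
# port 67 instead of 68 - add a second rule with --sport 67 if you use one.
$IPTABLES -A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
# NetBoot - TFTP server (unauthenticated protocol: keep it LAN-only)
# NOTE(review): the transfer itself moves to an ephemeral server port; the
# nf_conntrack_tftp helper is normally needed for that traffic to be accepted
# as RELATED - confirm on your kernel.
$IPTABLES -A INPUT -i $LAN_IF -p udp -s $LAN_ADDRESS --dport 69 -j ACCEPT
########################
# OUTPUT filters
########################
# DHCP [udp] - replies to clients (server -> 68) and our own requests (client -> 67)
$IPTABLES -A OUTPUT -p udp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 68 -j ACCEPT
# TFTP NetBoot
$IPTABLES -A OUTPUT -p udp --dport 69 -j ACCEPT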
Don't forget to adjust the network number 172.16.50.0/24 to your own LAN, and check which interface faces that LAN before loading the rules.
Configuration
The main configuration file is /etc/dhcp/dhcpd.conf
vim /etc/dhcp/dhcpd.conf
You can adjust the interface(s) the server listens on in /etc/default/isc-dhcp-server (/etc/default/dhcp3-server with the older dhcp3-server package):
# Interfaces dhcpd listens on. List only the LAN interface(s) that must serve
# DHCP - never an Internet-facing one (the install above chose eth0).
INTERFACES="eth0 eth1"
Dynamic IP assignment
The following configuration accepts every client and leases it an address from the configured pool(s).
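# Sample /etc/dhcp/dhcpd.conf - dynamic pool, every client accepted
# (add your comments here)
# This is the official DHCP server for this LAN: clients that still hold a lease
# from another server get a NAK and ask again (the package installs the server
# as non-authoritative by default).
authoritative;
# No dynamic DNS updates from this server
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 172.16.50.255;
option routers 172.16.50.254;
# Put your own DNS server or your ISP | Google servers
option domain-name-servers 172.16.50.2, 8.8.8.8;
# Put your domain name - if you have one
option domain-name "mydomain.lan";
option ntp-servers 172.16.50.254;
subnet 172.16.50.0 netmask 255.255.255.0 {
  # Any client on this subnet gets an address from one of these pools.
  # Keep the addresses you assign by hand (gateway .254, DNS .2, ...) outside them.
  range 172.16.50.10 172.16.50.100;
  range 172.16.50.150 172.16.50.200;
}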
You have to adjust:
- Network parameters: replace 172.16.50.* with your own network
- DHCP range(s). In the given example there are 2 ranges from 10-100 and 150-200
Static IP @
This configuration will ONLY answer known clients (those with a matching host entry) and give each of them a fixed IP address. Clients are recognised by their MAC address, which is easily spoofed, so treat this as a convenience filter rather than an access control.
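# Sample /etc/dhcp/dhcpd.conf - known clients only, fixed addresses
# (add your comments here)
# This is the official DHCP server for this LAN (see the note on "authoritative" above)
authoritative;
# No dynamic DNS updates from this server
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 172.16.50.255;
option routers 172.16.50.254;
option domain-name-servers 172.16.50.2, 8.8.8.8;
option domain-name "mydomain.lan";
option ntp-servers 172.16.50.254;
# Only clients with a matching host {} entry below are answered.
# They are identified by MAC address, which any machine on the LAN can spoof:
# this keeps strangers from getting a lease by accident, it is not an access
# control (use 802.1X / switch port security for that).
deny unknown-clients;
subnet 172.16.50.0 netmask 255.255.255.0 {
  # Replace the placeholder MAC addresses with the clients' real ones.
  # A MAC is six hexadecimal bytes: any other character makes dhcpd reject the file.
  host client1 {
    hardware ethernet 00:11:22:33:44:01;
    fixed-address 172.16.50.20;
  }
  host client2 {
    hardware ethernet 00:11:22:33:44:02;
    fixed-address 172.16.50.21;
  }
}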
Note:
The deny unknown-clients; statement is why only known clients (those declared in a host block, matched by MAC address) are accepted.
For each client you have to adjust:
- the MAC address
- the fixed IP address to hand out
Advanced configuration (name + netboot)
In the following scenario you will configure the server to accept only specific clients, give them fixed IP addresses and set their names.
This configuration also allows network boot (NetBoot) using PXE.
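#### General options ####
## Domain settings
# domain name
option domain-name "myDomain.lan";
# DNS IP @ (replace the placeholders by your own DNS server, your ISP's or Google's;
# dhcpd will not load the file while they still read XXX/YYY)
option domain-name-servers XXX.XXX.XXX.XXX, YYY.YYY.YYY.YYY;
# DNS update system (disable)
ddns-update-style none;
## IP lease settings
default-lease-time 7200;
max-lease-time 86400;
## Network settings
# DHCP server name
server-name "dns.myDomain.lan";
# Authoritative server = this is the official DHCP server for the local network
# (clients that still hold a lease from another server get a NAK and ask again)
authoritative;
# Subnet-mask
option subnet-mask 255.255.255.0;
## Security
# Do not allow unknown clients: only hosts declared in a host {} block below are answered.
# Clients are recognised by MAC address, which any machine on the LAN can spoof, so this
# is a convenience filter, not an access control (use 802.1X / switch port security for that).
deny unknown-clients;
# DHCP option 19, sent to the *clients*: tells them not to forward IP packets (not to act
# as a router). It changes nothing on the server itself - dhcpd never forwards requests
# between interfaces; that is the job of a DHCP relay agent.
option ip-forwarding off;
# Use this to send dhcp log messages to a different log file
# you also have to hack syslog.conf to complete the redirection
log-facility local7;
### NetBoot PXE
# Enable network boot using TFTP.
# "allow bootp" is only needed for old BOOTP-only firmware; PXE firmware speaks DHCP.
allow bootp;
allow booting;
## Available networks
# Your server can manage many networks. Just add one subnet{} instruction per network
# Main LAN
subnet 172.16.50.0 netmask 255.255.255.0 {
  #### Overall settings
  # You can override the default domain set earlier
  option domain-name "myDomain.lan";
  # Broadcast address
  option broadcast-address 172.16.50.255;
  # Default gateway
  option routers 172.16.50.1;
  # Set the NTP (time server) to use
  option ntp-servers 172.16.50.1;
  #### DHCP range
  # No dynamic pool here: unknown clients are denied and every allowed host has a
  # fixed-address below, so a range would never be used. If you add one later, keep
  # it away from the fixed addresses - dhcpd is not guaranteed to exclude them from a
  # pool, so a one-address "range 172.16.50.5 172.16.50.5;" would clash with host laptop.
  #### NETBOOT settings
  # PXE file to serve.
  # >> elilo.efi => for ia64 clients;
  # >> pxelinux.0 => for x86
  # These files should be at the root of your TFTP server
  # Note: The file name can be added in the "host" section too. Then, the "host" will override the current setting
  filename "pxelinux.0";
  # Set the server that serves this NETBOOT file.
  # TFTP has no authentication or integrity check: a rogue DHCP or TFTP server on the
  # LAN can hand a booting client a different image. Keep the TFTP server LAN-only
  # (see the firewall rules) and only net-boot on a LAN you trust.
  next-server 172.16.50.2;
  # Ensure that the new client (the one booting) is not stealing someone else's IP @
  # (the address is pinged before it is offered)
  ping-check = 1;
}
#### Managed host and fixed IP @
# FTP server
host ftp {
  hardware ethernet 00:0f:75:af:eb:44;
  fixed-address 172.16.50.2;
  option host-name "ftp";
  ### NetBoot PXE settings
  # dedicated file for the current machine:
  #filename "debian-installer/ia64/elilo.efi";
  # Set the TFTP server
  #next-server 172.16.50.2;
}
# WEB server
host web {
  hardware ethernet 00:02:0d:31:d1:cc;
  fixed-address 172.16.50.3;
  option host-name "web";
}
# EMAIL server
host mail {
  hardware ethernet 00:02:55:d2:d1:cc;
  fixed-address 172.16.50.4;
  option host-name "mail";
}
# LAPTOP workstation
host laptop {
  hardware ethernet 00:0e:af:31:d1:cc;
  fixed-address 172.16.50.5;
  option host-name "laptop";
}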
Be aware that the "option host-name ..." may be discarded by most clients.
Logs
Logs are in /var/log/syslog
Leases
All DHCP leases are recorded in the lease file, which dhcpd rewrites itself (view it, do not edit it while the server runs):
less /var/lib/dhcp/dhcpd.leases   (older dhcp3-server package: /var/lib/dhcp3/dhcpd.leases)
Manage service
You can start / restart service using:
service isc-dhcp-server start|restart|stop
OR
/etc/init.d/isc-dhcp-server restart
You can check the status using:
ps aux | grep dhcp
netstat -uap | grep dhcp
Add new host
Every time you need to add a host you have to:
Edit the configuration file:
vim /etc/dhcp/dhcpd.conf
Add new host at the end of the file :
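host myNewHost {
  # The new host's real MAC address - it must be unique among the host entries
  # (do not copy it from another host such as "laptop" above).
  hardware ethernet 00:11:22:33:44:55;
  # Address handed to that MAC; keep it in sync with the host's DNS record.
  fixed-address 172.16.50.60;
  option host-name "myNewHost";
}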
==> The IP address you assign here must match the host's record on the DNS server!
Restart the DHCP server :
/etc/init.d/isc-dhcp-server restart
NetBoot
To setup the netboot, see NetBoot server.