Difference between revisions of "DHCP server installation"

=Security=

You should edit your firewall to match the current rules:

See [[Firewall INPUT filters#DHCP|Firewall rules for DHCP server]]

<syntaxhighlight lang="bash">
IPTABLES=`which iptables`
LAN_ADDRESS="172.16.50.0/24"

# Allow LAN communication
# ... Required for NFS and the NetBoot ...
$IPTABLES -A INPUT  -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT

########################
# INPUT filters
########################

##### DHCP client ######
# Broadcast IP request (this host acting as a DHCP client)
$IPTABLES -A OUTPUT -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT
# Receive the server's replies to those requests
# (note: replies actually carry the server's own source address, not 255.255.255.255)
$IPTABLES -A INPUT -p udp -s 255.255.255.255 --sport 67 --dport 68 -j ACCEPT

###### DHCP server ######
# Receive the clients' requests. DHCP runs over UDP; the TCP rule never matches
# real DHCP traffic and is only kept for completeness.
$IPTABLES -A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 68 --dport 67 -j ACCEPT

# NetBoot - TFTP server
$IPTABLES -A INPUT -p udp -s $LAN_ADDRESS --dport 69 -j ACCEPT

########################
# OUTPUT filters
########################
# DHCP [udp]
$IPTABLES -A OUTPUT -p udp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 68 -j ACCEPT
# DHCP [tcp]
$IPTABLES -A OUTPUT -p tcp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 68 -j ACCEPT

# TFTP NetBoot
$IPTABLES -A OUTPUT -p udp --dport 69 -j ACCEPT
</syntaxhighlight>

Don't forget to adjust your network number ''172.16.50.0/24''

=Configuration=

Revision as of 20:47, 8 August 2014


Dynamic Host Configuration Protocol.


Note:

Since Ubuntu 11.10 the DHCP3-server is available in the "isc-dhcp-server" package.


Sources

You can find more information about that topic over here:


Requirement

A DHCP server can provide static or dynamic addresses.

However, the DHCP server's own IP address must always be static!!


If you want to use DNS, you can even set up the DNS server first. See DNS server



Installation

DHCP server

apt-get install isc-dhcp-server


You will be asked a few questions:

  • On what network interfaces should the DHCP server listen? <-- eth0
  • Please configure the DHCP server as soon as the installation finishes. <-- Ok
  • The version 3 DHCP server is now non-authoritative by default <-- Ok


At the end of the installation you will see errors like these:

  • Generating /etc/default/dhcp3-server...
  • Starting DHCP server: dhcpd3 failed to start - check syslog for diagnostics.
  • invoke-rc.d: initscript dhcp3-server, action "start" failed.

That's OK because we did not have the chance yet to configure our DHCP server.


Security

See Firewall rules for DHCP server

Configuration

The main configuration file is /etc/dhcp/dhcpd.conf

vim /etc/dhcp/dhcpd.conf


You can adjust the interfaces the server is listening on in /etc/dhcp/dhcp3-server:

INTERFACES="eth0 eth1"


Dynamic IP assignment

The following configuration will accept all clients and give each of them a dynamic IP address taken from the declared ranges.

# Sample /etc/dhcp/dhcpd.conf
# (add your comments here)
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 172.16.50.255;
option routers 172.16.50.254;
# Put your own DNS server or your ISP | Google servers
option domain-name-servers 172.16.50.2, 8.8.8.8;
# Put your domain name - if you have one
option domain-name "mydomain.lan";
option ntp-servers 172.16.50.254;

subnet 172.16.50.0 netmask 255.255.255.0 {
  range 172.16.50.10 172.16.50.100;
  range 172.16.50.150 172.16.50.200;
}

You have to adjust:

  • Network parameters - instead of 172.16.50.*
  • DHCP range(s). In the given example there are 2 ranges from 10-100 and 150-200


Static IP address

This new configuration will ONLY accept known clients and give each of them a static IP address.

# Sample /etc/dhcp/dhcpd.conf
# (add your comments here)
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 172.16.50.255;
option routers 172.16.50.254;
option domain-name-servers 172.16.50.2, 8.8.8.8;
option domain-name "mydomain.lan";
option ntp-servers 172.16.50.254;

deny unknown-clients;

subnet 172.16.50.0 netmask 255.255.255.0 {
    host client1 {
        # placeholder MAC address - replace it with the client's real one
        hardware ethernet 00:11:22:33:44:55;
        fixed-address 172.16.50.20;
    }
    host client2 {
        # placeholder MAC address - replace it with the client's real one
        hardware ethernet 00:11:22:33:44:66;
        fixed-address 172.16.50.21;
    }
}

Note:

The deny unknown-clients; statement is what restricts the server to known clients: a client whose MAC address matches no host block gets no lease.


For each client you have to adjust:

  • the MAC address
  • the static IP address to assign


Advanced configuration (name + netboot)

In the following scenario you will configure the server to accept only specific clients, give them static IP addresses and set their names.

This configuration also allows NetBoot using PXE.


#### General options ####

## Domain settings
# domain name
option domain-name "myDomain.lan";
# DNS IP address (replace with your own DNS server, Google DNS or your ISP's DNS)
option domain-name-servers XXX.XXX.XXX.XXX, YYY.YYY.YYY.YYY;
# DNS update system (disable)
ddns-update-style none;

## IP lease settings
default-lease-time 7200;
max-lease-time 86400;

## Network settings
# DHCP server name
server-name "dns.myDomain.lan";
# Authoritative server = this is the official DHCP server for the local network
authoritative;
# Subnet-mask
option subnet-mask 255.255.255.0;


## Security
# Do not allow unknown clients (only MAC addresses declared in a host {} block get a lease)
deny unknown-clients;
# DHCP option 19 sent to clients: tells them to keep IP forwarding disabled.
# (It does not stop this server from relaying requests; use the firewall for that.)
option ip-forwarding off;

# Use this to send dhcp log messages to a different syslog facility
# (you also have to edit syslog.conf / rsyslog.conf to route local7 to its own file)
log-facility local7;

### NetBoot PXE
# Enable network boot using TFTP 
allow bootp;
allow booting;


## Available networks

# Your server can manage many networks. Just add a new subnet {} block for each one.

# Main LAN
subnet 172.16.50.0 netmask 255.255.255.0 {
  #### Overall settings
  # You can override the default domain set earlier
  option domain-name "myDomain.lan";
  # Broadcast address
  option broadcast-address 172.16.50.255;
  # Default gateway
  option routers 172.16.50.1;
  # Set the NTP (time server) to use
  option ntp-servers 172.16.50.1;


  #### DHCP range
  # Hint: if the range holds only 1 address and that address is also declared as a
  # fixed-address in a host block, the range will never be used!
  range 172.16.50.5 172.16.50.5;

  #### NETBOOT settings
  # PXE file to serve.
  #   >> elilo.efi   => for ia64 clients;
  #   >> pxelinux.0  => for x86
  # These files should be at the root of your TFTP server
  # Note: the file name can also be set in a "host" block; the host setting then overrides this one
  filename "pxelinux.0";
  # TFTP server that serves this NETBOOT file
  next-server 172.16.50.2;
  # Ping an address before offering it, so a newly booted client cannot be given an
  # IP address that someone else is already using
  ping-check = 1;
}

#### Managed host and fixed IP @
# FTP server
host ftp {
  hardware ethernet 00:0f:75:af:eb:44;
  fixed-address 172.16.50.2;
  option host-name "ftp";

  ### NetBoot PXE settings
  # dedicated file for the current machine:
  #filename "debian-installer/ia64/elilo.efi";
  # Set the TFTP server
  #next-server 172.16.50.2;
} 
# WEB server
host web {
  hardware ethernet 00:02:0d:31:d1:cc;
  fixed-address 172.16.50.3;
  option host-name "web";
}
# EMAIL server
host mail {
  hardware ethernet 00:02:55:d2:d1:cc;
  fixed-address 172.16.50.4;
  option host-name "mail";
}
# LAPTOP workstation
host laptop {
  hardware ethernet 00:0e:af:31:d1:cc;
  fixed-address 172.16.50.5;
  option host-name "laptop";
}


Be aware that the "option host-name ..." may be discarded by most clients.


Logs

Logs are in /var/log/syslog


Leases

All DHCP leases are available in:

vim /var/lib/dhcp3/dhcpd.leases
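As an added example, not part of the original page, the following Python script reads a dhcpd.leases file and dhcpd's syslog lines to answer two defender questions: which addresses are currently leased to a MAC that is not in your host {} inventory, and which MACs keep sending DHCPDISCOVER and getting "no free leases", which is what dhcpd logs when deny unknown-clients refuses them. The leases text, the syslog lines, the KNOWN_MACS set and SAMPLE_NOW are constructed for this example; the function names are chosen here and are not part of ISC dhcpd.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a dhcpd.leases file (not the page's own). dhcpd appends a new
# record every time a lease changes, so the LAST record for an address is the current one.
SAMPLE_LEASES = """\
lease 172.16.50.15 {
  starts 4 2014/08/07 18:00:00;
  ends 4 2014/08/07 20:00:00;
  binding state active;
  hardware ethernet 00:0e:af:31:d1:cc;
  client-hostname "laptop";
}
lease 172.16.50.15 {
  starts 4 2014/08/07 20:00:00;
  ends 4 2014/08/07 22:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:0e:af:31:d1:cc;
  client-hostname "laptop";
}
lease 172.16.50.16 {
  starts 4 2014/08/07 19:30:00;
  ends 4 2014/08/07 21:30:00;
  binding state active;
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
lease 172.16.50.17 {
  starts 4 2014/08/07 10:00:00;
  ends 4 2014/08/07 12:00:00;
  binding state free;
  hardware ethernet 00:02:0d:31:d1:cc;
}
"""

# Constructed syslog lines in the format dhcpd writes (not taken from the page).
SAMPLE_SYSLOG = """\
Aug  7 20:00:01 dns dhcpd: DHCPREQUEST for 172.16.50.15 from 00:0e:af:31:d1:cc (laptop) via eth0
Aug  7 20:00:01 dns dhcpd: DHCPACK on 172.16.50.15 to 00:0e:af:31:d1:cc (laptop) via eth0
Aug  7 20:01:10 dns dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0: network 172.16.50.0/24: no free leases
Aug  7 20:01:14 dns dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0: network 172.16.50.0/24: no free leases
Aug  7 20:02:00 dns dhcpd: DHCPDISCOVER from 00:de:ad:be:ef:01 via eth0: network 172.16.50.0/24: no free leases
"""

# MACs from the host {} blocks you declared (constructed here; build it from your dhcpd.conf).
KNOWN_MACS = {"00:0e:af:31:d1:cc", "00:02:0d:31:d1:cc"}
SAMPLE_NOW = datetime(2014, 8, 7, 21, 0, tzinfo=timezone.utc)  # lease times are UTC


def parse_leases(text):
    """Return {ip: record}; a later record for the same ip replaces an earlier one."""
    leases = {}
    for m in re.finditer(r"lease\s+(\S+)\s*\{([^}]*)\}", text):
        ip, body = m.group(1), m.group(2)
        mac = re.search(r"hardware\s+ethernet\s+([0-9a-f:]+)\s*;", body, re.I)
        ends = re.search(r"\bends\s+\d\s+(\S+\s+\S+)\s*;", body)            # 'ends never;' -> no match
        state = re.search(r"^\s*binding state\s+(\w+)\s*;", body, re.M)   # skips 'next binding state'
        host = re.search(r'client-hostname\s+"([^"]*)"\s*;', body)
        leases[ip] = {
            "mac": mac.group(1).lower() if mac else None,
            "ends": datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
                    if ends else None,
            "state": state.group(1) if state else None,
            "hostname": host.group(1) if host else None,
        }
    return leases


def active_leases(leases, now):
    """Leases whose binding state is active and which have not expired at 'now'."""
    return {ip: r for ip, r in leases.items()
            if r["state"] == "active" and (r["ends"] is None or r["ends"] > now)}


def unknown_active(leases, now, known_macs):
    """Addresses currently held by a MAC that is not in your declared host inventory."""
    return sorted(ip for ip, r in active_leases(leases, now).items() if r["mac"] not in known_macs)


def rejected_discovers(syslog):
    """Count DHCPDISCOVERs answered with 'no free leases' per MAC (what deny unknown-clients produces)."""
    counts = {}
    for m in re.finditer(r"DHCPDISCOVER from ([0-9a-f:]{17}) .*no free leases", syslog, re.I):
        mac = m.group(1).lower()
        counts[mac] = counts.get(mac, 0) + 1
    return counts


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    print("active:", sorted(active_leases(leases, SAMPLE_NOW)))
    print("leased to unknown MACs:", unknown_active(leases, SAMPLE_NOW, KNOWN_MACS))
    print("refused discovers:", rejected_discovers(SAMPLE_SYSLOG))
```

Run it against your real files by replacing the two sample strings with the contents of the leases file and of the syslog (or the local7 log file if you redirected dhcpd there); a MAC that shows up in unknown_active() means a host block exists that is not in your inventory, and a MAC with many refused discovers is a device on the LAN that you never declared.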


Manage service

You can start / restart service using:

service isc-dhcp-server start|restart|stop

OR

/etc/init.d/isc-dhcp-server restart


You can check the status using:

ps aux | grep dhcp
netstat -uap | grep dhcp



Add new host

Every time you add a new host you have to:

Edit the configuration file:

vim /etc/dhcp/dhcpd.conf


Add the new host at the end of the file:

host myNewHost {
  hardware ethernet 00:0e:af:31:d1:cc;
  fixed-address 172.16.50.60;
  option host-name "myNewHost";
}

==> Don't forget that the given IP address must match the DNS server declaration!



Restart the DHCP server:

/etc/init.d/isc-dhcp-server restart
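As an added example, not part of the original page, the following Python script checks a dhcpd.conf for the mistakes that the static-host procedure above and the earlier static IP configuration invite before you restart the server: a malformed MAC address, a fixed-address outside the declared subnet, a MAC or address used by two host blocks, and a fixed address that also sits inside a dynamic range (the hint given in the advanced configuration). The sample configuration is constructed for this example and deliberately contains each mistake; check_conf, find_blocks and strip_comments are names chosen here, not part of ISC dhcpd.

```python
import ipaddress
import re

# Constructed sample in the style of this page's dhcpd.conf examples (not the page's own file).
SAMPLE_CONF = """\
deny unknown-clients;

subnet 172.16.50.0 netmask 255.255.255.0 {
  range 172.16.50.10 172.16.50.100;
  range 172.16.50.150 172.16.50.200;
  option routers 172.16.50.254;
}

host web {
  hardware ethernet 00:02:0d:31:d1:cc;
  fixed-address 172.16.50.3;
  option host-name "web";
}
host laptop {
  hardware ethernet 00:0e:af:31:d1:cc;
  fixed-address 172.16.50.60;          # inside the 10-100 dynamic pool
}
host myNewHost {
  hardware ethernet 00:0e:af:31:d1:cc; # same MAC as "laptop"
  fixed-address 172.16.50.60;          # same IP as "laptop"
}
host badmac {
  hardware ethernet DD:GH:DF:E5:F7:D7; # not hexadecimal
  fixed-address 10.0.0.9;              # outside the declared subnet
}
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def strip_comments(text):
    """Drop '#' comments so braces or MACs inside them cannot confuse the scanner."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def find_blocks(text, keyword):
    """Yield (header, body) for each 'keyword <header> { ... }' block, matching braces by depth
    so that host blocks nested inside a subnet block are found as well."""
    opener = re.compile(r"\b" + keyword + r"\b([^{;]*)\{")
    for m in opener.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]


def check_conf(text):
    """Return a list of findings (strings); an empty list means the file passed every check."""
    text = strip_comments(text)
    findings, subnets, pools = [], [], []

    for header, body in find_blocks(text, "subnet"):
        addr, _, mask = header.split()[:3]          # '172.16.50.0 netmask 255.255.255.0'
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        subnets.append(net)
        for lo, hi in re.findall(r"\brange\s+(\S+)\s+(\S+)\s*;", body):
            lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            if lo_a not in net or hi_a not in net:
                findings.append(f"range {lo}-{hi} is outside subnet {net}")
            pools.append((lo_a, hi_a))

    seen_mac, seen_ip = {}, {}
    for header, body in find_blocks(text, "host"):
        name = header.split()[0]
        mac_m = re.search(r"hardware\s+ethernet\s+([^;\s]+)\s*;", body)
        ip_m = re.search(r"fixed-address\s+([^;\s]+)\s*;", body)
        if not mac_m or not MAC_RE.match(mac_m.group(1)):
            findings.append(f"host {name}: missing or malformed MAC address")
        else:
            mac = mac_m.group(1).lower()
            if mac in seen_mac:
                findings.append(f"host {name}: duplicate MAC {mac} (also used by {seen_mac[mac]})")
            seen_mac.setdefault(mac, name)
        if not ip_m:
            findings.append(f"host {name}: no fixed-address")
            continue
        ip = ipaddress.ip_address(ip_m.group(1))
        if ip in seen_ip:
            findings.append(f"host {name}: duplicate fixed-address {ip} (also used by {seen_ip[ip]})")
        seen_ip.setdefault(ip, name)
        if subnets and not any(ip in net for net in subnets):
            findings.append(f"host {name}: fixed-address {ip} is outside every declared subnet")
        if any(lo <= ip <= hi for lo, hi in pools):
            findings.append(f"host {name}: fixed-address {ip} overlaps a dynamic range")
    return findings


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF):
        print(finding)
```

Feed it the text of /etc/dhcp/dhcpd.conf (for example with open(...).read()) and only restart the service when the list comes back empty; dhcpd itself will refuse to start on the malformed MAC, but a duplicated address or a fixed address inside a pool is accepted silently and only shows up later as two machines fighting over one IP.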


NetBoot

To setup the netboot, see NetBoot server.