(12 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
| + | [[Category:Linux]] |
| + | |
| Dynamic Host Configuration Protocol. | | Dynamic Host Configuration Protocol. |
| | | |
Line 22: |
Line 24: |
| However, '''the DHCP server's IP @ must always be static!!''' | | However, '''the DHCP server's IP @ must always be static!!''' |
| | | |
| + | |
| + | If you want to use a DNS, then you can even setup the DNS server first. See [[DNS server]] |
| + | |
| + | |
| | | |
| | | |
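Review bot: the added sentence "you can even setup the DNS server first" gives no reason for the ordering; since dhcpd.conf hands clients their resolver through option domain-name-servers, the DNS server needs a fixed address before the DHCP configuration is written, which is the same reason the line above insists that the DHCP server's own address be static. Suggest "If you want to use a DNS server, set it up first so that its static address can be given in option domain-name-servers; see [[DNS server]]" ("setup" is the noun, the verb is "set up").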
Line 48: |
Line 54: |
| | | |
| | | |
− | =Configuration= | + | =Security= |
| | | |
| + | See [[Firewall INPUT filters#DHCP|Firewall rules for DHCP server]] |
| | | |
− | The main configuration file is '''/etc/dhcp/dhcpd.conf'''
| |
| | | |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/dhcp/dhcpd.conf
| |
− | </syntaxhighlight>
| |
| | | |
| | | |
− | You can adjust the interface the server is listening on in /etc/dhcp/dhcp3-server
| + | =Configuration= |
− | INTERFACES="eth0 eth1"
| |
| | | |
| | | |
− | ==Random IP assignation== | + | ==Configuration file== |
| | | |
− | The following configuration will accept all clients and give them a random IP @. | + | The main configuration file is '''/etc/dhcp/dhcpd.conf''' |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | # Sample /etc/dhcpd.conf
| + | vim /etc/dhcp/dhcpd.conf |
− | # (add your comments here)
| |
− | default-lease-time 600;
| |
− | max-lease-time 7200;
| |
− | option subnet-mask 255.255.255.0;
| |
− | option broadcast-address 192.168.100.255;
| |
− | option routers 192.168.100.254;
| |
− | option domain-name-servers 192.168.100.1, 192.168.100.2;
| |
− | option domain-name "mydomain.lan";
| |
− | option ntp-servers 192.168.100.254;
| |
− | | |
− | subnet 192.168.100.0 netmask 255.255.255.0 {
| |
− | range 192.168.100.10 192.168.100.100;
| |
− | range 192.168.100.150 192.168.100.200;
| |
− | }
| |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
− | You have to adjust:
| |
− | * Network parameters - instead of 192.168.100.*
| |
− | * DHCP range(s). In the given example there are 2 ranges from 10-100 and 150-200
| |
| | | |
| + | You can adjust the interface the server is listening on in /etc/dhcp/dhcp3-server |
| + | INTERFACES="eth0 eth1" |
| | | |
| | | |
− | ==Static IP @== | + | ==Assign IP== |
− | | |
− | This new configuration will ONLY accept known clients and give them a static IP @.
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | # Sample /etc/dhcpd.conf
| |
− | # (add your comments here)
| |
− | default-lease-time 600;
| |
− | max-lease-time 7200;
| |
− | option subnet-mask 255.255.255.0;
| |
− | option broadcast-address 192.168.100.255;
| |
− | option routers 192.168.100.254;
| |
− | option domain-name-servers 192.168.100.1, 192.168.100.2;
| |
− | option domain-name "mydomain.lan";
| |
− | option ntp-servers 192.168.100.254;
| |
− | | |
− | deny unknown-clients;
| |
− | | |
− | subnet 192.168.100.0 netmask 255.255.255.0 {
| |
− | host client1 {
| |
− | hardware ethernet DD:GH:DF:E5:F7:D7;
| |
− | fixed-address 192.168.100.20;
| |
− | }
| |
− | host client2 {
| |
− | hardware ethernet 00:JJ:YU:38:AC:45;
| |
− | fixed-address 192.168.100.21;
| |
− | }
| |
− | }
| |
− | | |
− | </syntaxhighlight>
| |
− | | |
− | Note:
| |
− | | |
− | The ''deny unknown-clients;'' command is why only known clients are accepted.
| |
− | | |
− | | |
− | For each client you have to adjust:
| |
− | * MAC @
| |
− | * Set a specific static IP @
| |
− | | |
− | | |
− | ==Advanced configuration (name + netboot)==
| |
− | | |
− | In the following scenario you will configure the server to accept only specific clients, use static IP @ and set names.
| |
− | | |
− | This configuration also allow NetBoot using PXE technology.
| |
− | | |
− | | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | #### General options ####
| |
− | | |
− | ## Domain settings
| |
− | # domain name
| |
− | option domain-name "myDomain.lan";
| |
− | # DNS IP @ (replace it by your IP server, Google DNS or your ISP DNS)
| |
− | option domain-name-servers XXX.XXX.XXX.XXX, YYY.YYY.YYY.YYY;
| |
− | # DNS update system (disable)
| |
− | ddns-update-style none;
| |
− | | |
− | ## IP lease settings
| |
− | default-lease-time 7200;
| |
− | max-lease-time 86400;
| |
− | | |
− | ## Network settings
| |
− | # DHCP server name
| |
− | server-name "dns.myDomain.lan";
| |
− | # Authoritative server = this is the official DHCP server for the local network
| |
− | authoritative;
| |
− | # Subnet-mask
| |
− | option subnet-mask 255.255.255.0;
| |
− | | |
− | | |
− | ## Security
| |
− | # Do not allow unknown clients
| |
− | deny unknown-clients;
| |
− | # Do not forward DHCP request from this server to another one using a different Network Interface
| |
− | option ip-forwarding off;
| |
− | | |
− | # Use this to send dhcp log messages to a different log file
| |
− | # you also have to hack syslog.conf to complete the redirection
| |
− | log-facility local7;
| |
− | | |
− | ### NetBoot PXE
| |
− | # Enable network boot using TFTP
| |
− | allow bootp;
| |
− | allow booting;
| |
− | | |
− | | |
− | ## Available networks
| |
− | | |
− | # Your server can manage many network. Just add new subnet{} instruction
| |
− | | |
− | # Main LAN
| |
− | subnet 192.168.100.0 netmask 255.255.255.0 {
| |
− | #### Overall settings
| |
− | # You can override the default domain set earlier
| |
− | option domain-name "myDomain.lan";
| |
− | # Broadcast address
| |
− | option broadcast-address 192.168.100.255;
| |
− | # Default gateway
| |
− | option routers 192.168.100.1;
| |
− | # Set the NTP (time server) to use
| |
− | option ntp-servers 192.168.100.1;
| |
− | | |
− | | |
− | #### DHCP range
| |
− | # Hint: if the range has only 1 address, and this is a bail (fixed address), then the range won't be used!
| |
− | range 192.168.100.5 192.168.100.5;
| |
− | | |
− | #### NETBOOT settings
| |
− | # PXE file to serve.
| |
− | # >> elilo.efi => for ia64 clients;
| |
− | # >> pxelinux.0 => for x86
| |
− | # These files should be at the root of your TFTP server
| |
− | # Note: The file name can be add in the "host" section too. Then, the "host" will override the current setting
| |
− | filename "pxelinux.0";
| |
− | # set the server that serve this NETBOOT file
| |
− | next-server 192.168.100.2;
| |
− | # Ensure that the new client (the one boot) is not stealing someone else IP @
| |
− | ping-check = 1;
| |
− | }
| |
− | | |
− | #### Managed host and fixed IP @
| |
− | # FTP server
| |
− | host ftp {
| |
− | hardware ethernet 00:0f:75:af:eb:44;
| |
− | fixed-address 192.168.100.2;
| |
− | | |
− | ### NetBoot PXE settings
| |
− | # dedicated file for the current machine:
| |
− | #filename "debian-installer/ia64/elilo.efi";
| |
− | # Set the TFTP server
| |
− | #next-server 192.168.100.2;
| |
− | }
| |
− | # WEB server
| |
− | host web {
| |
− | hardware ethernet 00:02:0d:31:d1:cc;
| |
− | fixed-address 192.168.100.3;
| |
− | }
| |
− | # EMAIL server
| |
− | host mail {
| |
− | hardware ethernet 00:02:55:d2:d1:cc;
| |
− | fixed-address 192.168.100.4;
| |
− | }
| |
− | # LAPTOP workstation
| |
− | host laptop {
| |
− | hardware ethernet 00:0e:af:31:d1:cc;
| |
− | fixed-address 192.168.100.5;
| |
− | }
| |
− | </syntaxhighlight>
| |
− | | |
− | ==Logs==
| |
− | | |
− | Logs are in '''/var/log/syslog'''
| |
− | | |
− | | |
− | | |
− | ==Leases==
| |
− | | |
− | All DHCP leases are available in:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim /var/lib/dhcp3/dhcpd.leases
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | ==Manage service==
| |
− | | |
− | | |
− | You can start / restart service using:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | service isc-dhcp-server start|restart|stop
| |
− | </syntaxhighlight>
| |
− | | |
− | OR
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | /etc/init.d/isc-dhcp-server restart
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | You can check the status using:
| |
− | <syntaxhighlight lang="bash">
| |
− | ps aux | grep dhcp
| |
− | netstat -uap | grep dhcp
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | =NetBoot using PXE and TFTP=
| |
− | | |
− | | |
− | Reminder:
| |
− | | |
− | TFTP is NOT secure at all. You should only use it into your internal network !!
| |
− | | |
− | => Don't forget to adjust your firewall rules
| |
− | | |
− | | |
− | | |
− | ==Installation==
| |
− | | |
− | '''Trivial FTP (TFTP) client'''
| |
− | <syntaxhighlight lang="bash">
| |
− | apt-get install tftp-hpa
| |
− | </syntaxhighlight>
| |
− | | |
− | '''Trivial FTP (TFTP) server'''
| |
− | <syntaxhighlight lang="bash">
| |
− | apt-get install tftpd-hpa
| |
− | </syntaxhighlight>
| |
− | | |
− | '''SysLinux [netboot utilities]'''
| |
− | <syntaxhighlight lang="bash">
| |
− | apt-get install syslinux mtools initramfs-tools
| |
− | </syntaxhighlight>
| |
− | | |
− | '''NFS support'''
| |
− | <syntaxhighlight lang="bash">
| |
− | apt-get install nfs-kernel-server nfs-common
| |
− | </syntaxhighlight>
| |
− | | |
− | '''Debootstrap (manage netboot image)'''
| |
− | <syntaxhighlight lang="bash">
| |
− | apt-get install debootstrap
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ==Configuration==
| |
− | | |
− | | |
− | ===TFTP configuration===
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/default/tftpd-hpa
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | The TFTP server files, = the files that will be used by the TFTP clients, are in the "TFTP_DIRECTORY" instruction.
| |
− | | |
− | By default ''tftpd-hpa'' uses '''/var/lib/tftpboot'''
| |
− | | |
− | !! You should not change the default user or port number if you plan to use NetBoot !!
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | service tftpd-hpa restart
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ===Firewall configuration===
| |
− | | |
− | Adjust your firewall script and add the following rules:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | IPTABLES=`which iptables`
| |
− | LAN_ADDRESS="172.16.50.0/24"
| |
− | | |
− | $IPTABLES -A INPUT -p udp -s $LAN_ADDRESS --dport 69 -j ACCEPT
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | ===Test the server===
| |
− | | |
− | 1. Create a file on the server
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim /var/lib/tftpboot/hello.txt
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | 2. Connect to the server
| |
− | | |
− | Install TFTP client:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | apt-get install tftp-hpa
| |
− | </syntaxhighlight>
| |
− | | |
− | Connect to the server and get file:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | tftp 192.168.1.156
| |
− | get hello.txt
| |
− | quit
| |
− | </syntaxhighlight>
| |
| | | |
| + | You can assign dynamic and / or static IP, you can also you NetBoot settings. |
| | | |
− | Check the received file:
| + | See: |
− | | + | * [[DHCP dynamic IP assignation]] |
− | <syntaxhighlight lang="bash">
| + | * [[DHCP static IP assignation]] |
− | cat hello.txt
| + | * [[DHCP netboot configuration]] |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | ==Management==
| |
− | | |
− | Just use the "service" command:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | service tftpd-hpa {status|restart|start|stop}
| |
− | </syntaxhighlight>
| |
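Review bot: the new =Security= section holds only a link to firewall rules, while the security-relevant directives of the removed configuration (deny unknown-clients; , authoritative; , ping-check = 1; and the reminder that "TFTP is NOT secure at all" and belongs only on the internal network) no longer appear on this page; confirm they survive in [[DHCP static IP assignation]] and [[DHCP netboot configuration]], or keep a one-line summary under =Security= so a reader who stops here still sees that the server should reject unknown clients and that TFTP must stay behind the firewall. Two smaller points: the added line "You can assign dynamic and / or static IP, you can also you NetBoot settings." should read "you can also use NetBoot settings", and the re-added note "You can adjust the interface the server is listening on in /etc/dhcp/dhcp3-server" keeps the old dhcp3-server path although the page's own service commands use isc-dhcp-server (on current Debian-based systems the INTERFACES setting lives in /etc/default/isc-dhcp-server), so verify the path; the INTERFACES="eth0 eth1" line would also read better inside a syntaxhighlight block like the vim line above it.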