Difference between revisions of "DHCP server installation"

(NetBoot using PXE and TFTP)
Line 289: Line 289:
 
TFTP is NOT secure at all. You should only use it into your internal network !!
 
TFTP is NOT secure at all. You should only use it into your internal network !!
  
Adjust your firewall rules.
+
=> Don't forget to adjust your firewall rules
  
  
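Review bot: the reminder added in this hunk ("=> Don't forget to adjust your firewall rules") does not say what to allow; the page's own Firewall configuration section opens UDP port 69 from the LAN only, so pointing the reminder at that section, or quoting the rule `$IPTABLES -A INPUT -p udp -s $LAN_ADDRESS --dport 69 -j ACCEPT`, would make it actionable.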
Line 337: Line 337:
 
!! You should not change the default user or port number if you plan to use NetBoot !!
 
!! You should not change the default user or port number if you plan to use NetBoot !!
  
 +
<syntaxhighlight lang="bash">
 +
service tftpd-hpa restart
 +
</syntaxhighlight>
  
  
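Review bot: the `service tftpd-hpa restart` command is inserted with no lead-in sentence; add something like "Apply the change with:" so readers know it follows editing /etc/default/tftpd-hpa, and keep it right after the warning about not changing the user or port, since the restart is where a mistaken TFTP_DIRECTORY, user or port first shows up.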
Line 353: Line 356:
  
 
===Test the server===
 
===Test the server===
Now tftp server is up and running
 
  
Testing the tftp server
+
1. Create a file on the server  
 +
 
 +
<syntaxhighlight lang="bash">
 +
vim /var/lib/tftpboot/hello.txt
 +
</syntaxhighlight>
  
Create a file named hello.txt with some content in /tftpboot path of the tftp server
 
  
ls -l /tftpboot/
+
 
total 4
+
2. Connect to the server
-rw-rw-r-- 1 ganesh ganesh 0 Sep 4 12:38 hello.txt
+
 
 +
Install TFTP client:
 +
 
 +
<syntaxhighlight lang="bash">
 +
apt-get install tftp-hpa
 +
</syntaxhighlight>
 +
 
 +
Connect to the server and get file:
 +
 
 +
<syntaxhighlight lang="bash">
 +
tftp 192.168.1.156
 +
get hello.txt
 +
quit
 +
</syntaxhighlight>
 +
 
 +
 
 +
Check the received file:
 +
 
 +
<syntaxhighlight lang="bash">
 +
cat hello.txt
 +
</syntaxhighlight>
 +
 
  
  
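Review bot: replacing /tftpboot with /var/lib/tftpboot is right (it matches the TFTP_DIRECTORY default stated earlier on the page), but the `ls -l /tftpboot/` listing that was dropped was the only check that the file exists before the client test; keep an `ls -l /var/lib/tftpboot/` step. Also, `tftp 192.168.1.156` uses an address from a third subnet (the DHCP examples use 192.168.100.0/24 and the firewall rule 172.16.50.0/24); one consistent placeholder for the TFTP server address would avoid readers opening the firewall for the wrong network.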

Revision as of 11:21, 22 May 2014

Dynamic Host Configuration Protocol.


Note:

Since Ubuntu 11.10 the DHCP3-server is available in the "isc-dhcp-server" package.


Sources

You can find more information about that topic over here:


Requirement

A DHCP server can provide static or dynamic addresses.

However, the DHCP server's own IP address must always be static!!


Installation

DHCP server

apt-get install isc-dhcp-server


You will be asked a few questions:

  • On what network interfaces should the DHCP server listen? <-- eth0
  • Please configure the DHCP server as soon as the installation finishes. <-- Ok
  • The version 3 DHCP server is now non-authoritative by default <-- Ok


At the end of the installation you will see errors like these:

  • Generating /etc/default/dhcp3-server...
  • Starting DHCP server: dhcpd3 failed to start - check syslog for diagnostics.
  • invoke-rc.d: initscript dhcp3-server, action "start" failed.

That's OK: the server cannot start yet because we have not configured it.


Configuration

The main configuration file is /etc/dhcp/dhcpd.conf

vim /etc/dhcp/dhcpd.conf


You can adjust the interface(s) the server listens on in /etc/dhcp/dhcp3-server:

INTERFACES="eth0 eth1"


Dynamic IP assignment

The following configuration accepts all clients and assigns each one a free IP address from the ranges below.

# Sample /etc/dhcpd.conf
# (add your comments here) 
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.100.255;
option routers 192.168.100.254;
option domain-name-servers 192.168.100.1, 192.168.100.2;
option domain-name "mydomain.lan";
option ntp-servers 192.168.100.254;

subnet 192.168.100.0 netmask 255.255.255.0 {
  range 192.168.100.10 192.168.100.100;
  range 192.168.100.150 192.168.100.200;
}

You have to adjust:

  • Network parameters: replace 192.168.100.* with your own subnet
  • DHCP range(s): the example above defines two ranges, 10-100 and 150-200


Static IP addresses

This configuration will ONLY accept known clients and give each of them a fixed IP address.

# Sample /etc/dhcpd.conf
# (add your comments here) 
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.100.255;
option routers 192.168.100.254;
option domain-name-servers 192.168.100.1, 192.168.100.2;
option domain-name "mydomain.lan";
option ntp-servers 192.168.100.254;

deny unknown-clients;

subnet 192.168.100.0 netmask 255.255.255.0 {
    host client1 {
        hardware ethernet 00:11:22:33:44:55;   # placeholder: replace with client1's real MAC address
        fixed-address 192.168.100.20;
    }
    host client2 {
        hardware ethernet 00:11:22:33:44:66;   # placeholder: replace with client2's real MAC address
        fixed-address 192.168.100.21;
    }
}

Note:

The deny unknown-clients; statement is what restricts the server to known clients, i.e. those declared in a host {} block.


For each client you have to adjust:

  • the MAC address (hardware ethernet)
  • the static IP address to assign (fixed-address)


Advanced configuration (name + netboot)

In the following scenario you will configure the server to accept only specific clients, give them static IP addresses and set their names.

This configuration also allows NetBoot using PXE.


#### General options ####

## Domain settings
# domain name
option domain-name "myDomain.lan";
# DNS server addresses (replace with your own DNS server, Google DNS or your ISP's DNS)
option domain-name-servers XXX.XXX.XXX.XXX, YYY.YYY.YYY.YYY;
# DNS update system (disable)
ddns-update-style none;

## IP lease settings
default-lease-time 7200;
max-lease-time 86400;

## Network settings
# DHCP server name
server-name "dns.myDomain.lan";
# Authoritative server = this is the official DHCP server for the local network
authoritative;
# Subnet-mask
option subnet-mask 255.255.255.0;


## Security
# Do not serve unknown clients (only the hosts declared below get a lease)
deny unknown-clients;
# DHCP option 19 sent to clients: tell them not to act as IP routers
# (this does not affect relaying between the server's own interfaces)
option ip-forwarding off;

# Use this to send dhcp log messages to a different log file
# (you also have to adjust syslog.conf to complete the redirection)
log-facility local7;

### NetBoot PXE
# Enable network boot using TFTP 
allow bootp;
allow booting;


## Available networks

# Your server can manage several networks: add one subnet {} block per network

# Main LAN
subnet 192.168.100.0 netmask 255.255.255.0 {
  #### Overall settings
  # You can override the default domain set earlier
  option domain-name "myDomain.lan";
  # Broadcast address
  option broadcast-address 192.168.100.255;
  # Default gateway
  option routers 192.168.100.1;
  # Set the NTP (time server) to use
  option ntp-servers 192.168.100.1;


  #### DHCP range
  # Hint: if the range holds only one address and that address is also a fixed-address
  # (here 192.168.100.5, host "laptop" below), the range won't be used!
  range 192.168.100.5 192.168.100.5;

  #### NETBOOT settings
  # PXE boot file to serve:
  #   >> elilo.efi   => for ia64 clients
  #   >> pxelinux.0  => for x86 clients
  # These files must be at the root of your TFTP server.
  # Note: "filename" can also be set in a "host" block; the host setting then overrides this one.
  filename "pxelinux.0";
  # TFTP server that serves the NETBOOT file
  next-server 192.168.100.2;
  # Ping an address before offering it, so a booting client does not steal someone else's IP address
  ping-check true;
}

#### Managed hosts and fixed IP addresses
# FTP server
host ftp {
  hardware ethernet 00:0f:75:af:eb:44;
  fixed-address 192.168.100.2;

  ### NetBoot PXE settings
  # dedicated file for the current machine:
  #filename "debian-installer/ia64/elilo.efi";
  # Set the TFTP server
  #next-server 192.168.100.2;
} 
# WEB server
host web {
  hardware ethernet 00:02:0d:31:d1:cc;
  fixed-address 192.168.100.3;
}
# EMAIL server
host mail {
  hardware ethernet 00:02:55:d2:d1:cc;
  fixed-address 192.168.100.4;
}
# LAPTOP workstation
host laptop {
  hardware ethernet 00:0e:af:31:d1:cc;
  fixed-address 192.168.100.5;
}
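To catch these adjustments before restarting dhcpd, here is an added example (not from the original page) that lints a dhcpd.conf fragment offline for the two pitfalls the page mentions: invalid MAC placeholders in the static-address section above, and a fixed-address falling inside a range (the hint in the DHCP range block). It assumes only the directive syntax shown on the page; the two sample configurations inside it are constructed from the page's own examples.

```python
"""Offline lint for the dhcpd.conf patterns shown on this page (added example).

Checks three things dhcpd itself only reports at start-up, or not at all:
  * every `hardware ethernet` value is a real 6-octet hex MAC (a placeholder
    such as DD:GH:DF:E5:F7:D7 makes dhcpd refuse the whole file);
  * `deny unknown-clients;` is present when a known-hosts-only server is intended;
  * no `fixed-address` sits inside a dynamic `range`.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}$")
HW_RE = re.compile(r"hardware\s+ethernet\s+([^;]+);")
FIXED_RE = re.compile(r"fixed-address\s+([^;]+);")
RANGE_RE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?(\S+?)(?:\s+(\S+?))?\s*;")
DENY_RE = re.compile(r"\bdeny\s+unknown-clients\s*;")

# Constructed samples, modelled on the page's "Static IP" and "Advanced" configurations.
STATIC_CONF = """\
deny unknown-clients;
subnet 192.168.100.0 netmask 255.255.255.0 {
    host client1 {
        hardware ethernet DD:GH:DF:E5:F7:D7;   # placeholder left in by mistake
        fixed-address 192.168.100.20;
    }
    host client2 {
        hardware ethernet 00:11:22:33:44:66;
        fixed-address 192.168.100.21;
    }
}
"""
NETBOOT_CONF = """\
authoritative;
subnet 192.168.100.0 netmask 255.255.255.0 {
  range 192.168.100.5 192.168.100.5;
  filename "pxelinux.0";
  next-server 192.168.100.2;
}
host laptop {
  hardware ethernet 00:0e:af:31:d1:cc;
  fixed-address 192.168.100.5;
}
"""


def strip_comments(text):
    """Drop '#' comments so commented-out directives are not linted."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_ranges(src):
    """Return [(low_ip, high_ip)] for every range statement (single-address ranges included)."""
    ranges = []
    for low, high in RANGE_RE.findall(src):
        low_ip = ipaddress.ip_address(low)
        high_ip = ipaddress.ip_address(high) if high else low_ip
        ranges.append((low_ip, high_ip))
    return ranges


def lint_dhcpd_conf(text, require_known_only=True):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    src = strip_comments(text)
    findings = []
    for mac in HW_RE.findall(src):
        mac = mac.strip()
        if not MAC_RE.match(mac):
            findings.append(f"invalid MAC address: {mac}")
    if require_known_only and not DENY_RE.search(src):
        findings.append("deny unknown-clients; is missing: any client will receive a lease")
    ranges = parse_ranges(src)
    for value in FIXED_RE.findall(src):
        try:
            ip = ipaddress.ip_address(value.strip())
        except ValueError:
            continue  # fixed-address may also be a hostname; those are not range-checked here
        for low_ip, high_ip in ranges:
            if low_ip <= ip <= high_ip:
                findings.append(f"fixed-address {ip} lies inside dynamic range {low_ip}-{high_ip}")
    return findings


if __name__ == "__main__":
    for name, conf in (("static", STATIC_CONF), ("netboot", NETBOOT_CONF)):
        print(name, lint_dhcpd_conf(conf))
```

Run it against the real file with `lint_dhcpd_conf(open("/etc/dhcp/dhcpd.conf").read())` before `service isc-dhcp-server restart`; `dhcpd -t` still has the final word on syntax, but this catches the logical mistakes it does not flag.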

Logs

Logs are in /var/log/syslog


Leases

All DHCP leases are available in:

vim /var/lib/dhcp3/dhcpd.leases
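An added example (not part of the original page) that reads a dhcpd.leases file in the format ISC dhcpd writes, lists the active leases, and flags any lease issued to a MAC address that has no host entry. With deny unknown-clients; in force such a lease should not exist, so this is a cheap check for configuration drift or a second DHCP server answering on the LAN. The lease text and the set of known MACs are constructed inline from the page's host examples; the parser assumes lease blocks contain no braces inside quoted strings.

```python
"""Parse dhcpd.leases and report active leases handed to undeclared MACs (added example)."""
import re

# dhcpd appends a new block every time a lease changes; the last block for an IP is current.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
FIELD_RES = {
    # "^" keeps "next binding state ..." from matching as the current state
    "state": re.compile(r"^\s*binding state\s+(\S+);", re.MULTILINE),
    "mac": re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);"),
    "hostname": re.compile(r'client-hostname\s+"([^"]*)";'),
    "ends": re.compile(r"ends\s+([^;]+);"),
}

# Constructed sample: .37 was leased to the page's laptop MAC and later released,
# .38 is held by a MAC with no host entry, .39 by the page's web server MAC.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.100.37 {
  starts 4 2014/05/22 09:00:00;
  ends 4 2014/05/22 11:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:0e:af:31:d1:cc;
  client-hostname "laptop";
}
lease 192.168.100.38 {
  starts 4 2014/05/22 09:05:00;
  ends 4 2014/05/22 11:05:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:aa:bb:cc:dd:ee;
  client-hostname "unknown-laptop";
}
lease 192.168.100.39 {
  starts 4 2014/05/22 09:10:00;
  ends 4 2014/05/22 11:10:00;
  binding state active;
  hardware ethernet 00:02:0d:31:d1:cc;
  client-hostname "web";
}
lease 192.168.100.37 {
  starts 4 2014/05/22 09:00:00;
  ends 4 2014/05/22 09:30:00;
  binding state free;
  hardware ethernet 00:0e:af:31:d1:cc;
}
"""
# MACs of the host {} entries in the page's advanced configuration.
KNOWN_MACS = {"00:0f:75:af:eb:44", "00:02:0d:31:d1:cc", "00:02:55:d2:d1:cc", "00:0e:af:31:d1:cc"}


def parse_leases(text):
    """Return {ip: {state, mac, hostname, ends}}, keeping only the newest block per IP."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        entry = {}
        for key, rx in FIELD_RES.items():
            m = rx.search(body)
            entry[key] = m.group(1) if m else None
        if entry["mac"]:
            entry["mac"] = entry["mac"].lower()
        leases[ip] = entry  # later blocks win
    return leases


def active_leases(text):
    return {ip: e for ip, e in parse_leases(text).items() if e["state"] == "active"}


def unexpected_clients(text, known_macs):
    """IPs of active leases whose MAC is not among the declared host MACs."""
    known = {m.lower() for m in known_macs}
    return sorted(ip for ip, e in active_leases(text).items() if e["mac"] not in known)


if __name__ == "__main__":
    for ip, e in active_leases(SAMPLE_LEASES).items():
        print(ip, e["mac"], e["hostname"], "until", e["ends"])
    print("unexpected:", unexpected_clients(SAMPLE_LEASES, KNOWN_MACS))
```

On the server, feed it `open("/var/lib/dhcp3/dhcpd.leases").read()` and the MACs extracted from your dhcpd.conf; run it from cron and alert on a non-empty result.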


Manage service

You can start / restart service using:

service isc-dhcp-server start|restart|stop

OR

/etc/init.d/isc-dhcp-server restart


You can check the status using:

ps aux | grep dhcp
netstat -uap | grep dhcp


NetBoot using PXE and TFTP

Reminder:

TFTP is NOT secure at all (no authentication, no encryption). You should only use it on your internal network!!

=> Don't forget to adjust your firewall rules (see the Firewall configuration section below)


Installation

Trivial FTP (TFTP) client

apt-get install tftp-hpa

Trivial FTP (TFTP) server

apt-get install tftpd-hpa

SysLinux [netboot utilities]

apt-get install syslinux mtools initramfs-tools

NFS support

apt-get install nfs-kernel-server nfs-common

Debootstrap (manage netboot image)

apt-get install debootstrap


Configuration

TFTP configuration

vim /etc/default/tftpd-hpa


The directory served to TFTP clients (the only files they can fetch) is set by the TFTP_DIRECTORY variable.

By default tftpd-hpa uses /var/lib/tftpboot.

!! You should not change the default user or port number if you plan to use NetBoot !!

service tftpd-hpa restart


Firewall configuration

Adjust your firewall script and add the following rule. It opens TFTP (UDP port 69) to hosts on your LAN only, which is the point of the reminder above:

IPTABLES=`which iptables`
LAN_ADDRESS="172.16.50.0/24"

# accept TFTP requests (UDP/69) from the LAN only; everything else keeps the default policy
$IPTABLES -A INPUT -p udp -s $LAN_ADDRESS --dport 69 -j ACCEPT


Test the server

1. Create a file on the server

vim /var/lib/tftpboot/hello.txt


2. Connect to the server

Install TFTP client:

apt-get install tftp-hpa

Connect to the server and get file:

tftp 192.168.1.156
get hello.txt
quit


Check the received file:

cat hello.txt
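To see what the get above actually sends on the wire, and why the page's firewall warning matters, here is an added example (not the page's or tftpd-hpa's code) implementing the RRQ/DATA/ACK/ERROR exchange of RFC 1350 on localhost. The server side confines every request to its root directory (standing in for tftpd-hpa's TFTP_DIRECTORY) and answers anything else with an Access violation error; the client side mirrors `tftp ... get`. The hello.txt file, the temporary root and the ephemeral port are all constructed by the script, so it runs offline.

```python
"""Minimal TFTP read (RRQ) exchange on localhost with a directory-confined server (added example).
The protocol carries no credentials: the only server-side controls are the served
directory and, outside the protocol, who can reach UDP/69."""
import os
import shutil
import socket
import struct
import tempfile
import threading

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512  # data bytes per DATA packet; a shorter block ends the transfer


def build_rrq(filename, mode="octet"):
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def safe_path(root, requested):
    """Resolve a requested name under root; None if it would escape the directory."""
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    return full if os.path.commonpath([root, full]) == root else None


def serve_one_request(listen_sock, root):
    """Answer a single RRQ: an ERROR packet, or DATA/ACK lock-step from a fresh port."""
    pkt, client = listen_sock.recvfrom(1024)
    if struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
        listen_sock.sendto(build_error(4, "Illegal TFTP operation"), client)
        return
    filename = pkt[2:].split(b"\0", 1)[0].decode(errors="replace")
    path = safe_path(root, filename)
    if path is None:
        listen_sock.sendto(build_error(2, "Access violation"), client)
        return
    if not os.path.isfile(path):
        listen_sock.sendto(build_error(1, "File not found"), client)
        return
    with open(path, "rb") as fh:
        data = fh.read()
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # new transfer ID per RFC 1350
    xfer.settimeout(2)
    block, offset = 1, 0
    try:
        while True:
            chunk = data[offset:offset + BLOCK]
            xfer.sendto(struct.pack("!HH", OP_DATA, block) + chunk, client)
            ack, _ = xfer.recvfrom(1024)
            if struct.unpack("!HH", ack[:4]) != (OP_ACK, block) or len(chunk) < BLOCK:
                return
            block, offset = block + 1, offset + BLOCK
    finally:
        xfer.close()


def tftp_get(server, filename):
    """Client side of `get`: returns (data, None) on success or (None, error_message)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(2)
    sock.sendto(build_rrq(filename), server)
    received, expected = b"", 1
    try:
        while True:
            pkt, peer = sock.recvfrom(BLOCK + 4)
            opcode, arg = struct.unpack("!HH", pkt[:4])  # arg is block number or error code
            if opcode == OP_ERROR:
                return None, pkt[4:].rstrip(b"\0").decode(errors="replace")
            if opcode != OP_DATA or arg != expected:
                continue  # duplicate or stray packet; keep waiting
            received += pkt[4:]
            sock.sendto(struct.pack("!HH", OP_ACK, arg), peer)  # ACK goes to the server's new port
            if len(pkt) - 4 < BLOCK:
                return received, None
            expected += 1
    finally:
        sock.close()


def run_demo():
    """Serve a constructed hello.txt from a temp root; fetch it, then ask for a name outside the root."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "hello.txt"), "wb") as fh:
        fh.write(b"hello from the tftp root\n")
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port instead of the real UDP/69
    srv.settimeout(5)
    server_addr = srv.getsockname()
    worker = threading.Thread(target=lambda: [serve_one_request(srv, root) for _ in range(2)])
    worker.start()
    results = {
        "hello": tftp_get(server_addr, "hello.txt"),
        "escape": tftp_get(server_addr, "../outside.txt"),
    }
    worker.join()
    srv.close()
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note that nothing in the exchange identifies the client beyond its source address, which is why the page restricts the server to the LAN with the firewall rule above rather than relying on the protocol.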


Management

Just use the "service" command:

service tftpd-hpa {status|restart|start|stop}