Wednesday, October 31, 2018

Creating a Fedora 28 Server Linux Router - Part 2

This is part 2 of my multi-part series on configuring a router using Fedora 28 Server. It is a continuation of http://techninotes.blogspot.com/2018/10/creating-fedora-28-server-linux-router.html. This article covers the following steps:
  • Configuring the Firewall
  • Installing and Configuring bind
  • Installing and Configuring DHCP

Configuring the Firewall

Enable IP Forwarding


Normally, to enable IP forwarding, you would add an entry to /etc/sysctl.conf. Fedora 28, however, replaces that file each time it starts up. Instead, add the entry to a file under /etc/sysctl.d/, in this case /etc/sysctl.d/99-sysctl.conf:

vi /etc/sysctl.d/99-sysctl.conf

Add the following line to the end to ensure IP forwarding is enabled on boot:

net.ipv4.ip_forward=1

To enable IP forwarding immediately, run the following command:

sysctl -w net.ipv4.ip_forward=1

Configure the Firewall


Before configuring the firewall, you first need to identify the names of the private and public network cards. Part 1 of this series covers this in more detail. Once you have the names, you can set up the firewall rules. In my case, I have the following setup:

eth0 - External Internet Access
eth1 - Internal Network

First, make external be the default zone:

firewall-cmd --set-default-zone external

To verify the default zone is set, run the following command:

firewall-cmd --get-default-zone

Now, assign eth1 to the internal zone:

firewall-cmd --zone=internal --change-interface eth1

To view all zone assignments, run the following command:

firewall-cmd --get-active-zones

Next, let's allow all traffic on the internal zone:

firewall-cmd --permanent --zone=internal --set-target=ACCEPT

Finally, set up masquerading on the external interface and allow forwarding between the two interfaces. These rules are what let internal IPv4 traffic reach the Internet: outbound connections from eth1 to eth0 are accepted, and only related or established reply traffic is accepted back from eth0 to eth1:

firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
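
As an added example that is not from the original post, the following Python script audits a router against the design above: it parses constructed samples of firewall-cmd --get-active-zones and firewall-cmd --permanent --direct --get-all-rules output and reports when the zone assignment, the MASQUERADE rule, or the stateful-only inbound FORWARD rule is missing. The output format of the two commands and the interface names eth0/eth1 are assumptions taken from this article; on a live router, feed the real command output to audit_router_firewall.

```python
import shlex

# Constructed sample output mirroring the article's setup (not captured from a live host).
ACTIVE_ZONES = """external
  interfaces: eth0
internal
  interfaces: eth1
"""
DIRECT_RULES = """ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
ipv4 filter FORWARD 0 -i eth1 -o eth0 -j ACCEPT
ipv4 filter FORWARD 0 -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
"""

def parse_active_zones(text):
    """Map interface -> zone from 'firewall-cmd --get-active-zones' output."""
    zones, zone = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):
            zone = line.strip()
        elif line.strip().startswith("interfaces:"):
            for iface in line.split(":", 1)[1].split():
                zones[iface] = zone
    return zones

def parse_direct_rules(text):
    """Parse '--direct --get-all-rules' lines into table, chain and iptables flag/value pairs."""
    rules = []
    for line in filter(str.strip, text.splitlines()):
        ipv, table, chain, _prio, *args = shlex.split(line)
        flags = {tok: args[i + 1] for i, tok in enumerate(args[:-1])
                 if tok.startswith("-") and not args[i + 1].startswith("-")}
        rules.append({"ipv": ipv, "table": table, "chain": chain, "flags": flags})
    return rules

def audit_router_firewall(zones_text, rules_text, wan="eth0", lan="eth1"):
    """Return findings where the config deviates from the intended design; [] if it matches."""
    zones, rules = parse_active_zones(zones_text), parse_direct_rules(rules_text)
    findings = []
    if zones.get(wan) != "external" or zones.get(lan) != "internal":
        findings.append(f"zones are {zones}, expected {wan}=external and {lan}=internal")
    if not any(r["table"] == "nat" and r["flags"].get("-o") == wan
               and r["flags"].get("-j") == "MASQUERADE" for r in rules):
        findings.append(f"no MASQUERADE rule on {wan}")
    for f in (r["flags"] for r in rules if r["chain"] == "FORWARD"):
        # An ACCEPT from the WAN side must be limited to RELATED,ESTABLISHED replies.
        if f.get("-i") == wan and f.get("-j") == "ACCEPT" and "NEW" in f.get("--state", "NEW"):
            findings.append(f"forward rule admits new connections from {wan}: {f}")
    return findings
```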

Installing and Configuring Bind


Install bind and its utilities:

dnf -y install bind bind-utils

Now, you need to update named.conf:

vi /etc/named.conf

Add your server's private IP address to the listen-on line:

listen-on port 53 { 127.0.0.1; 192.168.1.1; };

Add your private subnet to the allow-query line:

allow-query { localhost; 192.168.1.0/24; };

Add an allow-recursion statement and a forwarders entry listing the upstream DNS servers below the allow-query line:

allow-query { localhost; 192.168.1.0/24; };
allow-recursion { localhost; 192.168.1.0/24; };
forwarders { 8.8.8.8; 8.8.4.4; };

Add a forward statement under the recursion line:

recursion yes;
forward only;

Restart the service:

systemctl restart named

Set the service to start on boot:

systemctl enable named

Installing and Configuring DHCP


Install the DHCP server:

dnf -y install dhcp

Add a subnet to dhcpd.conf:

vi /etc/dhcp/dhcpd.conf

Enter the following lines:

subnet 192.168.1.0 netmask 255.255.255.0 {
    option domain-name-servers 192.168.1.1;
    option domain-name "mynet.local";
    option routers 192.168.1.1;
    range 192.168.1.100 192.168.1.245;
}

Restart the service:

systemctl restart dhcpd

Set the service to start on boot:

systemctl enable dhcpd
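
As an added example that is not part of the original post, this Python check parses the named.conf statements and the dhcpd.conf subnet block from the two sections above (embedded here as constructed samples) and verifies that the two services agree: bind listens on the address DHCP advertises as the DNS server, its allow-query and allow-recursion ACLs cover the DHCP subnet, and the lease pool stays inside the subnet without overlapping the router's own address. The parsing assumes the single-line statement layout shown in the article.

```python
import ipaddress
import re
# Constructed samples built from the fragments in the article (not copied config files).
NAMED_CONF = """
listen-on port 53 { 127.0.0.1; 192.168.1.1; };
allow-query { localhost; 192.168.1.0/24; };
allow-recursion { localhost; 192.168.1.0/24; };
forwarders { 8.8.8.8; 8.8.4.4; };
"""
DHCPD_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
    option domain-name-servers 192.168.1.1;
    option routers 192.168.1.1;
    range 192.168.1.100 192.168.1.245;
}
"""

def named_list(conf, keyword):
    """Items of a named.conf '<keyword> ... { a; b; };' statement, as strings."""
    m = re.search(re.escape(keyword) + r"[^{]*\{([^}]*)\}", conf)
    return [i.strip() for i in m.group(1).split(";") if i.strip()] if m else []

def parse_dhcp_subnet(conf):
    """Subnet, gateway, advertised DNS server and pool bounds from a dhcpd subnet block."""
    m = re.search(r"subnet (\S+) netmask (\S+) \{(.*?)\}", conf, re.S)
    body = m.group(3)
    opts = {"gw": "option routers", "dns": "option domain-name-servers"}
    out = {k: ipaddress.ip_address(re.search(v + r" (\S+);", body).group(1)) for k, v in opts.items()}
    lo, hi = re.search(r"range (\S+) (\S+);", body).groups()
    out.update(net=ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
               lo=ipaddress.ip_address(lo), hi=ipaddress.ip_address(hi))
    return out

def check_router_config(named_conf, dhcpd_conf):
    """Return mismatches between what dhcpd hands out and what bind serves; [] if they agree."""
    d = parse_dhcp_subnet(dhcpd_conf)
    problems = []
    if not all(a in d["net"] for a in (d["gw"], d["dns"], d["lo"], d["hi"])):
        problems.append("gateway, DNS server or pool bounds lie outside the DHCP subnet")
    if d["lo"] > d["hi"] or d["lo"] <= d["gw"] <= d["hi"] or d["lo"] <= d["dns"] <= d["hi"]:
        problems.append("DHCP pool is inverted or overlaps the router's own address")
    if str(d["dns"]) not in named_list(named_conf, "listen-on"):
        problems.append("bind does not listen on the DNS address handed out by DHCP")
    for acl in ("allow-query", "allow-recursion"):
        # Only CIDR/address entries count; keywords such as 'localhost' are skipped.
        nets = [ipaddress.ip_network(i, strict=False) for i in named_list(named_conf, acl) if i[0].isdigit()]
        if not any(d["net"].subnet_of(n) for n in nets):
            problems.append(f"bind {acl} does not cover the DHCP subnet")
    return problems
```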


Tuesday, October 30, 2018

Creating a Fedora 28 Server Linux Router - Part 1

Linux has some very powerful routing capabilities. It is also very performant and uses very few resources. These and countless other benefits make it an excellent choice for a router operating system. Choosing a distribution can be a challenge, however.

I have built routers using pfSense, DD-WRT, Ubuntu, Debian, and CentOS. Each of these has pros and cons. pfSense and DD-WRT have web applications that can be used to configure the router. Ubuntu and Debian are easy to get up and running quickly. CentOS has wide support. Fedora has much newer packages available, and also has wide support.

As a side note, Ubuntu is built on top of Debian. CentOS is built on top of Fedora. Debian and Fedora have been around for a very long time, and they have very large numbers of users.

After having created so many different routers, my current favorite is Fedora. It has been very predictable and stable - both are good qualities to have in a router operating system. This article will take you step-by-step through the process of building a router using Fedora.

Prerequisites


Here are my recommended prerequisites. I am just making these up based on past experiences:
  • 16 GB Hard Disk
  • 2 GB RAM
  • 2 CPU Cores
  • 2 Network Cards

Installation


Download and install Fedora Server from https://getfedora.org/en/server/. If you plan on booting from a USB drive, download the Fedora Media Writer from https://getfedora.org/en/workstation/download/. Note that although the page says Download Fedora 28 Workstation, the download link currently points to the Media Writer.


Post Installation Steps


Configure Static IP Address


Fedora 28 stores its network configuration scripts under /etc/sysconfig/network-scripts. For each network card that is detected, a script will be created with the prefix ifcfg-. For example, my computer has two network cards: eth0 and eth1. eth0 is connected to the public Internet and eth1 is connected to my private network. Two files exist called ifcfg-eth0 and ifcfg-eth1.

To configure an IP address for a given interface, open the appropriate file in a text editor. By default, it is set to use DHCP to obtain an IP address. Add the following entries:

IPADDR=192.168.1.1
PREFIX=24


Install Updates


To install all available updates, type dnf upgrade at the console.

Sunday, October 14, 2018

Ubuntu 18.04 Won't Resolve DNS

DNS Resolution Failure and Fix

I noticed after doing both fresh installations and upgrades of Ubuntu Server 18.04, DNS was either really slow, or it would not resolve at all. The symptoms were random. I searched high and low on the Internet. It took me a long time to find a solution.

By default, when installing Ubuntu, it will create a symbolic link from /etc/resolv.conf to /run/systemd/resolve/stub-resolv.conf. If DNS resolutions are failing, one solution is to remap this link. Point it to /run/systemd/resolve/resolv.conf instead. The following commands will move the link:

sudo rm /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

If you are experiencing long delays while performing DNS lookups, the previous commands should resolve the issue. To see what file your symbolic link is pointing to, run the following command:

ls -al /etc/resolv.conf

If it points to /run/systemd/resolve/resolv.conf then it should work just fine.