- Configuring the Firewall
- Installing and Configuring bind
- Installing and Configuring
Configuring the Firewall
Enable IP Forwarding
Normally, to enable IP forwarding, you would add an entry to /etc/sysctl.conf. With Fedora 28, however, it replaces that file each time it starts up. Instead, it is necessary to add the entry to a file in the /etc/sysctl.d/99-sysctl.conf:
vi /etc/sysctl.d/99-sysctl.conf
Add the following line to the end to ensure IP forwarding is enabled on boot:
net.ipv4.ip_forward=1
To enable IP forwarding immediately, run the following command:
sysctl -w net.ipv4.ip_forward=1
Configure the Firewall
Before configuring the firewall, you need to first identify the names of the private and public network cards. Part 1 of this series goes further into this. Once you have the names, we can set up our firewall rules. In my case, I have the following setup:
eth0 - External Internet Access
eth1 - Internal Network
First, make external be the default zone:
firewall-cmd --set-default-zone external
To verify the default zone is set, run the following command:
firewall-cmd --get-default-zone
Now, assign eth1 to the internal zone:
firewall-cmd --zone=internal --change-interface eth1
To view all zone assignments, run the following command:
firewall-cmd --get-active-zones
Next, let's allow all traffic on the internal zone:
firewall-cmd --permanent --zone=internal --set-target=ACCEPT
Finally, set up masquerading on the external interface. This is what causes the router to forward IPv4 traffic to the Internet:
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
Installing and Configuring Bind
dnf -y install bind bind-utils
Now, you need to update named.conf:
vi /etc/named.conf
Add your server's private IP address to the listen-on line:
listen-on port 53 { 127.0.0.1; 192.168.1.1; };
Add your private subnet to the allow-query line:
allow-query { localhost; 192.168.1.0/24; };
Add an allow-recursion statement and add the upstream DNS servers to a forwarders entry below the allow-query line:
allow-query { localhost; 192.168.1.0/24; };
allow-recursion { localhost; 192.168.1.0/24; };
allow-recursion { localhost; 192.168.1.0/24; };
forwarders { 8.8.8.8; 8.8.4.4; }
Add a forward statement under the recursion line:
recursion yes;
forward only;
Restart the service:
systemctl restart named
Set the service to start on boot:
systemctl enable named
Installing and Configuring DHCP
dnf -y install dhcp
Add a subnet to dhcpd.conf:
vi /etc/dhcp/dhcpd.conf
Enter the following lines:
subnet 192.168.1.0 netmask 255.255.255.0 {
option domain-name-servers 192.168.1.1;
option domain-name "mynet.local";
option routers 192.168.1.1;
range 192.168.1.100 192.168.1.245;
}
Restart the service:
systemctl restart dhcpd
Set the service to start on boot:
systemctl enable dhcpd
No comments:
Post a Comment