Wednesday, October 31, 2018

Creating a Fedora 28 Server Linux Router - Part 2

This is part 2 of my multi-part series on configuring a router using Fedora 28 Server. It is a continuation of http://techninotes.blogspot.com/2018/10/creating-fedora-28-server-linux-router.html. This article covers the following steps:
  • Configuring the Firewall
  • Installing and Configuring Bind
  • Installing and Configuring DHCP

Configuring the Firewall

Enable IP Forwarding

Normally, to enable IP forwarding, you would add an entry to /etc/sysctl.conf. Fedora 28, however, replaces that file each time it starts up, so the entry has to go into a file under /etc/sysctl.d/ instead, here /etc/sysctl.d/99-sysctl.conf:

vi /etc/sysctl.d/99-sysctl.conf

Add the following line to the end to ensure IP forwarding is enabled on boot:

net.ipv4.ip_forward=1

To enable IP forwarding immediately, run the following command:

sysctl -w net.ipv4.ip_forward=1

Configure the Firewall

Before configuring the firewall, you first need to identify the names of the private and public network cards; Part 1 of this series covers how to find them. Once you have the names, you can set up the firewall rules. In my case, I have the following setup:

eth0 - External Internet Access
eth1 - Internal Network

First, make external the default zone:

firewall-cmd --set-default-zone external

To verify the default zone is set, run the following command:

firewall-cmd --get-default-zone

Now, assign eth1 to the internal zone:

firewall-cmd --zone=internal --change-interface eth1

To view all zone assignments, run the following command:

firewall-cmd --get-active-zones

Next, let's allow all traffic on the internal zone:

firewall-cmd --permanent --zone=internal --set-target=ACCEPT

Finally, set up masquerading on the external interface. Masquerading rewrites the source address of outbound packets to the router's public address so internal hosts can reach the Internet, and the two FORWARD rules permit new connections only from the internal interface to the external one, letting only related and established reply traffic back in:

firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

Installing and Configuring Bind

Install bind and the bind-utils tools:

dnf -y install bind bind-utils

Now, you need to update named.conf:

vi /etc/named.conf

Add your server's private IP address to the listen-on line:

listen-on port 53 { 127.0.0.1; 192.168.1.1; };

Add your private subnet to the allow-query line:

allow-query { localhost; 192.168.1.0/24; };

Below the allow-query line, add an allow-recursion statement and a forwarders entry listing the upstream DNS servers. Restricting both allow-query and allow-recursion to localhost and the private subnet keeps the server from acting as an open resolver for hosts on the external side:

allow-query { localhost; 192.168.1.0/24; };
allow-recursion { localhost; 192.168.1.0/24; };
forwarders { 8.8.8.8; 8.8.4.4; };

Add a forward statement under the recursion line:

recursion yes;
forward only;

Restart the service:

systemctl restart named

Set the service to start on boot:

systemctl enable named

Installing and Configuring DHCP

Install the DHCP server:

dnf -y install dhcp

Add a subnet to dhcpd.conf:

vi /etc/dhcp/dhcpd.conf

Enter the following lines:

subnet 192.168.1.0 netmask 255.255.255.0 {
    option domain-name-servers 192.168.1.1;
    option domain-name "mynet.local";
    option routers 192.168.1.1;
    range 192.168.1.100 192.168.1.245;
}

Restart the service:

systemctl restart dhcpd

Set the service to start on boot:

systemctl enable dhcpd
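As an added example (not part of the original post), the following POSIX shell script audits three of the settings configured above: the persistent ip_forward entry, the bind allow-query/allow-recursion restriction, and the firewalld zone assignment. It assumes the interface names and addresses used in this article, the function names are my own, and it runs here against constructed sample inputs rather than the live system.

```shell
#!/bin/sh
# Added example, not part of the original post: post-configuration checks for the
# router built in this series. Each check is a shell function returning 0 on pass,
# so it can run on the router itself or, as below, against constructed sample
# inputs that mirror the article's settings.

# ip_forward must be set in the sysctl drop-in (survives reboot) AND at runtime.
# $1 = drop-in file, $2 = current value, e.g. "$(sysctl -n net.ipv4.ip_forward)"
check_ip_forward() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" && [ "$2" = "1" ]
}

# named must not be an open resolver: no allow-query / allow-recursion may
# contain "any" (the article restricts both to localhost and 192.168.1.0/24).
# $1 = named.conf
check_named_not_open() {
    ! grep -E '^[[:space:]]*allow-(query|recursion)[[:space:]]*\{' "$1" | grep -Eq '[[:space:]{]any[[:space:];]'
}

# Interfaces must sit in the intended zones: eth0 external, eth1 internal.
# $1 = output of "firewall-cmd --get-active-zones"
check_zones() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/            { zone = $1 }
        /^[ \t]+interfaces:/ { for (i = 2; i <= NF; i++) iface[$i] = zone }
        END { exit !(iface["eth0"] == "external" && iface["eth1"] == "internal") }'
}

# Constructed sample inputs: what the article's configuration should produce.
tmp=$(mktemp -d)
printf 'net.ipv4.ip_forward=1\n' > "$tmp/99-sysctl.conf"
cat > "$tmp/named.conf" <<'EOF'
options {
    listen-on port 53 { 127.0.0.1; 192.168.1.1; };
    allow-query { localhost; 192.168.1.0/24; };
    allow-recursion { localhost; 192.168.1.0/24; };
    forwarders { 8.8.8.8; 8.8.4.4; };
};
EOF
# A deliberately misconfigured resolver, to show the check firing.
printf 'options {\n    allow-recursion { any; };\n};\n' > "$tmp/open.conf"
zones='external
  interfaces: eth0
internal
  interfaces: eth1'

check_ip_forward "$tmp/99-sysctl.conf" 1 && echo "ip_forward: ok"
check_named_not_open "$tmp/named.conf" && echo "named restricted: ok"
check_named_not_open "$tmp/open.conf" || echo "open.conf: open resolver detected"
check_zones "$zones" && echo "zones: ok"
```

The zone check reads runtime state, so --permanent firewalld changes only show up in it after firewall-cmd --reload.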
