# how to set up a dhcp server behind an adsl modem [solved]

## BlinkEye

i've been trying for two days now to get this working, but it doesn't work. i can't find any useful HOWTO for beginners, although i'm sure a lot of guys have done this already.

either way, here's my description:

i want to set up a dhcp server which will be a router for every client in my private network. the server/router is connected to the adsl via NAT and receives IPs from 192.168.20.2-192.168.20.5 (if i don't reset the modem the server/router keeps/gets the same ip). i set my server/router up to distribute IPs; here's my dhcpd.conf:

```
option domain-name "homeLAN.nowhere";
option domain-name-servers 10.10.10.1;
option routers 192.168.20.1;
default-lease-time 86400;
max-lease-time 604800;
ddns-update-style interim;
authoritative;
subnet 10.10.10.0 netmask 255.255.255.0 {
 range 10.10.10.10 10.10.10.30;
 option subnet-mask 255.255.255.0;
 option broadcast-address 10.10.10.255;
}
```

my clients get IPs from 10.10.10.10 to 10.10.10.30, and i'm able to connect to the server/router (i.e. scp, ping).

summary:

as i understand it, i need to do another NAT from my server/router to the clients.

adsl-modem: 192.168.20.1

server/router: 192.168.20.2-5 (eth1), 10.10.10.1 (eth0)

client(s): 10.10.10.10-30

client route:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.20.1    *               255.255.255.255 UH    0      0        0 eth0
10.10.10.0      *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         10.10.10.1      0.0.0.0         UG    0      0        0 eth0
```

server/router route:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.20.0    *               255.255.255.248 U     0      0        0 eth1
10.10.10.0      *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         192.168.20.1    0.0.0.0         UG    0      0        0 eth1
```

ifconfig server/router:

```
eth0      Link encap:Ethernet  HWaddr 00:0E:A6:6A:E8:1C
          inet addr:10.10.10.1  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3576 errors:0 dropped:0 overruns:0 frame:0
          TX packets:99 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:360427 (351.9 Kb)  TX bytes:11848 (11.5 Kb)
          Interrupt:17 Memory:fbe00000-0

eth1      Link encap:Ethernet  HWaddr 00:E0:7D:A0:B0:90
          inet addr:192.168.20.5  Bcast:192.168.20.7  Mask:255.255.255.248
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3759 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3188 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2570769 (2.4 Mb)  TX bytes:223191 (217.9 Kb)
          Interrupt:16 Base address:0x7000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1220 (1.1 Kb)  TX bytes:1220 (1.1 Kb)
```

ifconfig client:

```
eth0      Link encap:Ethernet  HWaddr 00:E0:18:AE:5C:CF
          inet addr:10.10.10.20  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19389 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39668 errors:0 dropped:0 overruns:0 carrier:20
          collisions:0 txqueuelen:1000
          RX bytes:10274186 (9.7 Mb)  TX bytes:3556940 (3.3 Mb)
          Interrupt:18

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:881 errors:0 dropped:0 overruns:0 frame:0
          TX packets:881 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:89702 (87.5 Kb)  TX bytes:89702 (87.5 Kb)
```

i'm looking for the easiest way to access WAN via my server/router from my clients.

i tried the following (don't blame me, i don't understand much of iptables): 

```
iptables -v -t nat -A POSTROUTING -o eth1 -j MASQUERADE
```

the problem remains: i can browse with lynx from the server/router but not from any of my clients.

would someone be kind enough to help me out?

Last edited by BlinkEye on Fri May 21, 2004 10:59 am; edited 3 times in total

----------

## adaptr

Apart from the -v flag, that is exactly the line you need.

EDIT:

What is the 192.168.0.1 line doing in your client routing table?

That does not belong there!

Remove it - routing works on a hop-by-hop basis.

You can't push any traffic past the router - that's what a router is for!

----------

## BlinkEye

 *adaptr wrote:*   

> Apart from the -v flag, that is exactly the line you need.

 

good to know.

EDIT: the -v flag provides some output if you execute the command. this is quite useful if you don't know what is being done  :Wink: 

 *adaptr wrote:*   

> EDIT:
> 
> What is the 192.168.0.1 line doing in your client routing table?
> ...

 

i guess you mean the entry in my client route tables which reads 

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.20.1    *               255.255.255.255 UH    0      0        0 eth0
```

well, if you could tell me how to disable that i would gladly do it.

Last edited by BlinkEye on Mon Mar 08, 2004 11:53 pm; edited 1 time in total

----------

## adaptr

It is the default route you distribute via DHCP.

This should point to the gateway on the 10.10.10.x network, nowhere else!

----------

## 9uSt00

I've set up the very same configuration, and all the additions here are extracts from my  own config files.

 *BlinkEye wrote:*   

> ```
> option domain-name "homeLAN.nowhere";
> 
> ...

 

I'd change it to something like this:

```
option domain-name "homeLAN.nowhere";
option domain-name-servers 10.10.10.1;
# do you really have a DNS server running on your gateway?!  if not, comment out the line above this one
# INSERT YOUR DOMAIN NAME SERVERS HERE (read from /etc/resolv.conf)
# option domain-name-servers  xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx;
default-lease-time 86400;
max-lease-time 604800;
ddns-update-style interim;
authoritative;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet 192.168.20.0 netmask 255.255.255.0 {
}

# your subnet config
subnet 10.10.10.0 netmask 255.255.255.0 {
  # this is what you want your dhcp clients to use as default router
  option routers 10.10.10.1;
  range 10.10.10.10 10.10.10.30;
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.10.10.255;
    # we want the nameservers to appear as fixed addresses
    host ns {
        fixed-address 217.13.4.24, 217.13.7.140;
    }
}
```

 *Quote:*   

> summary:
> 
> as i understand i need to do another NAT from my server/router to the clients.

 

yeah, that's a bit harder to do. First of all, make sure the kernel on your router/gateway has IP forwarding set (do a 'cat /proc/sys/net/ipv4/ip_forward'; the result of this should be 1). If you can't cat this at all, you need to configure your kernel to support NAT, so go to /usr/src/linux and type 'make menuconfig'. On my server i'm running the 2.4 kernel (still), so in order to make NAT work, the following settings need to be enabled (not all of them are necessary for NAT, but they're good to have for advanced packet matching):

```
Networking Options
   [*] Network packet filtering (replaces ipchains)
 <M>   IP: tunneling
    IP Netfilter Configuration
        <M> Connection tracking (required for masq/NAT)
        <M> IP tables support (required for filtering/masq/NAT)
        < >   limit match support
        <M>   MAC address match support
        <M>   Packet type match support
        <M>   Multiple port match support
        <M>   LENGTH match support
        <M>   TTL match support
        <M>   stealth match support
        <M>   Connection state match support
        <M>   Connection tracking match support
        <M>   Unclean match support (EXPERIMENTAL)
        <M>   Owner match support (EXPERIMENTAL)
        <M>   Packet filtering
        <M>     REJECT target support
        <M>   Full NAT
        <M>     MASQUERADE target support
```

Make sure support for ipchains and ipfwadm is not selected.

 *Quote:*   

> client route:
> 
> ```
> ...
 

ya, this is somewhat wrong.. but don't worry too much about that; the DHCP client should set this up correctly when the DHCPd provides the correct info. It has to be said, though, that the first entry should not appear. This is the routing table on my laptop behind the server (keep in mind that my internal network is 192.168.50.0):

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         192.168.50.1    0.0.0.0         UG    0      0        0 eth0
```

 *Quote:*   

> server/router route:
> 
> ```
> ...

 

that looks fine.

 *Quote:*   

> ifconfig server/router:
> 
> ```
> ...

 

I notice that you have your eth0 set to your internal network address. Is this on purpose? Normally eth0 is the NIC that goes out to the world (i.e. your ADSL router). Just make sure your cables are connected correctly and that your DHCPd runs on eth1 instead of eth0. No worries, though.. it's just a matter of what you're used to.

 *Quote:*   

> i tried the following (don't blame me, i don't understand much of iptables): 
> 
> ```
> ...

 

heh.. here's the problem, i guess... the iptables rules need to be somewhat more complicated than that... 

here's a modified extract of my firewall script to match your settings:

```
#!/bin/bash
IPTABLES="/sbin/iptables"
EXT_NIC="eth1"
INT_NIC="eth0"
INT_IP="10.10.10.0/255.255.255.0"

echo "starting firewall..."

    ###  set default rules (DENY, ACCEPT)  ###
    ${IPTABLES} -P INPUT DROP
    ${IPTABLES} -P FORWARD ACCEPT
    ${IPTABLES} -P OUTPUT ACCEPT

    ###  allow all incoming packets from internal net  ###
    ${IPTABLES} -A INPUT -i ! ${EXT_NIC} -j ACCEPT
    ###  allow incoming related packets on external NIC  ###
    ${IPTABLES} -A INPUT -i ${EXT_NIC} -m state --state ESTABLISHED,RELATED -j ACCEPT

    ###  enables masquerading of internal hosts  ###
    echo "* enabling ip forwarding in kernel"
    echo 1 > /proc/sys/net/ipv4/ip_forward

    echo "* enabling masquerading of internal hosts"
    ${IPTABLES} -t nat -P PREROUTING ACCEPT
    ${IPTABLES} -t nat -P POSTROUTING ACCEPT
    ${IPTABLES} -t nat -P OUTPUT ACCEPT
    ${IPTABLES} -t nat -A POSTROUTING -o ${EXT_NIC} -j MASQUERADE
```

hope that helps.  :Smile: 
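The gateway mistake the thread has been circling (a global `option routers 192.168.20.1` handed to 10.10.10.x clients, who cannot reach it) is easy to catch mechanically. The following is an added example, not code from the thread: a small Python checker that parses a dhcpd.conf the way dhcpd scopes options (global statements inherited by every subnet, a subnet's own declarations overriding them) and flags any subnet whose offered router or address range lies outside the subnet. The two configs embedded in it are constructed from the first post and from the corrected layout above.

```python
import ipaddress
import re

# Constructed sample (not the thread's file verbatim): the first post's
# dhcpd.conf, with the global "option routers 192.168.20.1" that the thread
# identifies as the bug: 10.10.10.x clients are handed a gateway off their LAN.
BROKEN_CONF = """
option domain-name "homeLAN.nowhere";
option domain-name-servers 10.10.10.1;
option routers 192.168.20.1;
authoritative;
subnet 10.10.10.0 netmask 255.255.255.0 {
  range 10.10.10.10 10.10.10.30;
  option subnet-mask 255.255.255.0;
}
"""

# The fix: declare the upstream subnet and let the 10.10.10.0/24 subnet
# override the router option with the router's own address on that LAN.
FIXED_CONF = BROKEN_CONF.replace(
    "subnet 10.10.10.0 netmask 255.255.255.0 {",
    "subnet 192.168.20.0 netmask 255.255.255.0 { }\n"
    "subnet 10.10.10.0 netmask 255.255.255.0 {\n  option routers 10.10.10.1;")


def parse_subnets(conf):
    """Return [(IPv4Network, scope)] where scope is the subnet's own statements
    layered over the global ones, mirroring how dhcpd inherits options."""
    text = re.sub(r"#[^\n]*", "", conf)                      # drop comments
    tokens = [t.strip() for t in re.findall(r"[{};]|[^{};]+", text)]
    scopes, headers, subnets, pending = [{}], [None], [], None
    for tok in tokens:
        if tok == "{":                                       # open nested scope
            scopes.append({})
            headers.append(pending)
            pending = None
        elif tok == "}":                                     # close; keep subnets
            scope, header = scopes.pop(), headers.pop()
            if header and header.startswith("subnet "):
                _, net, _, mask = header.split()
                subnets.append((ipaddress.IPv4Network(f"{net}/{mask}"), scope))
        elif tok == ";" and pending is not None:             # statement ends
            key, _, value = pending.partition(" ")
            if key == "option":                              # "option routers X"
                name, _, value = value.partition(" ")
                key = f"option {name}"
            scopes[-1][key] = value.strip()
            pending = None
        elif tok and tok != ";":
            pending = tok
    return [(net, {**scopes[0], **own}) for net, own in subnets]


def check_subnets(conf):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    for net, scope in parse_subnets(conf):
        routers = scope.get("option routers")
        if routers is None:
            problems.append(f"{net}: no default gateway offered")
        else:
            for r in routers.split(","):
                if ipaddress.IPv4Address(r.strip()) not in net:
                    problems.append(f"{net}: router {r.strip()} is not on this subnet")
        if "range" in scope:
            lo, hi = (ipaddress.IPv4Address(x) for x in scope["range"].split())
            if lo not in net or hi not in net or lo > hi:
                problems.append(f"{net}: range {scope['range']} is outside the subnet")
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_subnets(conf) or "ok")
```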

----------

## adaptr

 *Quote:*   

> heh.. here's the problem, i guess... the iptables rules need to be somewhat more complicated than that...

 

Oh really ?

Why ?

----------

## BlinkEye

 *9uSt00 wrote:*   

> I'd change it to something like this:
> 
> ```
> option domain-name "homeLAN.nowhere";
> 
> ...

 

juhuuu. that did the trick. thanks a lot for this great answer/howto. i'm really glad you explained elaborately.

my final /etc/dhcp/dhcpd.conf looks like this:

```
option domain-name "homeLAN.ch";
option domain-name-servers 192.168.20.1;
option routers 192.168.20.1;
default-lease-time 86400;
max-lease-time 604800;
ddns-update-style interim;
authoritative;

subnet 192.168.20.0 netmask 255.255.255.0 {
}

subnet 10.10.10.0 netmask 255.255.255.0 {
 option routers 10.10.10.1;
 range 10.10.10.10 10.10.10.30;
 option subnet-mask 255.255.255.0;
 option broadcast-address 10.10.10.255;
  host ns {
   fixed-address 192.168.20.1;
  }
}
```

really great. 

 *9uSt00 wrote:*   

> heh.. here's the problem, i guess... the iptables rules need to be somewhat more complicated than that... 

 

although a bit irritated, adaptr is right:

```
iptables -v -t nat -A POSTROUTING -o eth1 -j MASQUERADE
```

 does the trick. 

i see you provided an adjusted script for me. well, let's see if i figure it out. again, thank you both for the quick answers.

----------

## 9uSt00

 *BlinkEye wrote:*   

>  *9uSt00 wrote:*   heh.. here's the problem, i guess... the iptables rules need to be somewhat more complicated than that...  
> 
> alltough a bit irritated adaptr is right, 
> 
> ```
> ...

 

well.. that is the essential part.. i have to agree.. it's been a while since i set it up. I'm glad it helped.  :Smile: 

adaptr: dude, relax.. no need to get   :Evil or Very Mad: 

9uSt00

----------

## BlinkEye

 *9uSt00 wrote:*   

> ```
> #!/bin/bash
> ...

 

yeah. this script rocks! you saved me a lot of time. thank you for your efforts

----------

## adaptr

 *9uSt00 wrote:*   

> adaptr: dude, relax.. no need to get  

 

I did not get evil at any time - I corrected you.

You stated that his inability to connect to the internet with his clients had something to do with his firewall settings - bollocks.

The only reason his clients cannot connect is the bogus 192.168.0.1 route in the clients' routing tables.

He already had the minimal NAT required - the line I showed you.

Since I know that to be absolutely and unequivocally enough to do proper PAT on a single host, I asked you why you thought it had to be more complicated.

If you find that evil then I have of course learned my lesson  :Wink: 

----------

## 9uSt00

 *adaptr wrote:*   

>  *9uSt00 wrote:*   
> 
> adaptr: dude, relax.. no need to get  
> 
> ...

 

Fair enough.. but you have to say that saying "why, why?" can be interpreted as a bit harsh.  no worries, though.. (oh, and btw i meant angry, not evil)

 *Quote:*   

> You stated that his inability to connect to the internet with his clients had something to do with his firewall settings - bollocks.
> 
> The only reason his clients cannot connect is the bogus 192.168.0.1 route in the clients' routing tables.
> 
> He already had the minimal NAT required - the line I showed you.

 

true enough, but that wasn't the only problem..

 *Quote:*   

> If you find that evil then I have of course learned my lesson 

 

ya, so did i.  i learned that that is the only iptables rule needed for forwarding.  :Smile: 

----------

## BlinkEye

any suggestion on how to secure my box while providing access from the outside? what i need is an open ssh and an http (apache) port.

so i changed 

```
${IPTABLES} -P INPUT DROP
```

to 

```
${IPTABLES} -P INPUT ACCEPT
```

but i guess this isn't a good solution as i don't have any firewalling besides this routing/nat(ting)/masquerading script.

----------

## adaptr

Changing the policy means you have essentially no security.

Any service that's listening on the box will respond to anything from the outside, which is probably not what you want.

You can easily let only those two ports through with a few additional lines:

```
# EXT_IP: the router's own address on the external NIC (192.168.20.5 in the
# ifconfig output above); it must be defined before these lines run
iptables -A INPUT -i ${EXT_NIC} -p tcp -d ${EXT_IP} --dport 22 -j ACCEPT
iptables -A INPUT -i ${EXT_NIC} -p tcp -d ${EXT_IP} --dport 80 -j ACCEPT
iptables -A INPUT -i ${EXT_NIC} -m state --state ESTABLISHED,RELATED -j ACCEPT
```

The last line is a beautifully simple solution to having to provide a way for all packets to go back out the way they came in...

If you want to forward those ports to a machine on the LAN you will have to duplicate the first two in the nat PREROUTING chain and jump to the REDIRECT target, which will rewrite the address.
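To see concretely why switching the INPUT policy to ACCEPT leaves essentially no security, here is an added example (not code from the thread) that models the INPUT chain assembled so far, 9uSt00's two rules followed by the two port rules above, with iptables' first-match-then-policy semantics, and evaluates constructed packets against it. The interface names and the router address 192.168.20.5 are taken from the ifconfig output earlier in the thread; the set of listening services is invented for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

EXT_NIC, INT_NIC = "eth1", "eth0"
EXT_IP = "192.168.20.5"        # the router's address on eth1 in the ifconfig output


@dataclass(frozen=True)
class Packet:
    """Only the fields the INPUT rules in this thread look at."""
    in_iface: str              # -i
    proto: str                 # -p
    dst: str                   # -d
    dport: Optional[int]       # --dport (None for icmp)
    state: str                 # -m state: NEW, ESTABLISHED or RELATED


def _ext_tcp_to_router(p: Packet, port: int) -> bool:
    """-i eth1 -p tcp -d ${EXT_IP} --dport <port>"""
    return (p.in_iface == EXT_NIC and p.proto == "tcp"
            and p.dst == EXT_IP and p.dport == port)


# The INPUT chain as assembled in the thread: 9uSt00's two rules, then the two
# port rules.  iptables walks the chain in order; the first match decides and
# the chain policy applies only when nothing matched.
INPUT_CHAIN = [
    (lambda p: p.in_iface != EXT_NIC, "ACCEPT"),                      # -i ! eth1
    (lambda p: p.in_iface == EXT_NIC
               and p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),  # -m state
    (lambda p: _ext_tcp_to_router(p, 22), "ACCEPT"),                  # ssh
    (lambda p: _ext_tcp_to_router(p, 80), "ACCEPT"),                  # apache
]


def verdict(packet: Packet, policy: str) -> str:
    """What the INPUT chain does with one packet under the given policy."""
    for match, target in INPUT_CHAIN:
        if match(packet):
            return target
    return policy


def reachable_from_outside(policy: str, listening_ports) -> list:
    """TCP ports on the router that a brand-new connection from the ADSL side
    reaches: with policy DROP only the two opened ports, with policy ACCEPT
    every listening service, which is the point made above."""
    return sorted(port for port in listening_ports
                  if verdict(Packet(EXT_NIC, "tcp", EXT_IP, port, "NEW"), policy) == "ACCEPT")


if __name__ == "__main__":
    # Constructed set of services listening on the router.
    listening = {22, 25, 80, 3306}
    for policy in ("DROP", "ACCEPT"):
        print(policy, reachable_from_outside(policy, listening))
```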

----------

## BlinkEye

this is exactly what i've been looking for. thanks for the quick reply. i'm currently trying to get through the man page of iptables as the above lines seem to have a minor mistake: 

```
Bad argument `22'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `80'
Try `iptables -h' or 'iptables --help' for more information.
```

fortunately i don't have to forward ports at the moment (or i would have asked again as i don't get iptables yet).

----------

## BlinkEye

another question: if i start the script i get the following messages:

```
# start_routing
starting firewall...
iptables: No chain/target/match by that name
* enabling ip forwarding in kernel
* enabling masquerading of internal hosts
```

is there something wrong with that?

----------

## adaptr

You may have to load the iptables modules for them specifically, since these are extensions to the basic iptables functionality.

Alternatively, maybe something went wrong in the kernel config ?

If you've built iptables as modules, could you post an lsmod ?

----------

## BlinkEye

well, maybe the problem is that i built in all iptables functions?

```
# cat .config |grep CONFIG_IP
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_FTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
# CONFIG_IP_NF_MATCH_PKTTYPE is not set
# CONFIG_IP_NF_MATCH_MARK is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
# CONFIG_IP_NF_MATCH_TCPMSS is not set
# CONFIG_IP_NF_MATCH_HELPER is not set
# CONFIG_IP_NF_MATCH_STATE is not set
# CONFIG_IP_NF_MATCH_CONNTRACK is not set
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_FILTER=y
# CONFIG_IP_NF_TARGET_REJECT is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_NF_TARGET_LOG is not set
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
```

i thought i built in the extensions of iptables too. but if you say that your above commands work, i'm able to solve this problem alone. i'll try to load the specific iptables extensions as modules instead of built in, maybe that helps...

thanks for pointing me into the right direction!

----------

## adaptr

Well, yeah - you need at least the STATE match module  :Wink: 

----------

## BlinkEye

just to be sure i generated a firewall script from http://easyfwgen.morizot.net/gen/

and built all concerning iptable options as modules - still no luck:

```
firewall.sh
Loading kernel modules ...
FATAL: Module ip_conntrack not found.
net.ipv4.ip_forward = 1
error: 'net.ipv4.tcp_syncookies' is an unknown key
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
Create and populate custom rule chains ...
Process INPUT chain ...
Process FORWARD chain ...
Process OUTPUT chain ...
Load rules for nat table ...
Load rules for mangle table ...
```

so, what's wrong with that ip_conntrack module? 

these are my available modules:

```
# ls /lib/modules/2.6.5-mm6/kernel/net/ipv4/netfilter/
arp_tables.ko           ip_tables.ko       ipt_ULOG.ko       ipt_owner.ko
arpt_mangle.ko          ipt_CLASSIFY.ko    ipt_ah.ko         ipt_pkttype.ko
arptable_filter.ko      ipt_DSCP.ko        ipt_conntrack.ko  ipt_recent.ko
ip_conntrack_amanda.ko  ipt_ECN.ko         ipt_dscp.ko       ipt_state.ko
ip_conntrack_ftp.ko     ipt_LOG.ko         ipt_ecn.ko        ipt_tcpmss.ko
ip_conntrack_irc.ko     ipt_MARK.ko        ipt_esp.ko        ipt_tos.ko
ip_conntrack_tftp.ko    ipt_MASQUERADE.ko  ipt_helper.ko     ipt_ttl.ko
ip_nat_amanda.ko        ipt_NETMAP.ko      ipt_iprange.ko    iptable_filter.ko
ip_nat_ftp.ko           ipt_REDIRECT.ko    ipt_length.ko     iptable_mangle.ko
ip_nat_irc.ko           ipt_REJECT.ko      ipt_limit.ko      iptable_nat.ko
ip_nat_snmp_basic.ko    ipt_SAME.ko        ipt_mac.ko
ip_nat_tftp.ko          ipt_TCPMSS.ko      ipt_mark.ko
ip_queue.ko             ipt_TOS.ko         ipt_multiport.ko
```

and my loaded ones:

```
# lsmod
Module                  Size  Used by
ipt_MASQUERADE          3968  1
iptable_nat            24748  2 ipt_MASQUERADE
ipt_state               2176  1
iptable_filter          3072  1
ip_tables              17536  4 ipt_MASQUERADE,iptable_nat,ipt_state,iptable_filter
ppp_synctty             9472  0
ppp_async              12160  1
ppp_generic            29460  6 ppp_synctty,ppp_async
slhc                    8192  1 ppp_generic
uhci_hcd               31388  0
ehci_hcd               27400  0
ohci_hcd               19996  0
usbcore               106548  5 uhci_hcd,ehci_hcd,ohci_hcd
```

which one am i missing?

----------

## BlinkEye

as i've got off the topic more and more i continued here: https://forums.gentoo.org/viewtopic.php?p=1160123#1160123

----------

## pharaoh

This thread hooked me up too, thanks guys!

----------

