# building my Firewall/NAT Machine, Lost at Step 1.

## metalhedd

OK, I must be a total idiot, because I've had this working before, but now I can't find any documentation on what exactly to do. I'm trying to install on a machine with 2 NICs, one connected to the internet, getting an IP from DHCP. The other I want to be a DHCP server. Then have it do NAT, iptables, etc. I don't know how to go about getting the DHCP server on eth1 set up. I'm not even sure what has to go in my /etc/conf.d/net. L'il help?

----------

## splooge

emerge dhcpd

Nothing goes in the /etc/conf.d/net file for this.

Here's what my /etc/dhcp/dhcpd.conf file looks like:

```
authoritative;
ddns-update-style ad-hoc;
log-facility local7;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.100 10.1.1.200;
  option domain-name-servers 10.1.1.1;
  option domain-name "pwned.com";
  option routers 10.1.1.1;
  option broadcast-address 10.1.1.255;
  default-lease-time 600;
  max-lease-time 7200;
}
```

----------

## metalhedd

OK, I can understand that part.. but I don't see how I can just leave /etc/conf.d/net as it is... how does dhcpd know to use eth1 instead of eth0?

----------

## metalhedd

```
metalbox init.d # emerge dhcpd
Calculating dependencies
emerge: there are no masked or unmasked ebuilds to satisfy "dhcpd".
```

----------

## jukka

*metalhedd wrote:*

> ```
> metalbox init.d # emerge dhcpd
> ...
> ```

try dhcp, not dhcpd

----------

## splooge

*metalhedd wrote:*

> OK, I can understand that part.. but I don't see how I can just leave /etc/conf.d/net as it is... how does dhcpd know to use eth1 instead of eth0?

I don't know.  Maybe cause it's not going to serve 10.1.1.x addresses on the interface 10.1.1.x doesn't exist on?  I'm not sure, I don't have two ethernet cards, just an eth0 and a ppp0.

----------

## splooge

Actually:

```
mail dhcp # ps ax | grep dhcp
 1033 ?        S      0:03 /usr/sbin/dhcpd eth0
```

----------

## metalhedd

Right, but it's the net.ethX scripts that start dhcpd...

so they need to know what interface to start it on.

----------

## jukka

*metalhedd wrote:*

> Ok, I must be a total idiot,

Cool, I'm not alone!  :Wink: 

 *Quote:*   

> I'm trying to install on a machine with 2 nics, one connected to the internet, getting an IP From DHCP. the other I want to be a DHCP Server. then have it do NAT iptables, etc.

 

ok, what have you already done so far? both interfaces up and running? if your kernel doesn't see both interfaces after boot and you're sure to have compiled the correct drivers, you may have to pass some kernel options at boot time. e.g.

```
ether=10,0x1040,eth0 ether=11,0x1080,eth1
```

(see /usr/src/linux/Documentation/kernel-parameters.txt)

 *Quote:*   

> I Dont know how to go about getting the DHCP Server on eth1 set up.

 

here is a sample /etc/dhcp/dhcpd.conf (the one from splooge doesn't use multiple subnets as you are going to have):

```
authoritative;
ddns-update-style none;
log-facility local7;

option domain-name "example.com";
option domain-name-servers ns1.example.com, ns2.example.com;

default-lease-time 600;
max-lease-time 7200;

# your external subnet (internet), connected to eth0
# (you have to define such a subnet, otherwise dhcpd complains...
# just define it empty)
subnet <your_ext_net> netmask <your_ext_netmask> {
}

# your internal subnet (lan), connected to eth1
# example using class c range with 24 bit netmask
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.149;
  option broadcast-address 192.168.1.255;
  option routers defgw.example.com;
}
```

then, edit /etc/conf.d/dhcp to set the var IFACE=eth1

hmm, i have a very similar setup here, also running dhcpd on eth1:

```
# netstat -aun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 0.0.0.0:67              0.0.0.0:*
```

so dhcpd seems to use INADDR_ANY whatever interface option you pass it... maybe someone is bored enough to check this in the sources?  :Wink: 

 *Quote:*   

> I'm not even sure what has to go in my /etc/conf.d/net  l'il help?

 

you want to get your ip for eth0 from dhcp, so: iface_eth0="dhcp" - don't forget to comment out all other *_eth0 variables.

eth1 you configure manually, so set the vars iface_eth1 and maybe other *_eth1 vars.

if you are ready with this, you can start building your ip tables. you know where you can find help for such a task  :Wink: 

hth, jukka

----------

## metalhedd

OK, that makes a little more sense. ATM I am building the system in my desktop system, so I haven't even booted it in the right machine yet. I wanna get as much configured as I can before I do that.

----------

## jukka

 *metalhedd wrote:*   

> right, but its the net.ethX scripts that start dhcpd...
> 
> so they need to know what interface to start it on.

 

no, it's /etc/init.d/dhcp. only the dhcp client is started from net.ethX.

----------

## metalhedd

OK, I'm kinda lost with the example dhcpd.conf, more specifically this part:

```
subnet <your_ext_net> netmask <your_ext_netmask>
```

My external net is obtained by DHCP, so what would I put there?

Also the

```
option routers defgw.example.com
```

What does it do.. do I need it? I don't have a real domain name attached to this machine, so will it just be ignored?

Also in the conf.d/net you said to configure the eth1 vars manually; I'm not sure what to put in them, or which "other *_eth1" vars need to be changed.

Thanks for the help so far though, I think I'm getting somewhere.

----------

## splooge

Me thinks you're getting the dhcp client and server mixed up =)

If you want to serve DHCP requests on eth1, edit your /etc/init.d/dhcp script to do so.  Add this to the top of the file:

```
IFACE=eth1
```

It really is that simple, maybe you should just try it instead of battling it out in your head.

Edit:

option routers 10.1.1.1 sets the gateway to 10.1.1.1 on the dhcp clients.

 *Quote:*   

> ok, i'm kinda lost with the example dhcpd.conf, more specifically this part: 
> 
> subnet <your_ext_net> netmask <your_ext_netmask> 
> 
> my external net is obtained by dhcp. so what would I put there?

 

I think he meant internal net and internal netmask (didn't read his post so I might be taking it out of context).

Just use my dhcpd.conf file that I posted initially it will get you up and running (if you make your eth1 10.1.1.1 that is, and change your domain name server accordingly)

 *Quote:*   

> also in the conf.d/net you said to configure the eth1 vars manually, i'm not sure what to put in them? or which "other *_eth1" vars need to be changed. 

 

This is what your conf.d/net file should look like:

```
iface_eth0="dhcp"
iface_eth1="10.1.1.1 broadcast 10.1.1.255 netmask 255.255.255.0"
```

----------

## jukka

 *metalhedd wrote:*   

> subnet <your_ext_net> netmask <your_ext_netmask>
> 
> my external net is obtained by dhcp. so what would I put there?

 

The network address and the network mask (numbers-and-dots notation) of your external interface (which is connected to the internet). If you post an IP address and a netmask you obtained once from your ISP's dhcpd, I can tell you the exact values.

 *metalhedd wrote:*   

> option routers defgw.example.com
> 
> what does it do.. do I need it? I dont have a real domain name attached to this machine.  so will it just be ignored?

 

read the dhcpd docs.

 *metalhedd wrote:*   

> also in the conf.d/net you said to configure the eth1 vars manually, i'm not sure what to put in them? or which "other *_eth1" vars need to be changed.

 

read the gentoo install docs, if it doesn't help read some networking basics howtos. the file should be self-explaining.

 *splooge wrote:*   

> I think he meant internal net and internal netmask (didn't read his post so i might be taking it out of context)

 

no, external. see above.

 *splooge wrote:*   

> Just use my dhcpd.conf file that I posted initially it will get you up and running (if you make your eth1 10.1.1.1 that is, and change your domain name server accordingly)

 

splooge's file won't work, 'cause he uses one interface and one subnet only.

----------

## metalhedd

OK, I think I've got all of that straightened out. Now I've got to wait till I find another NIC; I seem to have misplaced all my spares while moving last week. When that's done I'm sure I'll be back for help with iptables  :Wink: 

Thanks a million Folks!

----------

## splooge

I have two interfaces and two subnets.

```
mail conf.d # netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
67.120.24.254   0.0.0.0         255.255.255.255 UH       40 0          0 ppp0
10.1.1.0        0.0.0.0         255.255.255.0   U        40 0          0 eth0
0.0.0.0         67.120.24.254   0.0.0.0         UG       40 0          0 ppp0
```

And it works just fine.   :Rolling Eyes: 

The fact you say it won't work unless your external subnet is defined is pretty funny considering the fact he might get a completely different IP outside of the specified subnet the next time dhcpcd goes to obtain an ip address from his isp.  I'm telling you, there's no need to put your external net in there -- you're not offering any dhcp services on it so really, why bother?

Oh, and as you can see, my external subnet isn't specified: and it works, dhcpd does not complain like you say it does.    :Shocked: 

So I don't get what you're saying.  No need to confuse the poor guy.  Just leave the <external> <crap> out of the dhcpd.conf file and it will work fine.  You confuse even ME when you talk about this 'external net'   :Very Happy: 

Let me give you a rundown of exactly what you need to do:

1) Edit your conf.d/net file to grab a public (dhcp'd) address for eth0 from your isp, and give your eth1 an internal IP address:

```
iface_eth0="dhcp"
iface_eth1="10.1.1.1 broadcast 10.1.1.255 netmask 255.255.255.0"
```

2) Cut and paste this to your /etc/dhcp/dhcpd.conf file.  Yes, it will work!  I promise.

```
authoritative;
ddns-update-style ad-hoc;
log-facility local7;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.100 10.1.1.200;
  option domain-name-servers 10.1.1.1;
  option domain-name "example.com";
  option routers 10.1.1.1;
  option broadcast-address 10.1.1.255;
  default-lease-time 600;
  max-lease-time 7200;
}
```

3) Edit your conf.d/dhcp file and add this line to the top to force dhcpd to run on eth1:  (I haven't looked too hard where IFACE gets defined before this so it might not even be needed)

```
IFACE=eth1
```
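The three steps above only work when the two files agree with each other: dhcpd serves a declared subnet on an interface whose address falls inside it, so the eth1 address from step 1, and the `range` and `option routers` from step 2, all have to sit in the same 10.1.1.0/24. The following Python check is an added example, not from this thread or from the dhcp package; the sample file contents are constructed from steps 1 and 2, and the function names are mine.

```python
import ipaddress
import re

# Constructed samples, copied from steps 1 and 2 of the rundown above.
CONF_D_NET = '''
iface_eth0="dhcp"
iface_eth1="10.1.1.1 broadcast 10.1.1.255 netmask 255.255.255.0"
'''
DHCPD_CONF = '''
subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.100 10.1.1.200;
  option routers 10.1.1.1;
}
'''

def parse_iface(conf_d_net, iface):
    m = re.search(r'^iface_%s="([^"]*)"' % re.escape(iface), conf_d_net, re.M)
    fields = m.group(1).split() if m else ["dhcp"]
    if fields[0] == "dhcp":
        return None  # address comes from the ISP's DHCP; nothing for our dhcpd to serve here
    mask = fields[fields.index("netmask") + 1] if "netmask" in fields else "255.255.255.0"
    return ipaddress.IPv4Interface(f"{fields[0]}/{mask}")

def parse_subnets(dhcpd_conf):  # yields (network, [(lo, hi)], [routers]) per subnet block
    for m in re.finditer(r'subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}', dhcpd_conf, re.S):
        net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
        ranges = [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b))
                  for a, b in re.findall(r'\brange\s+(\S+)\s+(\S+);', m.group(3))]
        routers = [r.strip() for r in re.findall(r'option routers\s+([^;]+);', m.group(3))]
        yield net, ranges, routers

def check(conf_d_net, dhcpd_conf, iface):  # returns [] when the two files agree for iface
    ifaddr = parse_iface(conf_d_net, iface)
    if ifaddr is None:
        return [f"{iface} has no static address, so dhcpd has nothing to serve on it"]
    problems, served = [], False
    for net, ranges, routers in parse_subnets(dhcpd_conf):
        if ifaddr.ip not in net:
            continue  # dhcpd only answers on an interface whose address lies in a declared subnet
        served = True
        for lo, hi in ranges:
            if lo not in net or hi not in net or lo > hi:
                problems.append(f"range {lo}-{hi} is not inside {net}")
            elif lo <= ifaddr.ip <= hi:
                problems.append(f"range {lo}-{hi} hands out the server's own address {ifaddr.ip}")
        for r in routers:  # a hostname is legal here; dhcpd resolves it when it reads the file
            if r[0].isdigit() and ipaddress.IPv4Address(r) not in net:
                problems.append(f"option routers {r} is outside {net}")
    return problems if served else [f"no subnet in dhcpd.conf contains {ifaddr.with_prefixlen}"]
```

Running `check(CONF_D_NET, DHCPD_CONF, "eth1")` on the files as posted returns an empty list; point it at eth0 and it reports that there is nothing to serve there, which is why the external subnet can stay out of dhcpd.conf.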

----------

## jukka

 *splooge wrote:*   

> I have two interfaces and two subnets. [...] And it works just fine.  

 

Yes, my mistake. I used dhcp version 2, and didn't pass an interface name as an argument... so dhcpd complained about this subnet it didn't know anything about. Now I installed version 3, and solved this problem. Sorry to both of you!   :Embarassed: 

----------

