# setting up a dhcp server at the LAN

## Zaxon

Here it goes: I want to run a dhcpd server on a computer that has access to the net, for all the computers on my LAN. I used to do it by just assigning everyone a static IP, but I am getting more and more members :Smile:. So I am using eth1 to DHCP with my ISP so it can access the net, and all the other computers on my network go through eth0, which is my gateway with an IP of 192.168.0.1. So first off, I would want to run the dhcpd server off of eth0, right? Here is an example of my config that I borrowed from someone else:

```
# Sample /etc/dhcpd.conf
# Nick Maynard 2002.

# Change the domain name to whatever you want your domain to be.
option domain-name "eric.network";

# This line tells everyone which DNS resolvers to use.
# The first IP is your primary DNS server, the second your secondary.  Here
# the second is set to the internet gateway, which hopefully runs a DNS server
# for the internet.
# We need the secondary DNS server as we will be setting up the primary server
# to only keep records on the LAN machines, and not lookup Internet names.
# If you don't have an internet connection, replace the option line with this:
# option domain-name-servers 192.168.0.1;
option domain-name-servers 192.168.0.1, 192.168.0.1;

ddns-update-style ad-hoc;

# This line tells everyone which WINS resolvers to use.
# This is this machine, as we set it up in smb.conf earlier.
option netbios-name-servers 192.168.0.1;

# These lines configure how long the DHCP IPs are kept unique for.  I recommend
# about 96 hours (4 days), as this will usually exceed the length of your
# average LAN party, and prevents people having to obtain an IP address again.
default-lease-time 345600;
max-lease-time 345600;

# This line is in here because I've had problems in the past with Windows
# (particularly 2000) machines eating up IP addresses on reboot.
one-lease-per-client true;

# This DHCP server is the official DHCP server for the local network,
# so we tell it to hand out IPs with impunity.
authoritative;

# This is where we set up our subnet and netmask for our guest PCs.
subnet 192.168.0.0 netmask 255.255.255.0 {
	# The range of IPs to hand out.  As you can see we leave the
	# range 1 - 99 free, allowing a total of 155 assignable addresses.
	range 192.168.0.100 192.168.0.254;

	# This is the IP address of your internet gateway, should you happen
	# to have one.  If not, remove this line.
	option routers 192.168.0.1;

	# Set the broadcast address for this network.
	option broadcast-address 192.168.0.255;
}
```

Anyway, the computers do recognize the DHCP server and get an IP, but they cannot access the net. Remember eth1 is connected to the net through DHCP by my ISP and eth0 is my gateway, 192.168.0.1.

----------

## psp

Looks good. Have you set up ip_forwarding between eth0 and eth1? And you probably also want NAT'ing between the two interfaces.

----------

## Zaxon

Yes, IP_Forwarding is set up through IPTables on my computer. It is not strict at all though and should allow all connections. The computers could connect through my gateway when I assigned them static IPs, but with this DHCP server they cannot :Sad:. I am a networking newb; what did you mean by NAT'ing the two eths?

----------

## rosskevin

If someone could point me to a definitive thread or document for configuring a LAN like this, it would be very helpful to me as well (except I'm not even as far as Zaxon is).

----------

## darktux

```
# Turn on kernel packet forwarding between interfaces
echo '1' > /proc/sys/net/ipv4/ip_forward

# NAT everything coming from the LAN; range.of.ips is a placeholder for
# the LAN network (192.168.0.0/24 in this thread)
iptables -t nat -A POSTROUTING -s range.of.ips -j MASQUERADE
```

Do this on the 'gateway'. You can also just try:

```
echo '1' > /proc/sys/net/ipv4/ip_forward

# NAT whatever leaves through the interface that faces the ISP (eth1 here)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
```

rosskevin: Just post your questions, I'll do my best to help you out
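The two commands above are the whole recipe, but with the default FORWARD policy of ACCEPT they also forward anything the outside world sends toward the LAN. As an added example (mine, not code posted by darktux or anyone else on this thread), here is a deny-by-default version of the same gateway setup: it MASQUERADEs only LAN-sourced traffic leaving the ISP-facing NIC and only lets replies back in. It assumes eth1 faces the ISP and eth0 holds 192.168.0.1/24 as in the first post; the rules are emitted as text so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: deny-by-default NAT gateway for the NET -- gateway -- LAN layout
# discussed in this thread. Assumes eth1 = ISP side, eth0 = LAN side.
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Emit the rule set as text so it can be read (or diffed against
# `iptables-save` output) before anything touches the kernel.
# $1 = WAN interface, $2 = LAN interface, $3 = LAN network in CIDR form.
build_gateway_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
EOF
}
# Notes on the rules above:
#  - FORWARD DROP: nothing crosses the box unless a rule says so.
#  - LAN -> WAN is accepted only when the source is really the LAN network,
#    so a spoofed source on the LAN side is not forwarded.
#  - WAN -> LAN is accepted only for replies to connections the LAN opened.
#  - MASQUERADE (rather than SNAT) re-reads the WAN address every time, which
#    is what you want when the ISP hands out a dynamic address.

# Sanity check on the emitted rules: succeed (exit 0) when no rule lets a NEW
# connection in from the WAN interface, fail (exit 1) otherwise.
wan_initiated_blocked() {
    if build_gateway_rules "$1" "$2" "$3" \
        | grep -- "-i $1 " \
        | grep -v -q -- "ESTABLISHED,RELATED"; then
        return 1
    fi
    return 0
}

# Apply for real: needs root, enables forwarding, then runs the rules.
apply_gateway_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_gateway_rules: must be root" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | sh -e
}

# `sh gateway.sh` prints the rules for review; `sh gateway.sh apply` installs them.
case "${1:-}" in
    apply) apply_gateway_rules ;;
    *) build_gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" ;;
esac
```

The rules are not persistent; on Gentoo save them with the iptables init script once they behave as expected.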

----------

## Zaxon

thx for the help darktux, I am at school :Sad: and I will try this first thing when I get home.

----------

## darktux

*Zaxon wrote:*

> thx for the help darktux, I am at school and I will try this first thing when I get home.

Then let us know if it worked out.

----------

## rosskevin

Ok, I have nothing set up. Clean disk.

- I have 1.4_rc2 grp and/or 1.4_rc3 ready to go.
- Networking: linksys gateway/router/wireless access
- Box: AMD 800mhz 512mb 120gb

I have other PC(s) at home; I want gentoo to be the backbone for networking, ldap for ms outlook addresses, development server stuff (java), and file sharing.

I have no idea what the best configuration is at this point for the network.

- leave the linksys as the dhcp and hardware firewall? (it has nat)
- have 2 nics in the gentoo box?

I need to know first, from a high level, which piece of hardware is best to serve which purpose?

I'm fine with educating myself, I just need some pointers as a jump start... I'm not lazy... I just don't want to spend a lifetime setting this up. :Surprised:

----------

## Zaxon

Well, I am not the #1 guy to be able to answer this. But since you would already have it, I would keep the router doing the DHCP and firewall and run samba on your gentoo box to be a fileserver and such for your other boxes.

----------

## darktux

NET ---- Main Box ---- Switch (or HUB) ---- PC(s)

You'll have 2 NICs on the Main Box and 1 for each PC. The main box will have dhcp to give IPs to the other PC(s) and will do the firewalling bit.

I'm not familiar with "linksys gateway/router/wireless access", so this is the best suggestion I can make :Wink:

----------

## rosskevin

linksys:

http://www.linksys.com/products/product.asp?grid=33&scid=35&prid=415

does this help?  or change your recommendation?

----------

## darktux

If you're going to connect 4 PCs, then give it a go...  You might as well take advantage of that hardware   :Wink: 

----------

## Zaxon

Hey guys, me again. I am home and did the iptables thing to allow masquerading on eth1 (the NIC that connects to the net). So I ran the DHCP server again on eth0; well, it halfway works: the PCs get IPs and the domain name I specified, they even say the gateway is 192.168.0.1 (my IP for eth0, the thing I want :Smile: ), but they still cannot access the net. :Sad: When starting dhcpd I get this (XX is just masking out my IP :Smile: ):

```
No subnet declaration for eth1 (24.214.55.XX).
** Ignoring requests on eth1.  If this is not what
   you want, please write a subnet declaration
   in your dhcpd.conf file for the network segment
   to which interface eth1 is attached. **
Listening on LPF/eth0/00:c0:f0:38:96:1a/192.168.0.0/24
Sending on   LPF/eth0/00:c0:f0:38:96:1a/192.168.0.0/24
Sending on   Socket/fallback/fallback-net
```

So it is listening on eth0 and sending requests, but does it have to run on eth1 as well? Since it obviously is not, it has to be a dhcpd.conf problem (I think), so if you can edit the conf I posted in the first post I would appreciate it.
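That startup message is not an error: dhcpd serves only the interfaces whose address falls inside a declared subnet, so the ISP-facing eth1 is ignored, and it should stay that way. The following added example (mine, not code from this thread) reproduces that decision offline for a given dhcpd.conf and interface list, so you can confirm which NICs will be served before starting the daemon; 24.214.55.7 is a constructed stand-in for the masked ISP address above.

```shell
#!/bin/sh
# Added example: which interfaces will dhcpd answer on? dhcpd compares each
# interface address against the "subnet ... netmask ..." declarations in its
# config and ignores interfaces that match none of them.

# Convert a dotted quad to a 32-bit integer using only POSIX shell arithmetic.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Exit 0 when address $1 lies inside network $2 with netmask $3.
ip_in_subnet() {
    ip=$(ip_to_int "$1"); net=$(ip_to_int "$2"); mask=$(ip_to_int "$3")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Read a dhcpd.conf on stdin and print "network netmask" for every
# "subnet A netmask B {" declaration, with comments stripped first.
dhcpd_subnets() {
    sed 's/#.*//' | awk '$1 == "subnet" && $3 == "netmask" { print $2, $4 }'
}

# $1: dhcpd.conf text, $2: "iface address" pairs, one per line.
# Prints "iface address serve|ignore", mirroring dhcpd's startup decision.
dhcpd_interface_report() {
    conf="$1"
    printf '%s\n' "$2" | while read -r iface addr; do
        [ -n "$iface" ] || continue
        verdict=ignore
        printf '%s\n' "$conf" | dhcpd_subnets | while read -r net mask; do
            ip_in_subnet "$addr" "$net" "$mask" && echo match
        done | grep -q match && verdict=serve
        echo "$iface $addr $verdict"
    done
}

# Constructed sample mirroring the config at the top of the thread:
# only the LAN subnet is declared, which is the safe choice.
SAMPLE_CONF='authoritative;
subnet 192.168.0.0 netmask 255.255.255.0 {   # LAN side only
    range 192.168.0.100 192.168.0.254;
    option routers 192.168.0.1;
}'
# Constructed interface list: eth0 is the LAN side, eth1 the ISP side.
SAMPLE_IFACES='eth0 192.168.0.1
eth1 24.214.55.7'

# Prints "eth0 192.168.0.1 serve" and "eth1 24.214.55.7 ignore".
dhcpd_interface_report "$SAMPLE_CONF" "$SAMPLE_IFACES"
```

Starting the daemon with the LAN interface as its only argument (`dhcpd eth0`) enforces the same restriction regardless of what the config declares, so a later edit cannot accidentally put a DHCP server on the ISP side.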

----------

## darktux

This is mine:

*Quote:*

> default-lease-time 600;
> authoritative;
> ...

----------

## Zaxon

On the domain-name-servers option, can I just use my eth0 IP, 192.168.0.1? Do I need more than one IP, and if so, what can I use?

----------

## darktux

Are you running a DNS server? If NOT, use the one provided by your ISP. And yes, it can be only one.

----------

## Zaxon

It all worked now, thx for your help and patience darktux, I wuv you :Wink:. Now I just gotta figure out how to run dhcpd on bootup, since it isn't in init.d I can't do rc-update.

----------

## Zaxon

*Zaxon wrote:*

> It all worked now, thx for your help and patience darktux, I wuv you. Now I just gotta figure out how to run dhcpd on bootup, since it isn't in init.d I can't do rc-update.

I got it now! And again thx you soo much for your help darktux!

----------

## darktux

You're welcome   :Very Happy: 

----------

## AresTheImpaler

*Zaxon wrote:*

> *Zaxon wrote:* It all worked now, thx for your help and patience darktux, I wuv you ;). Now I just gotta figure out how to run dhcpd on bootup, since it isn't in init.d I can't do rc-update.
>
> I got it now! And again thx you soo much for your help darktux!

How did you do it?

----------

## darktux

```
rc-update add dhcp default
```

Doesn't work?

----------

## hassan_1321

Wow, looks like I found the right thread :Very Happy: ... I'm trying to set up a network just like darktux said:

NET ---- Main Box ---- Switch (or HUB) ---- PC(s)

I finally got my main box to see my DSL connection and I can share files with the other PCs, but no internet :Sad: ... I can't seem to find any good (up to date) documentation... so what do you think darktux? Can you point me to a good document, or school a total network newb?

----------

## darktux

*hassan_1321 wrote:*

> Wow, looks like I found the right thread ... I'm trying to set up a network just like darktux said:
>
> NET ---- Main Box ---- Switch (or HUB) ---- PC(s)
>
> I finally got my main box to see my DSL connection and I can share files with the other PCs, but no internet ... I can't seem to find any good (up to date) documentation... so what do you think darktux? Can you point me to a good document, or school a total network newb?

Your solution is right here in this thread, everything is covered, I guess :Rolling Eyes:

After reading all these replies, what don't you understand? What are your difficulties?

----------

## hassan_1321

Well, I understand the whole concept but it's just not working :Embarassed: ... everything can see everything but I can't get internet on the other boxes... that's not explained anywhere here... zaxon just said he did it and it worked... my only difficulty is the other boxes don't get internet access, so do you know what piece might be missing??

----------

## darktux

If they can see each other and you have done ip_forward and the iptables MASQUERADE bit, then try doing ping 66.218.71.198. If that works, then the DNS servers on the machines behind the gateway aren't set properly, which was the mistake that zaxon was making.

Try that ping and let us know the output.

----------

## IWBCMAN

darktux-and other enlightened ones,

Perhaps I can piggy-back on this thread, seeing that the issues being discussed are similar to the questions I have, and I would appreciate it if you, and others who better grasp these things, could help me make sense of my network config.

First off I should note that my network is functioning, but more through trial and error than through understanding; unfortunately there are simply too many variables which I do not adequately understand.

Ok, here is an attempt to describe my network config.

I currently have two machines running gentoo on a local network, connected to each other with the built-in NICs on both machines. One is my main computer, a Dell 8100, and the other machine is a Toshiba laptop. The Dell is connected to the internet via ADSL and gets its internet IP through dynamic DNS (I am using ADSL via rp-pppoe). I have an ultra-cheap hub located between my Dell and my Toshiba.

Here is a diagram:

```
adsl-modem--------------------------------------------|
                                                      |
                |-----eth1(dynamic IP/usb NIC)------->|
Dell -------|
                |-----eth0(192.168.0.1/built-in NIC)-->|
                                                       |
cheap hub-----Dell<-->Toshiba----------------------|
                                                       |
Toshiba----eth0-(192.168.0.10/built-in NIC)---->|
```

(hope you can read and make sense of this)

Now I am currently running a DHCP server on the Dell machine, and the Toshiba gets its IP address from the Dell DHCP server. Additionally I am running a Squid proxy on the Dell machine, and the Toshiba accesses the internet through the Dell Squid proxy. And to top things off I am running an apache server on my Dell machine, and I am using dyndns w/ ddclient to host a web presence (iwbcman.homelinux.org). And I have played around with LTSP, which is not being used now, so one can safely ignore any LTSP stuff.

Both machines are exporting nfs directories to each other and both are running sshd. I have no problems using ssh, scp, and nfs mount, and I can access the internet from the Toshiba. I am not currently using a firewall (I hope to implement this soon), but that adds a layer of complexity which I can only justify once I understand how things should be set up.

This all may seem strange, because I am asking for help when everything appears to work correctly, but I have loads of small problems and I do not understand why/how it works; that this setup works appears to be more due to luck than to smart design. Below are my various config files: my configuration files are the result of putting together various things I have seen posted in these forums but which I have never really grasped.

Dell machine:

/etc/hosts

```
127.0.0.1       localhost
127.0.0.2       myserver iwbcman.homelinux.org iwbcman
192.168.0.1     mtdman.iwbcman.net mtdman
#192.168.1.1     zollner.infreiburg.org  zollner
```

/etc/resolv.conf (with dynamically assigned IPs)

```
nameserver 217.5.112.21
nameserver 194.25.2.129
```

/etc/networks

```
loopback        127.0.0.0
```

/etc/hostname

```
mtdman.iwbcman.net
```

/etc/hosts.conf

```
order hosts, bind
multi on
nospoof on
alert on
```

/etc/conf.d/net

```
# This is basically the ifconfig argument without the ifconfig $iface
#
iface_eth0="192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0"
iface_eth1="192.168.0.2 broadcast 192.168.0.255 netmask 255.255.255.0"
```

/etc/exports

```
# /etc/exports: NFS file systems being exported.  See exports(5).
/mnt/dellshare 192.168.0.10/255.255.255.0(rw,no_root_squash)
/mnt/media     192.168.0.10/255.255.255.0(rw,no_root_squash)
```

/etc/dhcp/dhcpd.conf

```
#allow booting;
#allow bootp;
authoritative;
# Sample /etc/dhcpd.conf
# (add your comments here)
default-lease-time 60000;
max-lease-time 72000;
option broadcast-address 192.168.0.255;
#option routers 192.168.0.1;
option domain-name-servers 192.168.0.1;
option domain-name "iwbcman.net";
option netbios-name-servers 192.168.0.1;
option subnet-mask 255.255.255.0;
option log-servers 192.168.0.1;
#ddns-update-style ad-hoc;
ddns-update-style none;
use-host-decl-names     on;
subnet 192.168.0.0 netmask 255.255.255.0 {
   range 192.168.0.4 192.168.0.10;
}
```

ifconfig on the Dell machine returns:

```
eth0      Link encap:Ethernet  HWaddr 00:B0:D0:34:D3:4A
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:627715 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1137104 errors:0 dropped:0 overruns:0 carrier:0
          collisions:506187 txqueuelen:100
          RX bytes:105453761 (100.5 Mb)  TX bytes:1650432301 (1573.9 Mb)
          Interrupt:3 Base address:0xec00

eth1      Link encap:Ethernet  HWaddr 00:50:BA:77:36:B7
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:19752 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14632 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:17895275 (17.0 Mb)  TX bytes:1641332 (1.5 Mb)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:20695 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20695 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4291475 (4.0 Mb)  TX bytes:4291475 (4.0 Mb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:62.226.41.141  P-t-P:62.225.254.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:18457 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13337 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:17411374 (16.6 Mb)  TX bytes:1306013 (1.2 Mb)
```

and nmap 127.0.0.1 returns:

```
Starting nmap V. 3.15BETA2 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1596 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
111/tcp    open        sunrpc
143/tcp    open        imap2
631/tcp    open        ipp
926/tcp    open        unknown
993/tcp    open        imaps
3128/tcp   open        squid-http
3306/tcp   open        mysql
10000/tcp  open        snet-sensor-mgmt

Nmap run completed -- 1 IP address (1 host up) scanned in 2.396 seconds
```

I have no idea what 926 is used for; "unknown" looks suspicious.

and nmap 192.168.0.1 returns:

```
Starting nmap V. 3.15BETA2 ( www.insecure.org/nmap/ )
Interesting ports on mtdman.iwbcman.net (192.168.0.1):
(The 1597 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
111/tcp    open        sunrpc
143/tcp    open        imap2
631/tcp    open        ipp
993/tcp    open        imaps
3128/tcp   open        squid-http
3306/tcp   open        mysql
10000/tcp  open        snet-sensor-mgmt

nmap run completed -- 1 IP address (1 host up) scanned in 2.534 seconds
```

I am probably a danger to the internet... but I have yet to discover anyone else hacking into my machine, albeit I am probably a sitting duck for experienced hackers... (not much here on my machine to find anyway)

And finally, here are the changes I made to squid.conf; the rest of the file is the same as installed by default.

```
.....
#Default:
 http_access allow all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
#http_access allow manager localhost
#http_access deny manager
## Only allow purge requests from localhost
#http_access allow purge localhost
#http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
#http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# And finally deny all other access to this proxy
#http_access deny all
......
#visible_hostname mtdman.iwbcman.net
......
#
#Default:
 httpd_accel_host virtual
 httpd_accel_port 80
 httpd_accel_with_proxy on
 httpd_accel_uses_host_header on
```

God only knows how wide open my squid proxy server is.....

Now for the Toshiba:

/etc/hosts

```
127.0.0.1                localhost
192.168.0.10           mtdman.iwbcman.net infwis
```

/etc/resolv.conf

```
nameserver  192.168.0.1
search iwbcman.net
```

/etc/networks

```
loopback             127.0.0.0
```

/etc/hostname

```
mtdman.iwbcman.net
```

/etc/hosts.conf --- oooppps, no such file or directory; maybe this is messing things up

/etc/conf.d/net

```
iface_eth0="dhcp"
gateway="eth0/192.168.0.1"
```

Ok, now for some questions:

1) What is obviously messed up in this configuration?

2) Why can't I ping 192.168.0.1 from either machine? (Remember ssh and nfs work fine with this address, just no pinging.)

3) Would it make sense to do ip_forwarding on this kind of setup?

4) My /etc/hosts files on both machines are probably messed up; any pointers or tips? I wish to have both machines located on iwbcman.net, where the Dell is referred to as "mtdman" and the Toshiba is referred to as "infwis", but I am not sure how I should achieve this in the /etc/hosts file.....

5) What would you recommend for my firewall settings? As it is now, with the exception of ping, most every kind of access is available: at work I can ssh into my Dell machine here at home, I can even check my answering machine/faxes (software via isdn card) and localhost email via https://iwbcman.homelinux.org (my dyndns server)..... I love this functionality but it is probably very unsafe.

6) Lastly, I may just be suffering from confusion: so many variables, so many config files, such a complex setup. Any tips or advice would be greatly appreciated.

Thanks in advance.....

----------

## darktux

To discover what's running on port 926, do as root `fuser 926/tcp` and it will give you the PID of the process that has opened that door.

> 3) would it make sense to do ip_forwarding on this kind of setup

You probably already have this set to 1; without that you couldn't get to the internet from your laptop. To see that, do `cat /proc/sys/net/ipv4/ip_forward` and look at the output.

You should have dhcp assign a static IP to your laptop according to your MAC address, which lets you set static hosts files, since your IP will never change.

If you can access the Internet through your laptop, then you already have a firewall on your DELL which is doing MASQUERADE and can also be dropping ping's ICMP packets.

----------

## IWBCMAN

darktux,

thanks for your reply

I did not have iptables (i.e. the kernel modules were not loaded) running on either system, so I am not sure what is going on. As for internet access on my laptop: mozilla/phoenix work fine using my Dell machine's squid proxy server (192.168.0.1:3128), and emerge rsync works fine, yet emerge cannot download any files when emerging stuff; it looks for the servers and says it cannot find them, as is the case when I try to ping a web site (www.yahoo.com), i.e. unknown host. I have used the above address for HTTP_PROXY/FTP_PROXY and RSYNC_PROXY, and like I said emerge rsync works, why I don't know......

I would love to set up ip_forwarding and MASQUERADE, and I am pretty sure that these have not been turned on in my setup, but I have yet to correctly figure out how to do this: can I assume that iptables only needs to be implemented on my DELL machine? Does the Toshiba need iptables/firewall rules too? Any recommendations as to how to issue commands for implementing ip_forwarding and MASQUERADE?......

Thanks in advance...

(Also, is a /etc/hosts.conf necessary on the Toshiba?)

----------

## darktux

Yes, iptables and ip_forwarding only need to be set up on your DELL machine; the Toshiba laptop only needs to change its default route. As for the recommendations, see the previous posts and ask away all of your questions. If you can't manage it, I'll be glad to issue all the stuff you have to do.

btw: just forget about hosts.conf

----------

## IWBCMAN

darktux,

I finally got ping to work between the two machines; it turns out I had echo-ed some stuff to /proc/sys/net/ipv4/* which I had forgotten about :Embarassed:

My current iptables stuff looks like this:

```
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
```

where ppp0 *is* eth1, i.e. the one going to my ADSL provider, which gives me my IP address via dynamic IP allocation.

So here is my mystery question for you:

Why is it that I can ping in both directions now, emerge rsync works from my Toshiba, I can browse the internet via mozilla on my Toshiba with proxy set to 192.168.0.1:3128, but when I try to ping www.yahoo.com or try to emerge a package it says "hostname not found"?

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

:Very Happy: :Very Happy: :Very Happy: :Very Happy: :Very Happy: :Very Happy: :Very Happy: :Very Happy: :Very Happy: :Very Happy:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Everything works now; ignore my last question. I noticed earlier that there was no /etc/hosts.conf file on my Toshiba but didn't think anything of it; well, I just scp'ed that file from my Dell onto my Toshiba and rebooted, and copied my Dell's /etc/resolv.conf entries into my Dell's /etc/dhcp/dhcp.conf file (option domain-name-servers 217.5.112.xx,194.25.2.yyy), and now emerge works fine and I can ping any internet address I want...

Yet iptables_dynaddr does not seem to be working... my Dell machine's IP is changed dynamically, i.e. my ISP changes these values when it desires... having these DNS entries hard-coded in my /etc/dhcp/dhcp.conf file means that I will have to change these values each and every time my ISP gives me a new address..... and I am essentially circumventing my squid proxy server.... any clue as to what I need to do to get dynaddr working so that I can simply include my static local network IP address in /etc/dhcp/dhcp.conf and allow my Toshiba to automagically adapt to ever-changing IP addresses?

----------

## metalhedd

Looks like this is the "HELP ME DARKTUX" thread, so I'm going to jump on the bandwagon.

I've currently got only one machine on the internet; it's my desktop box, and it also hosts a relatively busy website. I'm adding another windoze machine to the network, so I've decided to bring my old PPro box out of the closet and use it as a router/NAT machine, and a webserver. (I've heard that this is a bad idea for security, but to hell with it.) So my setup will look like this in the end (hopefully):

[CABLEMODEM]--dhcp-->[PPRO]--dhcp-->[CHEAPHUB]-->[PC's]

Which is similar to the previous setups that were mentioned; however, I noticed that in the first example you're hardcoding an IP address for the DNS server. As far as I know all of this is handled by DHCP between the cable modem and PPRO.

I'm also not sure how to set up my net.eth1 (the NIC for the internal network) script, and I didn't see any mention of that.

Another question would be iptables; I've never used it before. All I need is a simple ruleset to enforce your typical security precautions, allow both PCs to do whatever they want, and have the webserver function properly on the PPRO. Any help would be greatly appreciated, as I'd like to have the whole thing up and running in a minimal amount of time, since the downtime is no good for my website.

----------

## darktux

The hardcoded DNS servers are for the LAN, not the ones you get from the DHCP that gets you on the internet. There's a difference between the dhcp (client) that you use to get your IP and DNS servers from your ISP, and the dhcp (server) you use for the PCs on your LAN to get their IPs (static, or not) and the DNS servers. Just imagine your PPRO as an ISP. Do you think that the people at your ISP don't have the DNS records hardcoded? :Wink:

net.eth1 will simply have an IP address specified by you.

As for the firewall, just use the rules that are listed on this thread in order to get your 'LAN PCs' connected to the web. If you want stronger security, then that's another, different issue.

Any more questions? :Smile:

----------

## metalhedd

Ok, thanks for the help :Smile: I had a ton of issues getting the PPro running, so I've had to switch to a P166 machine; gotta recompile everything. So I probably won't be starting until tonight or tomorrow. :Smile:

----------

## darktux

*metalhedd wrote:*

> Ok, thanks for the help. I had a ton of issues getting the PPro running, so I've had to switch to a P166 machine; gotta recompile everything. So I probably won't be starting until tonight or tomorrow.

Ok then... Good luck :Wink:

----------

## skyguy

Boy, I sure hope someone can help! I've been beating my head against the wall on this for way too long. I've been all over the forums, and this seems like the most appropriate thread to post to. In a nutshell, I can't seem to get my client computers to see past the server. Here's the setup:

My equipment:

-------------

Basic Toshiba pcx2500 cable modem, coax in / ethernet out

633MHz Pentium3 w/ Gentoo Linux 1.4_rc2 which I want to ultimately configure as a (firewall/file/mail/web-caching-proxy/dns) server

Assorted other Linux/Windows clients

Connections:

------------

```
Cable company
 ^      DNS nameserver #1:  65.83.241.167
 |      DNS nameserver #2:  65.83.241.167
 |      Default gateway:    66.205.100.1
 |      UBR (traceroute 1st hop):  10.100.168.1
 |
 | Coax link
 V
[Toshiba cable modem]
 ^
 | Ethernet link
 V
Pentium server (future firewall/file/mail/web-caching-proxy/dns)
 ^      WAN IP=aaa.bbb.ccc.ddd (DHCP assigned by cable company)
 |      LAN IP=192.168.1.1 (Fixed IP's for all LAN connections)
 |
 V [8-port switch]
 | | | | | | | |
 | | | | | | | +-- Laptop runs Gentoo 1.4 (IP 192.168.1.2)
 | | | | | | +---- Network printer (IP 192.168.1.3)
 | | | | | +------ future gentoo on iMac
 | | | | +-------- future gentoo on pIV
 | | | +---------- future gentoo on pIII
 | | +------------
 | +-------------- Various network connections in the house
 V [future expansion 8-port switches]
```

Here's the server data:

=======================

```
/etc/hosts
   127.0.0.1      localhost
   # the server's WAN-side NIC (eth0) DHCP/set by cable co
   # the server's LAN-side NIC (eth1) is:
   192.168.1.1   server.myNISdomain.com      server
   # typical client computer
   192.168.1.3   laptop.myNISdomain.com      laptop

/etc/resolv.conf
   nameserver    63.83.241.167
   nameserver    63.83.241.165

/etc/networks
   loopback      127.0.0.1
   myLAN         192.168.1.0

/etc/hostname (this file didn't exist until I made it)
   server.myNISdomain.com

/etc/hosts.conf (this file does not exist)

/etc/conf.d/net
   # Configure the WAN-side NIC, eth0:
   ifconfig eth0 up
   dhcpcd eth0
   iface_eth0="dhcp"
   # Now configure the LAN-side NIC, eth1:
   ifconfig eth1 up
   iface_eth1="192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0"
   # note: I have not (yet?) explicitly set the default gateway anywhere...

/etc/conf.d/iptables
   IPTABLES_SAVE="/var/lib/iptables/rules-save"
   ENABLE_FORWARDING_IPv4="yes"
   ENABLE_FORWARDING_IPv6="no"
   SAVE_RESTORE_OPTIONS="-c"
```

When I verify:

```
# cat /proc/sys/net/ipv4/ip_forward
  1 (returns the value "1" indicating forwarding is on)

# netstat -nr
Destination      Gateway     Genmask       Flags MSS Window irtt Iface
127.0.0.1        0.0.0.0    255.255.255.255   UH  40   0     0   lo
aaa.bbb.ccc.ddd  0.0.0.0    255.255.255.0     U   40   0     0   eth0 //WAN
192.168.1.0      0.0.0.0    255.255.255.0     U   40   0     0   eth1 //LAN
```

For the client computer (laptop)

===============================

```
/etc/hosts
   127.0.0.1      localhost
   # the server's LAN-side NIC (eth1) is:
   192.168.1.1   server.myNISdomain.com      server
   # typical client computer
   192.168.1.3   laptop.myNISdomain.com      laptop

/etc/resolv.conf
   nameserver    63.83.241.167
   nameserver    63.83.241.165
   search       myNISdomain.com

/etc/networks
   loopback      127.0.0.1
   myLAN      192.168.1.0

/etc/hostname (this file doesn't exist)

# uname -a
Linux laptop.myNISdomain.com 2.4.20-gentoo-r2 #1 Tue Apr 29 07:18:39 CDT 2003 Pentium III (coppermine) GenuineIntel Gnu/Linux
```

(I note that the date/time is off; today is May 4th, 2003, at about 8:30 am (well, it was when I started typing :Rolling Eyes: ). Nor does the time match that on the server. Bonus question #1: how do I reset the date/time? Bonus question #2: how do I keep them in sync with the world?)

More laptop info

```
/etc/hosts.conf (this file does not exist either)

/etc/conf.d/net
   ifconfig eth0 up
   iface_eth0="192.168.1.2 broadcast 192.168.1.255 netmask 255.255.255.0"
   # again, I have not (yet?) explicitly set the default gateway

# netstat -nr
Destination  Gateway Genmask       Flags MSS Window irtt Iface
192.168.1.0  0.0.0.0  255.255.255.0  U   40   0     0    eth1 //LAN
```

==========================================================

Other:

From the laptop I can ping by address and name BOTH NICs on the server, both the LAN-side NIC and the WAN-side NIC.

I cannot ping my cable co's DNS servers, UBR, etc. from the laptop, but I CAN do so from the server.

What am I missing?!? :Question: :Crying or Very sad: :Confused: :Embarassed:

----------

## darktux

You're missing MASQUERADING on the server, in order to share the outside world with the rest of the machines. That rule is probably somewhere on this thread   :Very Happy: 

----------

## skyguy

Darktux, thank you! I'll get my masque on and see if I can get into the ball...

----------

## JBapt

I think my DHCP is running. The DHCP server is a gentoo box and the client is WinXP Pro. When I do ipconfig /renew on the windows machine I can get an IP ok. I try to ping the DHCP server and it's ok. But when I try to ping the client from the server it cannot ping the client. What is happening?

----------

## Eum-Spliffum

*darktux wrote:*

> *hassan_1321 wrote:* wow looks like I found the right thread ... I'm trying to set up a network just like darktux said
>
> NET ---- Main Box ---- Switch (or HUB) ---- PC(s)
>
> I finally got my main box to see my DSL connection and I can share files with the other PCs, but no internet ... I can't seem to find any good (up to date) documentation... so what do you think darktux? Can you point me to a good document, or school a total network newb?
> ...

I'm like super noob here and I'm in need of help as well.

I went through the gentoo docs but I'm having difficulties finding where I should look for getting information on IP forwarding so I can route packets with my linux box...

If someone could help me out here that'd be fabulous!

----------

