
Saturday, 3 July 2010

Linux iptables Basic Commands-Linux as a router

iptables is the firewall built into the Linux kernel. It can be used to allow or block the traffic passing through the system.


Configuring iptables so that Linux works as a router:

For Linux to work as a router, it normally needs two NICs.

Here we implement the router with the network settings below, using two NICs:

eth1 -> 192.168.15.100, netmask 255.255.255.0, gateway 192.168.15.1 -> connected to the modem and hence to the internet. No other system in my LAN has direct access to this modem.

eth0 -> 192.168.1.1, netmask 255.255.255.0, connected to the LAN. All systems in the LAN have to reach the internet through this host.


For Linux to act as a router, two settings must be made.

1. IP forwarding: this can be enabled temporarily by setting the flag to 1 as below.

#echo 1 >/proc/sys/net/ipv4/ip_forward

To make it permanent and active on the next reboot, enable it in /etc/sysctl.conf by adding (or editing) the line below:
net.ipv4.ip_forward = 1
To apply this change, run the command
sysctl -p /etc/sysctl.conf

2. Adding the iptables entry for routing packets:

Before you add any entry, make sure the iptables service is running.
[root@shimna /]# chkconfig --list|grep iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
If it is not on for runlevels 2-5, turn it on with the command below.
[root@shimna /]# chkconfig iptables on

Make sure you don't have any unwanted iptables rules loaded currently:

[root@shimna /]# iptables -nvL

If unwanted rules are present, flush them all with the -F option and save:
[root@shimna /]# iptables -F
[root@shimna scripts]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@shimna scripts]#

Now you can add the entry that routes (masquerades) the LAN packets out through eth1:

[root@shimna scripts]# iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE

The above setting can be verified with the command below:

[root@shimna scripts]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 19 packets, 1554 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth1    192.168.1.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 19 packets, 1554 bytes)
 pkts bytes target     prot opt in     out     source               destination


Now your Linux system is ready to act as a router. On every other system in the LAN, configure the gateway as the LAN IP of this Linux host (192.168.1.1).
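An added audit script, not from the original post, that checks the settings made above: it reads the ip_forward flag, the persisted sysctl.conf line and the POSTROUTING chain of the iptables -nvL -t nat listing. The three check functions take the text as arguments, so they are demonstrated here on the listing shown above; audit_live (a name assumed here) runs the real commands on the router as root.

```shell
#!/bin/sh
# Added example (not from the original post): audit the router settings
# above from captured text, so the checks run without root; audit_live
# applies the same checks to the live system.

# Exit 0 when the ip_forward flag text ($1, as read from /proc/sys/net/ipv4/ip_forward) is 1.
check_ip_forward() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Exit 0 when sysctl.conf text ($1) carries an uncommented net.ipv4.ip_forward = 1.
check_sysctl_conf() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Exit 0 when `iptables -nvL -t nat` output ($1) has a POSTROUTING MASQUERADE
# rule leaving interface $2 for source network $3 (in -nv output: out is $7, source is $8).
has_masquerade() {
    printf '%s\n' "$1" | awk -v iface="$2" -v src="$3" '
        /^Chain / { chain = $2; next }
        chain == "POSTROUTING" && $3 == "MASQUERADE" && $7 == iface && $8 == src { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: the nat table listing shown above.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 19 packets, 1554 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth1    192.168.1.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 19 packets, 1554 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Run all three checks on this host (needs root); exit 1 if any setting is missing.
audit_live() {
    rc=0
    check_ip_forward "$(cat /proc/sys/net/ipv4/ip_forward)" || { echo "ip_forward is 0"; rc=1; }
    check_sysctl_conf "$(cat /etc/sysctl.conf)" || { echo "ip_forward not persisted in /etc/sysctl.conf"; rc=1; }
    has_masquerade "$(iptables -nvL -t nat)" eth1 192.168.1.0/24 || { echo "MASQUERADE rule for 192.168.1.0/24 via eth1 missing"; rc=1; }
    return $rc
}

# Demonstration on the sample; on the router itself run: audit_live
if has_masquerade "$SAMPLE_NAT" eth1 192.168.1.0/24; then echo "sample: MASQUERADE rule present"; fi
```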

Thursday, 3 December 2009

Configuring linux DNS server for LAN.

This is a caching DNS server for internet names and the authoritative DNS server for my local network. If a DNS entry is not available in the local cache, it forwards the request to the ISP DNS server and caches the answer locally for next time. This speeds up name resolution.

There are multiple entries for the same IP. This is for Apache virtual hosts (with these it is possible to host multiple websites on a single IP; Apache selects the site by looking at the name the client asked for).



Step 1: Installing the DNS server:

[root@latheefp]# yum install bind-9*



Step 2: Editing the configuration files

[root@latheefp named]# cat /etc/named.conf
acl mynet { 192.168.1.0/24; 192.168.15.0/24; 127.0.0.0/8; };
options {
    # listen-on port 53 { 127.0.0.1; }; # replace this default line with the one below
    listen-on port 53 { 192.168.1.30; 192.168.1.1; 192.168.15.100; }; # all three are IPs of this host; systems in 192.168.1.0/24 and 192.168.15.x can reach the server through them
    listen-on-v6 port 53 { ::1; }; # IPv6 listener left at the default (loopback only)
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { mynet; }; # only the networks in the mynet acl may query
    recursion yes;
    forwarders { 192.168.15.1; }; # IP of upstream ISP nameserver(s)
    forward only; # rely completely on our upstream nameservers
};

logging {
    channel simple_log {
        file "/var/log/bind.log" versions 3 size 5m; # messages of severity warning and above are written to this file
        severity warning;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default { simple_log; };
};

# This is my forward zone; all local IPs and host names are defined here
zone "riyadh.lan" IN {
    type master;
    file "/var/named/riyadh.lan.zone";
};

# Reverse zone for the riyadh.lan domain (covers both 192.168.1.x and 192.168.15.x)
zone "168.192.in-addr.arpa" IN {
    type master;
    file "/var/named/rev.192.168.zone";
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";


Step 3: Making the forward lookup zone file
This is the forward lookup zone db.

To add, remove or modify any system, just make the entry at the bottom of these two zone files (forward and reverse) and restart named.


[root@latheefp /]# cat /var/named/riyadh.lan.zone
$TTL 1D
riyadh.lan.     IN      SOA     ns.riyadh.lan. admin.riyadh.lan. (
                                2009122701      ; serial
                                3H              ; refresh
                                15              ; retry
                                1w              ; expire
                                3h )            ; negative ttl
                IN      NS      ns.riyadh.lan.
                IN      MX 10   mail.riyadh.lan.
ns              IN      A       192.168.1.30
shimna          IN      A       192.168.1.1
audit           IN      A       192.168.1.1
phpmysql        IN      A       192.168.1.1
shimna          IN      A       192.168.15.100
wimax           IN      A       192.168.15.1    ; modem
wan             IN      A       192.168.15.100  ; modem
wifi            IN      A       192.168.1.100   ; wifi modem
mds             IN      A       192.168.1.6     ; mds lap
tiger           IN      A       192.168.1.3     ; tiger server
mail            IN      A       192.168.1.20    ; tiger server
bitt            IN      A       192.168.1.104   ; webserver
ent             IN      A       192.168.1.107   ; webserver
film            IN      A       192.168.1.40    ; webserver
song            IN      A       192.168.1.40    ; webserver
;log            IN      A       192.168.1.3     ; webserver
webmin          IN      A       192.168.1.103   ; webserver
chimmu          IN      A       192.168.1.7
webtiger        IN      A       192.168.1.106
linux           IN      A       192.168.1.101
ganglia         IN      A       192.168.1.102
iphone          IN      A       192.168.1.9
E65             IN      A       192.168.1.8
;shimna         IN      A       192.168.1.5
node1           IN      A       192.168.1.99
win7            IN      A       192.168.1.75

Step 4: Editing the corresponding reverse lookup file.

[root@latheefp /]# cat /var/named/rev.192.168.zone
$TTL 1D
@       IN      SOA     ns.riyadh.lan. admin.riyadh.lan. (
                                2009122701      ; serial
                                28800           ; refresh
                                604800          ; retry
                                604800          ; expire
                                86400 )         ; negative ttl

@                                       IN    NS    ns.riyadh.lan.
30.1.168.192.in-addr.arpa.              IN    PTR   ns.riyadh.lan.
1.1.168.192.in-addr.arpa.               IN    PTR   shimna.riyadh.lan.
1.1.168.192.in-addr.arpa.               IN    PTR   audit.riyadh.lan.
1.1.168.192.in-addr.arpa.               IN    PTR   phpmysql.riyadh.lan.
100.15.168.192.in-addr.arpa.            IN    PTR   shimna.riyadh.lan.
104.1.168.192.in-addr.arpa.             IN    PTR   bitt.riyadh.lan.
107.1.168.192.in-addr.arpa.             IN    PTR   ent.riyadh.lan.
103.1.168.192.in-addr.arpa.             IN    PTR   webmin.riyadh.lan.
20.1.168.192.in-addr.arpa.              IN    PTR   mail.riyadh.lan.
40.1.168.192.in-addr.arpa.              IN    PTR   film.riyadh.lan.
40.1.168.192.in-addr.arpa.              IN    PTR   song.riyadh.lan.
;3.1.168.192.in-addr.arpa.              IN    PTR   log.riyadh.lan.
106.1.168.192.in-addr.arpa.             IN    PTR   webtiger.riyadh.lan.
7.1.168.192.in-addr.arpa.               IN    PTR   chimmu.riyadh.lan.
100.1.168.192.in-addr.arpa.             IN    PTR   wifi.riyadh.lan.
6.1.168.192.in-addr.arpa.               IN    PTR   mds.riyadh.lan.
3.1.168.192.in-addr.arpa.               IN    PTR   tiger.riyadh.lan.
1.15.168.192.in-addr.arpa.              IN    PTR   wimax.riyadh.lan.
100.15.168.192.in-addr.arpa.            IN    PTR   wan.riyadh.lan.
101.1.168.192.in-addr.arpa.             IN    PTR   linux.riyadh.lan.
102.1.168.192.in-addr.arpa.             IN    PTR   ganglia.riyadh.lan.
9.1.168.192.in-addr.arpa.               IN    PTR   iphone.riyadh.lan.
8.1.168.192.in-addr.arpa.               IN    PTR   E65.riyadh.lan.
;5.1.168.192.in-addr.arpa.              IN    PTR   shimna.riyadh.lan.
99.1.168.192.in-addr.arpa.              IN    PTR   node1.riyadh.lan.
75.1.168.192.in-addr.arpa.              IN    PTR   win7.riyadh.lan.



Step 5: Starting the DNS server:

[root@latheefp /]# /etc/init.d/named start
Starting named:                                [  OK  ]

Named can be restarted using the command below

[root@latheefp /]# /etc/init.d/named restart
Stopping named:                                [  OK  ]
Starting named:                                [  OK  ]

Now any system in the 192.168.1.x and 192.168.15.x networks can use this DNS server for lookups. It can resolve all local hosts as well as global hosts.
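An added consistency check, not from the original post, for the forward and reverse zone files edited in Steps 3 and 4: it pairs every A record with a PTR and reports records present on one side only, which is the mistake most easily made when entries are appended to the bottom of the two files. The zone name riyadh.lan is the post's; the sample records are constructed (two of them deliberately unmatched) and the function names are assumed here.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the forward zone against
# the reverse zone so every A record has a PTR and every PTR an A. The zone name is
# the post's; the sample records are constructed, with one A and one PTR unmatched.
ZONE='riyadh.lan'

# "name ip" for each A record in forward-zone text on stdin (';' comment lines skipped).
forward_pairs() {
    awk '$0 !~ /^[[:space:]]*;/ && $2 == "IN" && $3 == "A" { print $1, $4 }'
}

# "name ip" for each PTR in reverse-zone text on stdin: the IP is rebuilt from the
# in-addr.arpa owner name and the zone suffix is stripped from the target.
reverse_pairs() {
    awk -v zone="$ZONE" '$0 !~ /^[[:space:]]*;/ && $3 == "PTR" {
        split($1, o, "."); name = $4
        sub("\\." zone "\\.$", "", name)
        print name, o[4] "." o[3] "." o[2] "." o[1]
    }'
}

# Print A records lacking a PTR ("A-only") and PTRs lacking an A ("PTR-only"); return 0 when the zones agree.
zone_mismatches() {
    fwd=$(mktemp) && rev=$(mktemp) || return 2
    printf '%s\n' "$1" | forward_pairs | sort -u > "$fwd"
    printf '%s\n' "$2" | reverse_pairs | sort -u > "$rev"
    out=$(comm -23 "$fwd" "$rev" | sed 's/^/A-only: /'
          comm -13 "$fwd" "$rev" | sed 's/^/PTR-only: /')
    rm -f "$fwd" "$rev"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"; return 1
}

# Constructed samples in the post's zone-file format; 'printer' and 'scanner' are the odd ones out.
SAMPLE_FWD='$TTL 1D
riyadh.lan.  IN  SOA  ns.riyadh.lan. admin.riyadh.lan. ( 2009122701 3H 15 1w 3h )
             IN  NS   ns.riyadh.lan.
ns           IN  A    192.168.1.30
shimna       IN  A    192.168.1.1
shimna       IN  A    192.168.15.100
wimax        IN  A    192.168.15.1    ;modem
printer      IN  A    192.168.1.50    ;no PTR in the reverse zone'
SAMPLE_REV='30.1.168.192.in-addr.arpa.     IN  PTR  ns.riyadh.lan.
1.1.168.192.in-addr.arpa.      IN  PTR  shimna.riyadh.lan.
100.15.168.192.in-addr.arpa.   IN  PTR  shimna.riyadh.lan.
1.15.168.192.in-addr.arpa.     IN  PTR  wimax.riyadh.lan.
51.1.168.192.in-addr.arpa.     IN  PTR  scanner.riyadh.lan.   ;no A in the forward zone'

# On the server: zone_mismatches "$(cat /var/named/riyadh.lan.zone)" "$(cat /var/named/rev.192.168.zone)"
if zone_mismatches "$SAMPLE_FWD" "$SAMPLE_REV"; then echo "zones agree"; fi
```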