How do I restart the DHCP server on Debian


Debian DHCP


DHCP is the abbreviation for Dynamic Host Configuration Protocol, a network protocol for handing various parameters to hosts. The DHCP client asks the DHCP server for an IP address, the gateway and the DNS servers; the server answers so that not every host has to be configured manually. This usually runs transparently and automatically, without user intervention. This guide gives an overview of the configuration of both the DHCP server and the DHCP client under Debian GNU/Linux.

The sections marked OLD were written for Debian 5/6 (Lenny/Squeeze). The sections marked NEW are for Debian 8.x (Jessie).

In the NEW setup the dnsmasq package alone is sufficient: it is both DHCP server and DNS cache.

Nothing needs to be configured on the client PCs.

Please take the DNS servers from your provider; 62.2.17.60, 62.2.24.162 and 62.2.17.61 are only examples.

  • Automatic assignment of IPs to clients (dynamic or static)
  • Name resolution, e.g.:
    • instead of the client's IP address you can use ssh testuser@fantasia
    • in the browser, if a www server (apache2) is running on the other client, you type fantasia instead of its IP
    • the same goes for other services (nfs, samba)

For this article you need:

  • Debian; the Debian installation page gives tips.
  • iptables (with kernel modules; normally available)
  • that you are the boss of the server, i.e. root authorization
  • further packages, which follow in the text
  • at least one working network card; the examples use two (a LAN without Internet access works too)
  • I work without a network manager in the example, only with the networking system.

/etc/resolv.conf

Before we start, we look at /etc/resolv.conf; the name servers of our provider are usually in there. Ideally, make a copy right away:

cp /etc/resolv.conf /etc/resolv.conf.bak

So, if necessary, we can look again in /etc/resolv.conf.bak (the backup). We need these entries in the DHCP server configuration, to hand them to the clients.

Find a free IP

A free IP has to be found for the server's Internet-side card, outside the DHCP range of the provider modem. Log into the modem; the setting is normally under Local network (LAN) and DHCP server. Example of a provider modem: DHCP server 192.168.0.1, range starting at 192.168.0.10 with a maximum of 244 addresses, i.e. 192.168.0.10 to 192.168.0.254 are in use, so 192.168.0.2 to 192.168.0.9 are free. Never use the address ending in .255, that is the broadcast address (and .0 is the network address).
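The free-address search above, as an added example (not part of the original guide): a small POSIX shell script that lists the host addresses of the modem's /24 that lie outside its DHCP range and then pings each candidate once, so you only pick an address nobody answers on. Modem address 192.168.0.1 and the range .10 to .254 are the guide's example values; ping is assumed to be the iputils version found on Debian (it accepts -W for the timeout).

```shell
#!/bin/sh
# Added example, not from the original guide: find a static address for the
# Internet-side card outside the provider modem's DHCP range.
# Assumptions: a /24, modem at PREFIX.1 (override with a 4th argument).

# free_hosts PREFIX RANGE_START RANGE_END [MODEM]
# prints every host number of PREFIX.0/24 that is neither the modem, inside the
# DHCP range, the network address (.0) nor the broadcast address (.255)
free_hosts() {
    prefix=$1; start=$2; end=$3; modem=${4:-1}
    i=1
    while [ "$i" -le 254 ]; do
        if [ "$i" -ne "$modem" ] && { [ "$i" -lt "$start" ] || [ "$i" -gt "$end" ]; }; then
            echo "$prefix.$i"
        fi
        i=$((i + 1))
    done
}

# probe_free PREFIX RANGE_START RANGE_END [MODEM]
# pings each candidate once (1 s timeout); prints only those that do not answer.
# A silent host is not a guarantee (firewalled hosts do not answer), but an
# answering one is certainly taken.
probe_free() {
    for ip in $(free_hosts "$@"); do
        if ping -c 1 -W 1 "$ip" >/dev/null 2>&1; then
            echo "in use: $ip" >&2
        else
            echo "$ip"
        fi
    done
}

# usage: sh find-free-ip.sh probe   (the guide's modem example: .10 to .254)
if [ "${1:-}" = "probe" ]; then
    probe_free 192.168.0 10 254
fi
```

Without the argument probe the script only defines the functions; free_hosts 192.168.0 10 254 prints 192.168.0.2 to 192.168.0.9, exactly the gap the text describes.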

Uninstall isc-dhcp-client

If you work with a graphical interface, leave isc-dhcp-client in the system; removing it would pull other parts of the graphical interface along. The best thing then is to set the network cards in /etc/network/interfaces as described below. This automatically hides these two network cards from the network manager and from isc-dhcp-client.

Most of the time isc-dhcp-client is still installed, which disturbs and leads to confusion: sometimes eth1 then gets a new address from the DHCP server on eth0 despite the interfaces entries below. So get rid of it (for servers without a graphical user interface):

apt-get remove isc-dhcp-client

Then we set the IPs of the network cards statically, i.e. fixed IPs.

A Debian system with two network cards is assumed: the first, eth0, becomes the home network, the second, eth1, makes the contact to the Internet. How to do it with one network card and two IPs follows later.

# /etc/network/interfaces - configuration file for ifup(8), ifdown(8)

# The loopback interface
# automatically added when upgrading
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# automatically added when upgrading
#
# And I have now changed that, this will be a static IP
# for the LAN network (internal at home)
# Here the DHCP server will listen
auto eth0
iface eth0 inet static
    address 192.168.1.1
    network 192.168.1.0
    netmask 255.255.255.0
    broadcast 192.168.1.255

# Our server is on the Internet here
# We also do a static IP here, something will be free with the
# provider modem. (Please select an IP outside the provider modem's DHCP server range)
# This is just an example
auto eth1
iface eth1 inet static
    address 192.168.0.6
    netmask 255.255.255.0
    gateway 192.168.0.1

If your provider modem works with 192.168.1.x, then you simply take 192.168.2.x for eth0 at home (be creative).

It would look like this:

# /etc/network/interfaces - configuration file for ifup(8), ifdown(8)

# The loopback interface
# automatically added when upgrading
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# automatically added when upgrading
#
# And I have now changed that, this will be a static IP
# for the LAN network (internal at home)
# Here the DHCP server will listen
auto eth0
iface eth0 inet static
    address 192.168.2.1
    network 192.168.2.0
    netmask 255.255.255.0
    broadcast 192.168.2.255

# Our server is on the Internet here
# We also do a static IP here, something will be free with the
# provider modem. (Please select an IP outside the provider modem's DHCP server range)
# This is just an example
auto eth1
iface eth1 inet static
    address 192.168.1.6
    netmask 255.255.255.0
    gateway 192.168.1.1

Use a network card with two IPs in a special case

It is possible that you only have one network card in the system. Wherever this case differs from the two-card setup and a change to the config is required, the one-card variant follows the two-card snippet, marked "With one network card instead". With two network cards, Internet and LAN are electrically separated; with one card they are not, so you also have to deactivate the DHCP server in the provider modem, otherwise two DHCP servers answer on the same wire.

With one network card instead of the "auto eth1 / iface eth1 inet static" block, our Internet access becomes an alias on eth0:

auto eth0:0
iface eth0:0 inet static
    address 192.168.0.6
    netmask 255.255.255.0
    gateway 192.168.0.1

When checking later with ifconfig, it is possible that you still have the wrong network card in operation. You can deactivate interfaces by hand:

ifconfig eth0 down
ifconfig eth1 down
ifconfig eth0:0 down

or activate them:

ifconfig eth0 up
#ifconfig eth1 up    # with only one network card this is unnecessary
ifconfig eth0:0 up   # this alone does not bring the alias up; /etc/init.d/networking restart does

Network manager

If you want to leave the network manager in the system because of the graphical user interface, but define the IPs in /etc/network/interfaces, you should now run /etc/init.d/network-manager restart; network-manager then recognizes that these two cards are controlled by the interfaces file and deactivates itself for them. They then appear as "unmanaged" in the Network Manager.

Then refresh the interfaces:

/etc/init.d/networking restart

We can check the configuration of the network cards with ifconfig. Best also run tail -f /var/log/syslog in a second terminal while doing this.

"Possible traps": please read the ip_forward section below.

Here only dnsmasq is used, as DHCP server and DNS cache. The small advantage over isc-dhcp-server is that fixed IPs assigned by MAC address together with a host name, e.g. fantasia, are also resolvable in the whole LAN and no longer have to be entered separately in /etc/hosts.

Install dnsmasq:

apt update
apt install dnsmasq

(As mentioned earlier: if the provider modem uses 192.168.1.1, then you have to change every 192.168.1.x here to 192.168.2.x.)

Minimal entries in /etc/dnsmasq.conf

# This is where our LAN is attached.
interface=eth0
# This entry is for host commands on the server
listen-address=127.0.0.1
# This is important for DNS requests from the LAN
listen-address=192.168.1.1
# Optional, but I think it is better: no DHCP on the interface to the Internet
no-dhcp-interface=eth1
# activate the DHCP server with the IP range 192.168.1.20 to 192.168.1.80, lease duration 4h
dhcp-range=192.168.1.20,192.168.1.80,4h
# a client with network card hardware (MAC) address 08:00:27:26:15:78 gets the name fantasia,
# the IP 192.168.1.25 and a lease duration of 4h
dhcp-host=08:00:27:26:15:78,fantasia,192.168.1.25,4h
# And very nice: assign an IP based on the computer name the client sends
# (as in the client's /etc/hostname; check with "arp 192.168.1.26" as root)
dhcp-host=anabelle,192.168.1.26,4h

With one network card instead of no-dhcp-interface=eth1:

no-dhcp-interface=eth0:0

We have to adjust /etc/resolv.conf to 127.0.0.1 so that the server itself asks the dnsmasq DNS cache. Then two external DNS servers have to be entered so that Internet sites can be found: dnsmasq reads this same file for its upstream servers, skips its own 127.0.0.1 entry (it logs "ignoring nameserver 127.0.0.1 - local interface") and forwards to the external ones. The clients ask dnsmasq on the server, and dnsmasq in turn asks the external DNS.

The clients only receive 192.168.1.1 as DNS server in this example, and are therefore dependent on the dnsmasq DNS on our server.

On the server, /etc/resolv.conf should look like this:

# This one is important so that the server also knows the host names (host commands)
nameserver 127.0.0.1
nameserver 62.2.24.162
nameserver 62.2.17.61

Activate:

service dnsmasq restart

If you make entries manually in the server's /etc/hosts, you can distribute them in the whole LAN with:

service dnsmasq reload

Then you could do ip_forward now, and the clients would also have Internet access.

Now we are actually already done; you can still install ssh/nfs/samba and share directories.

For private use and small companies you can stop here and don't have to read the next chapters, except maybe the firewall.
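The dnsmasq steps above (install, /etc/dnsmasq.conf, restart) as one added shell example, not code from the original guide or from the dnsmasq project: it generates the minimal configuration for a chosen LAN prefix (192.168.1 or 192.168.2, the switch the guide keeps mentioning), runs dnsmasq's own syntax check on it and only installs it if that passes. The interface names eth0/eth1, the fixed hosts fantasia and anabelle and the MAC 08:00:27:26:15:78 are taken from the guide; the bind-interfaces line is my addition, so that dnsmasq really binds only the LAN addresses instead of 0.0.0.0 and is not reachable on the Internet-side card.

```shell
#!/bin/sh
# Added example, not from the original guide: generate, syntax-check and
# install the minimal dnsmasq.conf for a LAN prefix such as 192.168.2.
# Assumptions: eth0 carries PREFIX.1 (LAN), eth1 is the Internet side.

# dnsmasq_conf PREFIX [LAN_IF] [WAN_IF]: print the configuration
dnsmasq_conf() {
    prefix=$1
    lan_if=${2:-eth0}
    wan_if=${3:-eth1}
    cat <<EOF
# LAN side: DNS and DHCP only here
interface=$lan_if
listen-address=127.0.0.1
listen-address=$prefix.1
# bind-interfaces: bind exactly the addresses above instead of 0.0.0.0, so
# nothing listens on the Internet card (my addition to the guide's config)
bind-interfaces
no-dhcp-interface=$wan_if
# dynamic pool, 4 hour leases
dhcp-range=$prefix.20,$prefix.80,4h
# fixed address by MAC, the name is handed out with it
dhcp-host=08:00:27:26:15:78,fantasia,$prefix.25,4h
# fixed address by the name the client sends (its /etc/hostname)
dhcp-host=anabelle,$prefix.26,4h
EOF
}

# install_conf PREFIX: write to a temp file, check it, then install and restart.
# Needs root. dnsmasq --test exits non-zero on a syntax error.
install_conf() {
    tmp=$(mktemp) || return 1
    dnsmasq_conf "$1" >"$tmp"
    if command -v dnsmasq >/dev/null 2>&1 && ! dnsmasq --test -C "$tmp"; then
        echo "config rejected by dnsmasq --test, not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    cp /etc/dnsmasq.conf /etc/dnsmasq.conf.bak 2>/dev/null || true
    install -m 644 "$tmp" /etc/dnsmasq.conf && rm -f "$tmp" && service dnsmasq restart
}

# usage: sh dnsmasq-setup.sh 192.168.2   (without an argument nothing is written)
if [ -n "${1:-}" ]; then
    install_conf "$1"
fi
```

Run as root with the prefix as argument; dnsmasq --test -C FILE is also the check to run by hand before every restart, since a typo in dnsmasq.conf otherwise takes DHCP and DNS for the whole LAN down at once.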

NEW

"Possible traps": please read the ip_forward section below.

Here bind (the name server, recognizable as named in "ps aux") is omitted. The /etc/hosts file is evaluated by the server.

Install the DHCP server and dnsmasq packages:

apt-get update
apt-get install isc-dhcp-server dnsmasq

Configure /etc/dhcp/dhcpd.conf; adjust these minimal entries. Also set INTERFACES="eth0" in /etc/default/isc-dhcp-server, so that the daemon only serves the LAN card.

#option domain-name "example.org";
option domain-name-servers 62.2.17.60, 62.2.24.162;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.20 192.168.1.80;
    option routers 192.168.1.1;
}

Assuming you have to work with 192.168.2.x IPs for the LAN, it would look like this:

#option domain-name "example.org";
option domain-name-servers 62.2.17.60, 62.2.24.162;

subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.20 192.168.2.80;
    option routers 192.168.2.1;
}

Activate:

/etc/init.d/isc-dhcp-server restart

In this example the DHCP server now automatically gives addresses from 192.168.1.20 to 192.168.1.80 to your clients in the LAN. If you are still without a firewall, you could do ip_forward now, and the clients would also have Internet access.

For option domain-name-servers please take the DNS servers from your provider. These are handed out to the clients.

The server itself still works with /etc/resolv.conf, which should look something like this:

# This one is important so that the server also knows the host names (host commands)
nameserver 127.0.0.1
nameserver 62.2.17.60
nameserver 62.2.24.162

Three entries, that's enough. Delete any domain or search entries.

option domain-name "example.org";

For private purposes I would omit this line: it leads to a "search example.org" entry on the client, and then it is more annoying than useful. Whoever needs it can use it (with your own name for your domain).

Deactivate with # in front of it:

#option domain-name "example.org";

But if you set option domain-name "example.org", you would write /etc/hosts differently, since our infrastructure then has a domain name:

# Add two lines
192.168.1.1   meinserver.example.org meinserver
192.168.1.22  fantasia.example.org fantasia

You would then actually have to write /etc/hosts like this. But I myself do it as indicated below.

Activate:

/etc/init.d/isc-dhcp-server restart

Activate dnsmasq

dnsmasq is used for name resolution. You only have to edit the server's /etc/hosts and give out fixed addresses to the PCs.

You have to know the MAC (hardware) address of the client's network card. It can be found on the client with ifconfig or, on Windows, ipconfig /all (e.g. hardware address 08:00:27:9b:ec:8a).

You can also determine the client's MAC address from the server with arp IP_of_client, after the client has talked to the server.

In the NEW setup you have to change a little more, but not much.

First adjust and configure the DHCP server again. Note that the fixed address 192.168.1.22 used here lies inside the dynamic range 192.168.1.20 to 192.168.1.80 from above; dhcpd does not take fixed addresses out of a range, so it is safer to choose one outside it, as the OLD section also says:

# New: we enter ourselves here as DNS name server
# (at least 192.168.2.1 as mentioned above, if the provider modem is 192.168.1.1)
option domain-name-servers 192.168.1.1, 62.2.17.60, 62.2.24.162;
# dnsmasq can answer from /etc/hosts and forward to the /etc/resolv.conf DNS servers,
# so you could specify only your server as DNS for the clients. But after a
# "service dnsmasq stop" the clients could no longer resolve any names. With the
# line above they can also ask the external DNS servers themselves.
#option domain-name-servers 192.168.1.1;

# Then we always give out the same IP to one PC
host fantasia {
    hardware ethernet 08:00:27:9b:ec:8a;
    fixed-address 192.168.1.22;
}

Activate:

/etc/init.d/isc-dhcp-server restart
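The MAC lookup with arp and the fixed-address stanza above, as an added shell example (not from the original guide): it reads the MAC the server already knows for a client from "ip neigh" output, warns if the chosen fixed address lies inside the dynamic pool, and prints the reservation both for /etc/dhcp/dhcpd.conf and for /etc/dnsmasq.conf. The neighbour table in SAMPLE_NEIGH is constructed sample data; live_mac_of runs the same lookup against the real table.

```shell
#!/bin/sh
# Added example, not from the original guide: build a DHCP reservation from
# the MAC the server has seen for a client. SAMPLE_NEIGH is constructed data
# in the format of "ip -4 neigh show"; the MACs and IPs are the guide's examples.

SAMPLE_NEIGH='192.168.1.22 dev eth0 lladdr 08:00:27:9b:ec:8a REACHABLE
192.168.1.37 dev eth0 lladdr 08:00:27:26:15:78 STALE
192.168.0.1 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE'

# mac_of IP NEIGH_TEXT: MAC for IP from neighbour table text, empty if unknown
# (entries in state FAILED have no lladdr column and are skipped)
mac_of() {
    printf '%s\n' "$2" | awk -v ip="$1" '$1 == ip && $4 == "lladdr" { print $5; exit }'
}

# live_mac_of IP: the same against the running system; the client must have
# talked to the server already (ping it from the server first)
live_mac_of() { mac_of "$1" "$(ip -4 neigh show)"; }

# outside_pool IP START END: true if the last octet of IP is not within START..END.
# dhcpd does not remove fixed addresses from a range, so keep them outside it.
outside_pool() {
    last=${1##*.}
    [ "$last" -lt "$2" ] || [ "$last" -gt "$3" ]
}

# dhcpd_host NAME MAC IP: host stanza for dhcpd.conf
dhcpd_host() {
    printf 'host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n' "$1" "$2" "$3"
}

# dnsmasq_host NAME MAC IP: the same reservation as a dnsmasq.conf line, 4h lease
dnsmasq_host() { printf 'dhcp-host=%s,%s,%s,4h\n' "$2" "$1" "$3"; }

# reserve NAME CURRENT_IP FIXED_IP POOL_START POOL_END NEIGH_TEXT
# looks up the MAC behind CURRENT_IP and prints both reservation forms
reserve() {
    mac=$(mac_of "$2" "$6")
    if [ -z "$mac" ]; then
        echo "no MAC known for $2; ping it from the server first" >&2
        return 1
    fi
    outside_pool "$3" "$4" "$5" || echo "warning: $3 lies inside the dynamic range .$4 to .$5" >&2
    dhcpd_host "$1" "$mac" "$3"
    dnsmasq_host "$1" "$mac" "$3"
}

# The guide's client fantasia, currently seen at .22, with the pool .20 to .80:
# this prints the stanzas and, because .22 is inside the pool, the warning.
reserve fantasia 192.168.1.22 192.168.1.22 20 80 "$SAMPLE_NEIGH"
```

For a real client replace the last line with reserve NAME IP FIXED_IP 20 80 "$(ip -4 neigh show)"; the warning is the page's own advice from the OLD section (fixed IPs not from the dynamic range) turned into a check.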

Then we edit dnsmasq, /etc/dnsmasq.conf:

# There is an empty "#listen-address=" example around line 110 in the config
# This entry is for host commands on the server
listen-address=127.0.0.1
# This is important for DNS requests from the LAN
listen-address=192.168.1.1
# And we don't use dnsmasq's DHCP service
no-dhcp-interface=eth0
no-dhcp-interface=eth1

With one network card instead:

no-dhcp-interface=eth0
no-dhcp-interface=eth0:0

We can wait with the start: every time you add something to the server's /etc/hosts, you have to restart (or reload) dnsmasq afterwards so that it is included in its cache. So let's adjust /etc/hosts on the server.

/etc/hosts

# Add two lines
192.168.1.1   meinserver
192.168.1.22  fantasia

Now it is worth restarting dnsmasq. Activate everything:

/etc/init.d/dnsmasq restart

The clients must also be restarted once, or disconnected briefly, so that they receive the new DNS server entry (192.168.1.1) with their next lease.

In normal operation it is sufficient to adjust the server's /etc/hosts and run service dnsmasq reload; the clients see the change.

Now you can run host fantasia on every client and get the IP of fantasia. If an Apache is running on fantasia, you can also start a browser on any other computer and type fantasia into the URL line. Or open a shell on another computer and log in with ssh testuser@fantasia (sshd must be installed on fantasia).

Now we are actually already done; you can still install ssh/nfs/samba and share directories.

For private use and small companies you can stop here and don't have to read the next chapters, except maybe the firewall.

OLD

In the old description, eth0 was the Internet access, so everything is a bit upside down here. And NAT/MASQ for a firewall would be:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

"Possible traps": please read the ip_forward section below.

Here bind (the name server, recognizable as named in "ps aux") is omitted. The /etc/hosts file is evaluated by the server.

Install the DHCP server and dnsmasq packages:

apt-get update
apt-get install dhcp dnsmasq

Configure /etc/dhcpd.conf:

# /etc/dhcpd.conf
# Minimum lease time in seconds (1 hour)
default-lease-time 3600;
# Maximum lease time in seconds (24 hours)
max-lease-time 86400;

# The following settings apply to the eth1 (LAN) network card
subnet 192.168.1.0 netmask 255.255.255.0 {
    # domain name = mylan
    option domain-name "mylan";
    # two DNS servers or your own DNS server (192.168.1.1 then); only keep one line active.
    # Your name servers from the provider are in /etc/resolv.conf, or "host -t NS domainProvider"
    # will also show them.
    option domain-name-servers ns1.einDNS.net, ns2.zweiterDNS.net;
    # if we install a DNS server, this one instead:
    #option domain-name-servers 192.168.1.1;
    # Internet gateway
    option routers 192.168.1.1;
    # Netmask
    option subnet-mask 255.255.255.0;

    # Configuration for the computer pc1
    # (that would be marlise in the example below)
    #host pc1 {
    #    hardware ethernet 00:20:78:19:0E:6B;
    #    fixed-address 192.168.1.2;
    #}
    # Configuration for the computer pc2
    #host pc2 {
    #    hardware ethernet 00:02:3F:31:A3:29;
    #    fixed-address 192.168.1.3;
    #}
    # Configuration for the computer pc3
    #host pc3 {
    #    hardware ethernet 00:02:3F6d:78:09:3c;
    #    fixed-address 192.168.1.4;
    #}

    # dynamic assignment for the other computers in the LAN
    range 192.168.1.100 192.168.1.200;
}

With host pc1 to host pc3 you can always give the same IP to a client computer according to the MAC address of its network card. Otherwise it gets one from "range 192.168.1.100 192.168.1.200". Client computers with a fixed IP in the LAN are advantageous if things like P2P run on them: you can then always port-forward to the same computer (works with iptables, i.e. minifire can do that too).

Configure /etc/default/dhcp:

# Defaults for dhcp initscript
# sourced by /etc/init.d/dhcp
# installed at /etc/default/dhcp by the maintainer scripts
#
# This is a POSIX shell fragment
#
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="eth1"

Note the INTERFACES line: in the OLD layout eth1 is the LAN side.

How do I find the MAC address of the client's network card? With arp or arping on the server.

Refreshing the DHCP server:

/etc/init.d/dhcp restart

marlise: if a computer is to be addressed as marlise, assign it a fixed IP in dhcpd.conf, then add a line like this to /etc/hosts on the server:

192.168.1.2 marlise marlise.local www.marlise.local

Now you can run host marlise on every client and get the IP of marlise. If an Apache is running on marlise, you can also start a browser on any other computer and type marlise into the URL line. Or open a shell on another computer and log in with ssh (sshd must be installed on marlise).

Now we are actually already done; you can still install nfs/samba and share directories.

For private use and small companies you can stop here and don't have to read the next chapters.

NEW

"Possible traps": please read the ip_forward section below.

From here on /etc/hosts becomes inactive for name resolution! (The server itself still uses /etc/hosts locally, but the clients no longer see it.)

A name server without configuration will find Internet pages, but not the local computers. That's why you are encouraged to configure it.

Anyone who has worked with dnsmasq up to this point should uninstall it first:

apt remove dnsmasq

The firewall must allow port 53 (UDP and TCP) in the LAN for the BIND name server.

Modify the server: save the old resolv.conf; from now on you won't find anything on the Internet without your own bind. The server itself also has to ask its own name server, which is why resolv.conf is adapted accordingly:

# The search line only if you also work with a domain in the DHCP server
#search example.com
# If an answer is given here (the bind9 server), the next line is not asked
nameserver 127.0.0.1
# Activate the line below if the server should still find Internet pages after a "service bind9 stop"
#nameserver 62.2.17.60

We also have to give the clients our name server as default, and further external ones according to your taste and how it should behave. First adjust and configure the DHCP server again:

# New: we enter ourselves here as DNS name server
# (at least 192.168.2.1 as mentioned above, if the provider modem is 192.168.1.1)
option domain-name-servers 192.168.1.1, 62.2.17.60, 62.2.24.162;
# bind9 is a DNS server that knows everything. That's why /etc/resolv.conf is directed to
# 127.0.0.1, and /etc/hosts is inactive for the clients.
# So you could specify only your server as DNS for the clients. But after a "service bind9 stop"
# neither the server nor the clients could resolve names any more. With the line above the
# clients can also ask the external DNS servers themselves.
#option domain-name-servers 192.168.1.1;

# Then we always give out the same IP to one PC.
# Just an example; it is also necessary with the DNS server, whose zone then carries the names.
# The name is no longer made in /etc/hosts, that is inactive.
host fantasia {
    hardware ethernet 08:00:27:9b:ec:8a;
    fixed-address 192.168.1.22;
}

Activate:

/etc/init.d/isc-dhcp-server restart

bind9 name server

I think these articles are really good from https://wiki.debian.org/Bind9, and I refrain from writing the same thing myself.

OLD - Maybe still useful after all

Doing without dnsmasq and setting up a proper DNS name server is explained from here.

"Possible traps": please read the ip_forward section below.

From here on /etc/hosts becomes inactive for the clients!

The firewall must allow port 53 (UDP and TCP) for the BIND name server.

The change: save the old resolv.conf; from now on you won't find anything on the Internet without your own bind.

search mylan
nameserver 192.168.1.1

"Possible traps": please read the notes on resolv.conf.

Basically: uninstall dnsmasq. This can be reversed later, but then /etc/resolv.conf has to be reset again.

bind without configuration (does not make sense: you can find Internet pages, but not the other computers in the LAN):

apt-get install bind9

Then in /etc/dhcpd.conf change the line "option domain-name-servers ns1.ersterDNS.net, ns2.zweiterDNS.net;" to "option domain-name-servers 192.168.1.1;".

Refresh:

Refresh the client: on Debian, run pump as root; reboot Windows (so that the DNS entry 192.168.1.1 is read).

You can then only reach the other computers via IP addresses, not via names, unless you keep a current /etc/hosts on each computer. The Internet works for the computers.

bind with configuration (useful, demanding): you then have the following files in /etc/bind: db.0 db.127 db.255 db.local db.root named.conf named.conf.local named.conf.options. So we are missing a db.mylan and a db.192.168.1. And in /etc/dhcpd.conf change the line "option domain-name-servers ns1.ersterDNS.net, ns2.zweiterDNS.net;" to "option domain-name-servers 192.168.1.1;".

So:

;
; /etc/bind/db.mylan
;
$TTL 604800
@       IN SOA  ns.mylan. webmaster.mylan.local. (
                1       ; Serial
                604800  ; Refresh
                86400   ; Retry
                2419200 ; Expire
                604800 ); Negative Cache TTL
;
@       IN NS   ns.mylan.
;
ns.mylan.         A     192.168.1.1
meinserver.mylan. CNAME ns.mylan.
marlise.mylan.    A     192.168.1.2
marlise2.mylan.   A     192.168.1.3

Here the names are given IP addresses. Please then assign fixed IPs to the MAC addresses of the network cards (not from the dynamic range), see dhcpd.conf.

Then:

;
; /etc/bind/db.192.168.1
;
$TTL 604800
@       IN SOA  ns.mylan. webmaster.mylan.local. (
                1       ; Serial
                604800  ; Refresh
                86400   ; Retry
                2419200 ; Expire
                604800 ); Negative Cache TTL
;
@       IN NS   ns.mylan.
;
1       PTR     meinserver.mylan.
2       PTR     marlise.mylan.
3       PTR     marlise2.mylan.

Reverse resolution is enabled here: host 192.168.1.2 results in marlise.

With a dynamic IP from the provider the next two zones are hardly worth it, unless you rewrite their content again and again with a script. With static IPs it's a great thing.

so :

;
; /etc/bind/db.meinserver.org
;
$ORIGIN meinserver.org.
$TTL 604800
@       IN SOA  meinserver.org. webmaster.meinserver.org. (
                1       ; Serial
                604800  ; Refresh
                86400   ; Retry
                2419200 ; Expire
                604800 ); Negative Cache TTL
;
@       IN NS   meinserver.org.
;
meinserver.org.            A     ???.???.???.???
meinserver.meinserver.org. CNAME meinserver.org.
marlise.meinserver.org.    A     192.168.1.2
marlise2.meinserver.org.   A     192.168.1.3

so :

;
; /etc/bind/db.???.???.???
;
$TTL 604800
@       IN SOA  meinserver.org. webmaster.meinserver.org. (
                1       ; Serial
                604800  ; Refresh
                86400   ; Retry
                2419200 ; Expire
                604800 ); Negative Cache TTL
;
@       IN NS   meinserver.org.
;
131     PTR     meinserver.org.

Here your own IP would end in 131. With dynamic IPs you would have to set this again and again and change the file names. The ??? stand for the first three parts of the IP you have on the Internet.

webmaster.meinserver.org is read as webmaster@meinserver.org (the first dot of the SOA contact becomes the @), and should be a valid email address!

Then include the zones in the configuration:

// /etc/bind/named.conf.local
// Add local zone definitions here.
zone "mylan" {
    notify no;
    type master;
    file "/etc/bind/db.mylan";
};
zone "1.168.192.in-addr.arpa" {
    notify no;
    type master;
    file "/etc/bind/db.192.168.1";
};
//zone "meinserver.org" {
//    type master;
//    file "/etc/bind/db.meinserver.org";
//};
//zone "???.???.???.in-addr.arpa" {
//    type master;
//    file "/etc/bind/db.???.???.???";
//};

The last two would be for the IP that you got from the provider. Note the zone name: 192.168.1 becomes 1.168.192, and likewise the ???.???.???.in-addr.arpa zone has its octets reversed. Actually you should enter the last two zones in named.conf so that it is nicely separated, but then you are only fiddling with one file, named.conf.local.
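The pair db.mylan / db.192.168.1 above, as an added shell example (not from the original guide or from BIND): it derives the reverse zone from the A records of the forward zone, so the PTR records and the 1.168.192 zone name are computed rather than typed, and it bumps the SOA serial, which has to grow with every change or other name servers never pick the change up. FORWARD is a constructed copy of the guide's db.mylan with the class column written out; the PTR for .1 points at ns.mylan. because that is the owner of the A record (meinserver is only a CNAME and gets no PTR).

```shell
#!/bin/sh
# Added example, not from the original guide: generate db.192.168.1 from
# db.mylan. FORWARD is constructed sample data modelled on the guide's zone.

FORWARD='$TTL 604800
@ IN SOA ns.mylan. webmaster.mylan.local. (
        1 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
;
@ IN NS ns.mylan.
ns.mylan. IN A 192.168.1.1
meinserver.mylan. IN CNAME ns.mylan.
marlise.mylan. IN A 192.168.1.2
marlise2.mylan. IN A 192.168.1.3'

# arpa_zone 192.168.1 -> 1.168.192.in-addr.arpa (octets in reverse order)
arpa_zone() {
    printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# serial_of ZONETEXT: the number on the "; Serial" line of the SOA
serial_of() {
    printf '%s\n' "$1" | awk '/; *Serial/ { print $1; exit }'
}

# ptr_records ZONETEXT PREFIX: "N PTR owner" for every A record inside PREFIX.0/24,
# whether or not the optional IN class column is present; CNAMEs are skipped
ptr_records() {
    printf '%s\n' "$1" | awk -v p="$2." '
        { type = $2; rdata = $3; if ($2 == "IN") { type = $3; rdata = $4 } }
        type == "A" && index(rdata, p) == 1 {
            print substr(rdata, length(p) + 1) "\tPTR\t" $1
        }'
}

# reverse_zone ZONETEXT PREFIX NSNAME: a complete db.PREFIX, serial bumped by one
reverse_zone() {
    serial=$(( $(serial_of "$1") + 1 ))
    cat <<EOF
;
; /etc/bind/db.$2 (zone $(arpa_zone "$2"))
;
\$TTL 604800
@       IN SOA  $3 webmaster.mylan.local. (
                $serial ; Serial
                604800  ; Refresh
                86400   ; Retry
                2419200 ; Expire
                604800 ); Negative Cache TTL
;
@       IN NS   $3
;
EOF
    ptr_records "$1" "$2"
}

# usage: sh reverse-zone.sh [check]; "check" also runs named-checkzone if installed
if [ "${1:-}" = "check" ] && command -v named-checkzone >/dev/null 2>&1; then
    tmp=$(mktemp)
    reverse_zone "$FORWARD" 192.168.1 ns.mylan. >"$tmp"
    named-checkzone "$(arpa_zone 192.168.1)" "$tmp"
    rm -f "$tmp"
else
    reverse_zone "$FORWARD" 192.168.1 ns.mylan.
fi
```

named-checkzone ZONE FILE (and named-checkconf for named.conf.local) is the check to run before every bind9 restart; the same script logic works for the ???.???.??? zone once the external IP is known.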

Refresh:

/etc/init.d/bind9 restart

Check: watch the log (tail -f /var/log/syslog) and see whether it loads all master zones without errors; otherwise you have made a mistake somewhere. named-checkconf and named-checkzone ZONE FILE report the same errors before the restart.

Tests: host marlise and host 192.168.1.2 (internal resolution). If you have activated the ???.???.??? zones: host meinserver.org should display the IP from inside the LAN, and from outside as well.

Documentation on bind can be found at: file: /usr/share/doc/HOWTO/de-html/DE-DNS-HOWTO-1.html

NEW: actually all clients are DHCP-client capable by default.

OLD Debian client: it is actually sufficient to install pump (a simple DHCP/BOOTP client) and make sure that the network card's kernel module is loaded.

(apt-get install pump; if necessary set /etc/network/interfaces like the eth0 section at the beginning of this page.) A pump command as root is then sufficient to refresh the connection. With tail -f /var/log/daemon.log in a free shell you can check the data transferred by the DHCP server. If you want the hardware address so that you can assign a fixed IP, find it on the client with ifconfig.

Mac / Windows client: normally the DHCP client capability comes with the network driver installation, i.e. under the network settings everything is set to "obtain IP automatically" etc.

NAT / MASQ

Only if you write the firewall yourself, this tip:

Before we set up the DHCP server, a quick note about the firewall. In order for packets from the home network to reach the Internet and for the answers to find the right computer in the home network again, the source address has to be rewritten on the way out. This happens with the command:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

With one network card instead:

iptables -t nat -A POSTROUTING -o eth0:0 -j MASQUERADE

(Only an extract of the most important command; here the output interface would be the eth1 network card. Note that the kernel only knows eth0, an alias name like eth0:0 never matches an iptables interface rule, so with one card use -o eth0 and restrict the rule with -s 192.168.1.0/24 to the LAN network.)

nat/POSTROUTING: here all packets that have been routed pass through once more (including locally generated packets). Information about the origin of a packet is changed here, such as:

  • the source IP address
  • masquerading (a special form of source IP change)

MASQUERADE: the routed packet receives the IP address of the outgoing interface and a free port as sender address. With dial-up connections with only one IP address, several computers can thus share one dial-up connection via a router. When the interface with the "borrowed" IP address goes down, all saved connection data is forgotten.

Communication ports and firewall

The basic ports can be looked up in /etc/services. The following ports must not be closed in the LAN:

DHCP server for IPv4: bootps/bootpc, UDP ports 67 (server) and 68 (client); TCP is not used. For IPv6 it is dhcpv6, UDP ports 546 (client) and 547 (server), also UDP only. Since I never do IPv6 at home, I have not tried it myself.

dnsmasq and the bind DNS server: port 53 UDP, and also port 53 TCP, which is used for answers too large for UDP (and for zone transfers).

Time server in the LAN: port 123 UDP (the ntp package is sufficient, on the server and on the client; no more ntpdate!)

ssh: port 22 TCP

arno-iptables-firewall

If you don't write the firewall yourself, there are various offers, from scripts to graphically operated ones. I am showing arno-iptables-firewall as an example.

eth0 is the LAN (192.168.1.1), eth1 is the Internet (with one network card: eth0:0).

Installation:

apt install arno-iptables-firewall

Configuration; this can be called up again and again:

dpkg-reconfigure arno-iptables-firewall

The answers:

  1. Would you like to manage the firewall configuration with debconf? -> yes

  2. External network interfaces: -> eth1 eth0: 0

  3. Is DHCP used with the external network interfaces? -> We have fixed IPs, so No is the correct answer (Yes does no harm either)

  4. Open external TCP ports: -> 22 80 443 (that would be for ssh and apache2 from external to the server, you have to know that)

  5. Open external UDP ports: -> stays empty, unless you know what you are opening: a time server for outside (123), or bind9 (53) for outside?

  6. Should this system be 'pingable' from the outside? -> A matter of taste, I say yes

  7. Internal network interfaces: -> eth0

  8. Internal networks: -> 192.168.1.0/24 (not /8: 192.168.1.0/8 means 192.0.0.0/8, i.e. every address starting with 192)

  9. Would you like to enable NAT? -> YES

  10. Internal networks with access to external networks: -> no entry means all internal networks may access the Internet, or restrict it to this network -> 192.168.1.0/24 (you can also allow only individual computers by IP)

  11. Do you want to (re) start the firewall now? -> yes

If someone named their network 192.168.2.x, the answer would be 192.168.2.0/24 instead of 192.168.1.0/24.

The configuration files are in /etc/arno-iptables-firewall; our answers end up in conf.d/00debconf.conf, firewall.conf is the basic one and would have to be edited by hand. custom.conf is also useful for your own iptables commands. It's best to read the arno FAQ, e.g. for port forwarding etc.

For me /etc/arno-iptables-firewall/conf.d/00debconf.conf looks like this:

EXT_IF="eth1"
EXT_IF_DHCP_IP=1
OPEN_TCP="22 80 443"
OPEN_UDP=""
INT_IF="eth0"
NAT=1
INTERNAL_NET="192.168.1.0/24"
NAT_INTERNAL_NET="192.168.1.0/24"
OPEN_ICMP=1

With one network card instead:

EXT_IF="eth0:0"

You can also edit things here by hand, and then activate them with:

/etc/init.d/arno-iptables-firewall restart

ip_forward

If you can ping the gateway from the clients and DNS works, but otherwise no packets are forwarded, make sure that IP forwarding is activated.

NEW

From this moment on the clients' packets are forwarded to the Internet; this is where the question of a firewall comes up.

Let's check the status:

cat /proc/sys/net/ipv4/ip_forward

A 0 means forwarding is off, a 1 means it is on.

Let's put it permanently in /etc/sysctl.conf (insert the line at the bottom, or if it is already in there commented out, remove the #):

net.ipv4.ip_forward = 1

Activate:

sysctl -p /etc/sysctl.conf
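The port list, the MASQUERADE rule and ip_forward above, as one added shell example (not from the original guide and not arno-iptables-firewall's code): the hand-written iptables equivalent for a two-card box, with DHCP, DNS (UDP and TCP), NTP and ssh open on the LAN side only, forwarding LAN to Internet with conntrack for the replies, NAT on the Internet card, and ip_forward made persistent in /etc/sysctl.conf. eth0 as LAN, eth1 as Internet and 192.168.1.0/24 are the guide's example values and can be overridden via the environment; without the argument apply the script only prints the rules.

```shell
#!/bin/sh
# Added example, not from the original guide: minimal gateway firewall for
# eth0 = LAN, eth1 = Internet. Assumed values, override with LAN_IF/WAN_IF/LAN_NET.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# rules LAN_IF WAN_IF LAN_NET: print one iptables command per line (comments start with #)
rules() {
    lan=$1; wan=$2; net=$3
    cat <<EOF
# drop by default on INPUT and FORWARD; OUTPUT stays open
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
# replies to our own connections (keeps an existing ssh session alive while applying)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP: clients send from 0.0.0.0:68 to port 67, conntrack cannot help here
iptables -A INPUT -i $lan -p udp --sport 68 --dport 67 -j ACCEPT
# DNS for the LAN: dnsmasq/bind answer on UDP, and on TCP for large replies
iptables -A INPUT -i $lan -s $net -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $lan -s $net -p tcp --dport 53 -j ACCEPT
# NTP and ssh from the LAN only
iptables -A INPUT -i $lan -s $net -p udp --dport 123 -j ACCEPT
iptables -A INPUT -i $lan -s $net -p tcp --dport 22 -j ACCEPT
# routing LAN -> Internet, and the answers back
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NAT: rewrite the LAN source addresses to the Internet card's address
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# sysctl_line: the persistent setting for /etc/sysctl.conf
sysctl_line() { echo "net.ipv4.ip_forward = 1"; }

# apply: execute the rules, then turn forwarding on now and at boot. Needs root.
apply() {
    rules "$LAN_IF" "$WAN_IF" "$LAN_NET" | grep -v '^#' | while read -r cmd; do
        $cmd
    done
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf || sysctl_line >>/etc/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1
}

# usage: sh gateway-fw.sh        (print)   |   sh gateway-fw.sh apply   (install, as root)
if [ "${1:-}" = "apply" ]; then
    apply
else
    rules "$LAN_IF" "$WAN_IF" "$LAN_NET"
fi
```

The script does not flush existing chains, so run it on a clean table (iptables -F; iptables -t nat -F) or once at boot; if you apply it over ssh from the LAN, the ESTABLISHED rule is what keeps your session from being cut off by the DROP policy.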

OLD

echo "1" > /proc/sys/net/ipv4/ip_forward

With Debian this is best set permanently in /etc/sysctl.conf, as shown in the NEW part.
