Building a DHCP server with NAT using Debian Lenny

Posted by Dark Training on December 11, 2009 tags: | debian | linux

Below I outline how to build a DHCP server that also provides NAT for its clients. This how-to assumes that you are starting from a totally vanilla Debian install and that you have at least two NICs: eth0 = Public, eth1 = Private (NAT).

First, let's get the packages we are going to need:

# apt-get install dhcp3-server

Now we need to configure our Ethernet settings. We want to set the eth1 NIC to use an internal IP scope.

# nano /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

allow-hotplug eth1
iface eth1 inet static
        address 192.168.0.1
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
# No gateway on eth1: this host is the gateway for 192.168.0.0/24, and its
# own default route comes from eth0 (DHCP).

Now we need to edit the DHCP configuration file to set up the address space for our NAT clients. In the example below, replace the xxx placeholders with the IP addresses of your environment's DNS servers (optional).

# nano  /etc/dhcp3/dhcpd.conf

ddns-update-style none;

option domain-name-servers 192.168.0.1, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx;
option broadcast-address 192.168.0.255;
option ntp-servers 192.168.0.254;

default-lease-time 14400;
max-lease-time 14400;
#authoritative;

log-facility local7;

subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.5 192.168.0.253;
option routers 192.168.0.1;
}

Next, we need to allow IP forwarding; otherwise the NAT clients will not be able to reach an outbound network.

# nano /etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Next, we need to tell the DHCP server which NIC it will be using.

# nano /etc/default/dhcp3-server
INTERFACES="eth1"

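Last, we need to configure iptables to route the traffic correctly. Below is a sample firewall ruleset, in the format read by iptables-restore, that will accomplish this. Note that its INPUT chain accepts only loopback and established traffic, so new connections to the gateway itself are dropped.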

*filter
:INPUT ACCEPT [5072:272211]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8928:529007]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -j DROP


-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [5556:310567]
:POSTROUTING ACCEPT [11:3060]
:OUTPUT ACCEPT [23:3801]

-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
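
The properties this ruleset depends on (a DROP forward policy, reply-only forwarding from the public side, and MASQUERADE bound to the public interface) can be checked mechanically. The following is an added example, not part of the original post; the function name audit_nat_rules and the two sample variables are hypothetical, and the weak ruleset is constructed for contrast.

```shell
# Added example (not from the original post). audit_nat_rules and the
# *_RULES variables are hypothetical names; eth0/eth1 follow the page.
audit_nat_rules() (   # usage: audit_nat_rules RULES PUBLIC_IF PRIVATE_IF
    rules=$1 pub=$2 priv=$3 fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    # 1. FORWARD must default to DROP so only explicit rules route packets.
    printf '%s\n' "$rules" | grep -Eq '^:FORWARD DROP( |$)' ||
        fail "FORWARD policy is not DROP"

    # 2. A FORWARD accept not sourced from the private NIC may only pass
    #    reply traffic (RELATED/ESTABLISHED), never new inbound connections.
    while IFS= read -r line; do
        case $line in "-A FORWARD "*"-j ACCEPT"*) ;; *) continue ;; esac
        case $line in *"-i $priv "*) continue ;; esac
        printf '%s\n' "$line" | grep -Eq -e \
            '--(ct)?state (RELATED,ESTABLISHED|ESTABLISHED,RELATED|ESTABLISHED) ' ||
            fail "unrestricted forward: $line"
    done <<EOF
$rules
EOF

    # 3. MASQUERADE must exist and be bound to the public interface.
    masq=$(printf '%s\n' "$rules" | grep -E '^-A POSTROUTING .*-j MASQUERADE' || true)
    [ -n "$masq" ] || fail "no MASQUERADE rule in POSTROUTING"
    printf '%s\n' "$masq" | grep -Ev -e "-o $pub( |\$)" | grep -q . &&
        fail "MASQUERADE rule without -o $pub"
    [ "$fails" -eq 0 ] && echo "PASS: NAT ruleset for $pub/$priv"
)

# FORWARD and nat rules copied from this page.
PAGE_RULES='*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed weak variant: open policy, open inbound forward, unbound NAT.
WEAK_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -j MASQUERADE
COMMIT'
audit_nat_rules "$PAGE_RULES" eth0 eth1
audit_nat_rules "$WEAK_RULES" eth0 eth1 || true
```

On a live gateway the same function can be fed the output of iptables-save instead of the embedded samples.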

Now all you need to do is either reboot or run the following commands, and you should be good to go!

# /etc/init.d/networking restart; /etc/init.d/dhcp3-server restart;

That's it. If you have supplemental questions on how to configure this, feel free to post them below in the comments and I will try to answer them for you.