[root@Brynhildr] # sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
[root@Brynhildr] # emerge -pvq iptables
[ebuild R ] net-firewall/iptables-1.4.21-r1 USE="ipv6 -netlink -static-libs"
[root@Brynhildr] # emerge -pvq dhcp
[ebuild R ] net-misc/dhcp-4.3.1-r2 USE="client ipv6 server ssl vim-syntax -ldap (-selinux)"
[root@Brynhildr] # emerge -pvq bind
[ebuild R ] net-dns/bind-9.10.1_p1 USE="berkdb caps dlz ipv6 ssl threads -doc -filter-aaaa -fixed-rrset -geoip -gost -gssapi -idn -json -ldap -mysql -nslint -odbc -postgres -python -rpz -seccomp (-selinux) -static-libs -urandom -xml" PYTHON_TARGETS="python2_7 python3_3 -python3_4"
[root@Brynhildr] # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 10.16.0.0/16 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain LOG_AND_DROP (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix "(IPTABLES_DROPPED)"
DROP all -- anywhere anywhere
[root@Brynhildr] # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.16.0.0/16 anywhere
[root@Brynhildr] # cat /etc/dhcp/dhcpd.conf
# ISC dhcpd for the lab /16 behind Brynhildr; served on eth1 only
# (DHCPD_IFACE in /etc/conf.d/dhcpd).
default-lease-time 600;
max-lease-time 1800;
# NOTE(review): "interim" DDNS with no key or zone statements here means dhcpd
# sends unsigned updates, and named.conf's allow-update is address-based only
# (10.16.0.0/16), so any LAN host could rewrite the zone just as easily.
# Prefer a TSIG key shared with BIND on both sides. Newer dhcpd also offers
# "standard" in place of "interim" — confirm for 4.3.1.
ddns-update-style interim;
ddns-domainname "lab.mazgi.net.";
log-facility local7;
# NOTE(review): the INPUT chain listed earlier has no udp/67 rule; ISC dhcpd
# normally receives via a raw (LPF) socket that netfilter does not see, which
# is presumably why this works — confirm rather than rely on it, and do not
# expect a plain-socket DHCP relay to behave the same way.
subnet 10.16.0.0 netmask 255.255.0.0 {
# Only 10.16.1.0-10.16.1.255 is pooled; the rest of the /16 is not handed out
# here. In a /16 the .0 and .255 addresses are valid hosts, but some client
# stacks and NAT boxes mishandle them — consider 10.16.1.1 to 10.16.1.254.
range 10.16.1.0 10.16.1.255;
# Clients resolve through and route via this host (BIND listens on 10.16.0.1).
option domain-name-servers 10.16.0.1;
option domain-name "lab.mazgi.net";
option routers 10.16.0.1;
}
[root@Brynhildr] # cat /etc/bind/named.conf
// BIND 9.10 on the lab gateway: recursive resolver for 10.16.0.0/16 and
// master for the DDNS-updated lab.mazgi.net zone.
// NOTE(review): this acl is declared but never referenced (allow-transfer
// below uses "none" directly); either use it there or drop it.
acl "xfer" {
none;
};
// Who may query, use the cache and recurse: loopback plus the lab LAN.
acl "trusted" {
127.0.0.0/8;
::1/128;
10.16.0.0/16;
};
options {
directory "/var/bind";
pid-file "/run/named/named.pid";
// IPv6 is loopback-only; IPv4 binds loopback and the LAN address 10.16.0.1,
// so nothing listens on the upstream interface. BIND treats repeated
// listen-on statements as cumulative — confirm with a socket listing after
// restart if in doubt.
listen-on-v6 { ::1; };
listen-on { 127.0.0.1; };
listen-on { 10.16.0.1; };
allow-query {
trusted;
};
allow-query-cache {
trusted;
};
allow-recursion {
trusted;
};
// No zone transfers at all; there is only one NS for the zone anyway.
allow-transfer {
none;
};
// "first": try the forwarders, fall back to iterative resolution if they fail.
forward first;
// NOTE(review): the INPUT chain listed earlier accepts only udp dpt:domain and
// has no RELATED,ESTABLISHED rule; unless that listing is abbreviated
// (LOG_AND_DROP shows 2 references but no visible jump), replies from these
// forwarders and TCP/53 fallback for large or truncated answers would be
// dropped — verify on the box.
forwarders {
8.8.8.8; // Google Open DNS
8.8.4.4; // Google Open DNS
};
// Validate with the built-in root trust anchor ("auto"); the forwarders must
// pass DNSSEC records through for this to succeed.
dnssec-enable yes;
dnssec-validation auto;
};
// Everything goes to one rotated file (16 generations of 64M).
logging {
channel default_log {
file "/var/log/named/named.log" versions 16 size 64M;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category default { default_log; };
category general { default_log; };
};
// rndc is loopback-only and authenticated with "rndc-key" from the included
// file. NOTE(review): keep /etc/bind/rndc.key readable only by root and the
// named user — its mode is not shown here.
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};
// Single view for the LAN and localhost; a client matching no view is refused.
view "lab" {
match-clients {
10.16.0.0/16;
localhost;
};
recursion yes;
allow-recursion {
10.16.0.0/16;
localhost;
};
// NOTE(review): dynamic updates are authorised by source address alone, so
// every host on 10.16.0.0/16 (and anything that can spoof that range onto
// eth1) can add or delete records in lab.mazgi.net — the same zone the DHCP
// options point clients at. Prefer `allow-update { key ...; }` or an
// update-policy with a TSIG key shared with dhcpd; the dhcpd.conf shown
// configures no key either.
allow-update {
10.16.0.0/16;
localhost;
};
// Dynamic master: named writes a .jnl journal next to this file, so
// /var/bind/pri must be writable by the named user (permissions not shown).
zone "lab.mazgi.net" {
type master;
file "pri/lab.net.mazgi.lab.zone";
};
};
[root@Brynhildr] # cat /etc/bind/pri/lab.net.mazgi.lab.zone
; Master zone for the lab; named updates it dynamically from dhcpd (see
; allow-update in named.conf). NOTE(review): edit the file only around
; rndc freeze / rndc thaw, otherwise the journal and this file diverge.
$ORIGIN .
$TTL 3600 ; 1 hour
; Owner is written relative to the root origin above, hence no trailing dot.
lab.mazgi.net IN SOA ns1.lab.mazgi.net. root.lab.mazgi.net. (
2015050101 ; serial
3600 ; refresh (1 hour)
3600 ; retry (1 hour)
86400 ; expire (1 day)
3600 ; minimum (1 hour)
)
; NS and MX carry no owner name, so they inherit lab.mazgi.net from the SOA.
; There is a single NS, so refresh/retry/expire matter little here.
NS ns1.lab.mazgi.net.
MX 10 mail.lab.mazgi.net.
$ORIGIN lab.mazgi.net.
; NOTE(review): the 300 s TTL is overridden on the next line before any
; record uses it; one of the two $TTL directives should go.
$TTL 300 ; 5 minutes
$TTL 3600 ; 1 hour
; Both the MX target and the NS resolve to the gateway itself.
mail A 10.16.0.1
ns1 A 10.16.0.1
[root@Brynhildr] # grep -vE '^\s*(#|$)' /etc/conf.d/dhcpd
# OpenRC settings for dhcpd: bind the daemon to the LAN interface only, so it
# neither listens for nor answers DHCP on the upstream side.
DHCPD_IFACE="eth1"
# Start only once eth1 is up and named is running, since new leases trigger
# DDNS updates against the local BIND.
rc_need="net.eth1 named"