Skip to content

Instantly share code, notes, and snippets.

@mazgi
Last active Aug 29, 2015
Embed
What would you like to do?
Linux Router on Gentoo
[root@Brynhildr] # sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
[root@Brynhildr] # emerge -pvq iptables
[ebuild   R   ] net-firewall/iptables-1.4.21-r1  USE="ipv6 -netlink -static-libs" 
[root@Brynhildr] # emerge -pvq dhcp
[ebuild   R   ] net-misc/dhcp-4.3.1-r2  USE="client ipv6 server ssl vim-syntax -ldap (-selinux)" 
[root@Brynhildr] # emerge -pvq bind
[ebuild   R   ] net-dns/bind-9.10.1_p1  USE="berkdb caps dlz ipv6 ssl threads -doc -filter-aaaa -fixed-rrset -geoip -gost -gssapi -idn -json -ldap -mysql -nslint -odbc -postgres -python -rpz -seccomp (-selinux) -static-libs -urandom -xml" PYTHON_TARGETS="python2_7 python3_3 -python3_4" 
[root@Brynhildr] # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  10.16.0.0/16         anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain LOG_AND_DROP (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 1/sec burst 5 LOG level warning prefix "(IPTABLES_DROPPED)"
DROP       all  --  anywhere             anywhere            
[root@Brynhildr] # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.16.0.0/16         anywhere            
[root@Brynhildr] # cat /etc/dhcp/dhcpd.conf
default-lease-time 600;
max-lease-time 1800;

ddns-update-style interim;
ddns-domainname "lab.mazgi.net.";

log-facility local7;

subnet 10.16.0.0 netmask 255.255.0.0 {
  range 10.16.1.0 10.16.1.255;
  option domain-name-servers 10.16.0.1;
  option domain-name "lab.mazgi.net";
  option routers 10.16.0.1;
}
[root@Brynhildr] # cat /etc/bind/named.conf
acl "xfer" {
  none;
};

acl "trusted" {
  127.0.0.0/8;
  ::1/128;
  10.16.0.0/16;
};

options {
  directory "/var/bind";
  pid-file "/run/named/named.pid";

  listen-on-v6 { ::1; };
  listen-on { 127.0.0.1; };
  listen-on { 10.16.0.1; };

  allow-query {
    trusted;
  };

  allow-query-cache {
    trusted;
  };

  allow-recursion {
    trusted;
  };

  allow-transfer {
    none;
  };

  forward first;
  forwarders {
    8.8.8.8;            // Google Open DNS
    8.8.4.4;            // Google Open DNS
  };

  dnssec-enable yes;

  dnssec-validation auto;
};

logging {
  channel default_log {
    file "/var/log/named/named.log" versions 16 size 64M;
    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
  };

  category default { default_log; };
  category general { default_log; };
};

include "/etc/bind/rndc.key";
controls {
  inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

view "lab" {
  match-clients {
    10.16.0.0/16;
    localhost;
  };
  recursion yes;
  allow-recursion {
    10.16.0.0/16;
    localhost;
  };

  allow-update {
    10.16.0.0/16;
    localhost;
  };

  zone "lab.mazgi.net" {
    type master;
    file "pri/lab.net.mazgi.lab.zone";
  };
};
[root@Brynhildr] # cat /etc/bind/pri/lab.net.mazgi.lab.zone
$ORIGIN .
$TTL 3600       ; 1 hour
lab.mazgi.net           IN SOA  ns1.lab.mazgi.net. root.lab.mazgi.net. (
                                2015050101 ; serial
                                3600       ; refresh (1 hour)
                                3600       ; retry (1 hour)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.lab.mazgi.net.
                        MX      10 mail.lab.mazgi.net.
$ORIGIN lab.mazgi.net.
$TTL 300        ; 5 minutes
$TTL 3600       ; 1 hour
mail                    A       10.16.0.1
ns1                     A       10.16.0.1
[root@Brynhildr] # grep -vE '^\s*(#|$)' /etc/conf.d/dhcpd
DHCPD_IFACE="eth1"
rc_need="net.eth1 named"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment