[CentOS] RE: DHCPd Config or HOW-TO on DNS + DHCP + SQUID + Firewall + Router

Seth Bardash seth at integratedsolutions.org
Wed Mar 30 19:27:40 UTC 2005


To the list: 

HOW-TO on DNS + DHCP + SQUID + Firewall + Router

Since this seems to be a recurring topic:

Thought you might be interested in a working setup of a
DNS + DHCP + SQUID + Firewall + Router machine that took
quite an effort to get working but now runs flawlessly.

Don't get discouraged. This takes some time to set up
correctly but once you get through it - it works great!

Remember: tcpdump is your friend!!!!

Anyone having a network internally that needs these
features should continue reading:

We set up a new firewall based on CentOS 3.3. (3.4 should work fine)

We needed it to serve many protocols internally.

The specifications for it are:

NOT Microsoft-based
(We are an MS Partner with all the software, but I wanted something that was
MS-virus-proof)

KDE Graphical Firewall Control
External Internet LAN Port x 1
Internal Networks x 2 (more can be added) -> we used 192.168.0.X and 192.168.1.X
DNS Name Caching Server - internal and external, forward and reverse lookups
DHCP Server that does ddns-update internally
Squid Server
IP Masquerading
Routing between all networks

Hardware:

OLD P3-800 based system (only non-AMD system we run)
3 x Intel Pro 100 NICs (we have a big box of these)
1GB SDRAM
40GB IDE Disk
CDROM Drive
Floppy
Standard PC case with extra cooling and a 400 W power supply.

This hardware is overkill as it never runs above 30% load.
Any machine supported by CentOS with a > 600 MHz CPU and 512 MB of memory should
do.

Software:

CentOS 3.3 full install (lessens the chance of missing packages)

Guarddog firewall RPM for CentOS
(http://centos.hughesjr.com/3/guarddog/RPMS/)
Guidedog router/masquerader RPM for RH9 (works fine)
(http://www.simonzone.com/software/guidedog/guidedog-1.0.0-1_rh9.i386.rpm)

Squid source tarball.

First install CentOS and set it for a KDE graphical boot-up.
    - Turn off all services not used
    - Leave iptables on but turn off ip6tables

Then install Guarddog
Then install Guidedog
Configure both of the above - read the instructions for these carefully.
    - Questions for these should go to the writer or his mail forum
    - Make sure to enable DHCP for eth1 and eth2 BUT NOT eth0 (external LAN NIC)

Make sure you can see the internet from the inside LANs with the clients set
to use static IPs.

NEXT ---

Please read the instructions on how to set up DHCP and bind(DNS) here:

http://integratedsolutions.org/downloads/DHCP-DDNS.txt

Read this multiple times and make sure you understand it!

Cut and paste can be an enemy. Be careful which editor you use.


This setup allows us to have any number of machines on our internal network
automagically connected to each other and the internet, with all the IP
information coming from our firewall / router / masquerader / squid server.

It works for forward and reverse DNS internally for Windows and Linux
clients and servers.

It also speeds up client internet traffic by caching most outside pages.

Install squid per the INSTALL file in the source tarball and
add a startup entry to either chkconfig or rc.local.
We set it to use 5 GB of disk cache and start
automatically at boot time. We used the standard proxy port.

We configured squid using webmin and this works fine.

We added Webmin just to see how well it works: 
It can break DNS and DHCP easily if you are not careful but it was helpful
getting squid working. 

Read up on syslogd and change the config file (or use webmin) to rotate logs
every day and keep 7 to 14 old logs for back checking purposes. This will
limit log size and make it easier to find any problems.

Your mileage may vary.

Standard software disclaimer applies.

If this is helpful drop me an email so I know.

If this needs work drop me an email with specifics.

We will be adding a knowledgebase to our website with complete instructions
for this in the next few weeks.

Best

Seth Bardash

Integrated Solutions and Systems

seth at integratedsolutions.org

719-495-5866

Failure cannot cope with perseverance!
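As an added example (not part of Seth's post, and not taken from the linked DHCP-DDNS.txt), a small audit that catches two of the DHCP mistakes the steps above warn about: dhcpd answering on the external NIC (eth0), and a subnet declaration outside the two internal networks. It reads the Red Hat/CentOS style /etc/sysconfig/dhcpd (DHCPDARGS lists the interfaces dhcpd binds to; when it is empty dhcpd binds every interface) and dhcpd.conf; the sample file contents are constructed here and the interface and network names are the ones from the post.

```python
import ipaddress
import re

# Internal networks and external NIC as described in the post.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/24"),
                 ipaddress.ip_network("192.168.1.0/24")]
EXTERNAL_IF = "eth0"


def dhcpd_interfaces(sysconfig_text):
    """Interfaces named in DHCPDARGS; [] means dhcpd will bind to all of them."""
    m = re.search(r'^\s*DHCPDARGS=\s*"?([^"\n]*)"?', sysconfig_text, re.M)
    return m.group(1).split() if m else []


def declared_subnets(conf_text):
    """Every 'subnet X netmask Y' declaration in dhcpd.conf as an ip_network."""
    pairs = re.findall(r'\bsubnet\s+(\S+)\s+netmask\s+(\S+)', conf_text)
    return [ipaddress.ip_network(f"{net}/{mask}", strict=False) for net, mask in pairs]


def audit(sysconfig_text, conf_text):
    """Return a list of findings; an empty list means the config matches the post's intent."""
    findings = []
    ifaces = dhcpd_interfaces(sysconfig_text)
    if not ifaces:
        findings.append(f"DHCPDARGS unset: dhcpd answers on every interface, including {EXTERNAL_IF}")
    elif EXTERNAL_IF in ifaces:
        findings.append(f"dhcpd is bound to the external interface {EXTERNAL_IF}")
    for sub in declared_subnets(conf_text):
        if not any(sub.subnet_of(n) for n in INTERNAL_NETS):
            findings.append(f"subnet {sub} is not one of the internal networks")
    # Leases only reach bind if dynamic updates are switched on (ISC dhcpd 3.x uses 'interim').
    if not re.search(r'^\s*ddns-update-style\s+(interim|ad-hoc|standard)\s*;', conf_text, re.M):
        findings.append("ddns-update-style missing or 'none': internal DNS will not follow leases")
    return findings


# Constructed sample files (not from the post).
SYSCONFIG_GOOD = 'DHCPDARGS="eth1 eth2"\n'
SYSCONFIG_BAD = 'DHCPDARGS="eth0 eth1 eth2"\n'
CONF_GOOD = """ddns-update-style interim;
subnet 192.168.0.0 netmask 255.255.255.0 { range 192.168.0.100 192.168.0.200; }
subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.100 192.168.1.200; }
"""
CONF_BAD = CONF_GOOD + "subnet 10.0.0.0 netmask 255.255.255.0 { range 10.0.0.10 10.0.0.20; }\n"

if __name__ == "__main__":
    for name, sc, conf in [("good", SYSCONFIG_GOOD, CONF_GOOD), ("bad", SYSCONFIG_BAD, CONF_BAD)]:
        print(name, audit(sc, conf) or "OK")
```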


