tachtler:dhcp_isc_dhc-relay_archlinux
Differences
This shows the differences between two versions.
tachtler:dhcp_isc_dhc-relay_archlinux [2021/07/12 16:12] – [/usr/lib/systemd/system/dhcrelay4.service] klaus | tachtler:dhcp_isc_dhc-relay_archlinux [2022/03/31 05:34] (current) – [Installation] klaus
Zeile 32: | Zeile 32: | ||
Mit nachfolgendem Befehl, wird das Pakete **'' | Mit nachfolgendem Befehl, wird das Pakete **'' | ||
+ | < | ||
+ | # pacman --noconfirm -S dhcp | ||
+ | </ | ||
+ | ++++ Installationsverlauf | | ||
< | < | ||
# pacman --noconfirm -S dhcp | # pacman --noconfirm -S dhcp | ||
</ | </ | ||
+ | ++++ | ||
Mit nachfolgendem Befehl kann überprüft werden, welche Inhalte mit den Paket **'' | Mit nachfolgendem Befehl kann überprüft werden, welche Inhalte mit den Paket **'' | ||
+ | |||
+ | < | ||
+ | # pacman -Qil dhcp | ||
+ | </ | ||
+ | ++++ Installierte Dateien | | ||
< | < | ||
# pacman -Qil dhcp | # pacman -Qil dhcp | ||
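Review bot: `pacman --noconfirm -S dhcp` skips pacman's confirmation prompt, which in a step-by-step install guide hides the dependency and conflict summary the reader should see before installing; `pacman -S dhcp` would show it. Two grammar slips on the context lines of this hunk: `das Pakete` should read `das Paket`, and `mit den Paket` should read `mit dem Paket`.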
Zeile 113: | Zeile 123: | ||
dhcp / | dhcp / | ||
</ | </ | ||
+ | ++++ | ||
===== Dienst/ | ===== Dienst/ | ||
Zeile 198: | Zeile 209: | ||
Type=forking | Type=forking | ||
# DHCP-Relay is only necassary when more than one interface is available. | # DHCP-Relay is only necassary when more than one interface is available. | ||
- | ExecStart=/ | + | ExecStart=/ |
RuntimeDirectory=dhcrelay6 | RuntimeDirectory=dhcrelay6 | ||
PIDFile=/ | PIDFile=/ | ||
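Review bot: the unit-file comment `# DHCP-Relay is only necassary when more than one interface is available.` has a typo, `necassary` should be `necessary`; the changed `ExecStart=` line below it is cut off in this view, so the new command line cannot be checked here.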
Zeile 218: | Zeile 229: | ||
</ | </ | ||
- | :!: **HINWEIS** - Wichtig | + | :!: **HINWEIS** - Wichtig |
<code ini> | <code ini> | ||
ExecStart=/ | ExecStart=/ | ||
Zeile 232: | Zeile 243: | ||
</ | </ | ||
+ | ===== Dienst/ | ||
+ | |||
+ | Um die DHC-Relay Dienste, welche als Dienst/ | ||
+ | < | ||
+ | # systemctl enable dhcrelay4.service dhcrelay6.service | ||
+ | Created symlink / | ||
+ | Created symlink / | ||
+ | </ | ||
+ | |||
+ | Eine Überprüfung, | ||
+ | < | ||
+ | # systemctl list-unit-files --type=service | grep dhcrelay | ||
+ | dhcrelay4.service | ||
+ | dhcrelay6.service | ||
+ | </ | ||
+ | bzw. | ||
+ | < | ||
+ | # systemctl is-enabled dhcrelay4.service dhcrelay6.service | ||
+ | enabled | ||
+ | enabled | ||
+ | </ | ||
+ | |||
+ | ===== iptables/ | ||
+ | |||
+ | Damit der DHC-Relay-Server auch erreichbar ist und nicht die Weitergabe der IP-Address Informationen vom Paketfilter '' | ||
+ | |||
+ | Um die aktuellen '' | ||
+ | < | ||
+ | # iptables -nvL --line-numbers | ||
+ | Chain INPUT (policy DROP 0 packets, 0 bytes) | ||
+ | num pkts bytes target | ||
+ | 1 6 398 ACCEPT | ||
+ | 2 0 0 ACCEPT | ||
+ | 3 0 0 ACCEPT | ||
+ | 4 0 0 ACCEPT | ||
+ | 5 0 0 LOG all -- * * | ||
+ | 6 0 0 REJECT | ||
+ | 7 0 0 REJECT | ||
+ | 8 0 0 REJECT | ||
+ | |||
+ | Chain FORWARD (policy DROP 0 packets, 0 bytes) | ||
+ | num pkts bytes target | ||
+ | 1 0 0 LOG all -- * * | ||
+ | 2 0 0 REJECT | ||
+ | 3 0 0 REJECT | ||
+ | 4 0 0 REJECT | ||
+ | |||
+ | Chain OUTPUT (policy ACCEPT 8 packets, 478 bytes) | ||
+ | num pkts bytes target | ||
+ | </ | ||
+ | |||
+ | Nachfolgende Befehle, fügen folgende '' | ||
+ | * < | ||
+ | * < | ||
+ | und hier die Befehle: | ||
+ | < | ||
+ | # iptables -I INPUT 5 -p udp --dport 67 -j ACCEPT | ||
+ | # iptables -I OUTPUT 1 -p udp --dport 68 -j ACCEPT | ||
+ | </ | ||
+ | |||
+ | Ein erneute Abfrage des '' | ||
+ | < | ||
+ | # iptables -nvL --line-numbers | ||
+ | Chain INPUT (policy DROP 0 packets, 0 bytes) | ||
+ | num pkts bytes target | ||
+ | 1 29 15634 ACCEPT | ||
+ | 2 0 0 ACCEPT | ||
+ | 3 0 0 ACCEPT | ||
+ | 4 0 0 ACCEPT | ||
+ | 5 0 0 ACCEPT | ||
+ | 6 0 0 LOG all -- * * | ||
+ | 7 0 0 REJECT | ||
+ | 8 0 0 REJECT | ||
+ | 9 0 0 REJECT | ||
+ | |||
+ | Chain FORWARD (policy DROP 0 packets, 0 bytes) | ||
+ | num pkts bytes target | ||
+ | 1 0 0 LOG all -- * * | ||
+ | 2 0 0 REJECT | ||
+ | 3 0 0 REJECT | ||
+ | 4 0 0 REJECT | ||
+ | |||
+ | Chain OUTPUT (policy ACCEPT 38 packets, 4765 bytes) | ||
+ | num pkts bytes target | ||
+ | 1 0 0 ACCEPT | ||
+ | |||
+ | Die neuen Zeilen sind an **Position 5 (INPUT)** und **Postition 1 (OUTPUT)** zu sehen, hier nachfolgend zur Verdeutlichung noch einmal dargestellt (**nur relevanter Ausschnitt**): | ||
+ | < | ||
+ | ... | ||
+ | 5 0 0 ACCEPT | ||
+ | ... | ||
+ | 1 0 0 ACCEPT | ||
+ | ... | ||
+ | </ | ||
+ | |||
+ | Um diese '' | ||
+ | < | ||
+ | # / | ||
+ | </ | ||
+ | |||
+ | Nachfolgender Befehl kann dazu verwendet werden, um zu überprüfen, | ||
+ | < | ||
+ | # cat / | ||
+ | # Generated by iptables-save v1.8.7 on Mon Jul 12 16:38:03 2021 | ||
+ | *mangle | ||
+ | :PREROUTING ACCEPT [179:83438] | ||
+ | :INPUT ACCEPT [179:83438] | ||
+ | :FORWARD ACCEPT [0:0] | ||
+ | :OUTPUT ACCEPT [221: | ||
+ | : | ||
+ | COMMIT | ||
+ | # Completed on Mon Jul 12 16:38:03 2021 | ||
+ | # Generated by iptables-save v1.8.7 on Mon Jul 12 16:38:03 2021 | ||
+ | *filter | ||
+ | :INPUT DROP [0:0] | ||
+ | :FORWARD DROP [0:0] | ||
+ | :OUTPUT ACCEPT [221: | ||
+ | -A INPUT -m conntrack --ctstate RELATED, | ||
+ | -A INPUT -p icmp -j ACCEPT | ||
+ | -A INPUT -i lo -j ACCEPT | ||
+ | -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | ||
+ | -A INPUT -p udp -m udp --dport 67 -j ACCEPT | ||
+ | -A INPUT -j LOG --log-prefix " | ||
+ | -A INPUT -p tcp -j REJECT --reject-with tcp-reset | ||
+ | -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable | ||
+ | -A INPUT -j REJECT --reject-with icmp-proto-unreachable | ||
+ | -A FORWARD -j LOG --log-prefix " | ||
+ | -A FORWARD -p tcp -j REJECT --reject-with tcp-reset | ||
+ | -A FORWARD -p udp -j REJECT --reject-with icmp-port-unreachable | ||
+ | -A FORWARD -j REJECT --reject-with icmp-proto-unreachable | ||
+ | -A OUTPUT -p udp -m udp --dport 68 -j ACCEPT | ||
+ | COMMIT | ||
+ | # Completed on Mon Jul 12 16:38:03 2021 | ||
+ | # Generated by iptables-save v1.8.7 on Mon Jul 12 16:38:03 2021 | ||
+ | *nat | ||
+ | :PREROUTING ACCEPT [0:0] | ||
+ | :INPUT ACCEPT [0:0] | ||
+ | :OUTPUT ACCEPT [33:2171] | ||
+ | : | ||
+ | COMMIT | ||
+ | # Completed on Mon Jul 12 16:38:03 2021</ | ||
+ | |||
+ | Um die aktuellen '' | ||
+ | < | ||
+ | # ip6tables -nvL --line-numbers | ||
+ | Chain INPUT (policy DROP 0 packets, 0 bytes) | ||
+ | num pkts bytes target | ||
+ | 1 0 0 ACCEPT | ||
+ | 2 0 0 ACCEPT | ||
+ | 3 0 0 ACCEPT | ||
+ | 4 0 0 ACCEPT | ||
+ | 5 0 0 LOG all * * ::/ | ||
+ | 6 0 0 REJECT | ||
+ | 7 0 0 REJECT | ||
+ | 8 0 0 REJECT | ||
+ | |||
+ | Chain FORWARD (policy DROP 0 packets, 0 bytes) | ||
+ | num pkts bytes target | ||
+ | 1 0 0 LOG all * * ::/ | ||
+ | 2 0 0 REJECT | ||
+ | 3 0 0 REJECT | ||
+ | 4 0 0 REJECT | ||
+ | |||
+ | Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) | ||
+ | num pkts bytes target | ||
+ | |||
+ | Nachfolgende Befehle, fügen folgende '' | ||
+ | * < | ||
+ | * < | ||
+ | und hier die Befehle: | ||
+ | < | ||
+ | # ip6tables -I INPUT 5 -p udp --dport 547 -j ACCEPT | ||
+ | # ip6tables -I OUTPUT 1 -p udp --dport 546 -j ACCEPT | ||
+ | </ | ||
+ | |||
+ | Ein erneute Abfrage des '' | ||
+ | < | ||
+ | # ip6tables -nvL --line-numbers | ||
+ | Chain INPUT (policy DROP 0 packets, 0 bytes) | ||
+ | num pkts bytes target | ||
+ | 1 0 0 ACCEPT | ||
+ | 2 0 0 ACCEPT | ||
+ | 3 0 0 ACCEPT | ||
+ | 4 0 0 ACCEPT | ||
+ | 5 0 0 ACCEPT | ||
+ | 6 0 0 LOG all * * ::/ | ||
+ | 7 0 0 REJECT | ||
+ | 8 0 0 REJECT | ||
+ | 9 0 0 REJECT | ||
+ | |||
+ | Chain FORWARD (policy DROP 0 packets, 0 bytes) | ||
+ | num pkts bytes target | ||
+ | 1 0 0 LOG all * * ::/ | ||
+ | 2 0 0 REJECT | ||
+ | 3 0 0 REJECT | ||
+ | 4 0 0 REJECT | ||
+ | |||
+ | Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) | ||
+ | num pkts bytes target | ||
+ | 1 0 0 ACCEPT | ||
+ | </ | ||
+ | |||
+ | Die neuen Zeilen sind an **Position 5 (INPUT)** und **Postition 1 (OUTPUT)** zu sehen, hier nachfolgend zur Verdeutlichung noch einmal dargestellt (**nur relevanter Ausschnitt**): | ||
+ | < | ||
+ | ... | ||
+ | 5 0 0 ACCEPT | ||
+ | ... | ||
+ | 1 0 0 ACCEPT | ||
+ | ... | ||
+ | </ | ||
+ | |||
+ | Um diese '' | ||
+ | < | ||
+ | # / | ||
+ | </ | ||
+ | |||
+ | Nachfolgender Befehl kann dazu verwendet werden, um zu überprüfen, | ||
+ | < | ||
+ | # cat / | ||
+ | # Generated by ip6tables-save v1.8.7 on Mon Jul 12 16:48:38 2021 | ||
+ | *mangle | ||
+ | :PREROUTING ACCEPT [0:0] | ||
+ | :INPUT ACCEPT [0:0] | ||
+ | :FORWARD ACCEPT [0:0] | ||
+ | :OUTPUT ACCEPT [0:0] | ||
+ | : | ||
+ | COMMIT | ||
+ | # Completed on Mon Jul 12 16:48:38 2021 | ||
+ | # Generated by ip6tables-save v1.8.7 on Mon Jul 12 16:48:38 2021 | ||
+ | *filter | ||
+ | :INPUT DROP [0:0] | ||
+ | :FORWARD DROP [0:0] | ||
+ | :OUTPUT ACCEPT [0:0] | ||
+ | -A INPUT -m conntrack --ctstate RELATED, | ||
+ | -A INPUT -p icmp -j ACCEPT | ||
+ | -A INPUT -i lo -j ACCEPT | ||
+ | -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | ||
+ | -A INPUT -p udp -m udp --dport 547 -j ACCEPT | ||
+ | -A INPUT -j LOG --log-prefix " | ||
+ | -A INPUT -p tcp -j REJECT --reject-with tcp-reset | ||
+ | -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable | ||
+ | -A INPUT -j REJECT --reject-with icmp6-addr-unreachable | ||
+ | -A FORWARD -j LOG --log-prefix " | ||
+ | -A FORWARD -p tcp -j REJECT --reject-with tcp-reset | ||
+ | -A FORWARD -p udp -j REJECT --reject-with icmp6-port-unreachable | ||
+ | -A FORWARD -j REJECT --reject-with icmp6-addr-unreachable | ||
+ | -A OUTPUT -p udp -m udp --dport 546 -j ACCEPT | ||
+ | COMMIT | ||
+ | # Completed on Mon Jul 12 16:48:38 2021 | ||
+ | # Generated by ip6tables-save v1.8.7 on Mon Jul 12 16:48:38 2021 | ||
+ | *nat | ||
+ | :PREROUTING ACCEPT [0:0] | ||
+ | :INPUT ACCEPT [0:0] | ||
+ | :OUTPUT ACCEPT [0:0] | ||
+ | : | ||
+ | COMMIT | ||
+ | # Completed on Mon Jul 12 16:48:38 2021 | ||
+ | </ | ||
+ | |||
+ | ===== DHC-Relay starten ====== | ||
+ | |||
+ | Falls alle voranstehenden Schritte wie beschrieben durchgeführt wurden, **Installation, | ||
+ | < | ||
+ | # systemctl start dhcrelay4.service dhcrelay6.service | ||
+ | </ | ||
+ | |||
+ | ===== DHC-Relay Überprüfung ===== | ||
+ | |||
+ | Ob der DHC-Relay-Server, | ||
+ | < | ||
+ | # ps auxwf | grep dhcrelay | ||
+ | root | ||
+ | dhcp | ||
+ | dhcp | ||
+ | |||
+ | </ | ||
+ | |||
+ | Eine weitere Überprüfung, | ||
+ | * **'' | ||
+ | durchgeführt werden. | ||
+ | |||
+ | Die Ausgabe des **'' | ||
+ | < | ||
+ | # journalctl -u dhcrelay? | ||
+ | Jul 12 16:59:15 vml010 systemd[1]: Starting IPv4 DHCRELAY server... | ||
+ | Jul 12 16:59:15 vml010 systemd[1]: Starting IPv6 DHCRELAY server... | ||
+ | Jul 12 16:59:15 vml010 dhcrelay[64601]: | ||
+ | Jul 12 16:59:15 vml010 systemd[1]: Started IPv6 DHCRELAY server. | ||
+ | Jul 12 16:59:15 vml010 systemd[1]: Started IPv4 DHCRELAY server. | ||
+ | </ | ||
+ | |||
+ | ===== Interface Überprüfung ===== | ||
+ | |||
+ | Ob und an welchen Interfaces das DHC-Relay " | ||
+ | < | ||
+ | # ss -taub | grep -E ' | ||
+ | udp | ||
+ | udp | ||
+ | </ | ||
+ | |||
+ | :!: **HINWEIS** - **Auch bei der Konfiguration __nur__ ein Netzwerk-Interface für eingehende Broadcast-Anfragen zu nutzen, wird immer '' | ||
+ | |||
+ | ===== IP-Adressanfragen Überprüfung ===== | ||
+ | |||
+ | Um die Anfrage einer IP-Adresse zu überprüfen, | ||
+ | < | ||
+ | </ | ||
+ | FIXME |
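Review bot: in the saved ip6tables rule set, `-A INPUT -p icmp -j ACCEPT` selects IP protocol 1 (ICMP), not ICMPv6 (protocol 58, shown by ip6tables-save as `-p ipv6-icmp`), so this rule is unlikely to match any IPv6 traffic and Neighbor Discovery would fall through to the LOG/REJECT rules; it should be recreated with `-p ipv6-icmp` and checked against `ip6tables -nvL`, since the port 547/546 rules alone do not let ICMPv6 through. `-A INPUT -p udp -m udp --dport 67 -j ACCEPT` and its IPv6 counterpart on port 547 accept DHCP on every interface; where the relay only needs to listen on specific client-facing interfaces, an `-i <interface>` match narrows the exposure. The `-I OUTPUT 1` rules are redundant under `Chain OUTPUT (policy ACCEPT ...)` and could be dropped or explained as documentation of intent. Minor: `Postition` should read `Position` (twice), `Ein erneute Abfrage` should read `Eine erneute Abfrage`, and the closing section `IP-Adressanfragen Überprüfung` is added with an empty code block and a FIXME marker, so it ships unfinished.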
tachtler/dhcp_isc_dhc-relay_archlinux.txt · Last modified: 2022/03/31 05:34 by klaus