Thursday, 13 February 2014

IPTABLES MADE EASY :


Netfilter/IPtables

The term Netfilter/iptables can be confusing because of the 'Netfilter' part. The two are related in that iptables is to user space what Netfilter is to kernel space: Netfilter is the packet-filtering framework inside the Linux kernel, and iptables is the user-space tool that lets you customize and configure that firewall.

This tutorial will help you understand iptables basics and a lot more in detail. I did a lot of head scratching to understand iptables and went through many different tutorials before writing this one.

I recommend writing the rules yourself rather than copying them from another setup. This will help you understand how packets traverse the different chains.

Now let's start :

There are three commonly used tables (iptables has others, such as raw, which this tutorial does not use).

FILTER TABLE = This table is used for packet filtering: the ACCEPT/DROP/REJECT decisions.
NAT TABLE = This table is not used for packet filtering; it provides NAT/PAT (address and port translation) and IP masquerading. Only the first packet of a connection is evaluated here; connection tracking applies the same translation to the rest of the connection.
MANGLE TABLE = This table is used to alter packet header fields (for example TTL or TOS) and to mark packets for later matching. Again, this is not used for packet filtering.

The filter table has three built-in CHAINS:

INPUT = packets destined for a local process on this PC
FORWARD = packets routed through this PC (when it acts as a router)
OUTPUT = packets generated by local processes and leaving this PC

The nat and mangle tables have their own built-in chains (PREROUTING, POSTROUTING, OUTPUT and so on), which are used later in this tutorial.

Here are commonly used switches with iptables:

-t = table to operate on (filter if omitted)
-s = source address (host or CIDR network)
-d = destination address
-p = protocol (tcp, udp, icmp, ...)
-i / -o = input / output interface (for example -i lo)
-j = target: the action to take (ACCEPT, DROP, REJECT, or a user-defined chain)
-P = set the default policy of a built-in chain, applied when no rule matches
-A = append a rule to the end of a chain
-I = insert a rule at the top of a chain (or at a given position)
-D = delete a rule from a chain
-R = replace a rule in a chain
-F = flush: delete all rules in the specified chain, or in every chain of the table if none is given (policies and user-defined chains stay)
-L = list the rules of a chain (or of all chains)
-v = verbose (packet and byte counters, interfaces)
-n = numeric: do not resolve IP addresses and ports to names
--line-numbers = show the position of each rule, needed when deleting or inserting by number





Let's start with the practical session:

First, list all rules. Below are the current rules on my test machine, the default RHEL/CentOS 5 ruleset, which sends INPUT and FORWARD traffic to the user-defined chain RH-Firewall-1-INPUT.

[root@test ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4479 5556K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2693 packets, 1098K bytes)
pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
915 958K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
42 7510 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
3298 4568K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
224 22831 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@test ~]#

----------------------------------------------------------------------------------------------------------
The general form of an iptables rule is:
iptables [-t table] -A CHAIN [match options, e.g. -p tcp --dport 22] -j TARGET

Rules in a chain are evaluated top to bottom; the first matching rule decides, and if none matches, the chain's policy applies.

Now I flush all the rules. Note that -F only removes the rules of the filter table: the chain policies and the (now empty) user-defined chain RH-Firewall-1-INPUT remain, as the listing shows. Use -X to delete empty user-defined chains.

[root@test ~]# iptables -F
[root@test ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2697 packets, 1098K bytes)
pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (0 references)
pkts bytes target prot opt in out source destination
[root@test ~]#
----------------------------------------------------------------------------------------------------------
Now let's build our own set of rules.
I want to drop all packets coming in from outside and all packets that would be forwarded through my PC, but allow all traffic leaving it. This is done with chain policies; after that we add rules one by one as needed.
Warning: if you are logged in over SSH, setting the INPUT policy to DROP before the accept rules below exist will cut your session off. Do this at the console, or add the accept rules first and set the policy last.

[root@test ~]# iptables -P INPUT DROP
[root@test ~]# iptables -P FORWARD DROP
[root@test ~]# iptables -P OUTPUT ACCEPT

[root@test ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination

Chain FORWARD (policy DROP)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain RH-Firewall-1-INPUT (0 references)
num target prot opt source destination

Above you can see the DROP policy applied to the INPUT and FORWARD chains.
----------------------------------------------------------------------------------------------------------

With the INPUT policy set to DROP you can no longer even ping your loopback address: replies arriving on lo are inbound packets too, so every service that talks over loopback breaks.

[root@test ~]# ping localhost
PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.

--- localhost.localdomain ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 4999ms

To allow loopback traffic again, add the following rule:
[root@test ~]# iptables -A INPUT -i lo -j ACCEPT

[root@test ~]# ping localhost
PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.089 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.069 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=3 ttl=64 time=0.074 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=4 ttl=64 time=0.070 ms

--- localhost.localdomain ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.069/0.075/0.089/0.011 ms
[root@test ~]#
--------------------------------------------------------------------------------------------------------

The next very important rule allows the replies to connections this host initiated. Without it you cannot browse the web at all: the request leaves through OUTPUT (policy ACCEPT), but the reply is dropped by INPUT. Note in the example below that even name resolution fails ("unknown host"), because the DNS reply is an inbound UDP packet.

Before adding rule :

[root@test ~]# ping google.com
ping: unknown host google.com

After adding the rule (the state match relies on connection tracking: ESTABLISHED matches replies to connections already seen, RELATED matches packets such as ICMP errors or FTP data connections that belong to an existing connection; the ICMP echo reply below is ESTABLISHED):

[root@test ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

[root@test ~]# ping google.com
PING google.com (173.194.36.1) 56(84) bytes of data.
64 bytes from bom04s01-in-f1.1e100.net (173.194.36.1): icmp_seq=1 ttl=56 time=3.27 ms
64 bytes from bom04s01-in-f1.1e100.net (173.194.36.1): icmp_seq=2 ttl=56 time=10.6 ms
64 bytes from bom04s01-in-f1.1e100.net (173.194.36.1): icmp_seq=3 ttl=56 time=3.40 ms
64 bytes from bom04s01-in-f1.1e100.net (173.194.36.1): icmp_seq=4 ttl=56 time=3.10 ms
64 bytes from bom04s01-in-f1.1e100.net (173.194.36.1): icmp_seq=5 ttl=56 time=3.22 ms

--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4142ms
rtt min/avg/max/mdev = 3.106/4.726/10.629/2.953 ms
[root@test ~]#

--------------------------------------------------------------------------------------------------------

Listing all the rules set so far:

[root@test ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy DROP 244 packets, 107K bytes)
num pkts bytes target prot opt in out source destination
1 20 1868 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 63 33303 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 318 packets, 21960 bytes)
num pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (0 references)
num pkts bytes target prot opt in out source destination
[root@test ~]#

--------------------------------------------------------------------------------------------------------
This rule allows inbound connections to a specific port from any source, here TCP port 80 for a web server:

[root@test ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@test ~]#
[root@test ~]#
[root@test ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy DROP 254 packets, 108K bytes)
num pkts bytes target prot opt in out source destination
1 20 1868 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 63 33303 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 326 packets, 22552 bytes)
num pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (0 references)
num pkts bytes target prot opt in out source destination
[root@test ~]#

--------------------------------------------------------------------------------------------------------

[root@test ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Try connecting from any other client PC.

Before adding rule :
amol@amol-Lenovo-G570:~$ telnet 10.0.0.5 22
Trying 10.0.0.5...
telnet: Unable to connect to remote host: Connection timed out

After adding rule :
amol@amol-Lenovo-G570:~$ telnet 10.0.0.5 22
Trying 10.0.0.5...
Connected to 10.0.0.5.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3
^C

[root@test ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy DROP 295 packets, 111K bytes)
num pkts bytes target prot opt in out source destination
1 26 2168 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 63 33303 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 356 packets, 24560 bytes)
num pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (0 references)
num pkts bytes target prot opt in out source destination
[root@test ~]#

--------------------------------------------------------------------------------------------------------

Suppose you want local machines to use your print server (CUPS, port 631) but nobody from the Internet.

Then provide the range of local machines that may reach the print server as follows (for a whole /24 a plain -s 10.0.0.0/24 match does the same; iprange is useful when the range is not a CIDR block):

[root@test ~]#
[root@test ~]# iptables -A INPUT -m iprange --src-range 10.0.0.1-10.0.0.254 -p tcp --dport 631 -j ACCEPT
[root@test ~]# iptables -A INPUT -m iprange --src-range 10.0.0.1-10.0.0.254 -p udp --dport 631 -j ACCEPT
[root@test ~]#
[root@test ~]#
[root@test ~]#
[root@test ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy DROP 346 packets, 115K bytes)
num pkts bytes target prot opt in out source destination
1 28 2359 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 120 39591 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
4 2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 10.0.0.1-10.0.0.254 tcp dpt:631
6 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 10.0.0.1-10.0.0.254 udp dpt:631

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 448 packets, 33705 bytes)
num pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (0 references)
num pkts bytes target prot opt in out source destination
[root@test ~]#

--------------------------------------------------------------------------------------------------------

Now suppose the web server no longer listens on port 80 but on port 8008. The INPUT rule allowing port 8008 is added in the next section.

Redirection of ports :

Suppose your web server no longer works on port 80 and has been moved to port 8008, as above.

Every client would now have to type the port along with the name, as in www.webserver.com:8008.

To avoid this we redirect the port, so that users can type just www.webserver.com rather than memorising www.webserver.com:8008, while the server keeps listening on 8008.

For this we use the nat table, because we are rewriting the destination port of the packet, which the filter table cannot do.

Flow of an incoming packet:

nat table, PREROUTING chain: destination port 80 is rewritten to 8008
routing decision
filter table, INPUT chain: the packet is for a local process, so it goes to INPUT, not FORWARD

Because the rewrite happens in PREROUTING, before the filter table sees the packet, the INPUT rules must allow destination port 8008; the INPUT rule for port 80 is no longer hit by redirected traffic. The FORWARD chain is only traversed by packets routed on to another host. Note also that the nat table only sees the first packet of each connection; connection tracking applies the same translation to the following packets.

Rules added for port redirection. First the nat table policies (ACCEPT is already the default, so these change nothing; shown for completeness):

[root@test ~]# iptables -t nat -P OUTPUT ACCEPT
[root@test ~]# iptables -t nat -P PREROUTING ACCEPT
[root@test ~]# iptables -t nat -P POSTROUTING ACCEPT

[root@test ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy DROP 452 packets, 124K bytes)
num pkts bytes target prot opt in out source destination
1 65 5573 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 152 49657 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
4 2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 10.0.0.1-10.0.0.254 tcp dpt:631
6 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 10.0.0.1-10.0.0.254 udp dpt:631

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 617 packets, 46577 bytes)
num pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (0 references)
num pkts bytes target prot opt in out source destination


[root@test ~]# iptables -t nat -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 2 packets, 511 bytes)
num pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1 packets, 74 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 3 packets, 222 bytes)
num pkts bytes target prot opt in out source destination
[root@test ~]#

--------------------------------------------------------------------------------------------------------

[root@test ~]# iptables -A INPUT -p tcp --dport 8008 -j ACCEPT

[root@test ~]# iptables -L -n -v --line-numbers
Chain INPUT (policy DROP 571 packets, 132K bytes)
num pkts bytes target prot opt in out source destination
1 65 5573 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 178 52216 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 3 180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
4 2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 10.0.0.1-10.0.0.254 tcp dpt:631
6 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 10.0.0.1-10.0.0.254 udp dpt:631
7 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8008

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 670 packets, 55599 bytes)
num pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (0 references)
num pkts bytes target prot opt in out source destination
[root@test ~]#

--------------------------------------------------------------------------------------------------------
Now all traffic directed to port 80 will be redirected to port 8008.

[root@test ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8008
[root@test ~]# iptables -A FORWARD -p tcp --dport 8008 -j ACCEPT

The FORWARD rule is not needed for this redirection: a REDIRECTed packet is delivered locally and traverses INPUT, not FORWARD. It is kept here only because it appears in the saved rule set below. Also note that REDIRECT in PREROUTING affects only packets arriving from other hosts; connections the host makes to its own port 80 pass through the nat OUTPUT chain and would need a separate rule there.

After adding the above rules, iptables-save shows the complete rule set. Note that the filter INPUT rule for port 80 is now dead: redirected packets arrive at INPUT with destination port 8008.


[root@test ~]# iptables-save
# Generated by iptables-save v1.3.5 on Tue Feb 11 00:13:43 2014
*nat
:PREROUTING ACCEPT [100:6782]
:POSTROUTING ACCEPT [63:4662]
:OUTPUT ACCEPT [65:4810]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8008
COMMIT
# Completed on Tue Feb 11 00:13:43 2014
# Generated by iptables-save v1.3.5 on Tue Feb 11 00:13:43 2014
*filter
:INPUT DROP [604:134726]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [708:63493]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m iprange --src-range 10.0.0.1-10.0.0.254 -m tcp --dport 631 -j ACCEPT
-A INPUT -p udp -m iprange --src-range 10.0.0.1-10.0.0.254 -m udp --dport 631 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 8008 -j ACCEPT
COMMIT
# Completed on Tue Feb 11 00:13:43 2014
[root@test ~]#
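The complete rule set built in this section, as an added example (not from the original post) in the form a practitioner would actually deploy it: one iptables-restore file generated by a shell function, plus a loader that checks the syntax first and schedules a rollback so a mistake made over SSH does not lock you out. The ports, the LAN range and the rollback delay are assumed defaults; iptables-restore --test needs a newer iptables than the 1.3.5 shown above. Deliberate differences from the interactive sequence: the dead port-80 INPUT rule is left out, INVALID packets are dropped, inbound ping is allowed, and the chain ends with an explicit REJECT as the original RH-Firewall-1-INPUT chain did.

```shell
#!/bin/sh
# Added example (not from the original post): the tutorial's finished rule set
# as one iptables-restore file, generated by a function, plus a loader that
# guards against locking yourself out of an SSH session.
# Assumptions: ports 22 and 8008, LAN 10.0.0.0/24 and ROLLBACK_SECS are
# illustrative defaults; iptables-restore --test needs iptables newer than 1.3.5.

# build_ruleset [SSH_PORT] [WEB_PORT] [LAN_CIDR]: print a complete rule set.
build_ruleset() {
    ssh_port=${1:-22}
    web_port=${2:-8008}
    lan=${3:-10.0.0.0/24}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port 80 is rewritten to ${web_port} here, before the filter table sees the packet
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports ${web_port}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Order matters: loopback and reply traffic first, so the final REJECT never hits them
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m state --state NEW -j ACCEPT
# No rule for port 80: redirected packets reach INPUT with dport ${web_port}
-A INPUT -p tcp --dport ${web_port} -m state --state NEW -j ACCEPT
# CUPS only from the LAN (same effect as the page's iprange match for a /24)
-A INPUT -s ${lan} -p tcp --dport 631 -j ACCEPT
-A INPUT -s ${lan} -p udp --dport 631 -j ACCEPT
# Explicit reject at the end so clients get an error instead of a silent timeout
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# apply_ruleset [ARGS...]: load the rule set atomically, with a timed rollback.
apply_ruleset() {
    delay=${ROLLBACK_SECS:-120}
    new=$(mktemp) || return 1
    old=$(mktemp) || return 1
    build_ruleset "$@" >"$new"
    # Parse-only check: a typo fails here instead of half-way through loading
    iptables-restore --test "$new" || { rm -f "$new" "$old"; return 1; }
    iptables-save >"$old"
    # Rollback job: if the new rules cut our session off, the old rules return by themselves
    ( sleep "$delay" && iptables-restore <"$old"; rm -f "$old" ) &
    guard=$!
    iptables-restore "$new"
    rm -f "$new"
    echo "rules loaded; if you can still reach the host, run: kill $guard"
}

case "${1:-}" in
    apply) shift; apply_ruleset "$@" ;;
    *)     build_ruleset "$@" ;;
esac
```

Run the script with no arguments to print the rule set, or with apply (as root) to load it; if you can still reach the host afterwards, kill the rollback job it names, otherwise the previous rules return by themselves after the delay.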

--------------------------------------------------------------------------------------------------------

Source NAT and Masquerading :

1) Source NAT (SNAT) is typically used to share a single Internet connection among the computers on a network.
2) The computer attached to the Internet acts as a gateway and uses SNAT to rewrite packets for connections between the internal network and the Internet.
3) The source address of outbound packets is replaced with the address of the gateway's Internet interface.
4) When outside computers respond, they send to the gateway's Internet address; connection tracking maps those replies back to the inside computer, rewrites the destination address, and the gateway forwards them into the internal network.
5) Since SNAT modifies the source addresses and/or ports of packets just before they leave the host, it is performed in the POSTROUTING chain of the nat table.

For example (eth1 is the Internet-facing interface and 203.0.113.10 a placeholder for its static address):

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 203.0.113.10
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

If the gateway has a static IP address, use SNAT with --to-source (SNAT without --to-source is rejected by iptables).
If the gateway gets its address dynamically, use the MASQUERADE target instead: it reads the current address of the outgoing interface and forgets its connections when the interface goes down. Use one or the other, not both.
In either case the gateway must also have IP forwarding enabled (net.ipv4.ip_forward = 1) and FORWARD rules that accept the traffic, since the FORWARD policy in this tutorial is DROP.


Destination NAT :

1) Destination NAT (DNAT) exposes specific services on an internal network to the outside world without connecting the internal computers directly to the Internet.
2) As long as no more than one service is to be exposed on any given port, a single Internet connection (one public IP address) is enough.
3) The gateway redirects connections arriving on the specified ports to the designated internal computers and ports; connection tracking rewrites the return traffic so that it appears to come from the gateway's public address.
4) Since DNAT modifies the destination addresses and/or ports of packets before the routing decision, that is, before they are either delivered to local processes or forwarded to other computers, it is performed in the PREROUTING chain of the nat table.

For example, to forward inbound connections arriving on the gateway's port 80 (HTTP) to an internal web server listening on port 8080 of 192.168.1.3, you could use a rule like this:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:8080

Two more things are needed besides this rule. IP forwarding must be enabled (net.ipv4.ip_forward = 1), and because the filter table sees the packet after translation, the FORWARD chain (policy DROP in this tutorial) must accept traffic to 192.168.1.3 port 8080, not to port 80.
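A gateway rule set for the SNAT and DNAT sections, added here as an example (not from the original post). It fills in what the two sections leave implicit: IP forwarding has to be switched on, and since the FORWARD chain sees the packet after DNAT, its rule must match the internal server's address and port rather than the public port 80. eth1 as the Internet side, eth0 as the LAN side, the 192.168.1.0/24 network and the server 192.168.1.3:8080 are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the gateway rule set the SNAT and
# DNAT sections describe, with the pieces they leave implicit: IP forwarding,
# and FORWARD rules that match the post-DNAT destination.
# Assumptions (placeholders): eth1 = Internet side, eth0 = LAN side,
# 192.168.1.0/24 = LAN, 192.168.1.3:8080 = internal web server.

# build_gateway_ruleset WAN_IF LAN_IF LAN_CIDR SERVER_IP SERVER_PORT
build_gateway_ruleset() {
    wan=$1; lan_if=$2; lan=$3; server=$4; sport=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT: connections to the gateway's port 80 on ${wan} go to the inside server
-A PREROUTING -i ${wan} -p tcp --dport 80 -j DNAT --to-destination ${server}:${sport}
# Masquerade everything leaving via ${wan} (dynamic address; use SNAT --to-source for a static one)
-A POSTROUTING -o ${wan} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Administer the gateway from the LAN side only
-A INPUT -i ${lan_if} -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Forwarded traffic: replies first, then LAN -> Internet, then the published service
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${lan_if} -o ${wan} -s ${lan} -j ACCEPT
# The filter table sees the translated destination, so match ${server}:${sport}, not port 80
-A FORWARD -i ${wan} -o ${lan_if} -d ${server} -p tcp --dport ${sport} -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# enable_forwarding: without this the kernel drops every packet not addressed to itself
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    apply) shift; enable_forwarding && build_gateway_ruleset "$@" | iptables-restore ;;
    *)     build_gateway_ruleset "${1:-eth1}" "${2:-eth0}" "${3:-192.168.1.0/24}" "${4:-192.168.1.3}" "${5:-8080}" ;;
esac
```

Without arguments the script prints the rule set for the placeholder topology; with apply (as root) it enables forwarding and loads the rules. Make the sysctl permanent in /etc/sysctl.conf, otherwise forwarding is off again after a reboot.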

Saturday, 8 February 2014

Kickstart Configuration step by step process :

A kickstart installation can be performed in different ways:

1) HTTP
2) NFS
3) FTP
Here I explain the HTTP method, in a VMware Workstation lab environment.
In a kickstart installation one machine acts as the kickstart server and another is the client being installed. The major steps are:
1) Mount the installation media on the kickstart server
2) Create the kickstart configuration file
3) Boot the client machine from the boot image and pass the boot parameters at the boot prompt



Installation steps :
  1. Let the machine with IP address 10.0.0.5 be the kickstart server. As we are using the HTTP method, make sure Apache is running on the server. If it is not running, start it with the following command.
# /etc/init.d/httpd start
If it is not installed, install it with
# yum install httpd

I am using a VM in VMware to configure kickstart. To create the installation media, attach the CentOS / Red Hat ISO image to the kickstart server (10.0.0.5).

  2. Go to Virtual Machine settings >> select CD/DVD (IDE) >> browse to the ISO image under "Use ISO image file".
We are using the HTTP method, so the contents of the ISO must be reachable under Apache's document root, /var/www/html by default. I created a directory named "kickstart" in /var/www/html and mounted the ISO image there, so the mount point is /var/www/html/kickstart.

  3. Next, build a kickstart file and copy it to /var/www/html/ks/ks.cfg, where the clients will fetch it from during the install. Below is the simple kickstart file I am using. Its root password is an MD5-crypt hash ($1$), which is what the CentOS 5 installer produced; on newer systems use a SHA-512 hash ($6$). Note also that it turns off the firewall and SELinux, which is acceptable in this lab only.


# Kickstart file for a basic install.
install
url --url http://10.0.0.5/kickstart/
lang en_US.UTF-8
keyboard us

# Network configuration of the client during the install (address via DHCP)
network --device eth0 --bootproto dhcp --nameserver 10.0.0.5 --hostname centos
# Root password, pre-hashed (MD5-crypt); never put a plaintext password here
rootpw --iscrypted $1$qZi5T68m$mexD6C3uPJfXGghhrtgNj1

# Firewall: disabled in this lab. To keep it enabled and allow only SSH, use the commented line instead.
#firewall --enabled --port=22:tcp
firewall --disabled

# Authentication and SELinux (disabled in this lab; prefer --enforcing on real systems)
authconfig --enableshadow --enablemd5
selinux --disabled

# Boot loader location
bootloader --location=mbr --driveorder=sda

# Time zone
timezone --utc Asia/Kolkata

# Wipe all partitions on sda and create the layout below (sizes in MB)
clearpart --drives=sda --all --initlabel
part /boot --fstype ext3 --size=100
part / --fstype ext3 --size=5000
part swap --size=1024
part /var --fstype ext3 --size=100 --grow

# Package groups to install; the OpenSSH client and server come with them
%packages
@Core
@Base


The kickstart server is built and the kickstart file is in place; you are ready to boot a client and test the kickstart installation.
  4. To boot the client machine we need a boot image. It is available from the CentOS / Red Hat download page as "netinstall.iso", or from the installation media itself, at /media/CentOS_5.5_Final/images/boot.iso.
  5. Create a new virtual machine and attach boot.iso to it.
     [ Go to Virtual Machine settings >> select CD/DVD (IDE) >> browse to the ISO image under "Use ISO image file" ]
Then boot the client machine from boot.iso; the installer's start screen appears.

  6. Type the following line at the boot prompt. The ip= and netmask= parameters configure the installer's network so it can fetch the kickstart file; the installed system itself uses DHCP, as set in the file.

boot: linux text ks=http://10.0.0.5/ks/ks.cfg ip=10.0.0.8 netmask=255.255.255.0

The installer fetches ks.cfg, partitions the disk and installs the packages without asking further questions.

Once the installation is complete, the client machine asks for a reboot.

Your machine has now been installed and booted using our kickstart server. Enjoy!
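Two helpers for the kickstart file above, added as an example (not from the original post): an audit that flags directives weakening the installed system (firewall or SELinux disabled, a plaintext or non-SHA-2 root password hash, MD5 password hashing), and a generator for a hardened version of the same file. The lab file is reconstructed inline from the listing above; the hardened file uses CentOS 6 and later kickstart syntax (--service=ssh, --passalgo=sha512, %end), and its URL and password hash are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit a kickstart file for
# directives that weaken the installed system, and emit a hardened version.
# Assumptions: the hardened file uses CentOS 6+ kickstart syntax; the URL and
# the root password hash passed to gen_kickstart are placeholders.

# audit_kickstart FILE: print one line per finding.
audit_kickstart() {
    while IFS= read -r line; do
        case "$line" in
            '#'*|'')                    ;;   # comments and blank lines
            firewall*--disabled*)       echo "firewall disabled: $line" ;;
            selinux*--disabled*)        echo "SELinux disabled: $line" ;;
            rootpw*--iscrypted*'$6$'*)  ;;   # sha512-crypt: fine
            rootpw*--iscrypted*'$5$'*)  ;;   # sha256-crypt: acceptable
            rootpw*--iscrypted*)        echo "weak root password hash (not SHA-2 crypt): $line" ;;
            rootpw*)                    echo "plaintext root password: $line" ;;
            authconfig*--enablemd5*)    echo "MD5 password hashing: $line" ;;
        esac
    done <"$1"
}

# count_findings FILE: number of findings, for use in scripts
count_findings() {
    audit_kickstart "$1" | awk 'END { print NR }'
}

# gen_kickstart URL ROOT_HASH: print a hardened kickstart with the same layout.
gen_kickstart() {
    url=$1
    hash=$2
    cat <<EOF
# Hardened kickstart (generated)
install
url --url ${url}
lang en_US.UTF-8
keyboard us
network --device eth0 --bootproto dhcp --nameserver 10.0.0.5 --hostname centos
# SHA-512 crypt hash; generate one with: openssl passwd -6
rootpw --iscrypted ${hash}
# Firewall stays on; only SSH is reachable until the rules are tuned
firewall --enabled --service=ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
bootloader --location=mbr --driveorder=sda
timezone --utc Asia/Kolkata
clearpart --drives=sda --all --initlabel
part /boot --fstype ext4 --size=500
part / --fstype ext4 --size=5000
part swap --size=1024
part /var --fstype ext4 --size=1000 --grow
%packages
@core
@base
%end
EOF
}

# Constructed sample: the lab file from this post, reduced to its directives
WEAK_KS=$(mktemp)
cat >"$WEAK_KS" <<'EOF'
# lab kickstart
install
url --url http://10.0.0.5/kickstart/
network --device eth0 --bootproto dhcp --nameserver 10.0.0.5 --hostname centos
rootpw --iscrypted $1$qZi5T68m$mexD6C3uPJfXGghhrtgNj1
#firewall --enabled --port=22:tcp
firewall --disabled
authconfig --enableshadow --enablemd5
selinux --disabled
%packages
@Core
@Base
EOF

HARD_KS=$(mktemp)
gen_kickstart http://10.0.0.5/kickstart/ '$6$placeholdersalt$placeholderhash' >"$HARD_KS"

echo "findings in lab file: $(count_findings "$WEAK_KS")"
audit_kickstart "$WEAK_KS"
echo "findings in hardened file: $(count_findings "$HARD_KS")"
```

Generate a real SHA-512 hash with openssl passwd -6 and pass it as the second argument. Against the lab file the audit reports four findings; against the generated file, none.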







Wednesday, 5 February 2014

DNS Configuration step by step process :


1) Install the BIND packages:

yum -y install bind bind-chroot bind-utils caching-nameserver

2) Copy the sample configuration shipped with the bind documentation (the one with the views, root hints include and ddns_key block used below) into the chroot, then link it into /etc. The bind-chroot package runs named under /var/named/chroot; keep the paths consistent with your installed bind version, 9.3.6 here.

cp /usr/share/doc/bind-9.3.6/sample/etc/named.conf /var/named/chroot/etc/named.conf
ln -s /var/named/chroot/etc/named.conf /etc/

3) Edit named.conf as needed (listen addresses, allowed clients; the views are added in step 10).

4) Copy the root hints configuration from the same sample directory:

cp /usr/share/doc/bind-9.3.6/sample/etc/named.root.hints /var/named/chroot/etc/

5) Make a symbolic link to it:
ln -s /var/named/chroot/etc/named.root.hints /etc/

6) Copy the root hints zone file from the samples:
cp /usr/share/doc/bind-9.3.6/sample/var/named/named.root /var/named/chroot/var/named/

Alternatively, edit named.root.hints so that it references named.ca (the root hints file already shipped by caching-nameserver) instead of named.root.

7) Also create symbolic links to the files above in their respective places, as in the previous steps.

8) Change the group of all files in /var/named/chroot/var/named/ and /var/named/chroot/etc/ to named, so that the named service can read them:

chgrp named /var/named/chroot/var/named/*
chgrp named /var/named/chroot/etc/*

9) Comment out the key ddns_key block in named.conf, otherwise named will not start: the sample's placeholder secret is not a valid key. Step 13 shows how to generate a real one.

10) Create two views, internal and external, each with its own zone file:

Internal - answers clients on the private network with private IPs
External - answers everyone else with the public IP

Filename : example.com-internal.db  -  forward lookup zone file for the internal view
$TTL 1D
@               IN SOA  test.example.com. root (
                                        1               ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                        IN NS           test.example.com.
@                       IN A            10.0.0.5
test.example.com.       IN A            10.0.0.5
www                     IN CNAME        test.example.com.

Names without a trailing dot are relative to the zone origin, so www here means www.example.com. Writing www.example.com without the final dot would have defined www.example.com.example.com. instead; fully qualified names must end with a dot, as test.example.com. does.


Filename : example.com-external.db  -  forward lookup zone file for the external view
$TTL 1D
@               IN SOA  test.example.com. root (
                                        1               ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                        IN NS           test.example.com.
@                       IN A            64.1.2.3
test.example.com.       IN A            64.1.2.3
www                     IN CNAME        test.example.com.



11) Add the reverse lookup zone to /etc/named.conf below the forward zone, with the zone file 0.0.10.in-addr.arpa.db in /var/named/chroot/var/named/:

Filename : 0.0.10.in-addr.arpa.db
$TTL 1D
@               IN SOA  test.example.com. root (
                                        1               ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                        IN NS           test.example.com.
5                       IN PTR          test.example.com.

The owner name 5 is relative to the origin 0.0.10.in-addr.arpa., so it stands for 5.0.0.10.in-addr.arpa. You can also write the fully qualified name, but then it must end with a dot, 5.0.0.10.in-addr.arpa.; without the trailing dot BIND would append the origin again.

Change the group of this file to named as well.

At this point other client PCs on the same network can resolve names through the server:

dig test.example.com @10.0.0.5

But the same query fails from the server itself, because queries from localhost are answered by the localhost_resolver view, which does not yet know the zone. To fix that, make the changes below.


12) Add the zone definitions to the localhost_resolver view as well, so that forward and reverse lookups also work from localhost.

E.g :
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
        match-clients           { localhost; };
        match-destinations      { localhost; };
        recursion yes;
        # all views must contain the root hints zone:
        // include "/etc/named.root.hints";

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";

        zone "example.com" {
                type master;
                file "example.com-internal.db";
                };
        zone "0.0.10.in-addr.arpa" {
                type master;
                file "0.0.10.in-addr.arpa.db";
                };
};

13) If you want to use the ddns_key block instead of commenting it out, generate a real secret with /usr/sbin/dns-keygen (the tool named in the sample named.conf) and put its output in the key's secret statement.

14) Every time you change the configuration and restart the service, check /var/log/messages to troubleshoot problems. named-checkconf and named-checkzone catch most mistakes before the restart.

15) Whenever you change a zone file, increment the serial number in the SOA record; slaves only transfer the zone when the master's serial is higher than the one they hold.

16) Transfer the zone from the primary DNS server to the secondary. On the master, restrict transfers to the slave's address with allow-transfer { 10.0.0.6; }; in the zone statement (10.0.0.6 is a placeholder for your slave), otherwise anyone can download the whole zone.

17) Install bind on the secondary DNS server.

18) In the secondary's named.conf, define the zone as a slave:

    zone "example.com" {
                type slave;
                masters { 10.0.0.5; };    // the primary's address; adjust to your network
                file "slaves/example.com.db";
    };

19) Allow DNS through iptables on both servers: port 53 UDP and TCP (zone transfers use TCP), rather than stopping the firewall.

20) /etc/init.d/named restart

That's all, you are ready with your DNS server.
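Two checks for the zone files above, added as an example (not from the original post): a lint for the trailing-dot mistake (an owner or target such as www.example.com without a final dot is read relative to the origin, giving www.example.com.example.com.), which also covers MX records the post does not use, and a serial bump of the form YYYYMMDDnn for step 15. The zone file is constructed inline after the post's example.com-internal.db and deliberately contains that mistake; named-checkzone is called only if it is installed.

```shell
#!/bin/sh
# Added example (not from the original post): lint zone files for names that
# lack a trailing dot, and bump the SOA serial in YYYYMMDDnn form.
# The zone file below is constructed from the post's example.com-internal.db.

# lint_zone FILE: flag owner names and CNAME/NS/PTR/MX targets that contain dots
# but no trailing dot; BIND appends the origin to them, which is almost never intended.
lint_zone() {
    awk '
        /^[[:space:]]*;/ || /^[[:space:]]*$/ || /^\$/ { next }   # comments, blanks, $TTL/$ORIGIN
        {
            sub(/;.*$/, "")                                      # strip trailing comment
            type = ""
            if ($0 !~ /^[[:space:]]/ && $1 != "@" && $1 ~ /\./ && $1 !~ /\.$/)
                print FILENAME ":" NR ": owner \"" $1 "\" lacks a trailing dot (read as " $1 ".<origin>)"
            for (i = 1; i < NF; i++) if ($i == "IN") { type = $(i + 1); break }
            target = $NF
            if (type ~ /^(CNAME|NS|PTR|MX)$/ && target ~ /\./ && target !~ /\.$/)
                print FILENAME ":" NR ": " type " target \"" target "\" lacks a trailing dot (read as " target ".<origin>)"
        }' "$1"
}

# next_serial CURRENT YYYYMMDD: today's base + 01, or CURRENT + 1 when the current
# serial is already at or past today's base (many edits in one day, or an old large serial).
next_serial() {
    cur=$1; base=$(( $2 * 100 ))
    if [ "$cur" -lt "$base" ]; then echo $(( base + 1 )); else echo $(( cur + 1 )); fi
}

# bump_serial FILE [YYYYMMDD]: rewrite the number on the SOA line marked "; serial", print the new value.
bump_serial() {
    file=$1; today=${2:-$(date +%Y%m%d)}
    cur=$(awk '/; *serial/ { print $1; exit }' "$file")
    [ -n "$cur" ] || { echo "no '; serial' marker in $file" >&2; return 1; }
    new=$(next_serial "$cur" "$today")
    tmp=$(mktemp) || return 1
    awk -v new="$new" '/; *serial/ && !done { sub(/[0-9]+/, new); done = 1 } { print }' "$file" >"$tmp" \
        && mv "$tmp" "$file"
    echo "$new"
}

# check_zone ZONE FILE: authoritative syntax check, when BIND's tool is present
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then named-checkzone "$1" "$2"
    else echo "named-checkzone not installed; skipped" >&2; fi
}

# Constructed zone file, after the post's example (last line keeps its trailing-dot mistake)
ZONE_FILE=$(mktemp)
cat >"$ZONE_FILE" <<'EOF'
$TTL 1D
@               IN SOA  test.example.com. root (
                                        1               ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                        IN NS           test.example.com.
@                       IN A            10.0.0.5
test.example.com.       IN A            10.0.0.5
www.example.com         IN CNAME        test.example.com.
EOF

lint_zone "$ZONE_FILE"
bump_serial "$ZONE_FILE" 20140205
check_zone example.com "$ZONE_FILE"
```

The lint reports the www.example.com owner (which BIND would read as www.example.com.example.com.), and the bump turns serial 1 into 2014020501; a second bump on the same day gives 2014020502. Run it on the zone files under /var/named/chroot/var/named/ before each restart.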