In my environment I have limited IP addresses, so we’re creating a new network and then allowing one server, the jump server, to sit between these network.\u00a0 To do this, my jump server, aka: jump104 is “dual-homed”.\u00a0 This means it has two network adapters:\u00a0 One on the public network, and one on the internal private network.\u00a0 We are going to make this server a:<\/p>\n
First, we install a brand new Ubuntu 18.04 operating system.\u00a0 When I first set it up, I only had one interface which was configured correctly for the public network.\u00a0 Now I need to modify the network to add the second network configuration.\u00a0 This is done by editing \/etc\/netplan\/01-netcfg.yaml<\/p>\n
We add another stanza below what is already there:<\/p>\n
network:\r\n version: 2\r\n renderer: networkd\r\n ethernets:\r\n ens160:\r\n addresses: [ 172.28.225.138\/23 ]\r\n gateway4: 172.28.224.1\r\n nameservers:\r\n search: [ localhost ]\r\n addresses:\r\n - \"171.36.131.10\"\r\n - \"171.70.168.183\"\r\n ens192:\r\n addresses: [ 10.99.104.1\/24 ]\r\n nameservers:\r\n addresses:\r\n - \"10.99.104.1\"<\/pre>\nTo make sure that we can route traffic from the 104 net, we have to add some rules.\u00a0 This is called IP masquerading or setting up a NAT service.<\/p>\n
First, edit \/etc\/sysctl.d\/99-sysctl.conf and uncomment<\/p>\n
net.ipv4.ip_forward=1<\/pre>\nThen run<\/p>\n
sysctl -p<\/pre>\nNext add the masquerading rules<\/p>\n
iptables -t nat -A POSTROUTING -s 10.99.104.0\/24 -o ens160 -j MASQUERADE\r\niptables -A FORWARD -s 10.99.104.0\/24 -o ens160 -j ACCEPT\r\niptables -A FORWARD -d 10.99.104.0\/24 -m state --state ESTABLISHED,RELATED -i ens160 -j ACCEPT<\/pre>\nHere, the -s is the source of the internal network: 10.99.104.0\/24.\u00a0 The -o is the Internet facing interface, so for my setup it is the ens160<\/p>\n
DNS<\/h2>\n
Next up, we need to make it a DNS slave.<\/p>\n
sudo apt-get install bind9<\/pre>\nIn my setup we are creating a zone called “ccp.cisco.com”\u00a0\u00a0 We have to modify and add a few files.<\/p>\n
\/etc\/bind\/named.conf.local<\/h4>\n
zone \"ccp.cisco.com\" {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 type master;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 file \"\/etc\/bind\/zones\/db.ccp.cisco.com\";\r\n};\r\n\r\nzone \"104.99.10.in-addr.arpa\" {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 type master;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 file \"\/etc\/bind\/zones\/db.10.99.104\";\r\n};<\/pre>\nAbove we added two stanzas.\u00a0 First our new domain and where to do lookups and changes and second the reverse zone:\u00a0 Where to get names from IP addresses.<\/p>\n
\/etc\/bind\/named.conf.options<\/h4>\n
Here we make sure to only listen on our private interface for queries and only allow queries from addresses in our private network.\u00a0 We also specify that any DNS query that we don’t know about (most of them) be forwarded to the master DNS service which can be directed through this server as well.<\/p>\n
options {\r\n directory \"\/var\/cache\/bind\";\r\n\r\n forwarders {\r\n 173.36.131.10;\r\n 171.70.168.183;\r\n };\r\n\r\n listen-on { 10.99.104.1; };\r\n\r\n allow-query { localhost; 10.99.104.0\/24; 172.28.0.0\/16; };\r\n allow-transfer { any; };\r\n dnssec-validation auto;\r\n\r\n auth-nxdomain no; # conform to RFC1035\r\n listen-on-v6 { any; };\r\n};\r\n<\/pre>\n\/etc\/bind\/zones<\/h4>\n
Now we add the addresses to the zone files we listed above.<\/p>\n
db.10.99.104<\/h5>\n
$TTL\u00a0\u00a0\u00a0 604800\r\n@\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 SOA\u00a0\u00a0\u00a0\u00a0 jump104.ccp.cisco.com. root.ccp.cisco.com. (\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Serial\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 604800\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Refresh\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 86400\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Retry\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2419200\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Expire\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 604800 )\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Negative Cache TTL\r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 NS\u00a0\u00a0\u00a0\u00a0\u00a0 jump104.ccp.cisco.com.\r\n\r\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 PTR\u00a0\u00a0\u00a0\u00a0 jump104.ccp.cisco.com.<\/pre>\ndb.sjc.kubam.cisco.com<\/h5>\n
$TTL\u00a0\u00a0\u00a0 604800\r\n@\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 SOA\u00a0\u00a0\u00a0\u00a0 jump104.ccp.cisco.com. root.ccp.cisco.com. (\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Serial\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 604800\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Refresh\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 86400\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Retry\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2419200\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Expire\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 604800 )\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Negative Cache TTL\r\n;\r\n@\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 NS\u00a0\u00a0\u00a0\u00a0\u00a0 localhost.\u00a0\u00a0\u00a0\u00a0\u00a0 ; delete this line\r\n@\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 127.0.0.1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; delete this line\r\n@\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 AAAA\u00a0\u00a0\u00a0 ::1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; delete this line\r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 NS\u00a0\u00a0\u00a0\u00a0\u00a0 jump104.ccp.cisco.com.\r\n\r\njump104.ccp.cisco.com.\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10.99.104.1<\/pre>\nLet’s check that we did it right with:<\/p>\n
sudo named-checkconf<\/pre>\n\/etc\/default\/bind9<\/h4>\n
We are only serving on IPv4, so add the -4 flag to the options<\/p>\n
OPTIONS=\"-4 -u bind\"<\/pre>\nOnce done we can now restart the DNS server and apply changes:<\/p>\n
service bind9 restart<\/pre>\n<\/p>\n
DHCP<\/h2>\n
DHCP is used for dolling out IP addresses to unsuspecting servers that come on the network.\u00a0 This makes setting up IP addressing easy for VMs that pop up in our data center.<\/p>\n
sudo apt-get install isc-dhcp-server<\/pre>\nNow we add the DHCP range.\u00a0 Here we want to create a dynamic range from 10.99.104.100-10.99.104.254.\u00a0 By editing the \/etc\/dhcp\/dhcpd.conf file we can make this happen:<\/p>\n
# dhcpd.conf\r\noption domain-name \"sjc.kubam.cisco.com\";\r\noption domain-name-servers 10.99.104.1;\r\ndefault-lease-time 3600;\r\nmax-lease-time 7200;\r\n\r\nddns-update-style none;\r\nauthoritative;\r\n\r\nsubnet 10.99.104.0 netmask 255.255.255.0 {\r\n option routers 10.99.104.1;\r\n option subnet-mask 255.255.255.0;\r\n option domain-name \"sjc.kubam.cisco.com\";\r\n option domain-name-servers 10.99.104.1;\r\n range 10.99.104.100 10.99.104.254;\r\n}<\/pre>\nBut we want to be sure we only listen and respond to DHCP requests on the internal facing network interface.\u00a0 This is done by editing the \/etc\/default\/isc-dhcp-server<\/p>\n
Since after running ifconfig I see that my internal interface is ens192, I update this file to look as follows:<\/p>\n
INTERFACESv4=\"ens192\"\r\nINTERFACESv6=\"\"<\/pre>\nSince I’m not serving up DHCP for IPV6 then I just leave that blank.\u00a0 To make all these changes take effect I now run:<\/p>\n
service isc-dhcp-server restart<\/pre>\nIt’s funny that I haven’t done this type of configuration since 2005 but some things haven’t changed all that much.<\/p>\n
<\/p>\n
VNC Server<\/h2>\n