© 2025 Ryan Thomas Huff – @NetworkNerd1337. Created with ❤️ using WordPress and Kubio

Linux Administration Deep Dive: Building a Firewall and DDI Server with Linux (Part 4)

April 28, 2025

Welcome to the final installment in our Linux Administration Deep Dive series! We’ve covered a lot of ground so far: Part 1 introduced Linux server administration, Part 2 explored Bash scripting, and Part 3 elevated our skills with Python scripting. If you haven’t checked those out, they’ll provide a strong foundation for what we’re tackling today. In this concluding post, we’ll focus on two practical use cases: using a Linux server as a firewall and setting up a DDI server (DNS, DHCP, and IPAM)—each on separate servers for clarity and best practice.

This installment is crafted for novice-to-intermediate users, breaking down these advanced setups into digestible steps while providing detailed, hands-on examples. We’ll walk through configuring a Linux firewall to secure your network and building a DDI server to manage DNS, DHCP, and IP address allocation. Let’s dive in and put our Linux skills to work!

Use Case 1: Building a Linux Server as a Firewall

A firewall controls network traffic based on predefined rules, protecting your systems from unauthorized access. Using a Linux server as a firewall leverages tools like iptables or nftables to filter traffic, making it a cost-effective and customizable solution.

For novices: Think of a firewall as a security guard for your network—it decides who gets in and who doesn’t. For intermediate users: A Linux firewall offers fine-grained control over traffic, allowing you to shape network behavior for security and performance.

Step 1: Setting Up the Firewall Server

  1. Choose a Distro: Use a lightweight distro like Ubuntu Server or Debian for minimal resource usage.
  2. Network Configuration:
    • The server needs at least two network interfaces: one for the internal network (e.g., eth0) and one for the external network (e.g., eth1).
    • Configure static IPs: # Ubuntu (edit /etc/netplan/01-netcfg.yaml) network: version: 2 ethernets: eth0: addresses: [192.168.1.1/24] eth1: addresses: [10.0.0.1/24] gateway4: 10.0.0.254 Apply with: sudo netplan apply
  3. Enable IP Forwarding:
    • Edit /etc/sysctl.conf: net.ipv4.ip_forward=1
    • Apply the change: sudo sysctl -p

Step 2: Installing and Configuring `iptables`

iptables is a powerful tool for defining firewall rules. Install it:sudo apt install iptables -y # Ubuntu/Debian sudo dnf install iptables -y # CentOS/AlmaLinux

Step 3: Defining Firewall Rules

Let’s create a basic firewall setup to:

  • Allow SSH (port 22) for administration.
  • Allow HTTP/HTTPS (ports 80 and 443) for web traffic.
  • Drop all other incoming traffic.
  • Allow all outgoing traffic.

Here’s the script (firewall.sh):#!/bin/bash # Flush existing rules iptables -F iptables -X # Set default policies iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT # Allow established and related connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow SSH (port 22) iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Allow HTTP and HTTPS (ports 80 and 443) iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT iptables -A FORWARD -p tcp --dport 80 -j ACCEPT iptables -A FORWARD -p tcp --dport 443 -j ACCEPT # Allow loopback traffic iptables -A INPUT -i lo -j ACCEPT # Log and drop everything else iptables -A INPUT -j LOG --log-prefix "IPTABLES-DROP: " iptables -A FORWARD -j LOG --log-prefix "IPTABLES-DROP: " # Save the rules iptables-save > /etc/iptables/rules.v4

Make it executable and run:chmod +x firewall.sh sudo ./firewall.sh

Step 4: Persisting Rules

Install iptables-persistent to save rules across reboots:sudo apt install iptables-persistent -y

The rules are already saved to /etc/iptables/rules.v4 by the script.

Step 5: Testing the Firewall

  • Test SSH access: ssh user@192.168.1.1
  • Test web access from a client behind the firewall: curl http://example.com
  • Check logs for dropped packets: sudo tail -f /var/log/syslog | grep IPTABLES-DROP

For intermediate users: Explore nftables as a modern alternative to iptables, or add NAT rules for masquerading:iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Use Case 2: Setting Up a DDI Server (DNS, DHCP, and IPAM)

A DDI server integrates DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol), and IPAM (IP Address Management) to manage network services efficiently. We’ll use a separate Linux server for this setup, with BIND for DNS, ISC DHCP Server for DHCP, and a Python script for basic IPAM.

For novices: A DDI server is like a network librarian—it keeps track of addresses and names so devices can talk to each other. For intermediate users: Centralizing DNS, DHCP, and IPAM improves network management and scalability.

Step 1: Setting Up the DDI Server

  • Choose a Distro: Use Ubuntu Server for its ease of use.
  • Network Configuration:
    • Assign a static IP (e.g., 192.168.2.1/24): # Edit /etc/netplan/01-netcfg.yaml network: version: 2 ethernets: eth0: addresses: [192.168.2.1/24] gateway4: 192.168.2.254 nameservers: addresses: [8.8.8.8] Apply with: sudo netplan apply

Step 2: Configuring DNS with `BIND`

  1. Install BIND: sudo apt install bind9 bind9utils -y
  2. Configure BIND:
    • Edit /etc/bind/named.conf.local to define a zone: zone "example.local" { type master; file "/etc/bind/db.example.local"; };
    • Create the zone file (/etc/bind/db.example.local): $TTL 604800 @ IN SOA ns1.example.local. admin.example.local. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; @ IN NS ns1.example.local. ns1 IN A 192.168.2.1 server IN A 192.168.2.10
  3. Restart BIND: sudo systemctl restart bind9
  4. Test DNS: nslookup server.example.local 192.168.2.1 Expected output: Server: 192.168.2.1 Address: 192.168.2.1#53 Name: server.example.local Address: 192.168.2.10

Step 3: Configuring DHCP with `ISC DHCP Server`

  1. Install the DHCP Server: sudo apt install isc-dhcp-server -y
  2. Configure the DHCP Server:
    • Edit /etc/dhcp/dhcpd.conf: subnet 192.168.2.0 netmask 255.255.255.0 { range 192.168.2.100 192.168.2.200; option routers 192.168.2.1; option domain-name-servers 192.168.2.1; option domain-name "example.local"; }
    • Specify the interface in /etc/default/isc-dhcp-server: INTERFACESv4="eth0"
  3. Restart the DHCP Server: sudo systemctl restart isc-dhcp-server
  4. Test DHCP:
    • On a client in the 192.168.2.0/24 network, request an IP: sudo dhclient eth0
    • Check the lease on the server: cat /var/lib/dhcp/dhcpd.leases

Step 4: Implementing IPAM with a Python Script

IPAM tracks IP address usage. We’ll create a simple Python script to log DHCP leases and visualize IP allocation.

  1. Install Required Libraries: pip3 install tabulate
  2. Create the IPAM Script (ipam.py): #!/usr/bin/env python3 from tabulate import tabulate import re import os leases_file = "/var/lib/dhcp/dhcpd.leases" ip_data = [] # Parse the leases file if not os.path.exists(leases_file): print(f"Error: {leases_file} not found.") exit(1) with open(leases_file, "r") as f: lease_block = "" for line in f: lease_block += line if "}" in line: ip_match = re.search(r"client-hostname \"(.*?)\";", lease_block) mac_match = re.search(r"hardware ethernet (.*?);", lease_block) ip_match2 = re.search(r"fixed-address (.*?);", lease_block) if ip_match and mac_match: hostname = ip_match.group(1) mac = mac_match.group(1) ip = ip_match2.group(1) if ip_match2 else "Dynamic" ip_data.append([ip, hostname, mac]) lease_block = "" # Display IP allocation print(tabulate(ip_data, headers=["IP Address", "Hostname", "MAC Address"], tablefmt="grid"))
  3. Run the Script: chmod +x ipam.py sudo ./ipam.py Example output: +--------------+------------+-------------------+ | IP Address | Hostname | MAC Address | +==============+============+===================+ | 192.168.2.100| client1 | 00:1A:2B:3C:4D:5E | +--------------+------------+-------------------+

Step 5: Integrating DNS, DHCP, and IPAM

  • Ensure DHCP clients use the DNS server (option domain-name-servers 192.168.2.1 in dhcpd.conf).
  • Use the IPAM script to monitor IP usage and update DNS records manually or automate with a script: # Example: Add a new DNS record echo "client1 IN A 192.168.2.100" | sudo tee -a /etc/bind/db.example.local sudo systemctl reload bind9

Wrapping Up the Series

In this final installment, we’ve built two powerful Linux servers: a firewall to secure your network and a DDI server to manage DNS, DHCP, and IP addresses. These use cases demonstrate how Linux’s flexibility can solve real-world problems, tying together the skills we’ve developed throughout this series. These are two basic examples of very useful applications of Linux. If you’d like to explore a more in-depth looks at these use-cases of Linux, let me know in the comments!

For novices: Start with the firewall setup on a virtual machine to practice safely, then experiment with the DDI server in a small test network. For intermediate users: Enhance the firewall with advanced iptables rules (e.g., rate limiting) or automate DNS updates with a Python script using paramiko to manage the BIND server remotely.

This series has taken us from Linux server basics to scripting with Bash and Python, and now to advanced use cases like firewalls and DDI servers. I hope you’ve found it valuable and feel empowered to tackle your own Linux projects. Have a setup you’d like to share or questions about these configurations? Let me know in the comments below!

Thank you for joining me on this deep dive into Linux administration. Keep exploring, and happy administering!

Tags:

Previous
Next

Comments are closed

Latest Comments

No comments to show.

Let’s build something awesome together!

Get in touch with me via Linkedin or contact me at https://ryanthomashuff.com!

© 2025 Ryan Thomas Huff – @NetworkNerd1337