Kea DHCP Server

Posted on Jul 4, 2024

Quick info

DHCP Server uses 67/UDP on the server side and 68/UDP on the client side.

Before you begin

Static IP

/etc/netplan/00-installer-config.yaml

# Static IPv4 settings for enp0s3; the DHCP client is disabled on this interface.
# NOTE(review): the Kea configuration later on this page listens on enp0s8 and
# serves 192.168.11.0/24. That interface is not configured here and presumably
# needs its own static address in that subnet - confirm.
network:
  ethernets:
    enp0s3:
      dhcp4: no
      addresses:
        - 192.168.1.120/24
      routes:
        - to: default
          via: 192.168.1.1
      nameservers:
        # Resolvers used by this host itself.
        addresses: [8.8.8.8, 8.8.4.4]

  version: 2
sudo netplan apply

Configure Firewall

# IPv4 filter table in iptables-restore format. Rules are evaluated top to
# bottom, so the DROP rules below only see packets that the earlier ACCEPT
# rules did not already match. IPv6 traffic is not covered by this file.
*filter

## Default policy: drop inbound packets that no rule below accepts
-P INPUT DROP

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# NETWORK/24 is a placeholder for the trusted subnet. As written, the rule
# accepts new connections from that subnet on every port and protocol.
# NOTE(review): consider narrowing it to the ports actually used to
# administer this host.
-A INPUT -s NETWORK/24 -m state --state NEW -j ACCEPT

## DROP ICMP timestamp requests (type 13)
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP

## DROP NULL scan (no TCP flags set)
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

## DROP Xmas scan (all TCP flags set)
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP

# FIN+PSH+URG only, then flag pairs that do not occur together in normal
# traffic (FIN+SYN, SYN+RST, FIN+RST).
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP

## DROP FIN scan: FIN, PSH or URG set without ACK
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

## Ping access: ICMP echo requests (type 8) are accepted from any source
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

## TCP/UDP access
# Template for opening a TCP port; PORTNUMBER is a placeholder.
#-A INPUT -p tcp -m tcp --dport PORTNUMBER -j ACCEPT
# DHCP server port. Clients without a lease send from 0.0.0.0 to the broadcast
# address, so the NETWORK/24 rule above does not match them.
# NOTE(review): this rule accepts 67/UDP on every interface. The Kea
# configuration on this page listens on enp0s8 only, so adding "-i enp0s8"
# would keep the port closed on the other interfaces - confirm the name.
-A INPUT -p udp -m udp --dport 67 -j ACCEPT

## Do not send ICMP timestamp replies (type 14)
-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP

## Logging
# Disabled. If enabled, it logs packets that reach the end of the INPUT chain,
# i.e. those about to be dropped by the default policy.
# NOTE(review): consider adding a rate limit before enabling it on a busy
# segment.
#-A INPUT -j LOG --log-tcp-options --log-ip-options

COMMIT
# Reload the rules now and load them again at boot.
# NOTE(review): this assumes a systemd unit named "iptables" that reads the
# rules file above. The page does not show how that unit was set up, and stock
# Debian/Ubuntu systems usually persist rules through netfilter-persistent
# instead - confirm. If the unit is missing, the rules are not applied.
sudo systemctl restart iptables
sudo systemctl enable iptables

Check that the rules are loaded:

sudo iptables -nL

Install

Update the repositories and install Kea DHCP Server:

sudo apt update
sudo apt install -y kea

Config file

sudo mv /etc/kea/kea-dhcp4.conf /etc/kea/kea-dhcp4.conf.bak

/etc/kea/kea-dhcp4.conf

// Kea DHCPv4 server configuration (JSON with comments, which Kea accepts).
{
"Dhcp4": {
    // Listen for DHCP traffic on enp0s8 only.
    // NOTE(review): this interface needs an address inside the subnet declared
    // under "subnet4" below - confirm.
    "interfaces-config": {
        "interfaces": ["enp0s8"]

        // Optional: switch from the default raw socket to a UDP socket. If this
        // line is enabled, add a comma after the "interfaces" entry above.
        // NOTE(review): with the default raw socket type, packets are generally
        // read below the iptables INPUT chain, so do not treat the firewall
        // rule for 67/UDP as the only access control for the DHCP service -
        // confirm for your Kea version.
        // "dhcp-socket-type": "udp"
    },

    // Local management channel (UNIX domain socket).
    // NOTE(review): /tmp is world-writable, and this channel accepts commands
    // that read and change the server configuration. Prefer a socket path in
    // a directory that only root and the Kea service account can access (for
    // example the service's runtime directory) - confirm the path and its
    // permissions on your system.
    "control-socket": {
        "socket-type": "unix",
        "socket-name": "/tmp/kea4-ctrl-socket"
    },

    // Leases are held in memory and persisted to a CSV file. "lfc-interval"
    // is the lease file cleanup period in seconds.
    "lease-database": {
        "type": "memfile",
        "persist": true,
        "name": "/var/lib/kea/kea-leases4.csv",
        "lfc-interval": 3600
    },

    // How expired leases are reclaimed and how long they are kept afterwards.
    "expired-leases-processing": {
        "reclaim-timer-wait-time": 10,
        "flush-reclaimed-timer-wait-time": 25,
        "hold-reclaimed-time": 3600,
        "max-reclaim-leases": 100,
        "max-reclaim-time": 250,
        "unwarned-reclaim-cycles": 5
    },

    // Lease timers in seconds: renew (T1), rebind (T2), total lease lifetime.
    "renew-timer": 900,
    "rebind-timer": 1800,
    "valid-lifetime": 3600,

    // Global options sent to every client: the DNS resolvers to use.
    "option-data": [
        {
            "name": "domain-name-servers",
            "data": "8.8.8.8, 8.8.4.4"
        }

    ],

    // The served subnet, its dynamic address pool and the default gateway
    // handed to clients.
    "subnet4": [
        {
            "subnet": "192.168.11.0/24",

            "pools": [ { "pool": "192.168.11.50 - 192.168.11.99" } ],

            "option-data": [
                {
                    "name": "routers",
                    "data": "192.168.11.1"
                }
            ]

        }
    ],

    // Server log written to a file at INFO severity.
    // NOTE(review): this log is the main record of which client was given
    // which address; make sure it is rotated and retained long enough for
    // incident response, and that /var/log/kea is not world-readable - confirm.
    "loggers": [
    {
        "name": "kea-dhcp4",
        "output_options": [
            {
                "output": "/var/log/kea/kea-dhcp4.log"

            }
        ],
        "severity": "INFO",

        "debuglevel": 0
    }
  ]
}
}

Validation check:

sudo kea-dhcp4 -t /etc/kea/kea-dhcp4.conf

Start the service and check its status:

sudo systemctl start kea-dhcp4-server.service
sudo systemctl status kea-dhcp4-server.service