complete rhce doc

Post on 19-Nov-2014


DESCRIPTION

Everything you need about Red Hat Linux

TRANSCRIPT

RHCE (Red Hat Certified Engineer)

Session 1

M. A. Agheli

History of UNIX & Linux

1957: Bell Labs found they needed an operating system; at the time their machines were running various batch jobs.
1965: Bell Labs, MIT and General Electric start Multics (Multiplexed Information and Computing Service).
1969: In the summer of 1969 UNIX is developed at AT&T Bell Labs.
1975: The Sixth Edition of UNIX is released in May 1975.
1983: The GNU project is announced (development starts in 1984; the Free Software Foundation follows in 1985).
1991: Linux is introduced by Linus Benedict Torvalds, then a second-year Computer Science student at the University of Helsinki.
1993: NetBSD and FreeBSD are released.
1994: Red Hat Linux is introduced.

First Article About Linux

From: torvalds@klaava.Helsinki.FI (Linus Benedict Torvalds)
Newsgroups: comp.os.minix
Subject: What would you like to see most in minix?
Summary: small poll for my new operating system
Message-ID: <1991Aug25.205708.9541@klaava.Helsinki.FI>
Date: 25 Aug 91 20:57:08 GMT
Organization: University of Helsinki

Hello everybody out there using minix -

I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones. This has been brewing since april, and is starting to get ready. I'd like any feedback on things people like/dislike in minix, as my OS resembles it somewhat (same physical layout of the file-system (due to practical reasons) among other things).

I've currently ported bash(1.08) and gcc(1.40), and things seem to work. This implies that I'll get something practical within a few months, and I'd like to know what features most people would want. Any suggestions are welcome, but I won't promise I'll implement them :-)

Linus (torvalds@kruuna.helsinki.fi)

PS. Yes - it's free of any minix code, and it has a multi-threaded fs. It is NOT portable (uses 386 task switching etc), and it probably never will support anything other than AT-harddisks, as that's all I have :-(.

GNU & GPL

GNU Project: focused on creating a Unix-like operating system that could be freely distributed.

GPL: the GNU General Public License (a "copyleft" license: derived works must be distributed under the same terms).

Major Linux Distributors

Caldera Linux, Corel Linux, Debian Linux, Kondara Linux, Red Hat Linux, Mandrake Linux, Slackware Linux, SuSE Linux, Turbo Linux, Vector Linux

The Advantages of Linux

Low purchase cost
Open Source Software (OSS)
UNIX heritage
Multi-user
Scalability
Vendor support
Reliable uptime
Security
Logging system
…

The Disadvantages of Linux

Steep learning curve
Hardware support
End-user applications

A Comparison of Win 9x, NT, and Linux

Feature                   Win 9x      Win NT    Linux
Scalability               Poor        Good      Good
Desktop App. Support      Excellent   Good      Good
Enterprise App. Support   None        Good      Good
Hardware Support          Excellent   Good      Good
Licensing Cost            Good        Poor      Excellent
Network Performance       Good        Good      Excellent
Security                  Poor        Good      Good

Linux Filesystem Hierarchy

/bin    Essential binary files
/boot   Boot loader files (and the kernel)
/dev    Device files
/etc    Configuration files
/home   User home directories
/lib    Shared libraries and kernel modules
/mnt    Mount point for temporarily mounted filesystems
/proc   System information (virtual filesystem)
/root   Home directory of the root user
/sbin   Essential system binaries
/tmp    Temporary files (world-writable, so it carries the sticky bit: users can only delete their own files)
/usr    Shareable, read-only data: user programs, libraries, documentation
/var    Variable data: logs, spools, caches, mail

Session 2

Installing Linux

Hardware requirements
Hard disk partitioning
Boot loader
Install packages
X configuration

Overview of the Installation Process

1. Starting the installation process: installation mode, language, keyboard, mouse
2. Partitioning
3. Boot loader installation
4. Network configuration
5. Setting the time zone
6. Firewall configuration
7. Specifying authentication options (optional)
8. Specifying user accounts
9. Selecting packages
10. Installing packages
11. Creating a boot disk
12. Configuring the X Window System (optional)

Installing Linux: Consoles & Message Logs

Console  Keystrokes   Contents
1        Ctrl+Alt+F1  Text-based installation procedure
2        Ctrl+Alt+F2  Shell prompt
3        Ctrl+Alt+F3  Messages from the installation program
4        Ctrl+Alt+F4  Kernel messages
5        Ctrl+Alt+F5  Other messages, including file system creation messages
7        Ctrl+Alt+F7  Graphical installation procedure

Configuring Install-Time Options after Installation

kbdconfig, mouseconfig, timeconfig, sndconfig, netconfig, authconfig, ntsysv, setup, redhat-config-…

Session 3

SHELL

Some important BASH variables: PATH, SHELL, PS1, PS2

bash (Bourne Again Shell), ash, sach, tcsh, mc

PS1, PS2 escape sequences:
\u  user name
\h  host name
\W  basename of the current working directory
\d  date
\t  time (24-hour HH:MM:SS)
\s  name of the shell
\$  "#" when the effective UID is 0 (root), otherwise "$"

Some Linux Commands (1)

echo, man, help, info, ls, cat, tac, cp, mv, rm, cd, touch, pwd, mkdir, rmdir, clear, alias, less, date, logout, exit, reboot, halt

Session 4

BASH

• TAB key features (completion)
• Review pages & commands

Quoting in BASH: "value" (variables and command substitutions inside are expanded), 'value' (taken literally), `value` (command substitution; $(value) is the modern equivalent)

Redirection operators: >  >>  |  <  <<

Standard input & standard output: stdin is file descriptor 0, stdout is 1, stderr is 2

Important Command Forms

cmd
cmd &                run in the background (fg, Ctrl+Z, bg)
cmd1 ; cmd2          run cmd1, then cmd2
(cmd1 ; cmd2)        run both in a subshell
cmd1 `cmd2`          the output of cmd2 becomes arguments of cmd1
cmd1 | cmd2          pipe: stdout of cmd1 is stdin of cmd2
cmd1 && cmd2         run cmd2 only if cmd1 succeeds (exit status 0)
cmd1 || cmd2         run cmd2 only if cmd1 fails
{ cmd1 ; cmd2 ; }    group in the current shell (the ";" before "}" is required)
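The following is an added example, not part of the original slides, that exercises the descriptor numbers, redirection operators and command forms listed above in working bash: it captures stderr separately from stdout, shows why the order of 2>&1 and >/dev/null matters, and shows how &&, || and pipelines report exit status. Function names are illustrative.

```bash
#!/bin/bash
# Added example (not from the original slides): fd numbers, redirection
# order and exit status in the compound command forms listed above.

# Write one line to stdout (fd 1), one to stderr (fd 2), exit with $2.
say() {
    printf 'out: %s\n' "$1"
    printf 'err: %s\n' "$1" >&2
    return "${2:-0}"
}

# Keep only stderr: "2>&1" first duplicates fd 2 onto the current fd 1
# (the pipe), then ">/dev/null" moves fd 1 away.  Redirections apply
# left to right, so the reverse order would silence everything.
only_stderr() {
    say "$1" 2>&1 >/dev/null
}

# Exit status of a command whose output we do not want to see.
exit_status_of() {
    if say "$1" "$2" >/dev/null 2>&1; then
        printf '0'
    else
        printf '%s' "$?"
    fi
}

# cmd1 && cmd2 || cmd3: cmd2 runs only when cmd1 succeeds; cmd3 runs
# when the part before it failed.  Here cmd2 is made to fail.
chain() {
    say first 0 >/dev/null 2>&1 && say second 1 >/dev/null 2>&1 || printf 'second failed'
}

# A pipeline reports the status of its LAST command only: "false | true"
# is a success unless "set -o pipefail" is in effect (bash).
pipeline_status() {
    false | true
    printf '%s' "$?"
}

# "<<" feeds a here-document on stdin, ">" truncates, ">>" appends.
write_and_count() {
    tmp=$(mktemp)
    cat > "$tmp" <<EOF
line one
line two
EOF
    echo "line three" >> "$tmp"
    wc -l < "$tmp" | tr -d ' '
    rm -f "$tmp"
}

# $(cmd2) is the modern spelling of `cmd2`: its output becomes arguments.
arg_count_from_substitution() {
    set -- $(printf 'a b c')
    printf '%s' "$#"
}

printf 'stderr only: %s\n' "$(only_stderr demo)"
printf 'status of a failing command: %s\n' "$(exit_status_of demo 3)"
```

The pipeline_status case is the one that bites in scripts: a failing command in the middle of a pipeline is invisible to `set -e` unless `set -o pipefail` is also in effect.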

Linux File Types

Type              Symbol  Description
Normal            -       Normal (regular) file
Directory         d       Normal directory
Hard link         -       A second directory entry for the same inode; it shows as a regular file, with a link count greater than 1 in ls -l
Symbolic link     l       Shortcut to a file or directory
Socket            s       Passes data between two processes
Named pipe        p       Like sockets; users can't work with them directly
Character device  c       Processes character hardware communication
Block device      b       Major & minor numbers for controlling the device
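As an added example that is not part of the original slides, the script below tells the types in the table apart with the shell's own test(1) operators and shows why a hard link is not a type of its own. It builds its sample objects in a scratch directory (sockets are left out because one needs a live process behind it) and uses GNU stat -c; on a BSD system the equivalent is stat -f.

```bash
#!/bin/bash
# Added example (not from the original slides): tell the file types in the
# table apart with test(1), using the same letters "ls -l" prints.

file_type() {
    # -L must be checked first: every other test follows the symlink and
    # would report the type of the target instead of the link.
    if   [ -L "$1" ]; then printf 'l'
    elif [ -d "$1" ]; then printf 'd'
    elif [ -p "$1" ]; then printf 'p'
    elif [ -S "$1" ]; then printf 's'
    elif [ -b "$1" ]; then printf 'b'
    elif [ -c "$1" ]; then printf 'c'
    elif [ -f "$1" ]; then printf '%s' '-'
    else printf '?'
    fi
}

# A hard link is not a type of its own: it is a second name for the same
# inode, so both names show as "-" and the link count rises to 2.
link_count() { stat -c %h "$1"; }
inode_of()   { stat -c %i "$1"; }
same_inode() { [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; }

# Build a scratch directory holding one object of each creatable type and
# print its path.
make_samples() {
    d=$(mktemp -d)
    : > "$d/regular"
    mkdir "$d/dir"
    ln "$d/regular" "$d/hardlink"
    ln -s regular "$d/symlink"
    mkfifo "$d/fifo"
    printf '%s' "$d"
}

samples=$(make_samples)
for f in regular dir hardlink symlink fifo; do
    printf '%s  %s\n' "$(file_type "$samples/$f")" "$f"
done
printf '%s  /dev/null\n' "$(file_type /dev/null)"
rm -rf "$samples"
```

Checking a path and then opening it is two steps; a symlink can be swapped in between them, which is why privileged programs open with O_NOFOLLOW or operate on an already-open descriptor rather than trusting a test like this one.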

Bash Special Variables

$#   Number of arguments given to the command
$?   Exit status of the last command that ran
$$   Process ID (PID) of the current shell
$!   PID of the last background (child) process
$@   All arguments; written "$@", each one stays a separate word
$*   All arguments; written "$*", they are joined into a single word
$n   Positional argument number n
$0   Name of the current shell or script
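An added example, not from the original slides, that runs through the table above and in particular the difference between "$@", "$*" and unquoted $*; the last one re-splits and globs its arguments, which is how a filename containing a space or a "*" turns into several, or many, arguments. Function names are illustrative.

```bash
#!/bin/bash
# Added example (not from the original slides): the special variables in
# the table, and the difference between "$@", "$*" and unquoted $*.

count_args()  { printf '%s' "$#"; }          # $#
first_arg()   { printf '%s' "${1:-none}"; }  # $n with n=1

# Bracket each argument so we can see where the words were split.
show_each() { for a in "$@"; do printf '[%s]' "$a"; done; }

with_at()   { show_each "$@"; }   # "$@": every argument survives intact
with_star() { show_each "$*"; }   # "$*": all arguments glued into one word
unquoted()  { show_each $*; }     # $*: re-split on whitespace AND globbed;
                                  # an argument such as "*" would expand to
                                  # the files in the current directory

# $? is the exit status of the last command ("$@" here is any command).
status_of() {
    if "$@" >/dev/null 2>&1; then printf '0'; else printf '%s' "$?"; fi
}

# $! is the PID of the last background job, $$ the PID of the shell itself.
background_pid() {
    sleep 0 &
    child=$!
    wait "$child"
    if [ "$child" -gt 0 ] && [ "$child" -ne "$$" ]; then
        printf 'ok'
    else
        printf 'unexpected'
    fi
}

# $0 is the name the shell or script was invoked as.
script_name() { printf '%s' "${0##*/}"; }

printf '"$@": %s\n' "$(with_at "one two" three)"
printf '"$*": %s\n' "$(with_star "one two" three)"
printf ' $* : %s\n' "$(unquoted "one two" three)"
```

When a script forwards its own arguments to another command, "$@" is the only form that preserves them exactly; the other two silently change what the callee receives.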

Some Linux Commands (2)

Process text streams: sort, cut, head, tail, split, wc, uniq, grep
Redirecting a command's output: tee
Create, monitor & kill processes: ps, pstree, top, kill, killall
Modify process priority: renice

Session 5

Some Linux Commands (3)

Create partitions and filesystems: fdisk, mke2fs, mkfs.*
Maintain the integrity of filesystems: e2fsck, fsck.*, du, df
Filesystem mounting & unmounting: mount, umount, /etc/fstab

Some Linux Commands (4)

Use file permissions: chmod, chown, chgrp, su
Create hard & symbolic links: ln
Find system files: find, locate, which
Using emergency & single-user mode

'vi' Powerful Text Editor

Modes: Insert mode, Normal mode, Command mode

Normal mode:
• dd, n+dd (delete one line / n lines)
• yy, n+yy (copy one line / n lines)
• p (paste after the cursor)
• P (paste before the cursor)
• / (search)
• v (visual: text selection)
• Insert text (i, a, o)
• Delete (x)

Command mode:
• :w (write)
• :q (quit)
• :wq = :x (write and quit)
• :q! (quit without saving)
• :r (read a file in)
• :s/// (substitute)

Session 6

Run Levels

Run level  Definition
0          Halts the system
1          Single-user mode
2          Multi-user mode without networking
3          Multi-user mode with networking
4          Not used (reserved for local definition)
5          Multi-user mode with X-based (graphical) login
6          Reboots the system

init & chkconfig commands
/etc/inittab
/etc/rc.d/init.d & /etc/rc[0123456].d/

Configuring the Boot Loader

LILO: edit /etc/lilo.conf & execute the 'lilo' command (the boot map must be rewritten after every change)
GRUB: edit /boot/grub/grub.conf (read at boot time; no rewrite step)

Administrative Tasks

Manage users, groups & related files: useradd, userdel, groupadd, groupdel, passwd, vipw, vigr; /etc/passwd, /etc/shadow, /etc/skel, /etc/profile, …
Configure and use system log files: /etc/syslog.conf, /etc/logrotate.conf
Scheduling jobs: at & crontab commands
Backup & restore tools: tar, bzip2, gzip

Session 7

Linux Installation and Package Management

Make and install programs from source
RPM (Red Hat Package Manager); verify package signatures with 'rpm --checksig' before installing

Kernel

About the kernel and loadable modules
Manage kernel modules at runtime (/etc/modules.conf)
Reconfigure, build and install a custom kernel

Session 8

Shell Scripts

# Comments
#! Special comment on the first line: the interpreter that runs the script

Assigning a value:

x=y            assigns the literal string "y"
x='$y'         single quotes: assigns the literal string "$y"
x=${y}         same as x=$y
x=\$y          backslash: assigns the literal string "$y"
x=$y           assigns the value of y
x=${y}es       the value of y followed by "es"
x=$yes         the value of the variable "yes" (usually empty), not y followed by "es"
export x y z   make x, y and z available to child processes
export x=$y    assign and export in one step

Shell Scripts: Control Constructs

'read' command
'test' command ( [ ] )
if …; then …; else …; fi
case … in pattern) …;; esac
while …; do …; done
until …; do …; done
for x in …; do …; done
break, continue, exit (for, while, until)
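The following added example, which is not part of the original slides, puts every construct on the slide to work in one small script: it validates "ip port" lines of the kind found in an access list, classifies ports against the privileged range (0-1023), and retries a flaky command with until. The sample input list and the flaky command are constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from the original slides): every construct on the
# slide in one small validator for "ip port" lines, such as an access list.

# for + test: is $1 a dotted-quad IPv4 address?
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# case: classify a TCP/UDP port (0-1023 are privileged: only root binds them).
port_class() {
    case $1 in
        ''|*[!0-9]*) echo invalid ;;
        *) if   [ "$1" -le 1023 ];  then echo privileged
           elif [ "$1" -le 65535 ]; then echo unprivileged
           else echo invalid
           fi ;;
    esac
}

# while + read: count the well-formed "ip port" lines on stdin.
# "continue" skips comments and bad lines, "break" stops at an END marker.
count_valid_lines() {
    n=0
    while read -r ip port _; do
        case $ip in '#'*|'') continue ;; END) break ;; esac
        is_ipv4 "$ip" || continue
        [ "$(port_class "$port")" != invalid ] || continue
        n=$((n + 1))
    done
    printf '%s' "$n"
}

# Constructed sample input for the demonstration.
SAMPLE_LIST='# comment line
192.168.1.10 22
10.0.0.300 80
bad line
172.16.5.5 8080
END
192.168.1.99 443'
count_sample() { printf '%s\n' "$SAMPLE_LIST" | count_valid_lines; }

# until: keep running a command until it succeeds, giving up after 5 tries.
retry_until_ok() {
    tries=0
    until "$@"; do
        tries=$((tries + 1))
        [ "$tries" -lt 5 ] || { printf 'gave up'; return 1; }
    done
    printf 'ok after %s retries' "$tries"
}
# A stand-in for a flaky command: succeeds once READY has counted down to 0.
flaky() { READY=$((READY - 1)); [ "$READY" -le 0 ]; }

printf 'valid lines in sample: %s\n' "$(count_sample)"
READY=3
printf 'retry: %s\n' "$(retry_until_ok flaky)"
```

The octet test rejects anything that is not purely numeric before the numeric comparison runs, so a value like "abc" never reaches test -le, which would otherwise error out rather than return false.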

Session 9

Installing and Configuring X

Basic X Concepts

X client
X server
X protocol
X window manager
X desktop manager
X display manager

Installing X

1. Determine the proper X server
2. Install the proper packages

X server selection: XFree86-*

Installing the packages: freetype, gtk+, XFree86-libs, XFree86-75dpi-fonts, redhat-config-xfree86, XFree86-xfs, XFree86-xdm, XFree86-twm, XFree86-tools, xinitrc

Configuring X

redhat-config-xfree86
xvidtune

Important X Directories & Files

/usr/X11R6/bin
/etc/X11
/etc/X11/XF86Config

Configure and Use PPP

'redhat-config-network-tui' command in text mode
Modem configuration files
kppp command in X Window

Session 10

Network Basics

IP address (network & host portion):
192.168.168.1   = 11000000.10101000.10101000.00000001

Static IP, dynamic IP

Netmask:
255.255.255.0   = 11111111.11111111.11111111.00000000

Network address (IP AND netmask):
192.168.168.0   = 11000000.10101000.10101000.00000000

Broadcast address (IP OR inverted netmask):
192.168.168.255 = 11000000.10101000.10101000.11111111

Classful Addressing System

Network classes:
Class A   1.0.0.0 - 126.255.255.255    (8-bit network part)
Class B   128.0.0.0 - 191.255.255.255  (16-bit network part)
Class C   192.0.0.0 - 223.255.255.255  (24-bit network part)

Reserved IP ranges:
127.0.0.0 - 127.255.255.255    loopback addresses
224.0.0.0 - 239.255.255.255    multicast
240.0.0.0 - 255.255.255.255    reserved, not used

Public & private networks (valid & invalid IPs); the private ranges are not routed on the Internet:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Classless Addressing System (Subnets)

Network address: 192.168.168.0 = 11000000.10101000.10101000.00000000

Netmasks:
255.255.255.0   (/24) = 11111111.11111111.11111111.00000000
255.255.255.128 (/25) = 11111111.11111111.11111111.10000000
255.255.255.192 (/26) = 11111111.11111111.11111111.11000000
255.255.255.224 (/27) = 11111111.11111111.11111111.11100000
255.255.255.240 (/28) = 11111111.11111111.11111111.11110000
255.255.255.248 (/29) = 11111111.11111111.11111111.11111000
255.255.255.252 (/30) = 11111111.11111111.11111111.11111100
255.255.255.254 (/31) = 11111111.11111111.11111111.11111110
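An added example, not part of the original slides, that carries out the netmask arithmetic from the two slides above with nothing but shell integer operations: it derives netmask, network and broadcast addresses from a CIDR "address/prefix" string, counts usable hosts, and prints the dotted-binary form shown on the slides. Function names are illustrative; it generalises the slide's /24 example to any prefix length.

```bash
#!/bin/bash
# Added example (not from the original slides): the netmask arithmetic of
# the slides above, done with shell integer operations on "address/prefix".

ip2int() {   # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '%s' "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
}
int2ip() {   # 32-bit integer -> dotted quad
    printf '%s.%s.%s.%s' "$(( ($1 >> 24) & 255 ))" "$(( ($1 >> 16) & 255 ))" \
                         "$(( ($1 >> 8) & 255 ))"  "$(( $1 & 255 ))"
}
mask_int() { # prefix length -> netmask as an integer (/24 -> 0xffffff00)
    printf '%s' "$(( 0xffffffff & ~((1 << (32 - $1)) - 1) ))"
}

netmask()   { int2ip "$(mask_int "${1#*/}")"; }
# network = IP AND mask
network()   { int2ip "$(( $(ip2int "${1%/*}") & $(mask_int "${1#*/}") ))"; }
# broadcast = IP OR (NOT mask)
broadcast() { int2ip "$(( $(ip2int "${1%/*}") | (0xffffffff & ~$(mask_int "${1#*/}")) ))"; }

usable_hosts() {   # addresses minus network and broadcast (/31 and /32 keep all)
    p=${1#*/}
    if [ "$p" -ge 31 ]; then printf '%s' "$(( 1 << (32 - $p) ))"
    else printf '%s' "$(( (1 << (32 - $p)) - 2 ))"; fi
}

same_subnet() {   # do $1 and $2 share the /$3 network?
    [ "$(network "$1/$3")" = "$(network "$2/$3")" ]
}

bits() {   # dotted quad -> dotted binary, as written on the slides
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    sep=''
    for o in "$@"; do
        b=''; n=$o
        for i in 1 2 3 4 5 6 7 8; do b="$((n & 1))$b"; n=$((n >> 1)); done
        printf '%s%s' "$sep" "$b"; sep='.'
    done
}

for cidr in 192.168.168.1/24 192.168.168.130/25 10.1.1.1/26; do
    printf '%-20s mask %-16s net %-16s bcast %-16s hosts %s\n' "$cidr" \
        "$(netmask "$cidr")" "$(network "$cidr")" "$(broadcast "$cidr")" "$(usable_hosts "$cidr")"
done
printf '%s = %s\n' 192.168.168.1 "$(bits 192.168.168.1)"
```

The same_subnet check is the decision a host makes before every packet: a destination inside its own network is reached directly, anything else goes to the gateway, which is why a wrong netmask shows up as hosts that can ping some neighbours but not others.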

TCP/IP Model (1)

Application protocols
Transport protocols
Internet protocols
Network access protocols

TCP/IP Model (2)

Network access protocols: all functions necessary to access the physical network
Internet protocols: IP (Internet Protocol, connectionless); ICMP (Internet Control Message Protocol)

TCP/IP Model (3)

Transport protocols: TCP (Transmission Control Protocol, connection-based); UDP (User Datagram Protocol, connectionless)
Application protocols: privileged ports (0-1023; only root can bind to them), /etc/services

Types of TCP/IP Services

Stand-alone daemons
xinetd (and its configuration)

Related TCP/IP Commands

ps x
netstat -ap --inet | grep LISTEN   (which processes are listening on which ports)

Controlling TCP/IP Daemons

Start the daemon, stop the daemon, restart the daemon, status of the daemon (service <name> start|stop|restart|status)

Session 11

Configuring the Network

Initializing network hardware: load the related module
Network configuration tools: netconfig, redhat-config-network

Other network tools:
• ifconfig
• ping
• traceroute
• netstat
• tcpdump
• nmap
• tethereal
• iptraf

Network configuration files:
/etc/hosts
/etc/host.conf
/etc/services
/etc/resolv.conf
/etc/sysconfig/network
/etc/sysconfig/network-scripts/*
IP aliasing

Session 12

DHCP

Advantages & disadvantages of DHCP
DHCP server configuration: /etc/dhcpd.conf, /var/lib/dhcp/dhcpd.leases
DHCP client configuration: netconfig command

An Example of dhcpd.conf

ddns-update-style ad-hoc;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.1 192.168.0.25;
    option routers 192.168.0.1;
    option subnet-mask 255.255.255.0;
    option domain-name "domain.com";
    option domain-name-servers 192.168.1.1;
    default-lease-time 21600;
    max-lease-time 43200;

    # we want the nameserver to appear at a fixed address
    host dns1 {
        hardware ethernet 12:34:56:78:AB:CD;
        fixed-address 192.168.0.20;
    }
}

Keep the dynamic range clear of addresses that are assigned statically: as written, both the router (192.168.0.1) and the fixed address of dns1 (192.168.0.20) fall inside the pool.

dhcpd.leases Format

lease 192.168.1.8 {
    starts 3 2004/04/12 09:34:12;
    ends 6 2004/07/15 23:49:57;
    hardware ethernet 00:09:e6:88:0a:05;
}
...

August 2004

NFS

Related daemons: rpc.nfsd, portmap, rpc.mountd
Installation: nfs-utils, portmap

NFS Configuration

Server side:
Edit the /etc/exports file, one export per line:
    PATH  host_list(options)
Run the 'exportfs -r' command (re-exports after editing)
'redhat-config-nfs' command
Name specific hosts or networks in host_list rather than '*', and keep root_squash (the default) so that a remote root is mapped to an unprivileged user.

Client side:
mount -t nfs server:PATH mountpoint
Edit the /etc/fstab file:
    server:PATH  mountpoint  nfs  ro  0 0

SAMBA (1)

Related services: smbd, nmbd
Related packages: samba, samba-common, samba-client

SAMBA (2)

Server configuration: global directives, service (share) directives
Client configuration: smbmount //server/share /mountpoint; smbclient //server/share
Configuration with SWAT

Session 13

TCP/IP Services

[diagram: a client process and a server process, each bound to a port, connected across the network]

1. Server binds to a port and listens
2. Client binds to a port
3. Client connects to the server
4. Server designates a port for the connection
5. Client and server communicate

Remote Login

Telnet server & client (passwords and sessions travel in clear text; avoid it on untrusted networks)
SSH server & client (encrypted and authenticated; the replacement for telnet)

The Apache Web Server

Modules: mod_auth, mod_info, mod_php, mod_include, mod_perl, mod_ssl

Installing Apache

rpm -Uvh httpd-[^d]*.rpm
rpm -Uvh httpd-devel*.rpm   (for building Apache modules)

Basic Configuration

httpd.conf
Section 1: the global environment
Section 2: the main configuration
Section 3: the virtual host configuration

Apache Advanced Configuration

Authentication in Apache
Configure with PHP
Configure with SSL
Configure virtual hosts

Authentication in Apache

Configuring the 'httpd.conf' file:

<Location /dir_name>
    AuthType Basic
    AuthName "NAME"
    AuthUserFile ".htpasswd"
    Require valid-user
</Location>

Create the '/etc/httpd/.htpasswd' file (htpasswd -c /etc/httpd/.htpasswd username; omit -c when adding further users).

A relative AuthUserFile is resolved against ServerRoot (/etc/httpd here); give it an absolute path outside DocumentRoot so the password file can never be served. Basic authentication sends the password base64-encoded, not encrypted, so use it only over SSL.

Configure Apache with PHP

rpm -Uvh php-4*.rpm

Configure Apache with SSL

rpm -Uvh mod_ssl*.rpm

Configure Virtual Hosts

Configuring the '/etc/hosts' file and the 'httpd.conf' file:

<VirtualHost 127.0.0.2>
    ServerAdmin webmaster@vh.com
    DocumentRoot /var/www/html/vh/
    ServerName www.vh.com
</VirtualHost>

Apache Administration

Start, stop, restart, reload, status (service httpd start|stop|restart|reload|status)

Troubleshooting Apache

/var/log/messages
/var/log/httpd/
/usr/sbin/httpd -S   (dumps the parsed virtual host configuration)

Securing Your Network

Using the 'lokkit' or 'redhat-config-securitylevel' command (host firewall)
Password & physical security
Securing TCP/IP
Using Tripwire (file integrity checking)
Keeping up to date on Linux security issues

Session 14

FTP

Installation: rpm -ivh vsftp*.rpm
Config file: /etc/vsftpd/vsftpd.conf
Access levels:
Anonymous access (anonymous_enable)
User access (local users; vsftpd can apply tcp_wrappers host access control when built with it)
FTP sends passwords in clear text, so prefer anonymous-only service, or SFTP over SSH for authenticated transfers.

Cache Server (Squid)

Install squid: rpm -ivh squid*.rpm
Managing squid: start, stop, restart, status, reload

Squid Log Files

/var/log/squid/access.log   (cache_access_log)
/var/log/squid/cache.log    (cache_log)
/var/log/squid/store.log    (cache_store_log)

An Example of 'squid.conf'

http_port 8081
cache_effective_user squid
cache_effective_group squid
acl all src 0.0.0.0/0.0.0.0
http_access allow all
cache_dir ufs /cache 1024 16 32
visible_hostname ws1

"http_access allow all" on a source ACL of 0.0.0.0/0 makes an open proxy: anyone who can reach port 8081 may relay through it. In practice allow only a src ACL covering the local network and finish the list with "http_access deny all".

Running Squid

service squid start
squid -d1 -z                          (creates the cache directories)
squid -d1 -f /etc/squid/squid.conf    (runs with an explicit config file at debug level 1)

The Kinds of Proxies

Upstream proxy:
cache_peer yourproxy.com parent 3128 3130
prefer_direct off

Transparent proxy (Squid 2.x accelerator directives):
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Session 15

Configuring a Linux Router

Configuring the kernel: IP: advanced router
Enable IP forwarding:
Add 'net.ipv4.ip_forward = 1' to /etc/sysctl.conf (persistent across reboots)
echo "1" > /proc/sys/net/ipv4/ip_forward (takes effect immediately)

Types of Routes

Static route
Dynamic route

Components of Routing Rules

Destination IP address (with its netmask)
An interface
An optional gateway IP address

Routing Commands

route add -net net_addr netmask mask_addr interface
route add -host ip_addr interface
route add default gw ip_addr interface   (the keyword is 'gw', not 'gateway')

An Example

[network diagram] Hosts A, B, C and D (192.168.1.2, .3, .4, .5) sit on the LAN behind eth0, whose address is the gateway 192.168.1.1; hosts E, F, G and H (192.168.100.2, .3, .4, .5) sit behind eth1, gateway 192.168.100.1; eth2 has 10.1.1.1 and reaches the Internet through the router at 10.1.1.2.

Related Rules

route add -net 192.168.1.0 netmask 255.255.255.0 eth0
route add -net 192.168.100.0 netmask 255.255.255.0 eth1
route add -net 10.1.1.0 netmask 255.255.255.0 eth2
route add default gw 10.1.1.2 eth2

Result

Destination    Gateway   Genmask          Flags  Metric  Ref  Use  Iface
192.168.1.1    *         255.255.255.255  UH     0       0    0    eth0
192.168.100.1  *         255.255.255.255  UH     0       0    0    eth1
10.1.1.1       *         255.255.255.255  UH     0       0    0    eth2
192.168.1.0    *         255.255.255.0    U      0       0    0    eth0
192.168.100.0  *         255.255.255.0    U      0       0    0    eth1
10.1.1.0       *         255.255.255.0    U      0       0    0    eth2
0.0.0.0        10.1.1.2  0.0.0.0          UG     0       0    0    eth2
127.0.0.0      *         255.0.0.0        U      0       0    0    lo

Flags: U: the route is up; H: the destination is a single host; G: the packet is sent via the gateway
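As an added example that is not part of the original slides, the script below replays the kernel's route selection over a constructed copy of the table above: every entry whose genmask-masked destination matches is a candidate, and the longest matching prefix wins, which is why the /32 host routes beat the /24 network routes and the 0.0.0.0/0 default only catches what nothing else does. Function names are illustrative.

```bash
#!/bin/bash
# Added example (not from the original slides): longest-prefix route
# selection over the routing table printed above.

ip2int() {   # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '%s' "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
}

mask_bits() {   # count the 1 bits in a dotted netmask (prefix length)
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$((n + (m & 1))); m=$((m >> 1)); done
    printf '%s' "$n"
}

# Constructed copy of the slide's table: destination genmask gateway iface
ROUTES='192.168.1.1 255.255.255.255 * eth0
192.168.100.1 255.255.255.255 * eth1
10.1.1.1 255.255.255.255 * eth2
192.168.1.0 255.255.255.0 * eth0
192.168.100.0 255.255.255.0 * eth1
10.1.1.0 255.255.255.0 * eth2
0.0.0.0 0.0.0.0 10.1.1.2 eth2
127.0.0.0 255.0.0.0 * lo'

# Print "iface gateway" for the most specific route that matches $1.
lookup() {
    addr=$(ip2int "$1"); best=-1; result='no route'
    while read -r dest mask gw iface; do
        [ -n "$dest" ] || continue
        # a route matches when (addr AND genmask) == destination
        if [ "$(( addr & $(ip2int "$mask") ))" -eq "$(ip2int "$dest")" ]; then
            len=$(mask_bits "$mask")
            if [ "$len" -gt "$best" ]; then best=$len; result="$iface $gw"; fi
        fi
    done <<EOF
$ROUTES
EOF
    printf '%s' "$result"
}

for dst in 192.168.1.3 192.168.100.5 10.1.1.1 8.8.8.8 127.0.0.1; do
    printf '%-16s -> %s\n' "$dst" "$(lookup "$dst")"
done
```

Because the default route catches everything the local routes do not, a box with ip_forward=1 and no packet filter will forward traffic from any source it receives; pair the forwarding setting with the lokkit or iptables rules from the "Securing Your Network" slide.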

Electronic Mail (Sendmail)

How Email Is Sent and Received

user1@mail1.com -> mail1 MTA -> (SMTP) -> mail2 MTA -> user2@mail2.com
[diagram: the mail user agent of user1 hands the message to the mail1 MTA; the two MTAs talk SMTP; user2 fetches the message from mail2 with POP or IMAP]

Concepts

MTA: Mail Transport Agent; SMTP (server-to-server): Simple Mail Transfer Protocol
POP (mail access): Post Office Protocol
IMAP (mail access): Internet Message Access Protocol
MDA: Mail Delivery Agent
MUA: Mail User Agent

101

Advantage of Sendmail: Older MTA, Powerful MTA

Disadvantage of Sendmail: Slow, High Load Environment, Cryptic Configuration

102

MTAs: Sendmail, Postfix, Exim, Qmail

MUAs: Evolution, Kmail (KDE), Balsa (GNOME), Mozilla Mail

103

Required Packages

sendmail
sendmail-cf
imap (contains IMAP & POP3; configured through xinetd)

104

Sendmail Configuration

Config '/etc/mail/sendmail.mc' file:
    LOCAL_DOMAIN(`example.com')dnl
Run 'make -C /etc/mail/'
Config DNS

105

Email Aliases

Edit '/etc/aliases' file:
    postmaster: joseph
Run 'newaliases' command

106

Rejecting Email

Edit '/etc/mail/access' file:
    spam.com    REJECT
    yahoo.com   OK

service sendmail restart
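How those two access entries take effect on real senders is easy to misjudge, so here is an added example (not from the slides) that reproduces the access map's documented matching: a domain entry covers the domain and all its subdomains, and a partial IPv4 entry covers every address under it. The RELAY line and the IP form are constructed additions to the slide's two entries.

```python
# Constructed /etc/mail/access entries: the first two are the slide's, the third
# is added to show the partial-IP form (192.168.1 covers 192.168.1.*).
ACCESS = {
    "spam.com": "REJECT",
    "yahoo.com": "OK",
    "192.168.1": "RELAY",
}


def access_lookup(key, table=ACCESS):
    """Resolve a sender address, domain or connecting IP the way the access map is
    searched: a full address first, then its domain, then each parent domain;
    an IPv4 address is tried whole, then with trailing octets removed one by one.
    Returns the action (REJECT / OK / RELAY ...) or None when no entry applies."""
    if "@" in key:                       # user@host.domain: try the address, then host.domain
        if key in table:
            return table[key]
        key = key.split("@", 1)[1]
    parts = key.split(".")
    is_ip = all(p.isdigit() for p in parts)
    while parts:
        candidate = ".".join(parts)
        if candidate in table:
            return table[candidate]
        # IPs shrink from the right (192.168.1.77 -> 192.168.1), names from the left
        parts = parts[:-1] if is_ip else parts[1:]
    return None
```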

107

RHCE Red Hat Certified Engineer

M. A. Agheli

Session 16

108

DNS

109

Where do I look?

/etc/nsswitch.conf (nameservice switch)

t@localhost:~$ cat /etc/nsswitch.conf
hosts: files dns

110

Files

Search order determined by nsswitch.conf. It is polite to have /etc/hosts first!

sjh@mccoy:~$ cat /etc/hosts
127.0.0.1       localhost
193.62.81.135   mccoy.tardis.ed.ac.uk mccoy
193.62.81.134   baker.tardis.ed.ac.uk baker
193.62.81.132   packages.tardis.ed.ac.uk packages

111

DNS Traversal

1. Local files
2. DNS server locally
3. Item in cache?
4. Root server, work your way down...

112

Resolving Names

Configuration files for local host name resolution (important for testing):
/etc/resolv.conf
/etc/nsswitch.conf
/etc/host.conf

113

DNS

BIND – Berkeley Internet Name Daemon
Dents – buggy as hell (still in alpha?)
Djbdns – Dan Bernstein's DNS server
Banyan VINES – don't go there!

114

Named (name dee)

/etc/named.conf:
    This defines a directory to store the DNS config files.
    Contains info about what zones we serve, and where to find config files!
    Config file for named – tells us if we are master / slave, allow or deny zone transfers, what the IPs of other master / slave servers are, etc.
<DNSROOT>/root.hints: Contains "pointers" to the Root Servers
<DNSROOT>/127.0.0: Config for reverse-lookup to the local host/subnet
<DNSROOT>/<zone>: Config for zone
<DNSROOT>/<in-addr.arpa file>: Config for reverse lookup for your zone

115

A simple named.conf

## named.custom - custom configuration for bind

zone "." {
    type hint;
    file "root.lists";
};

options {
    directory "/var/named/";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "127.0.0";
};

zone "hq.alim.ir" {
    type master;
    file "hq.alim.ir";
};

zone "168.168.192.in-addr.arpa" {
    type master;
    file "192.168.168";
};

116

DNS Data

DNS databases contain more than just hostname-to-address records:
SOA – Start Of Authority – it is the daddy!
IN NS – Name Server
IN MX – Mail eXchanger
IN A – A record (Address record)
IN CNAME – Canonical NAME

117

A simple zone file

@ IN SOA hq.alim.ir. root.hq.alim.ir. (
        199609206   ; serial, today's date + today's serial #
        8H          ; refresh, seconds
        2H          ; retry, seconds
        4W          ; expire, seconds
        1D )        ; minimum, seconds

        NS      hq.alim.ir.
        MX      10 hq.alim.ir.   ; Primary Mail Exchanger
        TXT     "Alim IT Center"

localhost       A       127.0.0.1
router          A       192.168.168.1
hq.alim.ir.     A       192.168.168.2
ns              A       192.168.168.3
www             A       207.159.141.192
ftp             CNAME   hq.alim.ir.
mail            CNAME   hq.alim.ir.
news            CNAME   hq.alim.ir.

118

A simple in-addr.arpa file

$TTL 3D
@ IN SOA hq.alim.ir. root.hq.alim.ir. (
        199609206   ; Serial
        28800       ; Refresh
        7200        ; Retry
        604800      ; Expire
        86400 )     ; Minimum TTL

        NS      hq.alim.ir.

; Servers
1       PTR     router.hq.alim.ir.
2       PTR     hq.alim.ir.
2       PTR     funn.hq.alim.ir.

; Workstations
200     PTR     ws-177200.hq.alim.ir.
201     PTR     ws-177201.hq.alim.ir.
202     PTR     ws-177202.hq.alim.ir.

119

Forward DNS

hq.alim.ir (as per /etc/named.conf)
SOA – Start Of Authority – it is the daddy!
IN NS – Name Server
IN MX – Mail eXchanger
IN A – A record (Address record)
IN CNAME – Canonical NAME

120

Reverse DNS

192.168.168 (as per /etc/named.conf)
SOA
IN NS
IN PTR – Pointer

121

DNS Round Robin

Fault tolerance? Through nifty DNS hacks:

www.teviot.com.    60    IN    A    10.0.1.100
www.teviot.com.    60    IN    A    10.0.2.100
www.teviot.com.    60    IN    A    10.0.3.100

122

Common Mistakes

Forgetting to increment the Serial Number!
CNAME pointing at another CNAME!
Forgetting the "." in appropriate places!
Underscores in hostnames!
Forgetting to reload the daemon!
Version control issues – clobber changes!
TTL Issues
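Most of these mistakes can be caught before the daemon is reloaded. The checker below is an added example, not from the slides: it parses the cut-down zone syntax used in the hq.alim.ir sample (owner, optional TTL/class, type, rdata, ';' comments, a parenthesised SOA) and reports a serial that was not incremented, NS/MX/CNAME/PTR targets missing the trailing ".", CNAMEs pointing at CNAMEs, and underscores in hostnames. The sample zone is constructed with those faults planted on purpose.

```python
import re

# Constructed sample modelled on the slide's hq.alim.ir zone, with the slide's
# "Common Mistakes" planted on purpose so the checker has something to report.
BAD_ZONE = """\
@ IN SOA hq.alim.ir. root.hq.alim.ir. (
        199609206 ; serial: same value as the last published copy
        8H ; refresh
        2H ; retry
        4W ; expire
        1D ) ; minimum
        NS    hq.alim.ir
        MX    10 hq.alim.ir.
hq.alim.ir.     A     192.168.168.2
web_01          A     192.168.168.10
ftp             CNAME mail
mail            CNAME hq.alim.ir.
"""

TTL_OR_CLASS = re.compile(r"(IN|\d+[SMHDW]?)$")


def parse_records(text):
    """Yield (owner, type, rdata) from a zone file: a blank owner repeats the previous
    one, ';' comments are dropped, $-directives skipped, '(' ... ')' records folded."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line or line.startswith("$"):
            continue
        buf = buf + " " + line.strip() if buf else line
        if "(" in buf and ")" not in buf:
            continue                      # still inside a multi-line record
        logical.append(buf)
        buf = ""
    owner = "@"
    for line in logical:
        if not line[0].isspace():
            owner, line = line.split(None, 1)
        parts = line.split()
        while parts and TTL_OR_CLASS.match(parts[0].upper()):
            parts.pop(0)                  # drop optional TTL and class
        rdata = [t for t in (p.strip("()") for p in parts[1:]) if t]
        yield owner, parts[0].upper(), rdata


def lint_zone(text, last_published_serial):
    """Return human-readable findings for the mistakes listed on the slide."""
    findings = []
    records = list(parse_records(text))
    cname_owners = {o for o, t, _ in records if t == "CNAME"}
    for owner, rtype, rdata in records:
        if rtype == "SOA" and int(rdata[2]) <= last_published_serial:
            findings.append(f"serial {rdata[2]} not incremented (published: {last_published_serial})")
        if rtype in ("NS", "MX", "CNAME", "PTR"):
            target = rdata[-1]
            if "." in target and not target.endswith("."):
                findings.append(f"{rtype} target '{target}' lacks the trailing '.'")
            if rtype == "CNAME" and target in cname_owners:
                findings.append(f"CNAME {owner} -> {target} points at another CNAME")
        if "_" in owner:
            findings.append(f"underscore in hostname '{owner}'")
    return findings
```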

123

Test Tools

nslookup
dig
    dig mail.hq.alim.ir
    dig -x 192.168.168.2
    dig 168.168.192.in-addr.arpa. AXFR
whois
http://www.squish.net/dnscheck/ (James Ponder's DNS check web page)

124

RHCE Red Hat Certified Engineer

M. A. Agheli

Session 17

125

Firewall

Required Properties:
Control: Allow only those packets that you are interested in to pass through.
Security: Reject packets from malicious outsiders.
Watchfulness: Log packets to/from the outside world.

126

Firewall Types

Packet Filtering
Proxy-Based Firewall
Stateful
Stateless

127

Packet Filter under Linux

1st generation: ipfw (from BSD)
2nd generation: ipfwadm (Linux 2.0)
3rd generation: ipchains (Linux 2.2)
4th generation: iptables (Linux 2.4 & 2.6)

128

Installing Iptables

Kernel supports iptables:
Networking Options -> TCP/IP Networking -> Network Packet Filtering
Networking Options -> TCP/IP Networking -> IP: advanced router -> *
Networking Options -> IP: Netfilter
For packet traffic control: Networking Options -> QoS and/or fair queueing -> *

# rpm -ivh iptables-1.2.6a-2.i386.rpm

129

Chains of Tables

INPUT    Controls packets entering your system
OUTPUT   Controls packets leaving your system
FORWARD  Controls what packets can move from one network to another through your system

130

(Diagram: incoming packet -> Routing Decision -> either Input chain -> Local Process -> Output chain, or Forward chain.)

131

1. When a packet comes in, the kernel first looks at the destination of the packet: this is called routing.

2. If it's destined for this box:
   • it passes downwards in the diagram
   • to the INPUT chain
   If it passes, any processes waiting for that packet will receive it.
   Otherwise go to step 3.

Continue...

132

3. If forwarding is not enabled, the packet will be dropped. If forwarding is enabled and the packet is destined for another network interface, the packet goes rightwards on our diagram to the FORWARD chain. If it is accepted, it will be sent out.

4. Packets generated by a local process pass to the OUTPUT chain immediately. If it says accept, the packet will be sent out.

133

Packet Status in Iptables

Established, New, Related, Invalid

134

Results of Packet Checking

ACCEPT, DROP, REJECT, ...

135

Tables of Iptables

Filter, NAT, Mangle

136

The Path of a Packet in Iptables (diagram): Network -> Mangle PREROUTING -> NAT PREROUTING (Destination NAT) -> Routing decision. Packets for this host: Mangle INPUT -> Filter INPUT -> Local process -> Routing decision -> Mangle OUTPUT -> NAT OUTPUT -> Filter OUTPUT. Packets for other hosts: Mangle FORWARD -> Filter FORWARD. Both then pass Mangle POSTROUTING -> NAT POSTROUTING (Source NAT, based on routing) -> Network.

137

Tables of Chains

Table    INPUT  OUTPUT  FORWARD  PREROUTING  POSTROUTING
MANGLE   *      *       *        *           *
NAT      -      *       -        *           *
FILTER   *      *       *        -           -

138

Building a Rule: source/destination

iptables -s 200.200.200.1

Refers to packets from a specific IP address. The "-s" refers to the source of the packet, where the packet is coming from. A corresponding "-d" refers to the destination, where the packet is going to.

139

Building a Rule: Action

iptables -s 200.200.200.1 -j DROP

The "-j" determines what happens to the

Building a Rule: IP address ranges

iptables -s 200.200.200.0/24 -j DROP

IPs that match 200.200.200.*. The "/24" refers to the number of bits that are fixed, counting from the left.

140

Other Actions

REDIRECT  Sends packets to a proxy
LOG       Tracks packets as they match rules
RETURN    Terminates user defined chains

141

Building a Rule: appending rules to tables

iptables -A INPUT -s 200.200.200.1 -j DROP

The "-A" appends the rule to an iptable. The "INPUT" specifies the iptable. This command makes your system ignore all packets from 200.200.200.1.

iptables -A OUTPUT -d 200.200.200.1 -j DROP

This command does not allow your system to send packets to 200.200.200.1.

142

Building a Rule: only blocking some packets

iptables -A INPUT -s 200.200.200.1 -p tcp --destination-port telnet -j DROP

The "-p" specifies a specific protocol: tcp, udp, or icmp.
The "--destination-port" is where the packet is going. You can use the service name or the port number; 23 could be used in this example.
Keep in mind that the source-port is very different from the destination-port. In this example the inbound message is going to your telnet server. The telnet client that is sending you the message could be running on any port.

--dport == --destination-port
--sport == --source-port

143

Building a Rule: multiple network interfaces

Assume your machine has two interface cards: one to a LAN named eth0 and the other to the Internet named ppp0.

iptables -A INPUT -p tcp --dport telnet -i ppp0 -j DROP

The "-i" option specifies the input interface. There is also a "-o" option for the output interface.

iptables -A INPUT -p tcp --dport telnet -i eth0 -j ACCEPT

Together these rules would accept telnet requests from the LAN but block telnet requests from the Internet.

144

Building a Rule: Table Policies

iptables -P FORWARD ACCEPT

The "-P" option followed by a table name and action determines the default policy of the table. If no rule in the table matches, this default action is taken.
The usual policies are: INPUT = ACCEPT, OUTPUT = ACCEPT, FORWARD = DENY

145

Building a Rule: Adding Rules to Tables

iptables -A INPUT -s 200.200.200.1 -j DROP
    Appends the rule to the end of the table
iptables -I INPUT 3 -s 200.200.200.1 -j DROP
    Inserts the rule as rule 3 in the table, moving all other rules down 1
iptables -R INPUT 3 -s 200.200.200.1 -j DROP
    Replaces rule 3 in the table
iptables -D INPUT 3
    Deletes rule 3 in the table

146

Operations to manage whole chains

-N  Create a new chain
-X  Delete an empty chain
-P  Change the policy for a built-in chain
-L  List the rules in a chain
-F  Flush the rules out of a chain
-Z  Zero the packet and byte counters on all rules in a chain

147

Manipulate rules inside a chain

-A  Append a new rule to a chain
-I  Insert a new rule at some position in a chain
-R  Replace a rule at some position in a chain
-D  Delete a rule at some position in a chain
-D  Delete the first rule that matches in a chain

148

An Example (diagram): a Firewall at 192.168.1.1 with eth0 facing the Internet and eth1 facing the LAN; LAN hosts 192.168.1.5, 192.168.1.6 and 192.168.1.7 use GW 192.168.1.1. A Web Server and an SSH Server are reachable through the firewall; the SSH Server must be accessible ONLY via the LAN.
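The slide states the requirement but not the rules. The following is an added example (not from the slides): a small Python model of a built-in chain with the semantics described above (rules tried in order, first match wins, the -P policy otherwise, -A appends, -I inserts at a 1-based position), loaded with an assumed INPUT rule set for this example. Matching SSH on both the LAN source range and the LAN interface eth1 is what keeps a packet with a forged 192.168.1.x source arriving on eth0 from being accepted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One iptables rule: every match left as None means 'any'."""
    target: str                        # -j ACCEPT / DROP / REJECT
    src: Optional[str] = None          # -s address or CIDR
    dst: Optional[str] = None          # -d address or CIDR
    proto: Optional[str] = None        # -p tcp / udp / icmp
    dport: Optional[int] = None        # --dport
    in_if: Optional[str] = None        # -i interface

    def matches(self, pkt):
        for want, have in ((self.proto, pkt["proto"]), (self.dport, pkt["dport"]),
                           (self.in_if, pkt["in_if"])):
            if want is not None and want != have:
                return False
        for net, addr in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if net is not None and ipaddress.ip_address(addr) not in ipaddress.ip_network(net, strict=False):
                return False
        return True


class Chain:
    """A built-in chain: rules are tried top to bottom, the first match decides,
    and the policy set with -P applies when nothing matched."""
    def __init__(self, policy="ACCEPT"):
        self.policy, self.rules = policy, []

    def append(self, rule):            # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, pos, rule):       # iptables -I CHAIN pos ... (1-based, as in iptables)
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt):
        """Return (target, rule_number); rule_number 0 means the policy was applied."""
        for n, rule in enumerate(self.rules, 1):
            if rule.matches(pkt):
                return rule.target, n
        return self.policy, 0


def pkt(src, dst, in_if, proto="tcp", dport=None):
    """A constructed packet summary: just the fields the rules above look at."""
    return {"src": src, "dst": dst, "in_if": in_if, "proto": proto, "dport": dport}


def firewall_input_chain():
    """Assumed INPUT rules for the slide's requirement (not given on the slide):
    default DROP, web (tcp/80) open to everyone, SSH (tcp/22) only when the packet
    both comes from the LAN range and arrives on the LAN interface eth1."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", in_if="eth1", src="192.168.1.0/24", proto="tcp", dport=22))
    chain.append(Rule("ACCEPT", proto="tcp", dport=80))
    return chain
```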

149

RHCE Red Hat Certified Engineer

M. A. Agheli

Session 18

Advanced

150

Traffic Shaping (CBQ)

/etc/rc.d/init.d/cbq.init
(http://ovh.dl.sourceforge.net/sourceforge/cbqinit/cbq.init-v0.7.3)
Install 'shapecfg' RPM
/etc/sysconfig/cbq/* (0002-FFFF)
/etc/rc.d/init.d/cbq.init start

151

Sample of CBQ Configuration

DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
PRIO=5
RULE=:21,192.168.1.0/24

152

The End

Good Luck
