Complete RHCE doc - Transcript

Page 1: Complete RHCE doc

RHCE: Red Hat Certified Engineer

Session 1

M. A. Agheli

Page 2: History of UNIX & Linux

• 1957: Bell Labs found they needed an operating system, which at the time was running various batch jobs.
• 1965: Bell Labs create Multics (Multiplexed Information and Computing Service).
• 1969: Summer 1969, UNIX was developed by AT&T.
• 1975: Sixth edition of UNIX released May 1975.
• 1985: GNU project started.
• 1991: Linux is introduced by Linus Benedict Torvalds, who was a second-year student of Computer Science at the University of Helsinki.
• 1993: NetBSD & FreeBSD released.
• 1994: Red Hat Linux is introduced.

Page 3: First Article About Linux

From: [email protected] (Linus Benedict Torvalds)
Newsgroups: comp.os.minix
Subject: What would you like to see most in minix?
Summary: small poll for my new operating system
Message-ID: <[email protected]>
Date: 25 Aug 91 20:57:08 GMT
Organization: University of Helsinki

Hello everybody out there using minix -

I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones. This has been brewing since april, and is starting to get ready. I'd like any feedback on things people like/dislike in minix, as my OS resembles it somewhat (same physical layout of the file-system (due to practical reasons) among other things).

I've currently ported bash(1.08) and gcc(1.40), and things seem to work. This implies that I'll get something practical within a few months, and I'd like to know what features most people would want. Any suggestions are welcome, but I won't promise I'll implement them :-)

Linus ([email protected])

PS. Yes - it's free of any minix code, and it has a multi-threaded fs. It is NOT portable (uses 386 task switching etc), and it probably never will support anything other than AT-harddisks, as that's all I have :-(.

Page 4: GNU & GPL

GNU Project: focused on creating a Unix-like operating system that could be freely distributed.

GPL: GNU General Public License (copyleft).

Page 5: Major Linux Distributors

Caldera Linux, Corel Linux, Debian Linux, Kondara Linux, Red Hat Linux, Mandrake Linux, Slackware Linux, SuSE Linux, Turbo Linux, Vector Linux.

Page 6: The Advantages of Linux

• Low purchase cost
• Open Source Software (OSS)
• UNIX heritage
• Multi-user
• Scalability
• Vendor support
• Reliable uptime
• Security
• Logging system
• …

Page 7: The Disadvantages of Linux

• Steep learning curve
• Hardware support
• End-user applications

Page 8: A Comparison of Win 9x, NT, and Linux

Feature                 | Win 9x    | Win NT | Linux
Scalability             | Poor      | Good   | Good
Desktop App. Support    | Excellent | Good   | Good
Enterprise App. Support | None      | Good   | Good
Hardware Support        | Excellent | Good   | Good
Licensing Cost          | Good      | Poor   | Excellent
Network Performance     | Good      | Good   | Excellent
Security                | Poor      | Good   | Good

Page 9: Linux Filesystem Hierarchy

/bin    Essential binary files
/boot   Boot loader files
/dev    Device files
/etc    Configuration files
/home   User home directories
/lib    Shared libraries and kernel modules
/mnt    Mount point for temporarily mounted filesystems
/proc   System information virtual filesystem
/root   root user's home directory
/sbin   Essential system binaries
/tmp    Temporary files
/usr    Shareable files
/var    Non-shareable files

Page 10:

RHCE: Red Hat Certified Engineer
Session 2
M. A. Agheli

Page 11: Installing Linux

• Hardware requirements
• Hard disk partitioning
• Boot loader
• Install packages
• X configuration

Page 12: Overview of the Installation Process

1. Starting the installation process: installation mode, language, keyboard, mouse
2. Partitioning
3. Boot loader installation
4. Network configuration
5. Setting the time zone

Page 13: Overview of the Installation Process (continued)

5. Firewall configuration
6. Specifying authentication options (optional)
7. Specifying user accounts
8. Selecting packages
9. Installing packages
10. Creating a boot disk
11. Configuring the X Window system (optional)

Page 14: Installing Linux: Consoles & Message Logs

Console | Keystrokes  | Contents
1       | Ctrl+Alt+F1 | Text-based installation procedure
2       | Ctrl+Alt+F2 | Shell prompt
3       | Ctrl+Alt+F3 | Messages from the installation program
4       | Ctrl+Alt+F4 | Kernel messages
5       | Ctrl+Alt+F5 | Other messages, including file system creation messages
7       | Ctrl+Alt+F7 | Graphical installation procedure

Page 15: Configuring Install-Time Options after Installation

kbdconfig, mouseconfig, timeconfig, sndconfig, netconfig, authconfig, ntsysv, setup, redhat-config-…

Page 16:

RHCE: Red Hat Certified Engineer
Session 3
M. A. Agheli

Page 17: SHELL

Some important BASH variables: PATH, SHELL, PS1, PS2

bash (Bourne Again Shell)

ash, sach, tcsh, mc

PS1, PS2 switches: \u , \h , \W , \d , \t , \s , \$ , $

Page 18: Some Linux Commands (1)

echo, man, help, info, ls, cat, tac, cp, mv, rm, cd, touch, pwd, mkdir, rmdir, clear, alias, less, date, logout, exit, reboot, halt

Page 19:

RHCE: Red Hat Certified Engineer
Session 4
M. A. Agheli

Page 20: BASH

• TAB key features
• Review pages & commands

Quoting in BASH: "value"  'value'  `value`

Redirection operators: >  >>  |  <  <<

Standard input & standard output: stdin 0, stdout 1, stderr 2

Page 21: Important Command Forms

cmd
cmd &   (fg, Ctrl+Z, bg)
cmd1 ; cmd2
(cmd1 ; cmd2)
cmd1 `cmd2`
cmd1 | cmd2
cmd1 && cmd2
cmd1 || cmd2
{ cmd1 ; cmd2 ; }

Page 22: Linux File Types

Type             | Symbol | Description
Normal           | -      | Normal file
Directory        | d      | Normal directory
Hard link        | -      |
Symbolic link    | l      | Shortcut to a file or directory
Socket           | s      | Pass data between 2 processes
Named pipe       | p      | Like sockets; users can't work with it directly
Character device | c      | Processes character hardware communication
Block device     | b      | Major & minor numbers for controlling the device

Page 23: Bash Special Variables

$#   Number of arguments given to the command
$?   Return value of the last program run
$$   Process number of the current shell
$!   Process number of the last child process
$@   All arguments, individually quoted
$*   All arguments quoted as a whole
$n   Positional argument value, where n is the position
$0   Name of the current shell
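The variables in this table are easiest to understand by calling a function with a few arguments and printing what each one expands to. The following script is an added example written for this transcript, not code from the slides; the argument values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the slides: each special variable from the table
# exercised inside shell functions, which receive their own $#, $@, $*, $1 ...
# exactly as a script does. The argument values are constructed for the demo.

# $#: number of arguments the function was called with
count_args() {
    echo "$#"
}

# "$@": every argument stays one word, even "b c" which contains a space
quoted_each() {
    for arg in "$@"; do
        printf '[%s]\n' "$arg"
    done
}

# "$*": all arguments joined into a single word (separated by the first
# character of IFS, a space by default)
quoted_whole() {
    printf '[%s]\n' "$*"
}

# $?: exit status of the last command; captured inside if/else so that a
# non-zero status is reported instead of aborting under 'set -e'
last_status() {
    if "$@" >/dev/null 2>&1; then
        echo 0
    else
        echo "$?"
    fi
}

# $n: positional argument n (here n = 3)
third_arg() {
    echo "$3"
}

# $$ and $!: the current shell's PID versus the PID of the last background
# child; prints "yes" when they differ, which they always should
background_pid_differs() {
    true &
    child=$!
    wait "$child"
    if [ "$child" != "$$" ]; then echo yes; else echo no; fi
}

# Demonstration with constructed arguments; "b c" is one argument
count_args a "b c" d           # 3
quoted_each a "b c" d          # [a] / [b c] / [d] on three lines
quoted_whole a "b c" d         # [a b c d]
last_status false              # 1
third_arg a "b c" d            # d
background_pid_differs         # yes
echo "\$0 is: $0"              # name of the running shell or script
```

The practical point is the difference between "$@" and "$*": a script that forwards its arguments with "$*" silently merges an argument containing spaces into its neighbours, which is a common source of path-handling bugs in wrapper scripts.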

Page 24: Some Linux Commands (2)

Process text streams: sort, cut, head, tail, split, wc, uniq, grep
Redirecting a command's output: tee
Create, monitor & kill processes: ps, pstree, top, kill, killall
Modify process priority: renice

Page 25:

RHCE: Red Hat Certified Engineer
M. A. Agheli
Session 5

Page 26: Some Linux Commands (3)

Create partitions and filesystems: fdisk, mke2fs, mkfs.*
Maintain the integrity of filesystems: e2fsck, fsck.*, du, df
Filesystem mounting & unmounting: mount, umount, /etc/fstab

Page 27: Some Linux Commands (4)

Use file permissions: chmod, chown, chgrp, su
Create hard & symbolic links: ln
Find system files: find, locate, which
Using emergency & single user mode

Page 28: 'vi' Powerful Text Editor

Modes: Insert mode, Normal mode, Command mode

• dd, n+dd (Delete)
• yy, n+yy (Copy)
• p (paste)
• P (Paste)
• / (Search)
• v (Visual) (Text Selection)
• Insert Text
• Delete
• w
• q
• wq = x
• q!
• r
• s///

Page 29:

RHCE: Red Hat Certified Engineer
M. A. Agheli
Session 6

Page 30: Run Levels

Run Level | Definition
0         | This runlevel halts the system
1         | This runlevel sets single-user mode
2         | Multiuser mode without networking
3         | Multiuser mode with networking
4         | Not used
5         | X-based log in
6         | This runlevel reboots the system

init & chkconfig commands
/etc/inittab
/etc/rc.d/init.d & /etc/rc[0123456].d/

Page 31: Configuring Boot Loader

LILO: edit /etc/lilo.conf & execute the 'lilo' command
GRUB: edit /boot/grub/grub.conf

Page 32: Administrative Tasks

Manage users, groups & related files: useradd, userdel, groupadd, groupdel, passwd, vipw, vigr; /etc/passwd, /etc/shadow, /etc/skel, /etc/profile, …
Configure and use system log files: /etc/syslog.conf, /etc/logrotate.conf
Scheduling jobs (at & crontab commands)
Backup & restore tools: tar, bzip2, gzip

Page 33:

RHCE: Red Hat Certified Engineer
M. A. Agheli
Session 7

Page 34: Linux Installation and Package Management

Make and install programs from source
RPM (Redhat Package Manager)

Page 35: Kernel

About the kernel and loadable modules
Manage kernel modules at runtime (/etc/modules.conf)
Reconfigure, build and install a custom kernel

Page 36:

RHCE: Red Hat Certified Engineer
M. A. Agheli
Session 8

Page 37: Shell Scripts

# Comments
#! Special comments

Assign a value:
x=y
x='$y'
x=${y}
x=\$y
x=$y
export x y z
x=${y}es
export x=$y
x=$yes
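The assignment forms listed here, and the three quoting styles from the BASH slide, differ only in whether and when $y is expanded. The script below is an added example, not from the slides; y is set to the constructed value hello in each function so the results can be compared side by side.

```shell
#!/bin/sh
# Added example, not from the slides: what each assignment and quoting form on
# the slide actually produces. Every function sets y to a constructed value,
# performs one assignment to x, and prints x so the forms can be compared.

literal()          { y=hello; x=y;        echo "$x"; }   # x=y       -> y       (the letter, no expansion)
single_quoted()    { y=hello; x='$y';     echo "$x"; }   # x='$y'    -> $y      (single quotes: no expansion)
braced()           { y=hello; x=${y};     echo "$x"; }   # x=${y}    -> hello
escaped()          { y=hello; x=\$y;      echo "$x"; }   # x=\$y     -> $y      (backslash escapes the $)
plain()            { y=hello; x=$y;       echo "$x"; }   # x=$y      -> hello
braced_suffix()    { y=hello; x=${y}es;   echo "$x"; }   # x=${y}es  -> helloes
unbraced_suffix()  { y=hello; x=$yes;     echo "[$x]"; } # x=$yes    -> []      (expands $yes, which is unset)
double_quoted()    { y=hello; x="$y";     echo "$x"; }   # "value"   -> hello   (double quotes still expand)
backquoted()       { x=`echo hello`;      echo "$x"; }   # `value`   -> hello   (output of the command)

# export: a child process sees exported variables only; 'sh -c' is the child.
exported_visible()   { y=hello; export y;  sh -c 'echo "[$y]"'; }     # -> [hello]
unexported_visible() { unexp=hello;        sh -c 'echo "[$unexp]"'; } # -> []

literal; single_quoted; braced; escaped; plain
braced_suffix; unbraced_suffix; double_quoted; backquoted
exported_visible; unexported_visible
```

The x=$yes case is the one that bites in practice: the shell does not know where the variable name ends, so it looks up a variable called yes and substitutes an empty string without any error.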

Page 38: Shell Scripts: Control Constructs

'read' command
'test' command ( [ ] )
if …; then …; else …; fi
case … in pattern) …;; esac
while …; do …; done
until …; do …; done
for x in …; do …; done
break, continue, exit (for, while, until)
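The constructs on this slide come together in a short script that scans an account listing. This is an added example, not from the slides; the /etc/passwd-style data is constructed and embedded in the script, so nothing on the real system is read.

```shell
#!/bin/sh
# Added example, not from the slides: the control constructs above applied to a
# constructed /etc/passwd-style listing. The real /etc/passwd is never read;
# the sample data is embedded in a variable and fed through here-documents.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
# comment lines like this one are skipped with continue
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/tcsh
STOP
carol:x:502:502:Carol:/home/carol:/bin/bash'

# case ... esac: classify a login shell by pattern
shell_kind() {
    case "$1" in
        */nologin|*/false) echo locked ;;
        */bash|*/sh)       echo bourne ;;
        */tcsh|*/csh)      echo cshell ;;
        *)                 echo other ;;
    esac
}

# read + while + if/test + continue + break: count accounts whose shell is not
# locked, stopping at the STOP line. The loop reads from a here-document rather
# than a pipe so that the counter survives the loop (a pipe would run the loop
# body in a subshell and lose the updated n).
count_interactive() {
    n=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$user" in
            \#*)  continue ;;
            STOP) break ;;
        esac
        if [ "$(shell_kind "$shell")" != locked ]; then
            n=$((n + 1))
        fi
    done <<EOF
$PASSWD_SAMPLE
EOF
    echo "$n"
}

# for ... in: return 0 (true) when no account in the listing uses UID $1
uid_is_free() {
    for used in $(printf '%s\n' "$PASSWD_SAMPLE" | grep -v '^#' | cut -s -d: -f3); do
        [ "$used" = "$1" ] && return 1
    done
    return 0
}

# until ... done: starting at $1, step upward to the first unused UID
next_free_uid() {
    candidate=$1
    until uid_is_free "$candidate"; do
        candidate=$((candidate + 1))
    done
    echo "$candidate"
}

shell_kind /sbin/nologin     # locked
count_interactive            # 3   (root, alice, bob; daemon is locked)
next_free_uid 500            # 503 (500, 501 and 502 are taken)
```

Reading the listing with a here-document instead of `cat file | while read` is deliberate: in a pipeline the while loop runs in a subshell, and any counter it updates is lost when the loop ends.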

Page 39:

RHCE: Red Hat Certified Engineer
M. A. Agheli
Session 9

Page 40: Installing and Configuring X

Page 41: Basic X Concepts

X Client
X Server
X Protocol

Page 42: Basic X Concepts

X Window Manager
X Desktop Manager
X Display Manager

Page 43: Installing X

1. Determine the proper X server
2. Install the proper packages

Page 44: X Server Selection

XFree86-*

Installing the packages: freetype, gtk+, XFree86-libs, XFree86-75dpi-fonts, redhat-config-xfree86, XFree86-xfs, XFree86-xdm, XFree86-twm, XFree86-tools, xinitrc

Page 45: Configuring X

redhat-config-xfree86
xvidtune

Page 46: Important X Directories & Files

/usr/X11R6/bin
/etc/X11
/etc/X11/XF86Config

Page 47: Configure and Use PPP

'redhat-config-network-tui' command in text mode
Modem configuration files
kppp command in X window

Page 48:

RHCE: Red Hat Certified Engineer
M. A. Agheli
Session 10

Page 49: Network Basics

IP (network & host portion): 192.168.168.1 : 11000000.10101000.10101000.00000001
Static IP, Dynamic IP
Netmask address:   255.255.255.0   : 11111111.11111111.11111111.00000000
Network address:   192.168.168.0   : 11000000.10101000.10101000.00000000
Broadcast address: 192.168.168.255 : 11000000.10101000.10101000.11111111

Page 50: Classful Addressing System

Network classes:
Class A   1.0.0.0-126.0.0.0     (8 bits)
Class B   128.0.0.0-191.0.0.0   (16 bits)
Class C   192.0.0.0-223.0.0.0   (24 bits)

Reserved IP:
127.0.0.0-127.255.255.255   (loopback address)
224.0.0.0-239.255.255.255   (multicast protocols)
240.0.0.0-255.255.255.255   (do not use)

Public & private networks (valid & invalid IPs):
10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255

Page 51: Classless Addressing System (Subnet)

Net. Addr.: 192.168.168.0 = 11000000.10101000.10101000.00000000

Netmasks:
255.255.255.0   (/24) : 11111111.11111111.11111111.00000000
255.255.255.128 (/25) : 11111111.11111111.11111111.10000000
255.255.255.192 (/26) : 11111111.11111111.11111111.11000000
255.255.255.224 (/27) : 11111111.11111111.11111111.11100000
255.255.255.240 (/28) : 11111111.11111111.11111111.11110000
255.255.255.248 (/29) : 11111111.11111111.11111111.11111000
255.255.255.252 (/30) : 11111111.11111111.11111111.11111100
255.255.255.254 (/31) : 11111111.11111111.11111111.11111110
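The binary netmasks on the last three slides follow from bitwise arithmetic, which the shell can do directly. The script below is an added example, not from the slides; it generalizes the slide's /24 case to any prefix length and computes mask, network address, broadcast address and usable host count for an address.

```shell
#!/bin/sh
# Added example, not from the slides: the netmask arithmetic of the last three
# slides done with POSIX shell arithmetic. It generalizes the slide's /24 case
# to any IPv4 address and prefix length: netmask, network address, broadcast
# address, usable host count and the dotted-binary notation the slides use.

# ip2int: dotted quad -> 32-bit integer
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# int2ip: 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_of PREFIX: prefix length -> netmask, e.g. 26 -> 255.255.255.192
# (4294967295 is 0xFFFFFFFF; the final AND keeps the result within 32 bits)
mask_of() {
    int2ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# network_of ADDR PREFIX: address AND mask (host bits cleared)
network_of() {
    m=$(ip2int "$(mask_of "$2")")
    int2ip $(( $(ip2int "$1") & m ))
}

# broadcast_of ADDR PREFIX: address OR inverted mask (host bits set)
broadcast_of() {
    m=$(ip2int "$(mask_of "$2")")
    int2ip $(( $(ip2int "$1") | (~m & 4294967295) ))
}

# usable_hosts PREFIX: 2^(host bits) minus the network and broadcast
# addresses; /31 and /32 leave no usable hosts under this classic rule
usable_hosts() {
    hostbits=$(( 32 - $1 ))
    if [ "$hostbits" -lt 2 ]; then echo 0; else echo $(( (1 << hostbits) - 2 )); fi
}

# binary_of ADDR: dotted quad -> dotted binary (11000000.10101000.10101000.00000001)
binary_of() {
    n=$(ip2int "$1"); out=""; i=31
    while [ "$i" -ge 0 ]; do
        out="$out$(( (n >> i) & 1 ))"
        case "$i" in 24|16|8) out="$out." ;; esac
        i=$((i - 1))
    done
    echo "$out"
}

# Demonstration: reproduce the netmask table and the slide's /24 example
for p in 24 25 26 27 28 29 30 31; do
    printf '%-15s /%s  %s  (%s usable hosts)\n' "$(mask_of "$p")" "$p" \
        "$(binary_of "$(mask_of "$p")")" "$(usable_hosts "$p")"
done
echo "192.168.168.1/24: network $(network_of 192.168.168.1 24), broadcast $(broadcast_of 192.168.168.1 24)"
```

Everything here is 32-bit integer work; the only subtlety is masking the results of ~ and << back to 32 bits, because shell arithmetic is wider than an IPv4 address.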

Page 52: TCP/IP Model (1)

Application protocols
Transport protocols
Internet protocols
Network access protocols

Page 53: TCP/IP Model (2)

Network access protocols: all functions necessary to access the physical network
Internet protocols: IP (Internet Protocol, connectionless); ICMP (Internet Control Message Protocol)

Page 54: TCP/IP Model (3)

Transport protocols: TCP (Transmission Control Protocol), connection-based; UDP (User Datagram Protocol), connectionless
Application protocols: privileged ports (0-1023); /etc/services

Page 55: Types of TCP/IP Services

Stand-alone
xinetd (and its config)

Page 56: Controlling TCP/IP Daemons

Related TCP/IP commands:
ps x
netstat -ap --inet | grep LISTEN

Start the daemon, stop the daemon, restart the daemon, check the daemon's status

Page 57:

RHCE: Red Hat Certified Engineer
M. A. Agheli
Session 11

Page 58: Network Configuration

Initializing network hardware: load the related module
Network configuration tools: netconfig, redhat-config-network

Page 59: Network Configuration: Other Network Tools

• ifconfig
• ping
• traceroute
• netstat
• tcpdump
• nmap
• tethereal
• iptraf

Page 60: Network Configuration

Network configuration files: /etc/hosts, /etc/host.conf, /etc/services, /etc/resolv.conf, /etc/sysconfig/network, /etc/sysconfig/network-scripts/*
IP aliasing

Page 61:

RHCE: Red Hat Certified Engineer
M. A. Agheli
Session 12

Page 62: DHCP

Advantages & disadvantages of DHCP
DHCP server configuration: /etc/dhcpd.conf, /var/lib/dhcp/dhcpd.leases
DHCP client configuration: netconfig command

Page 63: An Example of dhcpd.conf

    ddns-update-style ad-hoc;
    subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.1 192.168.0.25;
        option routers 192.168.0.1;
        option subnet-mask 255.255.255.0;
        option domain-name "domain.com";
        option domain-name-servers 192.168.1.1;
        default-lease-time 21600;
        max-lease-time 43200;

        # we want the nameserver to appear at a fixed address
        host dns1 {
            hardware ethernet 12:34:56:78:AB:CD;
            fixed-address 192.168.0.20;
        }
    }

Page 64: dhcpd.leases Format

    lease 192.168.1.8 {
        starts 3 2004/04/12 09:34:12;
        ends 6 2004/07/15 23:49:57;
        hardware ethernet 00:09:e6:88:0a:05;
    }
    ...

Page 65: NFS
2004 August

Related daemons: rpc.nfsd, rpc.portmap, rpc.mountd
Installation: nfs-utils, portmap

Page 66: NFS Configuration

Server side:
  Edit the /etc/exports file:  PATH  host_lists(options)
  Run the 'exportfs -r' command
  'redhat-config-nfs' command

Client side:
  mount -t nfs server:PATH Mountpoint
  Edit the '/etc/fstab' file:  server:PATH  M.P.  nfs  ro  0 0

Page 67: SAMBA (1)

Related services: smbd, nmbd
Related packages: samba, samba-common, samba-client

Page 68: SAMBA (2)

Server configuration: global directives, service directives
Client configuration: smbmount //server/share /m.p. ; smbclient //server/share
Configuration with SWAT

Page 69:

RHCE: Red Hat Certified Engineer
M. A. Agheli
Session 13

Page 70: Complete RHCE doc

71

TCP/IP ServicesTCP/IP Services

Client Server

Process

Port

Port

Port

Process

2. Client binds to port

1. server binds to port and listens

4. Server designates port

3. Client connects to server

5. Client and server communicate

Page 71: Complete RHCE doc

72

Remote LoginRemote Login

TelnetTelnet Server & Client Server & Client

SSHSSH Server & ClientServer & Client

Page 72: Complete RHCE doc

73

The Apache Web ServerThe Apache Web Server ModulesModules

mod_authmod_auth mod_infomod_info mod_phpmod_php mod_includemod_include mod_perlmod_perl mod_sslmod_ssl

Page 73: Complete RHCE doc

74

Installation ApacheInstallation Apache

rpm –Uvh httpd-[^d]*.rpmrpm –Uvh httpd-[^d]*.rpm

rpm –Uvh httpd-devel*.rpmrpm –Uvh httpd-devel*.rpm(for support apache modules)(for support apache modules)

Page 74: Complete RHCE doc

75

Basic ConfigurationBasic Configuration

httpd.confhttpd.conf Section 1:Section 1:

The Global EnvironmentThe Global Environment Section 2:Section 2:

The Main ConfigurationThe Main Configuration Section 3:Section 3:

The Virtual Host The Virtual Host ConfigurationConfiguration

Page 75: Complete RHCE doc

76

Apache Advanced Apache Advanced ConfigurationConfiguration

Authentication in ApacheAuthentication in Apache Configure with PHPConfigure with PHP Configure with SSLConfigure with SSL Configure Virtual HostConfigure Virtual Host

Page 76: Complete RHCE doc

77

Authentication in ApacheAuthentication in Apache

<Location /dir_name><Location /dir_name>

AuthTypeAuthType BasicBasic

AuthNameAuthName “NAME”“NAME”

AuthUserFileAuthUserFile “.htpasswd”“.htpasswd”

RequireRequire valid-uservalid-user

</Location></Location>

Create ‘/etc/httpd/.htpasswd’ Create ‘/etc/httpd/.htpasswd’ filefile

Configuring ‘httpd.conf’ fileConfiguring ‘httpd.conf’ file

Page 77: Complete RHCE doc

78

Configure Apache with PHPConfigure Apache with PHP

rpm –Uvh php-4*.rpmrpm –Uvh php-4*.rpm

Configure Apache with SSLConfigure Apache with SSL rpm –Uvh mod_ssl*.rpmrpm –Uvh mod_ssl*.rpm

Page 78: Complete RHCE doc

79

Configure Virtual HostConfigure Virtual Host

<VirtualHost 127.0.0.2><VirtualHost 127.0.0.2>

ServerAdminServerAdmin [email protected]@vh.com

DocumentRootDocumentRoot /var/www/html//var/www/html/vh/vh/

ServerNameServerName www.vh.comwww.vh.com

</VirtualHost></VirtualHost>

Configuring ‘/etc/hosts’ fileConfiguring ‘/etc/hosts’ file Configuring ‘httpd.conf’ fileConfiguring ‘httpd.conf’ file

Page 79: Complete RHCE doc

80

StartStart StopStop RestartRestart ReloadReload StatusStatus

Apache AdministrationApache Administration

Page 80: Complete RHCE doc

81

Troubleshooting the ApacheTroubleshooting the Apache

/var/log/messages/var/log/messages

/var/log/httpd//var/log/httpd/

/usr/sbin/httpd –S /usr/sbin/httpd –S (for virtual host)(for virtual host)

Page 81: Complete RHCE doc

82

Securing Your NetworkSecuring Your Network Using ‘Using ‘lokkitlokkit’ or ‘’ or ‘redhat-redhat-

config-securitylevelconfig-securitylevel’ ’ CommandCommand

Password & Physical SecurityPassword & Physical Security Securing TCP/IPSecuring TCP/IP Using TripwireUsing Tripwire Keeping Up-to-Date on Linux Keeping Up-to-Date on Linux

Security IssuesSecurity Issues

Page 82: Complete RHCE doc

83

RHCERed Hat Certified Engineer

M. A. AgheliM. A. Agheli

Session 14Session 14

Page 83: Complete RHCE doc

84

FTPFTP InstallationInstallation

rpm –ivh vsftp*.rpmrpm –ivh vsftp*.rpm Config FileConfig File

/etc/vsftpd/vsftpd.conf/etc/vsftpd/vsftpd.conf Access LevelsAccess Levels

Anonymouse Access Anonymouse Access ((anonymouse_enableanonymouse_enable))

User Access (User Access (tcp_wrappers needstcp_wrappers needs))

Page 84: Complete RHCE doc

85

Cache Server (Squid)Cache Server (Squid)

Install squidInstall squid rpm –ivh squid*.rpmrpm –ivh squid*.rpm

Managing squidManaging squid start, stop, restart, start, stop, restart,

status, reloadstatus, reload

Page 85: Complete RHCE doc

86

Squid Log FilesSquid Log Files /var/log/squid/access.log /var/log/squid/access.log

((cache_access_logcache_access_log)) //varvar//loglog//squidsquid//cachecache..log log

((cache_logcache_log)) //varvar//loglog//squidsquid//storestore..loglog

((cache_store_logcache_store_log))

Page 86: Complete RHCE doc

87

An Example of ‘squid.conf’An Example of ‘squid.conf’http_port 8081http_port 8081

cache_effective_user squidcache_effective_user squid

cache_effective_group squidcache_effective_group squid

acl all src 0.0.0.0/0.0.0.0acl all src 0.0.0.0/0.0.0.0

http_access allow allhttp_access allow all

cache_dir ufs /cache 1024 16 cache_dir ufs /cache 1024 16 3232

visible_hostname ws1visible_hostname ws1

Page 87: Complete RHCE doc

88

Running SquidRunning Squid service squid startservice squid start

squid –d1 –zsquid –d1 –z

squid –d1 –f squid –d1 –f

/etc/squid/squid.conf/etc/squid/squid.conf

Page 88: Complete RHCE doc

89

The Kind of ProxiesThe Kind of Proxies Upstream ProxyUpstream Proxy

cache_peer cache_peer youryourproxy.com parent proxy.com parent 3128 31303128 3130

prefer_direct ofprefer_direct offf

Transparent Transparent ProxyProxyhttpd_accel_host virtualhttpd_accel_host virtual

httpd_accel_port 80httpd_accel_port 80

httpd_accel_with_proxy onhttpd_accel_with_proxy on

httpd_accel_uses_host_header onhttpd_accel_uses_host_header on

Page 89: Complete RHCE doc

90

RHCERed Hat Certified Engineer

M. A. AgheliM. A. Agheli

Session 15Session 15

Page 90: Complete RHCE doc

91

Configuring a Linux RouterConfiguring a Linux Router

Configuring KernelConfiguring KernelIP: advanced routerIP: advanced router

Enable IP ForwadingEnable IP ForwadingAdd ‘net.ipv4.ip_forward=1’ to Add ‘net.ipv4.ip_forward=1’ to

/etc/sysctl.conf/etc/sysctl.confecho “1” > echo “1” >

/proc/sys/net/ipv4/ip_forward/proc/sys/net/ipv4/ip_forward

Page 91: Complete RHCE doc

92

Type of RoutesType of Routes

Static routeStatic route

Dynamic Dynamic routeroute

Page 92: Complete RHCE doc

93

Components of Routing Rules

Destination IP Address
An Interface
An Optional Gateway IP Address

Page 93: Complete RHCE doc

94

Routing Command

route add -net net_addr netmask mask_addr interface
route add -host ip_addr interface
route add default gateway ip_addr interface

Page 94: Complete RHCE doc

95

An Example (network diagram)

LAN 1 on eth0, gateway 192.168.1.1: A 192.168.1.2, B 192.168.1.3, C 192.168.1.4, D 192.168.1.5
LAN 2 on eth1, gateway 192.168.100.1: E 192.168.100.2, F 192.168.100.3, G 192.168.100.4, H 192.168.100.5
Uplink on eth2, 10.1.1.1: Router 10.1.1.2, then the Internet

Page 95: Complete RHCE doc

96

Related Rules

route add -net 192.168.1.0 netmask 255.255.255.0 eth0
route add -net 192.168.100.0 netmask 255.255.255.0 eth1
route add -net 10.1.1.0 netmask 255.255.255.0 eth2
route add default gateway 10.1.1.2 eth2

Page 96: Complete RHCE doc

97

Result

Destination      Gateway    Genmask          Flags  Metric  Ref  Use  Iface
192.168.1.1      *          255.255.255.255  UH     0       0    0    eth0
192.168.100.1    *          255.255.255.255  UH     0       0    0    eth1
10.1.1.1         *          255.255.255.255  UH     0       0    0    eth2
192.168.1.0      *          255.255.255.0    U      0       0    0    eth0
192.168.100.0    *          255.255.255.0    U      0       0    0    eth1
10.1.1.0         *          255.255.255.0    U      0       0    0    eth2
0.0.0.0          10.1.1.2   0.0.0.0          UG     0       0    0    eth2
127.0.0.0        *          255.0.0.0        U      0       0    0    lo

U: Network link is up   H: Destination address refers to a host   G: Gateway

Page 97: Complete RHCE doc

98

Electronic Mail (Sendmail)

Page 98: Complete RHCE doc

99

How Email Is Sent and Received (diagram: a message addressed to a mailbox at mail1.com travels from the sender's mail2 MTA to the mail1 MTA)

Page 99: Complete RHCE doc

100

Concepts

MTA: Mail Transport Agent
SMTP (server-to-server): Simple Mail Transport Protocol
POP (mail access): Post Office Protocol
IMAP (mail access): Interim Mail Access Protocol
MDA: Mail Delivery Agent
MUA: Mail User Agent

Page 100: Complete RHCE doc

101

Advantages of Sendmail

Older MTA
Powerful MTA

Disadvantages of Sendmail

Slow in high-load environments
Cryptic configuration

Page 101: Complete RHCE doc

102

MTAs: Sendmail, Postfix, Exim, Qmail

MUAs: Evolution, Kmail (KDE), Balsa (GNOME), Mozilla Mail

Page 102: Complete RHCE doc

103

Required Packages

sendmail
sendmail-cf
imap (contains IMAP & POP3; configured through xinetd)

Page 103: Complete RHCE doc

104

Sendmail Configuration

Configure the '/etc/mail/sendmail.mc' file, e.g. LOCAL_DOMAIN(`example.com')dnl
Run 'make -C /etc/mail/'
Configure DNS

Page 104: Complete RHCE doc

105

Email Aliases

Edit the '/etc/aliases' file:

postmaster: joseph

Run the 'newaliases' command

Page 105: Complete RHCE doc

106

Rejecting Email

Edit the '/etc/mail/access' file:

spam.com    REJECT
yahoo.com   OK

service sendmail restart

Page 106: Complete RHCE doc

107

RHCE: Red Hat Certified Engineer

M. A. Agheli

Session 16

Page 107: Complete RHCE doc

108

DNS

Page 108: Complete RHCE doc

109

Where do I look?

/etc/nsswitch.conf (name service switch)

t@localhost:~$ cat /etc/nsswitch.conf
hosts: files dns

Page 109: Complete RHCE doc

110

Files

Search order determined by nsswitch.conf. It is polite to have /etc/hosts first!

sjh@mccoy:~$ cat /etc/hosts
127.0.0.1       localhost
193.62.81.135   mccoy.tardis.ed.ac.uk mccoy
193.62.81.134   baker.tardis.ed.ac.uk baker
193.62.81.132   packages.tardis.ed.ac.uk packages

Page 110: Complete RHCE doc

111

DNS Traversal

1. Local files
2. DNS server locally
3. Item in cache?
4. Root server, work your way down...

Page 111: Complete RHCE doc

112

Resolving Names

Configuration files for local host name resolution (important for testing):
/etc/resolv.conf
/etc/nsswitch.conf
/etc/host.conf

Page 112: Complete RHCE doc

113

DNS

BIND – Berkeley Internet Name Daemon
Dents – buggy as hell (still in alpha?)
Djbdns – Dan Bernstein's DNS server
Banyan VINES – don't go there!

Page 113: Complete RHCE doc

114

Named (name dee)

/etc/named.conf: the config file for named. It defines the directory that stores the DNS config files, says which zones we serve and where to find their files, and tells us whether we are master or slave, whether zone transfers are allowed or denied, what the IPs of the other master / slave servers are, etc.

<DNSROOT>/root.hints: contains "pointers" to the Root Servers
<DNSROOT>/127.0.0: config for reverse lookup of the local host/subnet
<DNSROOT>/<zone>: config for the zone
<DNSROOT>/<in-addr.arpa file>: config for reverse lookup for your zone

Page 114: Complete RHCE doc

115

A simple named.conf

## named.custom - custom configuration for bind
zone "." {
        type hint;
        file "root.lists";
};
options {
        directory "/var/named/";
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "127.0.0";
};
zone "hq.alim.ir" {
        type master;
        file "hq.alim.ir";
};
zone "168.168.192.in-addr.arpa" {
        type master;
        file "192.168.168";
};

Page 115: Complete RHCE doc

116

DNS Data

DNS databases contain more than just hostname-to-address records:

SOA – Start Of Authority – it is the daddy!
IN NS – Name Server
IN MX – Mail eXchanger
IN A – Address record
IN CNAME – Canonical NAME

Page 116: Complete RHCE doc

117

A simple zone file

@       IN SOA  hq.alim.ir. root.hq.alim.ir. (
                199609206       ; serial, today's date + today's serial #
                8H              ; refresh, seconds
                2H              ; retry, seconds
                4W              ; expire, seconds
                1D )            ; minimum, seconds
        NS      hq.alim.ir.
        MX      10 hq.alim.ir.  ; Primary Mail Exchanger
        TXT     "Alim IT Center"
localhost       A       127.0.0.1
router          A       192.168.168.1
hq.alim.ir.     A       192.168.168.2
ns              A       192.168.168.3
www             A       207.159.141.192
ftp             CNAME   hq.alim.ir.
mail            CNAME   hq.alim.ir.
news            CNAME   hq.alim.ir.

Page 117: Complete RHCE doc

118

A simple in-addr.arpa file

$TTL 3D
@       IN SOA  hq.alim.ir. root.hq.alim.ir. (
                199609206       ; Serial
                28800           ; Refresh
                7200            ; Retry
                604800          ; Expire
                86400 )         ; Minimum TTL
        NS      hq.alim.ir.
; Servers
1       PTR     router.hq.alim.ir.
2       PTR     hq.alim.ir.
2       PTR     funn.hq.alim.ir.
; Workstations
200     PTR     ws-177200.hq.alim.ir.
201     PTR     ws-177201.hq.alim.ir.
202     PTR     ws-177202.hq.alim.ir.

Page 118: Complete RHCE doc

119

Forward DNS

hq.alim.ir (as per /etc/named.conf)

SOA – Start Of Authority – it is the daddy!
IN NS – Name Server
IN MX – Mail eXchanger
IN A – Address record
IN CNAME – Canonical NAME

Page 119: Complete RHCE doc

120

Reverse DNS

192.168.168 (as per /etc/named.conf)

SOA
IN NS
IN PTR – Pointer

Page 120: Complete RHCE doc

121

DNS Round Robin

Fault tolerance? Through nifty DNS hacks:

www.teviot.com.   60   IN   A   10.0.1.100
www.teviot.com.   60   IN   A   10.0.2.100
www.teviot.com.   60   IN   A   10.0.3.100

Page 121: Complete RHCE doc

122

Common Mistakes

Forgetting to increment the Serial Number!
CNAME pointing at another CNAME!
Forgetting the "." in appropriate places!
Underscores in hostnames!
Forgetting to reload the daemon!
Version control issues – clobbered changes!
TTL issues
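An added example, not from the slides, that checks zone files such as the two above for the mistakes just listed: relative names missing the trailing ".", a CNAME pointing at another CNAME, underscores in hostnames, and a serial that was not bumped. It understands the plain "owner [ttl] [class] type rdata" record lines used on the slides; the file paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the RHCE slides: a lint for the zone-file
# mistakes the slide lists. Record syntax handled is the simple form used in
# the slide's zone files (no $ORIGIN changes, no $GENERATE).

zone_lint() {
    # Print one line per finding for the zone file "$1".
    awk -v zone="$1" '
        function fqdn_check(name, what) {
            # A name with dots but no trailing dot is relative: named appends
            # the origin, turning hq.alim.ir into hq.alim.ir.hq.alim.ir.
            if (name ~ /\./ && name !~ /\.$/)
                printf "%s:%d: %s target %s lacks trailing dot\n", zone, NR, what, name
        }
        /^[ \t]*;/ || NF == 0 || /^\$/ { next }    # comments, blanks, $TTL
        {
            # Leading whitespace means the previous record owner applies.
            if ($0 ~ /^[ \t]/) i = 1; else { owner = $1; i = 2 }
            # Skip an optional TTL (60, 3D, ...) and the class to reach the type.
            while (i <= NF && ($i ~ /^[0-9]+[smhdwSMHDW]?$/ || $i == "IN")) i++
            type = $i
            if ((type == "A" || type == "CNAME") && owner ~ /_/)
                printf "%s:%d: underscore in hostname %s\n", zone, NR, owner
            if (type == "NS" || type == "PTR") fqdn_check($(i + 1), type)
            else if (type == "MX") fqdn_check($(i + 2), type)
            else if (type == "CNAME") {
                cname[owner] = $(i + 1); cname_line[owner] = NR
                fqdn_check($(i + 1), type)
            }
        }
        END {
            # A CNAME whose target is itself a CNAME owner in this zone.
            for (o in cname) if (cname[o] in cname)
                printf "%s:%d: CNAME %s points at CNAME %s\n", zone, cname_line[o], o, cname[o]
        }' "$1"
}

zone_serial() {
    # First all-digit token after the SOA keyword, even when it sits on the
    # next line as in the slide's zone files.
    awk '/SOA/ { insoa = 1 }
         insoa { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

zone_serial_bumped() {
    # Exit 0 when the new serial "$2" is greater than the old one "$1";
    # slaves only transfer a zone whose serial has gone up.
    [ "$2" -gt "$1" ]
}

# Usage: sh zonelint.sh /var/named/hq.alim.ir
if [ -n "${1:-}" ]; then
    zone_lint "$1"
fi
```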

Page 122: Complete RHCE doc

123

Test Tools

nslookup
dig
    dig mail.hq.alim.ir
    dig -x 192.168.168.2
    dig 168.168.192.in-addr.arpa. AXFR
whois
http://www.squish.net/dnscheck/ (James Ponder's DNS check web page)

Page 123: Complete RHCE doc

124

RHCE: Red Hat Certified Engineer

M. A. Agheli

Session 17

Page 124: Complete RHCE doc

125

Firewall

Required Properties:

Control: allow only those packets that you are interested in to pass through.
Security: reject packets from malicious outsiders.
Watchfulness: log packets to/from the outside world.

Page 125: Complete RHCE doc

126

Firewall Types

Packet Filtering
    Stateful
    Stateless
Proxy-Based Firewall

Page 126: Complete RHCE doc

127

Packet Filter under Linux

1st generation: ipfw (from BSD)
2nd generation: ipfwadm (Linux 2.0)
3rd generation: ipchains (Linux 2.2)
4th generation: iptables (Linux 2.4 & 2.6)

Page 127: Complete RHCE doc

128

Installing Iptables

Kernel supports iptables:
Networking Options -> TCP/IP Networking -> Network Packet Filtering
Networking Options -> TCP/IP Networking -> IP: advanced router -> *
Networking Options -> IP: Netfilter

For packet traffic control:
Networking Options -> QoS and/or fair queueing -> *

# rpm -ivh iptables-1.2.6a-2.i386.rpm

Page 128: Complete RHCE doc

129

Chains of Tables

INPUT: controls packets entering your system
OUTPUT: controls packets leaving your system
FORWARD: controls what packets can move from one network to another through your system

Page 129: Complete RHCE doc

130

(diagram: an arriving packet reaches the Routing Decision, then goes either to the INPUT chain and a Local Process, whose own packets leave through the OUTPUT chain, or to the FORWARD chain)

Page 130: Complete RHCE doc

131

1. When a packet comes in, the kernel first looks at the destination of the packet: this is called routing.

2. If it's destined for this box, it passes downwards in the diagram to the INPUT chain. If it passes, any processes waiting for that packet will receive it. Otherwise go to step 3.

Page 131: Complete RHCE doc

132

3. If forwarding is not enabled, the packet will be dropped. If forwarding is enabled and the packet is destined for another network interface, the packet goes rightwards on our diagram to the FORWARD chain. If it is accepted, it will be sent out.

4. Packets generated by a local process pass to the OUTPUT chain immediately. If it says ACCEPT, the packet will be sent out.

Page 132: Complete RHCE doc

133

Packet Status in Iptables

ESTABLISHED
NEW
RELATED
INVALID

Page 133: Complete RHCE doc

134

Results of Packet Checking

ACCEPT
DROP
REJECT
...

Page 134: Complete RHCE doc

135

Tables of Iptables

Filter
NAT
Mangle

Page 135: Complete RHCE doc

136

The Path of a Packet in Iptables (diagram)

Network -> Mangle PREROUTING -> NAT PREROUTING (Destination NAT) -> Routing decision
    for this host: Mangle INPUT -> Filter INPUT -> Local process -> Routing decision -> Mangle OUTPUT -> NAT OUTPUT -> Filter OUTPUT
    for another host: Mangle FORWARD -> Filter FORWARD
Both paths continue: Mangle POSTROUTING -> NAT POSTROUTING (Source NAT, based on routing) -> Network

Page 136: Complete RHCE doc

137

Tables of Chains

Table     INPUT   OUTPUT   FORWARD   PREROUTING   POSTROUTING
MANGLE    *       *        *         *            *
NAT       -       *        -         *            *
FILTER    *       *        *         -            -

Page 137: Complete RHCE doc

138

Building a Rule: source/destination

iptables -s 200.200.200.1

Refers to packets from a specific IP address. The "-s" refers to the source of the packet, where the packet is coming from. A corresponding "-d" refers to the destination, where the packet is going to.

Page 138: Complete RHCE doc

139

Building a Rule: action

iptables -s 200.200.200.1 -j DROP

The "-j" determines what happens to the

Building a Rule: IP address ranges

iptables -s 200.200.200.0/24 -j DROP

IPs that match 200.200.200.*. The "/24" refers to the number of bits that are fixed, counting from the left.

Page 139: Complete RHCE doc

140

Other Actions

REDIRECT: sends packets to a proxy
LOG: tracks packets as they match rules
RETURN: terminates user-defined chains

Page 140: Complete RHCE doc

141

Building a Rule: appending rules to chains

iptables -A INPUT -s 200.200.200.1 -j DROP

The "-A" appends the rule to a chain; "INPUT" specifies the chain. This command makes your system ignore all packets from 200.200.200.1.

iptables -A OUTPUT -d 200.200.200.1 -j DROP

This command does not allow your system to send packets to 200.200.200.1.

Page 141: Complete RHCE doc

142

Building a Rule: only blocking some packets

iptables -A INPUT -s 200.200.200.1 -p tcp --destination-port telnet -j DROP

The "-p" specifies a protocol: tcp, udp, or icmp. The "--destination-port" is where the packet is going. You can use the service name or the port number; 23 could be used in this example.

Keep in mind that the source port is very different from the destination port. In this example the inbound message is going to your telnet server. The telnet client that is sending you the message could be running on any port.

--dport == --destination-port
--sport == --source-port

Page 142: Complete RHCE doc

143

Building a Rule: multiple network interfaces

Assume your machine has two interface cards, one to a LAN named eth0 and the other to the Internet named ppp0.

iptables -A INPUT -p tcp --dport telnet -i ppp0 -j DROP

The "-i" option specifies the input interface. There is also a "-o" option for the output interface.

iptables -A INPUT -p tcp --dport telnet -i eth0 -j ACCEPT

Together these rules would accept telnet requests from the LAN but block telnet requests from the Internet.

Page 143: Complete RHCE doc

144

Building a Rule: chain policies

iptables -P FORWARD ACCEPT

The "-P" option followed by a chain name and an action determines the default policy of the chain. If no rule in the chain matches, this default action is taken.

The usual policies are: INPUT = ACCEPT, OUTPUT = ACCEPT, FORWARD = DENY

Page 144: Complete RHCE doc

145

Building a Rule: adding rules to chains

iptables -A INPUT -s 200.200.200.1 -j DROP
    Appends the rule to the end of the chain
iptables -I INPUT 3 -s 200.200.200.1 -j DROP
    Inserts the rule as rule 3 in the chain, moving all other rules down 1
iptables -R INPUT 3 -s 200.200.200.1 -j DROP
    Replaces rule 3 in the chain
iptables -D INPUT 3
    Deletes rule 3 in the chain

Page 145: Complete RHCE doc

146

Operations to manage whole chains

-N  Create a new chain
-X  Delete an empty chain
-P  Change the policy for a built-in chain
-L  List the rules in a chain
-F  Flush the rules out of a chain
-Z  Zero the packet and byte counters on all rules in a chain

Page 146: Complete RHCE doc

147

Manipulate rules inside a chain

-A  Append a new rule to a chain
-I  Insert a new rule at some position in a chain
-R  Replace a rule at some position in a chain
-D  Delete a rule at some position in a chain
-D  Delete the first rule that matches in a chain

Page 147: Complete RHCE doc

148

An Example (network diagram)

LAN hosts 192.168.1.5, 192.168.1.6 and 192.168.1.7, all with GW 192.168.1.1
Firewall 192.168.1.1 with interfaces eth0 and eth1, between the LAN and the Internet
The firewall runs a Web Server and an SSH Server; the SSH Server is accessible ONLY via the LAN
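An added example, not from the slides, of a rule set for the firewall just described, built from the options covered in this session (-P, -A, -s, -i, -o, -p, --dport, -m state, LOG). It assumes eth0 faces the Internet, eth1 faces the LAN 192.168.1.0/24, and the web and SSH servers run on the firewall itself; setting IPTABLES=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not part of the RHCE slides: a default-deny rule set for the
# firewall on the "An Example" slide. Assumptions: eth0 faces the Internet,
# eth1 faces the LAN 192.168.1.0/24, and the firewall itself runs the web and
# SSH servers. IPTABLES=echo prints the rules instead of loading them.
IPTABLES=${IPTABLES:-iptables}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

fw_load() {
    # Clean filter table, then deny by default: whatever is not explicitly
    # accepted below is dropped, so a forgotten service stays unreachable.
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback and replies to connections the firewall opened; packets the
    # connection tracker cannot classify are dropped early.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP

    # Web server: new connections accepted on every interface.
    $IPTABLES -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # SSH: only on the LAN interface AND only from LAN addresses, so a packet
    # with a forged 192.168.1.x source arriving on eth0 is still dropped.
    $IPTABLES -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT

    # The LAN hosts use this box as gateway: forward LAN to Internet plus the
    # replies, nothing initiated from the Internet side.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # Watchfulness: log what the default policy is about to drop, rate-limited
    # so a flood cannot fill the disk.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
}

fw_preview() {
    # Print the rules fw_load would install, without touching the kernel.
    ( IPTABLES=echo; fw_load )
}

fw_ssh_accepts_on() {
    # Number of SSH ACCEPT rules bound to interface "$1"; the policy requires
    # exactly one on the LAN side and none on the Internet side.
    fw_preview | grep -- '--dport 22' | grep -c -- "-i $1" || true
}

# Usage: sh firewall.sh load   (as root)      sh firewall.sh preview
case "${1:-}" in
    load)    fw_load ;;
    preview) fw_preview ;;
esac
```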

Page 148: Complete RHCE doc

149

RHCE: Red Hat Certified Engineer

M. A. Agheli

Session 18: Advanced

Page 149: Complete RHCE doc

150

Traffic Shaping (CBQ)

/etc/rc.d/init.d/cbq.init (http://ovh.dl.sourceforge.net/sourceforge/cbqinit/cbq.init-v0.7.3)
Install the 'shapecfg' RPM
/etc/sysconfig/cbq/* (0002-FFFF)
/etc/rc.d/init.d/cbq.init start

Page 150: Complete RHCE doc

151

Sample of CBQ Configuration

DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
PRIO=5
RULE=:21,192.168.1.0/24

Page 151: Complete RHCE doc

152

The End

Good Luck