RHCE: Red Hat Certified Engineer, Session 1 (Asif Raza)
Posted on 26-Mar-2015
RHCE: Red Hat Certified Engineer
Session 1
Asif Raza

History of UNIX & Linux

1957: Bell Labs found they needed an operating system, which at the time was running various batch jobs.
1965: Bell Labs created Multics (Multiplexed Information and Computing Service).
1969: In summer 1969 UNIX was developed by AT&T.
1975: Sixth edition of UNIX released, May 1975.
1985: GNU project started.
1991: Linux is introduced by Linus Benedict Torvalds, who was a second-year student of Computer Science at the University of Helsinki.
1993: NetBSD & FreeBSD released.
1994: Red Hat Linux is introduced.

First Article About Linux

From: torvalds@klaava.Helsinki.FI (Linus Benedict Torvalds)
Newsgroups: comp.os.minix
Subject: What would you like to see most in minix?
Summary: small poll for my new operating system
Message-ID: <1991Aug25.205708.9541@klaava.Helsinki.FI>
Date: 25 Aug 91 20:57:08 GMT
Organization: University of Helsinki

Hello everybody out there using minix -

I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones. This has been brewing since april, and is starting to get ready. I'd like any feedback on things people like/dislike in minix, as my OS resembles it somewhat (same physical layout of the file-system (due to practical reasons) among other things).

I've currently ported bash(1.08) and gcc(1.40), and things seem to work. This implies that I'll get something practical within a few months, and I'd like to know what features most people would want. Any suggestions are welcome, but I won't promise I'll implement them :-)

Linus (torvalds@kruuna.helsinki.fi)

PS. Yes - it's free of any minix code, and it has a multi-threaded fs. It is NOT protable (uses 386 task switching etc), and it probably never will support anything other than AT-harddisks, as that's all I have :-(.

GNU & GPL

GNU Project: focused on creating a Unix-like operating system that could be freely distributed.
GPL: General Public License (copyleft).

Major Linux Distributors

Caldera Linux, Corel Linux, Debian Linux, Kondara Linux, Red Hat Linux, Mandrake Linux, Slackware Linux, SuSE Linux, Turbo Linux, Vector Linux

The Advantages of Linux

Low purchase cost; Open Source Software (OSS); UNIX heritage; multi-user; scalability; vendor support; reliable uptime; security; logging system; …

The Disadvantages of Linux

Steep learning curve; hardware support; end-user applications

A Comparison of Win 9x, NT, and Linux

Feature                  Win 9x     Win NT   Linux
Scalability              Poor       Good     Good
Desktop App. Support     Excellent  Good     Good
Enterprise App. Support  None       Good     Good
Hardware Support         Excellent  Good     Good
Licensing Cost           Good       Poor     Excellent
Network Performance      Good       Good     Excellent
Security                 Poor       Good     Good

Linux Filesystem Hierarchy

/bin   Essential binary files
/boot  Boot loader files
/dev   Device files
/etc   Configuration files
/home  User home directories
/lib   Shared libraries and kernel modules
/mnt   Mount point for temporarily mounted filesystems
/proc  System information virtual filesystem
/root  Home directory of the root user
/sbin  Essential system binaries
/tmp   Temporary files
/usr   Shareable files
/var   Non-shareable files

RHCE: Red Hat Certified Engineer
Session 2
Asif Raza

Installing Linux

Hardware requirements; hard disk partitioning; boot loader; install packages; X configuration

Overview of the Installation Process

1. Starting the installation process: installation mode, language, keyboard, mouse
2. Partitioning
3. Boot loader installation
4. Network configuration
5. Setting the time zone

Overview of the Installation Process (continued)

5. Firewall configuration
6. Specifying authentication options (optional)
7. Specifying user accounts
8. Selecting packages
9. Installing packages
10. Creating a boot disk
11. Configuring the X Window System (optional)

Installing Linux: Consoles & Message Logs

Console  Keystrokes   Contents
1        Ctrl+Alt+F1  Text-based installation procedure
2        Ctrl+Alt+F2  Shell prompt
3        Ctrl+Alt+F3  Messages from the installation program
4        Ctrl+Alt+F4  Kernel messages
5        Ctrl+Alt+F5  Other messages, including file system creation messages
7        Ctrl+Alt+F7  Graphical installation procedure

Configuring Install-Time Options after Installation

kbdconfig, mouseconfig, timeconfig, sndconfig, netconfig, authconfig, ntsysv, setup, redhat-config-…

RHCE: Red Hat Certified Engineer
Session 3
Asif Raza

SHELL

Shells: bash (Bourne Again Shell), ash, sach, tcsh, mc
Some important BASH variables: PATH, SHELL, PS1, PS2
PS1, PS2 switches: \u, \h, \W, \d, \t, \s, \$, $

Some Linux Commands (1)

echo, man, help, info, ls
cat, tac, cp, mv, rm
cd, touch, pwd, mkdir, rmdir
clear, alias, less, date
logout, exit, reboot, halt

RHCE: Red Hat Certified Engineer
Session 4
Asif Raza

BASH

• TAB key features
• Review pages & commands
Quoting in BASH: "value"  'value'  `value`
Redirection operators: >  >>  |  <<  <
Standard input & standard output: stdin 0, stdout 1, stderr 2

Important Command Forms

cmd
cmd &            (fg, Ctrl+Z, bg)
cmd1 ; cmd2
(cmd1 ; cmd2)
cmd1 `cmd2`
cmd1 | cmd2
cmd1 && cmd2
cmd1 || cmd2
{ cmd1 ; cmd2 ; }

Linux File Types

Type              Symbol  Description
Normal            -       Normal file
Directory         d       Normal directory
Hard link         -       (shown as a normal file)
Symbolic link     l       Shortcut to a file or directory
Socket            s       Passes data between two processes
Named pipe        p       Like sockets; users can't work with them directly
Character device  c       Handles character hardware communication
Block device      b       Major & minor numbers for controlling the device

Bash Special Variables

$#  Number of arguments given to the command
$?  Return value (exit status) of the last program run
$$  Process number of the current shell
$!  Process number of the last child process
$@  All arguments, individually quoted
$*  All arguments quoted as a whole
$n  Positional argument value, where n is the position
$0  Name of the current shell

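As an added example (not from the slides), the special variables above in action: what $#, $?, "$@" and "$*" actually expand to when an argument contains a space. The function names are hypothetical; the point is that quoting decides how many arguments a command receives.

```shell
#!/bin/sh
# Added example, not from the slides: bash special variables in practice.

# $# is the number of arguments that actually reached this function.
count_args() { echo "$#"; }

# "$@" forwards every argument intact, spaces included -> 2 for "a b" c.
forward_at() { count_args "$@"; }

# "$*" joins all arguments into ONE word -> 1 for "a b" c.
forward_star() { count_args "$*"; }

# Unquoted $* (or $@) is re-split on whitespace -> 3 for "a b" c.
# This is the classic "filename with spaces" bug in shell scripts.
forward_unquoted() { count_args $*; }

# $? is the exit status of the last command. The command runs as an
# if-condition so a non-zero status does not abort a script under set -e.
status_of() {
  if "$@"; then echo 0; else echo "$?"; fi
}

# $1 ... $n are the positional arguments; shift drops $1 and renumbers
# the rest, so $# goes down by one each time.
after_shift() { shift; echo "$# $1"; }

# Usage: sh specials.sh "a b" c
if [ $# -gt 0 ]; then
  echo "\"\$@\" count: $(forward_at "$@")"
  echo "\"\$*\" count: $(forward_star "$@")"
  echo "unquoted count: $(forward_unquoted "$@")"
fi
```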
Some Linux Commands (2)

Process text streams: sort, cut, head, tail, split, wc, uniq, grep
Redirecting a command's output: tee
Create, monitor & kill processes: ps, pstree, top, kill, killall
Modify process priority: renice

RHCE: Red Hat Certified Engineer
Session 5
Asif Raza

Some Linux Commands (3)

Create partitions and filesystems: fdisk, mke2fs, mkfs.*
Maintain the integrity of filesystems: e2fsck, fsck.*, du, df
Filesystem mounting & unmounting: mount, umount, /etc/fstab

Some Linux Commands (4)

Use file permissions: chmod, chown, chgrp, su
Create hard & symbolic links: ln
Find system files: find, locate, which
Using emergency & single-user mode

'vi' Powerful Text Editor

Modes: Insert mode, Normal mode, Command mode

• dd, n+dd (delete)
• yy, n+yy (copy)
• p (paste after)
• P (paste before)
• / (search)
• v (visual, text selection)
• Insert text
• Delete
• :w
• :q
• :wq = :x
• :q!
• :r
• :s///

RHCE: Red Hat Certified Engineer
Session 6

Run Levels

Run level  Definition
0          Halts the system
1          Single-user mode
2          Multi-user mode without networking
3          Multi-user mode with networking
4          Not used
5          X-based login
6          Reboots the system

init & chkconfig commands
/etc/inittab
/etc/rc.d/init.d & /etc/rc[0123456].d/

Configuring the Boot Loader

LILO: edit /etc/lilo.conf & execute the 'lilo' command
GRUB: edit /boot/grub/grub.conf

Administrative Tasks

Manage users, groups & related files: useradd, userdel, groupadd, groupdel, passwd, vipw, vigr; /etc/passwd, /etc/shadow, /etc/skel, /etc/profile, …
Configure and use system log files: /etc/syslog.conf, /etc/logrotate.conf
Scheduling jobs: at & crontab commands
Backup & restore tools: tar, bzip2, gzip

RHCE: Red Hat Certified Engineer
Session 7

Linux Installation and Package Management

Make and install programs from source
RPM (Red Hat Package Manager)

Kernel

About the kernel and loadable modules
Manage kernel modules at runtime (/etc/modules.conf)
Reconfigure, build and install a custom kernel

RHCE: Red Hat Certified Engineer
Session 8

Shell Scripts

# Comments
#! special comment (interpreter line)
Assign a value:
  x=y
  x='$y'
  x=${y}
  x=\$y
  x=$y
  export x y z
  x=${y}es
  export x=$y
  x=$yes

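As an added example (not from the slides), the quoting forms from Session 4 and the assignment forms listed above evaluated with y=yes so their differences are visible; the function names are hypothetical. The case to notice is x=$yes, which reads the unset variable "yes" rather than "$y" followed by "es".

```shell
#!/bin/sh
# Added example, not from the slides: assignment and quoting forms evaluated.

y=yes

# Double quotes expand the variable.
dq() { x="$y"; echo "$x"; }            # -> yes

# Single quotes keep $y literal; so does a backslash before the $.
sq() { x='$y'; echo "$x"; }            # -> $y
bs() { x=\$y;  echo "$x"; }            # -> $y

# Backticks substitute a command's output (same as $(...)).
bt() { x=`echo "$y"`; echo "$x"; }     # -> yes

# Braces end the variable name, so text can follow it directly.
braces() { x=${y}es; echo "$x"; }      # -> yeses

# Without braces the shell reads $yes as the variable named "yes",
# which is unset, so x is empty. Brackets make the emptiness visible.
nobrace() { x=$yes; echo "[$x]"; }     # -> []

# set -u turns that silent empty expansion into an error; run it in a
# subshell so the failure is reported instead of killing the script.
nobrace_strict() {
  ( set -u; x=$yes; echo "[$x]" ) 2>/dev/null || echo "error: unset variable"
}

# export makes a variable visible to child processes; a plain assignment
# does not. The child here is a separate sh process.
exported()     { export exp_val="$y"; sh -c 'echo "[$exp_val]"'; }   # -> [yes]
not_exported() { plain_val="$y";      sh -c 'echo "[$plain_val]"'; } # -> []
```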
Shell Scripts: Control Constructs

'read' command
'test' command ( [ ] )
if …; then …; else …; fi
case … in pattern) … ;; esac
while …; do …; done
until …; do …; done
for x in …; do …; done
break, continue, exit (for, while, until)

RHCE: Red Hat Certified Engineer
Session 9
Asif Raza

Installing and Configuring X

Basic X Concepts

X client
X server
X protocol

Basic X Concepts (continued)

X window manager
X desktop manager
X display manager

Installing X

1. Determine the proper X server
2. Install the proper packages

X Server Selection: XFree86-*

Installing the packages: freetype, gtk+, XFree86-libs, XFree86-75dpi-fonts, redhat-config-xfree86, XFree86-xfs, XFree86-xdm, XFree86-twm, XFree86-tools, xinitrc

Configuring X

redhat-config-xfree86
xvidtune

Important X Directories & Files

/usr/X11R6/bin
/etc/X11
/etc/X11/XF86Config

Configure and Use PPP

'redhat-config-network-tui' command in text mode
Modem configuration files
kppp command in X Window

RHCE: Red Hat Certified Engineer
Session 10

Network Basics

IP address (network & host portion): 192.168.168.1 : 11000000.10101000.10101000.00000001
Static IP, Dynamic IP
Netmask address:   255.255.255.0   : 11111111.11111111.11111111.00000000
Network address:   192.168.168.0   : 11000000.10101000.10101000.00000000
Broadcast address: 192.168.168.255 : 11000000.10101000.10101000.11111111

Classful Addressing System

Network classes:
  Class A  1.0.0.0-126.0.0.0    (8 bits)
  Class B  128.0.0.0-191.0.0.0  (16 bits)
  Class C  192.0.0.0-223.0.0.0  (24 bits)
Reserved IP:
  127.0.0.0-127.255.255.255  (loopback address)
  224.0.0.0-239.255.255.255  (multicast protocols)
  240.0.0.0-255.255.255.255  (do not use)
Public & private networks (valid & invalid IPs):
  10.0.0.0-10.255.255.255
  172.16.0.0-172.31.255.255
  192.168.0.0-192.168.255.255

Classless Addressing System (Subnet)

Net. addr.: 192.168.168.0 = 11000000.10101000.10101000.00000000
Netmasks:
  255.255.255.0   (/24) : 11111111.11111111.11111111.00000000
  255.255.255.128 (/25) : 11111111.11111111.11111111.10000000
  255.255.255.192 (/26) : 11111111.11111111.11111111.11000000
  255.255.255.224 (/27) : 11111111.11111111.11111111.11100000
  255.255.255.240 (/28) : 11111111.11111111.11111111.11110000
  255.255.255.248 (/29) : 11111111.11111111.11111111.11111000
  255.255.255.252 (/30) : 11111111.11111111.11111111.11111100
  255.255.255.254 (/31) : 11111111.11111111.11111111.11111110

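As an added example (not from the slides), the bit arithmetic behind the network address, broadcast address and /NN netmasks shown on the Network Basics and subnet slides, in POSIX shell. It goes a little beyond the slides by also converting a netmask to its prefix length and counting usable hosts, including the /31 and /32 cases; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the slides: network/broadcast and netmask arithmetic.

# Dotted quad -> 32-bit integer, e.g. 192.168.168.1 -> 3232278529.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Dotted quad -> the dotted binary notation used on the slides
# (192.168.168.1 -> 11000000.10101000.10101000.00000001).
ip2bin() {
  v=$(ip2int "$1"); out=""; i=31
  while [ "$i" -ge 0 ]; do
    out="$out$(( (v >> i) & 1 ))"
    if [ $(( i % 8 )) -eq 0 ] && [ "$i" -ne 0 ]; then out="$out."; fi
    i=$(( i - 1 ))
  done
  echo "$out"
}

# Prefix length -> netmask: NN one-bits followed by zero-bits
# (26 -> 255.255.255.192). 4294967295 is 0xFFFFFFFF, the all-ones mask.
prefix2mask() {
  int2ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Netmask -> prefix length (count the one-bits).
mask2prefix() {
  m=$(ip2int "$1"); n=0
  while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
  echo "$n"
}

# Network address = IP AND mask (host bits cleared).
network_of() {
  int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# Broadcast address = IP OR NOT mask (host bits set).
broadcast_of() {
  int2ip $(( $(ip2int "$1") | (~$(ip2int "$2") & 4294967295) ))
}

# Usable host addresses in a prefix: 2^(32-NN) minus network and broadcast.
# /31 (point-to-point) and /32 have no broadcast, so every address is usable.
usable_hosts() {
  if [ "$1" -ge 31 ]; then echo $(( 1 << (32 - $1) ))
  else echo $(( (1 << (32 - $1)) - 2 )); fi
}

# Usage: sh ipcalc.sh 192.168.168.1 255.255.255.0
if [ $# -eq 2 ]; then
  echo "address    $1  $(ip2bin "$1")"
  echo "netmask    $2  $(ip2bin "$2")  /$(mask2prefix "$2")"
  echo "network    $(network_of "$1" "$2")"
  echo "broadcast  $(broadcast_of "$1" "$2")"
  echo "hosts      $(usable_hosts "$(mask2prefix "$2")")"
fi
```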
TCP/IP Model (1)

Application protocols
Transport protocols
Internet protocols
Network access protocols

TCP/IP Model (2)

Network access protocols: all functions necessary to access the physical network
Internet protocols: IP (Internet Protocol, connectionless); ICMP (Internet Control Message Protocol)

TCP/IP Model (3)

Transport protocols: TCP (Transmission Control Protocol), connection-based; UDP (User Datagram Protocol), connectionless
Application protocols: privileged ports (0-1023); /etc/services

Types of TCP/IP Services

Stand-alone
xinetd (and its config)

Controlling TCP/IP Daemons

Related TCP/IP commands: ps x; netstat -ap --inet | grep LISTEN
Start the daemon; stop the daemon; restart the daemon; status of the daemon

RHCE: Red Hat Certified Engineer
Session 11
Asif Raza

Network Configuration

Initializing network hardware: load the related module
Network configuration tools: netconfig, redhat-config-network

Network Configuration: Other Network Tools

• ifconfig
• ping
• traceroute
• netstat
• tcpdump
• nmap
• tethereal
• iptraf

Network Configuration: Configuration Files

/etc/hosts, /etc/host.conf, /etc/services, /etc/resolv.conf, /etc/sysconfig/network, /etc/sysconfig/network-scripts/*
IP aliasing

RHCE: Red Hat Certified Engineer
Session 12
Asif Raza

DHCP

Advantages & disadvantages of DHCP
DHCP server configuration: /etc/dhcpd.conf, /var/lib/dhcp/dhcpd.leases
DHCP client configuration: netconfig command

An Example of dhcpd.conf

  ddns-update-style ad-hoc;
  subnet 192.168.0.0 netmask 255.255.255.0 {
      range 192.168.0.1 192.168.0.25;
      option routers 192.168.0.1;
      option subnet-mask 255.255.255.0;
      option domain-name "domain.com";
      option domain-name-servers 192.168.1.1;
      default-lease-time 21600;
      max-lease-time 43200;
      # we want the nameserver to appear at a fixed address
      host dns1 {
          hardware ethernet 12:34:56:78:AB:CD;
          fixed-address 192.168.0.20;
      }
  }

dhcpd.leases Format

  lease 192.168.1.8 {
      starts 3 2004/04/12 09:34:12;
      ends 6 2004/07/15 23:49:57;
      hardware ethernet 00:09:e6:88:0a:05;
  }
  ...

2004 August

NFS

Related daemons: rpc.nfsd, rpc.portmap, rpc.mountd
Installation: nfs-utils, portmap

NFS Configuration

Server side:
  Edit the /etc/exports file: PATH host_list(options)
  Run the 'exportfs -r' command
  'redhat-config-nfs' command
Client side:
  mount -t nfs server:PATH mountpoint
  Edit the '/etc/fstab' file: server:PATH M.P. nfs ro 0 0

SAMBA (1)

Related services: smbd, nmbd
Related packages: samba, samba-common, samba-client

SAMBA (2)

Server configuration: global directives, service directives
Client configuration: smbmount //server/share /m.p.; smbclient //server/share
Configuration with SWAT

RHCE: Red Hat Certified Engineer
Session 13
Asif Raza

TCP/IP Services

(Client/server diagram: a client process and a server process, each attached to a port.)
1. Server binds to a port and listens
2. Client binds to a port
3. Client connects to the server
4. Server designates a port
5. Client and server communicate

Remote Login

Telnet server & client
SSH server & client

The Apache Web Server: Modules

mod_auth, mod_info, mod_php, mod_include, mod_perl, mod_ssl

Installing Apache

rpm -Uvh httpd-[^d]*.rpm
rpm -Uvh httpd-devel*.rpm   (for supporting Apache modules)

Basic Configuration: httpd.conf

Section 1: the global environment
Section 2: the main configuration
Section 3: the virtual host configuration

Apache Advanced Configuration

Authentication in Apache; configure with PHP; configure with SSL; configure virtual hosts

Authentication in Apache

Configuring the 'httpd.conf' file:

  <Location /dir_name>
      AuthType Basic
      AuthName "NAME"
      # a relative path is resolved against ServerRoot (/etc/httpd)
      AuthUserFile ".htpasswd"
      Require valid-user
  </Location>

Create the '/etc/httpd/.htpasswd' file

Configure Apache with PHP: rpm -Uvh php-4*.rpm
Configure Apache with SSL: rpm -Uvh mod_ssl*.rpm

Configure Virtual Host

  <VirtualHost 127.0.0.2>
      ServerAdmin webmaster@vh.com
      DocumentRoot /var/www/html/vh/
      ServerName www.vh.com
  </VirtualHost>

Configuring the '/etc/hosts' file; configuring the 'httpd.conf' file

Apache Administration

Start, stop, restart, reload, status

Troubleshooting Apache

/var/log/messages
/var/log/httpd/
/usr/sbin/httpd -S   (for virtual hosts)

Securing Your Network

Using the 'lokkit' or 'redhat-config-securitylevel' command
Password & physical security
Securing TCP/IP
Using Tripwire
Keeping up-to-date on Linux security issues

RHCE: Red Hat Certified Engineer
Session 14
Asif Raza

FTP

Installation: rpm -ivh vsftp*.rpm
Config file: /etc/vsftpd/vsftpd.conf
Access levels:
  Anonymous access (anonymous_enable)
  User access (tcp_wrappers needed)

Cache Server (Squid)

Install squid: rpm -ivh squid*.rpm
Managing squid: start, stop, restart, status, reload

Squid Log Files

/var/log/squid/access.log  (cache_access_log)
/var/log/squid/cache.log   (cache_log)
/var/log/squid/store.log   (cache_store_log)

An Example of 'squid.conf'

  http_port 8081
  cache_effective_user squid
  cache_effective_group squid
  # "all" matches every source address; allowing it makes an open proxy,
  # so in production restrict src to the local networks that may use it
  acl all src 0.0.0.0/0.0.0.0
  http_access allow all
  cache_dir ufs /cache 1024 16 32
  visible_hostname ws1

Running Squid

service squid start
squid -d1 -z
squid -d1 -f /etc/squid/squid.conf

The Kinds of Proxies

Upstream proxy:
  cache_peer yourproxy.com parent 3128 3130
  prefer_direct off
Transparent proxy:
  httpd_accel_host virtual
  httpd_accel_port 80
  httpd_accel_with_proxy on
  httpd_accel_uses_host_header on

RHCE: Red Hat Certified Engineer
Session 15
Asif Raza

Configuring a Linux Router

Configuring the kernel: IP: advanced router
Enable IP forwarding: add 'net.ipv4.ip_forward=1' to /etc/sysctl.conf, or echo "1" > /proc/sys/net/ipv4/ip_forward

Types of Routes

Static route
Dynamic route

Components of Routing Rules

Destination IP address
An interface
An optional gateway IP address

Routing Command

route add -net net_addr netmask mask_addr interface
route add -host ip_addr interface
route add default gateway ip_addr interface

An Example

(Network diagram)
Hosts A, B, C, D: 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5
Hosts E, F, G, H: 192.168.100.2, 192.168.100.3, 192.168.100.4, 192.168.100.5
Gateway (Linux router): eth0 192.168.1.1, eth1 192.168.100.1, eth2 10.1.1.1
Router 10.1.1.2, connected to the Internet

Related Rules

route add -net 192.168.1.0 netmask 255.255.255.0 eth0
route add -net 192.168.100.0 netmask 255.255.255.0 eth1
route add -net 10.1.1.0 netmask 255.255.255.0 eth2
route add default gateway 10.1.1.2 eth2

Result

Destination    Gateway   Genmask          Flags  Metric  Ref  Use  Iface
192.168.1.1    *         255.255.255.255  UH     0       0    0    eth0
192.168.100.1  *         255.255.255.255  UH     0       0    0    eth1
10.1.1.1       *         255.255.255.255  UH     0       0    0    eth2
192.168.1.0    *         255.255.255.0    U      0       0    0    eth0
192.168.100.0  *         255.255.255.0    U      0       0    0    eth1
10.1.1.0       *         255.255.255.0    U      0       0    0    eth2
0.0.0.0        10.1.1.2  0.0.0.0          UG     0       0    0    eth2
127.0.0.0      *         255.0.0.0        U      0       0    0    lo

U: network link is up; H: destination address refers to a host; G: gateway

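As an added example (not from the slides), how the kernel chooses among the routes in a table like the one above: a route matches when (destination AND Genmask) equals Destination, and the most specific match (the longest Genmask) wins, so the 0.0.0.0/0.0.0.0 default route is used only when nothing else matches. The table is constructed from the slide's rows, plus one extra host route via 192.168.1.2 (not on the slide) so the longest-prefix rule is visible.

```shell
#!/bin/sh
# Added example, not from the slides: route selection by longest matching prefix.

# Dotted quad -> 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Constructed routing table in the slide's layout: Destination Gateway
# Genmask Iface ("*" = no gateway, the network is directly attached).
# The 192.168.1.200 host route is an extra, not on the slide.
ROUTES='192.168.1.0   *           255.255.255.0   eth0
192.168.100.0 *           255.255.255.0   eth1
10.1.1.0      *           255.255.255.0   eth2
192.168.1.200 192.168.1.2 255.255.255.255 eth0
0.0.0.0       10.1.1.2    0.0.0.0         eth2
127.0.0.0     *           255.0.0.0       lo'

# Print "IFACE direct" or "IFACE via GATEWAY" for the best route to $1,
# or "unreachable" when no route matches (impossible while a default exists).
route_lookup() {
  dst=$(ip2int "$1"); best_mask=-1; best=unreachable
  while read -r net gw mask iface; do
    [ -n "$net" ] || continue
    m=$(ip2int "$mask")
    # Masking the destination with the genmask must reproduce the network.
    if [ $(( dst & m )) -eq "$(ip2int "$net")" ]; then
      # For contiguous masks a longer prefix is numerically larger, so
      # comparing mask values picks the most specific matching route.
      if [ "$m" -gt "$best_mask" ]; then
        best_mask=$m
        if [ "$gw" = "*" ]; then best="$iface direct"; else best="$iface via $gw"; fi
      fi
    fi
  done <<EOF
$ROUTES
EOF
  echo "$best"
}

# Usage: sh route_lookup.sh 8.8.8.8
if [ $# -eq 1 ]; then route_lookup "$1"; fi
```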
Electronic Mail (Sendmail)

How Email Is Sent and Received

(Diagram: user1@mail1.com sends to the mail1 MTA, which passes the message to the mail2 MTA, which delivers it to user2@mail2.com; the protocol on each hop is left as "?" to be filled in.)

Concepts

MTA: Mail Transport Agent
SMTP (server-to-server): Simple Mail Transport Protocol
POP (mail access): Post Office Protocol
IMAP (mail access): Interim Mail Access Protocol
MDA: Mail Delivery Agent
MUA: Mail User Agent

Advantages of Sendmail: older MTA; powerful MTA
Disadvantages of Sendmail: slow; high-load environments; cryptic configuration

MTAs: Sendmail, Postfix, Exim, Qmail
MUAs: Evolution, Kmail (KDE), Balsa (GNOME), Mozilla Mail

Required Packages

sendmail, sendmail-cf, imap (config xinetd; contains IMAP & POP3)

Sendmail Configuration

Config the '/etc/mail/sendmail.mc' file: LOCAL_DOMAIN(`example.com')dnl
Run 'make -C /etc/mail/'
Config DNS

105
Email Aliases
Edit '/etc/aliases' file:
postmaster: joseph
Run 'newaliases' command
106
Rejecting Email
Edit '/etc/mail/access' file:
spam.com    REJECT
yahoo.com   OK
service sendmail restart
107
RHCE Red Hat Certified Engineer
Asif Raza
Session 16
108
DNS
109
Where do I look?
/etc/nsswitch.conf (nameservice switch)
t@localhost:~$ cat /etc/nsswitch.conf
hosts: files dns
110
Files
Search order determined by nsswitch.conf
It is polite to have /etc/hosts first!
sjh@mccoy:~$ cat /etc/hosts
127.0.0.1      localhost
193.62.81.135  mccoy.tardis.ed.ac.uk mccoy
193.62.81.134  baker.tardis.ed.ac.uk baker
193.62.81.132  packages.tardis.ed.ac.uk packages
111
DNS Traversal
1. Local files
2. DNS server locally
3. Item in cache?
4. Root server, work your way down…
112
Resolving Names
Configuration Files for the Local Host Name Resolution (important for testing):
/etc/resolv.conf
/etc/nsswitch.conf
/etc/host.conf
113
DNS
BIND - Berkeley Internet Name Daemon
Dents - buggy as hell (still in alpha?)
Djbdns - Dan Bernstein's DNS server
Banyan VINES - don't go there!
114
Named (name dee)
/etc/named.conf: this defines a directory to store the DNS config files. Contains info about what zones we serve, and where to find config files! Config file for named - tells us if we are master / slave, allow or deny zone transfers, what the IPs of other master / slave servers are, etc.
<DNSROOT>/root.hints: Contains "pointers" to the Root Servers
<DNSROOT>/127.0.0: Config for reverse-lookup to the local host/subnet
<DNSROOT>/<zone>: Config for zone
<DNSROOT>/<in-addr.arpa file>: Config for reverse lookup for your zone
115
A simple named.conf
## named.custom - custom configuration for bind
zone "." {
    type hint;
    file "root.lists";
};
options {
    directory "/var/named/";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "127.0.0";
};
zone "hq.alim.ir" {
    type master;
    file "hq.alim.ir";
};
zone "168.168.192.in-addr.arpa" {
    type master;
    file "192.168.168";
};
116
DNS Data
DNS databases contain more than just hostname-to-address records:
SOA - Start Of Authority - it is the daddy!
IN NS - Name Server
IN MX - Mail eXchanger
IN A - A record (Address record)
IN CNAME - Canonical NAME
117
A simple zone file
@ IN SOA hq.alim.ir. root.hq.alim.ir. (
        199609206 ; serial, todays date + todays serial #
        8H        ; refresh, seconds
        2H        ; retry, seconds
        4W        ; expire, seconds
        1D )      ; minimum, seconds
            NS    hq.alim.ir.
            MX    10 hq.alim.ir. ; Primary Mail Exchanger
            TXT   "Alim IT Center"
localhost   A     127.0.0.1
router      A     192.168.168.1
hq.alim.ir. A     192.168.168.2
ns          A     192.168.168.3
www         A     207.159.141.192
ftp         CNAME hq.alim.ir.
mail        CNAME hq.alim.ir.
news        CNAME hq.alim.ir.
118
A simple in-addr.arpa file
$TTL 3D
@ IN SOA hq.alim.ir. root.hq.alim.ir. (
        199609206 ; Serial
        28800     ; Refresh
        7200      ; Retry
        604800    ; Expire
        86400)    ; Minimum TTL
        NS hq.alim.ir.
; Servers
1   PTR router.hq.alim.ir.
2   PTR hq.alim.ir.
2   PTR funn.hq.alim.ir.
; Workstations
200 PTR ws-177200.hq.alim.ir.
201 PTR ws-177201.hq.alim.ir.
202 PTR ws-177202.hq.alim.ir.
119
Forward DNS
hq.alim.ir (as per /etc/named.conf)
SOA - Start Of Authority - it is the daddy!
IN NS - Name Server
IN MX - Mail eXchanger
IN A - A record (Address record)
IN CNAME - Canonical NAME
120
Reverse DNS
192.168.168 (as per /etc/named.conf)
SOA
IN NS
IN PTR - Pointer
121
DNS Round Robin
Fault tolerance? Through nifty DNS hacks
www.teviot.com.  60  IN  A  10.0.1.100
www.teviot.com.  60  IN  A  10.0.2.100
www.teviot.com.  60  IN  A  10.0.3.100
122
Common Mistakes
Forgetting to increment the Serial Number!
CNAME pointing at another CNAME!
Forgetting the "." in appropriate places!
Underscores in hostnames!
Forgetting to reload the daemon!
Version control issues - clobber changes!
TTL Issues
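As an added example (not from the slides), a small Python lint that catches four of the mistakes listed above in a zone laid out like the "A simple zone file" slide: an unbumped serial, a forgotten trailing dot, a CNAME pointing at a CNAME, and an underscore in a hostname. The zone text, the file_srv host and the mail/ftp CNAME chain are constructed for the example; only the origin hq.alim.ir and the serial 199609206 come from the slides.

```python
# Added example (not from the slides): a lint for the "Common Mistakes" slide, run
# over a zone laid out like the "A simple zone file" slide; the zone text below is
# constructed here and seeded with mistakes (origin and serial are the slide's).
ORIGIN = "hq.alim.ir"
PUBLISHED_SERIAL = 199609206          # serial the running named already serves
ZONE = """\
@   IN SOA hq.alim.ir. root.hq.alim.ir. (
        199609206 ; serial not bumped after editing
        8H ; refresh
        2H ; retry
        4W ; expire
        1D ) ; minimum
    NS  hq.alim.ir.
    MX  10 mail.hq.alim.ir     ; trailing "." forgotten
hq.alim.ir. A 192.168.168.2
mail    CNAME hq.alim.ir.
ftp     CNAME mail             ; CNAME pointing at a CNAME
file_srv  A 192.168.168.4      ; underscore in a hostname
"""

def fqdn(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin + "."
    return name if name.endswith(".") else f"{name}.{origin}."

def parse_zone(text, origin):
    """Records as (owner_fqdn, rtype, rdata); handles ';' comments, blank owners, SOA ( )."""
    records, owner, acc, has_owner = [], "@", "", True
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not acc:
            has_owner = not line[:1].isspace()
        acc += line + " "
        if acc.count("(") > acc.count(")"):
            continue                           # still inside "( ... )"
        toks, acc = acc.replace("(", " ").replace(")", " ").split(), ""
        if not toks:
            continue
        if has_owner:
            owner, toks = toks[0], toks[1:]
        if toks[0] == "IN":
            toks = toks[1:]
        records.append((fqdn(owner, origin), toks[0], toks[1:]))
    return records

def lint_zone(text, origin, published_serial=None):
    """One finding per mistake from the slide that a static check can catch."""
    records = parse_zone(text, origin)
    cname_owners = {o for o, t, _ in records if t == "CNAME"}
    findings = []
    for owner, rtype, rdata in records:
        if "_" in owner.split(".")[0]:
            findings.append(f"underscore in hostname {owner}")
        if rtype == "SOA" and published_serial is not None:
            if int(rdata[2]) <= published_serial:
                findings.append(f"serial {rdata[2]} not incremented")
        if rtype in ("NS", "MX", "CNAME"):
            target = rdata[-1]
            if not target.endswith(".") and target.endswith(origin):
                findings.append(f"{rtype} target {target} lacks trailing dot "
                                f"and will be read as {fqdn(target, origin)}")
            if rtype == "CNAME" and fqdn(target, origin) in cname_owners:
                findings.append(f"CNAME {owner} points at CNAME {fqdn(target, origin)}")
    return findings
```

Calling lint_zone(ZONE, ORIGIN, PUBLISHED_SERIAL) returns four findings for the seeded zone; pass the serial currently served so the "forgot to increment" case is caught before the daemon is reloaded.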
123
Test Tools
nslookup
dig
dig mail.hq.alim.ir
dig -x 192.168.168.2
dig 168.168.192.in-addr.arpa. AXFR
whois
http://www.squish.net/dnscheck/ James Ponder's DNS check web page
124
RHCE Red Hat Certified Engineer
Asif Raza
Session 17
125
Firewall
Required Properties:
Control: Allow only those packets that you want to pass through.
Security: Reject packets from malicious outsiders.
Watchfulness: Log packets to/from the outside world.
126
Firewall Types
Packet Filtering
Proxy-Based Firewall
Stateful
Stateless
127
Packet Filter under Linux
1st generation: ipfw (from BSD)
2nd generation: ipfwadm (Linux 2.0)
3rd generation: ipchains (Linux 2.2)
4th generation: iptables (Linux 2.4 & 2.6)
128
Installing Iptables
Kernel Supports Iptables:
Networking Options -> TCP/IP Networking -> Network Packet Filtering
Networking Options -> TCP/IP Networking -> IP: advanced router -> *
Networking Options -> IP: Netfilter
For Packets Traffic Control:
Networking Options -> QoS and/or fair queueing -> *
# rpm -ivh \
    iptables-1.2.6a-2.i386.rpm
129
Chains of Tables
INPUT: Controls packets entering your system
OUTPUT: Controls packets leaving your system
FORWARD: Controls what packets can move from one network to another through your system
130
[Diagram: Routing Decision -> Input -> Local Process -> Output; Routing Decision -> Forward]
131
1. When a packet comes in, the kernel first looks at the destination of the packet: this is called routing.
2. If it's destined for this box:
• Passes downwards in the diagram
• To INPUT chain
If it passes, any processes waiting for that packet will receive it.
Otherwise go to step 3
Continue…
132
3. If forwarding is not enabled, the packet will be dropped. If forwarding is enabled and the packet is destined for another network interface:
The packet goes rightwards on our diagram to the FORWARD chain.
If it is accepted, it will be sent out.
4. Packets generated from a local process pass to the OUTPUT chain immediately. If it says accept, the packet will be sent out.
133
Packet Status in Iptables
Established
New
Related
Invalid
134
Results of Packet Checking
ACCEPT
DROP
REJECT
…
135
Tables of Iptables
Filter
NAT
Mangle
136
The Path of Packet in Iptables
[Diagram: Network -> Mangle PREROUTING chain -> NAT PREROUTING chain (Destination NAT) -> Routing decision. For this host: Mangle INPUT -> Filter INPUT -> Local process -> Routing decision -> Mangle OUTPUT -> NAT OUTPUT -> Filter OUTPUT. For another host: Mangle FORWARD -> Filter FORWARD. Both paths then: Mangle POSTROUTING -> NAT POSTROUTING chain (Source NAT, based on routing) -> Network]
137
Tables of Chains
Table    INPUT  OUTPUT  FORWARD  PREROUTING  POSTROUTING
MANGLE   *      *       *        *           *
NAT      -      *       -        *           *
FILTER   *      *       *        -           -
138
Building a Rule: source/destination
iptables -s 200.200.200.1
Refers to packets from a specific IP address. The "-s" refers to the source of the packet, where the packet is coming from. A corresponding "-d" refers to the destination, where the packet is going to.
139
Building a Rule: Action
iptables -s 200.200.200.1 -j DROP
The "-j" determines what happens to the
Building a Rule: IP address ranges
iptables -s 200.200.200.0/24 -j DROP
IPs that match 200.200.200.*
The "/24" refers to the number of bits that are fixed, counting from the left.
140
Other Actions
REDIRECT: Sends packets to a proxy
LOG: Tracks packets as they match rules
RETURN: Terminates user defined chains
141
Building a Rule: appending rules to tables
iptables -A INPUT -s 200.200.200.1 -j DROP
The "-A" appends the rule to an iptable. The "INPUT" specifies the iptable. This command makes your system ignore all packets from 200.200.200.1.
iptables -A OUTPUT -d 200.200.200.1 -j DROP
This command does not allow your system to send packets to 200.200.200.1.
142
Building a Rule: only blocking some packets
iptables -A INPUT -s 200.200.200.1 -p tcp --destination-port telnet -j DROP
The "-p" specifies a specific protocol: tcp, udp, or icmp. The "--destination-port" is where the packet is going. You can use the service name or the port number; 23 could be used in this example.
Keep in mind that the source-port is very different from the destination-port. In this example the inbound message is going to your telnet server. The telnet client that is sending you the message could be running on any port.
--dport == --destination-port
--sport == --source-port
143
Building a Rule: multiple network interfaces
Assume your machine has two interface cards: one to a LAN named eth0 and the other to the Internet named ppp0.
iptables -A INPUT -p tcp --dport telnet -i ppp0 -j DROP
The "-i" option specifies the input interface. There is also a "-o" option for the output interface.
iptables -A INPUT -p tcp --dport telnet -i eth0 -j ACCEPT
Together these rules would accept telnet requests from the LAN but block telnet requests from the Internet.
144
Building a Rule: Table Policies
iptables -P FORWARD ACCEPT
The "-P" option followed by a table name and action determines the default policy of the table. If no rule in the table matches, this default action is taken.
The usual policies are:
INPUT = ACCEPT
OUTPUT = ACCEPT
FORWARD = DENY
145
Building a Rule: Adding Rules to Tables
iptables -A INPUT -s 200.200.200.1 -j DROP
Appends the rule to the end of the table.
iptables -I INPUT 3 -s 200.200.200.1 -j DROP
Inserts the rule as rule 3 in the table, moving all other rules down 1.
iptables -R INPUT 3 -s 200.200.200.1 -j DROP
Replaces rule 3 in the table.
iptables -D INPUT 3
Deletes rule 3 in the table.
146
Operations to manage whole chains
-N  Create a new chain
-X  Delete an empty chain
-P  Change the policy for a built-in chain
-L  List the rules in a chain
-F  Flush the rules out of a chain
-Z  Zero the packet and byte counters on all rules in a chain
147
Manipulate rules inside a chain
-A  Append a new rule to a chain
-I  Insert a new rule at some position in a chain
-R  Replace a rule at some position in a chain
-D  Delete a rule at some position in a chain
-D  Delete the first rule that matches in a chain
148
An Example
[Diagram: LAN hosts 192.168.1.5, 192.168.1.6, 192.168.1.7 (GW: 192.168.1.1); Firewall 192.168.1.1 with interfaces eth0 and eth1, one side to the Internet; Web Server; SSH Server accessible ONLY via LAN]
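As an added example (not from the slides), a Python model of first-match rule evaluation in the filter table, fed rules written in the slides' own syntax for the scenario above: the web server open to everyone, SSH only from the LAN, the rest logged and dropped. It assumes eth1 is the LAN side (192.168.1.0/24) and eth0 the Internet side; the rule set itself is constructed here, not taken from the deck.

```python
# Added example (not from the slides): first-match evaluation of iptables
# filter rules in the slides' syntax, checked against the "An Example" slide.
# Assumed: eth1 faces the LAN (192.168.1.0/24), eth0 faces the Internet.
import ipaddress
import shlex

EXAMPLE_RULES = [                          # constructed for the scenario
    "iptables -P INPUT DROP",
    "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 80 -j ACCEPT",           # web: anyone
    "iptables -A INPUT -p tcp --dport 22 -i eth1 -s 192.168.1.0/24 -j ACCEPT",
    "iptables -A INPUT -i eth0 -j LOG",              # watchfulness: log the rest
]
FIELD = {"-i": "in_if", "-s": "src", "-d": "dst", "-p": "proto",
         "--dport": "dport", "--destination-port": "dport"}

def parse_rule(cmd):
    """One command in the slides' syntax -> (op, chain, position, match, target)."""
    op, chain, *rest = shlex.split(cmd)[1:]
    if op == "-P":                              # chain policy, no match part
        return op, chain, None, {}, rest[0]
    pos = int(rest.pop(0)) if op == "-I" and rest[0].isdigit() else None
    match, target = {}, None
    for flag, val in zip(rest[::2], rest[1::2]):
        if flag == "-j":
            target = val
        elif flag in ("-s", "-d"):
            match[FIELD[flag]] = ipaddress.ip_network(val, strict=False)
        elif flag == "--state":
            match["state"] = set(val.split(","))
        elif flag.endswith("port"):
            match[FIELD[flag]] = int(val)
        elif flag != "-m":                      # "-m state" only loads a module
            match[FIELD[flag]] = val
    return op, chain, pos, match, target

def holds(want, have):
    """One criterion against one packet field; a missing field never matches."""
    if isinstance(want, ipaddress.IPv4Network):
        return have is not None and ipaddress.ip_address(have) in want
    return have in want if isinstance(want, set) else have == want

class FilterTable:
    """Built-in chains: a default policy plus an ordered rule list each."""
    def __init__(self, commands):
        self.policy = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}
        self.chains = {c: [] for c in self.policy}
        self.log = []                            # packets seen by LOG rules
        for cmd in commands:
            op, chain, pos, match, target = parse_rule(cmd)
            if op == "-P":
                self.policy[chain] = target
                continue
            at = (pos or 1) - 1 if op == "-I" else len(self.chains[chain])
            self.chains[chain].insert(at, (match, target))     # -I is 1-based

    def verdict(self, chain, pkt):
        """pkt keys: in_if, src, dst, proto, dport, state. First matching rule
        decides; LOG records the packet and keeps going; no match -> policy."""
        for match, target in self.chains[chain]:
            if all(holds(w, pkt.get(k)) for k, w in match.items()):
                if target != "LOG":
                    return target
                self.log.append(pkt)
        return self.policy[chain]
```

Appending a DROP for one LAN host after the SSH ACCEPT never fires, while inserting it at position 1 does, which is the difference between -A and -I on the "Adding Rules to Tables" slide.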
149
RHCE Red Hat Certified Engineer
Asif Raza
Session 18
Advanced
150
Traffic Shaping (CBQ)
/etc/rc.d/init.d/cbq.init
(http://ovh.dl.sourceforge.net/sourceforge/cbqinit/cbq.init-v0.7.3)
Install 'shapecfg' RPM
/etc/sysconfig/cbq/* (0002-FFFF)
/etc/rc.d/init.d/cbq.init start
151
Sample of CBQ Configuration
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
PRIO=5
RULE=:21,192.168.1.0/24
152
The End. Good Luck