Session 1

Red Hat Certified Engineer


History Of UNIX & Linux
• 1957: Bell Labs found they needed an operating system; at the time they were running various batch jobs
• 1965: Bell Labs create Multics (Multiplexed Information and Computing Service)
• 1969: Summer 1969, UNIX was developed by AT&T
• 1975: Sixth edition of UNIX released, May 1975
• 1985: GNU project started, 1985
• 1991: Linux is introduced by Linus Benedict Torvalds, who in 1991 was a second year student of Computer Science at the University of Helsinki
• 1993: NetBSD & FreeBSD released, 1993
• 1994: Red Hat Linux is introduced, 1994

First Article About Linux

From: torvalds@klaava.Helsinki.FI (Linus Benedict Torvalds)
Newsgroups: comp.os.minix
Subject: What would you like to see most in minix?
Summary: small poll for my new operating system
Message-ID: <1991Aug25.205708.9541@klaava.Helsinki.FI>
Date: 25 Aug 91 20:57:08 GMT
Organization: University of Helsinki

Hello everybody out there using minix

I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones. This has been brewing since april, and is starting to get ready. I'd like any feedback on things people like/dislike in minix, as my OS resembles it somewhat (same physical layout of the file-system (due to practical reasons) among other things).

I've currently ported bash(1.08) and gcc(1.40), and things seem to work. This implies that I'll get something practical within a few months, and I'd like to know what features most people would want. Any suggestions are welcome, but I won't promise I'll implement them :-)

Linus (torvalds@kruuna.helsinki.fi)

PS. Yes - it's free of any minix code, and it has a multi-threaded fs. It is NOT portable (uses 386 task switching etc), and it probably never will support anything other than AT-harddisks, as that's all I have :-(.

GNU & GPL
• GNU Project: Focused on creating a Unix-like operating system that could be freely distributed
• GPL: Global Public License (Copyleft)

Major Linux Distributors
• Caldera Linux
• Corel Linux
• Debian Linux
• Kondara Linux
• Red Hat Linux
• Mandrake Linux
• Slackware Linux
• SuSE Linux
• Turbo Linux
• Vector Linux

The Advantage of Linux
• Low purchase cost
• Open Source Software (OSS)
• UNIX heritage
• Multi User
• Scalability
• Vendor support
• Reliable uptime
• Security
• Logging System
• …

The Disadvantage of Linux
• Steep learning curve
• Hardware support
• End-user applications

A Comparison Of Win 9x, NT, and Linux

Feature                  Win 9x     Win NT     Linux
Scalability              Poor       Good       Good
Desktop App.             Excellent  Good       Good
Enterprise App. Support  None       Excellent  Good
Hardware Support         Good       Good       Good
Licensing Cost           Poor       Good       Excellent
Network Performance      Good       Poor       Excellent
Security                 Good       Good       Good

Linux Filesystem Hierarchy
/bin   Essential Binary Files
/boot  Boot Loader Files
/dev   Device Files
/etc   Configuration Files
/home  User Home Directories
/lib   Shared Libraries and Kernel Modules
/mnt   Mount Point for Temporarily Mounted FS
/proc  System Information Virtual File System
/root  root User Home Directory
/sbin  Essential System Binaries
/tmp   Temporary Files
/usr   Shareable Files
/var   Non-Shareable Files

Session 2

Installing Linux
• Hardware Requirements
• Harddisk Partitioning
• Boot Loader
• Install Packages
• X Configuration

Overview of the Installation Process
1. Starting the installation process
   – Installation Mode
   – Language
   – Keyboard
   – Mouse
2. Partitioning
3. Boot Loader Installation
4. Network Configuration
5. Setting the time zone
6. Firewall Configuration
7. Specifying user accounts
8. Specifying authentication options (optional)
9. Selecting packages
10. Installing packages
11. Creating a boot disk
12. Configuring the X Window System (optional)

Installing Linux: Consoles & Message Logs
Console  Keystrokes   Contents
1        Ctrl+Alt+F1  Text-based installation procedure
2        Ctrl+Alt+F2  Shell prompt
3        Ctrl+Alt+F3  Messages from installation program
4        Ctrl+Alt+F4  Kernel messages
5        Ctrl+Alt+F5  Other messages, including file system creation messages
7        Ctrl+Alt+F7  Graphical installation procedure

Configuring Install-Time Options after Installation
• kbdconfig
• mouseconfig
• timeconfig
• sndconfig
• netconfig
• authconfig
• ntsysv
• setup
• redhat-config-…

Session 3

Some of Important BASH Variables
• PATH
• SHELL
  – bash (Bourne Again Shell)
  – ash
  – tcsh
  – sach
  – mc
• PS1, PS2
  – PS1/PS2 switches: \u \h \s \W \t \d \$ $

Some of Linux Commands (1)
• echo • cat • cd • clear • exit • man • tac • help • cp • info • mv • ls • rm • touch • pwd • alias • less • mkdir • rmdir • date • logout • reboot • halt

Session 4

BASH Features
• TAB key
• Review Pages & Commands
• Quoting in BASH: "value", 'value', `value`
• Standard Input & Standard Output: stdin 0, stdout 1, stderr 2
• Redirection Operators: > >> < << |

Important Command Forms
• cmd
• cmd & (fg, bg, ctrl+z)
• cmd1 ; cmd2
• (cmd1 ; cmd2)
• cmd1 `cmd2`
• cmd1 | cmd2
• cmd1 && cmd2
• cmd1 || cmd2
• { cmd1 ; cmd2 ; }

Linux File Types
Type              Symbol  Description
Normal file       -
Normal directory  d
Hard link
Symbolic link     l       Shortcut to a file or directory
Socket            s       Pass data between 2 processes
Named pipe        p       Like sockets; the user can't work with them directly
Character device  c       Character hardware communication
Block device      b       Major & minor numbers for controlling devices

Bash Special Variables
$#  Specifies number of arguments given to the command
$?  Returns value of the last program to be used
$$  Process number of the current shell
$!  Process number of the last child process
$@  Specifies individually quoted arguments
$*  Specifies all arguments quoted as whole
$n  Specifies positional argument value, where n is the position
$0  Specifies name of the current shell

Some of Linux Commands (2)
• Process Text Streams: sort, uniq, wc, split, cut, head, tail, grep
• Redirecting Command's output: tee
• Create, Monitor & Kill Processes: ps, pstree, top, kill, killall
• Modify Process Priority (renice)

Session 5

Some of Linux Commands (3)
• Create Partitions and Filesystem: fdisk, mke2fs, mkfs.*, du, df
• Filesystem Mounting & Unmounting: mount, umount, /etc/fstab
• Maintain the Integrity of Filesystem: e2fsck, fsck.*

Some of Linux Commands (4)
• Use File Permissions: chmod, chgrp, chown, su
• Create Hard & Symbolic Links (ln)
• Find System Files (find, locate, which)
• Using Emergency & Single User Mode

'vi' Powerful Text Editor
• Insert Mode
  – Insert Text
• Normal Mode
  – dd, n+dd (Delete)
  – yy, n+yy (Copy)
  – p (paste)
  – P (Paste)
  – / (Search)
  – v (Visual, Text Selection)
• Command Mode
  – :w
  – :q
  – :q!
  – :wq = :x
  – :r
  – :s///

Session 6

Run Levels
Run Level  Definition
0          This runlevel halts the system
1          This runlevel sets single-user mode
2          Multiuser mode without networking
3          Multiuser mode with networking
4          Not used
5          X-based log in
6          This runlevel reboots the system
• init & chkconfig Commands
• /etc/inittab
• /etc/rc.d/init.d & /etc/rc[0123456].d/

Configuring Boot loader
• LILO – Edit /etc/lilo.conf & execute 'lilo' command
• GRUB – Edit /boot/grub/grub.conf

Administrative Tasks
• Manage Users, Groups & Related Files: useradd, userdel, groupadd, groupdel, passwd, vipw, vigr, /etc/passwd, /etc/shadow, /etc/skel, /etc/profile, …
• Configure and use system log files: /etc/syslog.conf, /etc/logrotate.conf
• Scheduling Jobs (at & crontab commands)
• Backup & Restore Tools: tar, gzip, bzip2

Session 7

Linux Installation and Package Management
• Make and Install Programs from Source
• RPM (Redhat Package Manager)

Kernel
• About Kernel and Loadable Modules
• Manage Kernel Modules at Runtime (/etc/modules.conf)
• Reconfigure, Build and Install a Custom Kernel

Configuring Modems
• redhat-config-network-tui Command in Text Mode
• Modem Configuration Files
• kppp Command in X window

Session 8

Shell Scripts
• # Comments
• #! Special Comments
• Assign a Value: x=y, x=${y}, x=$y, x=${y}es, x=$yes, x='$y', x=\$y, export x z, export x=$y

Shell Scripts
• Control Constructs
  – 'read' command
  – 'test' command ( [ ] )
  – if … then … else … fi
  – case … in pattern) … ;; esac
  – while … do … done
  – until … do … done
  – for x in … do … done
  – break, continue, exit (for, while, until)
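Worked example (added here; not from the course): a script that uses the constructs listed above, read, test, if, case, while, for, continue and exit status, to audit a passwd-style file for an empty password field, a second UID-0 account and a system account (UID below 500, the first regular UID on Red Hat Linux of this era) that still has a login shell. The passwd lines are constructed sample data, not a real system file, and expand_forms shows what the assignment forms on the previous slide actually produce.

```shell
#!/bin/bash
# Account audit written with the shell constructs from the slides.
# Added example, not course material.

# Constructed passwd-style sample (not a real system file): line 2 is a second
# UID-0 account and line 4 has an empty password field.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
guest::500:500:no password:/home/guest:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash'

# The assignment forms from the slide: $y expands, '$y' and \$y do not.
expand_forms() {
    local y=5 x1 x2 x3 x4
    x1=$y          # 5
    x2='$y'        # literal $y
    x3=\$y         # literal $y
    x4=${y}es      # 5es (braces stop the name from swallowing "es")
    echo "$x1 $x2 $x3 $x4"
}

# Read passwd lines from stdin and print one finding per line.
# Exit status 0 = nothing found, 1 = at least one finding.
audit_passwd() {
    local user pass uid gid gecos home shell found=0
    while IFS=: read -r user pass uid gid gecos home shell; do
        [ -z "$user" ] && continue                  # blank line
        case $user in \#*) continue ;; esac         # comment line
        case $uid in
            ''|*[!0-9]*) echo "BAD-UID $user"; found=1; continue ;;
        esac
        if [ -z "$pass" ]; then
            echo "EMPTY-PASSWORD $user"; found=1
        fi
        if [ "$uid" -eq 0 ] && [ "$user" != root ]; then
            echo "EXTRA-UID0 $user"; found=1
        fi
        case $shell in
            */nologin|*/false) ;;                   # locked service account
            *) # assumption: UIDs 1-499 are system accounts on this Red Hat release
               if [ "$uid" -gt 0 ] && [ "$uid" -lt 500 ]; then
                   echo "SYSTEM-ACCOUNT-WITH-SHELL $user"; found=1
               fi ;;
        esac
    done
    return $found
}

# Audit a file, or the constructed sample when no file is given.
run_audit() {
    if [ -n "$1" ]; then
        audit_passwd < "$1"
    else
        printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
    fi
}

if run_audit "${1:-}"; then
    echo "audit: clean"
else
    echo "audit: findings present"
fi
```

Run it as `./audit.sh /etc/passwd` on a real host; the exit status of audit_passwd is what a cron job or monitoring script should check, since the text output is for the human reader.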

Session 9

Installing and Configuring X

Basic X Concepts
• X Client
• X Server
• X Protocol

Basic X Concepts
• X Window Manager
• X Desktop Manager
• X Display Manager

Installing X
1. Determine the proper X server
2. Install the proper packages

X Server Selection
• XFree86-*
Installation the Packages
• freetype
• gtk+
• XFree86-libs
• XFree86-75dpi-fonts
• redhat-config-xfree86
• XFree86-xfs
• XFree86-xdm
• XFree86-twm
• XFree86-tools
• xinitrc

Configuring X
• redhat-config-xfree86
• xvidtune

Important X Directories & Files
• /usr/X11R6/bin
• /etc/X11
• /etc/X11/XF86Config

Configure and Use PPP
• 'redhat-config-network-tui' Command in Text Mode
• Modem Configuration Files
• kppp Command in X window

Session 10

Network Basics
• IP (network & host portion) 192.168.168.1 : 11000000.10101000.10101000.00000001
• Netmask Address 255.255.255.0 : 11111111.11111111.11111111.00000000
• Network Address 192.168.168.0 : 11000000.10101000.10101000.00000000
• Broadcast Address 192.168.168.255 : 11000000.10101000.10101000.11111111
• Static IP / Dynamic IP

Classful Addressing System
• Network Classes
  – Class A 1.0.0.0-126.255.255.255 (8 bits)
  – Class B 128.0.0.0-191.255.255.255 (16 bits)
  – Class C 192.0.0.0-223.255.255.255 (24 bits)
• Reserved IP
  – 127.0.0.0-127.255.255.255 (Loop back Addr.)
  – 224.0.0.0-239.255.255.255 (Multicast Protocols)
  – 240.0.0.0-255.255.255.255 (do not use)
• Public & Private Networks (Valid & Invalid IPs)
  – 10.0.0.0-10.255.255.255
  – 172.16.0.0-172.31.255.255
  – 192.168.0.0-192.168.255.255

Classless Addressing System (Subnet)
Net. Addr.: 192.168.168.0 = 11000000.10101000.10101000.00000000
Netmasks:
255.255.255.0   (*/24) : 11111111.11111111.11111111.00000000
255.255.255.128 (*/25) : 11111111.11111111.11111111.10000000
255.255.255.192 (*/26) : 11111111.11111111.11111111.11000000
255.255.255.224 (*/27) : 11111111.11111111.11111111.11100000
255.255.255.240 (*/28) : 11111111.11111111.11111111.11110000
255.255.255.248 (*/29) : 11111111.11111111.11111111.11111000
255.255.255.252 (*/30) : 11111111.11111111.11111111.11111100
255.255.255.254 (*/31) : 11111111.11111111.11111111.11111110
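Worked example (added here; not part of the course slides): a bash script that does the subnet arithmetic behind the table above. It turns a prefix length into a netmask, a host address into its network and broadcast addresses, and any address into the dotted-binary form the slides use. It goes a step beyond the table by also counting usable hosts per prefix, treating /31 as a two-host point-to-point link. The addresses are the slides' own 192.168.168.0 network; the function names are this example's, not from any tool.

```shell
#!/bin/bash
# Subnet arithmetic for the dotted-binary view used on the slides.
# Added example; addresses are the slides' own 192.168.168.0 network.

# Dotted-quad -> 32-bit integer (bash arithmetic is 64-bit, so no overflow).
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted-quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# 32-bit integer -> dotted binary, e.g. 11000000.10101000.10101000.00000000
int_to_bin() {
    local n=$1 out="" i bit byte bits
    for i in 3 2 1 0; do
        byte=$(( (n >> (8 * i)) & 255 ))
        bits=""
        for bit in 7 6 5 4 3 2 1 0; do
            bits="$bits$(( (byte >> bit) & 1 ))"
        done
        out="$out${out:+.}$bits"
    done
    echo "$out"
}

# Prefix length (25) -> netmask (255.255.255.128).
prefix_to_mask() {
    int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Network address of ip/prefix: clear the host bits.
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$(prefix_to_mask "$2")") ))
}

# Broadcast address of ip/prefix: set the host bits.
broadcast_of() {
    local mask
    mask=$(ip_to_int "$(prefix_to_mask "$2")")
    int_to_ip $(( ($(ip_to_int "$1") & mask) | (~mask & 0xFFFFFFFF) ))
}

# Usable hosts: 2^(32-p) - 2, except /31 (two hosts, RFC 3021) and /32 (one).
usable_hosts() {
    case $1 in
        32) echo 1 ;;
        31) echo 2 ;;
        *)  echo $(( (1 << (32 - $1)) - 2 )) ;;
    esac
}

# Reproduce the slide's netmask table for /24 .. /31, with host counts.
subnet_table() {
    local p
    for p in 24 25 26 27 28 29 30 31; do
        printf '%-15s (*/%d) : %s  hosts=%s\n' "$(prefix_to_mask "$p")" "$p" \
            "$(int_to_bin "$(ip_to_int "$(prefix_to_mask "$p")")")" "$(usable_hosts "$p")"
    done
}

subnet_table
echo "192.168.168.130/25 -> network $(network_of 192.168.168.130 25), broadcast $(broadcast_of 192.168.168.130 25)"
```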

TCP/IP Model (1)
• Application Protocols
• Transport Protocols
• Internet Protocols
• Network Access Protocols

TCP/IP Model (2)
• Network Access Protocols
  – All functions necessary to access the physical network
• Internet Protocols
  – IP (Internet Protocol – Connectionless)
  – ICMP (Internet Control Message Protocol)

TCP/IP Model (3)
• Transport Protocols
  – TCP (Transmission Control Protocol)
    • Connection-based
  – UDP (User Datagram Protocol)
    • Connectionless
• Application Protocols
  – Privileged Ports (0-1023)
  – /etc/services

Types of TCP/IP Services
• Stand-alone
• xinetd (and its config)

Related TCP/IP Commands
• ps x
• netstat -ap --inet | grep LISTEN
Controlling TCP/IP Daemons
• Start the daemon
• Stop the daemon
• Restart the daemon
• Status the daemon
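Worked example (added here; not course material): a shell inventory of listening services built on the netstat command above. NETSTAT_SAMPLE is a constructed capture in the layout of 'netstat -apn --inet' (note the added -n: this parser expects numeric ports, whereas the slide's command prints service names). listening_services lists each LISTEN socket with its program and bind address; unexpected_listeners then compares every non-loopback listener against an allowlist, so a telnet or portmap service exposed on 0.0.0.0 stands out. The allowlist contents are an assumption for the example.

```shell
#!/bin/bash
# Inventory of listening TCP/IP services from "netstat -apn --inet" output.
# Added example; NETSTAT_SAMPLE is a constructed capture, not from a real host.

NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1203/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1122/sendmail
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 192.168.1.1:3128        0.0.0.0:*               LISTEN      1399/squid
tcp        0     48 192.168.1.1:22          192.168.1.5:1030        ESTABLISHED 1450/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           611/portmap'

# Services expected to listen on non-loopback addresses: "port program".
# Assumption for this example; adjust per host.
EXPECTED='80 httpd
22 sshd
3128 squid'

# stdin: netstat output. Prints "port pid/program bind-address" for every
# listening TCP socket and every bound (unconnected) UDP socket.
# UDP rows have no State column, so the program field is $6 there, not $7.
listening_services() {
    awk '
    $1 == "tcp" && $6 == "LISTEN"     { split($4, a, ":"); print a[2], $7, a[1] }
    $1 == "udp" && $5 == "0.0.0.0:*"  { split($4, a, ":"); print a[2], $6, a[1] }'
}

# stdin: netstat output. Prints "port program bind" for listeners that are
# reachable from the network and not on the allowlist.
unexpected_listeners() {
    listening_services | while read -r port prog bind; do
        [ "$bind" = 127.0.0.1 ] && continue      # loopback only: not exposed
        name=${prog#*/}                          # "640/xinetd" -> "xinetd"
        if ! printf '%s\n' "$EXPECTED" | grep -qx "$port $name"; then
            echo "$port $name $bind"
        fi
    done
}

# Demo on the constructed capture. On a real host:
#   netstat -apn --inet | unexpected_listeners
echo "unexpected listeners:"
printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners
```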

Session 11

Configuration Network
• Initializing Network Hardware
  – Load related module
• Network Configuration Tools
  – netconfig
  – redhat-config-network

Configuration Network
• Other Network Tools
  – ifconfig
  – ping
  – traceroute
  – netstat
  – tcpdump
  – nmap
  – tethereal
  – iptraf

Configuration Network
• Network Configuration Files
  – /etc/hosts
  – /etc/host.conf
  – /etc/services
  – /etc/resolv.conf
  – /etc/sysconfig/network
  – /etc/sysconfig/network-scripts/*
• IP Aliasing

Session 12

DHCP
• Advantage & disadvantage of DHCP
• DHCP Server Configuration
  – /etc/dhcpd.conf
  – /var/lib/dhcp/dhcpd.leases
• DHCP Client Configuration
  – netconfig command

An Example of dhcpd.conf
ddns-update-style ad-hoc;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.1 192.168.0.25;
    option routers 192.168.0.1;
    option subnet-mask 255.255.255.0;
    option domain-name "domain.com";
    option domain-name-servers 192.168.1.1;
    default-lease-time 21600;
    max-lease-time 43200;
    # we want the nameserver to appear at a fixed address
    host dns1 {
        hardware ethernet 12:34:56:78:AB:CD;
        fixed-address 192.168.0.20;
    }
}

dhcpd.leases Format
lease 192.168.1.8 {
    starts 3 2004/04/12 09:34:12;
    ends 6 2004/07/15 23:49:57;
    hardware ethernet 00:09:e6:88:0a:05;
}
...

NFS
• Related Daemons
  – rpc.nfsd
  – rpc.portmap
  – rpc.mountd
• Installation
  – nfs-utils
  – portmap
August 2004

NFS Configuration
• Server Side
  – Edit /etc/exports file: PATH host_lists(options)
  – Run 'exportfs -r' command
  – 'redhat-config-nfs' Command
• Client Side
  – mount -t nfs server:PATH Mountpoint
  – Edit '/etc/fstab' file: server:PATH Mountpoint nfs ro 0 0

SAMBA (1)
• Related Services
  – smbd
  – nmbd
• Related Packages
  – samba
  – samba-common
  – samba-client

SAMBA (2)
• Server Configuration
  – Global Directives
  – Service Directives
• Client Configuration
  – smbmount //server/share /mountpoint
  – smbclient //server/share
• Configuration with SWAT

Session 13

TCP/IP Services (client process and server process, each bound to a port)
1. Server binds to port and listens
2. Client connects to server
3. Client binds to port
4. Server designates port
5. Client and server communicate

Remote Login
• Telnet – Server & Client
• SSH – Server & Client

The Apache Web Server
• Modules
  – mod_auth
  – mod_info
  – mod_php
  – mod_include
  – mod_perl
  – mod_ssl

Installation Apache
• rpm -Uvh httpd-[^d]*.rpm
• rpm -Uvh httpd-devel*.rpm (for Apache module development support)

Basic Configuration
• httpd.conf
  – Section 1: The Global Environment
  – Section 2: The Main Configuration
  – Section 3: The Virtual Host Configuration

Apache Advanced Configuration
• Authentication in Apache
• Configure with PHP
• Configure with SSL
• Configure Virtual Host

Authentication in Apache
• Create '/etc/httpd/.htpasswd' file
• Configuring 'httpd.conf' file:
<Location /dir_name>
    AuthType Basic
    AuthName "NAME"
    AuthUserFile "/etc/httpd/.htpasswd"
    Require valid-user
</Location>

Configure Apache with PHP
• rpm -Uvh php-4*.rpm
Configure Apache with SSL
• rpm -Uvh mod_ssl*.rpm

Configure Virtual Host
• Configuring '/etc/hosts' file
• Configuring 'httpd.conf' file:
<VirtualHost 127.0.0.2>
    ServerAdmin webmaster@vh.com
    DocumentRoot /var/www/html/vh/
    ServerName www.vh.com
</VirtualHost>

Apache Administration
• Start
• Stop
• Restart
• Reload
• Status

Troubleshooting the Apache
• /var/log/messages
• /var/log/httpd/
• /usr/sbin/httpd -S (for virtual host)

Securing Your Network
• Using 'lokkit' or 'redhat-config-securitylevel' Command
• Password & Physical Security
• Securing TCP/IP
• Using Tripwire
• Keeping Up-to-Date on Linux Security Issues

Session 14

FTP
• Installation
  – rpm -ivh vsftp*.rpm
• Config File
  – /etc/vsftpd/vsftpd.conf
• Access Levels
  – Anonymous Access (anonymous_enable)
  – User Access (needs tcp_wrappers)

Cache Server (Squid)
• Install squid
  – rpm -ivh squid*.rpm
• Managing squid
  – start, stop, status, reload, restart

Squid Log Files
• /var/log/squid/access.log (cache_access_log)
• /var/log/squid/cache.log (cache_log)
• /var/log/squid/store.log (cache_store_log)

An Example of 'squid.conf'
http_port 8081
cache_effective_user squid
cache_effective_group squid
acl all src 0.0.0.0/0.0.0.0
http_access allow all
cache_dir ufs /cache 1024 16 32
visible_hostname ws1

Running Squid
• service squid start
• squid -d1 -z
• squid -d1 -f /etc/squid/squid.conf

The Kind of Proxies
• Upstream Proxy
  cache_peer yourproxy.com parent 3128 3130
  prefer_direct off
• Transparent Proxy
  httpd_accel_host virtual
  httpd_accel_port 80
  httpd_accel_with_proxy on
  httpd_accel_uses_host_header on

Session 15

Configuring a Linux Router
• Configuring Kernel
  – IP: advanced router
• Enable IP Forwarding
  – Add 'net.ipv4.ip_forward=1' to /etc/sysctl.conf
  – echo "1" > /proc/sys/net/ipv4/ip_forward

Type of Routes
• Static route
• Dynamic route

Components of Routing Rules
• Destination IP Address
• An Interface
• An Optional Gateway IP Address

Routing Command
• route add -net net_addr netmask mask_addr interface
• route add -host ip_addr interface
• route add default gateway ip_addr interface

An Example
[Network diagram] A router with three interfaces: eth0 192.168.1.1 serving hosts A-D on 192.168.1.0/24 (addresses .2 to .5), eth1 192.168.100.1 serving hosts E-H on 192.168.100.0/24 (addresses .2 to .5), and eth2 10.1.1.1 towards the Gateway 10.1.1.2, which leads to the Internet.

Related Rules
• route add -net 192.168.1.0 netmask 255.255.255.0 eth0
• route add -net 192.168.100.0 netmask 255.255.255.0 eth1
• route add -net 10.1.1.0 netmask 255.255.255.0 eth2
• route add default gateway 10.1.1.2 eth2

Result
Destination    Gateway   Genmask          Flags  Metric  Ref  Use  Iface
192.168.1.1    *         255.255.255.255  UH     0       0    0    eth0
192.168.100.1  *         255.255.255.255  UH     0       0    0    eth1
10.1.1.1       *         255.255.255.255  UH     0       0    0    eth2
192.168.1.0    *         255.255.255.0    U      0       0    0    eth0
192.168.100.0  *         255.255.255.0    U      0       0    0    eth1
10.1.1.0       *         255.255.255.0    U      0       0    0    eth2
127.0.0.0      *         255.0.0.0        U      0       0    0    lo
0.0.0.0        10.1.1.2  0.0.0.0          UG     0       0    0    eth2
U: Network link is up
H: Dest. Addr. refers to a host
G: Gateway

Electronic Mail (Sendmail)

How Email Is Sent and Received
[Diagram] user1@mail1.com -> mail1 MTA -> mail2 MTA -> user2@mail2.com

Concepts
• MTA : Mail Transport Agent
• SMTP (server-to-server) : Simple Mail Transport Protocol
• POP (Mail Access) : Post Office Protocol
• IMAP (Mail Access) : Interim Mail Access Protocol
• MDA : Mail Delivery Agent
• MUA : Mail User Agent

Advantage of Sendmail
• Older MTA
• Powerful MTA
Disadvantage of Sendmail
• Slow
• High Load Environment
• Crypto Configuration

MTAs
• Sendmail
• Postfix
• Exim
• Qmail
MUAs
• Evolution, Kmail (KDE)
• Balsa (GNOME)
• Mozilla Mail

Required Packages
• sendmail
• sendmail-cf
• imap (Config xinetd) (contains IMAP & POP3)

Sendmail Configuration
• Config '/etc/mail/sendmail.mc' file
  – LOCAL_DOMAIN(`example.com')dnl
• Run 'make -C /etc/mail/'
• Config DNS

Email Aliases
• Edit '/etc/aliases' file:
  postmaster: joseph
• Run 'newaliases' Command

Rejecting Email
• Edit '/etc/mail/access' file:
  spam.com   REJECT
  yahoo.com  OK
• service sendmail restart

Session 16

DNS

Where do I look?
• /etc/nsswitch.conf (nameservice switch)
t@localhost:~$ cat /etc/nsswitch.conf
hosts: files dns

Files
• Search order determined by nsswitch.conf
• It is polite to have /etc/hosts first!
sjh@mccoy:~$ cat /etc/hosts
127.0.0.1      localhost
193.62.81.132  packages.tardis.ed.ac.uk  packages
193.62.81.134  baker.tardis.ed.ac.uk     baker
193.62.81.135  mccoy.tardis.ed.ac.uk     mccoy

DNS Traversal
1. Local files
2. DNS server locally
3. Item in cache?
4. Root server, work your way down…

Resolving Names
Configuration Files for the Local Host Name Resolution (important for testing)
• /etc/resolv.conf
• /etc/nsswitch.conf
• /etc/host.conf

DNS
• BIND – Berkley Internet Name Daemon
• Dents – buggy as hell (still in alpha?)
• Djbdns – Dan Bernstein's DNS server
• Banyan VINES – don't go there!

Named (name dee)
• /etc/named.conf:
  – Config file for named – tells us if we are master / slave, what the IPs of other master / slave servers are, allow or deny zone transfers, etc., and where to find config files!
  – This defines a directory to store the DNS config files
  – Contains info about what zones we serve
• <DNSROOT>/root.hints:
  – Contains "pointers" to the Root Servers
• <DNSROOT>/127.0.0:
  – Config for reverse-lookup to the local host/subnet
• <DNSROOT>/<zone>:
  – Config for zone
• <DNSROOT>/<in-addr.arpa file>:
  – Config for reverse lookup for your zone

A simple named.conf
## named.custom - custom configuration for bind
options {
    directory "/var/named/";
};
zone "." {
    type hint;
    file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "127.0.0";
};
zone "hq.alim.ir" {
    type master;
    file "hq.alim.ir";
};
zone "168.168.192.in-addr.arpa" {
    type master;
    file "192.168.168";
};

DNS Data
DNS databases contain more than just hostname-to-address records:
• SOA – Start Of Authority – it is the daddy!
• IN NS – Name Server
• IN MX – Mail eXchanger
• IN A – A record (Address record)
• IN CNAME – Canonical NAME

A simple zone file
@   IN  SOA  hq.alim.ir. root.hq.alim.ir. (
        199609206 ; serial, todays date + todays serial #
        8H        ; refresh, seconds
        2H        ; retry, seconds
        4W        ; expire, seconds
        1D )      ; minimum, seconds
    IN  NS   hq.alim.ir.
    IN  MX   10 hq.alim.ir.   ; Primary Mail Exchanger
    IN  TXT  "Alim IT Center"
localhost    A      127.0.0.1
router       A      192.168.168.1
hq.alim.ir.  A      192.168.168.2
ns           A      192.168.168.3
www          A      207.159.141.192
ftp          CNAME  hq.alim.ir.
mail         CNAME  hq.alim.ir.
news         CNAME  hq.alim.ir.

A simple in-addr.arpa file
$TTL 3D
@   IN  SOA  hq.alim.ir. root.hq.alim.ir. (
        199609206 ; Serial
        28800     ; Refresh
        7200      ; Retry
        604800    ; Expire
        86400 )   ; Minimum TTL
    IN  NS   hq.alim.ir.
; Servers
1    PTR  router.hq.alim.ir.
2    PTR  hq.alim.ir.
2    PTR  funn.hq.alim.ir.
; Workstations
200  PTR  ws-177200.hq.alim.ir.
201  PTR  ws-177201.hq.alim.ir.
202  PTR  ws-177202.hq.alim.ir.

Forward DNS
• hq.alim.ir (as per /etc/named.conf)
• SOA – Start Of Authority – it is the daddy!
• IN NS – Name Server
• IN MX – Mail eXchanger
• IN A – A record (Address record)
• IN CNAME – Canonical NAME

Reverse DNS
• 192.168.168 (as per /etc/named.conf)
• SOA
• IN NS
• IN PTR – Pointer

DNS Round Robin
• Fault tolerance? Through nifty DNS hacks
www.teviot.com.  60  IN  A  10.0.1.100
www.teviot.com.  60  IN  A  10.0.2.100
www.teviot.com.  60  IN  A  10.0.3.100

Common Mistakes
• Forgetting to increment the Serial Number!
• CNAME pointing at another CNAME!
• Forgetting the "." in appropriate places!
• Underscores in hostnames!
• Forgetting to reload the daemon!
• Version control issues – clobber changes!
• TTL Issues
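Worked example (added here; not from the course): a small lint for the mistakes listed above, written in bash with awk. BAD_ZONE is a constructed zone that deliberately contains a missing trailing dot on an NS target, a CNAME that points at another CNAME, and an underscore in a hostname; lint_zone reports each of them. serial_increased and next_serial cover the first item on the list, producing a YYYYMMDDnn serial that is guaranteed to be larger than the one already published. The record types recognised and the output labels are this example's own choices.

```shell
#!/bin/bash
# Zone-file lint for the "Common Mistakes" list. Added example; BAD_ZONE is a
# constructed zone (not the course's) with several mistakes built in.

BAD_ZONE='$TTL 3D
@       IN SOA hq.alim.ir. root.hq.alim.ir. (
            199609206   ; serial
            8H 2H 4W 1D )
        IN NS    ns1.alim.ir
        IN MX 10 mail
ns1     IN A     192.168.168.3
hq      IN A     192.168.168.2
mail    IN CNAME hq
www     IN CNAME mail
web_01  IN A     192.168.168.10'

# stdin: zone file. Prints one finding per line:
#   MISSING-DOT  NS/MX/CNAME/PTR target has dots but no trailing dot, so the
#                origin is appended (ns1.alim.ir becomes ns1.alim.ir.hq.alim.ir.)
#   CNAME-CHAIN  CNAME whose target is itself a CNAME
#   UNDERSCORE   owner name containing "_" (not a valid hostname character)
lint_zone() {
    awk '
    { sub(/;.*/, "") }                        # strip comments
    NF == 0 || $1 ~ /^\$/ { next }            # blank lines, $TTL / $ORIGIN
    {
        # owner is the first field unless the line starts with whitespace,
        # in which case the previous owner is inherited
        if ($0 ~ /^[ \t]/) owner = last; else { owner = $1; last = $1 }
        type = ""; target = $NF
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(A|NS|MX|CNAME|PTR|SOA)$/) { type = $i; break }
        if (type == "") next                  # SOA continuation lines
        if (owner ~ /_/) print "UNDERSCORE " owner
        if (type ~ /^(NS|MX|CNAME|PTR)$/ && target ~ /\./ && target !~ /\.$/)
            print "MISSING-DOT " owner " -> " target
        if (type == "CNAME") cname[owner] = target
    }
    END {
        for (o in cname) if (cname[o] in cname)
            print "CNAME-CHAIN " o " -> " cname[o]
    }'
}

# serial_increased OLD NEW  -> status 0 when NEW is larger than OLD
serial_increased() {
    [ "$2" -gt "$1" ]
}

# next_serial OLD -> today in YYYYMMDDnn form, or OLD+1 when that would not be
# larger (several edits on one day, or an old serial that already ran ahead).
next_serial() {
    local candidate
    candidate=$(date +%Y%m%d)01
    if ! serial_increased "$1" "$candidate"; then
        candidate=$(( $1 + 1 ))
    fi
    echo "$candidate"
}

# Demo: lint the constructed zone and bump its serial.
printf '%s\n' "$BAD_ZONE" | lint_zone
echo "next serial: $(next_serial 199609206)"
```

After editing a real zone, run `lint_zone < /var/named/hq.alim.ir` and only reload named when it prints nothing; the serial helpers are meant to be called from the same edit script so the increment is never forgotten.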

Test Tools
• nslookup
• dig
  – dig mail.hq.alim.ir
  – dig -x 192.168.168.2
  – dig 168.168.192.in-addr.arpa. AXFR
• whois
• http://www.squish.net/dnscheck/ – James Ponder's DNS check web page

Session 17

Firewall Required Properties:
• Control – Allow only those packets that you are interested to pass through.
• Security – Reject packets from malicious outsiders
• Watchfulness – Log packets to/from outside world

Firewall Types
• Packet Filtering
  – Stateful
  – Stateless
• Proxy-Based Firewall

Packet Filter under Linux
• 1st generation: ipfw (from BSD)
• 2nd generation: ipfwadm (Linux 2.0)
• 3rd generation: ipchains (Linux 2.2)
• 4th generation: iptables (Linux 2.4 & 2.6)

Installing Iptables
• Kernel Supports Iptables
  – Networking Options -> TCP/IP Networking -> Network Packet Filtering
  – Networking Options -> TCP/IP Networking -> IP: advanced router -> *
  – Networking Options -> IP: Netfilter
  – For Packet Traffic Control: Networking Options -> QoS and/or fair queueing -> *
• # rpm -ivh iptables-1.2.6a-2.i386.rpm

Chains of Tables
• INPUT – Controls packets entering your system
• OUTPUT – Controls packets leaving your system
• FORWARD – Controls what packets can move from one network to another through your system

[Diagram] Incoming packet -> Routing Decision -> FORWARD chain (to another interface), or -> INPUT chain -> Local Process -> OUTPUT chain

1. When a packet comes in, the kernel first looks at the destination of the packet: this is called routing.
2. If it's destined for this box, the packet passes downwards in the diagram to the INPUT chain. If it passes, any processes waiting for that packet will receive it. Otherwise go to step 3.
3. If forwarding is not enabled, the packet will be dropped. If forwarding is enabled and the packet is destined for another network interface, the packet goes rightwards on our diagram to the FORWARD chain. If it is accepted, it will be sent out.
4. Packets generated from local processes pass to the OUTPUT chain immediately. If it says accept, the packet will be sent out.

Packet Status in Iptables
• Established
• New
• Related
• Invalid

Results of Packet Checking
• ACCEPT
• DROP
• REJECT
• …

Tables of Iptables
• Filter
• NAT
• Mangle

The Path of Packet in Iptables
Network -> Mangle PREROUTING -> NAT PREROUTING (Destination NAT) -> Routing decision
  – Local delivery: Mangle INPUT -> Filter INPUT -> Local process -> Routing decision -> Mangle OUTPUT -> NAT OUTPUT -> Filter OUTPUT
  – Forwarding: Mangle FORWARD -> Filter FORWARD
Both paths continue: NAT POSTROUTING (Source NAT, based on routing) -> Mangle POSTROUTING -> Network

Tables of Chains
Chain        MANGLE  NAT  FILTER
INPUT        *       -    *
OUTPUT       *       *    *
FORWARD      *       -    *
PREROUTING   *       *    -
POSTROUTING  *       *    -

Building a Rule: source/destination
• iptables -s 200.200.200.1
  – Refers to packets from a specific IP address
  – The "-s" refers to the source of the packet, where the packet is coming from.
  – A corresponding "-d" refers to the destination, where the packet is going to.

Building a Rule: Action
• iptables -s 200.200.200.1 -j DROP
  – The "-j" determines what happens to the packet
Building a Rule: IP address ranges
• iptables -s 200.200.200.0/24 -j DROP
  – IPs that match 200.200.200.*
  – The "/24" refers to the number of bits that are fixed, counting from the left.

Other Actions
• REDIRECT – Sends packets to a proxy
• LOG – Tracks packets as they match rules
• RETURN – Terminates user defined chains

Building a Rule: appending rules to tables
• iptables -A INPUT -s 200.200.200.1 -j DROP
  – The "-A" appends the rule to an iptable
  – The "INPUT" specifies the iptable
  – This command makes your system ignore all packets from 200.200.200.1
• iptables -A OUTPUT -d 200.200.200.1 -j DROP
  – This command does not allow your system to send packets to 200.200.200.1

Building a Rule: only blocking some packets
• iptables -A INPUT -s 200.200.200.1 -p tcp --destination-port telnet -j DROP
  – The "-p" specifies a specific protocol: tcp, udp, or icmp
  – The "--destination-port" is where the packet is going
    • You can use the service name or the port number
    • Could use 23 in this example
  – Keep in mind that the source-port is very different from the destination-port. In this example the inbound message is going to your telnet server. The telnet client that is sending you the message could be running on any port.
  – --dport == --destination-port
  – --sport == --source-port

Building a Rule: multiple network interfaces
• Assume your machine has two interface cards. One to a LAN named eth0 and the other to the Internet named ppp0
• iptables -A INPUT -p tcp --dport telnet -i ppp0 -j DROP
  – The "-i" option specifies the input interface
  – There is also a "-o" option for the output interface
• iptables -A INPUT -p tcp --dport telnet -i eth0 -j ACCEPT
• Together these rules would accept telnet requests from the LAN but block telnet requests from the Internet.

Building a Rule: Table Policies
• iptables -P FORWARD ACCEPT
  – The "-P" option followed by a table name and action determines the default policy of the table. If no rule in the table matches, this default action is taken.
• The usual policies are
  – INPUT = ACCEPT
  – OUTPUT = ACCEPT
  – FORWARD = DENY

Building a Rule: Adding Rules to Tables
• iptables -A INPUT -s 200.200.200.1 -j DROP
  – Appends the rule to the end of the table
• iptables -I INPUT 3 -s 200.200.200.1 -j DROP
  – Inserts the rule as rule 3 in the table, moving all other rules down 1.
• iptables -R INPUT 3 -s 200.200.200.1 -j DROP
  – Replaces rule 3 in the table
• iptables -D INPUT 3
  – Deletes rule 3 in the table

Operations to manage whole chains
-N  Create a new chain
-X  Delete an empty chain
-P  Change the policy for a built-in chain
-L  List the rules in a chain
-F  Flush the rules out of a chain
-Z  Zero the packet and byte counters on all rules in a chain

Manipulate rules inside a chain
-A  Append a new rule to a chain
-I  Insert a new rule at some position in a chain
-R  Replace a rule at some position in a chain
-D  Delete a rule at some position in a chain
-D  Delete the first rule that matches in a chain

An Example Firewall
[Network diagram] Internet <-> eth0 | firewall host running a Web Server and an SSH Server (SSH accessible ONLY via LAN) | eth1 192.168.1.1 <-> LAN hosts 192.168.1.5, 192.168.1.6, 192.168.1.7 (GW: 192.168.1.1)
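Worked example (added here; not the course's own script): a rule set in bash for the firewall in the diagram. It assumes, from the diagram, that eth0 faces the Internet, eth1 is the LAN side at 192.168.1.1, the LAN is 192.168.1.0/24, and the firewall host itself runs the web server (reachable from anywhere) and the SSH server (reachable only from the LAN). The rules are kept as data in fw_rules so they can be reviewed and checked (ssh_is_lan_only, default_policy_is_drop) before apply_firewall hands them to iptables; by default the script only prints the commands, and IPT=iptables applies them. The INPUT policy is DROP rather than the ACCEPT default shown earlier, so anything not explicitly allowed is logged (rate-limited) and dropped.

```shell
#!/bin/bash
# Example firewall for the diagram: web open to the Internet, SSH LAN-only.
# Added example; interface names and addresses are assumptions taken from
# the diagram, not settings from the course.

LAN_IF=${LAN_IF:-eth1}               # LAN side, 192.168.1.1 on the diagram
WAN_IF=${WAN_IF:-eth0}               # Internet side
LAN_NET=${LAN_NET:-192.168.1.0/24}

# The policy as data: one iptables argument list per line.
# Order matters: state rules first, then the spoof filter, then services,
# then logging of whatever is left for the DROP policy to discard.
fw_rules() {
    cat <<EOF
-F INPUT
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 22 -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix "SSH-BLOCKED: "
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
EOF
}

# Feed every rule to a command (default: iptables). Pass "echo iptables" for
# a dry run. eval keeps the quoted --log-prefix argument as one word.
apply_firewall() {
    local ipt=${1:-iptables} line
    fw_rules | while IFS= read -r line; do
        eval "$ipt $line" || exit 1
    done
}

# Sanity checks to run before applying.
# Every ACCEPT for port 22 must carry the LAN interface and LAN network.
ssh_is_lan_only() {
    ! fw_rules | grep -- '--dport 22' | grep -- '-j ACCEPT' \
        | grep -v -- "-i $LAN_IF -s $LAN_NET" | grep -q .
}
default_policy_is_drop() {
    fw_rules | grep -q -- '^-P INPUT DROP$'
}

if ssh_is_lan_only && default_policy_is_drop; then
    apply_firewall "${IPT:-echo iptables}"
else
    echo "refusing to apply: policy checks failed" >&2
fi
```

With the slide's topology, the rule that matters for the stated requirement is the one that accepts port 22 only with `-i eth1 -s 192.168.1.0/24`; the spoof rule just before the service rules stops a packet arriving on eth0 with a LAN source address from satisfying that match.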

Session 18 (Advanced)

Traffic Shaping (CBQ)
• /etc/rc.d/init.d/cbq.init (http://ovh.dl.sourceforge.net/sourceforge/cbqinit/cbq.init-v0.7.3)
• Install 'shapecfg' RPM
• /etc/sysconfig/cbq/* (0002-FFFF)
• /etc/rc.d/init.d/cbq.init start

Sample of CBQ Configuration
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
PRIO=5
RULE=:21,192.168.1.0/24

