Session 1

RHCE
Red Hat Certified Engineer

M. A. Agheli





History of UNIX & Linux

1957: Bell Labs found they needed an operating system; at the time they were running various batch jobs.
1965: Bell Labs creates Multics (Multiplexed Information and Computing Service).
1969: In summer 1969 UNIX was developed by AT&T.
1975: Sixth edition of UNIX released, May 1975.
1985: GNU project started.
1991: Linux is introduced by Linus Benedict Torvalds, a second-year student of Computer Science at the University of Helsinki.
1993: NetBSD & FreeBSD released.
1994: Red Hat Linux is introduced.

First Article About Linux

From: torvalds@klaava.Helsinki.FI (Linus Benedict Torvalds)
Newsgroups: comp.os.minix
Subject: What would you like to see most in minix?
Summary: small poll for my new operating system
Message-ID: <1991Aug25.205708.9541@klaava.Helsinki.FI>
Date: 25 Aug 91 20:57:08 GMT
Organization: University of Helsinki

Hello everybody out there using minix

I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones. This has been brewing
since april, and is starting to get ready. I'd like any feedback on
things people like/dislike in minix, as my OS resembles it somewhat
(same physical layout of the file-system (due to practical reasons)
among other things). I've currently ported bash(1.08) and gcc(1.40), and
things seem to work. This implies that I'll get something practical
within a few months, and I'd like to know what features most people would
want. Any suggestions are welcome, but I won't promise I'll implement them :-)

Linus (torvalds@kruuna.helsinki.fi)

PS. Yes - it's free of any minix code, and it has a multi-threaded fs.
It is NOT portable (uses 386 task switching etc), and it probably

GNU & GPL

GNU Project: focused on creating a Unix-like operating system that could be freely distributed.
GPL: Global Public License (copyleft).

Major Linux Distributors

• Mandrake Linux
• Caldera Linux
• Corel Linux
• Slackware Linux
• Debian Linux
• SuSE Linux
• Kondara Linux
• Turbo Linux
• Red Hat Linux
• Vector Linux

The Advantages of Linux

• Low purchase cost
• Open Source Software (OSS)
• UNIX heritage
• Multi-user
• Scalability
• Vendor support
• Reliable uptime
• Security
• Logging system

The Disadvantages of Linux

• Steep learning curve
• Hardware support
• End-user applications

A Comparison of Win 9x, NT, and Linux

Feature                   Win 9x      Win NT    Linux
Scalability               Poor        Good      Good
Desktop App. Support      Excellent   Good      Good
Enterprise App. Support   None        Good      Good
Hardware Support          Excellent   Good      Good
Licensing Cost            Good        Poor      Excellent

Linux Filesystem Hierarchy

bin/    Essential binary files
boot/   Boot loader files
dev/    Device files
etc/    Configuration files
home/   User home directories
lib/    Shared libraries and kernel modules
mnt/    Mount point for temporarily mounted filesystems
proc/   System information virtual filesystem
root/   root user home directory
sbin/   Essential system binaries
tmp/    Temporary files
usr/    Shareable files
var/    Non-shareable files

Session 2

Installing Linux

• Hardware requirements
• Hard disk partitioning
• Boot loader
• Install packages
• X configuration

Overview of the Installation Process

Starting the installation process:
• Installation mode
• Language
• Keyboard
• Mouse

1. Partitioning
2. Boot loader installation
3. Network configuration
4. Setting the time zone
5. Firewall configuration
6. Specifying authentication options (optional)
7. Specifying user accounts
8. Selecting packages
9. Installing packages
10. Creating a boot disk
11. Configuring the X Window System (optional)

Consoles & Message Logs

Installing Linux:

Console   Keystrokes    Contents
1         Ctrl+Alt+F1   Text-based installation procedure
2         Ctrl+Alt+F2   Shell prompt
3         Ctrl+Alt+F3   Messages from the installation program
4         Ctrl+Alt+F4   Kernel messages
5         Ctrl+Alt+F5   Other messages, including file system creation messages
7         Ctrl+Alt+F7   Graphical installation procedure

Configuring Install-Time Options after Installation

kbdconfig, authconfig, mouseconfig, ntsysv, timeconfig, setup, sndconfig, netconfig, redhat-config-…

Session 3

SHELL

• bash (Bourne Again Shell)
• ash
• sach
• tcsh
• mc

Some important BASH variables: PATH, SHELL, PS1, PS2

PS1, PS2 switches: \u, \h, \W, \d, \t, \s, \$, $

Some Linux Commands (1)

ls, man, help, info, echo, cat, tac, cd, touch, pwd, alias, clear, cp, less, rm, rmdir, mkdir, date, mv, logout, exit, halt, reboot

Session 4

BASH

• TAB key features
• Review pages & commands
• Quoting in BASH: "value", 'value', `value`
• Redirection operators: >, >>, |, <<, <
• Standard input & standard output: stdin (0), stdout (1), stderr (2)

Important Command Forms

cmd
cmd & (fg, Ctrl+Z, bg)
cmd1 ; cmd2
(cmd1 ; cmd2)
cmd1 `cmd2`
cmd1 | cmd2
cmd1 && cmd2
cmd1 || cmd2
{ cmd1 ; cmd2 ; }

Linux File Types

Type              ls flag   Description
Normal            -         Normal file
Directory         d         Normal directory
Hard link         -         (same type flag as a normal file)
Symbolic link     l         Shortcut to a file or directory
Socket            s         Passes data between two processes
Named pipe        p         Like sockets; users can't work with them directly
Character device  c         Character-oriented hardware communication
Block device      b         Major & minor numbers for controlling the device

Bash Special Variables

$#   Number of arguments given to the command
$?   Return value of the last program run
$$   Process number of the current shell
$!   Process number of the last child process
$@   All arguments, individually quoted
$*   All arguments quoted as a whole
$n   Positional argument value, where n is the position
$0   Name of the current shell

Some Linux Commands (2)

• Process text streams: sort, cut, head, tail, split, wc, uniq, grep
• Redirecting a command's output: tee
• Create, monitor & kill processes: ps, pstree, top, kill, killall
• Modify process priority: renice

Session 5

Some Linux Commands (3)

• Create partitions and filesystems: fdisk, mke2fs, mkfs.*
• Maintain the integrity of filesystems: e2fsck, fsck.*, du, df
• Filesystem mounting & unmounting: mount, umount, /etc/fstab

Some Linux Commands (4)

• Use file permissions: chmod, chown, chgrp, su
• Create hard & symbolic links: ln
• Find system files: find, locate, which
• Using emergency & single-user mode

'vi' Powerful Text Editor

• Insert mode: insert text
• Normal mode:
  dd, n+dd (delete)
  yy, n+yy (copy)
  p, P (paste)
  / (search)
  v (visual text selection)
  r
• Command mode:
  w
  q
  wq = x
  q!
  s///

Session 6

Run Levels

Run level   Definition
0           This runlevel halts the system
1           This runlevel sets single-user mode
2           Multiuser mode without networking
3           Multiuser mode with networking
4           Not used
5           X-based login
6           This runlevel reboots the system

• init & chkconfig commands
• /etc/inittab
• /etc/rc.d/init.d &

Configuring the Boot Loader

• LILO: edit /etc/lilo.conf & execute the 'lilo' command
• GRUB: edit /boot/grub/grub.conf

Administrative Tasks

• Manage users, groups & related files: useradd, userdel, groupadd, groupdel, passwd, vipw, vigr; /etc/passwd, /etc/shadow, /etc/skel, /etc/profile, …
• Configure and use system log files: /etc/syslog.conf, /etc/logrotate.conf
• Scheduling jobs (at & crontab commands)
• Backup & restore tools: tar, bzip2, gzip

Session 7

Linux Installation and Package Management

• Make and install programs from source
• RPM (Red Hat Package Manager)

Kernel

• About the kernel and loadable modules
• Manage kernel modules at runtime (/etc/modules.conf)
• Reconfigure, build and install a custom kernel

Configuring Modems

• redhat-config-network-tui command in text mode
• Modem configuration files
• kppp command in X Window

Session 8

Shell Scripts

• # comments
• #! special comment
• Assign a value:
x=y
x=${y}
x=$y
x=${y}es
x=$yes
x='$y'
x=\$y
export x y z
export x=$y

Shell Scripts: Control Constructs

• 'read' command
• 'test' command ( [ ] )
• if …; then …; else …; fi
• case … in pattern) …;; esac
• while …; do …; done
• until …; do …; done
• for x in …; do …; done
• break, continue, exit (for, while, until)
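The quoting forms, special variables, exit-status chaining, redirection and control constructs from the BASH slides above, exercised in one script. This is an added example, not code from the slides; every function name in it is chosen for this example, and each result is returned from a function so it can be checked rather than only printed.

```shell
#!/bin/sh
# Added example (not from the slides): the shell forms from the BASH and
# Shell Scripts slides in one runnable script. Function names are ours.

# count_args: $# versus "$@" versus unquoted $*.
# Returns "<argc> <words seen via "$@"> <words seen via $*>".
count_args() {
    via_at=0; via_star=0
    for a in "$@"; do via_at=$((via_at + 1)); done     # "$@" keeps "two words" as one argument
    for a in $*;   do via_star=$((via_star + 1)); done # unquoted $* is re-split on spaces
    echo "$# $via_at $via_star"
}

# classify_status: run the given command and report on $?.
# $? must be captured at once; the next command overwrites it.
classify_status() {
    "$@" >/dev/null 2>&1
    status=$?
    [ "$status" -eq 0 ] && echo "ok $status" || echo "failed $status"
}

# split_streams: stdout (fd 1) and stderr (fd 2) are separate streams and can be
# redirected independently. Returns "<stdout line>|<stderr line>".
split_streams() {
    only_out=$(sh -c 'echo to-stdout; echo to-stderr >&2' 2>/dev/null)
    only_err=$( { sh -c 'echo to-stdout; echo to-stderr >&2' >/dev/null; } 2>&1 )
    echo "$only_out|$only_err"
}

# quote_demo: the three quoting forms - "..." expands, '...' does not, `...` runs a command.
quote_demo() {
    y=world
    printf '%s,%s,%s\n' "$y" '$y' "`echo $y`"
}

# summarize_lines: 'read' in a while loop, 'case' for classification,
# 'continue' to skip comments and blank lines, 'break' at the word "end".
# Returns "numbers=<n> words=<n>".
summarize_lines() {
    numbers=0; words=0
    while read -r line; do
        case "$line" in
            "")        continue ;;
            "#"*)      continue ;;
            end)       break ;;
            *[!0-9]*)  words=$((words + 1)) ;;
            *)         numbers=$((numbers + 1)) ;;
        esac
    done
    echo "numbers=$numbers words=$words"
}

# stand-alone usage: sh bash_forms.sh demo
if [ "${1:-}" = "demo" ]; then
    count_args one "two words" three
    classify_status sh -c 'exit 3'
    split_streams
    quote_demo
    printf '%s\n' 12 '# skip' abc 7 end 99 | summarize_lines
fi
```

The `summarize_lines` pipeline shows why `read` loops are written this way in scripts: the loop reads its own stdin, so the counters stay in the same shell as the final `echo`.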

Session 9

Installing and Configuring X

Basic X Concepts

• X client
• X server
• X protocol

Basic X Concepts

• X window manager
• X desktop manager
• X display manager

Installing X

1. Determine the proper X server
2. Install the proper packages

X Server Selection

XFree86-*

Installing the packages:
• freetype
• gtk+
• XFree86-libs
• XFree86-75dpi-fonts
• redhat-config-xfree86
• XFree86-xfs
• XFree86-xdm
• XFree86-twm
• XFree86-tools
• xinitrc

Configuring X

• redhat-config-xfree86
• xvidtune

Important X Directories & Files

• /usr/X11R6/bin
• /etc/X11
• /etc/X11/XF86Config

Configure and Use PPP

• 'redhat-config-network-tui' command in text mode
• Modem configuration files
• kppp command in X Window

Session 10

Network Basics

• IP (network & host portion)
  192.168.168.1 : 11000000.10101000.10101000.00000001
  Static IP / Dynamic IP
• Netmask address
  255.255.255.0 : 11111111.11111111.11111111.00000000
• Network address
  192.168.168.0 : 11000000.10101000.10101000.00000000

Classful Addressing System

Network classes:
• Class A: 1.0.0.0-126.0.0.0 (8 bits)
• Class B: 128.0.0.0-191.0.0.0 (16 bits)
• Class C: 192.0.0.0-223.0.0.0 (24 bits)

Reserved IP:
• 127.0.0.0-127.255.255.255 (loopback addresses)
• 224.0.0.0-239.255.255.255 (multicast protocols)
• 240.0.0.0-255.255.255.255 (do not use)

Public & private networks (valid & invalid IPs):
• 10.0.0.0-10.255.255.255
• 172.16.0.0-172.31.255.255

Classless Addressing System (Subnet)

Net. Addr.: 192.168.168.0 = 11000000.10101000.10101000.00000000

Netmasks:
255.255.255.0   (/24) : 11111111.11111111.11111111.00000000
255.255.255.128 (/25) : 11111111.11111111.11111111.10000000
255.255.255.192 (/26) : 11111111.11111111.11111111.11000000
255.255.255.224 (/27) : 11111111.11111111.11111111.11100000
255.255.255.240 (/28)

TCP/IP Model (1)

• Application protocols
• Transport protocols
• Internet protocols
• Network access protocols

TCP/IP Model (2)

Network access protocols: all functions necessary to access the physical network.

Internet protocols:
• IP (Internet Protocol – connectionless)
• ICMP (Internet Control Message Protocol)

TCP/IP Model (3)

Transport protocols:
• TCP (Transmission Control Protocol) – connection-based
• UDP (User Datagram Protocol) – connectionless

Application protocols:
• Privileged ports (0-1023)
• /etc/services

Types of TCP/IP Services

• Stand-alone
• xinetd (and its config)

Related TCP/IP Commands

ps x
netstat -ap --inet | grep LISTEN

Controlling TCP/IP Daemons

• Start the daemon
• Stop the daemon
• Restart the daemon
• Status of the daemon

Session 11

Configuring the Network

Initializing network hardware: load the related module

Network configuration tools:
• netconfig
• redhat-config-network

Configuring the Network

Other network tools:
• ifconfig
• tcpdump
• ping
• nmap
• traceroute
• tethereal
• netstat
• iptraf

Configuring the Network

Network configuration files:
• /etc/hosts
• /etc/host.conf
• /etc/services
• /etc/resolv.conf
• /etc/sysconfig/network
• /etc/sysconfig/network-scripts/*

Session 12

DHCP

• Advantages & disadvantages of DHCP
• DHCP server configuration:
  /etc/dhcpd.conf
  /var/lib/dhcp/dhcpd.leases
• DHCP client configuration: netconfig command

An Example of dhcpd.conf

ddns-update-style ad-hoc;

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.1 192.168.0.25;
    option routers 192.168.0.1;
    option subnet-mask 255.255.255.0;
    option domain-name "domain.com";
    option domain-name-servers 192.168.1.1;
    default-lease-time 21600;
    max-lease-time 43200;
}

# we want the nameserver to appear at a fixed address
host dns1 {
    hardware ethernet 12:34:56:78:AB:CD;
    fixed-address 192.168.0.20;
}

dhcpd.leases Format

lease 192.168.1.8 {
    starts 3 2004/04/12 09:34:12;
    ends 6 2004/07/15 23:49:57;
    hardware ethernet 00:09:e6:88:0a:05;
}
...

NFS

Related daemons:
• rpc.nfsd
• rpc.portmap
• rpc.mountd

Installation:
• nfs-utils
• portmap

August 2004

NFS Configuration

Server side:
• Edit the /etc/exports file: PATH host_list(options)
• Run the 'exportfs -r' command
• 'redhat-config-nfs' command

Client side:
• mount -t nfs server:PATH mountpoint
• Edit the '/etc/fstab' file

SAMBA (1)

Related services:
• smbd
• nmbd

Related packages:
• samba
• samba-common
• samba-client

SAMBA (2)

Server configuration:
• Global directives
• Service directives

Client configuration:
• smbmount //server/share /mountpoint
• smbclient //server/share

Configuration with SWAT

Session 13

TCP/IP Services

1. Server process binds to a port and listens
2. Client process binds to a port
3. Client connects to the server
4. Server designates a port
5. Client and server communicate

Remote Login

• Telnet: server & client
• SSH: server & client

The Apache Web Server

Modules:
• mod_auth
• mod_info
• mod_php
• mod_include
• mod_perl
• mod_ssl

Installing Apache

rpm -Uvh httpd-[^d]*.rpm
rpm -Uvh httpd-devel*.rpm   (for supporting Apache modules)

Basic Configuration

httpd.conf
• Section 1: the global environment
• Section 2: the main configuration
• Section 3: the virtual host configuration

Apache Advanced Configuration

• Authentication in Apache
• Configure with PHP
• Configure with SSL
• Configure virtual hosts

Authentication in Apache

• Create the '/etc/httpd/.htpasswd' file
• Configure the 'httpd.conf' file:

<Location /dir_name>
    AuthType Basic
    AuthName "NAME"
    AuthUserFile ".htpasswd"
    Require valid-user
</Location>

Basic authentication sends the password in clear on every request, so it belongs behind the SSL configuration on the next slide.

Configure Apache with PHP

rpm -Uvh php-4*.rpm

Configure Apache with SSL

rpm -Uvh mod_ssl*.rpm

Configure Virtual Host

• Configure the '/etc/hosts' file
• Configure the 'httpd.conf' file:

<VirtualHost 127.0.0.2>
    ServerAdmin webmaster@vh.com
    DocumentRoot /var/www/html/vh/
    ServerName www.vh.com
</VirtualHost>

Apache Administration

• Start
• Stop
• Restart
• Reload
• Status

Troubleshooting Apache

• /var/log/messages
• /var/log/httpd/
• /usr/sbin/httpd -S (for virtual hosts)

Securing Your Network

• Using the 'lokkit' or 'redhat-config-securitylevel' command
• Password & physical security
• Securing TCP/IP
• Using Tripwire
• Keeping up-to-date on Linux security issues

Session 14

FTP

Installation: rpm -ivh vsftp*.rpm
Config file: /etc/vsftpd/vsftpd.conf

Access levels:
• Anonymous access (anonymous_enable)
• User access (needs tcp_wrappers)

Cache Server (Squid)

Install squid: rpm -ivh squid*.rpm

Managing squid: start, stop, restart, status, reload

Squid Log Files

• /var/log/squid/access.log (cache_access_log)
• /var/log/squid/cache.log (cache_log)
• /var/log/squid/store.log (cache_store_log)

An Example of 'squid.conf'

http_port 8081
cache_effective_user squid
cache_effective_group squid
acl all src 0.0.0.0/0.0.0.0
http_access allow all
cache_dir ufs /cache 1024 16 32
visible_hostname ws1

Note that 'http_access allow all' makes this an open proxy that any client can reach; on a production server define an acl for your own networks and allow only that.

Running Squid

service squid start
squid -d1 -z
squid -d1 -f /etc/squid/squid.conf

The Kinds of Proxies

Upstream proxy:
cache_peer yourproxy.com parent 3128 3130
prefer_direct off

Transparent proxy:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Session 15

Configuring a Linux Router

Configuring the kernel: IP: advanced router

Enable IP forwarding:
• Add 'net.ipv4.ip_forward=1' to /etc/sysctl.conf
• echo "1" > /proc/sys/net/ipv4/ip_forward

Types of Routes

• Static route
• Dynamic route

Components of Routing Rules

• Destination IP address
• An interface
• An optional gateway IP address

Routing Command

route add -net net_addr netmask mask_addr interface
route add -host ip_addr interface
route add default gateway ip_addr interface

An Example

Gateway (Linux router):
• eth0 192.168.1.1 – LAN 192.168.1.0/24: hosts A 192.168.1.2, B 192.168.1.3, C 192.168.1.4, D 192.168.1.5
• eth1 192.168.100.1 – LAN 192.168.100.0/24: hosts E 192.168.100.2, F 192.168.100.3, G 192.168.100.4, H 192.168.100.5
• eth2 10.1.1.1 – link to the Internet router at 10.1.1.2

Related Rules

route add -net 192.168.1.0 netmask 255.255.255.0 eth0
route add -net 192.168.100.0 netmask 255.255.255.0 eth1
route add -net 10.1.1.0 netmask 255.255.255.0 eth2
route add default gateway 10.1.1.2 eth2

Result

Destination     Gateway   Genmask           Flags  Metric  Ref  Use  Iface
192.168.1.1     *         255.255.255.255   UH     0       0    0    eth0
192.168.100.1   *         255.255.255.255   UH     0       0    0    eth1
10.1.1.1        *         255.255.255.255   UH     0       0    0    eth2
192.168.1.0     *         255.255.255.0     U      0       0    0    eth0
192.168.100.0   *         255.255.255.0     U      0       0    0    eth1
10.1.1.0        *         255.255.255.0     U      0       0    0    eth2
127.0.0.0       *         255.0.0.0         U      0       0    0    lo
0.0.0.0         10.1.1.2  0.0.0.0           UG     0       0    0    eth2

U: network link is up
H: destination address refers to a host
G: gateway

Electronic Mail (Sendmail)

How Email Is Sent and Received

user1@mail1.com → mail1 MTA → ? → ? → mail2 MTA → user2@mail2.com


Concepts

• MTA: Mail Transport Agent
  SMTP (server-to-server): Simple Mail Transport Protocol
• POP (mail access): Post Office Protocol
• IMAP (mail access): Interim Mail Access Protocol
• MDA: Mail Delivery Agent
• MUA: Mail User Agent

Advantages of Sendmail
• Older MTA
• Powerful MTA

Disadvantages of Sendmail
• Slow
• High-load environments
• Cryptic configuration

MTAs
• Sendmail
• Postfix
• Exim
• Qmail

MUAs
• Evolution, Kmail (KDE)
• Balsa (GNOME)
• Mozilla Mail

Required Packages
• sendmail
• sendmail-cf
• imap (configured via xinetd; contains IMAP & POP3)

Sendmail Configuration

• Configure the '/etc/mail/sendmail.mc' file:
  LOCAL_DOMAIN(`example.com')dnl
• Run 'make -C /etc/mail/'
• Configure DNS

Email Aliases

• Edit the '/etc/aliases' file:
  postmaster: joseph
• Run the 'newaliases' command

Rejecting Email

• Edit the '/etc/mail/access' file:
  spam.com    REJECT
  yahoo.com   OK
• service sendmail restart

Session 16

DNS

Where do I look?

• /etc/nsswitch.conf (name service switch)

t@localhost:~$ cat /etc/nsswitch.conf
hosts: files dns

Files

• Search order determined by nsswitch.conf
• It is polite to have /etc/hosts first!

sjh@mccoy:~$ cat /etc/hosts
127.0.0.1      localhost
193.62.81.135  mccoy.tardis.ed.ac.uk     mccoy
193.62.81.134  baker.tardis.ed.ac.uk     baker
193.62.81.132  packages.tardis.ed.ac.uk  packages

DNS Traversal

1. Local files
2. DNS server locally
3. Item in cache?
4. Root server, work your way down…

Resolving Names

Configuration files for local host name resolution (important for testing):
• /etc/resolv.conf
• /etc/nsswitch.conf
• /etc/host.conf

DNS

• BIND – Berkeley Internet Name Daemon
• Dents – buggy as hell (still in alpha?)
• Djbdns – Dan Bernstein's DNS server
• Banyan VINES – don't go there!

Named (name-dee)

/etc/named.conf:
  Config file for named – tells us if we are master / slave, allow or deny zone transfers, what the IPs of other master / slave servers are, etc. It defines a directory to store the DNS config files and contains info about what zones we serve, and where to find their config files!

<DNSROOT>/root.hints:
  Contains "pointers" to the root servers

<DNSROOT>/<zone>:
  Config for the zone

<DNSROOT>/127.0.0:
  Config for reverse lookup of the local host/subnet

<DNSROOT>/<in-addr.arpa file>:
  Config for reverse lookup for your zone

A simple named.conf

## named.custom - custom configuration for bind
options {
    directory "/var/named/";
};
zone "." {
    type hint;
    file "root.lists";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "127.0.0";
};
zone "hq.alim.ir" {
    type master;
    file "hq.alim.ir";
};
zone "168.168.192.in-addr.arpa" {
    type master;
    file "192.168.168";
};

DNS Data

DNS databases contain more than just hostname-to-address records:
• SOA – Start Of Authority – it is the daddy!
• IN NS – Name Server
• IN MX – Mail eXchanger
• IN A – A record (Address record)
• IN CNAME – Canonical NAME

A simple zone file

$TTL 3D                      ; default TTL (BIND 9 refuses to load a zone without it)
@       IN  SOA hq.alim.ir. root.hq.alim.ir. (
                199609206    ; serial, today's date + today's serial #
                8H           ; refresh, seconds
                2H           ; retry, seconds
                4W           ; expire, seconds
                1D )         ; minimum, seconds
        NS    hq.alim.ir.
        MX 10 hq.alim.ir.    ; Primary Mail Exchanger
        TXT   "Alim IT Center"
localhost   A     127.0.0.1
router      A     192.168.168.1
hq.alim.ir. A     192.168.168.2
ns          A     192.168.168.3
www         A     207.159.141.192
ftp         CNAME hq.alim.ir.
mail        CNAME hq.alim.ir.
news        CNAME hq.alim.ir.

A simple in-addr.arpa file

$TTL 3D
@       IN  SOA hq.alim.ir. root.hq.alim.ir. (
                199609206    ; Serial
                28800        ; Refresh
                7200         ; Retry
                604800       ; Expire
                86400 )      ; Minimum TTL
        NS  hq.alim.ir.

; Servers
1       PTR router.hq.alim.ir.
2       PTR hq.alim.ir.
2       PTR funn.hq.alim.ir.

; Workstations
200     PTR ws-177200.hq.alim.ir.
201     PTR ws-177201.hq.alim.ir.
202     PTR ws-177202.hq.alim.ir.

Forward DNS

hq.alim.ir (as per /etc/named.conf)
• SOA – Start Of Authority – it is the daddy!
• IN NS – Name Server
• IN MX – Mail eXchanger
• IN A – A record (Address record)
• IN CNAME – Canonical NAME

Reverse DNS

192.168.168 (as per /etc/named.conf)
• SOA
• IN NS
• IN PTR – Pointer

DNS Round Robin

Fault tolerance? Through nifty DNS hacks:

www.teviot.com.   60   IN   A   10.0.1.100
www.teviot.com.   60   IN   A   10.0.2.100
www.teviot.com.   60   IN   A   10.0.3.100

Common Mistakes

• Forgetting to increment the serial number!
• CNAME pointing at another CNAME!
• Forgetting the "." in appropriate places!
• Underscores in hostnames!
• Forgetting to reload the daemon!
• Version control issues – clobbered changes!
• TTL issues

Test Tools

• nslookup
• dig
  dig mail.hq.alim.ir
  dig -x 192.168.168.2
  dig 168.168.192.in-addr.arpa. AXFR
• whois
• http://www.squish.net/dnscheck/ – James Ponder's DNS check web page

Session 17

Firewall

Required properties:
• Control: allow only those packets that you are interested in to pass through.
• Security: reject packets from malicious outsiders.
• Watchfulness: log packets to/from the outside world.

Firewall Types

• Packet filtering: stateful, stateless
• Proxy-based firewall

Packet Filters under Linux

• 1st generation: ipfw (from BSD)
• 2nd generation: ipfwadm (Linux 2.0)
• 3rd generation: ipchains (Linux 2.2)
• 4th generation: iptables (Linux 2.4 & 2.6)

Installing Iptables

Kernel support for iptables:
• Networking Options -> TCP/IP Networking -> Network Packet Filtering
• Networking Options -> TCP/IP Networking -> IP: advanced router -> *
• Networking Options -> IP: Netfilter

For packet traffic control:
• Networking Options -> QoS and/or fair queueing -> *

# rpm -ivh iptables-1.2.6a-2.i386.rpm

Chains of Tables

• INPUT: controls packets entering your system
• OUTPUT: controls packets leaving your system
• FORWARD: controls what packets can move from one network to another through your system

Packet flow (diagram): routing decision → FORWARD chain, or routing decision → INPUT chain → local process → OUTPUT chain

When a packet comes in, the kernel first looks at the destination of the packet: this is called routing.

If it's destined for this box:
1. It passes downwards in the diagram to the INPUT chain.
2. If it passes, any processes waiting for that packet will receive it.
Otherwise go to step 3.
…Continue

3. If forwarding is not enabled, the packet will be dropped. If forwarding is enabled and the packet is destined for another network interface, the packet goes rightwards on our diagram to the FORWARD chain. If it is accepted, it will be sent out.
4. Packets generated by local processes pass to the OUTPUT chain immediately. If it says accept, the packet will be sent out.

Packet Status in Iptables

• Established
• New
• Related
• Invalid

Results of Packet Checking

• ACCEPT
• DROP
• REJECT

Tables of Iptables

• Filter
• NAT
• Mangle

The Path of a Packet in Iptables

Incoming from the network:
1. Mangle table, PREROUTING chain
2. NAT table, PREROUTING chain (destination NAT)
3. Routing decision
   – for this host: Mangle INPUT → Filter INPUT → local process
   – for another host: Mangle FORWARD → Filter FORWARD
4. Mangle POSTROUTING
5. NAT table, POSTROUTING chain (source NAT, based on routing)
6. Out to the network

Generated by a local process:
1. Routing decision
2. Mangle OUTPUT
3. NAT OUTPUT
4. Filter OUTPUT
5. Mangle POSTROUTING → NAT POSTROUTING → out to the network

Tables of Chains

Table    INPUT   OUTPUT   FORWARD   PREROUTING   POSTROUTING
MANGLE   *       *        *         *            *
NAT      -       *        -         *            *
FILTER   *       *        *         -            -

Building a Rule: source/destination

iptables -s 200.200.200.1
• Refers to packets from a specific IP address
• The "-s" refers to the source of the packet, where the packet is coming from.
• A corresponding "-d" refers to the destination, where the packet is going to.

Building a Rule: Action

iptables -s 200.200.200.1 -j DROP
• The "-j" determines what happens to the

Building a Rule: IP address ranges

iptables -s 200.200.200.0/24 -j DROP
• IPs that match 200.200.200.*
• The "/24" refers to the number of bits that are fixed, counting from the left.

Other Actions

• REDIRECT: sends packets to a proxy
• LOG: tracks packets as they match rules
• RETURN: terminates user-defined chains

Building a Rule: appending rules to tables

iptables -A INPUT -s 200.200.200.1 -j DROP
• The "-A" appends the rule to an iptables chain
• The "INPUT" specifies the chain
• This command makes your system ignore all packets from 200.200.200.1

iptables -A OUTPUT -d 200.200.200.1 -j DROP
• This command does not allow your system to send packets to 200.200.200.1

Building a Rule: only blocking some packets

iptables -A INPUT -s 200.200.200.1 -p tcp --destination-port telnet -j DROP
• The "-p" specifies a specific protocol: tcp, udp, or icmp
• The "--destination-port" is where the packet is going
• You can use the service name or the port number (could use 23 in this example)
• Keep in mind that the source port is very different from the destination port. In this example the inbound message is going to your telnet server. The telnet client that is sending you the message could be running on any port.
• --dport == --destination-port
• --sport == --source-port

Building a Rule: multiple network interfaces

Assume your machine has two interface cards: one to a LAN named eth0 and the other to the Internet named ppp0.

iptables -A INPUT -p tcp --dport telnet -i ppp0 -j DROP
• The "-i" option specifies the input interface
• There is also a "-o" option for the output interface

iptables -A INPUT -p tcp --dport telnet -i eth0 -j ACCEPT
• Together these rules would accept telnet requests from the LAN but block telnet requests from the Internet.

Building a Rule: Table Policies

iptables -P FORWARD ACCEPT
• The "-P" option followed by a chain name and action determines the default policy of the chain. If no rule in the chain matches, this default action is taken.

The usual policies are:
• INPUT = ACCEPT
• OUTPUT = ACCEPT
• FORWARD = DENY (the iptables target for this is DROP)

Building a Rule: Adding Rules to Tables

iptables -A INPUT -s 200.200.200.1 -j DROP
• Appends the rule to the end of the chain

iptables -I INPUT 3 -s 200.200.200.1 -j DROP
• Inserts the rule as rule 3 in the chain, moving all other rules down 1.

iptables -R INPUT 3 -s 200.200.200.1 -j DROP
• Replaces rule 3 in the chain

iptables -D INPUT 3
• Deletes rule 3 in the chain

Operations to manage whole chains

-N   Create a new chain
-X   Delete an empty chain
-P   Change the policy for a built-in chain
-L   List the rules in a chain
-F   Flush the rules out of a chain
-Z   Zero the packet and byte counters on all rules in a chain

Manipulate rules inside a chain

-A   Append a new rule to a chain
-I   Insert a new rule at some position in a chain
-R   Replace a rule at some position in a chain
-D   Delete a rule at some position in a chain
-D   Delete the first rule that matches in a chain

An Example

Firewall 192.168.1.1 with two interfaces: eth1 to the Internet and eth0 to the LAN.
• Web server: accessible from the Internet
• SSH server: accessible ONLY via the LAN
• LAN hosts: 192.168.1.5, 192.168.1.6, 192.168.1.7 (GW: 192.168.1.1)
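The rule set for the example above, built from the -P, -A, -p/--dport, -i/-s and LOG forms introduced on the preceding slides. This is an added example, not a script from the slides: the interface names and LAN prefix are taken from the diagram as assumptions, the function names are ours, and the script prints the commands for review rather than executing them unless explicitly asked to.

```shell
#!/bin/sh
# Added example (not from the slides): iptables rules for the example
# firewall - web reachable from anywhere, SSH only from the LAN interface,
# everything else logged and dropped by the chain policy.
# Assumed from the diagram: eth1 faces the Internet, eth0 the LAN 192.168.1.0/24.
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24

# firewall_rules: emit one iptables command per line; nothing is executed here.
# Order matters: iptables takes the first matching rule, so loopback and
# already-established traffic are accepted before the service rules, and the
# LOG rule sits last so it only sees what the DROP policy is about to discard.
firewall_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
EOF
}

# apply_rules: run the generated commands; stops at the first failing one.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    firewall_rules | sh -e
}

# stand-alone usage: sh fw.sh show   (review)   /   sh fw.sh apply   (as root)
case "${1:-}" in
    show)  firewall_rules ;;
    apply) apply_rules ;;
esac
```

There is no ACCEPT for port 22 on the WAN interface at all; an SSH connection from the Internet reaches the LOG rule and then the INPUT policy, which is the "deny by default" shape the slide's scenario asks for. The `-m state` match is the stateful filtering named on the Firewall Types slide.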

Session 18 (Advanced)

Traffic Shaping (CBQ)

• /etc/rc.d/init.d/cbq.init (http://ovh.dl.sourceforge.net/sourceforge/cbqinit/cbq.init-v0.7.3)
• Install the 'shapecfg' RPM
• /etc/sysconfig/cbq/* (0002-FFFF)
• /etc/rc.d/init.d/cbq.init start

Sample CBQ Configuration

DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
PRIO=5
RULE=:21,192.168.1.0/24

The End
Good Luck