RHCE

  RHCE

Red Hat Certified Engineer


(DAY 1)

Section 1 - Installing Red Hat Enterprise Linux 5


-practice time the lab is open

-test is on a Tuesday in 4 weeks


First Stage is available in three supported versions:


The Second Stage is Anaconda


-The Text Mode Installation Interface can be selected by typing the command 'linux text' at the boot: prompt. This will load an ncurses-based interface. It should only be used if the system is not capable of displaying the GUI.

-The Graphical Installation Interface is the default interface for Anaconda. This interface will start XOrg.


Install Methods


After you have provided Anaconda with the installation method, the installer will detect your hardware, and you will then be prompted...


Virtual Consoles


note: can change over to the shell to start work early.


Installation Number


Disk Partitioning

Types of partitions:

primary - 4

extended - 1

logical - 15


File Systems may be created on primary or logical partitions.


-use disk druid in the install


Software RAID and LVM2 can be used to "combine" multiple partitions into a single virtual unit.


-can switch to the partition screen (CTRL + ALT + F5) to use 'parted' or 'fdisk' to partition the disk


Disk Druid

If you choose not to permit Anaconda to automatically partition your drives, you may manually partition them with the Disk Druid tool.

Only GUI will allow you to do LVM during the install.


File System Types


Software RAID


LVM

Physical partitions can be grouped together into a single logical volume.

The disk space in this logical volume can then be resized and reallocated very easily.

Once a volume has been resized, the file system on that volume can then be resized to take advantage of the new space.

If any physical volume backing a logical volume fails, all data on that logical volume will be lost. There is no redundancy with LVM.

-the install will default to a LVM config if left at default


Package Selection

The default package selection has been optimized for workstations.

-watch the space needed during the test; probably a good idea to leave the selection as stripped down as possible.

-in RHEL 5, there is no running ticker of the amount of space needed to install the selected packages

-also, it will not warn you if there is not enough space; it will start the install anyway and error out halfway through


Confirming Your Installation

-will be prompted to reboot

-firstboot prog

/root/anaconda-ks.cfg


FIRSTBOOT program

-firewall config, frontend for iptables

-SELinux

-written during kernel 2.4 series by the NSA

-very powerful security software

While SELinux is running, access control is determined by the Mandatory Access Control (MAC) rules set by the SELinux policy. This policy controls the rights that processes have to files, directories, and network sockets (objects). This works in combination with the traditional Discretionary Access Control (DAC) provided by Linux permissions.


Lab 1 : Installing RHEL 5

/var/log/messages

/var/log/dmesg

/root/install.log

/root/anaconda-ks.cfg



Section 2 - Boot Process


The Master Boot Record

The Master Boot Record (MBR) occupies the first 512 bytes on the boot drive. 



GRUB - The GRand Unified Boot Loader

2 stages - the first lives in the MBR, the second in /boot

/boot/grub/grub.conf

-check out the GRUB page!


Installing GRUB


# /sbin/grub-install /dev/hda


If that fails, you can reinstall GRUB manually using the grub shell:

# grub

> root (hd0,0)

> setup (hd0)

> quit


The GRUB Shell


Kernel Initialization

GRUB loads the initial ram disk

kernel will perform the following functions at boot:

Note: If essential drivers are compiled as modules (and are not compiled directly into the kernel), they must be included in the initial ram disk (initrd). The ext module is an example .........


# file /boot/initrd

# gunzip < /boot/initrd-x.x.x.img > initrd.unzipped

# file initrd.unzipped

-cpio pre-dates tar

# cpio -i -d --no-absolute-filenames < initrd.unzipped

# less init


# mkinitrd


Init


/etc/inittab

When init starts, it parses inittab for the following:


/etc/inittab:

label : 0 or more run levels (0 is all run levels) : keyword special to init : full path to command to run with


-check man page for 'inittab'


Run-levels and pseudo run-levels


Pseudo run-levels

emergency /sbin/init calls /sbin/sulogin instead of parsing /etc/inittab

init=/bin/bash /sbin/init is never called and a bash shell is started in its place


# /usr/bin/logger "log this text"

# telinit q

# telinit 3

# runlevel


-could create run levels as "maintenance" levels where certain processes are stopped and started based on run level


*DEC vt100 dumb terminal



# runlevel - tells which run-level you were in previously and which one you are in now

# init - this command can be run to change the system's runlevel


When changing runlevels, init will execute the runlevel specific kill (K) and start (S) scripts to make sure the appropriate services are running in the desired runlevel.


These scripts can be found in /etc/rc.d/rc#.d, where # is the number of a runlevel.


chkconfig

# chkconfig  -  this basically controls all of these scripts and which to start and stop

# chkconfig --level 245 sendmail off

-get default behavior from the rc script header


# chkconfig --add <service>

# chkconfig --del <service>

# chkconfig --list



Section 3 - Basic System Administration



Network Configuration

Global settings are configured in /etc/sysconfig/network

NETWORKING=yes|no

HOSTNAME=<fqdn>

GATEWAY=<gateway ip>

NISDOMAIN=<nis domain name>


/etc/sysconfig/network-scripts/ifcfg-ethX


DEVICE=eth0

BOOTPROTO=dhcp

ONBOOT=yes


or static ip address...


DEVICE=eth0

BOOTPROTO=static

IPADDR=<ip>

NETMASK=<netmask>

GATEWAY=<gateway ip> # if different than gateway defined in global config

ONBOOT=yes


/etc/resolv.conf holds the configuration for resolving hostnames:


search example.com

nameserver 192.168.0.254


# route -n

# netstat -rn

# ip addr

# ifconfig


# ifdown

# ifup

# service network restart



Printing Overview

RHEL 5 uses CUPS, the Common UNIX Printing System, as its primary printing system.

CUPS supports IPP protocol (based on HTTP/1.1) and can communicate with LPD print servers.

CUPS can be administered several ways:


Helpful printing commands:


Task Automation with cron

Cron - The system scheduler


Cron reviews its configuration files every minute to determine if it is supposed to do anything.

-make sure crond is turned on!


/etc/crontab is the primary configuration file from which


Crontab syntax (man 5 crontab)

minute - 0 - 59

hour - 0 - 23

day of month - 1 - 31

month - 1 - 12 (or names)

day of week - 0 - 7 (0 or 7 is Sun, or use names)


/etc/cron.d - This contains system cron scripts that need to run at times other than those specified in /etc/crontab


/var/spool/cron - This contains the system's user crontabs, one file per user


/etc/cron.deny - This file can be used to specify which users cannot have a crontab


Cron Lab

1. Create a cron job for root that lists the available space on the system every Friday at 12:34pm.


# crontab -e

34 12 * * 5 /bin/df -h

-this will get emailed to root from the standard output

-could ">> /var/log/df.log" to redirect output to logs

-or could also create global variable "MAILTO=user@domain.com" at the top


2. Create a cron as a regular user at 3:45am on Sunday, January 2.


# crontab -u rack -e

45 3 2 1 0 ls /tmp


Alert: when both the 3rd (day of month) and 5th (day of week) fields are restricted, cron treats them as alternatives: the job runs when either one matches. The entry above therefore fires on January 2nd and also on every Sunday in January.
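
As an added example that is not part of these notes, here is a small POSIX-sh cron matcher that applies the man 5 crontab rule behind that alert: when both the day-of-month and day-of-week fields are restricted, the entry fires when either one matches. The function names cron_matches and field_matches are my own; fields are numeric only (no month or day names).

```shell
#!/bin/sh
# Added example: evaluate whether a crontab time spec fires at a given minute.
# Implements the man 5 crontab rule: if BOTH day-of-month (field 3) and
# day-of-week (field 5) are restricted (neither is "*"), the job runs when
# EITHER of them matches. Numeric fields only; Sunday may be written 0 or 7.
set -f   # no pathname expansion: cron specs contain '*'

# field_matches SPEC VALUE -> 0 if VALUE satisfies SPEC
# SPEC may be "*", a number, a range (1-5), a list (1,15,30) or a step (*/15, 1-30/5)
field_matches() {
    spec=$1; value=$2
    for item in $(printf '%s' "$spec" | tr ',' ' '); do
        step=1
        case $item in
            */*) step=${item#*/}; item=${item%/*} ;;   # peel off "/step"
        esac
        case $item in
            '*') lo=0; hi=99 ;;                        # any value
            *-*) lo=${item%-*}; hi=${item#*-} ;;      # range
            *)   lo=$item; hi=$item ;;                # single number
        esac
        if [ "$value" -ge "$lo" ] && [ "$value" -le "$hi" ] \
           && [ $(( (value - lo) % step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# cron_matches "MIN HOUR DOM MON DOW" MIN HOUR DOM MON DOW -> 0 if the entry fires
cron_matches() {
    set -- $1 "$2" "$3" "$4" "$5" "$6"    # $1-$5: spec fields, $6-$10: the time being tested
    field_matches "$1" "$6" || return 1   # minute
    field_matches "$2" "$7" || return 1   # hour
    field_matches "$4" "$9" || return 1   # month
    dom_ok=1; dow_ok=1
    if field_matches "$3" "$8"; then dom_ok=0; fi
    dow=${10}
    case $dow in 0) alt=7 ;; 7) alt=0 ;; *) alt=$dow ;; esac
    if field_matches "$5" "$dow" || field_matches "$5" "$alt"; then dow_ok=0; fi
    if [ "$3" != '*' ] && [ "$5" != '*' ]; then
        # both restricted: either one matching is enough. This is why
        # "45 3 2 1 0" fires on January 2nd AND on every Sunday in January.
        if [ $dom_ok -eq 0 ] || [ $dow_ok -eq 0 ]; then return 0; fi
        return 1
    fi
    if [ $dom_ok -eq 0 ] && [ $dow_ok -eq 0 ]; then return 0; fi
    return 1
}

# Demo: the two lab entries against a few times (min hour dom mon dow)
for when in "34 12 7 3 5" "34 12 6 3 4" "45 3 2 1 3" "45 3 9 1 0" "45 3 5 1 3"; do
    for spec in "34 12 * * 5" "45 3 2 1 0"; do
        if cron_matches "$spec" $when; then r=fires; else r=skips; fi
        printf '%-14s at %-14s %s\n' "$spec" "$when" "$r"
    done
done
```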


# crontab -r   -  this will completely remove crontab!!!

# crontab <file>   -  this will overwrite your crontab with the contents of <file>


crontab runs SUID root so regular users can access their crontab files in /var/spool/cron, which are owned by root


# run-parts - runs everything in the directory



Key Log Files

dmesg

/bin/dmesg - The binary /bin/dmesg will print the kernel ring buffer, where almost all hardware and kernel events are logged. This buffer is 16392 bytes by default.

/var/log/dmesg - The log file


/var/log/messages


/var/log/secure - This log file contains messages and errors from security-related systems such as login, tcp_wrappers, and xinetd.


wtmp

/var/log/wtmp - This is a binary log of all successful logins (ssh, console, ftp)


/usr/bin/last - This binary will parse the wtmp log for human readable format


Logrotate

/etc/logrotate.conf - This is the main configuration file.


/etc/logrotate.d/


logrotate -vf /etc/logrotate.conf


example:

/var/log/audit/audit.log {
    # missingok
    create 0600 auditd auditd
    monthly
    rotate 12
    notifempty
    postrotate
        /bin/kill -HUP `cat /var/run/audit.pid 2>/dev/null` 2>/dev/null || true
    endscript
}



Automating Installs with Kickstart

Kickstart is a component of the installer that automates installation.


At install, Anaconda must be told where the desired kickstart configuration file is located. This is done by typing the following at the boot: prompt.


If on floppy:

linux ks=floppy


If image is located on a webserver

linux ks=http://server1/path/to/ks.cfg


Creating Kickstart Images

Once an installation has completed, a kickstart file will be created as /root/anaconda-ks.cfg. This file may be used as a reference if you wish to create your own kickstart image.


Following Sections:


-be sure to comment out partition lines

-"autopart" gives default layout

-on the "clearpart" line you need to add the flag "--initlabel" so it will work on new hard drives

-could use "-firefox" to exclude firefox package from @graphical-internet

-could use "user" function in the anaconda.cfg file

-"key --skip" to skip the installation key


# /usr/sbin/useradd student

# /bin/echo "redhat" | /usr/sbin/passwd --stdin student


Google: kickstart script


linux ks=ftp://server1/ks#.cfg




Section 4 - Managing File Systems


Administering Partitions

# fdisk /dev/hda

# partprobe - to recognize the new partitions

# mkfs - to create file systems


The ext3 file system

Ext3 benefits


Journaling Overview

Deleting a file in Linux requires two steps:


Journaling keeps a journal of the changes that are planned for the file system ahead of time. The journal can then replay the changes in the journal at any time to keep the file system clean.



File System Tools

# fsck - from rc.sysinit; this command will check ext2 and ext3 file systems for inconsistencies and attempt to repair them.

# e2label -  change the label of an ext2/ext3 file system




Fstab

-last 2 fields in /etc/fstab are the dump frequency and the fsck pass order

-need to check grub when updating fstab and labels



The Automounter

the autofs service can be configured to monitor certain directories and automatically mount a file system when a call is made to files in that directory.


When autofs starts, it parses its configuration file /etc/auto.master to determine which directories it should be monitoring. Each directory can then have its own configuration file determining how each file system should be mounted, or the default file /etc/auto.misc can be used.


# man 5 autofs can provide you with sample syntax for these files.


example:

/etc/auto.master

/server1 /etc/auto.server1


/etc/auto.server1

share -ro server1:/var/ftp/pub


-check /etc/sysconfig/autofs for the default config file



Extended File System Attributes

ext2/ext3 support attributes that affect how data can be manipulated

# chattr - change file attributes

# lsattr - list file attributes

Extended attributes can only be set by the root user unless "user_xattr" is set.


# chattr +i some_file - make the file immutable, or unchangeable in any way

# chattr +a some_file - makes the file only appendable

+S - synchronous data writing, or writing the data immediately


# for i in `seq 254`; do touch file$i; done


# lsattr -d .


After 254 files, the file system switched the directory from a linked list (what it starts out with) to a hashed index; compare the lsattr -d . output before and after.



Access Control Lists (ACLs)

ext3 supports access control lists, which allow for more flexible permissions than standard file system permissions.


ACLs can be listed with the getfacl command.


They can be modified with the setfacl command.


To use ACLs, a file system must have the acl mount option.


Use "dumpe2fs -h <block device node>" to see default mount options.


# tune2fs -o acl /dev/sda2

this corresponds to the "Default mount options: user_xattr acl" line in the output of dumpe2fs -h /dev/sda2


# getfacl <file>

# setfacl -m "u:student:rw" <file>


-setting a FACL will place a '+' at the end of permissions string "-rw-rw-r--+  1 root root   0 file"


# setfacl -x "u:student" <file> - to remove the FACLs

# setfacl -b <file> - reset file back to base, no more FACLs at all


-they are not included in backups by default


examples to save with ACLs intact:

# tar --acls

# cp -a

# getfacl file > file.acl

# cp file backup

# setfacl -M file.acl backup

- these can use the '-R' flag to run recursively




(DAY 2)

SELinux


SELinux Overview

Every process or object has an SELinux context:

identity:role:domain/type


SELinux policy controls:

-what identities can use which roles

-what roles can enter which domains

-what domains can access which types


First introduced in RHEL 5. Created by the NSA and included by Linus in the Linux kernel.



SELinux Contexts

Adding the -Z option to several commands will show how they are running in regards to SELinux.


# ps -Z  -  lists the process contexts

# ls -Z  -  lists the file contexts


To change the 


# chcon -R --reference=/dir /dir


-virtual file systems: /proc /sys /selinux


# restorecon -F

-still a few files not corrected: /misc

# service autofs restart   - this will reset the automounts


# getenforce

# setenforce



Controlling SELinux

The tool system-config-securitylevel can be used to configure SELinux.


The file /etc/sysconfig/selinux can be edited to make these changes persistent across reboots.


The command 'getenforce' and 'setenforce'


To change the SELinux mode during boot, you can pass the enforcing=0 option to the kernel in GRUB.


The


# system-config-selinux


# rpm -ql policycoreutils | egrep -w 's?bin'


# getsebool -a


# service setroubleshoot status - this service watches for SELinux alerts

-check /var/log/messages for SELinux messages

# setsebool -P ftp_home_dir=1  -  this is from an alert in /var/log/messages


-checked /var/log/messages, got the following

# sealert -l 3a1bf736-48a6-442a-9e98-98d908ffdd83

# chcon -t httpd_sys_content_t /srv/index.html


# chcon -R --reference index.html /srv




Section 5 - Users and Groups


Files Associated with Users and Groups


/etc/passwd - This file contains the configuration information for local users in the following format:

username : x : UID : GID : GECOS : homedir : shell


/etc/shadow - This file contains the username (which must match an entry in /etc/passwd) and the user's MD5-hashed password.


/etc/group - This file contains the configuration information for local groups in the following format:

groupname : x : GID : secondary users


/etc/gshadow - This file contains a list of groups on the server and their MD5-hashed passwords.
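
To put those formats to use, here is an added example (not from the notes) that audits a constructed /etc/passwd and /etc/shadow pair for the things the entries above imply: a second UID 0 account, a hash left in the passwd password field instead of x, an empty shadow password, and a shadow entry with no matching passwd line. The function audit_accounts and the sample data are my own.

```shell
#!/bin/sh
# Added example: sanity-check /etc/passwd and /etc/shadow against the formats
# described above. Works on copies of the files, so it can run as any user.
# audit_accounts PASSWD_FILE SHADOW_FILE -> prints findings, returns their count (0 = clean)
audit_accounts() {
    passwd_file=$1; shadow_file=$2; findings=0
    # username : x : UID : GID : GECOS : homedir : shell
    while IFS=: read -r user pw uid gid gecos homedir shell; do
        [ -z "$user" ] && continue
        if [ "$pw" != x ]; then
            echo "passwd: $user has '$pw' in the password field; the hash belongs in /etc/shadow"
            findings=$((findings + 1))
        fi
        if [ "$uid" -eq 0 ] && [ "$user" != root ]; then
            echo "passwd: $user has UID 0 (a second root account)"
            findings=$((findings + 1))
        fi
    done < "$passwd_file"
    # username : hash : lastchange : min : max : warn : inactive : expire : reserved
    while IFS=: read -r user hash rest; do
        [ -z "$user" ] && continue
        if ! grep -q "^$user:" "$passwd_file"; then
            echo "shadow: $user has no matching /etc/passwd entry"
            findings=$((findings + 1))
        fi
        case $hash in
            '')     echo "shadow: $user has an empty password field (login with no password)"
                    findings=$((findings + 1)) ;;
            \*|!*)  ;;                      # locked or no-login account
            \$*)    ;;                      # modular-crypt hash, e.g. the $1$ MD5 form RHEL 5 uses
            *)      echo "shadow: $user uses a legacy DES crypt() hash"
                    findings=$((findings + 1)) ;;
        esac
    done < "$shadow_file"
    return $findings
}

# Constructed sample data (not from a real system)
SAMPLE_PASSWD=$(mktemp); SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
student:x:500:500:Student:/home/student:/bin/bash
backup:x:0:0:backup operator:/home/backup:/bin/bash
legacy:$1$salt$notarealhashvalue:501:501::/home/legacy:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$salt$notarealhashvalue:14000:0:99999:7:::
student::14000:0:99999:7:::
backup:$1$salt$notarealhashvalue:14000:0:99999:7:::
legacy:!!:14000:0:99999:7:::
ghost:$1$salt$notarealhashvalue:14000:0:99999:7:::
EOF

rc=0; audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || rc=$?
echo "findings: $rc"
```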



Utilities for Administering Users and Groups

useradd / adduser - This command can be used to add new users to the system.

usermod - 

groupadd - 

groupmod - 

passwd - 

chage - This command can be used to create / edit password aging


UNIX Basics : File Permissions


Special Permissions:


Setuid / suid - Set UserID is used on UNIX systems for tasks that require higher privileges than what a common user has, such as changing passwords and pinging.


Setgid / sgid - Set GID is used to change group-based privileges within a process, like the suid flag does for user based privileges.


Sticky bit - for world-writable directories where only a file's owner can remove their own files



# find / -perm +4000   -   find suid files

# find / -perm +2000   -   find sgid files


# chmod g+s some_dir

-any new files created inside that directory will be created with the directory's group as their group owner


suid = 4000

sgid = 2000



The User Environment


/etc/skel - default template for a newly-added user's home directory


/etc/profile - sets environment variables used by all users


/etc/profile.d - contains scripts specific to certain rpms


/etc/bashrc - contains global aliases and system settings


~/.bashrc - contains user aliases and functions


~/.bash_profile - contains user environment settings and can be set to automatically start programs at 

login


# chmod 3070 work   -   sets the setgid and sticky bits on the directory 'work' so only the owner of a file can remove it



Pluggable Authentication Modules


Applications which are compiled against libpam.so may use PAM's modules to customize how individual applications verify their users. Each application has its own configuration file in /etc/pam.d


The first field of the configuration file indicates the type of module to be used:


cont.


The second field of the configuration file indicates the effect that the module will have on the application:


missed some shit....


Important PAM Modules

pam_unix - Authenticates users by UNIX password

pam_securetty - Only allows root to log in from secure terminals listed in /etc/securetty

pam_nologin - Will not allow any non-root user to login if /etc/nologin exists

pam_time - can be configured to allow/deny access based on the system time.

-Helpful PAM documentation can be found in /usr/share/doc/pam-<version>


# ldd `which su`   -   ldd shows which libraries are linked, prints shared library dependencies


PAM LAB

Using PAM, prevent "mike" from being able to login on virtual console 2. He should still be able to login elsewhere.

Hint: configure the pam_access module


# vi /etc/pam.d/login

add: "account required pam_access.so"


# man pam_access


# vi /etc/security/access.conf

add: "- : mike : tty2"



NIS Client Configuration

NIS Servers can be configured to centrally manage system and account information. These servers can share the contents of /etc/passwd, /etc/shadow, /etc/group, and several other files among any number of clients.


To configure a client, you must install the ypbind and portmap RPMs, and then you can run system-config-authentication. This command will make the proper entries in /etc/sys........MISSED SHIT!


- watch out for SELinux stuff!!! check /var/log/messages


/etc/auto.master

/home/nis /etc/auto.nis


/etc/auto.nis

* -rw server1:/home/nis/&



LDAP Client Configuration

LDAP Servers can also be configured to centrally manage system and account information. LDAP is much more secure than the default NIS configuration, and as such is becoming much more popular.


to configure a client, you must.....MISSED MORE SHIT!!



The Linux Quota System

Quotas are implemented in the kernel on a per-file system basis.


to enable quotas, you must follow these steps:

You can review quotas with either the quota or repquota commands.


Example:

# vi /etc/fstab

add: usrquota


# mount -o remount /       -  do this to remount the running filesystem


# quotacheck -a -m       -   '-m' forces the check without remounting the file system read-only; since it stays in use, the results could differ slightly when complete


# quotacheck -g   -  to create the groups database


# quotaon -a


# edquota -u <user>


1 block = 1 kilobyte


there are a limited number of inodes. all inodes are created when the file system is created. this is why we must limit inode usage: they are a limited resource.


soft limit - is THE limit, but the kernel is lenient and will allow up to the hard limit

hard limit - there is nothing higher than this


# repquota -a   -   to get a report on all user quotas


# setquota   -  not too good, takes in command line options


# edquota -t - option to set the time or grace period, the "high water mark" will become the new hard limit


To test this:

# dd if=/dev/zero of=waste_space


# for i in `seq 205`; do touch file$i ; done





Section 6 - The Red Hat Kernel


Key Kernel Directories

/boot - contains the vmlinuz and initrd required to boot the system

/usr/src/kernels - directory for kernel sources, RHEL 5

/proc - virtual file system for seeing "into" the kernel


The /proc file system

The /proc file system, your window to the kernel



Sysctl

/proc/sys

The values of /proc/sys can be changed while the system is online, but those changes will not persist across reboots. To make permanent configuration changes, one should modify /etc/sysctl.conf.


sysctl

At boot, sysctl is called by /etc/rc.sysinit. Any parameters listed in /etc/sysctl.conf ....... MISSED


# sysctl -a    -   a list of variables


edit /etc/sysctl.conf

add:  fs.file-max = 543555

net.ipv4.icmp_echo_ignore_all = 1       <---->  these translate to paths under /proc/sys, e.g. /proc/sys/net/ipv4/icmp_echo_ignore_all


- check out swappiness



Working with Modules

/etc/modprobe.conf - Specifies how a module will behave when it is loaded and unloaded


depmod -a  -  This can be run at any time to scan through your modules to determine the dependencies for each one. The results of this scan will be written to modules.dep. Once this has been run, any attempt to load or unload a module will first have to pass a dependency check.


modprobe  -  This command can be run to load or unload a module and its dependencies.


lsmod  -  This command will list the currently loaded modules.


-Located: /lib/modules/<kernel version>



Software RAID

Software RAID can be configured, monitored, and modified all with the mdadm command.


To create a RAID array, you can run the following command:

# mdadm -C <RAID dev> -l <LEVEL> -n <# DISKS> <partitions>


To verify the RAID array, you can run the following:

# mdadm --detail <RAID device>

# cat /proc/scsi/scsi






example:

# fdisk /dev/sda

  n            - new partition
  e            - make it an extended partition
  Enter        - accept the default first cylinder
  Enter        - accept the default last cylinder (rest of the disk)
  n            - new partition (logical, inside the extended one)
  Enter        - default first cylinder
  +1G          - size of 1 GB
  n            - another logical partition
  Enter
  +1G
  t            - change a partition's type
  5            - partition number
  L            - for a list of codes
  fd           - Linux raid autodetect
  t
  6
  fd
  p            - to print the partition table
  w            - to write or commit the changes to the drive


# partprobe   -  to inform the system of the partition table changes


# ls /dev/md*


# mdadm -C /dev/md0 -l 1 -n 2 /dev/sda5 /dev/sda6

mdadm: array /dev/md0 started.


# cat /proc/mdstat

Personalities : [raid1]

md0 : active raid1 sda6[1] sda5[0]

  987840 blocks [2/2] [UU]


unused devices: <none>

----

Create a file system on this new RAID array

# mkfs.ext3 /dev/md0


Simulate a faulty drive

# mdadm /dev/md0 -f /dev/sda5

mdadm: set /dev/sda5 faulty in /dev/md0


Check the status of the RAID array, even watch it rebulid itself

# cat /proc/mdstat

Personalities : [raid1]

md0 : active raid1 sda6[1] sda5[2](F)

  987840 blocks [2/1] [_U]


unused devices: <none>

----


# mdadm /dev/md0 -r /dev/sda5

mdadm: hot removed /dev/sda5


# mdadm /dev/md0 -a /dev/sda5

mdadm: re-added /dev/sda5


# watch -n 1 cat /proc/mdstat
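
Since the two /proc/mdstat listings above are exactly what a monitoring check should tell apart, here is an added example (not from the notes) that parses mdstat text and reports arrays whose [working/total] counters disagree, naming the (F) members. The function mdstat_report and the sample files are my own.

```shell
#!/bin/sh
# Added example: report degraded md arrays from /proc/mdstat-style text.
# mdstat_report FILE -> prints one line per array, returns the number of degraded arrays
mdstat_report() {
    awk '
      # "md0 : active raid1 sda6[1] sda5[2](F)" -> remember the array and its failed members
      /^md[0-9]+ :/ {
          dev = $1; failed = ""
          for (i = 5; i <= NF; i++) {
              if ($i == "(F)")            # some listings print the flag as its own word
                  f = $(i - 1)
              else if ($i ~ /\(F\)$/)
                  f = $i
              else
                  continue
              sub(/\[.*/, "", f)          # "sda5[2](F)" -> "sda5"
              failed = failed " " f
          }
          next
      }
      # "  987840 blocks [2/1] [_U]" -> [expected/working]; "_" marks the missing slot
      dev != "" && /blocks/ {
          if (match($0, "\\[[0-9]+/[0-9]+\\]")) {
              split(substr($0, RSTART + 1, RLENGTH - 2), n, "/")
              if (n[1] != n[2]) {
                  degraded++
                  printf "%s DEGRADED %s of %s members up, failed:%s\n", dev, n[2], n[1], failed
              } else {
                  printf "%s ok\n", dev
              }
          }
          dev = ""
      }
      END { exit degraded + 0 }
    ' "$1"
}

# Constructed samples modelled on the two listings above (healthy, then after -f /dev/sda5)
MDSTAT_OK=$(mktemp); MDSTAT_BAD=$(mktemp)
cat > "$MDSTAT_OK" <<'EOF'
Personalities : [raid1]
md0 : active raid1 sda6[1] sda5[0]
      987840 blocks [2/2] [UU]

unused devices: <none>
EOF
cat > "$MDSTAT_BAD" <<'EOF'
Personalities : [raid1]
md0 : active raid1 sda6[1] sda5[2](F)
      987840 blocks [2/1] [_U]

unused devices: <none>
EOF

for f in "$MDSTAT_OK" "$MDSTAT_BAD"; do
    rc=0; mdstat_report "$f" || rc=$?
    echo "degraded arrays: $rc"
done
```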



Software RAID Lab:

Create a RAID-5 array on your machine, consisting of 4 partitions each 512MB in size, one of which should be reserved for use as a hot spare.


Format this array with ext3 and mount it with support for user quotas so that it will persist across reboots.


# fdisk /dev/sda


Do this to find the major and minor numbers; here they are 9 and 0.

# ls -l /dev/md0

brw-r----- 1 root disk 9, 0 Aug 12 14:14 /dev/md0


# mknod /dev/md1 b 9 1


# mdadm -C /dev/md1 -l 5 -n 3 -x 1 /dev/sda5 /dev/sda6 ...   -   list all 4 partitions: 3 active members (-n 3) plus 1 spare (-x 1)


-OR-


Passing --auto=yes to mdadm -C will create the device file for you, so the mknod step is not needed.

Can add the spare after already created. Will just be added as "spare".

# mdadm /dev/md1 -a /dev/sda10



# cat /proc/mdstat

.....output



Logical Volume Management

Key Terms


|----FS----|                                  (file system on top)
|----LV----||----LV---||----LV----|          (logical volumes carved from the VG)
|----------------VG-----------------|        (volume group)
|-------PV-------||-------PV-------|         (physical volumes: partitions or disks)
---------------------------------------
Device Mapper



Creating Logical Volumes



example:

# pvcreate /dev/sda11

# vgcreate "rhce_demo" /dev/sda11

# vgdisplay - need to get the "Total PE" or total physical extents to use on the next command (478)

# lvcreate -l 478 -n "MyLV" rhce_demo

# mkfs.ext3 /dev/rhce_demo/MyLV

# mkdir /mnt/LVM

# mount /dev/rhce_demo/MyLV /mnt/LVM


-The device mapper is a feature of the kernel, an API, used to build on to manage hard drive space in Linux.


# man dmsetup


Adding a disk to the LVM

# fdisk /dev/sda    to create another partition

# pvcreate /dev/sda12

# pvdisplay

# vgextend rhce_demo /dev/sda12

# pvdisplay

# vgdisplay  -      vg has grown in size and in extents

# lvdisplay    -     lv still has not grown

# lvextend -L +500M /dev/rhce_demo/MyLV

# lvdisplay   -     lv has now grown, but the file system still has not grown (df -h)


# while sleep 1 ; do echo data >> file ; done &


# resize2fs /dev/rhce_demo/MyLV

# df -h    -   the file system has grown to the max size, finally


To create a snapshot

# modprobe dm-snapshot

# lvcreate -l 116 -n "lv-snap" -s /dev/rhce_demo/MyLV

# lvdisplay

# mkdir /mnt/snap

# mount /dev/rhce_demo/lv-snap /mnt/snap

# df -h


-this can be used to create a snapshot and then fsck that snapshot to see if there are any errors


# tune2fs -C 0 -T now /dev/rhce_demo/MyLV


-"extents" are little chunks of hard drive space



Resizing Logical Volume

some 

more

stuff


LVM Lab

Add logical volume management on top of your raid array. Use half the available space for a logical volume formatted with ext3 and mounted persistently across reboots. Take a snapshot of this logical volume and check the file system for errors. Assuming none are found, reset the counter for days and mounts until a check is forced on the original filesystem.


# pvcreate /dev/md1

# vgcreate "lvm_lab" /dev/md1

# vgdisplay

# lvcreate -L 500M -n "lvmOnRaid" lvm_lab

# mkfs.ext3 /dev/lvm_lab/lvmOnRaid

# mkdir /mnt/lvm_on_raid

# lvcreate -l 100 -n "lv_raid_snap" -s /dev/lvm_lab/lvmOnRaid

# lvdisplay

# fsck /dev/lvm_lab/lv_raid_snap

# tune2fs -C 0 -T now /dev/lvm_lab/lvmOnRaid




Section 7 - RPM and YUM


Red Hat Linux : RPM

The RPM Package Manager

An RPM is a collection of files required for a program. These files include binaries, configuration files, documentation, and instructions on where and how each of those files should be installed.


The RPM Database


more....


RPM Query Options

Below are just a few examples of the types of queries you can run against the RPM database.


RPM Verify Options


RPM Verify Output


Installing RPMs

The general form of an rpm install command is:

# rpm -i <package>


Upgrading RPMs

# rpm -U <package>


Freshening RPMs

# rpm -F <package>


Technique for extracting package contents:

# cd /temp/dir

# rpm2cpio /path/to/package | cpio -i --make-directories --no-absolute-filenames --preserve-modification-time


YUM

Originally the "YellowDog Update Manager", this meta-package-manager can resolve dependencies and retrieve packages over the network.


# yum <action> (<package>)


Repositories of packages must be listed in files in the /etc/yum.repos.d directory with names ending in .repo and having a format like:


[label-for-repo]

name = descriptive text

baseurl = protocol://path/to/directory/of/packages


Access to the Red Hat Network, including any Satellite Servers, is implemented through a plugin to the yum tool itself, and not as a repository definition in the above format. RHN is still configured in the /etc/sysconfig/rhn/up2date as in RHEL 4.


example of /etc/yum.repos.d/server1.repo:

[server1]

name = server 1 repo

baseurl = file:///net/server1/var/ftp/pub/Server

gpgcheck = 0


To protect sensitive, customized, or locally installed packages from being updated or overwritten by yum, add them in a space separated list to the "exclude" variable in the /etc/yum.conf file. This variable supports shell-style wild-cards, and is the yum equivalent to the "skip list" in up2date.


/etc/yum.conf

exclude = *[mM][yY][sS][qQ][lL]*


# yum shell

> info httpd

> remove nmap



YUM Lab Exercise

  1. Install the "createrepo" package
  2. Download the OpenOffice archive from server1
  3. Extract all of its RPMs to somewhere logical on your machine
  4. Turn that directory into a yum repository
  5. Add that repository to your yum configuration
  6. Install the "openoffice.org-writer" package, and/or any others


# yum install createrepo


# tar -zxvf openoffice.org-packages


# createrepo /path/to/the/rpms


/etc/yum.repos.d/server1.repo

[myrepo]

name = my stuff

baseurl = file:///var/pub/rpms    # or an http://localhost URL if the directory is served by a web server

gpgcheck = 0



(Day 3)

Section 9 - Xorg


Xorg Overview

RHEL 5 comes with 6.9


Xorg has been designed as a flexible and powerful client/server-based system.



Functionality of the Xorg server is enhanced via the use of modules.



Configuring Xorg


For initial configuration of Xorg, you can use the command system-config-display. This can be run with the --noui and --reconfig options.


/etc/X11/xorg.conf


/etc/X11/prefdm


/etc/sysconfig/desktop

DISPLAYMANAGER="KDE"


Making Xorg Pretty


---- RHCE STUFF STARTS HERE ----




Section 8 - Network Sharing Services


NFS

NFS, or the Network File System, is used to share data with other servers.


For this service to work properly, the portmap and nfs-utils rpms must be installed and the portmap and nfs services must be running.


The command rpcinfo can be run to confirm this:


# rpcinfo


MISSED SHIT!



NFS (continued)

/etc/exports should be configured as follows:

<shared directory> <who>(<how>)


exportfs -r refreshes the server share list

exportfs -a exports all shares in /etc/exports

exportfs -u un-exports a share name (or all shares with -a)

showmount -e server1 shows all of the shares on server1


NFS mounts can be made persistent across reboots by adding the following to /etc/fstab:

server1:/var/ftp/pub /mnt/pub nfs defaults 0 0


netfs may be used to mount network file systems that are configured to be mounted in fstab


/etc/exports

/usr/share/doc 192.168.0.9(rw) 192.168.0.0/24(ro)


# service nfs restart

# chkconfig nfs on <------ DON'T FORGET THIS!


# showmount -e localhost


# man exports


options:

async - replies to requests before any changes are committed to disk, much faster

sync - safer, in the event of power failure the data is more likely safe. replies to requests only after the changes have been committed to stable storage

root_squash - maps the client's root (UID 0) to the anonymous user instead of trusting it as root

all_squash - maps every client UID to the anonymous user, so nobody keeps their original UID


by default, the option "root_squash" is enabled to prevent users from being identified as UID 0 or root.
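
The "who(how)" format above has a classic pitfall: a space before the parenthesis turns the options into a separate entry that applies to every host. As an added example that is not part of the notes, here is a checker for /etc/exports lines that flags that mistake plus the options this page warns about (a bare * client, no_root_squash, async). The function check_exports and the sample file are my own.

```shell
#!/bin/sh
# Added example: review /etc/exports lines for risky patterns.
# check_exports FILE -> prints one finding per line, returns the number of findings (0 = clean)
check_exports() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        set -f; set -- $line; set +f     # split on whitespace without globbing '*'
        [ $# -eq 0 ] && continue
        dir=$1; shift
        for tok in "$@"; do
            case $tok in
                \(*\))
                    # "(ro)" with nothing in front: exportfs treats the options as belonging
                    # to a separate "*" client, so the directory is exported to every host
                    echo "$dir: options '$tok' are detached from their client -> applies to ALL hosts; remove the space before '('"
                    findings=$((findings + 1)) ;;
                \*|\*\(*\))
                    echo "$dir: wildcard client '$tok' exports to any host"
                    findings=$((findings + 1)) ;;
            esac
            case $tok in *no_root_squash*)
                echo "$dir: '$tok' lets remote root act as UID 0 on the server (root_squash is the default for a reason)"
                findings=$((findings + 1)) ;;
            esac
            case $tok in *\(*async*\)*)
                echo "$dir: '$tok' uses async; the server acknowledges writes before they reach disk"
                findings=$((findings + 1)) ;;
            esac
        done
    done < "$1"
    return $findings
}

# Constructed sample: two safe lines and two with problems
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# lab exports (constructed)
/srv 192.168.0.43(ro)
/usr/share/doc 192.168.0.9(rw) 192.168.0.0/24(ro)
/home 192.168.0.43 (rw,no_root_squash)
/var/ftp/pub *(ro,async)
EOF

rc=0; check_exports "$SAMPLE_EXPORTS" || rc=$?
echo "findings: $rc"
```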



NFS Lab

Share your /srv directory with your neighbor. Only grant them read-only access to that directory.


Mount the NFS share from your neighbor, and add it to your fstab.


add to /etc/exports:

/srv 192.168.0.43(ro)

# service nfs restart

# mount 192.168.0.11:/srv /mnt/nfs_share

add to /etc/fstab:

192.168.0.11:/srv /mnt/nfs_share nfs defaults 0 0


# service portmap status

# service netfs status



VSFTPd

the Very Secure FTP daemon


As of RHEL 3, VSFTPd is now the default ftp server, and it is no longer managed by xinetd - it is its own service.


The primary configuration file is /etc/vsftpd/vsftpd.conf.


Provides two levels of user access:


Individual users can be denied by placing their names in /etc/vsftpd/ftpusers.


-to chroot just a few users, then leave 'chroot_list_enable=NO' and just place these users in chroot_list


# man vsftpd.conf


-need to review 'userlist_enable' and 'chroot_local_user' with the corresponding list file


VSFTPd Lab

Configure VSFTPd to only allow the user mike to ftp to your server. Make sure that mike is chrooted to his home directory upon login.


the file /etc/vsftpd/ftpusers - users not allowed to log in at all!


# cat /etc/pam.d/vsftpd   -   pam_listfile.so   file=/etc/vsftpd/ftpusers



SAMBA Overview

SAMBA is an open source implementation of Windows networking protocols. With SAMBA, it is possible to:


SAMBA provides the following services in Linux:


SAMBA Configuration

The following four packages must be installed for SAMBA to work as desired:


For SAMBA to work properly, the following services must be running:


The main configuration file for SAMBA is /etc/samba/smb.conf


This file is VERY well commented and has examples for just about anything that you need to do.


Once you have made a configuration change, you can test it with the testparm command.


SAMBA Users

To have a SAMBA user, that user must first be created in /etc/passwd


The command smbpasswd -a can then be used to add a user to /etc/samba/smbpasswd for SAMBA authentication.


To see the SAMBA share a user has access to, you can use the smbclient as follows:

# smbclient -L <server> -U <user>%<passwd>


To mount a share, you can use the UNC path with the mount.cifs command (the replacement for the older smbmount):

# mount.cifs //server/share /mount/point -o username=<user>


To configure this mount to happen at boot, add the following to fstab:

//server/share /mount/point cifs credentials=/etc/samba/pub.cred 0 0

(where /etc/samba/pub.cred is a file that only root can read which contains usernames and passwords)


SAMBA Lab

Configure SAMBA to share your /srv directory only to one neighbor who must log in with the SAMBA username of mike.


Make this share read-only for the SAMBA user mike.


Mount the share from your neighbor. Configure it to mount automatically at boot time. Use a credentials file to store the account information securely.


add to /etc/samba/smb.conf:

[srv]

    path = /srv

    valid users = mike

    public = no

    writable = no

    hosts allow = 192.168.0.11


# smbpasswd -a mike


# man mount.cifs
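
Added example (mine, not from the course notes): an sh check for the credentials file that the fstab line above points at. mount.cifs reads username= and password= lines from it, and the whole point of using it is that nobody but its owner can read the password, so the check looks at both the mode bits and the contents. The sample file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the course notes: check that a CIFS credentials
# file like the /etc/samba/pub.cred in the fstab line above is complete and
# not readable by group or others. The sample file is constructed here.

# check_cred_file FILE -> prints "ok" or the first problem found; always exits 0
check_cred_file() {
    f=$1
    if [ ! -f "$f" ]; then echo "missing: $f"; return 0; fi
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
    case "$mode" in
        600|400) ;;
        *) echo "mode $mode: group/other can read the password"; return 0 ;;
    esac
    if ! grep -q '^username=' "$f"; then echo "no username= line"; return 0; fi
    if ! grep -q '^password=' "$f"; then echo "no password= line"; return 0; fi
    echo ok
}

# Constructed demonstration: the same file before and after chmod 600.
cred=$(mktemp)
printf 'username=mike\npassword=constructed-example-secret\n' > "$cred"
chmod 644 "$cred"; echo "644: $(check_cred_file "$cred")"
chmod 600 "$cred"; echo "600: $(check_cred_file "$cred")"
rm -f "$cred"
```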



X.x Web Services


Apache Configuration Files


/etc/httpd/conf/httpd.conf   -   the main configuration file

/etc/httpd/conf.d/   -   this directory holds config files specific to Apache modules


Configuring a VirtualHost in Apache


<VirtualHost addr>  // addr can be an IP address, a hostname, *, or _default_ (optionally with :port)

  ServerName

  ServerAlias

  DocumentRoot

  CustomLog /path/to/access_log combined

  ErrorLog /path/to/error_log

</VirtualHost>


The NameVirtualHost directive is used to specify an IP that can host multiple websites.

-if DocumentRoot is left out, the virtual host inherits the DocumentRoot of the main server configuration



Apache Lab 1

Configure two websites on your server.


wwwX.example.com should be served from /var/www/html and should also respond to requests for wwwX.


vhostX.example.com should be served from /home/mike/html and should also respond to requests for vhostX.


Both should be listening on your primary ip address, but wwwX.example.com should be default site.


<VirtualHost 192.168.0.12:80>

ServerName www12.example.com

ServerAlias www12

DocumentRoot /var/www/html

</VirtualHost>


# ldd `which httpd` | grep selinux

libselinux.so.1 => /lib/libselinux.so.1 (0x0099e1000)



Securing Apache

Apache allows for host-based access control on a per-Directory or per-File basis. There is support for statements of the form:


allow from <host | network | ALL>

deny from <host | network | ALL>


These can be applied in the given order:


Apache Lab, continued

This site (/var/www/html) should be accessible to everyone except for the person sitting to your left.


<Directory /var/www/html>

  allow from 192.168.0.0/24

  deny from 192.168.0.13

  order allow,deny

</Directory>


This site should only be accessible to the person sitting to your right.


<Directory /home/mike/html>

  allow from 192.168.0.11

  deny from 192.168.0.0/24

  order deny,allow

</Directory>


Both should be listening on your primary ip address, but wwwX.example.com should be default site


-from a denied host this gives an HTTP 403 Forbidden, which can be seen with:

# curl -i vhost16
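
Added example (mine, not from the course notes): an sh evaluator for Apache 2.2 host access control (allow from / deny from / order), so the two Directory blocks above can be checked for any client address without a second machine. It only handles the address forms the notes use (a single address, a.b.c.d/bits, and all); the probes at the bottom use the lab's own addresses.

```shell
#!/bin/sh
# Added example, not part of the course notes: evaluate Apache 2.2 host
# access control (allow from / deny from / order) for one client address,
# so the two Directory blocks above can be checked without a second
# machine. Handles the address forms the notes use: a single address,
# a.b.c.d/bits, and "all".

ip2int() { set -- $(printf '%s' "$1" | tr . ' '); echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# ip_matches IP PATTERN -> success if PATTERN (all, a.b.c.d or a.b.c.d/bits) covers IP
ip_matches() {
    case "$2" in
        all|ALL) return 0 ;;
        */*) bits=${2#*/}; ipn=$(ip2int "$1"); netn=$(ip2int "${2%/*}")
             [ $(( ipn >> (32 - bits) )) -eq $(( netn >> (32 - bits) )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# in_any IP PATTERN... -> success if any pattern covers IP
in_any() { cand=$1; shift; for p in "$@"; do ip_matches "$cand" "$p" && return 0; done; return 1; }

# apache_access ORDER "ALLOW PATTERNS" "DENY PATTERNS" IP -> allowed | denied
#   order allow,deny: denied unless an allow matches, and a matching deny then overrides
#   order deny,allow: allowed unless a deny matches, and a matching allow then overrides
apache_access() {
    order=$1; allow=$2; deny=$3; client=$4
    a=no; d=no
    in_any "$client" $allow && a=yes
    in_any "$client" $deny && d=yes
    case "$order" in
        allow,deny) if [ $a = yes ] && [ $d = no ]; then echo allowed; else echo denied; fi ;;
        deny,allow) if [ $d = yes ] && [ $a = no ]; then echo denied; else echo allowed; fi ;;
        *)          echo "unknown order: $order" ;;
    esac
}

# The lab's two Directory blocks, probed from the left (.13) and right (.11) neighbours
echo "/var/www/html   from .13: $(apache_access allow,deny 192.168.0.0/24 192.168.0.13 192.168.0.13)"
echo "/var/www/html   from .11: $(apache_access allow,deny 192.168.0.0/24 192.168.0.13 192.168.0.11)"
echo "/home/mike/html from .11: $(apache_access deny,allow 192.168.0.11 192.168.0.0/24 192.168.0.11)"
echo "/home/mike/html from .13: $(apache_access deny,allow 192.168.0.11 192.168.0.0/24 192.168.0.13)"
# Same lists, wrong keyword: .11 matches both lists, and under allow,deny the deny wins
echo "/home/mike/html from .11 under allow,deny: $(apache_access allow,deny 192.168.0.11 192.168.0.0/24 192.168.0.11)"
# A host outside 192.168.0.0/24 matches neither list, and deny,allow lets it in
echo "/home/mike/html from 10.0.0.5: $(apache_access deny,allow 192.168.0.11 192.168.0.0/24 10.0.0.5)"
```

The last probe is the caveat worth remembering: with order deny,allow only the denied network is shut out, so a host outside 192.168.0.0/24 still gets in. If the second site really must be reachable only from the right-hand neighbour, the deny line has to be "deny from all".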



Squid Overview

Squid is designed to cache internet objects and can act as a proxy server for HTTP, FTP, and many other types of requests.


The configuration file for Squid is /etc/squid/squid.conf


Key Squid Configuration Settings include:


http_port 3128 # the port Squid listens on (3128 by default)

visible_hostname # the hostname that Squid may broadcast


acl mynet src 192.168.0.0/255.255.255.0 # identifies 192.168.0.0/24 as mynet

acl mynet src 192.168.1.0/255.255.255.0 # identifies 192.168.1.0/24 as mynet


http_access allow mynet # mynet allowed to use Squid

http_access deny yournet # yournet denied access to Squid


Squid Lab

Configure your server to offer Squid proxy service to the person sitting on your right, but not the person sitting on your left.


This service should listen on port 8080.


to test:

# curl -x 192.168.0.12:8080 www.yahoo.com


-Look for the comment "INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS" in squid.conf; your http_access lines go there, above the default 'http_access deny all', because the first matching rule wins





Section 13 --  Miscellaneous Services


xinetd

Xinetd is the extended internet services daemon.


This service acts as a super daemon by listening on key ports for certain types of requests. When a request is received, xinetd starts the appropriate service and then hands off the request so that it can be handled correctly.


Xinetd is configured in /etc/xinetd.conf, the services that it controls are configured in /etc/xinetd.d/.


-cps is the connections-per-second limit, e.g. 'cps = 20 30': at most 20 new connections per second; if that is exceeded the service is disabled for 30 seconds


# chkconfig chargen-stream off


-Check out the Jargon File


socket_type =


Misc. Services LAB

Configure an anonymous rsync service to share the contents of your /srv directory.


add a file /etc/rsyncd.conf:

[srv]

path = /srv

comment = srv stuff


# chkconfig rsync on

# rsync -av localhost::srv /tmp


CTRL + R on the command line to reverse search the history



OpenSSH



in /etc/ssh/sshd_config

PermitRootLogin without-password    -    for private key authentication


# man sshd_config


If users can not login via SSH then consider the following:



Creating a Public Key for Authentication

# ssh-keygen -t dsa

# scp .ssh/id_dsa.pub student@localhost:tmp-key



Misc. Services LAB

Configure your box to allow both the 'root' and 'student' users to login locally, but not over ssh.
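
Added example (mine, not from the course notes): an sh script that reads an sshd_config and reports whether a user may log in over SSH, applying DenyUsers, AllowUsers and PermitRootLogin in the order sshd_config(5) gives them (the first value of a keyword wins). The configuration it writes for this lab, PermitRootLogin no plus DenyUsers root student, is my constructed answer, not one given in the notes.

```shell
#!/bin/sh
# Added example, not part of the course notes: read an sshd_config and report
# whether a user may log in over SSH, applying DenyUsers, AllowUsers and
# PermitRootLogin in the order sshd_config(5) gives them (first value of a
# keyword wins). The configuration used for the lab (root and student can log
# in locally but not over ssh) is constructed below; it is one possible
# answer, not one given in the notes.

# sshd_get CONF KEYWORD -> the keyword's value; keywords are case-insensitive
sshd_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# in_words NAME "LIST" -> success if NAME is one of the words in LIST
in_words() { for w in $2; do [ "$w" = "$1" ] && return 0; done; return 1; }

# ssh_login CONF USER -> allowed | key-only | denied (reason)
ssh_login() {
    sc=$1; u=$2
    if in_words "$u" "$(sshd_get "$sc" DenyUsers)"; then echo "denied (DenyUsers)"; return 0; fi
    allow=$(sshd_get "$sc" AllowUsers)
    if [ -n "$allow" ] && ! in_words "$u" "$allow"; then echo "denied (not in AllowUsers)"; return 0; fi
    if [ "$u" = root ]; then
        case "$(sshd_get "$sc" PermitRootLogin)" in
            no)               echo "denied (PermitRootLogin no)"; return 0 ;;
            without-password) echo "key-only"; return 0 ;;
        esac
    fi
    echo allowed
}

sconf=$(mktemp)
cat > "$sconf" <<'EOF'
# constructed sshd_config fragment for the lab
Protocol 2
PermitRootLogin no
DenyUsers root student
EOF
for u in root student mike; do printf '%-8s %s\n' "$u" "$(ssh_login "$sconf" "$u")"; done
rm -f "$sconf"
```

DenyUsers alone already keeps both accounts off ssh; PermitRootLogin no is kept as well so root stays out even if someone later edits the DenyUsers line. Local console logins are untouched because sshd never sees them.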










(Day 4)

Section 11 - BIND


Bind Overview

BIND is the Berkeley Internet Name Domain.


On RHEL 5, this service is chrooted into /var/named/chroot for security.


The configuration file for BIND is /var/named/chroot/etc/named.conf


This configuration file contains a section for global settings, and a section for zone file settings.


-BIND itself sees just /etc/named.conf, because it runs inside the chroot

-symbolic link /etc/named.conf -> /var/named/chroot/etc/named.conf



BIND Configuration

/var/named/chroot/etc/named.conf Global Settings


acl "mynet" { 192.168.0.0/24 ;};

options {

  directory "/var/named";

  forwarders { 192.168.0.254 ;};

  allow-query { mynet; };

  allow-transfer { mynet; };

};


acl - defines a named set of hosts/networks (similar to a Squid acl)

directory - base directory for named; zone file names are relative to it

forwarders - where to send queries this server cannot answer itself

allow-query - defines the hosts that may query this server

allow-transfer - defines the hosts that may copy the zone database (zone transfers)



BIND Zone Configuration

To configure a new domain,


zone "mike.com" IN {

 type master;

 file "mike.com.zone";

};


For a slave configuration:


zone "mike.com" IN {

 type slave;

 file "slave.mike.com.zone";

 masters {

192.168.2.254;

 };

};



BIND Forward Zone File

A typical zone file would usually include items such as:


$TTL 600

mike.com. IN SOA  ns.rackspace.com. michael\.roberts.rackspace.com. (

2007080101 ; Serial

10800 ; Refresh 3 hours

3600 ; Retry 1 hour

604800 ; Expire 1 week

86400 ); Minimum 24 hours

IN A 192.168.0.1

IN NS ns.rackspace.com.

www IN A 192.168.0.1

web IN CNAME www.somewhereelse.com.

@ IN MX 10 www.mike.com.




BIND Reverse Zone Configuration

Should you need to configure a reverse zone outside of our network, you may do so first by adding the following to named.conf:


zone "2.168.192.in-addr.arpa" IN {

type master;

file "mike.com.reverse.zone";

allow-update { none; };

};



BIND Reverse Zone File

The following record will then need to be created as /var/named/chroot/var/named/mike.com.reverse.zone:


$TTL 600

2.168.192.in-addr.arpa. IN SOA ns.rackspace.com. hostmaster.rackspace.com. (

2008 serials and stuff.....

8966

7878


IN NS ns.ra

1 IN PTR www.example.com.



Setting this up from Scratch

# yum install caching-nameserver.i386  -  this for example config files


# cd /usr/share/doc/bind-9.3.3/sample/var/named/  -  for more zone file examples


-Split Horizon DNS is where a name server can give different responses depending on the network the request is coming from.


# nslookup

# host <ip>  -  reverse lookup

# host 192.168.0.254 server  -  sends the query to the name server given as the second argument (here 'server')

# dig

# dig +short  -  only reports a short answer

# dig +trace  -  a recursive lookup from the root nameservers

# dig @server1.example.com station16.example.com


# named-checkconf

# named-checkzone  

# echo $?



BIND Lab

Configure your machine to act as the authoritative nameserver for a "demoX.example.com" domain and a "rhceX.example.com" domain, where X is your station number.


For both domains, configure these records:

All of the following should resolve to your IP address:

"www", "mail", "ns"

"web" should resolve to "www"

"mail" should be listed as the primary MTA for the domain

"ns" should be listed as the DNS server for the domain


Also configure your machine to respond to reverse DNS lookups, so that your own IP address will resolve to "www.rhceX.example.com"



# cd /var/named/chroot/etc


# vi named.conf

options

{

directory "/var/named";

allow-query { 127.0.0.1; 192.168.0.0/24; };

};


zone "demo12.example.com" IN {

 type master;

 file "demo12.example.com.zone";

};


zone "rhce12.example.com" IN {

 type master;

 file "rhce12.example.com.zone";

};

-------------------


#  cp /usr/share/doc/bind-9.3.3/sample/var/named/localdomain.zone ./demo.zone


- because of "glue records" we know of these "chicken and egg" situations where a DNS server is serving for itself :)


------------------------------------------------------my-example-----------------------------------------------------------

$TTL 600

demo12.example.com. IN SOA  ns.demo12.example.com. eric\.hernandez.rackspace.com. (

                2007081402      ; Serial

                10800           ; Refresh 3 hours

                3600            ; Retry 1 hour

                604800          ; Expire 1 week

                86400           ); Minimum 24 hours

        IN      A       192.168.0.12

        IN      NS      ns

www     IN      A       192.168.0.12

ns      IN      A       192.168.0.12

mail    IN      A       192.168.0.12

web     IN      CNAME   www

@       IN      MX      10 mail


-----------------------------------------------------end-example------------------------------------------------------------


-------------a more generic example---------------


$TTL    86400

@               IN SOA  station12.example.com. root (

                                2008081401              ; serial (d. adams)

                                        3H              ; refresh

                                        15M             ; retry

                                        1W              ; expiry

                                        1D )            ; minimum


www             IN A            192.168.0.12

mail            IN A            192.168.0.12

ns              IN A            192.168.0.12

web             IN CNAME        www

@               IN MX           50 mail

@               IN NS           ns

@               IN A            192.168.0.12


-----------END a more generic example-------------


-now we can use this one zone file for every zone shaped like this, because it never spells out the zone name (FQDN): @ and the relative names are filled in from the zone statement in named.conf

-check the permissions on the zone files, need to be either world readable or owned by 'named'


# named-checkzone -D rhce12.example.com demo.zone  -  to check the zone file

# named-checkconf /var/named/chroot/etc/named.conf 



# host web.demo12.example.com localhost

Using domain server:

Name: localhost

Address: 127.0.0.1#53

Aliases: 


web.demo12.example.com is an alias for www.demo12.example.com.

www.demo12.example.com has address 192.168.0.12

-------------


Now, the reverse entries:

# vi /var/named/chroot/etc/named.conf

zone "0.168.192.in-addr.arpa" IN {

 type master;

 file "0.168.192.in-addr.arpa.zone";

 allow-update { none; };

};


# vi 0.168.192.in-addr.arpa.zone

$TTL    86400

@               IN SOA  station12.example.com. root (

                                2008081401              ; serial (d. adams)

                                        3H              ; refresh

                                        15M             ; retry

                                        1W              ; expiry

                                        1D )            ; minimum


@               IN NS           ns.rhce12.example.com.

12              IN PTR          www.rhce12.example.com.

-----------------

To test this reverse PTR record:

# host 192.168.0.12 localhost

# dig @192.168.0.12 -x 192.168.0.12


-check /etc/sysconfig/named

-check to be sure we have the rpm package "bind-chroot"
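
Added example (mine, not from the course notes): two sh helpers for the bookkeeping that goes wrong most often in this section. reverse_zone turns an address and prefix length into the in-addr.arpa zone name and the PTR owner label, the pair that has to agree between named.conf and the zone file (the notes show only the /24 case; this one also handles /8 and /16). next_serial bumps a YYYYMMDDnn serial the way the zone files above are numbered, without ever letting it go backwards. The sample values are the lab's own 192.168.0.12 and its serial.

```shell
#!/bin/sh
# Added example, not part of the course notes: two helpers for the
# bookkeeping that trips people up in this section. reverse_zone turns an
# address and prefix length (8, 16 or 24) into the in-addr.arpa zone name and
# the PTR owner label, which have to agree between named.conf and the zone
# file; next_serial bumps a YYYYMMDDnn serial the way the zone files above
# are numbered. The sample values are the lab's own 192.168.0.12.

# reverse_zone A.B.C.D BITS -> "ZONE OWNER", e.g. "0.168.192.in-addr.arpa 12"
reverse_zone() {
    set -- $(printf '%s' "$1" | tr . ' ') "$2"
    case "$5" in
        8)  echo "$1.in-addr.arpa $4.$3.$2" ;;
        16) echo "$2.$1.in-addr.arpa $4.$3" ;;
        24) echo "$3.$2.$1.in-addr.arpa $4" ;;
        *)  echo "unsupported prefix length: $5" ;;
    esac
}

# next_serial CURRENT [TODAY as YYYYMMDD] -> the serial for the next edit:
# TODAY01 when CURRENT is older than today, otherwise CURRENT + 1 (a serial
# must only ever grow, or slaves will not pick up the change)
next_serial() {
    today=${2:-$(date +%Y%m%d)}
    if [ "$1" -lt "${today}00" ]; then echo "${today}01"; else echo $(( $1 + 1 )); fi
}

# Demonstration with the lab's address and the serial used in its zone file
echo "/24: $(reverse_zone 192.168.0.12 24)"      # 0.168.192.in-addr.arpa 12
echo "/16: $(reverse_zone 192.168.0.12 16)"      # 168.192.in-addr.arpa 12.0
echo "next serial after 2008081401 on 2008-08-15: $(next_serial 2008081401 20080815)"   # 2008081501
echo "next serial after 2008081401 on 2008-08-14: $(next_serial 2008081401 20080814)"   # 2008081402
```

named-checkzone, as above, remains the real check of the file; these helpers only produce the two values people most often get wrong before running it.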


-------------------------

-------new module--------

-------------------------


Section 12 - Email Services


Sendmail Overview

What is sendmail?


MUA versus MTA


# mutt - a great mail user agent (MUA)



Sendmail Configuration

-/etc/mail/sendmail.cf

Sendmail's main config


-/etc/mail/sendmail.mc

make changes here



-be sure to have the rpm package 'sendmail-cf'


# ls -lrt  -  listed in reverse order based on time stamp


# m4 < sendmail.mc > sendmail.cf   -   'service sendmail restart' does this for you


/etc/mail/local-host-names

- domains that sendmail is responsible for


To test sending an email message:

# echo this is a test messages | mail mike@rhce12.example.com


Ctrl + D = end of input


Telnet Test:

# telnet localhost 25

HELO localhost

MAIL FROM: <root@station12.example.com>

RCPT TO: <>

DATA

subject: this is the subject

from: root@domainl.com

my message

.

250 2.0.0 m7EGV0ov014932 Message accepted for delivery

-"250" response code for a success

-could check mail log for "m7EGV0ov014932"

quit


-can check mail, mbox file, at /var/spool/mail  'mike' file



Virtusertable

/etc/mail/virtusertable - can be used to map accounts to different users

sales@rhce12.example.com mike

sales@demo12.example.com easye.h@gmail.com


# makemap hash virtusertable < virtusertable


for a catch all:

@demo12.example.com spam


/etc/aliases  -  to alias a user to another user; has 2 extra features:

- first, 'spam: /dev/null' to have mail routed to nowhere

- second, you can specify groups: 'rstops: mike,stuard,marisa'


# newaliases - to update the changes made in /etc/aliases


# sendmail -bv mike@rhce12.example.com

mike@rhce12.example.com... deliverable: mailer local, user mike



Alternatives

Alternatives can be used when many packages provide the same service.


The executable that the sendmail init script invokes is really just a symbolic link to another symlink in the /etc/alternatives directory. For example take a look at /usr/sbin/sendmail. What type of file is it? Where does it link to?


# alternatives --display mta

# alternatives --config mta

# alternatives --set mta


# setenforce 0

# getenforce

Permissive


# yum install postfix

# setenforce 1


-still need to stop sendmail after running alternatives




Postfix

-------

Postfix was designed from the ground up to be a replacement for Sendmail.


The Postfix group has the following goals for their product:

-It should be more efficient than Sendmail.

-be more secure than Sendmail.

-be easier to administer than Sendmail.

-be 100% Sendmail compatible.

To accomplish these goals, Postfix is made up of many individual programs which each handle a particular aspect of mail transfer, all controlled by the 'master' daemon.



Configuring Postfix

-------------------

Postfix's configuration file is /etc/postfix/main.cf


The directives in this file can be changed manually, or postconf -e can be run to apply them from the command line. 

-postconf -e "myorigin = redhat.com"

-postconf -e "mydestination = redhat.com"

-postconf -e "mynetworks = 192.168.0.0/24, 127.0.0.1"

-postconf -e "inet_interfaces = all"


-postconf -n  -  can then be called to check your configuration for errors before restarting the service.



edit /etc/postfix/main.cf:

-inet_interfaces = all

-mydestination = $myhostname, localhost.$mydomain, localhost, rhce12.example.com, hash:/etc/postfix/mydomains


# service postfix restart

# vi /etc/postfix/mydomains

rhce12.example.com OK

demo12.example.com OK


# postmap mydomains


to verify:

# ls -lrt   -  to see mydomains.db file created last


# echo this is a postfix messagse | mail -s "postfix rocks" student@rhce12.example.com


-Postfix stores messages in mbox format in /var/spool/mail/<user>


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[root@station12 postfix]# cat /var/spool/mail/student 

From root@station12.example.com  Thu Aug 14 11:57:47 2008

Return-Path: <root@station12.example.com>

Received: from station12.example.com (localhost.localdomain [127.0.0.1])

        by station12.example.com (8.13.8/8.13.8) with ESMTP id m7EGvlAu015126

        for <rstops@rhce12.example.com>; Thu, 14 Aug 2008 11:57:47 -0500

Received: (from root@localhost)

        by station12.example.com (8.13.8/8.13.8/Submit) id m7EGvlbM015125

        for rstops@rhce12.example.com; Thu, 14 Aug 2008 11:57:47 -0500

Date: Thu, 14 Aug 2008 11:57:47 -0500

From: root <root@station12.example.com>

Message-Id: <200808141657.m7EGvlbM015125@station12.example.com>

To: rstops@rhce12.example.com


Hi Team


From root@station12.example.com  Thu Aug 14 13:44:14 2008

Return-Path: <root@station12.example.com>

X-Original-To: student@rhce12.example.com

Delivered-To: student@rhce12.example.com

Received: by station12.example.com (Postfix, from userid 0)

        id E639A19889B; Thu, 14 Aug 2008 13:44:14 -0500 (CDT)

To: student@rhce12.example.com

Subject: postfix rocks

Message-Id: <20080814184414.E639A19889B@station12.example.com>

Date: Thu, 14 Aug 2008 13:44:14 -0500 (CDT)

From: root@station12.example.com (root)


this is a postfix messagse



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Virtual Tables in Postfix

-------------------------

# vi virtual  -  to see help on setting this up

# postconf -e "virtual_alias_maps = hash:/etc/postfix/virtual"


-add to /etc/postfix/virtual:

sales@rhce12.example.com        marisa

sales@demo12.example.com        mike,stuart,marisa

@rhce12.example.com /dev/null


# postmap virtual

# ls -lrt


-Postfix does support the use of the /etc/aliases file
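
Added example (mine, not from the course notes): an sh resolver that follows an incoming address through the two lookups from the Sendmail section, virtusertable first and then /etc/aliases, and reports where the mail finally lands (a local mailbox, /dev/null, or another domain). The same walk applies to the Postfix virtual table just above, whose right-hand side may be a comma-separated list, which the resolver accepts too. The tables and the list of local domains (local-host-names, or mydestination in Postfix) are constructed from the entries in the notes.

```shell
#!/bin/sh
# Added example, not part of the course notes: follow an incoming address
# through the two lookups from the Sendmail section, virtusertable and then
# /etc/aliases, and report where the mail finally lands. The same walk
# applies to Postfix's virtual_alias_maps above, whose right-hand side may be
# a comma-separated list, which this resolver accepts too. Tables and the
# list of local domains (local-host-names / mydestination) are constructed.

# table_get FILE KEY -> the right-hand side of the first line whose first field is KEY
table_get() { awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"; }

# virtual_lookup ADDR VIRT -> the rewrite for ADDR: its exact entry, else
# the @domain catch-all, else ADDR unchanged
virtual_lookup() {
    hit=$(table_get "$2" "$1")
    if [ -z "$hit" ]; then hit=$(table_get "$2" "@${1#*@}"); fi
    if [ -n "$hit" ]; then echo "$hit"; else echo "$1"; fi
}

# is_local_domain DOMAIN "DOMAIN LIST" -> success if DOMAIN is one we accept mail for
is_local_domain() { for ld in $2; do [ "$ld" = "$1" ] && return 0; done; return 1; }

# expand_local NAME ALIASES DEPTH -> one final destination per line:
# "mailbox:<user>", "discard" for /dev/null, "remote:<addr>" for another domain
expand_local() {
    if [ "$3" -gt 10 ]; then echo "loop:$1"; return 0; fi
    case "$1" in
        /dev/null) echo discard; return 0 ;;
        *@*)       echo "remote:$1"; return 0 ;;
    esac
    targets=$(table_get "$2" "$1:")          # aliases(5) keys carry a trailing colon
    if [ -z "$targets" ]; then echo "mailbox:$1"; return 0; fi
    for t in $(printf '%s' "$targets" | tr , ' '); do
        expand_local "$t" "$2" $(( $3 + 1 ))
    done
}

# deliver ADDR VIRT ALIASES "LOCAL DOMAINS" -> final destinations, space separated
deliver() {
    out=""
    for r in $(printf '%s' "$(virtual_lookup "$1" "$2")" | tr , ' '); do
        case "$r" in
            *@*) if is_local_domain "${r#*@}" "$4"; then r=${r%@*}; fi ;;
        esac
        for dest in $(expand_local "$r" "$3" 0); do out="$out $dest"; done
    done
    echo $out
}

# Constructed tables using the entries from the notes
md=$(mktemp -d)
printf 'sales@rhce12.example.com mike\nsales@demo12.example.com easye.h@gmail.com\n@demo12.example.com spam\n' > "$md/virtusertable"
printf 'spam: /dev/null\nrstops: mike,stuart,marisa\n' > "$md/aliases"
for addr in sales@rhce12.example.com sales@demo12.example.com anybody@demo12.example.com rstops@rhce12.example.com; do
    printf '%-28s -> %s\n' "$addr" "$(deliver "$addr" "$md/virtusertable" "$md/aliases" "rhce12.example.com demo12.example.com")"
done
rm -r "$md"
```

Two things the walk makes visible: the @domain catch-all only applies when no exact entry matched, and an alias that resolves to /dev/null really does drop the message, so a catch-all pointed at such an alias silently discards every unknown address in that domain.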




Dovecot and mutt

----------------

Dovecot is the default POP/IMAP server for RHEL 5.


the configuration file is /etc/dovecot.conf


Usually, the only changes that need to be made are the enabling of the desired protocols.


mutt is a full-featured MUA for your terminal. You can use it to test pop3s and imaps:

# mutt -f protocol://server



Email Lab

---------

Configure Postfix to receive mail for stationX.example.com, and store user mailboxes in Maildir format.


When mail is received for rstops@stationX.example.com, that mail should be forwarded to the users mike and stuart.


Configure dovecot to serve user Maildirs on both imap and pop3. Generate a new key and self signed certificate for use with ssl encrypted imaps and pop3s and then enable those protocols to use it.


Test your secure mail server with mutt.


# cd /etc/pki/tls/certs

# make-dummy-cert


# postfix stop/start


pem = privacy enhanced mail


# mv server.pem /etc


in /etc/dovecot.conf:

protocols = imap imaps pop3 pop3s

ssl_cert_file = /etc/server.pem

ssl_key_file = /etc/server.pem

mail_location = ~/Maildir


#  mutt -f imap://station12.example.com





Section 14 - Securing Services


tcpwrappers

/etc/hosts.allow

/etc/hosts.deny

<daemon>: <client>

sshd: 192.168.2.200


1. first, hosts.allow

2. then, hosts.deny

3. finally, allow the rest


To determine if an application is compiled with support for tcp_wrappers, you can run the following steps:

1. Determine which binary the application runs as

# which sendmail

/usr/bin/sendmail

2. Check for libwrap support in the binary. If you see 'libwrap' support in the output, then you can configure access to the service with tcp_wrappers.

# ldd /usr/sbin/sendmail | grep wrap

libwrap.so.0 => /usr/lib/libwrap.so.0 (0x890324)


# vi /etc/hosts.deny

vsftpd: 127.0.0.0/255.255.255.0 EXCEPT 127.0.0.1


"mostly closed configuration" = sshd: ALL except 1.2.3.4


-Services that use tcp_wrappers: sshd, xinetd, vsftpd, portmap, sendmail


# man hosts.allow/hosts.deny
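
Added example (mine, not from the course notes): an sh script that replays the tcp_wrappers decision, hosts.allow first, then hosts.deny, otherwise allow, for a daemon and client address. It handles the client forms used in the notes (ALL, an exact address, a net/mask pair and EXCEPT) plus the trailing-dot prefix form from hosts_access(5), such as 192.168.0.; hostname patterns are not handled. Both control files are constructed from the lines above.

```shell
#!/bin/sh
# Added example, not part of the course notes: replay the tcp_wrappers
# decision (hosts.allow first, then hosts.deny, otherwise allow) for a daemon
# and client address, with the client forms these notes use: ALL, an exact
# address, a net/mask pair and EXCEPT, plus the trailing-dot prefix form
# (192.168.0.) from hosts_access(5). Both control files are constructed here.

ip2int() { set -- $(printf '%s' "$1" | tr . ' '); echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# host_matches IP PATTERN -> success if one client pattern covers IP
host_matches() {
    case "$2" in
        ALL) return 0 ;;
        */*) netn=$(ip2int "${2%/*}"); maskn=$(ip2int "${2#*/}")
             [ $(( $(ip2int "$1") & maskn )) -eq $(( netn & maskn )) ] ;;
        *.)  case "$1" in "$2"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# list_matches IP PATTERN... [EXCEPT PATTERN...] -> success if IP is in the
# first list and not in the list after EXCEPT
list_matches() {
    cand=$1; shift
    incl=""; excl=""; side=incl
    for w in "$@"; do
        case "$w" in
            EXCEPT) side=excl ;;
            *) if [ $side = incl ]; then incl="$incl $w"; else excl="$excl $w"; fi ;;
        esac
    done
    hit=no
    for w in $incl; do host_matches "$cand" "$w" && hit=yes; done
    [ $hit = yes ] || return 1
    for w in $excl; do host_matches "$cand" "$w" && return 1; done
    return 0
}

# file_matches FILE DAEMON IP -> success if a "daemon_list : client_list" line in FILE applies
file_matches() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        dlist=${line%%:*}; clist=${line#*:}
        dhit=no
        for dmn in $(printf '%s' "$dlist" | tr , ' '); do
            if [ "$dmn" = ALL ] || [ "$dmn" = "$2" ]; then dhit=yes; fi
        done
        [ $dhit = yes ] || continue
        list_matches "$3" $(printf '%s' "$clist" | tr , ' ') && return 0
    done < "$1"
    return 1
}

# wrap_decide ALLOW_FILE DENY_FILE DAEMON IP -> allow:hosts.allow | deny:hosts.deny | allow:default
wrap_decide() {
    if file_matches "$1" "$3" "$4"; then echo "allow:hosts.allow"
    elif file_matches "$2" "$3" "$4"; then echo "deny:hosts.deny"
    else echo "allow:default"; fi
}

# Constructed control files using the lines from the notes
wd=$(mktemp -d)
printf 'sshd: 192.168.2.200\n' > "$wd/hosts.allow"
printf 'vsftpd: 127.0.0.0/255.255.255.0 EXCEPT 127.0.0.1\nsshd: ALL EXCEPT 1.2.3.4\n' > "$wd/hosts.deny"
for probe in "sshd 192.168.2.200" "sshd 1.2.3.4" "sshd 10.9.8.7" "vsftpd 127.0.0.1" "vsftpd 127.0.0.9" "vsftpd 192.168.0.5"; do
    set -- $probe
    printf '%-7s %-15s -> %s\n' "$1" "$2" "$(wrap_decide "$wd/hosts.allow" "$wd/hosts.deny" "$1" "$2")"
done
rm -r "$wd"
```

The "mostly closed" pattern from the notes shows up in the output: sshd from 1.2.3.4 falls through both files and is allowed by default, every other address hits the ALL EXCEPT line in hosts.deny, and an explicit hosts.allow entry wins before hosts.deny is even read.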




IPTables Chains

---------------

IPTables works at the kernel level (since kernel 2.4). The "filter" table has the following chains:

- INPUT is responsible for filtering traffic destined for the local system.

- OUTPUT for handling traffic after it has left the sending process.

- FORWARD for controlling traffic routed between interfaces.


NAT, MANGLE tables


IPTables Configuration files

----------------------------

# iptables -L  -  displays the tables

# iptables-save  -  displays the rules in the same format to feed into IPTables


IPTables parses the file /etc/sysconfig/iptables for last minute configurations before......



IPTables Matching Policies

---------------------------

The iptables configuration is parsed from top to bottom.

IPTABLES will respond based on the first match that it finds.

If there is no specific match, the chain policy will apply.



IPTables Targets

----------------

IPTables uses targets to determine what action will be taken if traffic matches an existing rule. The basic targets are:


DROP - will drop the packet and send no information to the sender.

REJECT - will send a connection refused notice back to the sender.

ACCEPT - will allow the connection.

LOG - will log the connection attempt.


*on the exam use reject instead of drop, as we would normally.


Syntax

------

in /etc/sysconfig/iptables

-A INPUT -s 192.168.2.100 -j REJECT


# /sbin/iptables -A INPUT -s 192.168.2.100 -j REJECT


can match:

incoming interface (-i)

protocol (-p)

source ip address (-s)

destination ip address (-d)

destination port (--dport)



Helpful commands

----------------

iptables -L

iptables-save

iptables -D INPUT 3  -  To delete rule by line number.

iptables -D INPUT <rule>  -  To delete rule by "rule"

iptables -F  -  This command will flush the iptables rule set.


-m state --state ESTABLISHED, RELATED  ---  this is so the server can respond


# iptables-save > /etc/sysconfig/iptables

OR

# service iptables save


examples:

 1208  iptables -A INPUT -s 192.168.0.12 -p tcp --dport 21 -j ACCEPT

 1200  iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j REJECT



# service iptables panic

# iptables -P INPUT ACCEPT



Network Security LAB

--------------------

Configure your mail server NOT to accept connections from the 192.168.1.0/24 network, EXCEPT for the 192.168.1.2 host.


Dovecot ports = 993, 995, 110, 143

port 587 = submission port

port 24 = SMTP


# iptables -A INPUT -s 192.168.1.2 -p tcp --dport 25 -j ACCEPT

# iptables -A INPUT -s 192.168.1.2 -p tcp --dport 993 -j ACCEPT

# iptables -A INPUT -s 192.168.1.2 -p tcp --dport 995 -j ACCEPT

# iptables -A INPUT -s 192.168.1.2 -p tcp --dport 110 -j ACCEPT

# iptables -A INPUT -s 192.168.1.2 -p tcp --dport 143 -j ACCEPT


# iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 25 -j DROP

...and the rest to deny all those ports from above.


-m mport --dports 25,993,995,110,143
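
Added example (mine, not from the course notes): an sh first-match evaluator for INPUT rules written in iptables-save syntax, to show why the ACCEPT for 192.168.1.2 must come before the REJECT for 192.168.1.0/24. It models a new inbound connection only, so a --state ESTABLISHED,RELATED rule never matches, and it understands just the matches the lab uses (-s, -p, --dport, -m multiport --dports, -j) plus the chain policy. The rule sets are constructed; I have written the port list with -m multiport, the module name as shipped in iptables, rather than the "mport" spelling in the note above.

```shell
#!/bin/sh
# Added example, not part of the course notes: a first-match evaluator for INPUT
# rules in iptables-save syntax, to show why the ACCEPT for 192.168.1.2 has
# to come before the REJECT for 192.168.1.0/24. It models a new inbound
# connection only, so a "--state ESTABLISHED,RELATED" rule never matches,
# and it understands just the matches the lab uses: -s, -p, --dport,
# -m multiport --dports, and -j. Both rule sets below are constructed.

ip2int() { set -- $(printf '%s' "$1" | tr . ' '); echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# in_cidr IP NET/BITS|IP -> success if IP lies inside the network
in_cidr() {
    case "$2" in
        */*) bits=${2#*/}
             [ $(( $(ip2int "$1") >> (32 - bits) )) -eq $(( $(ip2int "${2%/*}") >> (32 - bits) )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# rule_matches "RULE" SRC PROTO DPORT -> success if every match in RULE applies;
# leaves the rule's target in $rtarget
rule_matches() {
    pkt_src=$2; pkt_proto=$3; pkt_port=$4
    rsrc=""; rproto=""; rports=""; rtarget=""
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -s)                rsrc=$2; shift ;;
            -p)                rproto=$2; shift ;;
            --dport|--dports)  rports=$2; shift ;;
            -j)                rtarget=$2; shift ;;
            --state)           return 1 ;;   # a new connection is never ESTABLISHED/RELATED
        esac
        shift
    done
    if [ -n "$rsrc" ] && ! in_cidr "$pkt_src" "$rsrc"; then return 1; fi
    if [ -n "$rproto" ] && [ "$rproto" != "$pkt_proto" ]; then return 1; fi
    if [ -n "$rports" ]; then
        case ",$rports," in *,"$pkt_port",*) ;; *) return 1 ;; esac
    fi
    return 0
}

# input_verdict SRC PROTO DPORT  (rules on stdin) -> target of the first
# matching INPUT rule, or the chain policy when nothing matches
input_verdict() {
    src=$1; proto=$2; port=$3; policy=ACCEPT
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT "*) set -- $line; policy=$3 ;;
            "-A INPUT "*) if rule_matches "$line" "$src" "$proto" "$port"; then echo "$rtarget"; return 0; fi ;;
        esac
    done
    echo "$policy"
}

# lab_rules right|wrong -> the lab's rule set; "wrong" puts the network REJECT
# ahead of the host ACCEPT
lab_rules() {
    accept='-A INPUT -s 192.168.1.2 -p tcp -m multiport --dports 25,110,143,993,995 -j ACCEPT'
    reject='-A INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 25,110,143,993,995 -j REJECT'
    echo '-P INPUT ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    if [ "$1" = right ]; then echo "$accept"; echo "$reject"; else echo "$reject"; echo "$accept"; fi
}

for order in right wrong; do
    printf '%-5s order: 192.168.1.2 -> %-6s 192.168.1.50 -> %s\n' "$order" \
        "$(lab_rules $order | input_verdict 192.168.1.2 tcp 25)" \
        "$(lab_rules $order | input_verdict 192.168.1.50 tcp 25)"
done
```

With the rules in the wrong order the excepted host 192.168.1.2 is rejected by the /24 rule before its own ACCEPT is ever reached; the same evaluator also shows that a port not covered by any rule (ssh on 22, say) falls through to the chain policy, which is why the policy matters as much as the rules.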


