Session 1

RHCE
Red Hat Certified Engineer
M. A. Agheli
1

History Of UNIX & Linux

1957: Bell Labs found they needed an operating system which at the time was running various batch jobs. 1965: Bell Labs create Multics (Multiplexed Information and Computing Service) 1969: Summer 1969 UNIX was developed by AT&T 1975: Sixth edition of UNIX released May 1975 1985: GNU project started 1991: Linux is introduced by Linus Benedict Torvalds who was a second year student of Computer Science at the University of Helsinki 1993: NetBSD & FreeBSD released 1994: Red Hat Linux is introduced
2

From: torvalds@klaava.Helsinki.FI (Linus Benedict Torvalds) Newsgroups: comp.os.minix Subject: What would you like to see most in minix? Summary: small poll for my new operating system Message-ID: <1991Aug25.205708.9541@klaava.Helsinki.FI> Date: 25 Aug 91 20:57:08 GMT Organization: University of Helsinki Hello everybody out there using minix I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones. This has been brewing since april, and is starting to get ready. I'd like any feedback on things people like/dislike in minix, as my OS resembles it somewhat (same physical layout of the file-system (due to practical reasons) among other things). I've currently ported bash(1.08) and gcc(1.40),and things seem to work.This implies that I'll get something practical within a few months, andI'd like to know what features most people would want.a Any suggestions are welcome, but I won't promise I'll implement them :-) Linus (torvalds@kruuna.helsinki.fi) PS. Yes - it's free of any minix code, and it has a multi-threaded fs. It is NOT protable (uses 386 task switching etc), and it probably never will support anything other than AT-harddisks, as that's all I have :-(.
3

First Article About Linux

GNU & GPL

GNU Project:
Focused on creating a Unix like operating systemthat could be freely distributed

GPL:
Global Public license(Copyleft)
4

Major Linux Distributors

Caldera Linux Corel Linux Debian Linux Kondara Linux Red Hat Linux

Mandrake Linux Slackware Linux SuSE Linux Turbo Linux Vector Linux

The Advantage of Linux

Low purchase cost Open Source Software (OSS) UNIX heritage Multi User Scalability Vendor support Reliable uptime Security Logging System

The Disadvantage of Linux

Steep

learning curve Hardware support End-user applications

A Comparison Of Win 9x, NT, and Linux

Feature
Scalability Desktop App. Support Enterprise App. Support Hardware Support Licensing Cost Network Performance Security

Win 9x
Poor Excellent None Excellent Good Good Poor

Win NT
Good Good Good Good Poor Good Good

Linux
Good Good Good Good Excellent Excellent Good
8

Linux Filesystem Hierarchy

/bin /boot /dev Essential Binary Files Boot Loader Files Device Files

/etc
/home /lib /mnt /proc

Configuration Files
User Home Directories Shared Libraries and Kernel Modules Mount Point for Temporarily Mounted FS System Information Virtual File System

/root
/sbin /tmp /usr /var

root User Home Directory

Essential System Binaries Temporary Files Shareable Files Non-Shareable Files
9

Session 2

RHCE
Red Hat Certified Engineer
M. A. Agheli
10

Installing Linux

Hardware Requirements Harddisk Partitioning Boot Loader Install Packages X Configuration

11

Overview of the Installation Process

1.

Starting the installation process

Installation Mode Language Keyboard Mouse

2. 3. 4. 5.

Partitioning Boot Loader Installation Network Configuration Setting the time zone

12

Overview of the Installation Process

5. 6. 7.

8.
9. 10. 11.

Firewall Configuration Specifying authentication options (optional) Specifying user accounts Selecting packages Installing packages Creating a boot disk Configuration the X Windows system (optional)
13

Installing Linux:
Console 1 2 3 4 5 7

Consoles & Message Logs

Contents

Keystrokes Ctrl+Alt+F1 Ctrl+Alt+F2 Ctrl+Alt+F3 Ctrl+Alt+F4 Ctrl+Alt+F5 Ctrl+Alt+F7

Text-based installation procedure Shell prompt Messages from installation program Kernel messages Other messages, including file system creation messages Graphical installation procedure
14

Configuring InstallTime Options after Installation

kbdconfig authconfig

mouseconfig
timeconfig sndconfig netconfig

ntsysv
setup redhat-config-

15

Session 3

RHCE
Red Hat Certified Engineer
M. A. Agheli
16

SHELL

bash (Bourne Again Shell)

ash tcsh
SHELL

sach mc
PS1 PS2

Some of Important BASH Variables

PATH

PS1, PS2 Switches

\u , \h , \W , \d , \t , \s , \$ , $
17

Some of Linux Commands(1)

echo cat

man tac

help cp

info mv

ls rm

cd
clear exit

touch
alias reboot

pwd
less halt

mkdir
date

rmdir
logout

18

Session 4

RHCE
Red Hat Certified Engineer
M. A. Agheli
19

 TAB key Features Review Pages & Commands

Quoting in BASH: value value

BASH

`value`
| 0 1 2
20

Redirection Operators:
> stdin stdout stderr >> << <

Standard Input & Standard Output:

Important Command Forms

cmd cmd & (fg, ctrl+z, bg) cmd1 ; cmd2 (cmd1 ; cmd2) cmd1 `cmd2` cmd1 | cmd2 cmd1 && cmd2 cmd1 || cmd2 { cmd1 ; cmd2 }

21

Linux File Types

Normal Directories Hard link Symbolic link Socket Named pipe Character device Block device d l s p c b
Shortcut to a file or directory Pass data between 2 process Like sockets, user cant work directly with Processes character hw communication Major & minor numbers for controling dev.
22

Normal file Normal directory

Bash Special Variables

$# $? $$ $! $@
Specifies number of arguments given to the command
Returns value of the last program to be used Processes number of the current shell Processes number of the last child process Specifies individually quoted arguments

$*
$n $0

Specifies all arguments quoted as whole

Specifies positional argument value, where n is the position Specifies name of the current shell
23

Some of Linux Commands(2)

Process

Text Streams Commands output

sort, cut, head, tail, split, wc, uniq, grep

Redirecting

tee
Create,

Monitor & Kill Processes Process Priority (renice)

24

ps, pstree, top, kill, killall

Modify

Session 5

RHCE
Red Hat Certified Engineer
M. A. Agheli
25

Some of Linux Commands(3)

Create

Partitions and Filesystem the Integrity of Filesystem Mounting & Umounting

fdisk, mke2fs, mkfs.*

Maintain

e2fsck, fsck.*, du, df

Filesystem

mount, umount, /etc/fstab

26

Some of Linux Commands(4)

Use

File Permissions

chmod, chown, chgrp, su

Create

Hard & Symbolic Links (ln) Find System Files (find, locate, which) Using Emergency & Single User Mode
27

vi Powerful Text Editor

Insert

Mode
Mode

Insert Text

dd Delete n+dd (Delete)

yy n+yy (Copy) p P / w v (Visual) q wq = x

Normal

(paste) (Paste) (Search) q! (Text Selection) r s///

28

Command

Mode

Session 6

RHCE
Red Hat Certified Engineer
M. A. Agheli
29

Run Levels
Run Levels 0 1 Definition This runlevel halts the system This runlevel sets single-user mode

2
3 4 5 6

Multiuser mode without networking

Multiuser mode with networking Not used X-based log in This runlevel reboot the system

init & chkconfig Commands

/etc/inittab
/etc/rc.d/init.d & /etc/rc[0123456].d/
30

Configuring Boot loader

LILO
Edit

/etc/lilo.conf & execute lilo command

/boot/grub/grub.conf

GRUB
Edit

31

Administrative Tasks
Manage Users, Groups & Related Files
useradd, userdel, groupadd, groupdel, passwd, vipw, vigr /etc/passwd, /etc/shadow, /etc/skel, /etc/profile,

Configure and use system log files

/etc/syslog.conf, /etc/logrotate.conf

Scheduling Jobs (at & crontab commands) Backup & Restore Tools
tar, bzip2, gzip
32

Session 7

RHCE
Red Hat Certified Engineer
M. A. Agheli
33

Linux Installation and Package Management

Make and Install Programs from Source RPM (Redhat Package Manager)

34

Kernel
About

Kernel and Loadable Modules Manage Kernel Modules at Runtime (/etc/modules.conf) Reconfigure, Build and Install a Custom Kernel
35

Session 8

RHCE
Red Hat Certified Engineer
M. A. Agheli
37

Shell Scripts
#

Comments #! Special Comments Assign a Value

x=y x=${y} x=$y x=${y}es x=$yes x=$y x=\$y export x,y,z export x=$y
38

 Control
read

Constructs

Shell Scripts

command test command ( [ ] ) if ; then ; else ; fi case ...; in pattern) ;; esac while ; do ; done until ; do ; done

x in ; do ; done break, continue, exit (for, while, until)

for

39

Session 9

RHCE
Red Hat Certified Engineer
M. A. Agheli
40

Installing and Configuring X

41

Basic X Concepts

X Client X Server X Protocol

42

Basic X Concepts

X Window Manager X Desktop Manager

X Display Manager
43

Installing X
1.

Determine the proper X server Install the proper packages

2.

44

X Server Selection

XFree86-*

Installation the Packages

freetype gtk+ XFree86-libs XFree86-75dpi-fonts redhat-config-xfree86

XFree86-xfs XFree86-xdm XFree86-twm XFree86-tools xinitrc

45

Configuring X

redhat-config-xfree86 xvidtune

46

Important X Directories & Files

/usr/X11R6/bin /etc/X11 /etc/X11/XF86Config

47

Configure and Use PPP

redhat-config-network-tui Command in Text Mode Modem Configuration Files kppp Command in X window

48

Session 10

RHCE
Red Hat Certified Engineer
M. A. Agheli
49

Network Basics
IP (network & host portion)
192.168.168.1 :

11000000.10101000.10101000.00000001
Dynamic IP

Static IP

Netmask Address
11111111.11111111.11111111.00000000

255.255.255.0 :

Network Address
11000000.10101000.10101000.00000000

192.168.168.0 :

Broadcast Address
50

192.168.168.255 : 11000000.10101000.10101000.11111111

Classfull Addressing System

Network Classes
Class A 1.0.0.0-126.0.0.0 Class B 128.0.0.0-191.0.0.0 Class C 192.0.0.0-223.0.0.0

(8 bits) (16 bits) (24 bits)

Reserved IP
127.0.0.0-127.255.255.255 224.0.0.0-239.255.255.255 240.0.0.0-255.255.255.255

(Loop back Addr.) (Multicast Protocols) (do not used)

Public & Private Networks (Valid & Invalid IPes)

10.0.0.0-10.255.255.255 172.16.0.0-172.31.255.255 192.168.0.0-192.168.255.255

51

Classless Addressing System (Subnet)

Net. Addr.: 192.168.168.0 = 11000000.10101000.10101000.00000000 Netmasks: 255.255.255.0 (*/24) : 11111111.11111111.11111111.00000000 255.255.255.128 (*/25) : 11111111.11111111.11111111.10000000

255.255.255.192 (*/26) : 11111111.11111111.11111111.11000000

255.255.255.224 (*/27) : 11111111.11111111.11111111.11100000 255.255.255.240 (*/28) : 11111111.11111111.11111111.11110000

255.255.255.248 (*/29) : 11111111.11111111.11111111.11111000

255.255.255.252 (*/30) : 11111111.11111111.11111111.11111100 255.255.255.254 (*/31) : 11111111.11111111.11111111.11111110
52

TCP/IP Model (1)

Application Protocols

Transport Protocols Internet Protocols Network Access Protocols

53

TCP/IP Model (2)

Network Access Protocols

All functions necessary to access the physical network

Internet Protocols

IP (Internet Protocol Connectionless) ICMP (Internet Control Message Protocol)

54

TCP/IP Model (3)

Transport Protocols

TCP (Transmission Control Protocol)

Connection-based

UDP (User Datagram Protocol)

Connectionless

Application Protocols

Previlage Ports (0-1023) /etc/services

55

Types of TCP/IP Services

Stand-alone

xinetd

(and its config)

56

Related TCP/IP Commands

ps x netstat -ap --inet | grep LISTEN

Controlling TCP/IP Daemons

Start the daemon Stop the daemon Restart the daemon Status the daemon
57

Session 11

RHCE
Red Hat Certified Engineer
M. A. Agheli
58

Configuration Network

Initializing Network Hardware

Load related module

Network Configuration Tools

netconfig redhat-config-network

59

Configuration Network

Other Network Tools

ifconfig ping traceroute netstat

tcpdump nmap tethereal iptraff

60

Configuration Network

Network Configuration Files

/etc/hosts /etc/host.conf /etc/services /etc/resolv.conf /etc/sysconfig/network /etc/sysconfig/network-scripts/*

61

IP Aliasing

Session 12

RHCE
Red Hat Certified Engineer
M. A. Agheli
62

DHCP

Advantage & disadvantage of DHCP DHCP Server Configuration

/etc/dhcpd.conf /var/lib/dhcp/dhcpd.leases netconfig command

DHCP Client Configuration

63

An Example of dhcpd.conf
ddns-update-style ad-hoc; subnet 192.168.0.0 netmask 255.255.255.0 { range 192.168.0.1 192.168.0.25; option routers 192.168.0.1; option subnet-mask 255.255.255.0; option domain-name "domain.com"; option domain-name-servers 192.168.1.1; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host dns1 { hardware ethernet 12:34:56:78:AB:CD; fixed-address 192.168.0.20; } }
64

dhcpd.leases Format
lease 192.168.1.8 { starts 3 2004/04/12 09:34:12 ends 6 2004/07/15 23:49:57 hardware ethernet 00:09:e6:88:0a:05 } ...

65

NFS

Related Daemons

rpc.nfsd rpc.portmap rpc.mountd

nfs-utils portmap
66

Installation

2004Agust

NFS Configuration

Server Side

Edit /etc/exports file PATH host_lists(options) Run exportfs r command redhat-config-nfs Command
mount t nfs server:PATH Mountpoint Edit /etc/fstab file server:PATH M.P. nfs ro 0

Client Side

0
67

SAMBA (1)

Related Services

smbd nmbd
samba samba-common samba-client
68

Related Packages

SAMBA (2)

Server Configuration

Global Directives Service Directives smbmount //server/share /m.p. smbclient //server/share

Client Configuration

Configuration with SWAT

69

Session 13

RHCE
Red Hat Certified Engineer
M. A. Agheli
70

TCP/IP Services
Client
Server

Process
Process
2. Client binds to port 3. Client connects to server

1. server binds to port and listens

Port
4. Server designates port

Port
5. Client and server communicate

Port
71

Remote Login

Telnet

Server & Client Server & Client

72

SSH

The Apache Web Server

Modules

mod_auth mod_info mod_php mod_include mod_perl mod_ssl

73

Installation Apache

rpm Uvh httpd-[^d]*.rpm

rpm Uvh httpd-devel*.rpm

(for support apache modules)

74

Basic Configuration

httpd.conf

Section 1:

The Global Environment The Main Configuration The Virtual Host Configuration
75

Section 2:

Section 3:

Apache Advanced Configuration

Authentication in Apache Configure with PHP Configure with SSL Configure Virtual Host
76

Authentication in Apache

Create /etc/httpd/.htpasswd file Configuring httpd.conf file

<Location /dir_name> AuthType Basic AuthName NAME AuthUserFile .htpasswd Require valid-user </Location>
77

Configure Apache with PHP

rpm Uvh php-4*.rpm

Configure Apache with SSL

rpm Uvh mod_ssl*.rpm

78

Configure Virtual Host

Configuring /etc/hosts file Configuring httpd.conf file

<VirtualHost 127.0.0.2> ServerAdmin webmaster@vh.com DocumentRoot /var/www/html/vh/ ServerName www.vh.com </VirtualHost>

79

Apache Administration
Start Stop Restart Reload Status

80

Troubleshooting the Apache

/var/log/messages /var/log/httpd/ /usr/sbin/httpd S

(for virtual host)

81

Securing Your Network

Using lokkit or redhat-configsecuritylevel Command Password & Physical Security Securing TCP/IP Using Tripwire Keeping Up-to-Date on Linux Security Issues
82

Session 14

RHCE
Red Hat Certified Engineer
M. A. Agheli
83

FTP

Installation
rpm ivh vsftp*.rpm Config File /etc/vsftpd/vsftpd.conf

Access Levels

Anonymouse Access (anonymouse_enable) User Access (tcp_wrappers needs)

84

Cache Server (Squid)

Install squid

rpm ivh squid*.rpm

Managing squid
start,

stop, restart, status, reload

85

Squid Log Files

/var/log/squid/access.log (cache_access_log) /var/log/squid/cache.log (cache_log)

/var/log/squid/store.log (cache_store_log)
86

An Example of squid.conf
http_port 8081 cache_effective_user squid cache_effective_group squid acl all src 0.0.0.0/0.0.0.0 http_access allow all cache_dir ufs /cache 1024 16 32

visible_hostname ws1
87

Running Squid

service squid start

squid d1 z

squid d1 f /etc/squid/squid.conf

88

The Kind of Proxies

Upstream Proxy
cache_peer yourproxy.com parent 3128 3130 prefer_direct off

Transparent Proxy
httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on
89

Session 15

RHCE
Red Hat Certified Engineer
M. A. Agheli
90

Configuring a Linux Router

Configuring Kernel

IP: advanced router

Enable IP Forwading

Add net.ipv4.ip_forward=1 to /etc/sysctl.conf echo 1 > /proc/sys/net/ipv4/ip_forward

91

Type of Routes

Static route Dynamic route

92

Components of Routing Rules

Destination IP Address An Interface An Optional Gateway IP Address

93

Routing Command

route add net net_addr netmask

mask_addr interface

route add host ip_addr interface

route add default gateway ip_addr

interface

94

An Example
Internet

192.168.1.2

192.168.100.2

B
Router 10.1.1.2 192.168.1.3
eth2
eth0 eth1

192.168.100.3 G

192.168.1.4 D

Gateway 192.168.1.1 192.168.100.11 0.1.1.1

192.168.100.4
H

192.168.1.5

192.168.100.5
95

Related Rules

route add net 192.168.1.0 netmask 255.255.255.0 eth0 route add net 192.168.100.0 netmask 255.255.255.0 eth1 route add net 10.1.1.0 netmask 255.255.255.0 eth2 route add default gateway 10.1.1.2 eth2

96

Destination

Gateway

Genmask

Result

Flags

Metric

Ref

Use

Iface

192.168.1.1 192.168.100.1 10.1.1.1 192.168.1.0 192.168.100.0

* * * * *

255.255.255.255 255.255.255.255 255.255.255.255 255.255.255.0 255.255.255.0

UH UH UH U U

0 0 0 0 0

0 0 0 0 0

0 0 0 0 0

eth0 Eth1 Eth2 eth0 Eth1

10.1.1.0 0.0.0.0 127.0.0.0

* 10.1.1.2 *

255.255.255.0 0.0.0.0 255.0.0.0

U UG U

0 0 0

0 0 0

0 0 0

Eth2 eth2 lo

U: Network link is up

H: Dest. Addr. Refers to a host

G: Gateway
97

Electronic Mail

(Sendmail)
98

How Email Is Sent and Received

mail1 MTA mail2 MTA

?
user1@mail1.com

user2@mail2.com

99

MTA : Mail Transport Agent SMTP (server-to-server) POP (Mail Access)

Post Office Protocol

Concepts

Simple Mail Transport Protocol

IMAP (Mail Access)

Interim Mail Access Protocol MDA : Mail Delivery Agent

MUA : Mail User Agent

100

Advantage of Sendmail

Older MTA Powerful MTA

Disadvantage of Sendmail

Slow High Load Environment Crypto Configuration

101

MTAs

Sendmail Postfix Exim Qmail

MUAs

Evolution, Kmail (KDE) Balsa (GNOME) Mozilla Mail

102

Required Packages

sendmail sendmail-cf imap (Config xinetd)

(contains IMAP & POP3)
103

Sendmail Configuration

Config /etc/mail/sendmail.mc file

LOCAL_DOMAIN(example.com)dnl

Run make C /etc/mail/ Config DNS

104

Email Aliases

Edit /etc/aliases file

postmaster: joseph

Run newaliases Command

105

Rejecting Email

Edit /etc/mail/access file

spam.com REJECT yahoo.com OK

service sendmail restart

106

Session 16

RHCE
Red Hat Certified Engineer
M. A. Agheli
107

108

Where do I look?
/etc/nsswitch.conf

(nameservice switch)
t@localhost:~$ cat /etc/nsswitch.conf hosts: files dns

109

Files
Search order determined by nsswitch.conf It is polite to have /etc/hosts first!

sjh@mccoy:~$ cat /etc/hosts 127.0.0.1 localhost 193.62.81.135 mccoy.tardis.ed.ac.uk mccoy 193.62.81.134 baker.tardis.ed.ac.uk baker 193.62.81.132 packages.tardis.ed.ac.uk packages

110

DNS Traversal
1. 2. 3. 4.

Local files Dns server locally Item in cache? Root server, work your way down

111

Resolving Names
Configuration Files for the Local Host Name Resolution (important for testing) /etc/resolv.conf /etc/nsswitch.conf /etc/host.conf
112

DNS

BIND Berkley Internet Name Daemon Dents buggy as hell (still in alpha?) Djbdns Dan Bernsteins DNS server Banyan VINES dont go there!

113

Named (name dee)

/etc/named.conf:

this defines a directory to store the DNS config files Contains info about what zones we serve, and where to find config files! Config file for named tells us if we are master / slave, allow or deny zone transfers, what the IPs of other master / slave servers are, etc. Contains "pointers" to the Root Servers

<DNSROOT>/root.hints:

<DNSROOT>/127.0.0:

Config for reverse-lookup to the local host/subnet

Config for zone

<DNSROOT>/<zone>:

<DNSROOT>/<in-addr.arpa file>

Config for reverse lookup for your zone

114

A simple named.conf
## named.custom - custom configuration for bind zone "." { type hint; file "root.lists"; }; options { directory "/var/named/"; }; zone "0.0.127.in-addr.arpa" { type master; file "127.0.0"; }; zone "hq.alim.ir" { type master; file "hq.alim.ir"; }; zone "168.168.192.in-addr.arpa" { type master; file "192.168.168"; };
115

DNS Data
DNS databases contain more than just hostname-to-address records: SOA Start Of Authority it is the daddy! IN NS Name Server IN MX Mail eXchanger IN A A record (Address record) IN CNAME Canonical NAME

116

A simple zone file

@ SOA hq.alim.ir. root.hq.alim.ir. ( 199609206 ; serial, todays date + todays serial # 8H ; refresh, seconds 2H ; retry, seconds 4W ; expire, seconds 1D ) ; minimum, seconds NS hq.alim.ir. MX 10 hq.alim.ir. ; Primary Mail Exchanger TXT "Alim IT Center" localhost A 127.0.0.1 router A 192.168.168.1 hq.alim.ir. A 192.168.168.2 ns A 192.168.168.3 www A 207.159.141.192 ftp CNAME hq.alim.ir. mail CNAME hq.alim.ir. news CNAME hq.alim.ir.
117

IN

A simple in-addr.arpa file

$TTL 3D @ IN SOA hq.alim.ir. root.hq.alim.ir. ( 199609206 ; Serial 28800 ; Refresh 7200 ; Retry 604800 ; Expire 86400) ; Minimum TTL NS hq.alim.ir.

; 1 2 2 ; 200 201 202

Servers PTR router.hq.alim.ir. PTR hq.alim.ir. PTR funn.hq.alim.ir. Workstations PTR ws-177200.hq.alim.ir. PTR ws-177201.hq.alim.ir. PTR ws-177202.hq.alim.ir.

118

Forward DNS

hq.alim.ir (as per /etc/named.conf) SOA Start Of Authority it is the daddy! IN NS Name Server IN MX Mail eXchanger IN A A record (Address record) IN CNAME Canonical NAME

119

Reverse DNS

192.168.168 (as per /etc/named.conf)

SOA IN NS IN PTR Pointer

120

DNS Round Robin

Fault tolerance? Through nifty DNS hacks

60 60 60 IN IN IN A A A 10.0.1.100 10.0.2.100 10.0.3.100

www.teviot.com. www.teviot.com. www.teviot.com.

121

Common Mistakes

Forgetting to increment the Serial Number! CNAME pointing at another CNAME! Forgetting the . In appropriate places! Underscores in hostnames! Forgetting to reload the daemon! Version control issues clobber changes! TTL Issues
122

Test Tools
nslookup dig

dig mail.hq.alim.ir dig -x 192.168.168.2 dig 168.168.192.in-addr.arpa. AXFR

whois
http://www.squish.net/dnscheck/

James Ponders DNS check web page

123

Session 17

RHCE
Red Hat Certified Engineer
M. A. Agheli
124

Firewall
Required Properties:

Control

Allow only those packets that you are interested to pass through.

Security

Reject packets from malicious outsiders

Watchfulness

Log packets to/from outside world

125

Firewall Types

Packet Filtering Proxy-Based Firewall

Statefull
Stateless

126

Packet Filter under Linux

1st generation

ipfw (from BSD)

2nd generation

ipfwadm (Linux 2.0)

3rd generation

ipchains (Linux 2.2)

4th generation

iptable (Linux 2.4 & 2.6)

127

Installing Iptables

Kernel Supports Iptables

Networking Options -> TCP/IP Networking ->Network Packet Filtering Networking Options -> TCP/IP Networking ->IP: advanced router -> * Networking Options -> IP: NetfilterNetworking Options -> IP: Netfilter Networking Options> QoS and/or fair queueing -> *

For Packets Traffic Control :

# rpm -ivh \ iptables-1.2.6a-2.i386.rpm

128

Chains of Tables

INPUT
Controls

packets entering your system packets leaving your system

OUTPUT
Controls

FORWARD
Controls

what packets can move from one network to another through your system
129

Routing Decision

Forward

Output Input Local Process

130

1.

2.

When a packet comes in, the kernel first looks at the destination of the packet: this is called routing. If its destined for this box
Passes downwards in the diagram To INPUT chain
If it passes, any processes waiting for that packet will receive it.

Otherwise go to step 3

Continue
131

3. If forwarding is not enabled The packet will be dropped

If forwarding is enable and the packet is destined for another network interface. The packet goes rightwards on our diagram to the FORWARD chain. If it is accepted, it will be sent out.

4. Packets generated from local process pass to the OUPUT chain immediately.
If its says accept, the packet will be sent out.

132

Packet Status in Iptables

Established New Related Invalid

133

Results of Packet Checking

ACCEPT DROP REJECT

134

Tables of Iptables

Filter NAT Mangle

135

The Path of Packet in Iptables

Network

Mangle Table PREROUTING Chain NAT Table PREROUTING Chain

Destination NAT

Routing decision
Mangle INPUT Filter INPUT Local process Routing decision Mangle OUTPUT NAT OUTPUT Filter OUTPUT NAT POSTROUTING Chain Mangle POSTROUTING Mangle FORWARD

Filter FORWARD

Source NAT Based on routing

Network
136

Tables of Chains
Chain POSTROUTI INPUT OUTPUT FORWARD PREROUTING NG table
MANGLE NAT FILTER

* *

* * *

* *

* * -

* * -

137

Building a Rule source/destination

iptables s 200.200.200.1
Refers to packet from a specific IP address The -s refers to the source of the packet, where the packet is coming from. A corresponding -d refers to the destination, where the packet is going to.

138

Building a Rule Action

iptables s 200.200.200.1 -j DROP

The -j determines what happens to the

Building a Rule IP address ranges

iptables s 200.200.200.0/24 -j DROP

IPs that match 200.200.200.* The /24 refers to the number of bits that are fixed, counting from the left.

139

Other Actions

REDIRECT
Sends

packets to a proxy

LOG
Tracks

packets as they match rules user defined chains

RETURN
Terminates

140

Building a Rule appending rules to tables

iptables A INPUT s 200.200.200.1 -j DROP

The -A appends the rule to an iptable The INPUT specifies the iptable This command makes your system to ignore all packets from 200.200.200.1

iptables A OUTPUT d 200.200.200.1 j DROP

This command does not allow your system to sent packets to 200.200.200.1
141

Building a Rule only blocking some packets

iptables A INPUT s 200.200.200.1 p tcp --destination-port telenet j DROP

The -p specifies a specific protocol: tcp, udp, or icmp The -destination-port is where the packet is going

You can user the service name or the port number

Could use 23 in this example

Keep in mind that the source-port is very different from the destination-port. In this example the inbound message is going to your telenet server. The telenet client that is sending you the message could be running on any port. --dport == --destination-port --sport == --source-port

142

Building a Rule multiple network interfaces

Assume your machine has two interface cards. One to a LAN named eth0 and the other to the Internet named ppp0 iptables A INPUT p tcp --dport telnet i ppp0 j DROP

The -i option specifies the input interface

The is also a -o option for the output interface

iptables A INPUT p tcp --dport telnet i eth0 j ACCEPT

Together these rules would accept telnet requests from the LAN but block telnet requests from the Internet.
143

Building a Rule Table Policies

iptables P FORWARD ACCEPT

The -P option followed by a table name and action determines the default policy of the table. If no rule in the table matches this default action is taken.

The usual policies are

INPUT = ACCEPT OUTPUT = ACCEPT FORWARD = DENY

144

Building a Rule Adding Rules to Tables

iptables A INPUT s 200.200.200.1 -j DROP

Appends the rule to the end of the table Inserts the rule as rule 3 in the table, moving all other rules down 1. Replaces rule 3 in the table

iptables I INPUT 3 s 200.200.200.1 -j DROP

iptables R INPUT 3 s 200.200.200.1 -j DROP

iptables D INPUT 3

Deletes rule 3 in the table

145

Operations to manage whole chains

-N -X -P Create a new chain Delete an empty chain Change the policy for a built-in chain

-L
-F -Z

List the rules in a chain

Flush the rules out of a chain Zero the packet and byte counters on all rules in a chain
146

Manipulate rules inside a chain

-A -I -R -D -D Append a new rule to a chain

Insert a new rule at some position in a chain

Replace a rule at some position in a chain Delete a rule at some position in a chain Delete the first rule that matches in a chain
147

An Example
Firewall
192.168.1.1
Web Server SSH Server
Accessible ONLY via LAN

eth1 eth0

Internet

192.168.1.5
GW: 192.168.1.1

192.168.1.6
GW: 192.168.1.1

192.168.1.7
GW: 192.168.1.1

148

Session 18

RHCE
Red Hat Certified Engineer

Advanced
M. A. Agheli
149

Traffic Shaping (CBQ)

/etc/rc.d/init.d/cbq.init
(http://ovh.dl.sourceforge.net/sourceforge/cbqinit/cbq.init-v0.7.3)

Install shapecfg RPM

/etc/sysconfig/cbq/*(0002-FFFF) /etc/rc.d/init.d/cbq.init start
150

Sample of CBQ Configuration

DEVICE=eth0,10Mbit,1Mbit RATE=10 Kbit PRIO=5 RULE=:21,192.168.1.0/24

151

The End
Good Luck
152