Presentation is loading. Please wait.

Presentation is loading. Please wait.

Red Hat Certified Engineer

Similar presentations


Presentation on theme: "Red Hat Certified Engineer"— Presentation transcript:

1 Red Hat Certified Engineer
Session 1 RHCE Red Hat Certified Engineer Asif Raza

2 History Of UNIX & Linux 1957: Bell Labs found they needed an operating system which at the time was running various batch jobs. 1965: Bell Labs create Multics (Multiplexed Information and Computing Service) 1969: Summer 1969 UNIX was developed by AT&T 1975: Sixth edition of UNIX released May 1975 1985: GNU project started 1991: Linux is introduced by Linus Benedict Torvalds who was a second year student of Computer Science at the University of Helsinki 1993: NetBSD & FreeBSD released 1994: Red Hat Linux is introduced

3 First Article About Linux
From: (Linus Benedict Torvalds) Newsgroups: comp.os.minix Subject: What would you like to see most in minix? Summary: small poll for my new operating system Message-ID: Date: 25 Aug 91 20:57:08 GMT Organization: University of Helsinki Hello everybody out there using minix - I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones. This has been brewing since april, and is starting to get ready. I'd like any feedback on things people like/dislike in minix, as my OS resembles it somewhat (same physical layout of the file-system (due to practical reasons) among other things). I've currently ported bash(1.08) and gcc(1.40),and things seem to work.This implies that I'll get something practical within a few months, andI'd like to know what features most people would want.a Any suggestions are welcome, but I won't promise I'll implement them :-) Linus PS. Yes - it's free of any minix code, and it has a multi-threaded fs. It is NOT protable (uses 386 task switching etc), and it probably never will support anything other than AT-harddisks, as that's all I have :-(.

4 GNU & GPL GNU Project: Focused on creating a Unix like operating systemthat could be freely distributed GPL: Global Public license(Copyleft)

5 Major Linux Distributors
Mandrake Linux Slackware Linux SuSE Linux Turbo Linux Vector Linux Caldera Linux Corel Linux Debian Linux Kondara Linux Red Hat Linux

6 The Advantage of Linux Low purchase cost Open Source Software (OSS)
UNIX heritage Multi User Scalability Vendor support Reliable uptime Security Logging System

7 The Disadvantage of Linux
Steep learning curve Hardware support End-user applications

8 A Comparison Of Win 9x, NT, and Linux
Win NT Win 9x Feature Good Poor Scalability Excellent Desktop App. Support None Enterprise App. Support Hardware Support Licensing Cost Network Performance Security

9 Linux Filesystem Hierarchy
Essential Binary Files /bin Boot Loader Files /boot Device Files /dev Configuration Files /etc User Home Directories /home Shared Libraries and Kernel Modules /lib Mount Point for Temporarily Mounted FS /mnt System Information Virtual File System /proc root User Home Directory /root Essential System Binaries /sbin Temporary Files /tmp Shareable Files /usr Non-Shareable Files /var

10 Red Hat Certified Engineer
Session 2 RHCE Red Hat Certified Engineer Asif Raza

11 Installing Linux Hardware Requirements Harddisk Partitioning Boot Loader Install Packages X Configuration

12 Overview of the Installation Process
Starting the installation process Installation Mode Language Keyboard Mouse Partitioning Boot Loader Installation Network Configuration Setting the time zone

13 Overview of the Installation Process
Firewall Configuration Specifying authentication options (optional) Specifying user accounts Selecting packages Installing packages Creating a boot disk Configuration the X Windows system (optional)

14 Installing Linux: Consoles & Message Logs
Contents Keystrokes Console Text-based installation procedure Ctrl+Alt+F1 1 Shell prompt Ctrl+Alt+F2 2 Messages from installation program Ctrl+Alt+F3 3 Kernel messages Ctrl+Alt+F4 4 Other messages, including file system creation messages Ctrl+Alt+F5 5 Graphical installation procedure Ctrl+Alt+F7 7

15 Configuring InstallTime Options after Installation
authconfig ntsysv setup redhat-config-… kbdconfig mouseconfig timeconfig sndconfig netconfig

16 Red Hat Certified Engineer
Session 3 RHCE Red Hat Certified Engineer Asif Raza

17 Some of Important BASH Variables
SHELL bash (Bourne Again Shell) ash sach tcsh mc Some of Important BASH Variables PATH SHELL PS1 PS2 PS1, PS2 Switches \u , \h , \W , \d , \t , \s , \$ , $

18 Some of Linux Commands(1)
ls info help man echo rm mv cp tac cat rmdir mkdir pwd touch cd logout date less alias clear halt reboot exit

19 Red Hat Certified Engineer
Session 4 RHCE Red Hat Certified Engineer Asif Raza

20 BASH Standard Input & Standard Output: TAB key Features
Review Pages & Commands Quoting in BASH: “value” ‘value’ `value` Redirection Operators: > >> | << < Standard Input & Standard Output: stdin 0 stdout 1 stderr 2

21 Important Command Forms
cmd cmd & (fg, ctrl+z, bg) cmd1 ; cmd2 (cmd1 ; cmd2) cmd1 `cmd2` cmd1 | cmd2 cmd1 && cmd2 cmd1 || cmd2 { cmd1 ; cmd2 }

22 Linux File Types - Normal d Directories Hard link l Symbolic link s
Normal file - Normal Normal directory d Directories Hard link Shortcut to a file or directory l Symbolic link Pass data between 2 process s Socket Like sockets, user can’t work directly with p Named pipe Processes character hw communication c Character device Major & minor numbers for controling dev. b Block device

23 Bash Special Variables
Specifies number of arguments given to the command $# Returns value of the last program to be used $? Processes number of the current shell $$ Processes number of the last child process $! Specifies individually quoted arguments Specifies all arguments quoted as whole $* Specifies positional argument value, where n is the position $n Specifies name of the current shell $0

24 Some of Linux Commands(2)
Process Text Streams sort, cut, head, tail, split, wc, uniq, grep Redirecting Command’s output tee Create, Monitor & Kill Processes ps, pstree, top, kill, killall Modify Process Priority (renice)

25 Red Hat Certified Engineer
Session 5 RHCE Red Hat Certified Engineer Asif Raza

26 Some of Linux Commands(3)
Create Partitions and Filesystem fdisk, mke2fs, mkfs.* Maintain the Integrity of Filesystem e2fsck, fsck.*, du, df Filesystem Mounting & Umounting mount, umount, /etc/fstab

27 Some of Linux Commands(4)
Use File Permissions chmod, chown, chgrp, su Create Hard & Symbolic Links (ln) Find System Files (find, locate, which) Using Emergency & Single User Mode

28 ‘vi’ Powerful Text Editor
Insert Mode Normal Mode Command Mode Insert Text Delete dd  n+dd (Delete) yy  n+yy (Copy) p (paste) P (Paste) / (Search) v (Visual) (Text Selection) w q wq = x q! r s///

29 Red Hat Certified Engineer
Session 6 RHCE Red Hat Certified Engineer

30 Run Levels init & chkconfig Commands /etc/inittab
Definition Run Levels This runlevel halts the system This runlevel sets single-user mode 1 Multiuser mode without networking 2 Multiuser mode with networking 3 Not used 4 X-based log in 5 This runlevel reboot the system 6 init & chkconfig Commands /etc/inittab /etc/rc.d/init.d & /etc/rc[ ].d/

31 Configuring Boot loader
LILO Edit /etc/lilo.conf & execute ‘lilo’ command GRUB Edit /boot/grub/grub.conf

32 Administrative Tasks Manage Users, Groups & Related Files
useradd, userdel, groupadd, groupdel, passwd, vipw, vigr /etc/passwd, /etc/shadow, /etc/skel, /etc/profile, … Configure and use system log files /etc/syslog.conf, /etc/logrotate.conf Scheduling Jobs (at & crontab commands) Backup & Restore Tools tar, bzip2, gzip

33 Red Hat Certified Engineer
Session 7 RHCE Red Hat Certified Engineer

34 Linux Installation and Package Management
Make and Install Programs from Source RPM (Redhat Package Manager)

35 Kernel About Kernel and Loadable Modules
Manage Kernel Modules at Runtime (/etc/modules.conf) Reconfigure, Build and Install a Custom Kernel

36 Configuring Modems redhat-config-network-tui Command in Text Mode
Modem Configuration Files kppp Command in X window

37 Red Hat Certified Engineer
Session 8 RHCE Red Hat Certified Engineer

38 Shell Scripts # Comments #! Special Comments Assign a Value x=y x=‘$y’
x=$y export x,y,z x=${y}es export x=$y x=$yes

39 Shell Scripts Control Constructs for x in …; do …; done
‘read’ command ‘test’ command ( [ ] ) if …; then …; else …; fi case ...; in pattern) …;; esac while …; do …; done until …; do …; done for x in …; do …; done break, continue, exit (for, while, until)

40 Red Hat Certified Engineer
Session 9 RHCE Red Hat Certified Engineer Asif Raza

41 Installing and Configuring X

42 X Client X Server X Protocol
Basic X Concepts X Client X Server X Protocol

43 X Window Manager X Desktop Manager X Display Manager
Basic X Concepts X Window Manager X Desktop Manager X Display Manager

44 Determine the proper X server Install the proper packages
Installing X Determine the proper X server Install the proper packages

45 Installation the Packages
X Server Selection XFree86-* Installation the Packages freetype gtk+ XFree86-libs XFree86-75dpi-fonts redhat-config-xfree86 XFree86-xfs XFree86-xdm XFree86-twm XFree86-tools xinitrc

46 redhat-config-xfree86 xvidtune
Configuring X redhat-config-xfree86 xvidtune

47 Important X Directories & Files
/usr/X11R6/bin /etc/X11 /etc/X11/XF86Config

48 Configure and Use PPP ‘redhat-config-network-tui’ Command in Text Mode
Modem Configuration Files kppp Command in X window

49 Red Hat Certified Engineer
Session 10 RHCE Red Hat Certified Engineer

50 Network Basics IP (network & host portion) Netmask Address
: Static IP Dynamic IP Netmask Address : Network Address : Broadcast Address :

51 Classfull Addressing System
Network Classes Class A (8 bits) Class B (16 bits) Class C (24 bits) Reserved IP (Loop back Addr.) (Multicast Protocols) (do not used) Public & Private Networks (Valid & Invalid IPes)

52 Classless Addressing System (Subnet)
Net. Addr.: = Netmasks: (*/24) : (*/25) : (*/26) : (*/27) : (*/28) : (*/29) : (*/30) : (*/31) :

53 TCP/IP Model (1)

54 TCP/IP Model (2) Network Access Protocols Internet Protocols
All functions necessary to access the physical network Internet Protocols IP (Internet Protocol – Connectionless) ICMP (Internet Control Message Protocol)

55 TCP/IP Model (3) Transport Protocols Application Protocols
TCP (Transmission Control Protocol) Connection-based UDP (User Datagram Protocol) Connectionless Application Protocols Previlage Ports (0-1023) /etc/services

56 Types of TCP/IP Services
Stand-alone xinetd (and its config)

57 Related TCP/IP Commands
ps x netstat -ap --inet | grep LISTEN Controlling TCP/IP Daemons Start the daemon Stop the daemon Restart the daemon Status the daemon

58 Red Hat Certified Engineer
Session 11 RHCE Red Hat Certified Engineer Asif Raza

59 Configuration Network
Initializing Network Hardware Load related module Network Configuration Tools netconfig redhat-config-network

60 Configuration Network
Other Network Tools tcpdump nmap tethereal iptraff ifconfig ping traceroute netstat

61 Configuration Network
Network Configuration Files /etc/hosts /etc/host.conf /etc/services /etc/resolv.conf /etc/sysconfig/network /etc/sysconfig/network-scripts/* IP Aliasing

62 Red Hat Certified Engineer
Session 12 RHCE Red Hat Certified Engineer Asif Raza

63 DHCP Advantage & disadvantage of DHCP DHCP Server Configuration
/etc/dhcpd.conf /var/lib/dhcp/dhcpd.leases DHCP Client Configuration netconfig command

64 An Example of dhcpd.conf
ddns-update-style ad-hoc; subnet netmask { range ; option routers ; option subnet-mask ; option domain-name "domain.com"; option domain-name-servers ; default-lease-time 21600; max-lease-time 43200; # we want the nameserver to appear at a fixed address host dns1 { hardware ethernet 12:34:56:78:AB:CD; fixed-address ; }

65 dhcpd.leases Format lease 192.168.1.8 { starts 3 2004/04/12 09:34:12
ends /07/15 23:49:57 hardware ethernet 00:09:e6:88:0a:05 } ...

66 NFS Related Daemons Installation rpc.nfsd rpc.portmap rpc.mountd
nfs-utils portmap 2004 Agust

67 NFS Configuration Server Side Client Side Edit /etc/exports file
PATH host_lists(options) Run ‘exportfs –r’ command ‘redhat-config-nfs’ Command Client Side mount –t nfs server:PATH Mountpoint Edit ‘/etc/fstab’ file server:PATH M.P. nfs ro 0 0

68 SAMBA (1) Related Services Related Packages smbd nmbd samba
samba-common samba-client

69 SAMBA (2) Server Configuration Client Configuration
Global Directives Service Directives Client Configuration smbmount //server/share /m.p. smbclient //server/share Configuration with SWAT

70 Red Hat Certified Engineer
Session 13 RHCE Red Hat Certified Engineer Asif Raza

71 TCP/IP Services Process Process Port Port Port Server Client
1. server binds to port and listens 2. Client binds to port 3. Client connects to server Port 4. Server designates port Port Port 5. Client and server communicate

72 Telnet Server & Client SSH
Remote Login Telnet Server & Client SSH

73 Modules mod_auth mod_info mod_php mod_include mod_perl mod_ssl
The Apache Web Server Modules mod_auth mod_info mod_php mod_include mod_perl mod_ssl

74 Installation Apache rpm –Uvh httpd-[^d]*.rpm rpm –Uvh httpd-devel*.rpm
(for support apache modules)

75 Basic Configuration httpd.conf Section 1: Section 2: Section 3:
The Global Environment Section 2: The Main Configuration Section 3: The Virtual Host Configuration

76 Apache Advanced Configuration
Authentication in Apache Configure with PHP Configure with SSL Configure Virtual Host

77 Authentication in Apache
Create ‘/etc/httpd/.htpasswd’ file Configuring ‘httpd.conf’ file <Location /dir_name> AuthType Basic AuthName “NAME” AuthUserFile “.htpasswd” Require valid-user </Location>

78 Configure Apache with PHP
rpm –Uvh php-4*.rpm Configure Apache with SSL rpm –Uvh mod_ssl*.rpm

79 Configure Virtual Host
Configuring ‘/etc/hosts’ file Configuring ‘httpd.conf’ file <VirtualHost > ServerAdmin DocumentRoot /var/www/html/vh/ ServerName </VirtualHost>

80 Start Stop Restart Reload Status
Apache Administration Start Stop Restart Reload Status

81 Troubleshooting the Apache
/var/log/messages /var/log/httpd/ /usr/sbin/httpd –S (for virtual host)

82 Securing Your Network Using ‘lokkit’ or ‘redhat-config-securitylevel’ Command Password & Physical Security Securing TCP/IP Using Tripwire Keeping Up-to-Date on Linux Security Issues

83 Red Hat Certified Engineer
Session 14 RHCE Red Hat Certified Engineer Asif Raza

84 FTP Installation Access Levels rpm –ivh vsftp*.rpm Config File
/etc/vsftpd/vsftpd.conf Access Levels Anonymouse Access (anonymouse_enable) User Access (tcp_wrappers needs)

85 Cache Server (Squid) Install squid Managing squid rpm –ivh squid*.rpm
start, stop, restart, status, reload

86 Squid Log Files /var/log/squid/access.log (cache_access_log)
/var/log/squid/cache.log (cache_log) /var/log/squid/store.log (cache_store_log)

87 An Example of ‘squid.conf’
http_port 8081 cache_effective_user squid cache_effective_group squid acl all src / http_access allow all cache_dir ufs /cache visible_hostname ws1

88 service squid start squid –d1 –z squid –d1 –f /etc/squid/squid.conf
Running Squid service squid start squid –d1 –z squid –d1 –f /etc/squid/squid.conf

89 The Kind of Proxies Upstream Proxy Transparent Proxy
cache_peer yourproxy.com parent prefer_direct off Transparent Proxy httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on

90 Red Hat Certified Engineer
Session 15 RHCE Red Hat Certified Engineer Asif Raza

91 Configuring a Linux Router
Configuring Kernel IP: advanced router Enable IP Forwading Add ‘net.ipv4.ip_forward=1’ to /etc/sysctl.conf echo “1” > /proc/sys/net/ipv4/ip_forward

92 Static route Dynamic route
Type of Routes Static route Dynamic route

93 Components of Routing Rules
Destination IP Address An Interface An Optional Gateway IP Address

94 Routing Command route add –net net_addr netmask mask_addr interface
route add –host ip_addr interface route add default gateway ip_addr interface

95 An Example Internet A 192.168.1.2 E 192.168.100.2 B 192.168.1.3 F
Router eth2 eth0 eth1 C G Gateway D H

96 Related Rules route add –net 192.168.1.0 netmask 255.255.255.0 eth0
route add default gateway eth2

97 Result Iface Use Ref Metric Flags Genmask Gateway Destination eth0 UH * Eth1 Eth2 U eth2 UG lo U: Network link is up H: Dest. Addr. Refers to a host G: Gateway

98 Electronic Mail (Sendmail)

99 How Email Is Sent and Received
mail1 MTA mail2 MTA ? ?

100 Concepts MTA : Mail Transport Agent SMTP (server-to-server)
Simple Mail Transport Protocol POP (Mail Access) Post Office Protocol IMAP (Mail Access) Interim Mail Access Protocol MDA : Mail Delivery Agent MUA : Mail User Agent

101 Disadvantage of Sendmail
Older MTA Powerful MTA Disadvantage of Sendmail Slow High Load Environment Crypto Configuration

102 Sendmail Postfix Exim Qmail
MTAs Sendmail Postfix Exim Qmail MUAs Evolution, Kmail (KDE) Balsa (GNOME) Mozilla Mail

103 sendmail sendmail-cf imap (Config xinetd) (contains IMAP & POP3)
Required Packages sendmail sendmail-cf imap (Config xinetd) (contains IMAP & POP3)

104 Sendmail Configuration
Config ‘/etc/mail/sendmail.mc’ file LOCAL_DOMAIN(‘example.com’)dnl Run ‘make –C /etc/mail/’ Config DNS

105 Edit ‘/etc/aliases’ file postmaster: joseph Run ‘newaliases’ Command
Aliases Edit ‘/etc/aliases’ file postmaster: joseph Run ‘newaliases’ Command

106 Rejecting Email Edit ‘/etc/mail/access’ file service sendmail restart
spam.com REJECT yahoo.com OK service sendmail restart

107 Red Hat Certified Engineer
Session 16 RHCE Red Hat Certified Engineer Asif Raza

108 DNS

109 Where do I look? /etc/nsswitch.conf (nameservice switch)
cat /etc/nsswitch.conf hosts: files dns

110 Files Search order determined by nsswitch.conf
It is polite to have /etc/hosts first! cat /etc/hosts localhost mccoy.tardis.ed.ac.uk mccoy baker.tardis.ed.ac.uk baker packages.tardis.ed.ac.uk packages

111 DNS Traversal Local files Dns server locally Item in cache?
Root server, work your way down…

112 Resolving Names Configuration Files for the Local Host Name Resolution (important for testing) /etc/resolv.conf /etc/nsswitch.conf /etc/host.conf

113 DNS BIND – Berkley Internet Name Daemon
Dents – buggy as hell (still in alpha?) Djbdns – Dan Bernstein’s DNS server Banyan VINES – don’t go there!

114 Named (name dee) /etc/named.conf: <DNSROOT>/root.hints:
this defines a directory to store the DNS config files Contains info about what zones we serve, and where to find config files! Config file for named – tells us if we are master / slave, allow or deny zone transfers, what the IPs of other master / slave servers are, etc. <DNSROOT>/root.hints: Contains "pointers" to the Root Servers <DNSROOT>/ : Config for reverse-lookup to the local host/subnet <DNSROOT>/<zone>: Config for zone <DNSROOT>/<in-addr.arpa file> Config for reverse lookup for your zone See print out.

115 A simple named.conf ## named.custom - custom configuration for bind
zone "." { type hint; file "root.lists"; }; options { directory "/var/named/"; zone " in-addr.arpa" { type master; file " "; zone "hq.alim.ir" { file "hq.alim.ir"; zone " in-addr.arpa" { file " "; CNAMEs should only point at A records RR – Resource Record LOC – GPS Location HINFO – Hardware Info See print out

116 DNS Data DNS databases contain more than just hostname-to-address records: SOA – Start Of Authority – it is the daddy! IN NS – Name Server IN MX – Mail eXchanger IN A – A record (Address record) IN CNAME – Canonical NAME CNAMEs should only point at A records RR – Resource Record LOC – GPS Location HINFO – Hardware Info See print out

117 A simple zone file @ IN SOA hq.alim.ir. root.hq.alim.ir. (
; serial, todays date + todays serial # 8H ; refresh, seconds 2H ; retry, seconds 4W ; expire, seconds 1D ) ; minimum, seconds NS hq.alim.ir. MX 10 hq.alim.ir. ; Primary Mail Exchanger TXT "Alim IT Center" localhost A router A hq.alim.ir. A ns A www A ftp CNAME hq.alim.ir. mail CNAME hq.alim.ir. news CNAME hq.alim.ir. CNAMEs should only point at A records RR – Resource Record LOC – GPS Location HINFO – Hardware Info See print out

118 A simple in-addr.arpa file
$TTL 3D @ IN SOA hq.alim.ir. root.hq.alim.ir. ( ; Serial ; Refresh ; Retry ; Expire 86400) ; Minimum TTL NS hq.alim.ir. ; Servers PTR router.hq.alim.ir. PTR hq.alim.ir. PTR funn.hq.alim.ir. ; Workstations PTR ws hq.alim.ir. PTR ws hq.alim.ir. PTR ws hq.alim.ir. CNAMEs should only point at A records RR – Resource Record LOC – GPS Location HINFO – Hardware Info See print out

119 Forward DNS hq.alim.ir (as per /etc/named.conf)
SOA – Start Of Authority – it is the daddy! IN NS – Name Server IN MX – Mail eXchanger IN A – A record (Address record) IN CNAME – Canonical NAME CNAMEs should only point at A records RR – Resource Record LOC – GPS Location HINFO – Hardware Info See print out

120 Reverse DNS SOA IN NS IN PTR – Pointer
(as per /etc/named.conf) SOA IN NS IN PTR – Pointer See print out.

121 DNS Round Robin Fault tolerance? Through nifty DNS hacks
60 IN A 60 IN A 60 IN A The 60s there are TTLs – overrides the default TTL in the SOA Worth noting that the address closest to the requesting host will be returned first… Mention hesiod – home dir locations through DNS, and other such stuff.

122 Common Mistakes Forgetting to increment the Serial Number!
CNAME pointing at another CNAME! Forgetting the “.” In appropriate places! Underscores in hostnames! Forgetting to reload the daemon! Version control issues – clobber changes! TTL Issues

123 Test Tools nslookup dig whois http://www.squish.net/dnscheck/
dig mail.hq.alim.ir dig -x dig in-addr.arpa. AXFR whois James Ponder’s DNS check web page

124 Red Hat Certified Engineer
Session 17 RHCE Red Hat Certified Engineer Asif Raza

125 Firewall Required Properties:
Control Allow only those packets that you are interested to pass through. Security Reject packets from malicious outsiders Watchfulness Log packets to/from outside world

126 Packet Filtering Proxy-Based Firewall
Firewall Types Statefull Stateless Packet Filtering Proxy-Based Firewall

127 Packet Filter under Linux
1st generation ipfw (from BSD) 2nd generation ipfwadm (Linux 2.0) 3rd generation ipchains (Linux 2.2) 4th generation iptable (Linux 2.4 & 2.6)

128 Installing Iptables # rpm -ivh \ iptables-1.2.6a-2.i386.rpm
Kernel Supports Iptables Networking Options -> TCP/IP Networking ->Network Packet Filtering Networking Options -> TCP/IP Networking ->IP: advanced router -> * Networking Options -> IP: NetfilterNetworking Options -> IP: Netfilter For Packets Traffic Control : Networking Options> QoS and/or fair queueing -> * # rpm -ivh \ iptables-1.2.6a-2.i386.rpm

129 Chains of Tables INPUT OUTPUT FORWARD
Controls packets entering your system OUTPUT Controls packets leaving your system FORWARD Controls what packets can move from one network to another through your system

130 Forward Routing Decision Output Input Local Process

131 If it’s destined for this box
When a packet comes in, the kernel first looks at the destination of the packet: this is called routing. If it’s destined for this box Passes downwards in the diagram To INPUT chain If it passes, any processes waiting for that packet will receive it. Otherwise go to step 3 Continue…

132 If forwarding is not enabled The packet will be dropped
If forwarding is enable and the packet is destined for another network interface. The packet goes rightwards on our diagram to the FORWARD chain. If it is accepted, it will be sent out. Packets generated from local process pass to the OUPUT chain immediately. If its says accept, the packet will be sent out.

133 Packet Status in Iptables
Established New Related Invalid

134 Results of Packet Checking
ACCEPT DROP REJECT

135 Tables of Iptables Filter NAT Mangle

136 The Path of Packet in Iptables
Network Mangle Table PREROUTING Chain NAT Table PREROUTING Chain Destination NAT Routing decision Mangle INPUT Mangle FORWARD Filter INPUT Filter FORWARD Local process Mangle POSTROUTING Routing decision Mangle OUTPUT NAT POSTROUTING Chain Source NAT Based on routing NAT OUTPUT Filter OUTPUT Network

137 Tables of Chains * - Chain table POSTROUTING PREROUTING FORWARD OUTPUT
INPUT Chain table * MANGLE - NAT FILTER

138 Building a Rule source/destination
iptables –s Refers to packet from a specific IP address The “-s” refers to the source of the packet, where the packet is coming from. A corresponding “-d” refers to the destination, where the packet is going to.

139 Building a Rule IP address ranges
Building a Rule Action iptables –s j DROP The “-j” determines what happens to the Building a Rule IP address ranges iptables –s /24 -j DROP IPs that match * The “/24” refers to the number of bits that are fixed, counting from the left.

140 Other Actions REDIRECT LOG RETURN Sends packets to a proxy
Tracks packets as they match rules RETURN Terminates user defined chains

141 Building a Rule appending rules to tables
iptables –A INPUT –s j DROP The “-A” appends the rule to an iptable The “INPUT” specifies the iptable This command makes your system to ignore all packets from iptables –A OUTPUT –d –j DROP This command does not allow your system to sent packets to

142 Building a Rule only blocking some packets
iptables –A INPUT –s –p tcp --destination-port telenet –j DROP The “-p” specifies a specific protocol: tcp, udp, or icmp The “-destination-port” is where the packet is going You can user the service name or the port number Could use 23 in this example Keep in mind that the source-port is very different from the destination-port. In this example the inbound message is going to your telenet server. The telenet client that is sending you the message could be running on any port. --dport == --destination-port --sport == --source-port

143 Building a Rule multiple network interfaces
Assume your machine has two interface cards. One to a LAN named eth0 and the other to the Internet named ppp0 iptables –A INPUT –p tcp --dport telnet –i ppp0 –j DROP The “-i” option specifies the input interface The is also a “-o” option for the output interface iptables –A INPUT –p tcp --dport telnet –i eth0 –j ACCEPT Together these rules would accept telnet requests from the LAN but block telnet requests from the Internet.

144 Building a Rule Table Policies
iptables –P FORWARD ACCEPT The “-P” option followed by a table name and action determines the default policy of the table. If no rule in the table matches this default action is taken. The usual policies are INPUT = ACCEPT OUTPUT = ACCEPT FORWARD = DENY

145 Building a Rule Adding Rules to Tables
iptables –A INPUT –s j DROP Appends the rule to the end of the table iptables –I INPUT 3 –s j DROP Inserts the rule as rule 3 in the table, moving all other rules down 1. iptables –R INPUT 3 –s j DROP Replaces rule 3 in the table iptables –D INPUT 3 Deletes rule 3 in the table

146 Operations to manage whole chains
Create a new chain -X Delete an empty chain -P Change the policy for a built-in chain -L List the rules in a chain -F Flush the rules out of a chain -Z Zero the packet and byte counters on all rules in a chain

147 Manipulate rules inside a chain
Append a new rule to a chain -I Insert a new rule at some position in a chain -R Replace a rule at some position in a chain -D Delete a rule at some position in a chain Delete the first rule that matches in a chain

148 Accessible ONLY via LAN
An Example Firewall Internet Web Server SSH Server Accessible ONLY via LAN eth1 eth0 GW: GW: GW:

149 Red Hat Certified Engineer
Session 18 RHCE Red Hat Certified Engineer Advanced Asif Raza

150 Traffic Shaping (CBQ) /etc/rc.d/init.d/cbq.init Install ‘shapecfg’ RPM
(http://ovh.dl.sourceforge.net/sourceforge/cbqinit/cbq.init-v0.7.3) Install ‘shapecfg’ RPM /etc/sysconfig/cbq/*(0002-FFFF) /etc/rc.d/init.d/cbq.init start

151 Sample of CBQ Configuration
DEVICE=eth0,10Mbit,1Mbit RATE=10 Kbit PRIO=5 RULE=:21, /24

152 The End Good Luck


Download ppt "Red Hat Certified Engineer"

Similar presentations


Ads by Google