Session 1

RHCE
Red Hat Certified Engineer

M. A. Agheli
History Of UNIX & Linux
   1957: Bell Labs found they needed an operating system for their computing centre, which at the time was running various batch jobs.
   1965: Bell Labs create Multics (Multiplexed Information and Computing Service)
   1969: Summer 1969, UNIX is developed at AT&T (Bell Labs)
   1975: Sixth edition of UNIX released, May 1975
   1985: GNU project started
   1991: Linux is introduced by Linus Benedict Torvalds, a second-year Computer Science student at the University of Helsinki
   1993: NetBSD & FreeBSD released
   1994: Red Hat Linux is introduced
First Article About Linux
From: torvalds@klaava.Helsinki.FI (Linus Benedict Torvalds)
Newsgroups: comp.os.minix
Subject: What would you like to see most in minix?
Summary: small poll for my new operating system
Message-ID: <1991Aug25.205708.9541@klaava.Helsinki.FI>
Date: 25 Aug 91 20:57:08 GMT
Organization: University of Helsinki

Hello everybody out there using minix -

I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones. This has been brewing
since april, and is starting to get ready. I'd like any feedback on
things people like/dislike in minix, as my OS resembles it somewhat
(same physical layout of the file-system (due to practical reasons)
among other things). I've currently ported bash(1.08) and gcc(1.40), and
things seem to work. This implies that I'll get something practical within a
few months, and I'd like to know what features most people would want.
Any suggestions are welcome, but I won't promise I'll implement them :-)

Linus (torvalds@kruuna.helsinki.fi)

PS. Yes - it's free of any minix code, and it has a multi-threaded fs.
It is NOT portable (uses 386 task switching etc), and it probably never
will support anything other than AT-harddisks, as that's all I have :-(.
GNU & GPL
GNU Project:
   Focused on creating a Unix-like operating system that could be freely distributed
GPL:
   GNU General Public License (Copyleft)
Major Linux Distributors

   Caldera Linux      Mandrake Linux
   Corel Linux        Slackware Linux
   Debian Linux       SuSE Linux
   Kondara Linux      Turbo Linux
   Red Hat Linux      Vector Linux
The Advantages of Linux
   Low purchase cost
   Open Source Software (OSS)
   UNIX heritage
   Multi User
   Scalability
   Vendor support
   Reliable uptime
   Security
   Logging System
   …
The Disadvantages of Linux
   Steep learning curve
   Hardware support
   End-user applications
A Comparison Of Win 9x, NT, and Linux
Feature                   Win 9x      Win NT    Linux
Scalability               Poor        Good      Good
Desktop App. Support      Excellent   Good      Good
Enterprise App. Support   None        Good      Good
Hardware Support          Excellent   Good      Good
Licensing Cost            Good        Poor      Excellent
Network Performance       Good        Good      Excellent
Security                  Poor        Good      Good
Linux Filesystem Hierarchy
/bin         Essential Binary Files
/boot        Boot Loader Files
/dev         Device Files
/etc         Configuration Files
/home        User Home Directories
/lib         Shared Libraries and Kernel Modules
/proc        System Information Virtual File System
/mnt         Mount Point for Temporarily Mounted FS
/root        root User Home Directory
/sbin        Essential System Binaries
/tmp         Temporary Files
/usr         Shareable, Read-Only Files (programs, libraries, documentation)
/var         Non-Shareable, Variable Files (logs, spools, caches)
Session 2
        Installing Linux
   Hardware Requirements
   Harddisk Partitioning
   Boot Loader
   Install Packages
   X Configuration

Overview of the Installation Process
1.   Starting the installation process
        Installation Mode
        Language
        Keyboard
        Mouse
2.   Partitioning
3.   Boot Loader Installation
4.   Network Configuration
5.   Setting the time zone
6.   Firewall Configuration
7.   Specifying authentication options (optional)
8.   Specifying user accounts
9.   Selecting packages
10.  Installing packages
11.  Creating a boot disk
12.  Configuring the X Window System (optional)
Installing Linux: Consoles & Message Logs
Console   Keystrokes    Contents
1         Ctrl+Alt+F1   Text-based installation procedure
2         Ctrl+Alt+F2   Shell prompt
3         Ctrl+Alt+F3   Messages from installation program
4         Ctrl+Alt+F4   Kernel messages
5         Ctrl+Alt+F5   Other messages, including file system creation messages
7         Ctrl+Alt+F7   Graphical installation procedure
Configuring Install-Time Options after Installation
   kbdconfig       authconfig
   mouseconfig     ntsysv
   timeconfig      setup
   sndconfig       redhat-config-…
   netconfig
Session 3
SHELL
   bash (Bourne Again Shell)
   ash                  sach
   tcsh                 mc
Some Important BASH Variables
   PATH           SHELL               PS1       PS2
PS1, PS2 Prompt Escape Sequences
   \u , \h , \W , \d , \t , \s , \$ , $
Some Linux Commands (1)
   echo       man         help      info       ls
   cat        tac         cp        mv         rm
   cd         touch       pwd       mkdir      rmdir
   clear      alias       less      date       logout
   exit       reboot      halt
Session 4
BASH
• TAB key Features
• Review Pages & Commands

Quoting in BASH:
   "value"        'value'           `value`

Redirection Operators:
   >          >>         |         <<   <

Standard Input & Standard Output:
   stdin                 0
   stdout                1
   stderr                2
Important Command Forms
   cmd                      run in the foreground
   cmd &                    run in the background (fg, ctrl+z, bg)
   cmd1 ; cmd2              run in sequence
   (cmd1 ; cmd2)            run in sequence in a subshell
   cmd1 `cmd2`              substitute the output of cmd2 into the arguments of cmd1
   cmd1 | cmd2              pipe the stdout of cmd1 into the stdin of cmd2
   cmd1 && cmd2             run cmd2 only if cmd1 succeeds (exit status 0)
   cmd1 || cmd2             run cmd2 only if cmd1 fails
   { cmd1 ; cmd2; }         group in the current shell (the closing ; is required)
Linux File Types
   Normal             -   Normal file
   Directories        d   Normal directory
   Hard link          -   Another name for the same file (inode); shows as a normal file
   Symbolic link      l   Shortcut to a file or directory
   Socket             s   Pass data between 2 processes
   Named pipe         p   Like sockets; the user can't work with them directly
   Character device   c   Character-oriented hardware communication
   Block device       b   Major & minor numbers for controlling the device
Bash Special Variables
$#   Number of arguments given to the command
$?   Exit status of the last command executed
$$   Process ID (PID) of the current shell
$!   PID of the last background (child) process
$@   All arguments, individually quoted ("$1" "$2" ...)
$*   All arguments quoted as a whole ("$1 $2 ...")
$n   Positional argument value, where n is the position
$0   Name of the current shell or script
Some Linux Commands (2)
   Process Text Streams
      sort, cut, head, tail, split, wc, uniq, grep
   Redirecting a Command's Output
      tee
   Create, Monitor & Kill Processes
      ps, pstree, top, kill, killall
   Modify Process Priority (renice)
Session 5
Some Linux Commands (3)
   Create Partitions and Filesystems
      fdisk, mke2fs, mkfs.*
   Maintain the Integrity of Filesystems
      e2fsck, fsck.*, du, df
   Filesystem Mounting & Unmounting
      mount, umount, /etc/fstab
Some Linux Commands (4)
   Use File Permissions
      chmod, chown, chgrp, su
   Create Hard & Symbolic Links (ln)
   Find System Files (find, locate, which)
   Using Emergency & Single User Mode
'vi' Powerful Text Editor
   Insert Mode
      • Insert Text
   Normal Mode
      • dd, n+dd      (Delete)
      • yy, n+yy      (Copy)
      • p             (paste after the cursor)
      • P             (Paste before the cursor)
      • /             (Search)
      • v (Visual)    (Text Selection)
   Command Mode
      • :w            • :q!
      • :q            • :r
      • :wq = :x      • :s///
Session 6
Run Levels
Run Level    Definition
    0        Halts the system
    1        Single-user mode
    2        Multiuser mode without networking
    3        Multiuser mode with networking
    4        Not used
    5        Multiuser mode with X-based login
    6        Reboots the system

   init & chkconfig Commands
   /etc/inittab
   /etc/rc.d/init.d & /etc/rc[0123456].d/
Configuring the Boot Loader
   LILO
      Edit /etc/lilo.conf & execute the 'lilo' command
   GRUB
      Edit /boot/grub/grub.conf
Administrative Tasks
   Manage Users, Groups & Related Files
      useradd, userdel, groupadd, groupdel, passwd, vipw, vigr
      /etc/passwd, /etc/shadow, /etc/skel, /etc/profile, …
   Configure and use system log files
      /etc/syslog.conf, /etc/logrotate.conf
   Scheduling Jobs (at & crontab commands)
   Backup & Restore Tools
      tar, bzip2, gzip
Session 7
Linux Installation and Package Management
   Make and Install Programs from Source
   RPM (Red Hat Package Manager)
Kernel
   About the Kernel and Loadable Modules
   Manage Kernel Modules at Runtime (/etc/modules.conf)
   Reconfigure, Build and Install a Custom Kernel
Session 8
Shell Scripts
   #   Comments
   #!  Special Comment (interpreter line)

   Assign a Value
      x=y            x='$y'          (single quotes: no expansion, x holds the literal $y)
      x=${y}         x=\$y           (escaped: x holds the literal $y)
      x=$y           export x y z
      x=${y}es       export x=$y
      x=$yes                         (expands the variable named yes, not $y followed by es)
Shell Scripts
   Control Constructs
      'read' command
      'test' command     ([ ])
      if …; then …; else …; fi
      case … in pattern) …;; esac
      while …; do …; done
      until …; do …; done
      for x in …; do …; done
      break, continue, exit (for, while, until)
Session 9
Installing and Configuring X
Basic X Concepts
   X Client
   X Server
   X Protocol
   X Window Manager
   X Desktop Manager
   X Display Manager
Installing X
1.   Determine the proper X server
2.   Install the proper packages
X Server Selection
   XFree86-*

Installing the Packages
   freetype                   XFree86-xfs
   gtk+                       XFree86-xdm
   XFree86-libs               XFree86-twm
   XFree86-75dpi-fonts        XFree86-tools
   redhat-config-xfree86      xinitrc
Configuring X
   redhat-config-xfree86
   xvidtune
Important X Directories & Files
   /usr/X11R6/bin
   /etc/X11
   /etc/X11/XF86Config
Configure and Use PPP
   'redhat-config-network-tui' Command in Text Mode
   Modem Configuration Files
   kppp Command in X Window
Session 10
Network Basics
   IP (network & host portion)      Static IP / Dynamic IP
      192.168.168.1   : 11000000.10101000.10101000.00000001
   Netmask Address
      255.255.255.0   : 11111111.11111111.11111111.00000000
   Network Address
      192.168.168.0   : 11000000.10101000.10101000.00000000
   Broadcast Address
      192.168.168.255 : 11000000.10101000.10101000.11111111
Classful Addressing System
   Network Classes
      Class A 1.0.0.0-126.0.0.0     (8-bit network part)
      Class B 128.0.0.0-191.0.0.0   (16-bit network part)
      Class C 192.0.0.0-223.0.0.0   (24-bit network part)
   Reserved IP
      127.0.0.0-127.255.255.255     (Loopback Addr.)
      224.0.0.0-239.255.255.255     (Multicast Protocols)
      240.0.0.0-255.255.255.255     (reserved, not used)
   Public & Private Networks (Valid & Invalid IPs)
      10.0.0.0-10.255.255.255
      172.16.0.0-172.31.255.255
      192.168.0.0-192.168.255.255
Classless Addressing System (Subnet)
Net. Addr.: 192.168.168.0 = 11000000.10101000.10101000.00000000
Netmasks:
255.255.255.0   (/24) : 11111111.11111111.11111111.00000000
255.255.255.128 (/25) : 11111111.11111111.11111111.10000000
255.255.255.192 (/26) : 11111111.11111111.11111111.11000000
255.255.255.224 (/27) : 11111111.11111111.11111111.11100000
255.255.255.240 (/28) : 11111111.11111111.11111111.11110000
255.255.255.248 (/29) : 11111111.11111111.11111111.11111000
255.255.255.252 (/30) : 11111111.11111111.11111111.11111100
255.255.255.254 (/31) : 11111111.11111111.11111111.11111110
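As an added example (not from the original slides), the functions below do the netmask, network and broadcast arithmetic of the last two slides in plain shell arithmetic, and go one step further by also classifying an address per the classful slide and testing the RFC 1918 private ranges listed there. The addresses in the demonstration loop are taken from the slides' own 192.168.168.0 network; everything else is an assumption of this example.

```bash
#!/bin/bash
# Added example: compute netmask, network and broadcast addresses for a CIDR
# prefix using only shell arithmetic (reproducing the slides' 192.168.168.x
# figures), plus the classful class and RFC 1918 private-range checks.
# Uses only constructs shared by bash and POSIX sh (local is supported by both).

# ip_to_int 192.168.168.1 -> 3232278529
ip_to_int() {
    local IFS=.
    set -- $1                       # split the dotted quad on "."
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232278529 -> 192.168.168.1
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_int 26 -> 4294967232 (a 32-bit word with the top 26 bits set)
mask_int() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# mask_from_prefix 26 -> 255.255.255.192
mask_from_prefix() {
    int_to_ip "$(mask_int "$1")"
}

# subnet_info ADDR/PREFIX
# Prints: network=N/P broadcast=B netmask=M hosts=H
subnet_info() {
    local ip=${1%/*} prefix=${1#*/}
    local addr mask net bcast hosts
    addr=$(ip_to_int "$ip")
    mask=$(mask_int "$prefix")
    net=$(( addr & mask ))                      # clear the host bits
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))     # set the host bits
    if [ "$prefix" -ge 31 ]; then
        # /31 (RFC 3021) and /32 have no separate network/broadcast addresses.
        hosts=$(( 1 << (32 - prefix) ))
    else
        hosts=$(( (1 << (32 - prefix)) - 2 ))
    fi
    echo "network=$(int_to_ip "$net")/$prefix broadcast=$(int_to_ip "$bcast") netmask=$(int_to_ip "$mask") hosts=$hosts"
}

# ip_class ADDR -> A, B, C, loopback, multicast or reserved (classful slide)
ip_class() {
    local first=${1%%.*}
    if   [ "$first" -eq 127 ]; then echo loopback
    elif [ "$first" -ge 1 ]   && [ "$first" -le 126 ]; then echo A
    elif [ "$first" -ge 128 ] && [ "$first" -le 191 ]; then echo B
    elif [ "$first" -ge 192 ] && [ "$first" -le 223 ]; then echo C
    elif [ "$first" -ge 224 ] && [ "$first" -le 239 ]; then echo multicast
    else echo reserved
    fi
}

# is_private ADDR -> exit 0 if ADDR is in 10/8, 172.16/12 or 192.168/16
is_private() {
    local n o1 o2
    n=$(ip_to_int "$1")
    o1=$(( n >> 24 )); o2=$(( (n >> 16) & 255 ))
    [ "$o1" -eq 10 ] ||
    { [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; } ||
    { [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ]; }
}

# Demonstration on the slides' network at three different prefix lengths.
for cidr in 192.168.168.1/24 192.168.168.100/26 10.1.1.2/30; do
    subnet_info "$cidr"
done
```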
TCP/IP Model (1)
   Application Protocols
   Transport Protocols
   Internet Protocols
   Network Access Protocols
TCP/IP Model (2)
   Network Access Protocols
      All functions necessary to access the physical network
   Internet Protocols
      IP   (Internet Protocol, connectionless)
      ICMP (Internet Control Message Protocol)
TCP/IP Model (3)
   Transport Protocols
      TCP (Transmission Control Protocol): connection-based
      UDP (User Datagram Protocol): connectionless
   Application Protocols
      Privileged Ports (0-1023)
      /etc/services
Types of TCP/IP Services
   Stand-alone
   xinetd (and its config)
Related TCP/IP Commands
   ps x
   netstat -ap --inet | grep LISTEN

Controlling TCP/IP Daemons
   Start the daemon
   Stop the daemon
   Restart the daemon
   Check the daemon's status
Session 11
Network Configuration
   Initializing Network Hardware
      Load the related module
   Network Configuration Tools
      netconfig
      redhat-config-network
Network Configuration
   Other Network Tools
•   ifconfig          •   tcpdump
•   ping              •   nmap
•   traceroute        •   tethereal
•   netstat           •   iptraf
Network Configuration
   Network Configuration Files
      /etc/hosts
      /etc/host.conf
      /etc/services
      /etc/resolv.conf
      /etc/sysconfig/network
      /etc/sysconfig/network-scripts/*
   IP Aliasing
Session 12
DHCP
   Advantages & disadvantages of DHCP
   DHCP Server Configuration
      /etc/dhcpd.conf
      /var/lib/dhcp/dhcpd.leases
   DHCP Client Configuration
      netconfig command
An Example of dhcpd.conf
ddns-update-style ad-hoc;
subnet 192.168.0.0 netmask 255.255.255.0 {
    # note: the router (.1) and the fixed address (.20) below fall inside this
    # dynamic range; in practice start the range above them (e.g. at .21) so
    # dhcpd cannot hand those addresses to other clients
    range 192.168.0.1 192.168.0.25;
    option routers             192.168.0.1;
    option subnet-mask         255.255.255.0;
    option domain-name         "domain.com";
    option domain-name-servers 192.168.1.1;
    default-lease-time 21600;
    max-lease-time     43200;
    # we want the nameserver to appear at a fixed address
    host dns1 {
        hardware ethernet 12:34:56:78:AB:CD;
        fixed-address 192.168.0.20;
    }
}
dhcpd.leases Format
lease 192.168.1.8 {
    starts 3 2004/04/12 09:34:12
    ends 6 2004/07/15 23:49:57
    hardware ethernet 00:09:e6:88:0a:05
}
...
NFS
   Related Daemons
      rpc.nfsd
      rpc.portmap
      rpc.mountd
   Installation
      nfs-utils
      portmap

August 2004
NFS Configuration
   Server Side
      Edit the /etc/exports file
         PATH             host_list(options)
      Run the 'exportfs -r' command
      'redhat-config-nfs' Command
   Client Side
      mount -t nfs server:PATH Mountpoint
      Edit the '/etc/fstab' file
         server:PATH   M.P.   nfs   ro   0   0
SAMBA (1)
   Related Services
      smbd
      nmbd
   Related Packages
      samba
      samba-common
      samba-client
SAMBA (2)
   Server Configuration
      Global Directives
      Service Directives
   Client Configuration
      smbmount //server/share /m.p.
      smbclient //server/share
   Configuration with SWAT
Session 13
TCP/IP Services
   (diagram: a client process bound to a port on the left, a server process with its ports on the right)
   1. Server binds to a port and listens
   2. Client binds to a port
   3. Client connects to the server
   4. Server designates a port for the connection
   5. Client and server communicate
Remote Login
   Telnet
      Server & Client
   SSH
      Server & Client
The Apache Web Server
   Modules
      mod_auth
      mod_info
      mod_php
      mod_include
      mod_perl
      mod_ssl
Installing Apache
   rpm -Uvh httpd-[^d]*.rpm
   rpm -Uvh httpd-devel*.rpm
      (for support of Apache modules)
Basic Configuration
   httpd.conf
      Section 1: The Global Environment
      Section 2: The Main Configuration
      Section 3: The Virtual Host Configuration
Apache Advanced Configuration
   Authentication in Apache
   Configure with PHP
   Configure with SSL
   Configure Virtual Host
Authentication in Apache
   Create the '/etc/httpd/.htpasswd' file
   Configure the 'httpd.conf' file

      <Location /dir_name>
        AuthType       Basic
        AuthName       "NAME"
        # a relative path is resolved against ServerRoot (/etc/httpd on Red Hat)
        AuthUserFile   ".htpasswd"
        Require        valid-user
      </Location>
Configure Apache with PHP
   rpm -Uvh php-4*.rpm

Configure Apache with SSL
   rpm -Uvh mod_ssl*.rpm
Configure Virtual Host
   Configure the '/etc/hosts' file
   Configure the 'httpd.conf' file

    <VirtualHost 127.0.0.2>
      ServerAdmin   webmaster@vh.com
      DocumentRoot  /var/www/html/vh/
      ServerName    www.vh.com
    </VirtualHost>
Apache Administration
   Start
   Stop
   Restart
   Reload
   Status
Troubleshooting Apache
   /var/log/messages
   /var/log/httpd/
   /usr/sbin/httpd -S
      (for virtual hosts)
Securing Your Network
   Using the 'lokkit' or 'redhat-config-securitylevel' Command
   Password & Physical Security
   Securing TCP/IP
   Using Tripwire
   Keeping Up-to-Date on Linux Security Issues
Session 14
FTP
   Installation
      rpm -ivh vsftp*.rpm
   Config File
      /etc/vsftpd/vsftpd.conf

   Access Levels
      Anonymous Access (anonymous_enable)
      User Access (requires tcp_wrappers)
Cache Server (Squid)
   Install squid
      rpm -ivh squid*.rpm

   Managing squid
      start, stop, restart, status, reload
Squid Log Files
   /var/log/squid/access.log   (cache_access_log)
   /var/log/squid/cache.log    (cache_log)
   /var/log/squid/store.log    (cache_store_log)
An Example of 'squid.conf'
http_port 8081
cache_effective_user squid
cache_effective_group squid
# "all" matches every source address; allowing it makes this an open proxy
# reachable by anyone who can connect to port 8081. Restrict the acl to your
# own network (e.g. a src 192.168.168.0/24 acl) unless the host is firewalled.
acl all src 0.0.0.0/0.0.0.0
http_access allow all
cache_dir ufs /cache 1024 16 32
visible_hostname ws1
Running Squid
   service squid start
   squid -d1 -z                          (create the cache directories first)
   squid -d1 -f /etc/squid/squid.conf
The Kinds of Proxies
   Upstream Proxy
      cache_peer yourproxy.com parent 3128 3130
      prefer_direct off

   Transparent Proxy
      httpd_accel_host virtual
      httpd_accel_port 80
      httpd_accel_with_proxy on
      httpd_accel_uses_host_header on
Session 15
Configuring a Linux Router
   Configuring the Kernel
      IP: advanced router
   Enable IP Forwarding
      Add 'net.ipv4.ip_forward=1' to /etc/sysctl.conf
      echo "1" > /proc/sys/net/ipv4/ip_forward
Types of Routes
   Static route
   Dynamic route
Components of Routing Rules
   Destination IP Address
   An Interface
   An Optional Gateway IP Address
Routing Command
   route add -net net_addr netmask mask_addr interface
   route add -host ip_addr interface
   route add default gateway ip_addr interface
An Example
   (network diagram; the Linux router has three interfaces)
   LAN 1 on eth0 (router address 192.168.1.1):
      A 192.168.1.2    B 192.168.1.3    C 192.168.1.4    D 192.168.1.5
   LAN 2 on eth1 (router address 192.168.100.1):
      E 192.168.100.2  F 192.168.100.3  G 192.168.100.4  H 192.168.100.5
   Uplink on eth2 (router address 10.1.1.1):
      Gateway 10.1.1.2 to the Internet
Related Rules
   route add -net 192.168.1.0 netmask 255.255.255.0 eth0
   route add -net 192.168.100.0 netmask 255.255.255.0 eth1
   route add -net 10.1.1.0 netmask 255.255.255.0 eth2
   route add default gateway 10.1.1.2 eth2
Result
Destination       Gateway     Genmask              Flags   Metric   Ref   Use   Iface
192.168.1.1       *           255.255.255.255      UH      0        0     0     eth0
192.168.100.1     *           255.255.255.255      UH      0        0     0     eth1
10.1.1.1          *           255.255.255.255      UH      0        0     0     eth2
192.168.1.0       *           255.255.255.0        U       0        0     0     eth0
192.168.100.0     *           255.255.255.0        U       0        0     0     eth1
10.1.1.0          *           255.255.255.0        U       0        0     0     eth2
0.0.0.0           10.1.1.2    0.0.0.0              UG      0        0     0     eth2
127.0.0.0         *           255.0.0.0            U       0        0     0     lo

   U: Network link is up      H: Dest. Addr. refers to a host      G: Gateway
Electronic Mail (Sendmail)
How Email Is Sent and Received
   (diagram: user1@mail1.com hands the message to the mail1 MTA, which relays it to the mail2 MTA, which delivers it to user2@mail2.com)
Concepts
   MTA : Mail Transport Agent
   SMTP (server-to-server) : Simple Mail Transport Protocol
   POP (Mail Access) : Post Office Protocol
   IMAP (Mail Access) : Interim Mail Access Protocol
   MDA : Mail Delivery Agent
   MUA : Mail User Agent
Advantages of Sendmail
   Long-established MTA
   Powerful MTA

Disadvantages of Sendmail
   Slow
   High load environment
   Cryptic configuration
MTAs
   Sendmail
   Postfix
   Exim
   Qmail

MUAs
   Evolution, Kmail (KDE)
   Balsa        (GNOME)
   Mozilla Mail
Required Packages
   sendmail
   sendmail-cf
   imap (Config xinetd)
      (contains IMAP & POP3)
Sendmail Configuration
   Configure the '/etc/mail/sendmail.mc' file
      LOCAL_DOMAIN(`example.com')dnl
   Run 'make -C /etc/mail/'
   Configure DNS
Email Aliases
   Edit the '/etc/aliases' file
      postmaster: joseph
   Run the 'newaliases' Command
Rejecting Email
   Edit the '/etc/mail/access' file
      spam.com     REJECT
      yahoo.com    OK
   service sendmail restart
Session 16
Where do I look?
   /etc/nsswitch.conf (name service switch)

t@localhost:~$ cat /etc/nsswitch.conf
hosts:          files dns
Files
   Search order determined by nsswitch.conf
   It is polite to have /etc/hosts first!

sjh@mccoy:~$ cat /etc/hosts
127.0.0.1         localhost
193.62.81.135     mccoy.tardis.ed.ac.uk   mccoy
193.62.81.134     baker.tardis.ed.ac.uk   baker
193.62.81.132     packages.tardis.ed.ac.uk packages
DNS Traversal
1.   Local files
2.   Local DNS server
3.   Item in cache?
4.   Root server, work your way down…
Resolving Names
Configuration Files for Local Host Name Resolution (important for testing)
   /etc/resolv.conf
   /etc/nsswitch.conf
   /etc/host.conf
DNS
   BIND – Berkeley Internet Name Domain
   Dents – buggy as hell (still in alpha?)
   Djbdns – Dan Bernstein's DNS server
   Banyan VINES – don't go there!
Named (pronounced "name-dee")
   /etc/named.conf:
      Defines the directory that holds the DNS config files
      Contains info about which zones we serve and where to find their config files
      Config file for named: tells us whether we are master / slave, allows or denies zone transfers, lists the IPs of the other master / slave servers, etc.
   <DNSROOT>/root.hints:
      Contains "pointers" to the Root Servers
   <DNSROOT>/127.0.0:
      Config for reverse lookup of the local host/subnet
   <DNSROOT>/<zone>:
      Config for the zone
   <DNSROOT>/<in-addr.arpa file>:
      Config for reverse lookup of your zone
A simple named.conf
## named.custom - custom configuration for bind
zone "." {
    type hint;
    file "root.lists";
};
options {
    directory "/var/named/";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "127.0.0";
};
zone "hq.alim.ir" {
    type master;
    file "hq.alim.ir";
};
zone "168.168.192.in-addr.arpa" {
    type master;
    file "192.168.168";
};
DNS Data
DNS databases contain more than just hostname-to-address records:
   SOA – Start Of Authority – it is the daddy!
   IN NS – Name Server
   IN MX – Mail eXchanger
   IN A – A record (Address record)
   IN CNAME – Canonical NAME
A simple zone file
@            IN  SOA   hq.alim.ir. root.hq.alim.ir. (
                       199609206   ; serial, today's date + today's serial #
                       8H          ; refresh, seconds
                       2H          ; retry, seconds
                       4W          ; expire, seconds
                       1D )        ; minimum, seconds
                 NS    hq.alim.ir.
                 MX    10 hq.alim.ir.   ; Primary Mail Exchanger
                 TXT   "Alim IT Center"
localhost        A     127.0.0.1
router           A     192.168.168.1
hq.alim.ir.      A     192.168.168.2
ns               A     192.168.168.3
www              A     207.159.141.192
ftp              CNAME hq.alim.ir.
mail             CNAME hq.alim.ir.
news             CNAME hq.alim.ir.
A simple in-addr.arpa file
$TTL 3D
@       IN    SOA hq.alim.ir. root.hq.alim.ir. (
                  1996092006   ; Serial (YYYYMMDDnn)
                  28800        ; Refresh
                  7200         ; Retry
                  604800       ; Expire
                  86400 )      ; Minimum TTL
              NS    hq.alim.ir.
;     Servers
1       PTR   router.hq.alim.ir.
2       PTR   hq.alim.ir.
2       PTR   funn.hq.alim.ir.    ; a second PTR for .2 is legal, but most tools expect exactly one
;     Workstations
200     PTR   ws-177200.hq.alim.ir.
201     PTR   ws-177201.hq.alim.ir.
202     PTR   ws-177202.hq.alim.ir.



                                                       118
               Forward DNS
   hq.alim.ir (as per /etc/named.conf)

   SOA: Start Of Authority, the record at the top of the zone
   IN NS: Name Server
   IN MX: Mail eXchanger
   IN A: Address record
   IN CNAME: Canonical NAME (alias)


                                                  119
              Reverse DNS
   192.168.168 (as per /etc/named.conf)
 SOA
 IN NS

 IN PTR – Pointer




                                           120
         DNS Round Robin
   Load distribution through a DNS trick: several A records
    for one name; the server rotates their order in every answer
   Not real fault tolerance: DNS does not know that a host is
    down, so a dead address keeps being handed out until you remove
    its record, and resolvers cache the answer for the TTL (60 s here)

www.teviot.com.   60   IN   A   10.0.1.100
www.teviot.com.   60   IN   A   10.0.2.100
www.teviot.com.   60   IN   A   10.0.3.100



                                       121
           Common Mistakes
   Forgetting to increment the serial number (secondaries never pick up the change)
   CNAME pointing at another CNAME, or an MX/NS pointing at a CNAME
   Forgetting the trailing "." on fully qualified names (the origin gets appended)
   Underscores in hostnames (not valid in host names, only in labels such as the SRV prefixes)
   Forgetting to reload the daemon after editing the zone
   Version control issues: two people editing the same file clobber each other's changes
   TTL issues: long TTLs make a change slow to propagate; lower the TTL well before a planned move

                                                 122
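An added example, not part of the course slides, that automates two of the checks above before named is reloaded: computing the next YYYYMMDDnn serial, and catching CNAME records that point at another CNAME or MX/NS records that point at a CNAME. It is plain POSIX sh plus awk so it runs on a stock Red Hat box. The zone origin is passed explicitly because the files above carry no $ORIGIN; the zone the demo lints is a constructed one, using the hq.alim.ir names from the slides plus two deliberate bugs, not the zone file above.

```shell
#!/bin/sh
# Added example (not from the course slides): catch two of the "common
# mistakes" before reloading named. POSIX sh + awk only.
# Assumptions: one record per line, as in the sample zone file; the zone's
# origin is passed in explicitly because the file itself has no $ORIGIN.

# next_serial CURRENT [TODAY]
# Prints the next serial in the YYYYMMDDnn convention. TODAY (YYYYMMDD) is a
# parameter so the result is reproducible; it defaults to the real date.
# The result is always greater than CURRENT, even if CURRENT is "ahead" of
# today (e.g. someone once typed a bogus future serial).
next_serial() {
    cur=$1
    today=${2:-$(date +%Y%m%d)}
    case $cur in
        ''|*[!0-9]*) echo "next_serial: bad serial '$cur'" >&2; return 1 ;;
    esac
    if [ "$cur" -ge "${today}01" ]; then
        echo $((cur + 1))          # same day (or future serial): just bump
    else
        echo "${today}01"          # first change today
    fi
}

# zone_lint FILE ORIGIN
# Prints one line for every NS, MX or CNAME record whose target is itself a
# CNAME owner (RFC 1034/2181 forbid that; chained CNAMEs and MX->CNAME are
# the classic symptoms). Exit status 1 if anything was flagged.
zone_lint() {
    awk -v origin="$2" '
    # make a name absolute relative to the zone origin
    function fqdn(n) {
        if (n == "@") return origin "."
        if (n ~ /\.$/) return n
        return n "." origin "."
    }
    # find the record type on this line and the name it points at
    function parse(   i) {
        type = ""; target = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(SOA|NS|MX|A|CNAME|PTR|TXT)$/) { type = $i; break }
        if (type == "CNAME" || type == "NS") target = $(i + 1)
        if (type == "MX")                     target = $(i + 2)
    }
    FNR == 1 { last = "" }
    {
        sub(/;.*/, "")                        # strip comments
        if (NF == 0 || $0 ~ /^[$]/) next      # blank lines, $TTL and friends
        if ($0 ~ /^[ \t]/) owner = last       # indented: same owner as before
        else { owner = $1; last = $1 }
        parse()
        if (type == "") next
        if (NR == FNR) {                      # pass 1: collect CNAME owners
            if (type == "CNAME") cname[fqdn(owner)] = 1
            next
        }
        if (target != "" && (fqdn(target) in cname)) {   # pass 2: check targets
            printf "%s %s -> %s: target is a CNAME\n", fqdn(owner), type, target
            bad++
        }
    }
    END { if (bad > 0) exit 1 }
    ' "$1" "$1"
}

# demo: run both checks on a constructed zone that contains the two bugs
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
$TTL 1D
@       IN SOA hq.alim.ir. root.hq.alim.ir. (
            2011020201 ; serial
            8H 2H 4W 1D )
        NS  ns
        MX  10 mail          ; BUG: mail is a CNAME
ns      A   192.168.168.3
@       A   192.168.168.2
ftp     CNAME hq.alim.ir.
mail    CNAME ftp            ; BUG: CNAME chained to a CNAME
EOF
    echo "next serial after 2011020201 on 2011-02-02: $(next_serial 2011020201 20110202)"
    zone_lint "$tmp" hq.alim.ir
    rc=$?
    rm -f "$tmp"
    return $rc
}

case "${1:-}" in --demo) demo ;; esac
```

Run it as `sh zonecheck.sh --demo` to see both findings, or call `zone_lint /var/named/hq.alim.ir hq.alim.ir` from whatever script edits the zone, and only reload named when it exits 0. The serial helper is deliberately monotonic rather than "today + 01" so a secondary that already holds a larger serial still transfers the new data.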
                     Test Tools
 nslookup
 dig
       dig mail.hq.alim.ir
       dig -x 192.168.168.2
       dig @hq.alim.ir 168.168.192.in-addr.arpa. AXFR
          Asks that server for a full zone transfer. From a host that is
          not listed in allow-transfer this must fail ("Transfer failed.");
          if it succeeds from anywhere, the named.conf is too permissive.
   whois

   http://www.squish.net/dnscheck/
       James Ponder's DNS check web page

                                             123
         Session 17




 RHCE
Red Hat Certified Engineer




          M. A. Agheli
                             124
               Firewall
      Required Properties:
   Control
     Allow only the packets you want to pass through
   Security
     Reject packets from malicious outsiders
   Watchfulness
     Log packets to/from the outside world




                                               125
        Firewall Types
   Packet Filtering
     Stateful (tracks connections: iptables with the state match)
     Stateless (judges every packet on its own: ipchains)
   Proxy-Based Firewall



                                       126
Packet Filter under Linux
       1st generation
         ipfw (ported from BSD)
       2nd generation
         ipfwadm (Linux 2.0)
       3rd generation
         ipchains (Linux 2.2)
       4th generation
         iptables / netfilter (Linux 2.4 & 2.6)

                                     127
                 Installing Iptables
   Kernel support for iptables (netfilter):
        Networking Options -> TCP/IP Networking -> Network Packet Filtering
        Networking Options -> TCP/IP Networking -> IP: advanced router -> *
        Networking Options -> IP: Netfilter Configuration -> *
     For traffic control (needed by the CBQ shaping in the next session):
        Networking Options -> QoS and/or fair queueing -> *

   The user-space tool:
   # rpm -ivh \
    iptables-1.2.6a-2.i386.rpm

                                                                              128
             Chains of the filter Table
   INPUT
     Packets addressed to this system
   OUTPUT
     Packets generated by this system
   FORWARD
     Packets routed through this system from one
     network to another (needs ip_forward enabled)

                                                129
   packet in --> Routing decision ----> FORWARD chain ----> packet out
                       |
                       v
                  INPUT chain
                       |
                       v
                 Local process
                       |
                       v
                 OUTPUT chain -------------------------> packet out
                                     130
1.       When a packet comes in, the kernel first looks at the
         destination of the packet: this is the routing decision.
2.       If it is destined for this box
     •     it passes downwards in the diagram
     •     to the INPUT chain
             If the chain accepts it, the local process waiting for that
             packet receives it.
         Otherwise go to step 3
                                                                         131
3. If forwarding is not enabled (/proc/sys/net/ipv4/ip_forward = 0),
   a packet that is not for this box is dropped without ever
   reaching a chain.
    If forwarding is enabled and the packet is destined for another network
    interface, it goes rightwards in the diagram to the FORWARD chain.

    If that chain accepts it, it is sent out.

4. Packets generated by a local process go straight to the
   OUTPUT chain.
    If that chain accepts them, they are sent out.




                                                                                 132
Packet Status in
   Iptables (connection-tracking states, matched with -m state --state ...)
    NEW: first packet of a connection (e.g. a TCP SYN)
    ESTABLISHED: belongs to a connection that has seen traffic in both directions
    RELATED: a new connection tied to an existing one (an FTP data channel, an ICMP error)
    INVALID: cannot be matched to any known connection; normally dropped
                   133
Results of Packet Checking (targets, given with -j)
        ACCEPT: let the packet through
        DROP: discard it silently (the sender sees a timeout)
        REJECT: discard it and send an error back (ICMP unreachable or a TCP RST)
        …

                         134
Tables of Iptables

      Filter
      NAT
      Mangle


                     135
The Path of a Packet in Iptables

   Network
     |
     v
   mangle PREROUTING
     |
     v
   nat PREROUTING  (Destination NAT)
     |
     v
   Routing decision
     +----------------------------------+
     | for this host                    | for another host
     v                                  v
   mangle INPUT                       mangle FORWARD
     |                                  |
     v                                  v
   filter INPUT                       filter FORWARD
     |                                  |
     v                                  |
   Local process                        |
     |                                  |
     v                                  |
   Routing decision                     |
     |                                  |
     v                                  |
   mangle OUTPUT                        |
     |                                  |
     v                                  |
   nat OUTPUT                           |
     |                                  |
     v                                  |
   filter OUTPUT ---------------------->+
                                        |
                                        v
                                      mangle POSTROUTING
                                        |
                                        v
                                      nat POSTROUTING  (Source NAT, based on the routing decision)
                                        |
                                        v
                                      Network
                                                                              136
         Tables of Chains

   table     INPUT   OUTPUT   FORWARD   PREROUTING   POSTROUTING
   mangle      *       *        *          *             *
   nat         -       *        -          *             *
   filter      *       *        *          -             -



                                                  137
Building a Rule source/destination

   iptables -s 200.200.200.1
     Matches packets from a specific IP address
     The "-s" refers to the source of the packet, where the
      packet is coming from.
     A corresponding "-d" refers to the destination, where
      the packet is going to.



                                                          138
             Building a Rule Action
       iptables -s 200.200.200.1 -j DROP
           The "-j" (jump) names the target: what happens to a packet
            that matches the rule (ACCEPT, DROP, REJECT, LOG, a user-defined chain, ...)

                  Building a Rule
                 IP address ranges
   iptables -s 200.200.200.0/24 -j DROP
     Matches every address 200.200.200.*
     The "/24" is the prefix length: the number of leading bits that are
      fixed, counting from the left.
                                                         139
                Other Actions
   REDIRECT
     Rewrites the destination to a port on this host (nat table only, e.g. to a transparent proxy)
   LOG
     Writes matching packets to the kernel log and then continues with the next rule
   RETURN
     Leaves a user-defined chain and resumes in the chain that called it


                                             140
                    Building a Rule
                appending rules to chains
   iptables -A INPUT -s 200.200.200.1 -j DROP
     The "-A" appends the rule to the end of a chain
     "INPUT" names the chain (in the filter table, the default when no -t is given)

     This command makes your system ignore all packets
      from 200.200.200.1
   iptables -A OUTPUT -d 200.200.200.1 -j DROP
       This command stops your system from sending packets to
        200.200.200.1


                                                                     141
                    Building a Rule
              only blocking some packets
   iptables -A INPUT -s 200.200.200.1 -p tcp --destination-port telnet -j DROP
       The "-p" specifies the protocol: tcp, udp or icmp
       "--destination-port" is the port the packet is going to
            You can use the service name (from /etc/services) or the port number
                  Could use 23 in this example
            Keep in mind that the source port is very different from the destination port.
             In this example the inbound packet is going to your telnet server. The
             telnet client that is sending it could be using any source port.
            --dport == --destination-port
            --sport == --source-port



                                                                                   142
                    Building a Rule
               multiple network interfaces
   Assume your machine has two interfaces. One to a LAN named
    eth0 and the other to the Internet named ppp0

   iptables -A INPUT -p tcp --dport telnet -i ppp0 -j DROP
       The "-i" option matches the interface the packet came in on
            There is also a "-o" option for the outgoing interface; it is
             valid only in the OUTPUT, FORWARD and POSTROUTING chains

   iptables -A INPUT -p tcp --dport telnet -i eth0 -j ACCEPT

   Together these rules accept telnet requests from the LAN but
    block telnet requests from the Internet. With the default INPUT
    policy of ACCEPT the second rule is redundant; it matters once the
    policy is DROP.


                                                                   143
     Building a Rule Chain Policies
   iptables -P FORWARD ACCEPT
       The "-P" option followed by a built-in chain name and a target
        sets the default policy of the chain. If no rule in the
        chain matches, this default action is taken. The policy must
        be ACCEPT or DROP (REJECT is not allowed as a policy).
   A common starting point is
     INPUT = ACCEPT
     OUTPUT = ACCEPT
     FORWARD = DROP  (DENY is the old ipchains name for it)
   For a host that faces the Internet, INPUT = DROP with explicit ACCEPT
    rules (as in the example at the end of this session) is the safer choice.



                                                             144
                 Building a Rule
              Adding Rules to Chains
   iptables -A INPUT -s 200.200.200.1 -j DROP
       Appends the rule to the end of the chain
   iptables -I INPUT 3 -s 200.200.200.1 -j DROP
       Inserts the rule as rule 3 in the chain, moving all following rules
        down by 1
   iptables -R INPUT 3 -s 200.200.200.1 -j DROP
       Replaces rule 3 in the chain
   iptables -D INPUT 3
       Deletes rule 3 in the chain (check the numbers first with
        iptables -L INPUT -n --line-numbers; they shift after every change)

                                                                          145
 Operations to manage whole
           chains
-N   Create a new user-defined chain

-X   Delete an empty user-defined chain

-P   Change the policy for a built-in chain

-L   List the rules in a chain (add -n -v --line-numbers for
     numeric addresses, counters and rule numbers)

-F   Flush the rules out of a chain

-Z   Zero the packet and byte counters on all
     rules in a chain
                                                146
Manipulate rules inside a chain

-A    Append a new rule to a chain

-I    Insert a new rule at some position in a chain

-R    Replace a rule at some position in a chain

-D    Delete a rule at some position in a chain

-D    Delete the first rule that matches in a chain
      (give the rule specification instead of a number)

                                                   147
                          An Example

   Firewall host 192.168.1.1 with two interfaces:
       eth1: Internet
       eth0: LAN
   Web server and SSH server: accessible ONLY via the LAN

   LAN hosts:   192.168.1.5        192.168.1.6        192.168.1.7
               GW: 192.168.1.1    GW: 192.168.1.1    GW: 192.168.1.1



                                                                     148
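An added example, not from the course, that turns the diagram above into a complete rule set. Assumptions, because the diagram does not say: the web and SSH servers run on the firewall host itself; eth0 is the LAN side (192.168.1.0/24) and eth1 the Internet side; and the LAN hosts, which use 192.168.1.1 as gateway, reach the Internet through masquerading in the nat table. The rules are printed in iptables-restore format rather than typed as a series of iptables -A commands, so the whole set can be reviewed as a file and loaded atomically instead of leaving the box half-configured if one command fails.

```shell
#!/bin/sh
# Added example (not from the course slides): the rule set for the network
# above, emitted in iptables-restore(8) format. Assumptions (the diagram is
# ambiguous): the web and SSH servers run on the firewall host itself;
# eth0 faces the LAN 192.168.1.0/24, eth1 faces the Internet; the LAN hosts
# (GW 192.168.1.1) need masquerading to reach the Internet.

LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24

# fw_rules: print the complete rule set. Order matters: the first rule that
# matches decides, so the cheap stateful ACCEPT comes first and the LOG rule
# sits last, just before the chain's DROP policy takes over.
fw_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections we already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# web and SSH: only from the LAN interface AND a LAN source address,
# so a 192.168.1.x packet arriving on $WAN_IF (spoofed) is still dropped
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
# everything else is logged (rate-limited) and falls through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
# LAN -> Internet: new connections out, only replies back in
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# source NAT for the private LAN on the way out (nat POSTROUTING in the
# packet-path diagram of this session)
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# chain_rules CHAIN: the rules of one chain, in match order, for review
chain_rules() { fw_rules | grep "^-A $1 "; }

# apply_rules [-t]: load atomically (all or nothing, unlike a series of
# iptables -A calls). With -t a recent iptables-restore only parses the
# file, which is a useful dry run. Applying needs root.
apply_rules() { fw_rules | iptables-restore "$@"; }

case "${1:-}" in
    --show)  fw_rules ;;
    --test)  apply_rules -t ;;
    --apply) apply_rules && echo 1 > /proc/sys/net/ipv4/ip_forward ;;  # FORWARD needs ip_forward
esac
```

`sh fw.sh --show` prints the set for review, `--test` parses it without touching the kernel, `--apply` loads it and turns on forwarding. Note what the DROP policy on INPUT buys compared with the slides' ACCEPT default: a service started by mistake on the firewall is unreachable from the Internet until someone writes a rule for it, and the LOG rule shows you who tried.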
         Session 18




  RHCE
Red Hat Certified Engineer


Advanced
          M. A. Agheli
                             149
Traffic Shaping (CBQ)
   /etc/rc.d/init.d/cbq.init
    (http://ovh.dl.sourceforge.net/sourceforge/cbqinit/cbq.init-v0.7.3)

   Install the 'shapecfg' RPM

   One file per traffic class in /etc/sysconfig/cbq/, named
    cbq-<classid>.<name> with class ids 0002-FFFF

   /etc/rc.d/init.d/cbq.init start
                                                                          150
    Sample of CBQ
     Configuration
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
PRIO=5
RULE=:21,192.168.1.0/24

   DEVICE: interface, its bandwidth, its weight
   RATE: bandwidth allotted to this class (no space before the unit)
   PRIO: priority of the class, 1 = highest, 8 = lowest
   RULE: traffic from source port 21 (FTP control) to the 192.168.1.0/24 network


                           151
The End
 Good Luck



             152

				
Document info: posted 12/2/2011, English, 151 pages