RHCE (Red Hat Certified Engineer)
Session 1
M. A. Agheli
History of UNIX & Linux
• 1957: Bell Labs found they needed an operating system for the machines on which they were running batch jobs.
• 1965: Bell Labs, together with MIT and GE, begin Multics (Multiplexed Information and Computing Service).
• 1969: Summer 1969, UNIX is developed at AT&T Bell Labs.
• 1975: Sixth Edition of UNIX released, May 1975.
• 1983: GNU project announced (the Free Software Foundation follows in 1985).
• 1991: Linux is introduced by Linus Benedict Torvalds, then a second-year Computer Science student at the University of Helsinki.
• 1993: NetBSD and FreeBSD released.
• 1994: Red Hat Linux is introduced.
First Announcement of Linux (Usenet post)
From: torvalds@klaava.Helsinki.FI (Linus Benedict Torvalds)
Newsgroups: comp.os.minix
Subject: What would you like to see most in minix?
Summary: small poll for my new operating system
Message-ID: <1991Aug25.205708.9541@klaava.Helsinki.FI>
Date: 25 Aug 91 20:57:08 GMT
Organization: University of Helsinki

Hello everybody out there using minix -

I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones. This has been brewing
since april, and is starting to get ready. I'd like any feedback on
things people like/dislike in minix, as my OS resembles it somewhat
(same physical layout of the file-system (due to practical reasons)
among other things). I've currently ported bash(1.08) and gcc(1.40), and
things seem to work. This implies that I'll get something practical within a
few months, and I'd like to know what features most people would want.
Any suggestions are welcome, but I won't promise I'll implement
them :-)

Linus (torvalds@kruuna.helsinki.fi)

PS. Yes - it's free of any minix code, and it has a multi-threaded fs.
It is NOT portable (uses 386 task switching etc), and it probably never
will support anything other than AT-harddisks, as that's all I have :-(.
GNU & GPL
GNU Project: focused on creating a Unix-like operating system that could be freely distributed.
GPL: the GNU General Public License, a "copyleft" license: derived works must be distributed under the same terms.
Major Linux Distributors
• Caldera Linux
• Corel Linux
• Debian Linux
• Kondara Linux
• Red Hat Linux
• Mandrake Linux
• Slackware Linux
• SuSE Linux
• Turbo Linux
• Vector Linux
The Advantages of Linux
• Low purchase cost
• Open Source Software (OSS)
• UNIX heritage
• Multi-user
• Scalability
• Vendor support
• Reliable uptime
• Security
• Logging system
• …
The Disadvantages of Linux
• Steep learning curve
• Hardware support
• End-user applications
A Comparison of Win 9x, NT and Linux

Feature                  Win 9x     Win NT   Linux
Scalability              Poor       Good     Good
Desktop App. Support     Excellent  Good     Good
Enterprise App. Support  None       Good     Good
Hardware Support         Excellent  Good     Good
Licensing Cost           Good       Poor     Excellent
Network Performance      Good       Good     Excellent
Security                 Poor       Good     Good
Linux Filesystem Hierarchy
/bin    Essential binaries
/boot   Boot loader files and the kernel
/dev    Device files
/etc    Configuration files
/home   User home directories
/lib    Shared libraries and kernel modules
/mnt    Mount point for temporarily mounted filesystems
/proc   Virtual filesystem exposing kernel and process information
/root   Home directory of the root user
/sbin   Essential system binaries
/tmp    Temporary files (world-writable, sticky bit set)
/usr    Shareable, read-only data: installed programs, libraries, documentation
/var    Variable data that is not shared between hosts: logs, spools, caches
Session 2
Installing Linux
• Hardware requirements
• Hard disk partitioning
• Boot loader
• Install packages
• X configuration
Overview of the Installation Process
1. Starting the installation process: installation mode, language, keyboard, mouse
2. Partitioning
3. Boot loader installation
4. Network configuration
5. Setting the time zone
6. Firewall configuration
7. Specifying authentication options (optional)
8. Specifying user accounts
9. Selecting packages
10. Installing packages
11. Creating a boot disk
12. Configuring the X Window System (optional)
Installing Linux: Consoles & Message Logs

Console  Keystrokes   Contents
1        Ctrl+Alt+F1  Text-based installation procedure
2        Ctrl+Alt+F2  Shell prompt
3        Ctrl+Alt+F3  Messages from the installation program
4        Ctrl+Alt+F4  Kernel messages
5        Ctrl+Alt+F5  Other messages, including filesystem creation messages
7        Ctrl+Alt+F7  Graphical installation procedure
Configuring Install-Time Options after Installation
• kbdconfig
• mouseconfig
• timeconfig
• sndconfig
• netconfig
• authconfig
• ntsysv
• setup
• redhat-config-…
Session 3
SHELL
• Shells: bash (Bourne Again Shell), ash, tcsh, sach, mc
• Some important BASH variables: PATH, SHELL, PS1, PS2
• PS1/PS2 prompt escapes: \u (user name), \h (host name), \W (basename of the working directory), \d (date), \t (time), \s (shell name), \$ (prints $ for a normal user and # for root)
Some of Linux Commands (1)
• echo, man, help, info, ls
• cat, tac, cp, mv, rm
• cd, touch, pwd, mkdir, rmdir
• clear, alias, less, date, logout
• exit, reboot, halt
Session 4
BASH
• TAB key features (completion)
• Review pages & commands
• Quoting in BASH: "value" (variables expand), 'value' (taken literally), `value` (command substitution)
• Redirection operators: >  >>  |  <  <<
• Standard streams and their file descriptors:
  stdin   0
  stdout  1
  stderr  2
Important Command Forms
cmd
cmd &               run in the background (fg, Ctrl+Z, bg)
cmd1 ; cmd2         run in sequence
(cmd1 ; cmd2)       run in a subshell
cmd1 `cmd2`         the output of cmd2 becomes arguments of cmd1
cmd1 | cmd2         stdout of cmd1 becomes stdin of cmd2
cmd1 && cmd2        run cmd2 only if cmd1 succeeds
cmd1 || cmd2        run cmd2 only if cmd1 fails
{ cmd1 ; cmd2 ; }   group in the current shell (the ";" before the closing brace is required)
Linux File Types

Type              ls flag  Description
Normal file       -        Regular file
Directory         d        Directory
Hard link         -        Another name for the same inode; shows as a regular file
Symbolic link     l        Shortcut (by path) to a file or directory
Socket            s        Passes data between two processes
Named pipe        p        Like a socket; users do not work with it directly
Character device  c        Character-oriented hardware communication
Block device      b        Block device; major & minor numbers select the driver and unit
Bash Special Variables
$#   Number of arguments given to the script or function
$?   Exit status of the last command that ran
$$   Process ID of the current shell
$!   Process ID of the last background (child) process
$@   All arguments, each one individually quoted when written as "$@"
$*   All arguments joined into a single word when written as "$*"
$n   Positional argument n
$0   Name of the current shell or script
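The quoting, redirection and special-variable slides above are easiest to understand by running them. The script below is an added example, not from the original slides; its inputs are constructed inline and the function names (show_args, pass_quoted, exit_status and so on) are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original slides). Demonstrates "$@" vs $*,
# $#, exit status, and stdout/stderr redirection with constructed inputs.

# Print each argument in brackets, one per line, so that word splitting
# becomes visible.
show_args() {
    for a in "$@"; do
        printf '[%s]\n' "$a"
    done
}

# Forward arguments with "$@": an argument containing a space stays one word.
pass_quoted() {
    show_args "$@"
}

# Forward arguments with unquoted $*: the shell re-splits on whitespace (and
# expands globs), so "b c" arrives as two arguments. When the argument came
# from a user or a filename, this is how extra options get injected.
pass_unquoted() {
    show_args $*
}

# $# is the number of arguments received.
count_args() {
    echo $#
}

# Run a command and report its exit status. $? is overwritten by the next
# command, so it is read immediately. The subshell turns errexit off so a
# non-zero status is reported instead of aborting a 'set -e' caller.
exit_status() {
    ( set +e; "$@" >/dev/null 2>&1; echo $? )
}

# Both streams merged: '2>&1' placed after the stdout redirection sends
# fd 2 to wherever fd 1 points. Order matters: '2>&1 >file' would leave
# stderr on the terminal.
merge_streams() {
    { echo out; echo err >&2; } 2>&1
}

# Only stdout: stderr is discarded to /dev/null.
stdout_only() {
    { echo out; echo err >&2; } 2>/dev/null
}
```

Compare pass_quoted a 'b c' (two arguments arrive) with pass_unquoted a 'b c' (three arrive); the unquoted form is the one to avoid in any script that handles untrusted input.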
Some of Linux Commands (2)
• Process text streams: sort, cut, head, tail, split, wc, uniq, grep
• Redirecting a command's output: tee
• Create, monitor & kill processes: ps, pstree, top, kill, killall
• Modify process priority: renice
Session 5
Some of Linux Commands (3)
• Create partitions and filesystems: fdisk, mke2fs, mkfs.*
• Maintain the integrity of filesystems: e2fsck, fsck.*, du, df
• Filesystem mounting & unmounting: mount, umount, /etc/fstab
Some of Linux Commands (4)
• Use file permissions: chmod, chown, chgrp, su
• Create hard & symbolic links: ln
• Find system files: find, locate, which
• Using emergency & single-user mode
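A practical use of chmod and find from the slide above is a permission audit. The script below is an added example rather than course material: it builds a throwaway directory tree under mktemp (constructed data), finds setuid/setgid and world-writable entries, and clears the offending bits. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original slides). Audits a directory tree
# for the two permission mistakes a pentester looks for first: setuid/setgid
# binaries and world-writable files. The demo tree is constructed in a
# temporary directory so the functions can be run anywhere.

# Regular files with the setuid (4000) or setgid (2000) bit set.
# '-perm -4000' matches when at least those bits are set.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# World-writable (0002) files and directories. Symlinks are skipped (their
# mode is meaningless) and so are sticky directories such as /tmp, where
# world-writable is intended and the sticky bit (1000) stops users from
# deleting each other's files.
find_world_writable() {
    find "$1" ! -type l -perm -0002 ! \( -type d -perm -1000 \) -print
}

# Build a small tree that contains one of each problem plus two harmless
# entries. Prints the path of the tree.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin" "$d/share" "$d/tmp"
    : > "$d/bin/helper";   chmod 4755 "$d/bin/helper"    # setuid binary
    : > "$d/share/notes";  chmod 666  "$d/share/notes"   # world-writable file
    : > "$d/share/readme"; chmod 644  "$d/share/readme"  # normal file
    chmod 1777 "$d/tmp"                                  # sticky scratch dir: fine
    echo "$d"
}

# Remove the bits an auditor would remove: setuid/setgid (u-s,g-s) and
# world-write (o-w).
fix_file() {
    chmod u-s,g-s,o-w "$1"
}

# Stand-alone run ("sh audit.sh demo"): build the tree, report, fix, re-check.
if [ "${1:-}" = demo ]; then
    tree=$(make_demo_tree)
    echo "setuid/setgid:";  find_suid_sgid "$tree"
    echo "world-writable:"; find_world_writable "$tree"
    for f in $(find_suid_sgid "$tree") $(find_world_writable "$tree"); do
        fix_file "$f"
    done
    echo "after fix:"; find_suid_sgid "$tree"; find_world_writable "$tree"
    rm -rf "$tree"
fi
```

On a real system run find_suid_sgid / against the list of setuid binaries the distribution installs and investigate anything that is not on it; world-writable files outside sticky directories are almost never intended.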
'vi' Powerful Text Editor
• Modes: insert mode, normal (command) mode, last-line (ex) mode
• dd, n dd       delete line(s)
• yy, n yy       yank (copy) line(s)
• p              paste after the cursor
• P              paste before the cursor
• /              search
• v              visual mode (text selection)
• i, a, o        insert text
• x              delete a character
• :w             write
• :q             quit
• :wq            write and quit (same as :x)
• :q!            quit without saving
• :r file        read a file in
• :s/old/new/    substitute
Session 6
Run Levels

Run level  Definition
0          Halt the system
1          Single-user mode
2          Multi-user mode without networking (NFS)
3          Multi-user mode with networking
4          Unused (free for a custom definition)
5          Multi-user mode with X-based login
6          Reboot the system

• init & chkconfig commands
• /etc/inittab
• /etc/rc.d/init.d & /etc/rc[0123456].d/
Configuring the Boot Loader
• LILO: edit /etc/lilo.conf and run the 'lilo' command to rewrite the boot sector
• GRUB: edit /boot/grub/grub.conf (read at boot time, no rewrite step)
• Set a boot-loader password in either file (password= plus restricted in lilo.conf, password --md5 in grub.conf). Without one, anyone at the console can append init=/bin/sh to the kernel line and get a root shell without a password.
Administrative Tasks
• Manage users, groups & related files: useradd, userdel, groupadd, groupdel, passwd, vipw, vigr
  /etc/passwd, /etc/shadow, /etc/skel, /etc/profile, …
  (vipw and vigr lock the files while you edit; use them instead of editing passwd/group directly)
• Configure and use system log files: /etc/syslog.conf, /etc/logrotate.conf
• Scheduling jobs: at & crontab commands
• Backup & restore tools: tar, bzip2, gzip
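Reading /etc/passwd and /etc/shadow with the shell is the quickest check after editing them with vipw. The script below is an added example, not part of the slides; the passwd and shadow records are constructed (the hash fields are placeholders, not real hashes) and the function names are the example's own. It shows what to look for: extra UID-0 accounts, hashes left in the world-readable passwd file, shadow entries with an empty password, and which accounts can get an interactive shell.

```shell
#!/bin/sh
# Added example (not part of the original slides). Reads /etc/passwd and
# /etc/shadow formatted input and reports what is worth checking after
# every useradd/vipw session. The sample records are constructed here.

# Every account with UID 0 is root, whatever it is called.
uid0_accounts() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        if [ "$uid" = 0 ]; then
            echo "$name"
        fi
    done
}

# /etc/passwd is world-readable; a password field other than 'x' means a
# hash (or nothing at all) is stored there instead of in /etc/shadow.
unshadowed_accounts() {
    while IFS=: read -r name pw rest; do
        if [ "$pw" != x ]; then
            echo "$name"
        fi
    done
}

# In /etc/shadow an empty second field means the account logs in with no
# password at all; '*' or '!' means the account is locked.
shadow_empty_password() {
    while IFS=: read -r name hash rest; do
        if [ -z "$hash" ]; then
            echo "$name"
        fi
    done
}

# Accounts whose login shell is interactive (not /sbin/nologin or /bin/false).
interactive_accounts() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        case "$shell" in
            /sbin/nologin|/bin/false|"") ;;
            *) echo "$name" ;;
        esac
    done
}

# Constructed sample data (hash strings are placeholders).
sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:2:2:daemon:/sbin:/sbin/nologin' \
        'joseph:x:500:500:Joseph:/home/joseph:/bin/bash' \
        'toor:x:0:0:backup admin:/root:/bin/bash' \
        'legacy:OLDHASH:501:501::/home/legacy:/bin/sh' \
        'nobody:x:99:99:Nobody:/:/sbin/nologin'
}
sample_shadow() {
    printf '%s\n' \
        'root:$1$PLACEHOLDER$notarealhash:12345:0:99999:7:::' \
        'daemon:*:12345:0:99999:7:::' \
        'joseph::12345:0:99999:7:::' \
        'toor:$1$PLACEHOLDER$notarealhash:12345:0:99999:7:::' \
        'nobody:!!:12345:0:99999:7:::'
}

# On a live system (root is needed to read /etc/shadow):
#   uid0_accounts         < /etc/passwd
#   unshadowed_accounts   < /etc/passwd
#   shadow_empty_password < /etc/shadow
#   interactive_accounts  < /etc/passwd
```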
Session 7
Linux Installation and Package Management
• Make and install programs from source
• RPM (RPM Package Manager, originally the Red Hat Package Manager)
  Check a package's GPG signature with 'rpm -K' (alias 'rpm --checksig') before installing it.
Kernel
• About the kernel and loadable modules
• Manage kernel modules at runtime (/etc/modules.conf; lsmod, insmod, rmmod, modprobe)
• Reconfigure, build and install a custom kernel
Session 8
Shell Scripts
• # comments
• #! "special comment": the interpreter line
• Assigning a value:
  x=y           assign the literal string y
  x=$y          assign the value of y
  x=${y}        the same; braces delimit the variable name
  x='$y'        single quotes: x gets the literal string $y
  x=${y}es      the value of y followed by "es"
  x=$yes        the value of the variable named yes (usually empty), not $y plus "es"
  export x y z  export several variables
  export x=$y   assign and export in one step
Shell Scripts
• Control constructs
  • 'read' command
  • 'test' command ( [ ] )
  • if …; then …; else …; fi
  • case … in pattern) …;; esac
  • while …; do …; done
  • until …; do …; done
  • for x in …; do …; done
  • break, continue, exit (for, while, until)
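The control constructs above, and the log files listed under Administrative Tasks, come together in a small log check. The script below is an added example, not from the slides; the sshd log lines are constructed (documentation addresses from RFC 5737) and the function names are the example's own. It uses while/read, case, if/test and for to count failed SSH logins per source address and raise an alert above a threshold.

```shell
#!/bin/sh
# Added example (not part of the original slides). Uses while/read, case,
# if/test and for to pull failed SSH logins out of syslog-style lines.
# The log lines are constructed for the example.

# Emit the source address of every "Failed password" line on stdin.
# ${line##* from } strips everything up to the last " from ";
# ${rest%% *} keeps the first word that remains.
failed_login_sources() {
    while IFS= read -r line; do
        case "$line" in
            *"sshd["*"Failed password for "*" from "*)
                rest=${line##* from }
                echo "${rest%% *}"
                ;;
            *) ;;    # everything else is ignored
        esac
    done
}

# Count occurrences per address, highest first: "addr count".
count_by_source() {
    failed_login_sources | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Print an ALERT line for every address with at least $1 failures.
alert_over_threshold() {
    limit=$1
    while read -r addr count; do
        if [ "$count" -ge "$limit" ]; then
            echo "ALERT $addr $count failed logins"
        fi
    done
}

# Run the report over one or more files, or over stdin when no file is given.
report() {
    if [ $# -eq 0 ]; then
        count_by_source
    else
        for f in "$@"; do
            if [ ! -r "$f" ]; then
                echo "skipping unreadable $f" >&2
                continue
            fi
            cat "$f"
        done | count_by_source
    fi
}

# Constructed sample of /var/log/secure (or /var/log/messages).
sample_log() {
    printf '%s\n' \
        'Aug 20 10:01:02 mail1 sshd[2231]: Failed password for root from 198.51.100.7 port 4021 ssh2' \
        'Aug 20 10:01:05 mail1 sshd[2231]: Failed password for root from 198.51.100.7 port 4022 ssh2' \
        'Aug 20 10:01:09 mail1 sshd[2235]: Failed password for illegal user admin from 198.51.100.7 port 4023 ssh2' \
        'Aug 20 10:02:11 mail1 sshd[2240]: Accepted password for joseph from 192.168.1.2 port 1044 ssh2' \
        'Aug 20 10:03:40 mail1 sshd[2244]: Failed password for joseph from 203.0.113.5 port 3311 ssh2' \
        'Aug 20 10:04:00 mail1 su(pam_unix)[2250]: session opened for user root by joseph(uid=500)'
}

# Typical use:  report /var/log/secure | alert_over_threshold 3
```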
Session 9
Installing and Configuring X

Basic X Concepts
• X client
• X server
• X protocol
• X window manager
• X desktop manager
• X display manager
Installing X
1. Determine the proper X server
2. Install the proper packages

X Server Selection
• XFree86-* (the server package matching the video card)

Packages to Install
• freetype
• gtk+
• XFree86-libs
• XFree86-75dpi-fonts
• redhat-config-xfree86
• XFree86-xfs
• XFree86-xdm
• XFree86-twm
• XFree86-tools
• xinitrc
Configuring X
• redhat-config-xfree86
• xvidtune

Important X Directories & Files
• /usr/X11R6/bin
• /etc/X11
• /etc/X11/XF86Config
Configure and Use PPP
• 'redhat-config-network-tui' command in text mode
• Modem configuration files
• kppp command under X
Session 10
Network Basics
• IP address (network & host portion); static IP vs. dynamic IP
  192.168.168.1   = 11000000.10101000.10101000.00000001
• Netmask
  255.255.255.0   = 11111111.11111111.11111111.00000000
• Network address (IP AND netmask)
  192.168.168.0   = 11000000.10101000.10101000.00000000
• Broadcast address (network OR inverted netmask)
  192.168.168.255 = 11000000.10101000.10101000.11111111
Classful Addressing System
• Network classes
  Class A  1.0.0.0-126.255.255.255    (8-bit network part)
  Class B  128.0.0.0-191.255.255.255  (16-bit network part)
  Class C  192.0.0.0-223.255.255.255  (24-bit network part)
• Reserved ranges
  127.0.0.0-127.255.255.255  (loopback)
  224.0.0.0-239.255.255.255  (multicast)
  240.0.0.0-255.255.255.255  (reserved, not used)
• Public & private networks (routable vs. non-routable addresses; the private ranges are defined in RFC 1918)
  10.0.0.0-10.255.255.255
  172.16.0.0-172.31.255.255
  192.168.0.0-192.168.255.255
Classless Addressing System (Subnets)
Net. Addr.:  192.168.168.0 = 11000000.10101000.10101000.00000000
Netmasks:
  255.255.255.0   (/24)  11111111.11111111.11111111.00000000
  255.255.255.128 (/25)  11111111.11111111.11111111.10000000
  255.255.255.192 (/26)  11111111.11111111.11111111.11000000
  255.255.255.224 (/27)  11111111.11111111.11111111.11100000
  255.255.255.240 (/28)  11111111.11111111.11111111.11110000
  255.255.255.248 (/29)  11111111.11111111.11111111.11111000
  255.255.255.252 (/30)  11111111.11111111.11111111.11111100
  255.255.255.254 (/31)  11111111.11111111.11111111.11111110
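The AND/OR arithmetic behind the binary netmask tables above can be done directly in the shell. The functions below are an added example, not from the slides; they compute the network and broadcast address for any IP/prefix (going beyond the single /24 case shown) and test membership in a CIDR block, which is what a firewall or proxy ACL ultimately does. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original slides). The netmask arithmetic
# from the slides, in POSIX shell integer arithmetic (64-bit shells assumed;
# octets with leading zeros are not accepted).

# Dotted quad -> 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0-32) -> netmask as an integer: the top N bits set.
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# Netmask in dotted form, e.g. prefix_to_netmask 26 -> 255.255.255.192
prefix_to_netmask() {
    int_to_ip "$(prefix_to_mask "$1")"
}

# Network address = IP AND mask.
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(prefix_to_mask "$2") ))
}

# Broadcast address = network OR NOT mask (kept to 32 bits).
broadcast_of() {
    mask=$(prefix_to_mask "$2")
    int_to_ip $(( ($(ip_to_int "$1") & mask) | (~mask & 0xFFFFFFFF) ))
}

# Usable host addresses in a prefix (network and broadcast excluded;
# /31 and /32 have none in this model).
host_count() {
    if [ "$1" -ge 31 ]; then echo 0; else echo $(( (1 << (32 - $1)) - 2 )); fi
}

# in_subnet IP NET/PREFIX -> exit status 0 when IP lies inside the block.
in_subnet() {
    net=${2%/*}
    prefix=${2#*/}
    mask=$(prefix_to_mask "$prefix")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# RFC 1918 private space: the check a firewall or proxy ACL needs before
# deciding whether an address belongs to "the inside".
is_private() {
    in_subnet "$1" 10.0.0.0/8 || in_subnet "$1" 172.16.0.0/12 || in_subnet "$1" 192.168.0.0/16
}
```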
TCP/IP Model (1)
• Application protocols
• Transport protocols
• Internet protocols
• Network access protocols
TCP/IP Model (2)
• Network access protocols: all functions necessary to access the physical network
• Internet protocols
  • IP (Internet Protocol, connectionless)
  • ICMP (Internet Control Message Protocol)

TCP/IP Model (3)
• Transport protocols
  • TCP (Transmission Control Protocol): connection-oriented
  • UDP (User Datagram Protocol): connectionless
• Application protocols
  • Privileged ports (0-1023): only root may bind them, so a service listening there either runs as root or was started by root
  • /etc/services maps service names to port numbers
Types of TCP/IP Services
• Stand-alone daemons
• Services started by xinetd (configured in /etc/xinetd.conf and /etc/xinetd.d/)

Related TCP/IP Commands
• ps x
• netstat -ap --inet | grep LISTEN
  (every listening TCP socket with its owning process; run it as root so -p can show other users' processes, and run it after installing a service to confirm only what you expect is listening. UDP sockets have no LISTEN state, so drop the grep to see them.)

Controlling TCP/IP Daemons
• Start the daemon
• Stop the daemon
• Restart the daemon
• Check the daemon's status
Session 11
Configuring the Network
• Initializing network hardware: load the related kernel module
• Network configuration tools: netconfig, redhat-config-network
• Other network tools: ifconfig, ping, traceroute, netstat, tcpdump, nmap, tethereal, iptraf
• Network configuration files
  • /etc/hosts
  • /etc/host.conf
  • /etc/services
  • /etc/resolv.conf
  • /etc/sysconfig/network
  • /etc/sysconfig/network-scripts/*
• IP aliasing
Session 12
DHCP
• Advantages & disadvantages of DHCP
• DHCP server configuration
  • /etc/dhcpd.conf
  • /var/lib/dhcp/dhcpd.leases
• DHCP client configuration
  • netconfig command

An Example of dhcpd.conf
ddns-update-style ad-hoc;
subnet 192.168.0.0 netmask 255.255.255.0 {
    # Note: this pool overlaps the router (.1) and the fixed address (.20)
    # declared below; in practice start the range above both of them.
    range 192.168.0.1 192.168.0.25;
    option routers 192.168.0.1;
    option subnet-mask 255.255.255.0;
    option domain-name "domain.com";
    option domain-name-servers 192.168.1.1;
    default-lease-time 21600;
    max-lease-time 43200;
    # we want the nameserver to appear at a fixed address
    host dns1 {
        hardware ethernet 12:34:56:78:AB:CD;
        fixed-address 192.168.0.20;
    }
}

dhcpd.leases Format
lease 192.168.1.8 {
    starts 3 2004/04/12 09:34:12;
    ends 6 2004/07/15 23:49:57;
    hardware ethernet 00:09:e6:88:0a:05;
}
...
August 2004
NFS
• Related daemons: rpc.nfsd, rpc.portmap, rpc.mountd
• Installation: nfs-utils, portmap

NFS Configuration
• Server side
  • Edit /etc/exports, one export per line:  PATH  host_list(options)
    Name specific hosts or a subnet rather than a bare "*", use ro unless writes are needed, and keep the default root_squash: no_root_squash lets a remote root act as root on the export.
  • Run the 'exportfs -r' command
  • 'redhat-config-nfs' command
• Client side
  • mount -t nfs server:PATH mountpoint
  • Edit /etc/fstab:  server:PATH  mountpoint  nfs  ro  0 0
SAMBA (1)
• Related services: smbd, nmbd
• Related packages: samba, samba-common, samba-client

SAMBA (2)
• Server configuration
  • Global directives
  • Service (share) directives
• Client configuration
  • smbmount //server/share /mountpoint
  • smbclient //server/share
• Configuration with SWAT (runs from xinetd on TCP port 901 and takes the root password over plain HTTP; keep it bound to localhost or disabled when not in use)
Session 13
TCP/IP Services
How a client and a server use ports:
1. The server binds to a port and listens.
2. The client binds to a (usually ephemeral) port.
3. The client connects to the server.
4. The server designates a port for the connection.
5. Client and server communicate.
Remote Login
• Telnet (server & client): sends user names, passwords and the whole session in cleartext
• SSH (server & client): encrypted and authenticated; use it instead of telnet and leave telnet-server disabled
The Apache Web Server
• Modules
  • mod_auth
  • mod_info (exposes the server configuration over HTTP; restrict it to administrator hosts or leave it unloaded)
  • mod_php
  • mod_include (server-side includes)
  • mod_perl
  • mod_ssl
Installing Apache
• rpm -Uvh httpd-[^d]*.rpm     (the server; the glob skips httpd-devel)
• rpm -Uvh httpd-devel*.rpm    (headers needed to build Apache modules)
Basic Configuration: httpd.conf
• Section 1: the global environment
• Section 2: the main server configuration
• Section 3: the virtual host configuration

Apache Advanced Configuration
• Authentication in Apache
• Configure with PHP
• Configure with SSL
• Configure virtual hosts
Authentication in Apache
<Location /dir_name>
    AuthType Basic
    AuthName "NAME"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Location>
• Create the /etc/httpd/.htpasswd file (with the htpasswd command); keep it outside DocumentRoot so it can never be served
• Configure httpd.conf
• Basic authentication sends the password base64-encoded, not encrypted, with every request: use it only on a virtual host that is configured with mod_ssl
Configure Apache with PHP
• rpm -Uvh php-4*.rpm

Configure Apache with SSL
• rpm -Uvh mod_ssl*.rpm
Configure Virtual Host
<VirtualHost 127.0.0.2>
    ServerAdmin webmaster@vh.com
    DocumentRoot /var/www/html/vh/
    ServerName www.vh.com
</VirtualHost>
• Configure /etc/hosts (so that www.vh.com resolves to 127.0.0.2 for testing)
• Configure httpd.conf
Apache Administration
• Start
• Stop
• Restart
• Reload
• Status

Troubleshooting Apache
• /var/log/messages
• /var/log/httpd/ (access_log and error_log)
• /usr/sbin/httpd -S (dumps the parsed virtual host configuration)
Securing Your Network
• Using the 'lokkit' or 'redhat-config-securitylevel' command (host firewall)
• Password & physical security
• Securing TCP/IP (turn off services you do not need)
• Using Tripwire (file-integrity baseline)
• Keeping up to date on Linux security issues
Session 14
FTP
• Installation: rpm -ivh vsftpd*.rpm
• Config file: /etc/vsftpd/vsftpd.conf
• Access levels
  • Anonymous access (anonymous_enable=YES/NO)
  • Local user access (local_enable=YES; with tcp_wrappers=YES vsftpd honours /etc/hosts.allow and /etc/hosts.deny)
  • FTP sends user names, passwords and data in cleartext, so allow local-user logins only on a trusted network
Cache Server (Squid)
• Install squid: rpm -ivh squid*.rpm
• Managing squid: start, stop, restart, status, reload

Squid Log Files
• /var/log/squid/access.log  (cache_access_log)
• /var/log/squid/cache.log   (cache_log)
• /var/log/squid/store.log   (cache_store_log)
An Example of 'squid.conf'
http_port 8081
cache_effective_user squid
cache_effective_group squid
acl all src 0.0.0.0/0.0.0.0
http_access allow all
cache_dir ufs /cache 1024 16 32
visible_hostname ws1
Caveat: "http_access allow all" makes this an open proxy that anyone who can reach port 8081 may relay through. In production define an acl for your own networks (for example acl localnet src 192.168.0.0/24), allow that, and finish with "http_access deny all".
Running Squid
• service squid start
• squid -d1 -z                         (create the cache directories once, before the first start)
• squid -d1 -f /etc/squid/squid.conf   (run with an explicit config file; -d1 sends debug level 1 to stderr)

The Kinds of Proxies
• Upstream proxy
  cache_peer yourproxy.com parent 3128 3130
  prefer_direct off
• Transparent proxy (Squid 2.5 syntax; port-80 traffic still has to be redirected to Squid's port with an iptables REDIRECT rule)
  httpd_accel_host virtual
  httpd_accel_port 80
  httpd_accel_with_proxy on
  httpd_accel_uses_host_header on
Session 15
Configuring a Linux Router
• Configuring the kernel: IP: advanced router
• Enable IP forwarding
  Add 'net.ipv4.ip_forward = 1' to /etc/sysctl.conf (persistent; applied at boot or with 'sysctl -p')
  echo "1" > /proc/sys/net/ipv4/ip_forward   (takes effect immediately, lost on reboot)
Types of Routes
• Static route
• Dynamic route

Components of a Routing Rule
• Destination IP address (network or host)
• An interface
• An optional gateway IP address

Routing Commands
• route add -net net_addr netmask mask_addr interface
• route add -host ip_addr interface
• route add default gw ip_addr interface
An Example
Gateway host with three interfaces:
  eth0  192.168.1.1    LAN 1: hosts A, B, C, D at 192.168.1.2, .3, .4, .5
  eth1  192.168.100.1  LAN 2: hosts E, F, G, H at 192.168.100.2, .3, .4, .5
  eth2  10.1.1.1       link to the Internet router at 10.1.1.2
Related Rules
• route add -net 192.168.1.0 netmask 255.255.255.0 eth0
• route add -net 192.168.100.0 netmask 255.255.255.0 eth1
• route add -net 10.1.1.0 netmask 255.255.255.0 eth2
• route add default gw 10.1.1.2 eth2
Result (output of 'route')

Destination    Gateway   Genmask          Flags  Metric  Ref  Use  Iface
192.168.1.1    *         255.255.255.255  UH     0       0    0    eth0
192.168.100.1  *         255.255.255.255  UH     0       0    0    eth1
10.1.1.1       *         255.255.255.255  UH     0       0    0    eth2
192.168.1.0    *         255.255.255.0    U      0       0    0    eth0
192.168.100.0  *         255.255.255.0    U      0       0    0    eth1
10.1.1.0       *         255.255.255.0    U      0       0    0    eth2
0.0.0.0        10.1.1.2  0.0.0.0          UG     0       0    0    eth2
127.0.0.0      *         255.0.0.0        U      0       0    0    lo

U: route is up   H: destination is a single host   G: route uses a gateway
Electronic Mail (Sendmail)

How Email Is Sent and Received
user1@mail1.com -> mail1 MTA -> (SMTP) -> mail2 MTA -> user2@mail2.com
(the sender's MUA hands the message to its local MTA; MTAs relay it by SMTP; the recipient's MUA fetches it by POP or IMAP)
Concepts
• MTA: Mail Transfer Agent
  • SMTP (server-to-server): Simple Mail Transfer Protocol
  • POP (mail access): Post Office Protocol
  • IMAP (mail access): Internet Message Access Protocol
• MDA: Mail Delivery Agent
• MUA: Mail User Agent
101
Advantages of Sendmail
• Older MTA
• Powerful MTA
Disadvantages of Sendmail
• Slow
• High-load environments
• Crypto Configuration
102
MTAs
• Sendmail
• Postfix
• Exim
• Qmail
MUAs
• Evolution, Kmail (KDE)
• Balsa (GNOME)
• Mozilla Mail
103
Required Packages
• sendmail
• sendmail-cf
• imap (configured through xinetd; contains IMAP & POP3)
104
Sendmail Configuration
• Config ‘/etc/mail/sendmail.mc’ file
  LOCAL_DOMAIN(`example.com')dnl
• Run ‘make -C /etc/mail/’
• Config DNS
105
Email Aliases
• Edit ‘/etc/aliases’ file
  postmaster: joseph
• Run the ‘newaliases’ command
106
Rejecting Email
• Edit ‘/etc/mail/access’ file
  spam.com    REJECT
  yahoo.com   OK
• service sendmail restart
107
RHCE
Red Hat Certified Engineer
M. A. Agheli
Session 16
108
DNS
109
Where do I look?
• /etc/nsswitch.conf (name service switch)
  t@localhost:~$ cat /etc/nsswitch.conf
  hosts: files dns
110
Files
• Search order determined by nsswitch.conf
• It is polite to have /etc/hosts first!
  sjh@mccoy:~$ cat /etc/hosts
  127.0.0.1       localhost
  193.62.81.135   mccoy.tardis.ed.ac.uk mccoy
  193.62.81.134   baker.tardis.ed.ac.uk baker
  193.62.81.132   packages.tardis.ed.ac.uk packages
111
DNS Traversal
1. Local files
2. DNS server locally
3. Item in cache?
4. Root server, work your way down…
112
Resolving Names
Configuration files for local host name resolution (important for testing):
• /etc/resolv.conf
• /etc/nsswitch.conf
• /etc/host.conf
113
DNS
• BIND – Berkeley Internet Name Daemon
• Dents – buggy as hell (still in alpha?)
• Djbdns – Dan Bernstein’s DNS server
• Banyan VINES – don’t go there!
114
Named (name dee)
• /etc/named.conf:
  • Defines a directory to store the DNS config files
  • Contains info about what zones we serve, and where to find the config files!
  • Config file for named – tells us if we are master / slave, allow or deny zone transfers, what the IPs of other master / slave servers are, etc.
• <DNSROOT>/root.hints:
  • Contains "pointers" to the Root Servers
• <DNSROOT>/127.0.0:
  • Config for reverse lookup of the local host/subnet
• <DNSROOT>/<zone>:
  • Config for the zone
• <DNSROOT>/<in-addr.arpa file>:
  • Config for reverse lookup for your zone
115
A simple named.conf
## named.custom - custom configuration for bind
zone "." {
        type hint;
        file "root.lists";
};
options {
        directory "/var/named/";
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "127.0.0";
};
zone "hq.alim.ir" {
        type master;
        file "hq.alim.ir";
};
zone "168.168.192.in-addr.arpa" {
        type master;
        file "192.168.168";
};
116
DNS Data
DNS databases contain more than just hostname-to-address records:
• SOA – Start Of Authority – it is the daddy!
• IN NS – Name Server
• IN MX – Mail eXchanger
• IN A – A record (Address record)
• IN CNAME – Canonical NAME
117
A simple zone file
@   IN  SOA hq.alim.ir. root.hq.alim.ir. (
                199609206   ; serial, today's date + today's serial #
                8H          ; refresh, seconds
                2H          ; retry, seconds
                4W          ; expire, seconds
                1D )        ; minimum, seconds
            NS      hq.alim.ir.
            MX      10 hq.alim.ir.   ; Primary Mail Exchanger
            TXT     "Alim IT Center"
localhost   A       127.0.0.1
router      A       192.168.168.1
hq.alim.ir. A       192.168.168.2
ns          A       192.168.168.3
www         A       207.159.141.192
ftp         CNAME   hq.alim.ir.
mail        CNAME   hq.alim.ir.
news        CNAME   hq.alim.ir.
118
A simple in-addr.arpa file
$TTL 3D
@   IN  SOA hq.alim.ir. root.hq.alim.ir. (
                199609206   ; Serial
                28800       ; Refresh
                7200        ; Retry
                604800      ; Expire
                86400 )     ; Minimum TTL
            NS      hq.alim.ir.
; Servers
1           PTR     router.hq.alim.ir.
2           PTR     hq.alim.ir.
2           PTR     funn.hq.alim.ir.
; Workstations
200         PTR     ws-177200.hq.alim.ir.
201         PTR     ws-177201.hq.alim.ir.
202         PTR     ws-177202.hq.alim.ir.
119
Forward DNS
• hq.alim.ir (as per /etc/named.conf)
  • SOA – Start Of Authority – it is the daddy!
  • IN NS – Name Server
  • IN MX – Mail eXchanger
  • IN A – A record (Address record)
  • IN CNAME – Canonical NAME
120
Reverse DNS
• 192.168.168 (as per /etc/named.conf)
  • SOA
  • IN NS
  • IN PTR – Pointer
121
DNS Round Robin
• Fault tolerance? Through nifty DNS hacks
  www.teviot.com.   60   IN   A   10.0.1.100
  www.teviot.com.   60   IN   A   10.0.2.100
  www.teviot.com.   60   IN   A   10.0.3.100
122
Common Mistakes
• Forgetting to increment the Serial Number!
• CNAME pointing at another CNAME!
• Forgetting the “.” in appropriate places!
• Underscores in hostnames!
• Forgetting to reload the daemon!
• Version control issues – clobbered changes!
• TTL issues
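Added example, not part of the slides: a small Python checker that reads a zone file in the layout shown above and flags four of the mistakes listed here (serial not incremented, CNAME pointing at a CNAME, a forgotten trailing dot, underscores in hostnames) before the zone is loaded into named. GOOD_ZONE is the slide's zone re-typed with the leading whitespace the extraction lost; the records added in BAD_ZONE are constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

Record = Tuple[str, str, List[str]]   # (owner as FQDN, record type, rdata tokens)


def fqdn(name: str, origin: str) -> str:
    """'@' is the origin; a name without a trailing dot is relative to it.
    This is exactly why a forgotten '.' turns hq.alim.ir into hq.alim.ir.hq.alim.ir."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> Tuple[Optional[int], List[Record]]:
    """Minimal reader for the slide's layout: drops ';' comments, folds the
    '( ... )' continuation lines of the SOA, inherits the owner when a line
    starts with whitespace, and skips the optional TTL and IN class tokens."""
    kept = [ln.split(";", 1)[0].rstrip() for ln in text.splitlines()]
    body = "\n".join(ln for ln in kept if ln.strip())
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    serial, owner, records = None, origin, []
    for line in body.splitlines():
        if not line.strip() or line.startswith("$"):   # $TTL and other directives
            continue
        if line[0].isspace():                           # owner inherited from previous record
            toks = line.split()
        else:
            head, *toks = line.split()
            owner = fqdn(head, origin)
        if toks and re.fullmatch(r"\d+[smhdwSMHDW]?", toks[0]):
            toks.pop(0)                                 # explicit TTL
        if toks and toks[0].upper() == "IN":
            toks.pop(0)                                 # class
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype == "SOA":
            serial = int(rdata[2])                      # mname rname SERIAL refresh retry expire minimum
        records.append((owner, rtype, rdata))
    return serial, records


def lint_zone(text: str, origin: str, served_serial: Optional[int] = None) -> List[str]:
    """Return the problems found (empty list = clean). served_serial is the
    serial the slaves already hold, when known."""
    problems: List[str] = []
    serial, records = parse_zone(text, origin)
    if served_serial is not None and (serial is None or serial <= served_serial):
        problems.append(f"serial {serial} not incremented; slaves hold {served_serial}")
    cname_owners = {o for o, t, _ in records if t == "CNAME"}
    for owner, rtype, rdata in records:
        if "_" in owner:
            problems.append(f"underscore in hostname {owner}")
        if rtype in ("NS", "MX", "CNAME", "PTR"):
            target = rdata[-1]
            if "." in target and not target.endswith("."):
                problems.append(f"{owner} {rtype} {target}: no trailing dot, "
                                f"named reads it as {fqdn(target, origin)}")
            if rtype == "CNAME" and fqdn(target, origin) in cname_owners:
                problems.append(f"{owner} CNAME -> {fqdn(target, origin)} is itself a CNAME")
    return problems


ORIGIN = "hq.alim.ir."

# The zone from the slide, re-typed with the leading whitespace the extraction lost.
GOOD_ZONE = """\
@   IN SOA hq.alim.ir. root.hq.alim.ir. (
                199609206   ; serial
                8H          ; refresh
                2H          ; retry
                4W          ; expire
                1D )        ; minimum
            NS      hq.alim.ir.
            MX      10 hq.alim.ir.   ; Primary Mail Exchanger
            TXT     "Alim IT Center"
localhost   A       127.0.0.1
router      A       192.168.168.1
hq.alim.ir. A       192.168.168.2
ns          A       192.168.168.3
www         A       207.159.141.192
ftp         CNAME   hq.alim.ir.
mail        CNAME   hq.alim.ir.
news        CNAME   hq.alim.ir.
"""

# Constructed edit of that zone: three bad records added, serial left untouched.
BAD_ZONE = GOOD_ZONE + """\
@           NS      ns.hq.alim.ir
smtp        CNAME   mail
mail_old    CNAME   hq.alim.ir.
"""
```

Run `lint_zone(BAD_ZONE, ORIGIN, served_serial=199609206)` to see the four findings; the good zone returns an empty list.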
123
Test Tools
• nslookup
• dig
  • dig mail.hq.alim.ir
  • dig -x 192.168.168.2
  • dig 168.168.192.in-addr.arpa. AXFR
• whois
• http://www.squish.net/dnscheck/
  • James Ponder’s DNS check web page
124
RHCE
Red Hat Certified Engineer
M. A. Agheli
Session 17
125
Firewall
Required Properties:
• Control
  Allow only those packets that you are interested in to pass through.
• Security
  Reject packets from malicious outsiders
• Watchfulness
  Log packets to/from the outside world
126
Firewall Types
• Packet Filtering
• Proxy-Based Firewall
Stateful
Stateless
127
Packet Filter under Linux
• 1st generation
  ipfw (from BSD)
• 2nd generation
  ipfwadm (Linux 2.0)
• 3rd generation
  ipchains (Linux 2.2)
• 4th generation
  iptables (Linux 2.4 & 2.6)
128
Installing Iptables
• Kernel supports iptables
  • Networking Options -> TCP/IP Networking -> Network Packet Filtering
  • Networking Options -> TCP/IP Networking -> IP: advanced router -> *
  • Networking Options -> IP: Netfilter
  For packet traffic control:
  • Networking Options -> QoS and/or fair queueing -> *
• # rpm -ivh iptables-1.2.6a-2.i386.rpm
129
Chains of Tables
• INPUT
  • Controls packets entering your system
• OUTPUT
  • Controls packets leaving your system
• FORWARD
  • Controls what packets can move from one network to another through your system
130
[Diagram: an incoming packet reaches the Routing Decision; packets for a Local Process go down through the Input chain, packets for another network go across through the Forward chain, and packets generated by a Local Process leave through the Output chain.]
131
1. When a packet comes in, the kernel first looks at the destination of the packet: this is called routing.
2. If it’s destined for this box:
   • it passes downwards in the diagram
   • to the INPUT chain
   If it passes, any processes waiting for that packet will receive it.
   Otherwise go to step 3.
Continue…
132
3. If forwarding is not enabled, the packet will be dropped.
   If forwarding is enabled and the packet is destined for another network interface, the packet goes rightwards on our diagram to the FORWARD chain.
   If it is accepted, it will be sent out.
4. Packets generated by a local process pass to the OUTPUT chain immediately.
   If it says ACCEPT, the packet will be sent out.
133
Packet Status in Iptables
• Established
• New
• Related
• Invalid
134
Results of Packet Checking
• ACCEPT
• DROP
• REJECT
• …
135
Tables of Iptables
• Filter
• NAT
• Mangle
136
The Path of a Packet in Iptables
[Diagram: Network -> Mangle PREROUTING chain -> NAT PREROUTING chain (Destination NAT) -> Routing decision. Packets for this host: Mangle INPUT -> Filter INPUT -> Local process -> Routing decision -> Mangle OUTPUT -> NAT OUTPUT -> Filter OUTPUT. Packets for another host: Mangle FORWARD -> Filter FORWARD. Both paths then pass Mangle POSTROUTING -> NAT POSTROUTING chain (Source NAT, based on routing) -> Network.]
137
Tables of Chains
Table     INPUT   OUTPUT   FORWARD   PREROUTING   POSTROUTING
MANGLE    *       *        *         *            *
NAT       -       *        -         *            *
FILTER    *       *        *         -            -
138
Building a Rule: source/destination
• iptables -s 200.200.200.1
  • Refers to packets from a specific IP address
  • The “-s” refers to the source of the packet, where the packet is coming from.
  • A corresponding “-d” refers to the destination, where the packet is going to.
139
Building a Rule: Action
• iptables -s 200.200.200.1 -j DROP
  • The “-j” determines what happens to the
Building a Rule: IP address ranges
• iptables -s 200.200.200.0/24 -j DROP
  • IPs that match 200.200.200.*
  • The “/24” refers to the number of bits that are fixed, counting from the left.
140
Other Actions
• REDIRECT
  • Sends packets to a proxy
• LOG
  • Tracks packets as they match rules
• RETURN
  • Terminates user-defined chains
141
Building a Rule: appending rules to tables
• iptables -A INPUT -s 200.200.200.1 -j DROP
  • The “-A” appends the rule to an iptable
  • The “INPUT” specifies the iptable
  • This command makes your system ignore all packets from 200.200.200.1
• iptables -A OUTPUT -d 200.200.200.1 -j DROP
  • This command does not allow your system to send packets to 200.200.200.1
142
Building a Rule: only blocking some packets
• iptables -A INPUT -s 200.200.200.1 -p tcp --destination-port telnet -j DROP
  • The “-p” specifies a specific protocol: tcp, udp, or icmp
  • The “--destination-port” is where the packet is going
    • You can use the service name or the port number
    • Could use 23 in this example
  • Keep in mind that the source-port is very different from the destination-port. In this example the inbound message is going to your telnet server. The telnet client that is sending you the message could be running on any port.
• --dport == --destination-port
• --sport == --source-port
143
Building a Rule: multiple network interfaces
• Assume your machine has two interface cards: one to a LAN, named eth0, and the other to the Internet, named ppp0
• iptables -A INPUT -p tcp --dport telnet -i ppp0 -j DROP
  • The “-i” option specifies the input interface
  • There is also a “-o” option for the output interface
• iptables -A INPUT -p tcp --dport telnet -i eth0 -j ACCEPT
• Together these rules would accept telnet requests from the LAN but block telnet requests from the Internet.
144
Building a Rule: Table Policies
• iptables -P FORWARD ACCEPT
• The “-P” option followed by a table name and action determines the default policy of the table. If no rule in the table matches, this default action is taken.
• The usual policies are
  • INPUT = ACCEPT
  • OUTPUT = ACCEPT
  • FORWARD = DENY
145
Building a Rule: Adding Rules to Tables
• iptables -A INPUT -s 200.200.200.1 -j DROP
  • Appends the rule to the end of the table
• iptables -I INPUT 3 -s 200.200.200.1 -j DROP
  • Inserts the rule as rule 3 in the table, moving all other rules down 1.
• iptables -R INPUT 3 -s 200.200.200.1 -j DROP
  • Replaces rule 3 in the table
• iptables -D INPUT 3
  • Deletes rule 3 in the table
146
Operations to manage whole chains
-N   Create a new chain
-X   Delete an empty chain
-P   Change the policy for a built-in chain
-L   List the rules in a chain
-F   Flush the rules out of a chain
-Z   Zero the packet and byte counters on all rules in a chain
147
Manipulate rules inside a chain
-A   Append a new rule to a chain
-I   Insert a new rule at some position in a chain
-R   Replace a rule at some position in a chain
-D   Delete a rule at some position in a chain
-D   Delete the first rule that matches in a chain
148
An Example
[Diagram: three LAN hosts, 192.168.1.5, 192.168.1.6 and 192.168.1.7, each with GW 192.168.1.1; the Firewall, 192.168.1.1 on the LAN side, has two interfaces, eth0 and eth1, one towards the LAN and one towards the Internet; it runs a Web Server and an SSH Server, the SSH Server being accessible ONLY via LAN.]
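Added example, not part of the slides: a Python model of the filter table whose behaviour the rule-building slides describe, fed with rule lines written the way the slides write them. It implements the routing decision from the packet-path slides (INPUT for this box, FORWARD or an outright drop for transit), first-match-wins chain traversal with a per-chain policy, and -A / -I / -D ordering. It assumes, as the "multiple network interfaces" slide does, that eth0 is the LAN and ppp0 the Internet link, and implements the policy of the example above (web open to all, SSH only via LAN); the firewall address and test addresses are constructed.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SERVICES = {"telnet": "23", "ssh": "22", "http": "80"}   # the /etc/services names used here

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None
    in_if: Optional[str] = None    # interface it arrived on (-i)
    out_if: Optional[str] = None   # interface it would leave by (-o)

@dataclass
class Rule:
    target: str                                          # -j
    match: Dict[str, str] = field(default_factory=dict)  # -s -d -p --dport -i -o

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: str) -> bool:         # "-s 200.200.200.0/24" style matching
            return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
        checks = {
            "-s": lambda v: in_net(p.src, v),
            "-d": lambda v: in_net(p.dst, v),
            "-p": lambda v: p.proto == v,
            "--dport": lambda v: p.dport == int(v),
            "-i": lambda v: p.in_if == v,
            "-o": lambda v: p.out_if == v,
        }
        return all(checks[k](v) for k, v in self.match.items())

class Firewall:
    """The filter table: one rule list and one default policy per built-in chain."""

    def __init__(self) -> None:
        self.rules: Dict[str, List[Rule]] = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
        self.policy = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "DROP"}

    def run(self, cmd: str) -> None:
        """Apply one iptables line: the -A / -I / -D / -P subset used on the slides."""
        t = shlex.split(cmd)
        if t[0] != "iptables":
            raise ValueError(cmd)
        op, chain, rest = t[1], t[2], t[3:]
        if op == "-P":                                   # default policy for the chain
            self.policy[chain] = rest[0]
            return
        pos = int(rest.pop(0)) - 1 if rest and rest[0].isdigit() else None  # rules number from 1
        if op == "-D" and not rest:                      # -D chain N
            del self.rules[chain][pos]
            return
        opts = dict(zip(rest[0::2], rest[1::2]))         # "-s X -j DROP" -> {"-s": X, "-j": "DROP"}
        target = opts.pop("-j")
        if "--destination-port" in opts:                 # --dport == --destination-port
            opts["--dport"] = opts.pop("--destination-port")
        if "--dport" in opts:                            # service name or port number
            opts["--dport"] = SERVICES.get(opts["--dport"], opts["--dport"])
        rule = Rule(target, opts)
        if op == "-A":
            self.rules[chain].append(rule)
        elif op == "-I":
            self.rules[chain].insert(pos or 0, rule)
        elif op == "-D":                                 # -D chain <spec>: first equal rule goes
            self.rules[chain].remove(rule)

    def verdict(self, chain: str, p: Packet) -> str:
        """Top to bottom: the first matching rule decides, otherwise the chain's
        policy applies. This is why -A and -I can give different results."""
        for r in self.rules[chain]:
            if r.matches(p):
                return r.target
        return self.policy[chain]

    def handle(self, p: Packet, local: Set[str], forwarding: bool) -> str:
        """The routing decision of the packet-path slides: destined for this
        box -> INPUT; for elsewhere -> dropped if forwarding is off, else FORWARD."""
        if p.dst in local:
            return self.verdict("INPUT", p)
        return self.verdict("FORWARD", p) if forwarding else "DROP"

def build_example() -> Firewall:
    """Assumed layout: eth0 = LAN, ppp0 = Internet (as on the 'multiple network
    interfaces' slide). Web server open to all; telnet and SSH only from the LAN."""
    fw = Firewall()
    for cmd in (
        "iptables -P FORWARD DROP",   # DROP is the iptables target; DENY was the ipchains name
        "iptables -A INPUT -s 200.200.200.1 -j DROP",
        "iptables -A INPUT -p tcp --destination-port telnet -i ppp0 -j DROP",
        "iptables -A INPUT -p tcp --dport telnet -i eth0 -j ACCEPT",
        "iptables -A INPUT -p tcp --dport ssh -i ppp0 -j DROP",
        "iptables -A INPUT -p tcp --dport http -j ACCEPT",
    ):
        fw.run(cmd)
    return fw
```

Call `build_example().handle(Packet(...), {"192.168.1.1"}, False)` with a constructed packet to see which verdict the chain gives; the interesting cases are a telnet packet arriving on ppp0 versus eth0, and the same /24 DROP rule added with -A versus -I.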
149
RHCE
Red Hat Certified Engineer
M. A. Agheli
Session 18
Advanced
150
Traffic Shaping (CBQ)
• /etc/rc.d/init.d/cbq.init (http://ovh.dl.sourceforge.net/sourceforge/cbqinit/cbq.init-v0.7.3)
• Install ‘shapecfg’ RPM
• /etc/sysconfig/cbq/* (0002-FFFF)
• /etc/rc.d/init.d/cbq.init start
151
Sample of CBQ Configuration
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
PRIO=5
RULE=:21,192.168.1.0/24
152
The
End
Good Luck

Weitere ähnliche Inhalte

Was ist angesagt?

Linux Presentation
Linux PresentationLinux Presentation
Linux Presentationnishantsri
 
Part 01 Linux Kernel Compilation (Ubuntu)
Part 01 Linux Kernel Compilation (Ubuntu)Part 01 Linux Kernel Compilation (Ubuntu)
Part 01 Linux Kernel Compilation (Ubuntu)Tushar B Kute
 
Linux Training Workshop
Linux Training WorkshopLinux Training Workshop
Linux Training WorkshopMeraj Khattak
 
Linux internal
Linux internalLinux internal
Linux internalmcganesh
 
Linux Internals - Kernel/Core
Linux Internals - Kernel/CoreLinux Internals - Kernel/Core
Linux Internals - Kernel/CoreShay Cohen
 
Linux kernel modules
Linux kernel modulesLinux kernel modules
Linux kernel modulesEddy Reyes
 
Linux admin interview questions
Linux admin interview questionsLinux admin interview questions
Linux admin interview questionsKavya Sri
 
Part 02 Linux Kernel Module Programming
Part 02 Linux Kernel Module ProgrammingPart 02 Linux Kernel Module Programming
Part 02 Linux Kernel Module ProgrammingTushar B Kute
 
Linux architecture
Linux architectureLinux architecture
Linux architecturemcganesh
 
Kernel compilation
Kernel compilationKernel compilation
Kernel compilationmcganesh
 
Linux beginner's Workshop
Linux beginner's WorkshopLinux beginner's Workshop
Linux beginner's Workshopfutureshocked
 
Linux command ppt
Linux command pptLinux command ppt
Linux command pptkalyanineve
 

Was ist angesagt? (20)

3. introduction of centos
3. introduction of centos3. introduction of centos
3. introduction of centos
 
Linux Presentation
Linux PresentationLinux Presentation
Linux Presentation
 
Part 01 Linux Kernel Compilation (Ubuntu)
Part 01 Linux Kernel Compilation (Ubuntu)Part 01 Linux Kernel Compilation (Ubuntu)
Part 01 Linux Kernel Compilation (Ubuntu)
 
Linux Training Workshop
Linux Training WorkshopLinux Training Workshop
Linux Training Workshop
 
005 skyeye
005 skyeye005 skyeye
005 skyeye
 
Linux internal
Linux internalLinux internal
Linux internal
 
Linux Internals - Kernel/Core
Linux Internals - Kernel/CoreLinux Internals - Kernel/Core
Linux Internals - Kernel/Core
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To Linux
 
Linux
Linux Linux
Linux
 
Linux kernel modules
Linux kernel modulesLinux kernel modules
Linux kernel modules
 
Linux
LinuxLinux
Linux
 
Linux basics
Linux basicsLinux basics
Linux basics
 
Linux admin interview questions
Linux admin interview questionsLinux admin interview questions
Linux admin interview questions
 
Part 02 Linux Kernel Module Programming
Part 02 Linux Kernel Module ProgrammingPart 02 Linux Kernel Module Programming
Part 02 Linux Kernel Module Programming
 
Linux architecture
Linux architectureLinux architecture
Linux architecture
 
Kernel compilation
Kernel compilationKernel compilation
Kernel compilation
 
Linux beginner's Workshop
Linux beginner's WorkshopLinux beginner's Workshop
Linux beginner's Workshop
 
Scale9x sun
Scale9x sunScale9x sun
Scale9x sun
 
Linux systems - Linux Commands and Shell Scripting
Linux systems - Linux Commands and Shell ScriptingLinux systems - Linux Commands and Shell Scripting
Linux systems - Linux Commands and Shell Scripting
 
Linux command ppt
Linux command pptLinux command ppt
Linux command ppt
 

Andere mochten auch

Talk on PHP Day Uruguay about Docker
Talk on PHP Day Uruguay about DockerTalk on PHP Day Uruguay about Docker
Talk on PHP Day Uruguay about DockerWellington Silva
 
Docker from basics to orchestration (PHPConfBr2015)
Docker from basics to orchestration (PHPConfBr2015)Docker from basics to orchestration (PHPConfBr2015)
Docker from basics to orchestration (PHPConfBr2015)Wellington Silva
 
docker installation and basics
docker installation and basicsdocker installation and basics
docker installation and basicsWalid Ashraf
 
Red Hat Certified engineer course
  Red Hat Certified engineer course   Red Hat Certified engineer course
Red Hat Certified engineer course Ali Abdo
 
Dockerfile Basics | Docker workshop #2 at twitter, 2013-11-05
Dockerfile Basics | Docker workshop #2 at twitter, 2013-11-05Dockerfile Basics | Docker workshop #2 at twitter, 2013-11-05
Dockerfile Basics | Docker workshop #2 at twitter, 2013-11-05dotCloud
 
Dockerfile basics | docker workshop #1 at Rackspace
Dockerfile basics | docker workshop #1 at RackspaceDockerfile basics | docker workshop #1 at Rackspace
Dockerfile basics | docker workshop #1 at RackspacedotCloud
 
RedHat Linux
RedHat LinuxRedHat Linux
RedHat LinuxApo
 
Comentario personal de la unidad ii
Comentario personal de la unidad iiComentario personal de la unidad ii
Comentario personal de la unidad iiverito velasquez
 
The lion king aimar y adam
The lion king aimar y adamThe lion king aimar y adam
The lion king aimar y adamjimisito89
 
P 1 карціны-абярэгі юнібудкалор
P 1 карціны-абярэгі юнібудкалорP 1 карціны-абярэгі юнібудкалор
P 1 карціны-абярэгі юнібудкалорViera Pierahudava
 

Andere mochten auch (19)

RHCE
RHCERHCE
RHCE
 
Talk on PHP Day Uruguay about Docker
Talk on PHP Day Uruguay about DockerTalk on PHP Day Uruguay about Docker
Talk on PHP Day Uruguay about Docker
 
Dockerfile
Dockerfile Dockerfile
Dockerfile
 
Docker from basics to orchestration (PHPConfBr2015)
Docker from basics to orchestration (PHPConfBr2015)Docker from basics to orchestration (PHPConfBr2015)
Docker from basics to orchestration (PHPConfBr2015)
 
Docker Basics
Docker BasicsDocker Basics
Docker Basics
 
docker installation and basics
docker installation and basicsdocker installation and basics
docker installation and basics
 
Docker Basics
Docker BasicsDocker Basics
Docker Basics
 
Red Hat Certified engineer course
  Red Hat Certified engineer course   Red Hat Certified engineer course
Red Hat Certified engineer course
 
Dockerfile Basics | Docker workshop #2 at twitter, 2013-11-05
Dockerfile Basics | Docker workshop #2 at twitter, 2013-11-05Dockerfile Basics | Docker workshop #2 at twitter, 2013-11-05
Dockerfile Basics | Docker workshop #2 at twitter, 2013-11-05
 
Dockerfile basics | docker workshop #1 at Rackspace
Dockerfile basics | docker workshop #1 at RackspaceDockerfile basics | docker workshop #1 at Rackspace
Dockerfile basics | docker workshop #1 at Rackspace
 
RedHat Linux
RedHat LinuxRedHat Linux
RedHat Linux
 
Articles
ArticlesArticles
Articles
 
Comentario personal de la unidad ii
Comentario personal de la unidad iiComentario personal de la unidad ii
Comentario personal de la unidad ii
 
The lion king aimar y adam
The lion king aimar y adamThe lion king aimar y adam
The lion king aimar y adam
 
Animals
AnimalsAnimals
Animals
 
Panchamukhi
PanchamukhiPanchamukhi
Panchamukhi
 
Amcham Physician Jan15
Amcham Physician Jan15Amcham Physician Jan15
Amcham Physician Jan15
 
P 1 карціны-абярэгі юнібудкалор
P 1 карціны-абярэгі юнібудкалорP 1 карціны-абярэгі юнібудкалор
P 1 карціны-абярэгі юнібудкалор
 
Hikaye(öykü)
Hikaye(öykü)Hikaye(öykü)
Hikaye(öykü)
 

Ähnlich wie Rhce ppt

Introduction to Linux for Windows Users
Introduction to Linux for Windows UsersIntroduction to Linux for Windows Users
Introduction to Linux for Windows UsersRobert McDermott
 
Introduction to Operating Systems.pptx
Introduction to Operating Systems.pptxIntroduction to Operating Systems.pptx
Introduction to Operating Systems.pptxMohamedSaied877003
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Vincent Batts
 
Using open source software to build an industrial grade embedded linux platfo...
Using open source software to build an industrial grade embedded linux platfo...Using open source software to build an industrial grade embedded linux platfo...
Using open source software to build an industrial grade embedded linux platfo...SZ Lin
 
17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboards17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboardsDenis Ristic
 
A Tour of Open Source on the Mainframe
A Tour of Open Source on the MainframeA Tour of Open Source on the Mainframe
A Tour of Open Source on the MainframeAll Things Open
 
2008-11-13 CAVMEN RHEL for System z Deep Dive
2008-11-13 CAVMEN RHEL for System z Deep Dive2008-11-13 CAVMEN RHEL for System z Deep Dive
2008-11-13 CAVMEN RHEL for System z Deep DiveShawn Wells
 

Ähnlich wie Rhce ppt (20)

Building
BuildingBuilding
Building
 
Linux
Linux Linux
Linux
 
Rac on NFS
Rac on NFSRac on NFS
Rac on NFS
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
 
Linux
Linux Linux
Linux
 
linux.pdf
linux.pdflinux.pdf
linux.pdf
 
Introduction to Linux for Windows Users
Introduction to Linux for Windows UsersIntroduction to Linux for Windows Users
Introduction to Linux for Windows Users
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Introduction to Operating Systems.pptx
Introduction to Operating Systems.pptxIntroduction to Operating Systems.pptx
Introduction to Operating Systems.pptx
 
Linux
LinuxLinux
Linux
 
Unix Administration 1
Unix Administration 1Unix Administration 1
Unix Administration 1
 
Linux basic
Linux basicLinux basic
Linux basic
 
Lab so-abertos-unidade1
Lab so-abertos-unidade1Lab so-abertos-unidade1
Lab so-abertos-unidade1
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]
 
Using open source software to build an industrial grade embedded linux platfo...
Using open source software to build an industrial grade embedded linux platfo...Using open source software to build an industrial grade embedded linux platfo...
Using open source software to build an industrial grade embedded linux platfo...
 
17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboards17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboards
 
A Tour of Open Source on the Mainframe
A Tour of Open Source on the MainframeA Tour of Open Source on the Mainframe
A Tour of Open Source on the Mainframe
 
Linux introduction (eng)
Linux introduction (eng)Linux introduction (eng)
Linux introduction (eng)
 
2008-11-13 CAVMEN RHEL for System z Deep Dive
2008-11-13 CAVMEN RHEL for System z Deep Dive2008-11-13 CAVMEN RHEL for System z Deep Dive
2008-11-13 CAVMEN RHEL for System z Deep Dive
 
Ubuntu
UbuntuUbuntu
Ubuntu
 

Rhce ppt

  • 1. 1 RHC E Red Hat Certified Engineer Session 1Session 1 M. A. AgheliM. A. Agheli
  • 2. 2 History Of UNIX & LinuxHistory Of UNIX & Linux  1957:1957: Bell Labs found they needed an operating systemBell Labs found they needed an operating system which at the time was running various batch jobs.which at the time was running various batch jobs.  1965:1965: Bell Labs create MulticsBell Labs create Multics ((Multiplexed Information andMultiplexed Information and Computing ServiceComputing Service))  1969:1969: Summer 1969 UNIX was developed by AT&TSummer 1969 UNIX was developed by AT&T  1975:1975: Sixth edition of UNIX released May 1975Sixth edition of UNIX released May 1975  19851985: GNU project startedGNU project started  19911991: Linux is introduced by Linus Benedict Torvalds whoLinux is introduced by Linus Benedict Torvalds who was a second year student of Computer Science at thewas a second year student of Computer Science at the University of HelsinkiUniversity of Helsinki  19931993: NetBSD & FreeBSD releasedNetBSD & FreeBSD released  19941994: Red Hat Linux is introducedRed Hat Linux is introduced
• 3. First Article About Linux

  From: torvalds@klaava.Helsinki.FI (Linus Benedict Torvalds)
  Newsgroups: comp.os.minix
  Subject: What would you like to see most in minix?
  Summary: small poll for my new operating system
  Message-ID: <1991Aug25.205708.9541@klaava.Helsinki.FI>
  Date: 25 Aug 91 20:57:08 GMT
  Organization: University of Helsinki

  Hello everybody out there using minix -

  I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones. This has been brewing since april, and is starting to get ready. I'd like any feedback on things people like/dislike in minix, as my OS resembles it somewhat (same physical layout of the file-system (due to practical reasons) among other things).

  I've currently ported bash(1.08) and gcc(1.40), and things seem to work. This implies that I'll get something practical within a few months, and I'd like to know what features most people would want. Any suggestions are welcome, but I won't promise I'll implement them :-)

  Linus (torvalds@kruuna.helsinki.fi)

  PS. Yes - it's free of any minix code, and it has a multi-threaded fs. It is NOT portable (uses 386 task switching etc), and it probably never will support anything other than AT-harddisks, as that's all I have :-(.
• 4. GNU & GPL
  - GNU Project: focused on creating a Unix-like operating system that could be freely distributed
  - GPL: GNU General Public License (Copyleft)
• 5. Major Linux Distributors
  - Caldera Linux
  - Corel Linux
  - Debian Linux
  - Kondara Linux
  - Red Hat Linux
  - Mandrake Linux
  - Slackware Linux
  - SuSE Linux
  - Turbo Linux
  - Vector Linux
• 6. The Advantages of Linux
  - Low purchase cost
  - Open Source Software (OSS)
  - UNIX heritage
  - Multi-user
  - Scalability
  - Vendor support
  - Reliable uptime
  - Security
  - Logging system
  - ...
• 7. The Disadvantages of Linux
  - Steep learning curve
  - Hardware support
  - End-user applications
• 8. A Comparison Of Win 9x, NT, and Linux

  Feature                  Win 9x     Win NT   Linux
  Scalability              Poor       Good     Good
  Desktop App. Support     Excellent  Good     Good
  Enterprise App. Support  None       Good     Good
  Hardware Support         Excellent  Good     Good
  Licensing Cost           Good       Poor     Excellent
  Network Performance      Good       Good     Excellent
  Security                 Poor       Good     Good
• 9. Linux Filesystem Hierarchy

  /bin   Essential binary files
  /boot  Boot loader files
  /dev   Device files
  /etc   Configuration files
  /home  User home directories
  /lib   Shared libraries and kernel modules
  /mnt   Mount point for temporarily mounted filesystems
  /proc  System information virtual filesystem
  /root  root user's home directory
  /sbin  Essential system binaries
  /tmp   Temporary files
  /usr   Shareable files
  /var   Non-shareable files
• 10. RHCE: Red Hat Certified Engineer, Session 2 (M. A. Agheli)
• 11. Installing Linux
  - Hardware requirements
  - Hard disk partitioning
  - Boot loader
  - Install packages
  - X configuration
• 12. Overview of the Installation Process
  1. Starting the installation process
     - Installation mode
     - Language
     - Keyboard
     - Mouse
  2. Partitioning
  3. Boot loader installation
  4. Network configuration
  5. Setting the time zone
• 13. Overview of the Installation Process (continued)
  6. Firewall configuration
  7. Specifying authentication options (optional)
  8. Specifying user accounts
  9. Selecting packages
  10. Installing packages
  11. Creating a boot disk
  12. Configuring the X Window System (optional)
• 14. Installing Linux: Consoles & Message Logs

  Console  Keystrokes   Contents
  1        Ctrl+Alt+F1  Text-based installation procedure
  2        Ctrl+Alt+F2  Shell prompt
  3        Ctrl+Alt+F3  Messages from installation program
  4        Ctrl+Alt+F4  Kernel messages
  5        Ctrl+Alt+F5  Other messages, including file system creation messages
  7        Ctrl+Alt+F7  Graphical installation procedure
• 15. Configuring Install-Time Options after Installation
  - kbdconfig
  - mouseconfig
  - timeconfig
  - sndconfig
  - netconfig
  - authconfig
  - ntsysv
  - setup
  - redhat-config-…
• 16. RHCE: Red Hat Certified Engineer, Session 3 (M. A. Agheli)
• 17. SHELL
  - Shells: bash (Bourne Again Shell), ash, sach, tcsh, mc
  - Some important BASH variables: PATH, SHELL, PS1, PS2
  - PS1, PS2 escape sequences: \u, \h, \W, \d, \t, \s, \$
• 18. Some Linux Commands (1)
  echo, man, help, info, ls, cat, tac, cp, mv, rm, cd, touch, pwd, mkdir, rmdir, clear, alias, less, date, logout, exit, reboot, halt
• 19. RHCE: Red Hat Certified Engineer, Session 4 (M. A. Agheli)
• 20. BASH
  - TAB key features
  - Review pages & commands
  - Quoting in BASH: "value", 'value', `value`
  - Redirection operators: >, >>, |, <, <<
  - Standard input & standard output: stdin 0, stdout 1, stderr 2
• 21. Important Command Forms
  - cmd
  - cmd &   (fg, Ctrl+Z, bg)
  - cmd1 ; cmd2
  - (cmd1 ; cmd2)
  - cmd1 `cmd2`
  - cmd1 | cmd2
  - cmd1 && cmd2
  - cmd1 || cmd2
  - { cmd1 ; cmd2 ; }
• 22. Linux File Types

  Normal            -  Normal file
  Directories       d  Normal directory
  Hard link         -  (indistinguishable from a normal file)
  Symbolic link     l  Shortcut to a file or directory
  Socket            s  Passes data between two processes
  Named pipe        p  Like sockets; the user can't work with it directly
  Character device  c  Character-oriented hardware communication
  Block device      b  Major & minor numbers for controlling the device
• 23. Bash Special Variables

  $#  Number of arguments given to the command
  $?  Exit status of the last command executed
  $$  Process number of the current shell
  $!  Process number of the last background child process
  $@  All arguments, each individually quoted
  $*  All arguments quoted as a whole
  $n  Positional argument value, where n is the position
  $0  Name of the current shell (or script)
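A worked script for slides 20, 21 and 23, added here as an example; it is not part of the original deck. It shows the three quoting styles, that stdout (fd 1) and stderr (fd 2) are separate streams that can be redirected independently, the ;, &&, || and subshell command forms, and $#, "$@", "$*" and $? in action. The scratch file created with mktemp is a constructed input.

```sh
#!/bin/sh
# Added example (not from the slides): bash quoting, redirection of
# stdout/stderr, command-list forms and the special variables.

# Quoting: "..." expands $var, '...' keeps it literal, `...` substitutes output.
quoting_demo() {
    name=world
    dq="hello $name"                 # expands -> hello world
    sq='hello $name'                 # literal -> hello $name
    bt=`echo "$dq" | tr a-z A-Z`     # command substitution -> HELLO WORLD
    printf '%s|%s|%s\n' "$dq" "$sq" "$bt"
}

# Redirection: fd 1 (stdout) and fd 2 (stderr) are independent streams.
# stdout goes to a scratch file, stderr is discarded, so only the
# stdout line survives.
redirect_demo() {
    tmp=$(mktemp)                    # constructed scratch file
    { echo "to stdout"; echo "to stderr" >&2; } >"$tmp" 2>/dev/null
    cat "$tmp"
    rm -f "$tmp"
}

# Command forms: && runs cmd2 only if cmd1 succeeded, || only if it
# failed, and ( ) runs in a subshell whose cd does not affect the caller.
chain_demo() {
    true  && echo "and-ran"
    false || echo "or-ran"
    false && echo "never"
    before=$(pwd)
    ( cd / )
    [ "$(pwd)" = "$before" ] && echo "still-here"
}

# Special variables: $# counts args, "$@" keeps each arg intact,
# "$*" joins them into one word, $? is the last command's exit status.
args_demo() {
    printf 'count=%s;' "$#"
    for a in "$@"; do printf 'arg=[%s];' "$a"; done
    printf 'star=[%s];' "$*"
    false || status=$?               # capture the failing status of false
    printf 'status=%s\n' "$status"
}
```

Run the functions from an interactive shell, e.g. `args_demo "a b" c`, to see that the quoted argument "a b" stays one argument with "$@" but is flattened into the single string "a b c" by "$*".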
• 24. Some Linux Commands (2)
  - Process text streams: sort, cut, head, tail, split, wc, uniq, grep
  - Redirecting a command's output: tee
  - Create, monitor & kill processes: ps, pstree, top, kill, killall
  - Modify process priority: renice
• 25. RHCE: Red Hat Certified Engineer, Session 5 (M. A. Agheli)
• 26. Some Linux Commands (3)
  - Create partitions and filesystems: fdisk, mke2fs, mkfs.*
  - Maintain the integrity of filesystems: e2fsck, fsck.*, du, df
  - Filesystem mounting & unmounting: mount, umount, /etc/fstab
• 27. Some Linux Commands (4)
  - Use file permissions: chmod, chown, chgrp, su
  - Create hard & symbolic links: ln
  - Find system files: find, locate, which
  - Using emergency & single-user mode
• 28. 'vi' Powerful Text Editor
  - Modes: Insert mode, Normal mode, Command mode
  - dd / n dd (delete a line / n lines)
  - yy / n yy (copy a line / n lines)
  - p (paste after), P (paste before)
  - / (search)
  - v (visual, text selection)
  - Insert text, delete
  - Command mode: w, q, wq (= x), q!, r, s///
• 29. RHCE: Red Hat Certified Engineer, Session 6 (M. A. Agheli)
• 30. Run Levels

  Run level  Definition
  0          Halts the system
  1          Single-user mode
  2          Multiuser mode without networking
  3          Multiuser mode with networking
  4          Not used
  5          X-based login
  6          Reboots the system

  - init & chkconfig commands
  - /etc/inittab
  - /etc/rc.d/init.d & /etc/rc[0123456].d/
• 31. Configuring the Boot Loader
  - LILO: edit /etc/lilo.conf & execute the 'lilo' command
  - GRUB: edit /boot/grub/grub.conf
• 32. Administrative Tasks
  - Manage users, groups & related files: useradd, userdel, groupadd, groupdel, passwd, vipw, vigr; /etc/passwd, /etc/shadow, /etc/skel, /etc/profile, …
  - Configure and use system log files: /etc/syslog.conf, /etc/logrotate.conf
  - Scheduling jobs (at & crontab commands)
  - Backup & restore tools: tar, bzip2, gzip
• 33. RHCE: Red Hat Certified Engineer, Session 7 (M. A. Agheli)
• 34. Linux Installation and Package Management
  - Make and install programs from source
  - RPM (Red Hat Package Manager)
• 35. Kernel
  - About the kernel and loadable modules
  - Manage kernel modules at runtime (/etc/modules.conf)
  - Reconfigure, build and install a custom kernel
• 36. RHCE: Red Hat Certified Engineer, Session 8 (M. A. Agheli)
• 37. Shell Scripts
  - # Comments
  - #! Special comment (interpreter line)
  - Assigning a value:
      x=y
      x='$y'
      x=${y}
      x=$y
      export x y z
      x=${y}es
      export x=$y
      x=$yes
• 38. Shell Scripts
  - Control constructs
  - 'read' command
  - 'test' command ( [ ] )
  - if …; then …; else …; fi
  - case … in pattern) …;; esac
  - while …; do …; done
  - until …; do …; done
  - for x in …; do …; done
  - break, continue, exit (for, while, until)
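The following script is an added example for slides 37 and 38, not code from the deck. It shows why x=${y}es and x=$yes differ, and exercises read, test, if, case, while, until, for, break and continue in small functions that return their results on stdout. The line feed to read_until_quit and the file names given to count_readable are constructed inputs.

```sh
#!/bin/sh
# Added example (not from the slides): variable expansion and the
# control constructs listed on slides 37-38.

# ${y}es appends "es" to $y; $yes looks up a variable named "yes",
# which does not exist here, so it expands to nothing.
suffix_demo() {
    y=fil
    a=${y}es
    b=$yes
    echo "a=$a b=[$b]"
}

# case: classify a word by shell pattern.
classify() {
    case $1 in
        [0-9]*) echo number ;;
        -*)     echo option ;;
        "")     echo empty ;;
        *)      echo word ;;
    esac
}

# while + read + test: count non-blank lines on stdin, skipping blanks
# with continue and stopping at the line "quit" with break.
read_until_quit() {
    n=0
    while read -r line; do
        [ -z "$line" ] && continue
        [ "$line" = quit ] && break
        n=$((n + 1))
    done
    echo "$n"
}

# until: loop until the condition becomes true.
countdown() {
    i=$1
    until [ "$i" -le 0 ]; do
        i=$((i - 1))
    done
    echo "$i"
}

# for + if/test: count the readable files among the arguments.
count_readable() {
    c=0
    for f in "$@"; do
        if [ -r "$f" ]; then
            c=$((c + 1))
        fi
    done
    echo "$c"
}
```

Save it as a file, source it with `. ./script.sh`, and try `printf 'a\n\nb\nquit\nc\n' | read_until_quit`: the blank line is skipped and nothing after "quit" is counted, so the result is 2.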
• 39. RHCE: Red Hat Certified Engineer, Session 9 (M. A. Agheli)
• 41. Basic X Concepts
  - X Client
  - X Server
  - X Protocol
• 42. Basic X Concepts
  - X Window Manager
  - X Desktop Manager
  - X Display Manager
• 43. Installing X
  1. Determine the proper X server
  2. Install the proper packages
• 44. X Server Selection
  - XFree86-*
  Install the packages:
  - freetype
  - gtk+
  - XFree86-libs
  - XFree86-75dpi-fonts
  - redhat-config-xfree86
  - XFree86-xfs
  - XFree86-xdm
  - XFree86-twm
  - XFree86-tools
  - xinitrc
• 45. Configuring X
  - redhat-config-xfree86
  - xvidtune
• 46. Important X Directories & Files
  - /usr/X11R6/bin
  - /etc/X11
  - /etc/X11/XF86Config
• 47. Configure and Use PPP
  - 'redhat-config-network-tui' command in text mode
  - Modem configuration files
  - kppp command in X Window
• 48. RHCE: Red Hat Certified Engineer, Session 10 (M. A. Agheli)
• 49. Network Basics
  - IP (network & host portion)
      192.168.168.1   : 11000000.10101000.10101000.00000001
      Static IP / Dynamic IP
  - Netmask address
      255.255.255.0   : 11111111.11111111.11111111.00000000
  - Network address
      192.168.168.0   : 11000000.10101000.10101000.00000000
  - Broadcast address
      192.168.168.255 : 11000000.10101000.10101000.11111111
• 50. Classful Addressing System
  - Network classes
      Class A  1.0.0.0-126.0.0.0    (8 bits)
      Class B  128.0.0.0-191.0.0.0  (16 bits)
      Class C  192.0.0.0-223.0.0.0  (24 bits)
  - Reserved IP
      127.0.0.0-127.255.255.255  (loopback addresses)
      224.0.0.0-239.255.255.255  (multicast protocols)
      240.0.0.0-255.255.255.255  (not used)
  - Public & private networks (valid & invalid IPs)
      10.0.0.0-10.255.255.255
      172.16.0.0-172.31.255.255
      192.168.0.0-192.168.255.255
• 51. Classless Addressing System (Subnet)
  Net. Addr.: 192.168.168.0 = 11000000.10101000.10101000.00000000
  Netmasks:
      255.255.255.0   (/24) : 11111111.11111111.11111111.00000000
      255.255.255.128 (/25) : 11111111.11111111.11111111.10000000
      255.255.255.192 (/26) : 11111111.11111111.11111111.11000000
      255.255.255.224 (/27) : 11111111.11111111.11111111.11100000
      255.255.255.240 (/28) : 11111111.11111111.11111111.11110000
      255.255.255.248 (/29) : 11111111.11111111.11111111.11111000
      255.255.255.252 (/30) : 11111111.11111111.11111111.11111100
      255.255.255.254 (/31) : 11111111.11111111.11111111.11111110
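The arithmetic behind slides 49 and 51, as an added shell example that is not part of the deck: it converts a dotted quad to the binary form the slides print, builds a netmask from a prefix length, and derives the network and broadcast addresses by AND-ing with the mask and OR-ing with the inverted mask. It goes beyond the slides' /24 case to any prefix from 1 to 32; the function names and the sample addresses are the example's own.

```sh
#!/bin/sh
# Added example (not from the slides): IP / netmask arithmetic in POSIX sh.

# Print one octet (0-255) as eight binary digits.
octet_to_bin() {
    n=$1; s=""
    for bit in 128 64 32 16 8 4 2 1; do
        if [ $(( n & bit )) -ne 0 ]; then s="${s}1"; else s="${s}0"; fi
    done
    printf '%s' "$s"
}

# 192.168.168.1 -> 11000000.10101000.10101000.00000001 (slide 49 notation)
ip_to_bin() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '%s.%s.%s.%s\n' "$(octet_to_bin "$1")" "$(octet_to_bin "$2")" \
                          "$(octet_to_bin "$3")" "$(octet_to_bin "$4")"
}

# Dotted quad <-> 32-bit integer, so the mask can be applied with & and |.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (1..32) -> dotted netmask: /24 -> 255.255.255.0, /26 -> 255.255.255.192
prefix_to_mask() {
    int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Network address = IP AND mask.
network_address() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$(prefix_to_mask "$2")") ))
}

# Broadcast address = network OR (NOT mask), kept to 32 bits.
broadcast_address() {
    mask=$(ip_to_int "$(prefix_to_mask "$2")")
    int_to_ip $(( ($(ip_to_int "$1") & mask) | (~mask & 0xFFFFFFFF) ))
}

# Usable hosts in the block: 2^(32-prefix) minus network and broadcast.
host_count() {
    echo $(( (1 << (32 - $1)) - 2 ))
}

# Stand-alone use: ./subnet.sh 192.168.168.1 24
if [ -n "${1:-}" ]; then
    ip=$1; prefix=${2:-24}
    printf 'IP         %-16s %s\n' "$ip" "$(ip_to_bin "$ip")"
    printf 'Netmask    %-16s %s\n' "$(prefix_to_mask "$prefix")" "$(ip_to_bin "$(prefix_to_mask "$prefix")")"
    printf 'Network    %-16s %s\n' "$(network_address "$ip" "$prefix")" "$(ip_to_bin "$(network_address "$ip" "$prefix")")"
    printf 'Broadcast  %-16s %s\n' "$(broadcast_address "$ip" "$prefix")" "$(ip_to_bin "$(broadcast_address "$ip" "$prefix")")"
    printf 'Hosts      %s\n' "$(host_count "$prefix")"
fi
```

Running it with 192.168.168.1 24 reproduces the four lines of slide 49; with 192.168.168.200 26 it shows that the same /24 splits into four /26 blocks and that .200 belongs to the 192.168.168.192 block whose broadcast is 192.168.168.255.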
• 52. TCP/IP Model (1)
  - Application protocols
  - Transport protocols
  - Internet protocols
  - Network access protocols
• 53. TCP/IP Model (2)
  - Network access protocols: all functions necessary to access the physical network
  - Internet protocols:
      IP (Internet Protocol, connectionless)
      ICMP (Internet Control Message Protocol)
• 54. TCP/IP Model (3)
  - Transport protocols:
      TCP (Transmission Control Protocol): connection-based
      UDP (User Datagram Protocol): connectionless
  - Application protocols:
      Privileged ports (0-1023)
      /etc/services
• 55. Types of TCP/IP Services
  - Stand-alone
  - xinetd (and its config)
• 56. Related TCP/IP Commands
  - ps x
  - netstat -ap --inet | grep LISTEN
  Controlling TCP/IP daemons:
  - Start the daemon
  - Stop the daemon
  - Restart the daemon
  - Status of the daemon
• 57. RHCE: Red Hat Certified Engineer, Session 11 (M. A. Agheli)
• 58. Network Configuration
  - Initializing network hardware: load the related module
  - Network configuration tools: netconfig, redhat-config-network
• 59. Network Configuration
  - Other network tools: ifconfig, ping, traceroute, netstat, tcpdump, nmap, tethereal, iptraf
• 60. Network Configuration
  - Network configuration files:
      /etc/hosts
      /etc/host.conf
      /etc/services
      /etc/resolv.conf
      /etc/sysconfig/network
      /etc/sysconfig/network-scripts/*
  - IP aliasing
• 61. RHCE: Red Hat Certified Engineer, Session 12 (M. A. Agheli)
• 62. DHCP
  - Advantages & disadvantages of DHCP
  - DHCP server configuration: /etc/dhcpd.conf, /var/lib/dhcp/dhcpd.leases
  - DHCP client configuration: netconfig command
• 63. An Example of dhcpd.conf

  ddns-update-style ad-hoc;
  subnet 192.168.0.0 netmask 255.255.255.0 {
      range 192.168.0.1 192.168.0.25;
      option routers 192.168.0.1;
      option subnet-mask 255.255.255.0;
      option domain-name "domain.com";
      option domain-name-servers 192.168.1.1;
      default-lease-time 21600;
      max-lease-time 43200;
      # we want the nameserver to appear at a fixed address
      host dns1 {
          hardware ethernet 12:34:56:78:AB:CD;
          fixed-address 192.168.0.20;
      }
  }

  Note that the fixed address 192.168.0.20 lies inside the dynamic range 192.168.0.1-192.168.0.25; on a real server choose the fixed-address outside the range so dhcpd can never lease the same address to another client.
• 64. dhcpd.leases Format

  lease 192.168.1.8 {
      starts 3 2004/04/12 09:34:12;
      ends 6 2004/07/15 23:49:57;
      hardware ethernet 00:09:e6:88:0a:05;
  }
  ...
• 65. NFS (2004 August)
  - Related daemons: rpc.nfsd, rpc.portmap, rpc.mountd
  - Installation: nfs-utils, portmap
• 66. NFS Configuration
  - Server side:
      Edit the /etc/exports file:  PATH  host_list(options)
      Run the 'exportfs -r' command
      'redhat-config-nfs' command
  - Client side:
      mount -t nfs server:PATH mountpoint
      Edit the '/etc/fstab' file:  server:PATH  mountpoint  nfs  ro  0 0
• 67. SAMBA (1)
  - Related services: smbd, nmbd
  - Related packages: samba, samba-common, samba-client
• 68. SAMBA (2)
  - Server configuration: global directives, service directives
  - Client configuration:
      smbmount //server/share /mountpoint
      smbclient //server/share
  - Configuration with SWAT
• 69. RHCE: Red Hat Certified Engineer, Session 13 (M. A. Agheli)
• 70. TCP/IP Services
  [Diagram: a client process and a server process, each bound to a port]
  1. Server binds to a port and listens
  2. Client binds to a port
  3. Client connects to the server
  4. Server designates a port for the connection
  5. Client and server communicate
• 71. Remote Login
  - Telnet: server & client
  - SSH: server & client
• 72. The Apache Web Server
  - Modules: mod_auth, mod_info, mod_php, mod_include, mod_perl, mod_ssl
• 73. Installing Apache
  - rpm -Uvh httpd-[^d]*.rpm
  - rpm -Uvh httpd-devel*.rpm  (needed to build Apache modules)
• 74. Basic Configuration
  - httpd.conf
      Section 1: the global environment
      Section 2: the main configuration
      Section 3: the virtual host configuration
• 75. Apache Advanced Configuration
  - Authentication in Apache
  - Configure with PHP
  - Configure with SSL
  - Configure virtual hosts
• 76. Authentication in Apache

  <Location /dir_name>
      AuthType Basic
      AuthName "NAME"
      AuthUserFile ".htpasswd"
      Require valid-user
  </Location>

  - Create the '/etc/httpd/.htpasswd' file
  - Configure the 'httpd.conf' file

  Basic authentication sends the password only base64-encoded, not encrypted, so protect such a Location with SSL (slide 77).
• 77. Configure Apache with PHP
  - rpm -Uvh php-4*.rpm
  Configure Apache with SSL
  - rpm -Uvh mod_ssl*.rpm
• 78. Configure Virtual Host

  <VirtualHost 127.0.0.2>
      ServerAdmin webmaster@vh.com
      DocumentRoot /var/www/html/vh/
      ServerName www.vh.com
  </VirtualHost>

  - Configure the '/etc/hosts' file
  - Configure the 'httpd.conf' file
• 79. Apache Administration
  - Start
  - Stop
  - Restart
  - Reload
  - Status
• 80. Troubleshooting Apache
  - /var/log/messages
  - /var/log/httpd/
  - /usr/sbin/httpd -S  (for virtual hosts)
• 81. Securing Your Network
  - Using the 'lokkit' or 'redhat-config-securitylevel' command
  - Password & physical security
  - Securing TCP/IP
  - Using Tripwire
  - Keeping up-to-date on Linux security issues
• 82. RHCE: Red Hat Certified Engineer, Session 14 (M. A. Agheli)
• 83. FTP
  - Installation: rpm -ivh vsftp*.rpm
  - Config file: /etc/vsftpd/vsftpd.conf
  - Access levels:
      Anonymous access (anonymous_enable)
      User access (needs tcp_wrappers)
• 84. Cache Server (Squid)
  - Install squid: rpm -ivh squid*.rpm
  - Managing squid: start, stop, restart, status, reload
• 85. Squid Log Files
  - /var/log/squid/access.log  (cache_access_log)
  - /var/log/squid/cache.log   (cache_log)
  - /var/log/squid/store.log   (cache_store_log)
• 86. An Example of 'squid.conf'

  http_port 8081
  cache_effective_user squid
  cache_effective_group squid
  acl all src 0.0.0.0/0.0.0.0
  http_access allow all
  cache_dir ufs /cache 1024 16 32
  visible_hostname ws1

  'acl all src 0.0.0.0/0.0.0.0' together with 'http_access allow all' accepts requests from any source, which makes the server an open proxy; on a production server allow only an ACL for the local networks and finish with 'http_access deny all'.
• 87. Running Squid
  - service squid start
  - squid -d1 -z
  - squid -d1 -f /etc/squid/squid.conf
• 88. The Kinds of Proxies
  - Upstream proxy:
      cache_peer yourproxy.com parent 3128 3130
      prefer_direct off
  - Transparent proxy:
      httpd_accel_host virtual
      httpd_accel_port 80
      httpd_accel_with_proxy on
      httpd_accel_uses_host_header on
• 89. RHCE: Red Hat Certified Engineer, Session 15 (M. A. Agheli)
• 90. Configuring a Linux Router
  - Configuring the kernel: IP: advanced router
  - Enable IP forwarding:
      Add 'net.ipv4.ip_forward=1' to /etc/sysctl.conf
      echo "1" > /proc/sys/net/ipv4/ip_forward
• 91. Types of Routes
  - Static route
  - Dynamic route
• 92. Components of Routing Rules
  - Destination IP address
  - An interface
  - An optional gateway IP address
• 93. Routing Command
  - route add -net net_addr netmask mask_addr interface
  - route add -host ip_addr interface
  - route add default gateway ip_addr interface
• 95. Related Rules
  - route add -net 192.168.1.0 netmask 255.255.255.0 eth0
  - route add -net 192.168.100.0 netmask 255.255.255.0 eth1
  - route add -net 10.1.1.0 netmask 255.255.255.0 eth2
  - route add default gateway 10.1.1.2 eth2
• 96. Result

  Destination    Gateway   Genmask          Flags  Metric  Ref  Use  Iface
  192.168.1.1    *         255.255.255.255  UH     0       0    0    eth0
  192.168.100.1  *         255.255.255.255  UH     0       0    0    eth1
  10.1.1.1       *         255.255.255.255  UH     0       0    0    eth2
  192.168.1.0    *         255.255.255.0    U      0       0    0    eth0
  192.168.100.0  *         255.255.255.0    U      0       0    0    eth1
  10.1.1.0       *         255.255.255.0    U      0       0    0    eth2
  0.0.0.0        10.1.1.2  0.0.0.0          UG     0       0    0    eth2
  127.0.0.0      *         255.0.0.0        U      0       0    0    lo

  Flags: U = network link is up; H = destination address refers to a host; G = gateway
• 98. How Email Is Sent and Received
  [Diagram: user1@mail1.com -> mail1 MTA -> ? -> mail2 MTA -> user2@mail2.com]
• 99. Concepts
  - MTA: Mail Transport Agent
      SMTP (server-to-server): Simple Mail Transport Protocol
      POP (mail access): Post Office Protocol
      IMAP (mail access): Interim Mail Access Protocol
  - MDA: Mail Delivery Agent
  - MUA: Mail User Agent
• 100. Advantages of Sendmail
  - Older MTA
  - Powerful MTA
  Disadvantages of Sendmail
  - Slow
  - High-load environments
  - Cryptic configuration
• 101. MTAs
  - Sendmail
  - Postfix
  - Exim
  - Qmail
  MUAs
  - Evolution, Kmail (KDE)
  - Balsa (GNOME)
  - Mozilla Mail
• 102. Required Packages
  - sendmail
  - sendmail-cf
  - imap (configure via xinetd; contains IMAP & POP3)
• 103. Sendmail Configuration
  - Configure the '/etc/mail/sendmail.mc' file:
      LOCAL_DOMAIN(`example.com')dnl
  - Run 'make -C /etc/mail/'
  - Configure DNS
• 104. Email Aliases
  - Edit the '/etc/aliases' file:
      postmaster: joseph
  - Run the 'newaliases' command
• 105. Rejecting Email
  - Edit the '/etc/mail/access' file:
      spam.com   REJECT
      yahoo.com  OK
  - service sendmail restart
• 106. RHCE: Red Hat Certified Engineer, Session 16 (M. A. Agheli)
• 108. Where do I look?
  - /etc/nsswitch.conf (name service switch)
      t@localhost:~$ cat /etc/nsswitch.conf
      hosts: files dns
• 109. Files
  - Search order determined by nsswitch.conf
  - It is polite to have /etc/hosts first!
      sjh@mccoy:~$ cat /etc/hosts
      127.0.0.1      localhost
      193.62.81.135  mccoy.tardis.ed.ac.uk mccoy
      193.62.81.134  baker.tardis.ed.ac.uk baker
      193.62.81.132  packages.tardis.ed.ac.uk packages
  • 110. 111 DNS TraversalDNS Traversal 1.1. Local filesLocal files 2.2. Dns server locallyDns server locally 3.3. Item in cache?Item in cache? 4.4. Root server, work your wayRoot server, work your way down…down…
  • 111. 112 Resolving NamesResolving Names Configuration Files for the LocalConfiguration Files for the Local Host Name Resolution (importantHost Name Resolution (important for testing)for testing)  /etc/resolv.conf/etc/resolv.conf  /etc/nsswitch.conf/etc/nsswitch.conf  /etc/host.conf/etc/host.conf
  • 112. 113 DNSDNS  BIND – Berkley Internet Name DaemonBIND – Berkley Internet Name Daemon  Dents – buggy as hell (still in alpha?)Dents – buggy as hell (still in alpha?)  Djbdns – Dan Bernstein’s DNS serverDjbdns – Dan Bernstein’s DNS server  Banyan VINES – don’t go there!Banyan VINES – don’t go there!
  • 113. 114 Named (name deeNamed (name dee((  /etc/named.conf:/etc/named.conf:  this defines a directory to store the DNS config filesthis defines a directory to store the DNS config files  Contains info about what zones we serve, and where to find configContains info about what zones we serve, and where to find config files!files!  Config file for named – tells us if we are master / slave, allow orConfig file for named – tells us if we are master / slave, allow or deny zone transfers, what the IPs of other master / slave serversdeny zone transfers, what the IPs of other master / slave servers are, etc.are, etc.  <DNSROOT>/root.hints:<DNSROOT>/root.hints:  Contains "pointers" to the Root ServersContains "pointers" to the Root Servers  <DNSROOT>/127.0.0:<DNSROOT>/127.0.0:  Config for reverse-lookup to the local host/subnetConfig for reverse-lookup to the local host/subnet  <DNSROOT>/<zone>:<DNSROOT>/<zone>:  Config for zoneConfig for zone  <DNSROOT>/<in-addr.arpa file><DNSROOT>/<in-addr.arpa file>  Config for reverse lookup for your zoneConfig for reverse lookup for your zone
  • 114. 115 A simple named.confA simple named.conf ## named.custom - custom configuration for bind## named.custom - custom configuration for bind zone "." {zone "." { type hint;type hint; file "root.lists";file "root.lists"; };}; options {options { directory "/var/named/";directory "/var/named/"; };}; zone "0.0.127.in-addr.arpa" {zone "0.0.127.in-addr.arpa" { type master;type master; file "127.0.0";file "127.0.0"; };}; zone "hq.alim.ir" {zone "hq.alim.ir" { type master;type master; file "hq.alim.ir";file "hq.alim.ir"; };}; zone "168.168.192.in-addr.arpa" {zone "168.168.192.in-addr.arpa" { type master;type master; file "192.168.168";file "192.168.168"; };};
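The slide's named.conf serves the zones but leaves zone transfers and recursion open to the world. The generator below is an added example, not configuration from the slides: it prints a hardened named.conf for the same three zones with an ACL for the LAN and one for the secondary server. The LAN (192.168.168.0/24) and the secondary (192.168.168.3) are assumed values taken from the slide's addresses; the acl names "lan" and "secondaries" are the example's own choice.

```shell
#!/bin/sh
# Hardened named.conf for the slide's zones. Added example (not from the
# slides). Assumptions: the LAN is the first argument, the only host allowed
# to AXFR the zones (the secondary) is the second; nothing else may recurse.

# hardened_named_conf LAN_CIDR SECONDARY_IP   -> prints a named.conf on stdout
hardened_named_conf() {
    lan="$1"; secondary="$2"
    cat <<EOF
// named.conf - only our clients may recurse, only our secondary may AXFR
acl "lan"         { 127.0.0.1; $lan; };
acl "secondaries" { $secondary; };

options {
    directory "/var/named/";
    allow-query     { any; };          // authoritative answers are public
    allow-recursion { lan; };          // not an open resolver for the Internet
    allow-transfer  { secondaries; };  // default for every zone: no public AXFR
    version "not disclosed";           // do not advertise the BIND version
};

zone "." {
    type hint;
    file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "127.0.0";
    allow-transfer { none; };          // nobody needs a copy of loopback
};
zone "hq.alim.ir" {
    type master;
    file "hq.alim.ir";
    also-notify { $secondary; };       // tell the secondary about new serials
};
zone "168.168.192.in-addr.arpa" {
    type master;
    file "192.168.168";
    also-notify { $secondary; };
};
EOF
}

# named_conf_has OPTION FILE -> 0 if the option is set with an address list
named_conf_has() { grep -Eq "^[[:space:]]*$1[[:space:]]+\{" "$2"; }

tmp=$(mktemp -d)
hardened_named_conf 192.168.168.0/24 192.168.168.3 > "$tmp/named.conf"
for opt in allow-recursion allow-transfer; do
    if named_conf_has "$opt" "$tmp/named.conf"; then
        echo "$opt: restricted"
    else
        echo "$opt: MISSING, open to the world"
    fi
done
# on the real server: named-checkconf /etc/named.conf && service named reload
```

After installing it, repeat the slide's dig ... AXFR from a host outside the secondaries ACL; the expected result is "Transfer failed", and dig +recurse for an outside name should be refused.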
  • 115. 116 DNS Data
    DNS databases contain more than just hostname-to-address records:
    - SOA – Start Of Authority – it is the daddy!
    - IN NS – Name Server
    - IN MX – Mail eXchanger
    - IN A – Address record
    - IN CNAME – Canonical NAME (an alias for another name)
  • 116. 117 A simple zone file (hq.alim.ir)
      $TTL 3D
      @   IN SOA hq.alim.ir. root.hq.alim.ir. (
              199609206   ; serial, today's date + today's serial #
              8H          ; refresh
              2H          ; retry
              4W          ; expire
              1D )        ; minimum
          NS      hq.alim.ir.
          MX      10 hq.alim.ir.   ; Primary Mail Exchanger
          TXT     "Alim IT Center"
      localhost     A       127.0.0.1
      router        A       192.168.168.1
      hq.alim.ir.   A       192.168.168.2
      ns            A       192.168.168.3
      www           A       207.159.141.192
      ftp           CNAME   hq.alim.ir.
      mail          CNAME   hq.alim.ir.
      news          CNAME   hq.alim.ir.
    ($TTL was missing from the original slide; BIND 9 warns and falls back to the SOA minimum without it. Names ending in "." are absolute; all others get the zone name appended.)
  • 117. 118 A simple in-addr.arpa file (192.168.168)
      $TTL 3D
      @   IN SOA hq.alim.ir. root.hq.alim.ir. (
              199609206   ; Serial
              28800       ; Refresh
              7200        ; Retry
              604800      ; Expire
              86400 )     ; Minimum TTL
          NS      hq.alim.ir.
      ; Servers
      1     PTR     router.hq.alim.ir.
      2     PTR     hq.alim.ir.
      2     PTR     funn.hq.alim.ir.
      ; Workstations
      200   PTR     ws-177200.hq.alim.ir.
      201   PTR     ws-177201.hq.alim.ir.
      202   PTR     ws-177202.hq.alim.ir.
  • 118. 119 Forward DNS
    hq.alim.ir (as per /etc/named.conf)
    - SOA – Start Of Authority – it is the daddy!
    - IN NS – Name Server
    - IN MX – Mail eXchanger
    - IN A – Address record
    - IN CNAME – Canonical NAME
  • 119. 120 Reverse DNS
    192.168.168 (as per /etc/named.conf)
    - SOA
    - IN NS
    - IN PTR – Pointer (address back to name)
  • 120. 121 DNS Round Robin
    Fault tolerance? Through nifty DNS hacks:
      www.teviot.com.   60   IN   A   10.0.1.100
      www.teviot.com.   60   IN   A   10.0.2.100
      www.teviot.com.   60   IN   A   10.0.3.100
    The 60 is a per-record TTL, kept short so that a removed address stops being handed out quickly.
  • 121. 122 Common Mistakes
    - Forgetting to increment the serial number! (slaves will never pull the change)
    - CNAME pointing at another CNAME!
    - Forgetting the "." in appropriate places! (a missing trailing dot turns hq.alim.ir into hq.alim.ir.hq.alim.ir)
    - Underscores in hostnames!
    - Forgetting to reload the daemon!
    - Version control issues – clobbering changes!
    - TTL issues
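Most of the mistakes on the list can be caught before named ever loads the file. The linter below is an added example, not code from the slides: zone_lint reports CNAME chains, CNAME targets that look absolute but lack the trailing dot, and underscores in owner names, and zone_bump_serial rewrites the SOA serial to YYYYMMDDnn, adding one if the zone was already bumped today. It assumes the slide's layout, where the serial sits on its own line after the SOA line; the sample zone is constructed from the slide's records plus two deliberately broken lines (pop, web_01).

```shell
#!/bin/sh
# Zone file checks for the "Common Mistakes" list. Added example (not from
# the slides). Assumption: the SOA serial is on its own line, as on the slide.

# zone_lint FILE ORIGIN  -> prints one line per mistake, returns 1 if any
zone_lint() {
    file="$1"; origin="$2"
    awk -v origin="$origin" '
        function rel(n,   o) {                 # strip trailing dot and origin
            if (n ~ /\.$/) n = substr(n, 1, length(n) - 1)
            o = "." origin
            if (length(n) > length(o) && substr(n, length(n) - length(o) + 1) == o)
                n = substr(n, 1, length(n) - length(o))
            return n
        }
        /^[ \t]*;/ || NF == 0 { next }
        {
            sub(/;.*$/, "")                    # drop a trailing comment
            for (i = 2; i <= NF; i++) if ($i == "CNAME") {
                owner = $1; raw = $NF
                if (raw ~ /\./ && raw !~ /\.$/) {   # looks absolute, is relative
                    printf "RELATIVE TARGET: %s CNAME %s expands to %s.%s\n", owner, raw, raw, origin
                    bad++
                }
                cname[owner] = rel(raw)
            }
            if ($1 ~ /_/) { printf "UNDERSCORE: %s is not a valid hostname\n", $1; bad++ }
        }
        END {
            for (o in cname) {                 # CNAME whose target is a CNAME
                t = cname[o]
                if (t in cname) { printf "CHAIN: %s -> %s -> %s\n", o, t, cname[t]; bad++ }
            }
            exit (bad > 0)
        }
    ' "$file"
}

# zone_serial FILE -> prints the current SOA serial
zone_serial() {
    awk '/[ \t]SOA[ \t]/ { insoa = 1 }
         insoa && $1 ~ /^[0-9]+$/ { print $1; exit }' "$1"
}

# zone_bump_serial FILE [YYYYMMDD] -> prints the zone with a fresh serial
zone_bump_serial() {
    file="$1"; base="${2:-$(date +%Y%m%d)}"
    awk -v base="$base" '
        /[ \t]SOA[ \t]/ { insoa = 1 }
        insoa && $1 ~ /^[0-9]+$/ {
            new = base * 100 + 1                 # first change today: YYYYMMDD01
            if ($1 + 0 >= new) new = $1 + 1      # already bumped today: +1
            sub(/[0-9]+/, new); insoa = 0
        }
        { print }
    ' "$file"
}

# Constructed sample: the slide's zone plus two deliberate mistakes
tmp=$(mktemp -d)
zone_demo="$tmp/hq.alim.ir"
cat > "$zone_demo" <<'EOF'
$TTL 3D
@   IN SOA hq.alim.ir. root.hq.alim.ir. (
        199609206   ; serial
        8H          ; refresh
        2H          ; retry
        4W          ; expire
        1D )        ; minimum
    NS      hq.alim.ir.
    MX      10 hq.alim.ir.
router      A       192.168.168.1
ns          A       192.168.168.3
ftp         CNAME   hq.alim.ir.
mail        CNAME   hq.alim.ir.
pop         CNAME   mail          ; CNAME -> CNAME chain
web_01      CNAME   hq.alim.ir    ; underscore and missing trailing dot
EOF
zone_ok="$tmp/hq.alim.ir.clean"
grep -v -e '^pop' -e '^web_01' "$zone_demo" > "$zone_ok"

zone_lint "$zone_demo" hq.alim.ir || echo "zone has mistakes, fix before reloading"
zone_bump_serial "$zone_demo" > "$zone_demo.bumped"
echo "serial $(zone_serial "$zone_demo") -> $(zone_serial "$zone_demo.bumped")"
```

Wire it in before the reload step: zone_lint the file, bump the serial into a new file, then named-checkzone hq.alim.ir FILE and rndc reload; the slave pulls the zone only when the new serial is larger than the one it holds.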
  • 122. 123 Test Tools
    - nslookup
    - dig
        dig mail.hq.alim.ir                   (forward lookup)
        dig -x 192.168.168.2                  (reverse lookup)
        dig 168.168.192.in-addr.arpa. AXFR    (pull the whole zone: this should only succeed from hosts your allow-transfer permits, so run it from outside to confirm it fails)
    - whois
    - http://www.squish.net/dnscheck/ – James Ponder's DNS check web page
  • 123. 124 RHCE Red Hat Certified Engineer, M. A. Agheli, Session 17
  • 124. 125 Firewall
    Required properties:
    - Control: allow only those packets that you are interested in to pass through.
    - Security: reject packets from malicious outsiders.
    - Watchfulness: log packets to/from the outside world.
  • 125. 126 Firewall Types
    - Packet filtering (stateless, or stateful: decisions use the connection a packet belongs to)
    - Proxy-based firewall
  • 126. 127 Packet Filter under Linux
    - 1st generation: ipfw (from BSD)
    - 2nd generation: ipfwadm (Linux 2.0)
    - 3rd generation: ipchains (Linux 2.2)
    - 4th generation: iptables (Linux 2.4 & 2.6)
  • 127. 128 Installing iptables
    The kernel must support iptables:
    - Networking Options -> TCP/IP Networking -> Network Packet Filtering
    - Networking Options -> TCP/IP Networking -> IP: advanced router -> *
    - Networking Options -> IP: Netfilter Configuration -> *
    For packet traffic control:
    - Networking Options -> QoS and/or fair queueing -> *
    Then install the userspace tool:
      # rpm -ivh iptables-1.2.6a-2.i386.rpm
  • 128. 129 Chains of Tables
    - INPUT: controls packets entering your system
    - OUTPUT: controls packets leaving your system
    - FORWARD: controls which packets can move from one network to another through your system
  • 130. 131 The path of a packet (1)
    1. When a packet comes in, the kernel first looks at the destination of the packet: this is called routing.
    2. If it is destined for this box it passes downwards in the diagram to the INPUT chain. If the chain accepts it, any process waiting for that packet will receive it. If it is not for this box, go to step 3.
  • 131. 132 The path of a packet (2)
    3. If forwarding is not enabled (net.ipv4.ip_forward = 0) the packet is dropped. If forwarding is enabled and the packet is destined for another network interface, it goes rightwards in the diagram to the FORWARD chain; if that chain accepts it, it is sent out.
    4. Packets generated by a local process go straight to the OUTPUT chain; if it says ACCEPT, the packet is sent out.
  • 132. 133 Packet Status in iptables (connection tracking states)
    - NEW: the first packet of a connection
    - ESTABLISHED: belongs to a connection that has seen packets in both directions
    - RELATED: starts a new connection that is associated with an existing one (e.g. an FTP data connection, ICMP errors)
    - INVALID: cannot be associated with any known connection
  • 133. 134 Results of Packet Checking (targets)
    - ACCEPT: let the packet through
    - DROP: discard it silently
    - REJECT: discard it and send an error (e.g. ICMP port unreachable or TCP RST) back to the sender
    - ...
  • 134. 135 Tables of iptables
    - filter (the default: accept/drop decisions)
    - nat (address translation)
    - mangle (packet alteration, e.g. TOS/TTL/marks)
  • 135. 136 The Path of a Packet in iptables
    Network
      -> mangle PREROUTING
      -> nat PREROUTING (Destination NAT)
      -> routing decision
           destined for this host: mangle INPUT -> filter INPUT -> local process
             local process -> routing decision -> mangle OUTPUT -> nat OUTPUT -> filter OUTPUT
           destined elsewhere (based on routing): mangle FORWARD -> filter FORWARD
      -> mangle POSTROUTING
      -> nat POSTROUTING (Source NAT)
    -> Network
  • 136. 137 Tables and their chains (* = chain exists in this table)
      Table     INPUT   OUTPUT   FORWARD   PREROUTING   POSTROUTING
      mangle      *       *        *          *            *
      nat         -       *        -          *            *
      filter      *       *        *          -            -
    (Kernels from 2.6.34 onwards also give the nat table an INPUT chain.)
  • 137. 138 Building a Rule: source/destination
    iptables -s 200.200.200.1
    - Matches packets from a specific IP address (shown alone here; a complete rule also needs a chain and a target, see the following slides).
    - The "-s" refers to the source of the packet, where the packet is coming from.
    - A corresponding "-d" refers to the destination, where the packet is going to.
  • 138. 139 Building a Rule: action
    iptables -s 200.200.200.1 -j DROP
    - The "-j" determines what happens to the matching packet (the target).
    Building a Rule: IP address ranges
    iptables -s 200.200.200.0/24 -j DROP
    - Matches IPs of the form 200.200.200.*
    - The "/24" is the number of bits that are fixed, counting from the left.
  • 139. 140 Other Actions
    - REDIRECT (nat table): sends the packet to a local port, e.g. a transparent proxy
    - LOG: logs packets as they match the rule, then continues with the next rule (it does not stop the packet)
    - RETURN: stops traversing the current user-defined chain and resumes in the chain that called it (in a built-in chain the chain policy applies)
  • 140. 141 Building a Rule: appending rules to chains
    iptables -A INPUT -s 200.200.200.1 -j DROP
    - The "-A" appends the rule to a chain
    - "INPUT" names the chain
    - This command makes your system ignore all packets from 200.200.200.1
    iptables -A OUTPUT -d 200.200.200.1 -j DROP
    - This command does not allow your system to send packets to 200.200.200.1
  • 141. 142 Building a Rule: only blocking some packets
    iptables -A INPUT -s 200.200.200.1 -p tcp --destination-port telnet -j DROP
    - The "-p" specifies a protocol: tcp, udp or icmp (or all)
    - "--destination-port" is where the packet is going; it requires "-p tcp" or "-p udp"
    - You can use the service name (from /etc/services) or the port number; 23 would do in this example
    - Keep in mind that the source port is very different from the destination port. Here the inbound packet is going to your telnet server; the telnet client that is sending it could be running on any port.
    - --dport == --destination-port
    - --sport == --source-port
  • 142. 143 Building a Rule: multiple network interfaces
    Assume your machine has two interface cards: one to a LAN, named eth0, and the other to the Internet, named ppp0.
    iptables -A INPUT -p tcp --dport telnet -i ppp0 -j DROP
    - The "-i" option specifies the input interface
    - There is also a "-o" option for the output interface
    iptables -A INPUT -p tcp --dport telnet -i eth0 -j ACCEPT
    Together these rules accept telnet requests from the LAN but block telnet requests from the Internet.
  • 143. 144 Building a Rule: chain policies
    iptables -P FORWARD ACCEPT
    - The "-P" option followed by a built-in chain name and a target sets the default policy of the chain. If no rule in the chain matches, this default action is taken. Only ACCEPT and DROP are valid policies.
    - The usual policies are
      INPUT = ACCEPT
      OUTPUT = ACCEPT
      FORWARD = DROP (DENY was the ipchains name; iptables has no DENY target)
    A deny-by-default firewall sets INPUT to DROP as well and then accepts only what it needs.
  • 144. 145 Building a Rule: adding rules to chains
    iptables -A INPUT -s 200.200.200.1 -j DROP
    - Appends the rule to the end of the chain
    iptables -I INPUT 3 -s 200.200.200.1 -j DROP
    - Inserts the rule as rule 3 in the chain, moving all other rules down by one
    iptables -R INPUT 3 -s 200.200.200.1 -j DROP
    - Replaces rule 3 in the chain
    iptables -D INPUT 3
    - Deletes rule 3 in the chain
  • 145. 146 Operations to manage whole chains
    -N   Create a new chain
    -X   Delete an empty chain
    -P   Change the policy for a built-in chain
    -L   List the rules in a chain
    -F   Flush the rules out of a chain
    -Z   Zero the packet and byte counters on all rules in a chain
  • 146. 147 Manipulate rules inside a chain
    -A   Append a new rule to a chain
    -I   Insert a new rule at some position in a chain
    -R   Replace a rule at some position in a chain
    -D   Delete a rule at some position in a chain
    -D   Delete the first rule that matches in a chain
  • 147. 148 An Example
    - LAN hosts 192.168.1.5, 192.168.1.6 and 192.168.1.7, each with gateway 192.168.1.1
    - Firewall 192.168.1.1 with two interfaces, eth0 and eth1: one to the Internet, one to the LAN
    - Web server
    - SSH server, accessible ONLY via the LAN
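The slides build rules one flag at a time; the script below puts them together for the example network as a complete, deny-by-default rule set. It is an added example, not code from the slides, and it makes two assumptions the diagram does not settle: eth0 faces the Internet and eth1 the LAN (192.168.1.0/24), and the web server and the LAN-only SSH server run on the firewall host itself. The function prints the iptables commands rather than running them, so it can be reviewed (and checked) on any machine and piped to sh as root on the real firewall.

```shell
#!/bin/sh
# Rule set for the "An Example" network. Added example (not from the slides).
# Assumptions: eth0 = Internet, eth1 = LAN 192.168.1.0/24, web and ssh
# servers run on the firewall host itself, LAN hosts reach the Internet via NAT.

# firewall_rules WAN_IF LAN_IF LAN_NET   -> prints the iptables commands
firewall_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
# start from a clean, deny-by-default filter table (OUTPUT stays open)
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback, and replies to connections this host started
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# anti-spoofing: LAN source addresses never arrive on the Internet card
iptables -A INPUT -i $wan -s $net -j DROP
iptables -A FORWARD -i $wan -s $net -j DROP
# web server: new connections from anywhere
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# ssh: new connections only if they arrive on the LAN card from a LAN address
iptables -A INPUT -i $lan -s $net -p tcp --dport 22 -m state --state NEW -j ACCEPT
# everything else aimed at port 22 is logged, then falls through to the DROP policy
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh-outside: "
# LAN hosts may reach the Internet; only replies are forwarded back in
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
# the FORWARD chain is never consulted unless the kernel routes at all
sysctl -w net.ipv4.ip_forward=1
EOF
}

# ssh_accept_without_lan_if RULES LAN_IF -> 0 if some rule ACCEPTs port 22
# without restricting it to the LAN interface (the mistake to catch)
ssh_accept_without_lan_if() {
    printf '%s\n' "$1" | grep -- '--dport 22' | grep -- '-j ACCEPT' | grep -vq -- "-i $2"
}

rules=$(firewall_rules eth0 eth1 192.168.1.0/24)
printf '%s\n' "$rules"
# on the firewall, as root:  firewall_rules eth0 eth1 192.168.1.0/24 | sh
```

Order matters: the anti-spoofing and ESTABLISHED rules sit before the service rules so that a forged 192.168.1.x source on eth0 never reaches the SSH rule, and the LOG rule is deliberately last among the port-22 rules because LOG does not terminate rule traversal. Check the result with iptables -L -v -n and, from the Internet side, nmap -p 22,80 against the public address: 80 open, 22 filtered.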
  • 148. 149 RHCE Red Hat Certified Engineer, M. A. Agheli, Session 18: Advanced
  • 149. 150 Traffic Shaping (CBQ)
    - /etc/rc.d/init.d/cbq.init (http://ovh.dl.sourceforge.net/sourceforge/cbqinit/cbq.init-v0.7.3)
    - Install the 'shapecfg' RPM
    - One class definition file per class in /etc/sysconfig/cbq/ (class ids 0002-FFFF)
    - /etc/rc.d/init.d/cbq.init start
  • 150. 151 Sample CBQ Configuration
      DEVICE=eth0,10Mbit,1Mbit
      RATE=10Kbit
      PRIO=5
      RULE=:21,192.168.1.0/24
    (DEVICE is interface, bandwidth, weight; RATE is the class rate, written without a space; RULE is [saddr][:sport],[daddr][:dport], so this class shapes traffic from source port 21 towards 192.168.1.0/24.)

Editor's notes (speaker notes attached to the slides)
  1. See print out.
  2. CNAMEs should only point at A records. RR – Resource Record. LOC – GPS location. HINFO – Hardware Info. See print out.
  7. See print out.
  8. The 60s on the round-robin slide are per-record TTLs that override the default TTL ($TTL or the SOA minimum). Worth noting that the order in which the addresses come back is not fixed: the server rotates or shuffles them (rrset-order) and a resolver may re-sort them (sortlist), and a dead address keeps being handed out until it is removed from the zone and the TTL has expired, so this is load distribution rather than real fault tolerance. Mention hesiod – home directory locations through DNS, and other such stuff.