2.
History Of UNIX & Linux
1957: Bell Labs found they needed an operating system, which at the time was running various batch jobs.
1965: Bell Labs create Multics (Multiplexed Information and Computing Service)
1969: Summer 1969 UNIX was developed by AT&T
1975: Sixth edition of UNIX released May 1975
1985: GNU project started
1991: Linux is introduced by Linus Benedict Torvalds, who was a second year student of Computer Science at the University of Helsinki
1993: NetBSD & FreeBSD released
1994: Red Hat Linux is introduced
3.
First Article About Linux
From: torvalds@klaava.Helsinki.FI (Linus Benedict Torvalds)
Newsgroups: comp.os.minix
Subject: What would you like to see most in minix?
Summary: small poll for my new operating system
Message-ID: <1991Aug25.205708.9541@klaava.Helsinki.FI>
Date: 25 Aug 91 20:57:08 GMT
Organization: University of Helsinki
Hello everybody out there using minix -
I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones. This has been brewing since april, and is starting to get ready. I'd like any feedback on things people like/dislike in minix, as my OS resembles it somewhat (same physical layout of the file-system (due to practical reasons) among other things). I've currently ported bash(1.08) and gcc(1.40), and things seem to work. This implies that I'll get something practical within a few months, and I'd like to know what features most people would want. Any suggestions are welcome, but I won't promise I'll implement them :-)
Linus (torvalds@kruuna.helsinki.fi)
PS. Yes - it's free of any minix code, and it has a multi-threaded fs. It is NOT portable (uses 386 task switching etc), and it probably never will support anything other than AT-harddisks, as that's all I have :-(.
4.
GNU & GPL
GNU Project: Focused on creating a Unix-like operating system that could be freely distributed
GPL: Global Public License (Copyleft)
5.
Major Linux Distributors
Caldera Linux
Corel Linux
Debian Linux
Kondara Linux
Red Hat Linux
Mandrake Linux
Slackware Linux
SuSE Linux
Turbo Linux
Vector Linux
6.
The Advantage of Linux
Low purchase cost
Open Source Software (OSS)
UNIX heritage
Multi User
Scalability
Vendor support
Reliable uptime
Security
Logging System
…
7.
The Disadvantage of Linux
Steep learning curve
Hardware support
End-user applications
8.
A Comparison Of Win 9x, NT, and Linux
Feature                 | Win 9x    | Win NT | Linux
Scalability             | Poor      | Good   | Good
Desktop App. Support    | Excellent | Good   | Good
Enterprise App. Support | None      | Good   | Good
Hardware Support        | Excellent | Good   | Good
Licensing Cost          | Good      | Poor   | Excellent
Network Performance     | Good      | Good   | Excellent
Security                | Poor      | Good   | Good
9.
Linux Filesystem Hierarchy
/bin   Essential Binary Files
/boot  Boot Loader Files
/dev   Device Files
/etc   Configuration Files
/home  User Home Directories
/lib   Shared Libraries and Kernel Modules
/mnt   Mount Point for Temporarily Mounted FS
/proc  System Information Virtual File System
/root  root User Home Directory
/sbin  Essential System Binaries
/tmp   Temporary Files
/usr   Shareable Files
/var   Non-Shareable Files
12.
Overview of the Installation Process
1. Starting the installation process
   Installation Mode
   Language
   Keyboard
   Mouse
2. Partitioning
3. Boot Loader Installation
4. Network Configuration
5. Setting the time zone
13.
Overview of the Installation Process
5. Firewall Configuration
6. Specifying authentication options (optional)
7. Specifying user accounts
8. Selecting packages
9. Installing packages
10. Creating a boot disk
11. Configuring the X Window System (optional)
14.
Installing Linux: Consoles & Message Logs
Console | Keystrokes  | Contents
1       | Ctrl+Alt+F1 | Text-based installation procedure
2       | Ctrl+Alt+F2 | Shell prompt
3       | Ctrl+Alt+F3 | Messages from installation program
4       | Ctrl+Alt+F4 | Kernel messages
5       | Ctrl+Alt+F5 | Other messages, including file system creation messages
7       | Ctrl+Alt+F7 | Graphical installation procedure
17.
SHELL
Some of Important BASH Variables: PATH, SHELL, PS1, PS2
bash (Bourne Again Shell)
ash   sach
tcsh  mc
PS1, PS2 Switches: \u, \h, \W, \d, \t, \s, \$
22.
Linux File Types
Normal            -  Normal file
Directories       d  Normal directory
Hard link         -
Symbolic link     l  Shortcut to a file or directory
Socket            s  Pass data between 2 processes
Named pipe        p  Like sockets; the user can't work directly with them
Character device  c  Processes character hardware communication
Block device      b  Major & minor numbers for controlling the device
23.
Bash Special Variables
$#  Number of arguments given to the command
$?  Exit value of the last program run
$$  Process number of the current shell
$!  Process number of the last background child process
$@  All arguments, individually quoted
$*  All arguments, quoted as a whole
$n  Positional argument value, where n is the position
$0  Name of the current shell
24.
Some of Linux Commands (2)
Process Text Streams: sort, cut, head, tail, split, wc, uniq, grep
Redirecting a Command's output: tee
Create, Monitor & Kill Processes: ps, pstree, top, kill, killall
Modify Process Priority (renice)
26.
Some of Linux Commands (3)
Create Partitions and Filesystems: fdisk, mke2fs, mkfs.*
Maintain the Integrity of Filesystems: e2fsck, fsck.*, du, df
Filesystem Mounting & Unmounting: mount, umount, /etc/fstab
27.
Some of Linux Commands (4)
Use File Permissions: chmod, chown, chgrp, su
Create Hard & Symbolic Links (ln)
Find System Files (find, locate, which)
Using Emergency & Single User Mode
28.
'vi' Powerful Text Editor
Insert Mode
Normal Mode
Command Mode
• dd, n+dd (Delete)
• yy, n+yy (Copy)
• p (paste)
• P (Paste)
• / (Search)
• v (Visual) (Text Selection)
• Insert Text
• Delete
• w
• q
• wq = x
• q!
• r
• s///
30.
Run Levels
Run Level  Definition
0          This runlevel halts the system
1          This runlevel sets single-user mode
2          Multiuser mode without networking
3          Multiuser mode with networking
4          Not used
5          X-based login
6          This runlevel reboots the system
init & chkconfig Commands
/etc/inittab
/etc/rc.d/init.d & /etc/rc[0123456].d/
34.
Linux Installation and Package Management
Make and Install Programs from Source
RPM (Redhat Package Manager)
35.
Kernel
About Kernel and Loadable Modules
Manage Kernel Modules at Runtime (/etc/modules.conf)
Reconfigure, Build and Install a Custom Kernel
37.
Shell Scripts
# Comments
#! Special Comments
Assign a Value
x=y       x='$y'
x=${y}    x=$y
x=$y      export x,y,z
x=${y}es  export x=$y
x=$yes
38.
Shell Scripts
Control Constructs
'read' command
'test' command ( [ ] )
if …; then …; else …; fi
case … in pattern) …;; esac
while …; do …; done
until …; do …; done
for x in …; do …; done
break, continue, exit (for, while, until)
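An added example, not from the slides, that exercises the assignment rules of the previous slide ($y versus ${y}es, and the single-quoted '$y'), the special variables of slide 23 ($#, $@, $*, $?) and the control constructs listed above in one POSIX sh script; the function names suffix_demo, quote_demo, parse_opts and status_demo are my own.

```shell
#!/bin/sh
# Added example (not from the slides). Function names are my own.

# Slide 37: x=${y}es vs x=$yes. The braces end the variable name; without
# them the shell expands a variable literally called "yes" (unset here).
# Single quotes keep the text '$y' literal.
suffix_demo() {
    y=no
    unset yes
    braced="${y}es"     # "noes"
    unbraced="$yes"     # ""   - looks up $yes, not $y followed by "es"
    literal='$y'        # "$y" - no expansion inside single quotes
    printf '%s|%s|%s\n' "$braced" "$unbraced" "$literal"
}

# Slide 23: "$@" keeps every argument as its own word, "$*" joins them
# into one word. count_words just reports $# as seen by the callee.
count_words() { echo $#; }
quote_demo() {
    set -- "a b" c                # two positional arguments, one with a space
    at=$(count_words "$@")        # 2
    star=$(count_words "$*")      # 1
    echo "$at $star"
}

# Slide 38: while / case / shift over the arguments, with test ([ ])
# guarding the value of -t. Returns 2 on a malformed command line,
# which callers pick up through $?.
parse_opts() {
    verbose=0
    target=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -v) verbose=1 ;;
            -t) shift
                [ $# -gt 0 ] || { echo "missing value for -t" >&2; return 2; }
                target=$1 ;;
            --) shift; break ;;           # end of options
            -*) echo "unknown option: $1" >&2; return 2 ;;
            *)  break ;;                  # first non-option argument
        esac
        shift
    done
    echo "verbose=$verbose target=$target rest=$#"
}

# $? after a command is its exit status; inside the else branch it still
# holds the status of the if condition, so this prints 2.
status_demo() {
    if parse_opts --bogus 2>/dev/null; then
        echo 0
    else
        echo "$?"
    fi
}

suffix_demo
quote_demo
parse_opts -v -t hq.alim.ir file1 file2
status_demo
```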
41.
Basic X Concepts
X Client
X Server
X Protocol
42.
Basic X Concepts
X Window Manager
X Desktop Manager
X Display Manager
43.
Installing X
1. Determine the proper X server
2. Install the proper packages
44.
X Server Selection
XFree86-*
Installing the Packages
freetype
gtk+
XFree86-libs
XFree86-75dpi-fonts
redhat-config-xfree86
XFree86-xfs
XFree86-xdm
XFree86-twm
XFree86-tools
xinitrc
46.
Important X Directories & Files
/usr/X11R6/bin
/etc/X11
/etc/X11/XF86Config
47.
Configure and Use PPP
'redhat-config-network-tui' Command in Text Mode
Modem Configuration Files
kppp Command in X Window
52.
TCP/IP Model (1)
Application Protocols
Transport Protocols
Internet Protocols
Network Access Protocols
53.
TCP/IP Model (2)
Network Access Protocols: All functions necessary to access the physical network
Internet Protocols
IP (Internet Protocol – Connectionless)
ICMP (Internet Control Message Protocol)
54.
TCP/IP Model (3)
Transport Protocols
TCP (Transmission Control Protocol): Connection-based
UDP (User Datagram Protocol): Connectionless
Application Protocols
Privileged Ports (0-1023)
/etc/services
55.
Types of TCP/IP Services
Stand-alone
xinetd (and its config)
56.
Related TCP/IP Commands
ps x
netstat -ap --inet | grep LISTEN
Controlling TCP/IP Daemons
Start the daemon
Stop the daemon
Restart the daemon
Show the status of the daemon
70.
TCP/IP Services
Diagram: a client process and a server process, each using a port
1. Server binds to port and listens
2. Client binds to port
3. Client connects to server
4. Server designates port
5. Client and server communicate
80.
Troubleshooting Apache
/var/log/messages
/var/log/httpd/
/usr/sbin/httpd -S (for virtual hosts)
81.
Securing Your Network
Using the 'lokkit' or 'redhat-config-securitylevel' Command
Password & Physical Security
Securing TCP/IP
Using Tripwire
Keeping Up-to-Date on Linux Security Issues
90.
Configuring a Linux Router
Configuring Kernel: IP: advanced router
Enable IP Forwarding
Add 'net.ipv4.ip_forward=1' to /etc/sysctl.conf
echo "1" > /proc/sys/net/ipv4/ip_forward
91.
Type of Routes
Static route
Dynamic route
92.
Components of Routing Rules
Destination IP Address
An Interface
An Optional Gateway IP Address
98.
How Email Is Sent and Received
Diagram: user1@mail1.com with the mail1 MTA on one side, the mail2 MTA with user2@mail2.com on the other; the links between them are marked "?"
99.
Concepts
MTA: Mail Transport Agent
SMTP (server-to-server): Simple Mail Transport Protocol
POP (Mail Access): Post Office Protocol
IMAP (Mail Access): Interim Mail Access Protocol
MDA: Mail Delivery Agent
MUA: Mail User Agent
100.
Advantage of Sendmail
Older MTA
Powerful MTA
Disadvantage of Sendmail
Slow
High Load Environment
Crypto Configuration
108.
Where do I look?
/etc/nsswitch.conf (nameservice switch)
t@localhost:~$ cat /etc/nsswitch.conf
hosts: files dns
109.
Files
Search order determined by nsswitch.conf
It is polite to have /etc/hosts first!
sjh@mccoy:~$ cat /etc/hosts
127.0.0.1      localhost
193.62.81.135  mccoy.tardis.ed.ac.uk mccoy
193.62.81.134  baker.tardis.ed.ac.uk baker
193.62.81.132  packages.tardis.ed.ac.uk packages
110.
DNS Traversal
1. Local files
2. Local DNS server
3. Item in cache?
4. Root server, work your way down…
111.
Resolving Names
Configuration Files for the Local Host Name Resolution (important for testing)
/etc/resolv.conf
/etc/nsswitch.conf
/etc/host.conf
112.
DNS
BIND – Berkeley Internet Name Daemon
Dents – buggy as hell (still in alpha?)
Djbdns – Dan Bernstein's DNS server
Banyan VINES – don't go there!
113.
named (name daemon)
/etc/named.conf:
This defines a directory to store the DNS config files
Contains info about what zones we serve, and where to find config files!
Config file for named – tells us if we are master / slave, allow or deny zone transfers, what the IPs of other master / slave servers are, etc.
<DNSROOT>/root.hints:
Contains "pointers" to the Root Servers
<DNSROOT>/127.0.0:
Config for reverse-lookup to the local host/subnet
<DNSROOT>/<zone>:
Config for zone
<DNSROOT>/<in-addr.arpa file>:
Config for reverse lookup for your zone
114.
A simple named.conf
## named.custom - custom configuration for bind
zone "." {
    type hint;
    file "root.lists";
};
options {
    directory "/var/named/";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "127.0.0";
};
zone "hq.alim.ir" {
    type master;
    file "hq.alim.ir";
};
zone "168.168.192.in-addr.arpa" {
    type master;
    file "192.168.168";
};
115.
DNS Data
DNS databases contain more than just hostname-to-address records:
SOA – Start Of Authority – it is the daddy!
IN NS – Name Server
IN MX – Mail eXchanger
IN A – A record (Address record)
IN CNAME – Canonical NAME
116.
A simple zone file
@   IN SOA hq.alim.ir. root.hq.alim.ir. (
        199609206 ; serial, todays date + todays serial #
        8H        ; refresh, seconds
        2H        ; retry, seconds
        4W        ; expire, seconds
        1D )      ; minimum, seconds
    NS    hq.alim.ir.
    MX    10 hq.alim.ir. ; Primary Mail Exchanger
    TXT   "Alim IT Center"
localhost    A      127.0.0.1
router       A      192.168.168.1
hq.alim.ir.  A      192.168.168.2
ns           A      192.168.168.3
www          A      207.159.141.192
ftp          CNAME  hq.alim.ir.
mail         CNAME  hq.alim.ir.
news         CNAME  hq.alim.ir.
118.
Forward DNS
hq.alim.ir (as per /etc/named.conf)
SOA – Start Of Authority – it is the daddy!
IN NS – Name Server
IN MX – Mail eXchanger
IN A – A record (Address record)
IN CNAME – Canonical NAME
119.
Reverse DNS
192.168.168 (as per /etc/named.conf)
SOA
IN NS
IN PTR – Pointer
120.
DNS Round Robin
Fault tolerance? Through nifty DNS hacks
www.teviot.com.  60  IN  A  10.0.1.100
www.teviot.com.  60  IN  A  10.0.2.100
www.teviot.com.  60  IN  A  10.0.3.100
121.
Common Mistakes
Forgetting to increment the Serial Number!
CNAME pointing at another CNAME!
Forgetting the "." in appropriate places!
Underscores in hostnames!
Forgetting to reload the daemon!
Version control issues – clobber changes!
TTL Issues
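An added check, not part of the slides, for three of the mistakes listed above (a CNAME pointing at another CNAME, a dotted NS/MX/CNAME target without its trailing ".", and underscores in hostnames), run over a constructed zone modelled on the hq.alim.ir example of slide 116; the function check_zone and the sample data are my own.

```shell
#!/bin/sh
# Added example (not from the slides): a lint pass for three of the
# "Common Mistakes" above, run over a constructed zone file modelled on
# the hq.alim.ir zone from slide 116. check_zone and the sample are my own.

# Constructed sample: the three deliberate mistakes are marked in comments.
SAMPLE_ZONE=$(cat <<'EOF'
@       IN SOA hq.alim.ir. root.hq.alim.ir. (
            199609206 ; serial
            8H        ; refresh
            2H        ; retry
            4W        ; expire
            1D )      ; minimum
        NS      hq.alim.ir.
        MX 10   mail.hq.alim.ir       ; mistake: no trailing dot, becomes mail.hq.alim.ir.hq.alim.ir.
localhost   A       127.0.0.1
router      A       192.168.168.1
ns          A       192.168.168.3
mail        CNAME   hq.alim.ir.
ftp         CNAME   mail              ; mistake: CNAME pointing at another CNAME
web_01      A       192.168.168.5     ; mistake: underscore in a hostname
EOF
)

# Reads a zone file on stdin and prints one line per finding.
# Owner names are compared as written (relative labels stay relative),
# which is enough for the single-origin zone shown on the slides.
check_zone() {
    awk '
        { sub(/;.*/, "") }                           # strip comments
        /^[ \t]*$/ { next }                          # skip blank lines
        inparen { if ($0 ~ /\)/) inparen = 0; next } # still inside SOA ( ... )
        {
            i = 1
            if ($0 ~ /^[^ \t]/) { owner = $1; i = 2 } # explicit owner, else reuse last
            if ($i ~ /^[0-9]+[smhdwSMHDW]?$/) i++     # optional TTL
            if ($i == "IN") i++                       # optional class
            type = $i; i++
            if (type == "SOA") { if ($0 ~ /\(/ && $0 !~ /\)/) inparen = 1; next }
            if (type == "MX") i++                     # skip the preference
            target = $i
            if (owner ~ /_/ && !seen[owner]++)
                printf("underscore in owner name: %s\n", owner)
            if (type == "CNAME") cname[owner] = target
            if ((type == "CNAME" || type == "NS" || type == "MX") &&
                target ~ /\./ && target !~ /\.$/)
                printf("%s %s target %s lacks trailing dot\n", owner, type, target)
        }
        END {
            for (o in cname)
                if (cname[o] in cname)
                    printf("CNAME chain: %s -> %s -> %s\n", o, cname[o], cname[cname[o]])
        }
    '
}

printf '%s\n' "$SAMPLE_ZONE" | check_zone
```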
122.
Test Tools
nslookup
dig
dig mail.hq.alim.ir
dig -x 192.168.168.2
dig 168.168.192.in-addr.arpa. AXFR
whois
http://www.squish.net/dnscheck/ (James Ponder's DNS check web page)
124.
Firewall
Required Properties:
Control: Allow only those packets that you are interested in to pass through.
Security: Reject packets from malicious outsiders
Watchfulness: Log packets to/from the outside world
128.
Chains of Tables
INPUT: Controls packets entering your system
OUTPUT: Controls packets leaving your system
FORWARD: Controls what packets can move from one network to another through your system
130.
1. When a packet comes in, the kernel first looks at the destination of the packet: this is called routing.
2. If it's destined for this box:
   • Passes downwards in the diagram
   • To INPUT chain
   If it passes, any processes waiting for that packet will receive it.
   Otherwise go to step 3
Continue…
131.
3. If forwarding is not enabled, the packet will be dropped.
   If forwarding is enabled and the packet is destined for another network interface, the packet goes rightwards on our diagram to the FORWARD chain.
   If it is accepted, it will be sent out.
4. Packets generated from local processes pass to the OUTPUT chain immediately.
   If it says accept, the packet will be sent out.
132.
Packet Status in Iptables
Established
New
Related
Invalid
133.
Results of Packet Checking
ACCEPT
DROP
REJECT
…
137.
Building a Rule: source/destination
iptables -s 200.200.200.1
Refers to packets from a specific IP address
The "-s" refers to the source of the packet, where the packet is coming from.
A corresponding "-d" refers to the destination, where the packet is going to.
138.
Building a Rule: Action
iptables -s 200.200.200.1 -j DROP
The "-j" determines what happens to the
Building a Rule: IP address ranges
iptables -s 200.200.200.0/24 -j DROP
IPs that match 200.200.200.*
The "/24" refers to the number of bits that are fixed, counting from the left.
139.
Other Actions
REDIRECT: Sends packets to a proxy
LOG: Tracks packets as they match rules
RETURN: Terminates user defined chains
140.
Building a Rule: appending rules to tables
iptables -A INPUT -s 200.200.200.1 -j DROP
The "-A" appends the rule to an iptable
The "INPUT" specifies the iptable
This command makes your system ignore all packets from 200.200.200.1
iptables -A OUTPUT -d 200.200.200.1 -j DROP
This command does not allow your system to send packets to 200.200.200.1
141.
Building a Rule: only blocking some packets
iptables -A INPUT -s 200.200.200.1 -p tcp --destination-port telnet -j DROP
The "-p" specifies a specific protocol: tcp, udp, or icmp
The "--destination-port" is where the packet is going
You can use the service name or the port number
Could use 23 in this example
Keep in mind that the source-port is very different from the destination-port.
In this example the inbound message is going to your telnet server. The telnet client that is sending you the message could be running on any port.
--dport == --destination-port
--sport == --source-port
142.
Building a Rule: multiple network interfaces
Assume your machine has two interface cards. One to a LAN named eth0 and the other to the Internet named ppp0
iptables -A INPUT -p tcp --dport telnet -i ppp0 -j DROP
The "-i" option specifies the input interface
There is also a "-o" option for the output interface
iptables -A INPUT -p tcp --dport telnet -i eth0 -j ACCEPT
Together these rules would accept telnet requests from the LAN but block telnet requests from the Internet.
143.
Building a Rule: Table Policies
iptables -P FORWARD ACCEPT
The "-P" option followed by a table name and action determines the default policy of the table. If no rule in the table matches, this default action is taken.
The usual policies are
INPUT = ACCEPT
OUTPUT = ACCEPT
FORWARD = DENY
144.
Building a Rule: Adding Rules to Tables
iptables -A INPUT -s 200.200.200.1 -j DROP
Appends the rule to the end of the table
iptables -I INPUT 3 -s 200.200.200.1 -j DROP
Inserts the rule as rule 3 in the table, moving all other rules down 1.
iptables -R INPUT 3 -s 200.200.200.1 -j DROP
Replaces rule 3 in the table
iptables -D INPUT 3
Deletes rule 3 in the table
145.
Operations to manage whole chains
-N  Create a new chain
-X  Delete an empty chain
-P  Change the policy for a built-in chain
-L  List the rules in a chain
-F  Flush the rules out of a chain
-Z  Zero the packet and byte counters on all rules in a chain
146.
Manipulate rules inside a chain
-A  Append a new rule to a chain
-I  Insert a new rule at some position in a chain
-R  Replace a rule at some position in a chain
-D  Delete a rule at some position in a chain
-D  Delete the first rule that matches in a chain
147.
An Example
Diagram: Internet --- eth0 [ Firewall: 192.168.1.1 ] eth1 --- LAN
LAN hosts: 192.168.1.5, 192.168.1.6, 192.168.1.7 (each with GW: 192.168.1.1)
Web Server
SSH Server: Accessible ONLY via LAN
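An added ruleset, not from the slides, that implements the diagram above in the iptables syntax of the preceding slides. It assumes the web and SSH daemons run on the firewall host itself, that eth0 faces the Internet and eth1 the 192.168.1.0/24 LAN; the IPT variable is my own and defaults to echo so the rules print instead of being applied.

```shell
#!/bin/sh
# Added example (not from the slides): rules for the diagram above, written
# in the iptables syntax of the preceding slides. Assumes the web and SSH
# daemons run on the firewall itself, eth0 faces the Internet and eth1 the
# LAN. IPT (my own variable) defaults to echo so the rules print rather
# than apply; run with IPT=iptables as root to load them for real.
IPT=${IPT:-echo iptables}
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24

build_ruleset() {
    # Start clean; deny by default on INPUT and FORWARD so only the
    # explicit accepts below let traffic through (the "Control" property).
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections this host or the LAN started
    # (the Established / Related states from the "Packet Status" slide).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Web server: new connections to port 80 from any interface.
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # SSH server: only from the LAN interface and the LAN address range.
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # SSH attempts arriving from the Internet side are logged, then dropped
    # (the "Watchfulness" property: LOG is non-terminating, DROP follows).
    $IPT -A INPUT -i $WAN_IF -p tcp --dport 22 -j LOG --log-prefix "SSH-from-WAN: "
    $IPT -A INPUT -i $WAN_IF -p tcp --dport 22 -j DROP

    # Router role (slide 90 enables ip_forward): LAN hosts with
    # GW 192.168.1.1 may reach the Internet; only replies come back in.
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
    $IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Private LAN addresses need source NAT on the way out.
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE

    # Anything that falls through INPUT is logged before the DROP policy applies.
    $IPT -A INPUT -j LOG --log-prefix "INPUT-DROP: "
}

build_ruleset
```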
CNAMEs should only point at A records
RR – Resource Record
LOC – GPS Location
HINFO – Hardware Info
See print out
The 60s there are TTLs; they override the default TTL in the SOA.
Worth noting that the address closest to the requesting host will be returned first…
Mention hesiod – home dir locations through DNS, and other such stuff.