Session 1

RHCE
Red Hat Certified Engineer

M. A. Agheli
History of UNIX and Linux
- 1957: Bell Labs finds it needs an operating system for the batch jobs it is running at the time.
- 1965: Bell Labs (with MIT and GE) starts Multics (Multiplexed Information and Computing Service).
- 1969: In the summer of 1969 UNIX is developed at AT&T Bell Labs.
- 1975: Sixth Edition UNIX is released (May 1975).
- 1985: The Free Software Foundation is founded (the GNU project itself was announced in 1983).
- 1991: Linux is introduced by Linus Benedict Torvalds, a second-year computer science student at the University of Helsinki.
- 1993: NetBSD and FreeBSD are released.
- 1994: Red Hat Linux is introduced.
The First Announcement of Linux (comp.os.minix, 25 August 1991)
From: torvalds@klaava.Helsinki.FI (Linus Benedict Torvalds)
Newsgroups: comp.os.minix
Subject: What would you like to see most in minix?
Summary: small poll for my new operating system
Message-ID: <1991Aug25.205708.9541@klaava.Helsinki.FI>
Date: 25 Aug 91 20:57:08 GMT
Organization: University of Helsinki

Hello everybody out there using minix -
I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones. This has been brewing
since april, and is starting to get ready. I'd like any feedback on
things people like/dislike in minix, as my OS resembles it somewhat
(same physical layout of the file-system (due to practical reasons)
among other things). I've currently ported bash(1.08) and gcc(1.40), and
things seem to work. This implies that I'll get something practical within a
few months, and I'd like to know what features most people would want.
Any suggestions are welcome, but I won't promise I'll implement them :-)

Linus (torvalds@kruuna.helsinki.fi)

PS. Yes - it's free of any minix code, and it has a multi-threaded fs.
It is NOT portable (uses 386 task switching etc), and it probably never
will support anything other than AT-harddisks, as that's all I have :-(.
GNU and the GPL
GNU Project: focused on creating a Unix-like operating system that could be freely distributed.
GPL: the GNU General Public License, a copyleft licence (derived works must be distributed under the same terms).
Major Linux Distributions
- Mandrake Linux
- Caldera Linux
- Corel Linux
- Slackware Linux
- Debian Linux
- Kondara Linux
- SuSE Linux
- Red Hat Linux
- Turbo Linux
- Vector Linux
The Advantages of Linux
- Low purchase cost
- Open Source Software (OSS)
- UNIX heritage
- Multi-user
- Scalability
- Vendor support
- Reliable uptime
- Security
- Logging system
- …

The Disadvantages of Linux
- Steep learning curve
- Hardware support
- End-user applications
A Comparison of Win 9x, NT and Linux
Feature                   Win 9x     Win NT   Linux
Scalability               Poor       Good     Good
Desktop app. support      Excellent  Good     Good
Enterprise app. support   None       Good     Good
Hardware support          Excellent  Good     Good
Licensing cost            Good       Poor     Excellent
Network performance       Good       Good     Excellent
Security                  Poor       Good     Good
Linux Filesystem Hierarchy
/bin    Essential binary files
/boot   Boot loader files
/dev    Device files
/etc    Configuration files
/home   User home directories
/lib    Shared libraries and kernel modules
/mnt    Mount point for temporarily mounted filesystems
/proc   System information virtual filesystem
/root   Home directory of the root user
/sbin   Essential system binaries
/tmp    Temporary files
/usr    Shareable (read-only) files
/var    Non-shareable (variable) files
Session 2
Installing Linux
- Hardware requirements
- Hard disk partitioning
- Boot loader
- Installing packages
- X configuration

Overview of the Installation Process
1. Starting the installation process: installation mode, language, keyboard, mouse
2. Partitioning
3. Boot loader installation
4. Network configuration
5. Setting the time zone
6. Firewall configuration
7. Specifying authentication options (optional)
8. Specifying user accounts
9. Selecting packages
10. Installing packages
11. Creating a boot disk
12. Configuring the X Window System (optional)
Installing Linux: Consoles and Message Logs
Console  Keystrokes   Contents
1        Ctrl+Alt+F1  Text-based installation procedure
2        Ctrl+Alt+F2  Shell prompt
3        Ctrl+Alt+F3  Messages from the installation program
4        Ctrl+Alt+F4  Kernel messages
5        Ctrl+Alt+F5  Other messages, including filesystem creation messages
7        Ctrl+Alt+F7  Graphical installation procedure
Configuring Install-Time Options after Installation
- authconfig
- kbdconfig
- ntsysv
- mouseconfig
- setup
- timeconfig
- redhat-config-…
- sndconfig
- netconfig
Session 3
Shells
- bash (Bourne Again Shell)
- sach
- ash
- mc
- tcsh

Some Important BASH Variables
PATH, SHELL, PS1, PS2
PS1 and PS2 escape sequences:
\u (user name), \h (host name), \W (basename of the working directory), \d (date), \t (time), \s (shell name), \$ (# for root, $ for other users), $

Some Linux Commands (1)
ls, info, help, man, echo
rm, mv, cp, tac, cat
rmdir, mkdir, pwd, touch, cd
logout, date, less, alias, clear
halt, reboot, exit
Session 4
BASH
- TAB key features (completion)
- Review pages and commands (history)
- Quoting in BASH:
  "value"  double quotes: variables and command substitutions are expanded
  'value'  single quotes: the text is taken literally
  `value`  backquotes: command substitution
- Redirection operators:
  > >> | << <
- Standard input and standard output (file descriptors):
  stdin   0
  stdout  1
  stderr  2

Important Command Forms
cmd
cmd &                 background job (fg, Ctrl+Z, bg)
cmd1 ; cmd2           run in sequence
(cmd1 ; cmd2)         run in sequence in a subshell
cmd1 `cmd2`           the output of cmd2 becomes arguments of cmd1
cmd1 | cmd2           pipeline
cmd1 && cmd2          run cmd2 only if cmd1 succeeded
cmd1 || cmd2          run cmd2 only if cmd1 failed
{ cmd1 ; cmd2 ; }     group in the current shell (a semicolon before the closing brace is required)
Linux File Types
Symbol  Type              Description
-       Normal file       Regular file (a hard link is just another name for the same file and also shows as -)
d       Directory         Normal directory
l       Symbolic link     Shortcut to a file or directory
s       Socket            Passes data between two processes
p       Named pipe        Like a socket; the user does not work with it directly
c       Character device  Character-oriented hardware communication
b       Block device      Block-oriented device; major and minor numbers identify the driver and the device
Bash Special Variables
$#   Number of arguments given to the command
$?   Exit status of the last command executed
$$   Process ID of the current shell
$!   Process ID of the last background (child) process
$@   All arguments, each individually quoted ("$1" "$2" …)
$*   All arguments quoted as a whole ("$1 $2 …")
$n   Positional argument value, where n is the position
$0   Name of the current shell or script
Some Linux Commands (2)
- Process text streams: sort, cut, head, tail, split, wc, uniq, grep
- Redirect a command's output: tee
- Create, monitor and kill processes: ps, pstree, top, kill, killall
- Modify process priority: renice
Session 5
Some Linux Commands (3)
- Create partitions and filesystems: fdisk, mke2fs, mkfs.*
- Maintain the integrity of filesystems: e2fsck, fsck.*, du, df
- Filesystem mounting and unmounting: mount, umount, /etc/fstab

Some Linux Commands (4)
- Use file permissions: chmod, chown, chgrp, su
- Create hard and symbolic links: ln
- Find system files: find, locate, which
- Using emergency and single-user mode (single-user mode gives a root shell to whoever is at the console, so protect the boot loader with a password on machines others can reach physically)
vi: a Powerful Text Editor
- Insert mode: i (insert text)
- Normal mode:
  dd / n dd   delete a line / n lines
  yy / n yy   copy (yank) a line / n lines
  p / P       paste after / before the cursor
  /           search
  v           visual mode (text selection)
- Command mode (:):
  w    write
  q    quit
  q!   quit without saving
  wq   write and quit (same as x)
  r    read a file into the buffer
  s/// substitute
Session 6
Run Levels
Run level  Definition
0          Halts the system
1          Single-user mode
2          Multi-user mode without networking
3          Multi-user mode with networking
4          Not used (available for local definition)
5          Multi-user mode with X-based login
6          Reboots the system

- init and chkconfig commands
- /etc/inittab
- /etc/rc.d/init.d and /etc/rc[0123456].d/
Configuring the Boot Loader
- LILO: edit /etc/lilo.conf and run the 'lilo' command (the boot sector must be rewritten after every change)
- GRUB: edit /boot/grub/grub.conf (read at boot time, no re-install step)
Both loaders accept a password directive; without one, anyone at the console can pass "single" (or "init=/bin/sh") to the kernel and get a root shell.

Administrative Tasks
- Manage users, groups and related files: useradd, userdel, groupadd, groupdel, passwd, vipw, vigr; /etc/passwd, /etc/shadow, /etc/skel, /etc/profile, …
- Configure and use system log files: /etc/syslog.conf, /etc/logrotate.conf
- Scheduling jobs: the at and crontab commands
- Backup and restore tools: tar, bzip2, gzip
Session 7
Linux Installation and Package Management
- Make and install programs from source
- RPM (RPM Package Manager, originally the Red Hat Package Manager); check the GPG signature with rpm --checksig before installing a package that did not come from the distribution media

Kernel
- About the kernel and loadable modules
- Manage kernel modules at runtime (/etc/modules.conf)
- Reconfigure, build and install a custom kernel
Session 8
Shell Scripts
- # comments
- #! special comment (the interpreter line, e.g. #!/bin/bash as the first line)
- Assigning a value:
  x=y           the literal string y
  x=$y          the value of y
  x=${y}        the value of y (the braces delimit the name)
  x=${y}es      the value of y followed by "es"
  x=$yes        the value of a variable named yes (not y followed by es)
  x='$y'        the literal string $y (single quotes prevent expansion)
  x=\$y         the literal string $y (the backslash escapes the dollar sign)
  export x y z  make the variables visible to child processes (names are separated by spaces)
  export x=$y   assign and export in one step

Shell Scripts
- Control constructs
- The 'read' command
- The 'test' command ( [ ] )
- if …; then …; else …; fi
- case … in pattern) …;; esac
- while …; do …; done
- until …; do …; done
- for x in …; do …; done
- break, continue, exit (inside for, while, until)
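The constructs and special variables from the last three slides, put together in one script. This is an added example, not part of the course material; the passwd-style file it reads is constructed inline, and the account names in it are made up.

```shell
#!/bin/bash
# Added example (not from the course slides): the special variables and
# control constructs above, used for a small audit of a passwd-format file.
# The sample file below is constructed for the example.

# count_args: number of arguments received ($#).
count_args() {
    echo "$#"
}

# each_arg: one argument per line. "$@" keeps "two words" as one argument;
# an unquoted $* would re-split it into two.
each_arg() {
    for a in "$@"; do
        printf '%s\n' "$a"
    done
}

# uid0_accounts FILE: every account in a passwd-format file with UID 0.
# Anything besides root here is a classic backdoor indicator.
uid0_accounts() {
    while IFS=: read -r name pw uid rest; do
        if [ "$uid" = "0" ]; then
            printf '%s\n' "$name"
        fi
    done < "$1"
}

# describe_runlevel N: a case statement with a non-zero exit for bad input.
describe_runlevel() {
    case $1 in
        0)     echo "halt" ;;
        1)     echo "single-user" ;;
        [2-5]) echo "multi-user" ;;
        6)     echo "reboot" ;;
        *)     echo "unknown runlevel: $1" >&2; return 1 ;;
    esac
}

# Constructed sample data (not a real /etc/passwd).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
toor:x:0:0:hidden admin:/tmp:/bin/bash
EOF

main() {
    echo "argument count: $(count_args one "two words" three)"   # 3
    each_arg one "two words"
    echo "UID 0 accounts:"
    uid0_accounts "$SAMPLE_PASSWD"                    # root and toor
    describe_runlevel 3                               # multi-user
    describe_runlevel 9 || echo "exit status was $?"  # $? is 1 here
    echo "this shell's PID is $$, running as $0"
}

main "$@"
```

Run it against the real file with `uid0_accounts /etc/passwd`; the point of the `"$@"` loop is that arguments containing spaces survive intact, which `$*` does not guarantee.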
Session 9
Installing and Configuring X

Basic X Concepts
- X client
- X server
- X protocol
- X window manager
- X desktop manager
- X display manager

Installing X
1. Determine the proper X server
2. Install the proper packages

X Server Selection
- XFree86-*
Installing the packages:
- freetype
- gtk+
- XFree86-libs
- XFree86-75dpi-fonts
- redhat-config-xfree86
- XFree86-xfs
- XFree86-xdm
- XFree86-twm
- XFree86-tools
- xinitrc

Configuring X
- redhat-config-xfree86
- xvidtune

Important X Directories and Files
- /usr/X11R6/bin
- /etc/X11
- /etc/X11/XF86Config

Configure and Use PPP
- The 'redhat-config-network-tui' command in text mode
- Modem configuration files
- The kppp command under X
Session 10
Network Basics
- IP address (network portion and host portion)
  192.168.168.1 : 11000000.10101000.10101000.00000001
  Static IP / dynamic IP
- Netmask
  255.255.255.0 : 11111111.11111111.11111111.00000000
- Network address (IP AND netmask)
  192.168.168.0 : 11000000.10101000.10101000.00000000
- Broadcast address (network address with all host bits set to 1)
  192.168.168.255 : 11000000.10101000.10101000.11111111

Classful Addressing
- Network classes (range of network numbers, size of the network portion)
  Class A 1.0.0.0-126.0.0.0 (8 bits)
  Class B 128.0.0.0-191.255.0.0 (16 bits)
  Class C 192.0.0.0-223.255.255.0 (24 bits)
- Reserved addresses
  127.0.0.0-127.255.255.255 (loopback)
  224.0.0.0-239.255.255.255 (multicast)
  240.0.0.0-255.255.255.255 (reserved, do not use)
- Public and private networks (valid on the Internet vs. private, non-routable)
  10.0.0.0-10.255.255.255
  172.16.0.0-172.31.255.255
  192.168.0.0-192.168.255.255

Classless Addressing (Subnets)
Network address: 192.168.168.0 = 11000000.10101000.10101000.00000000
Netmasks:
255.255.255.0   (/24) : 11111111.11111111.11111111.00000000
255.255.255.128 (/25) : 11111111.11111111.11111111.10000000
255.255.255.192 (/26) : 11111111.11111111.11111111.11000000
255.255.255.224 (/27) : 11111111.11111111.11111111.11100000
255.255.255.240 (/28) : 11111111.11111111.11111111.11110000
255.255.255.248 (/29) : 11111111.11111111.11111111.11111000
255.255.255.252 (/30) : 11111111.11111111.11111111.11111100
255.255.255.254 (/31) : 11111111.11111111.11111111.11111110
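The bit arithmetic on these slides, as a POSIX shell script. It is an added example, not course material; it uses only the addresses shown above and is handy for checking what a /nn prefix really covers before the prefix goes into a route or a firewall rule.

```shell
#!/bin/sh
# Added example (not part of the course): the subnet arithmetic from the
# slides above, done with POSIX shell integer arithmetic.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*}; r=${r#*.}
    c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip N -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix2mask NN -> netmask as an integer (/24 -> 4294967040 = 255.255.255.0)
prefix2mask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# subnet_info IP PREFIX -> "network broadcast usable-hosts"
# /31 and /32 have no separate network and broadcast addresses (RFC 3021),
# so every address in them is usable.
subnet_info() {
    ip=$(ip2int "$1"); mask=$(prefix2mask "$2")
    net=$(( ip & mask ))
    bcast=$(( net | (mask ^ 4294967295) ))
    if [ "$2" -ge 31 ]; then hosts=$(( 1 << (32 - $2) )); else hosts=$(( (1 << (32 - $2)) - 2 )); fi
    echo "$(int2ip "$net") $(int2ip "$bcast") $hosts"
}

# same_subnet IP1 IP2 PREFIX: succeeds when both addresses share the network
same_subnet() {
    m=$(prefix2mask "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# Demo with the slide's own network.
for p in 24 25 26 30 31; do
    echo "192.168.168.130/$p -> mask $(int2ip "$(prefix2mask "$p")"), $(subnet_info 192.168.168.130 "$p")"
done
```

`same_subnet` is the test a host performs before deciding between direct delivery and the gateway; the same comparison is what a `-s 192.168.168.0/24` match in a packet filter does.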
TCP/IP Model (1)
Layers, top to bottom: application protocols, transport protocols, Internet protocols, network access protocols

TCP/IP Model (2)
- Network access protocols: all functions necessary to access the physical network
- Internet protocols: IP (Internet Protocol, connectionless), ICMP (Internet Control Message Protocol)

TCP/IP Model (3)
- Transport protocols
  TCP (Transmission Control Protocol): connection-based
  UDP (User Datagram Protocol): connectionless
- Application protocols
  Privileged ports (0-1023): only root may bind to them, which is why network daemons start as root and should drop privileges once the socket is open
  /etc/services

Types of TCP/IP Services
- Stand-alone
- xinetd (and its configuration)
Related TCP/IP Commands
- ps x
- netstat -ap --inet | grep LISTEN   (which program listens on which port; run as root, otherwise the program column is empty)

Controlling TCP/IP Daemons
- Start the daemon
- Stop the daemon
- Restart the daemon
- Status of the daemon
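The netstat check above becomes more useful when the output is filtered for sockets bound to every interface, because those are the services reachable from outside. The script below is an added example, not course material; the netstat output it parses is constructed for the example (the port numbers are ordinary service ports, the addresses are the ones used elsewhere in these slides).

```shell
#!/bin/sh
# Added example (not part of the course): flag listening sockets bound to the
# wildcard address (0.0.0.0 or ::). The netstat output below is constructed;
# on a live system pipe "netstat -ltun" (or "ss -ltun" on current systems)
# into exposed_listeners instead.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.168.2:3128      0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*'

# exposed_listeners: reads netstat -ltun style output on stdin and prints
# "proto port" for every socket bound to the wildcard address.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|tcp6|udp|udp6)$/ { next }     # headers and non-inet lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }     # only listening TCP sockets
        {
            n = split($4, f, ":")                   # port follows the last colon
            port = f[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                print $1, port
        }'
}

# exposed_count: number of wildcard-bound sockets in the sample.
exposed_count() { printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
echo "wildcard-bound sockets: $(exposed_count)"
```

In the sample, sendmail on 127.0.0.1:25 and the proxy bound to the LAN address are left out; sshd, httpd, portmap and dhcpd are reported because they accept connections on every interface and therefore need either a packet filter rule or a narrower bind address.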
Session 11
Configuring the Network
- Initializing network hardware: load the related module
- Network configuration tools: netconfig, redhat-config-network
- Other network tools: ifconfig, ping, traceroute, netstat, tcpdump, nmap, tethereal, iptraf
- Network configuration files
  /etc/hosts
  /etc/host.conf
  /etc/services
  /etc/resolv.conf
  /etc/sysconfig/network
  /etc/sysconfig/network-scripts/*
- IP aliasing
Session 12
DHCP
- Advantages and disadvantages of DHCP
- DHCP server configuration
  /etc/dhcpd.conf
  /var/lib/dhcp/dhcpd.leases
- DHCP client configuration
  The netconfig command

An Example of dhcpd.conf
ddns-update-style ad-hoc;   # required by dhcpd 3.0; later releases dropped ad-hoc, use "none"
subnet 192.168.0.0 netmask 255.255.255.0 {
    # Dynamic pool. The router (.1) and the fixed-address host (.20, below)
    # are kept outside it: dhcpd does not exclude fixed addresses from a range
    # that contains them, so the original .1-.25 pool could hand them out twice.
    range 192.168.0.100 192.168.0.125;
    option routers 192.168.0.1;
    option subnet-mask 255.255.255.0;
    option domain-name "domain.com";
    option domain-name-servers 192.168.1.1;
    default-lease-time 21600;
    max-lease-time 43200;
    # we want the nameserver to appear at a fixed address
    host dns1 {
        hardware ethernet 12:34:56:78:AB:CD;
        fixed-address 192.168.0.20;
    }
}

dhcpd.leases Format
lease 192.168.1.8 {
    starts 3 2004/04/12 09:34:12;
    ends 6 2004/07/15 23:49:57;
    hardware ethernet 00:09:e6:88:0a:05;
}
...
NFS
- Related daemons: rpc.nfsd, portmap, rpc.mountd
- Installation: nfs-utils, portmap
(2004 August)

NFS Configuration
- Server side
  Edit /etc/exports: PATH host_list(options)
  Run 'exportfs -r'
  The 'redhat-config-nfs' command
  Export to named hosts or networks rather than '*', and keep the default root_squash unless a share genuinely needs root access from clients.
- Client side
  mount -t nfs server:PATH mountpoint
  Edit /etc/fstab: server:PATH mountpoint nfs ro 0 0

SAMBA (1)
- Related services: smbd, nmbd
- Related packages: samba, samba-common, samba-client

SAMBA (2)
- Server configuration: global directives, service (share) directives
- Client configuration
  smbmount //server/share /mountpoint
  smbclient //server/share
- Configuration with SWAT
Session 13
TCP/IP Services: the client/server model
1. The server process binds to a port and listens.
2. The client process binds to a (usually ephemeral) port.
3. The client connects to the server's port.
4. The server designates a port (socket) for the new connection.
5. Client and server communicate.

Remote Login
- Telnet: server and client (everything, including the password, crosses the network in clear text)
- SSH: server and client (encrypted and authenticated; use it in place of telnet)
The Apache Web Server
- Modules: mod_auth, mod_info, mod_php, mod_include, mod_perl, mod_ssl

Installing Apache
- rpm -Uvh httpd-[^d]*.rpm
- rpm -Uvh httpd-devel*.rpm (needed to build Apache modules)

Basic Configuration: httpd.conf
- Section 1: the global environment
- Section 2: the main configuration
- Section 3: the virtual host configuration

Apache Advanced Configuration
- Authentication in Apache
- Configure with PHP
- Configure with SSL
- Configure virtual hosts

Authentication in Apache
- Create the /etc/httpd/.htpasswd file with the htpasswd utility (htpasswd -c /etc/httpd/.htpasswd username); keep it outside DocumentRoot so it can never be served.
- Configure httpd.conf:

<Location /dir_name>
    AuthType Basic
    AuthName "NAME"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Location>

Basic authentication sends the password base64-encoded, not encrypted, on every request; put such locations behind SSL.

Configure Apache with PHP
- rpm -Uvh php-4*.rpm

Configure Apache with SSL
- rpm -Uvh mod_ssl*.rpm

Configure a Virtual Host
- Configure /etc/hosts (and bring up the alias address 127.0.0.2 on the host, see IP aliasing)
- Configure httpd.conf:

<VirtualHost 127.0.0.2>
    ServerAdmin webmaster@vh.com
    DocumentRoot /var/www/html/vh/
    ServerName www.vh.com
</VirtualHost>

Apache Administration
- Start
- Stop
- Restart
- Reload
- Status

Troubleshooting Apache
- /var/log/messages
- /var/log/httpd/
- /usr/sbin/httpd -S (dumps the parsed virtual host configuration)

Securing Your Network
- Using the 'lokkit' or 'redhat-config-securitylevel' command
- Password and physical security
- Securing TCP/IP
- Using Tripwire
- Keeping up to date on Linux security issues
Session 14
FTP
- Installation: rpm -ivh vsftp*.rpm
- Config file: /etc/vsftpd/vsftpd.conf
- Access levels
  Anonymous access (anonymous_enable)
  Local user access (local_enable; host-based restrictions go through tcp_wrappers with tcp_wrappers=YES)

Cache Server (Squid)
- Install squid: rpm -ivh squid*.rpm
- Managing squid: start, stop, restart, status, reload

Squid Log Files
- /var/log/squid/access.log (cache_access_log)
- /var/log/squid/cache.log (cache_log)
- /var/log/squid/store.log (cache_store_log)

An Example of squid.conf
http_port 8081
cache_effective_user squid
cache_effective_group squid
# Restrict who may use the proxy. "acl all src 0.0.0.0/0.0.0.0" followed by
# "http_access allow all" (as the slide originally had it) is an open proxy
# that anyone on the Internet can relay through. Allow only the local
# network (192.168.168.0/24 is the example network used in these slides).
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.168.0/24
http_access allow lan
http_access deny all
cache_dir ufs /cache 1024 16 32
visible_hostname ws1

Running Squid
- service squid start
- squid -d1 -z                        (create the cache directories once, before the first start)
- squid -d1 -f /etc/squid/squid.conf  (run in the foreground with debug level 1 and an explicit config file)

Kinds of Proxies
- Upstream proxy
  cache_peer yourproxy.com parent 3128 3130
  prefer_direct off
- Transparent proxy (Squid 2.5 syntax; later versions use "http_port … transparent")
  httpd_accel_host virtual
  httpd_accel_port 80
  httpd_accel_with_proxy on
  httpd_accel_uses_host_header on
  The clients' port 80 traffic still has to be steered to the proxy port, typically with an iptables REDIRECT rule in the nat table.
Session 15
Configuring a Linux Router
- Configuring the kernel: IP: advanced router
- Enable IP forwarding
  Add 'net.ipv4.ip_forward = 1' to /etc/sysctl.conf (persistent)
  echo 1 > /proc/sys/net/ipv4/ip_forward (takes effect immediately)
  Enable forwarding only on hosts meant to route: a forwarding host without filter rules passes any packet between its networks.

Types of Routes
- Static route
- Dynamic route

Components of a Routing Rule
- Destination IP address (or network)
- An interface
- An optional gateway IP address

Routing Commands
- route add -net net_addr netmask mask_addr interface
- route add -host ip_addr interface
- route add default gw ip_addr interface   (the keyword is gw, not gateway)

An Example (network diagram)
Router with three interfaces:
  eth0 192.168.1.1    LAN 192.168.1.0/24: hosts A 192.168.1.2, B 192.168.1.3, C 192.168.1.4, D 192.168.1.5
  eth1 192.168.100.1  LAN 192.168.100.0/24: hosts E 192.168.100.2, F 192.168.100.3, G 192.168.100.4, H 192.168.100.5
  eth2 10.1.1.1       transit link 10.1.1.0/24 to the gateway 10.1.1.2, which leads to the Internet
All LAN hosts use the router's address on their segment as default gateway.

Related Rules
- route add -net 192.168.1.0 netmask 255.255.255.0 eth0
- route add -net 192.168.100.0 netmask 255.255.255.0 eth1
- route add -net 10.1.1.0 netmask 255.255.255.0 eth2
- route add default gw 10.1.1.2 eth2

Result (route -n)
Destination     Gateway     Genmask          Flags  Metric  Ref  Use  Iface
192.168.1.1     *           255.255.255.255  UH     0       0    0    eth0
192.168.100.1   *           255.255.255.255  UH     0       0    0    eth1
10.1.1.1        *           255.255.255.255  UH     0       0    0    eth2
192.168.1.0     *           255.255.255.0    U      0       0    0    eth0
192.168.100.0   *           255.255.255.0    U      0       0    0    eth1
10.1.1.0        *           255.255.255.0    U      0       0    0    eth2
127.0.0.0       *           255.0.0.0        U      0       0    0    lo
0.0.0.0         10.1.1.2    0.0.0.0          UG     0       0    0    eth2

Flags: U = route is up, H = destination is a host, G = use the gateway
Electronic Mail (Sendmail)

How Email Is Sent and Received
user1@mail1.com -> MTA on mail1 -> SMTP -> MTA on mail2 -> user2@mail2.com
(The sender's MUA hands the message to the local MTA; the recipient's MUA fetches it over POP or IMAP.)

Concepts
- MTA: Mail Transfer Agent
- SMTP (server to server): Simple Mail Transfer Protocol
- POP (mail access): Post Office Protocol
- IMAP (mail access): Internet Message Access Protocol
- MDA: Mail Delivery Agent
- MUA: Mail User Agent

Advantages of Sendmail
- The oldest MTA still in wide use
- Powerful

Disadvantages of Sendmail
- Slow
- Weak under high load
- Cryptic configuration (sendmail.cf, generated from m4 macros)

MTAs
- Sendmail
- Postfix
- Exim
- Qmail

MUAs
- Evolution, Kmail (KDE)
- Balsa (GNOME)
- Mozilla Mail

Required Packages
- sendmail
- sendmail-cf
- imap (contains the IMAP and POP3 servers; enable them through xinetd)

Sendmail Configuration
- Configure /etc/mail/sendmail.mc
  LOCAL_DOMAIN(`example.com')dnl
- Run 'make -C /etc/mail' (regenerates sendmail.cf and the database maps)
- Configure DNS (an MX record for the domain)

Email Aliases
- Edit /etc/aliases
  postmaster: joseph
- Run the 'newaliases' command

Rejecting Email
- Edit /etc/mail/access
  spam.com    REJECT
  yahoo.com   OK
  (OK accepts mail from the domain; RELAY would let it relay through you. Never grant RELAY to domains you do not control, or you become an open relay.)
- service sendmail restart
Session 16
DNS

Where do I look?
- /etc/nsswitch.conf (name service switch)
t@localhost:~$ cat /etc/nsswitch.conf
hosts: files dns

Files
- Search order determined by nsswitch.conf
- It is polite to have /etc/hosts first!
sjh@mccoy:~$ cat /etc/hosts
127.0.0.1      localhost
193.62.81.135  mccoy.tardis.ed.ac.uk mccoy
193.62.81.134  baker.tardis.ed.ac.uk baker
193.62.81.132  packages.tardis.ed.ac.uk packages

DNS Traversal
1. Local files
2. The local DNS server
3. Is the item in its cache?
4. Otherwise ask a root server and work your way down…

Resolving Names
Configuration files for local host name resolution (important for testing):
- /etc/resolv.conf
- /etc/nsswitch.conf
- /etc/host.conf

DNS Servers
- BIND (Berkeley Internet Name Domain)
- Dents (buggy as hell, still in alpha?)
- djbdns (Dan Bernstein's DNS server)
- Banyan VINES (don't go there!)
named ("name dee")
- /etc/named.conf:
  Defines the directory that holds the DNS data files
  Contains information about which zones we serve and where to find their files
  The configuration file for named: tells it whether we are master or slave, whether to allow or deny zone transfers, the IPs of the other master/slave servers, etc.
- <DNSROOT>/root.hints: contains "pointers" to the root servers
- <DNSROOT>/127.0.0: reverse lookup for the local host/subnet
- <DNSROOT>/<zone>: the zone's data
- <DNSROOT>/<in-addr.arpa file>: reverse-lookup data for your zone

A simple named.conf
## named.custom - custom configuration for bind
options {
    directory "/var/named/";
    // Zone transfers are allowed to anyone unless restricted here with
    // allow-transfer; limit them to your slave servers, otherwise any host
    // can pull the whole zone with "dig ... AXFR".
};
zone "." {
    type hint;
    file "root.lists";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "127.0.0";
};
zone "hq.alim.ir" {
    type master;
    file "hq.alim.ir";
};
zone "168.168.192.in-addr.arpa" {
    type master;
    file "192.168.168";
};
DNS Data
DNS databases contain more than just hostname-to-address records:
- SOA: Start Of Authority (the record that marks the zone's authority and timers)
- IN NS: name server
- IN MX: mail exchanger
- IN A: address record
- IN CNAME: canonical name (an alias)

A simple zone file
$TTL 1D
@ IN SOA hq.alim.ir. root.hq.alim.ir. (
        199609206   ; serial: must increase on every change (YYYYMMDDnn is the usual convention)
        8H          ; refresh
        2H          ; retry
        4W          ; expire
        1D )        ; minimum (negative-caching TTL)
        NS    hq.alim.ir.
        MX    10 hq.alim.ir.   ; primary mail exchanger
        TXT   "Alim IT Center"
localhost    A      127.0.0.1
router       A      192.168.168.1
hq.alim.ir.  A      192.168.168.2
ns           A      192.168.168.3
www          A      207.159.141.192
ftp          CNAME  hq.alim.ir.
mail         CNAME  hq.alim.ir.
news         CNAME  hq.alim.ir.

A simple in-addr.arpa file
$TTL 3D
@ IN SOA hq.alim.ir. root.hq.alim.ir. (
        199609206   ; serial
        28800       ; refresh
        7200        ; retry
        604800      ; expire
        86400 )     ; minimum TTL
        NS    hq.alim.ir.
; Servers
1    PTR  router.hq.alim.ir.
2    PTR  hq.alim.ir.
2    PTR  funn.hq.alim.ir.   ; a second PTR for one address is legal, but most software only uses the first answer
; Workstations
200  PTR  ws-177200.hq.alim.ir.
201  PTR  ws-177201.hq.alim.ir.
202  PTR  ws-177202.hq.alim.ir.

Forward DNS
- hq.alim.ir (as per /etc/named.conf)
- SOA (Start Of Authority)
- IN NS (name server)
- IN MX (mail exchanger)
- IN A (address record)
- IN CNAME (canonical name)

Reverse DNS
- 192.168.168 (as per /etc/named.conf)
- SOA
- IN NS
- IN PTR (pointer)
DNS Round Robin
- Fault tolerance (or at least load spreading) through a DNS trick: several A records for one name, returned in rotating order
www.teviot.com. 60 IN A 10.0.1.100
www.teviot.com. 60 IN A 10.0.2.100
www.teviot.com. 60 IN A 10.0.3.100
(Round robin does not notice a dead server; clients keep being sent to it until the record is removed and its TTL expires.)

Common Mistakes
- Forgetting to increment the serial number (slaves never pick up the change)
- A CNAME pointing at another CNAME
- Forgetting the "." in the appropriate places (a name without the trailing dot gets the zone origin appended)
- Underscores in hostnames
- Forgetting to reload the daemon
- Version-control issues: clobbering someone else's changes
- TTL issues
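Several of these mistakes are mechanical enough to catch before the zone is loaded. The script below is an added example, not course material: a small zone-file linter in POSIX sh and awk that checks for CNAME chains, MX targets that are CNAMEs, dotted targets missing the trailing dot, underscores in owner names, and a serial that was not bumped between two versions of the file. The zone it checks is constructed for the example (it reuses the hq.alim.ir names from the slides and deliberately contains the mistakes).

```shell
#!/bin/sh
# Added example (not part of the course): a linter for the "Common Mistakes"
# list. The sample zone below is constructed for the example.

# zone_lint FILE ORIGIN: prints one line per finding (nothing when clean).
zone_lint() {
    awk -v origin="$2" '
    # Reduce a target to a zone-relative name so "www.hq.alim.ir." == "www".
    function rel(n) {
        if (n ~ /\.$/) {
            sub(/\.$/, "", n)
            if (n == origin) return "@"
            sub("\\." origin "$", "", n)
        }
        return n
    }
    {
        sub(/;.*/, "")                                   # strip comments
        if ($0 ~ /^[[:space:]]*$/ || $1 ~ /^\$/) next   # blank, $TTL, $ORIGIN
        if (inpar) { if ($0 ~ /\)/) inpar = 0; next }   # rest of a multi-line SOA
        if ($0 ~ /^[[:space:]]/) owner = last            # blank owner: reuse previous
        else { owner = $1; last = $1; $1 = ""; $0 = $0 }
        if ($0 ~ /\(/) { inpar = 1; next }               # SOA opened on this line
        i = 1
        if ($i ~ /^[0-9]+[smhdwSMHDW]?$/) i++            # optional TTL
        if ($i == "IN") i++                              # optional class
        type = $i
        target = (type == "MX") ? $(i + 2) : $(i + 1)    # MX carries a preference first
        if (owner ~ /_/) print "underscore in hostname: " owner
        if ((type == "NS" || type == "MX" || type == "CNAME") && target ~ /\./ && target !~ /\.$/)
            print "missing trailing dot: " owner " " type " " target
        if (type == "CNAME") cname[owner] = rel(target)
        if (type == "MX") mx[owner] = rel(target)
    }
    END {
        for (o in cname) if (cname[o] in cname)
            print "CNAME chain: " o " -> " cname[o] " -> " cname[cname[o]]
        for (o in mx) if (mx[o] in cname)
            print "MX target is a CNAME: " o " -> " mx[o]
    }' "$1"
}

# serial_of FILE: prints the SOA serial (first number after MNAME and RNAME).
serial_of() {
    awk '
    { sub(/;.*/, "") }
    !insoa { for (i = 1; i <= NF; i++) if ($i == "SOA") { insoa = 1; skip = 2; i++; break }
             if (!insoa) next }
    { for (; i <= NF; i++) { if ($i == "(") continue
                             if (skip > 0) { skip--; continue }
                             print $i; exit }
      i = 1 }' "$1"
}

# serial_bumped OLD NEW: succeeds only if the new serial is larger.
serial_bumped() { [ "$(serial_of "$2")" -gt "$(serial_of "$1")" ]; }

# Constructed sample zone with several of the listed mistakes in it.
SAMPLE_ZONE=$(mktemp)
cat > "$SAMPLE_ZONE" <<'EOF'
$TTL 1D
@   IN SOA hq.alim.ir. root.hq.alim.ir. (
        2004081501 ; serial
        8H ; refresh
        2H ; retry
        4W ; expire
        1D ) ; minimum
        NS  ns.hq.alim.ir
        MX  10 mail
ns      A   192.168.168.3
www     CNAME hq.alim.ir.
mail    CNAME www
bad_host A  192.168.168.9
EOF
SAMPLE_ZONE_OLD=$(mktemp)
sed 's/2004081501/2004081500/' "$SAMPLE_ZONE" > "$SAMPLE_ZONE_OLD"

zone_lint "$SAMPLE_ZONE" hq.alim.ir
serial_bumped "$SAMPLE_ZONE_OLD" "$SAMPLE_ZONE" && echo "serial was incremented"
```

Run `zone_lint /var/named/hq.alim.ir hq.alim.ir` before reloading named; `serial_bumped` compares the file you are about to install with the one currently in /var/named, which is the check people forget most often.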
Test Tools
- nslookup
- dig
  dig mail.hq.alim.ir
  dig -x 192.168.168.2
  dig 168.168.192.in-addr.arpa. AXFR   (requests a zone transfer; if this works from an arbitrary host, allow-transfer is not restricted)
- whois
- http://www.squish.net/dnscheck/ (James Ponder's DNS check web page)
Session 17
Firewall
Required properties:
- Control: allow only those packets that you want to pass through.
- Security: reject packets from malicious outsiders.
- Watchfulness: log packets to and from the outside world.

Firewall Types
- Packet filtering: stateless or stateful
- Proxy-based firewall

Packet Filters under Linux
- 1st generation: ipfw (from BSD)
- 2nd generation: ipfwadm (Linux 2.0)
- 3rd generation: ipchains (Linux 2.2)
- 4th generation: iptables (Linux 2.4 and 2.6)

Installing iptables
- Kernel support for iptables
  Networking Options -> TCP/IP Networking -> Network Packet Filtering
  Networking Options -> TCP/IP Networking -> IP: advanced router -> *
  Networking Options -> IP: Netfilter Configuration -> *
  For traffic control: Networking Options -> QoS and/or fair queueing -> *
- # rpm -ivh iptables-1.2.6a-2.i386.rpm
Chains of the Filter Table
- INPUT: controls packets entering your system
- OUTPUT: controls packets leaving your system
- FORWARD: controls which packets can move from one network to another through your system

(Diagram: incoming packet -> routing decision -> INPUT chain -> local process -> OUTPUT chain -> out; or routing decision -> FORWARD chain -> out)

1. When a packet comes in, the kernel first looks at its destination: this is called routing.
2. If it is destined for this box, it passes downwards in the diagram to the INPUT chain. If it passes, any process waiting for that packet receives it. Otherwise go to step 3.
3. If forwarding is not enabled, the packet is dropped. If forwarding is enabled and the packet is destined for another network interface, it goes rightwards in the diagram to the FORWARD chain. If it is accepted there, it is sent out.
4. Packets generated by a local process pass to the OUTPUT chain immediately. If that chain accepts them, they are sent out.

Packet (Connection Tracking) States in iptables (matched with -m state --state …)
- NEW
- ESTABLISHED
- RELATED
- INVALID

Results of Packet Checking (targets)
- ACCEPT
- DROP
- REJECT
- …
Tables of iptables
- filter
- nat
- mangle

The Path of a Packet Through iptables
A packet arriving from the network:
1. mangle PREROUTING
2. nat PREROUTING (destination NAT)
3. routing decision
4. either, for this host: mangle INPUT, filter INPUT, local process
   or, for another network: mangle FORWARD, filter FORWARD
5. mangle POSTROUTING, nat POSTROUTING (source NAT), out to the network
A packet generated by a local process:
1. routing decision
2. mangle OUTPUT, nat OUTPUT (destination NAT, based on routing), filter OUTPUT
3. mangle POSTROUTING, nat POSTROUTING (source NAT), out to the network

Tables and Their Chains
Table    PREROUTING  INPUT  FORWARD  OUTPUT  POSTROUTING
mangle   *           *      *        *       *
nat      *           -      -        *       *
filter   -           *      *        *       -
Building a Rule: source and destination
- iptables -s 200.200.200.1
  Refers to packets from a specific IP address.
  "-s" refers to the source of the packet, where the packet is coming from.
  A corresponding "-d" refers to the destination, where the packet is going to.

Building a Rule: action
- iptables -s 200.200.200.1 -j DROP
  "-j" determines what happens to a packet that matches the rule (the target).

Building a Rule: IP address ranges
- iptables -s 200.200.200.0/24 -j DROP
  Matches addresses of the form 200.200.200.*
  "/24" is the number of bits that are fixed, counting from the left.

Other Actions
- REDIRECT: rewrites the destination so the packet is delivered to the local machine (e.g. port 80 traffic to a local proxy)
- LOG: records packets as they match rules, then continues with the next rule
- RETURN: stops traversing a user-defined chain and resumes in the calling chain

Building a Rule: appending rules to chains
- iptables -A INPUT -s 200.200.200.1 -j DROP
  "-A" appends the rule to a chain; "INPUT" names the chain.
  This command makes your system ignore all packets from 200.200.200.1.
- iptables -A OUTPUT -d 200.200.200.1 -j DROP
  This command stops your system from sending packets to 200.200.200.1.

Building a Rule: only blocking some packets
- iptables -A INPUT -s 200.200.200.1 -p tcp --destination-port telnet -j DROP
  "-p" specifies a protocol: tcp, udp or icmp.
  "--destination-port" is where the packet is going; you can use the service name (from /etc/services) or the port number, so 23 would also do here.
  Keep in mind that the source port is very different from the destination port. In this example the inbound packet is going to your telnet server; the telnet client sending it could be using any source port.
  --dport == --destination-port
  --sport == --source-port

Building a Rule: multiple network interfaces
- Assume your machine has two interface cards: one to a LAN named eth0 and the other to the Internet named ppp0.
- iptables -A INPUT -p tcp --dport telnet -i ppp0 -j DROP
  "-i" specifies the input interface; there is also a "-o" option for the output interface.
- iptables -A INPUT -p tcp --dport telnet -i eth0 -j ACCEPT
- Together these rules accept telnet requests from the LAN but block telnet requests from the Internet.

Building a Rule: chain policies
- iptables -P FORWARD ACCEPT
  "-P" followed by a built-in chain name and a target sets the default policy of that chain: if no rule in the chain matches, this action is taken.
- The usual policies are
  INPUT = ACCEPT
  OUTPUT = ACCEPT
  FORWARD = DROP (iptables has no DENY target; that was ipchains)
  On a host that faces the Internet, a default INPUT policy of DROP with explicit ACCEPT rules is the safer starting point.

Building a Rule: adding rules to chains
- iptables -A INPUT -s 200.200.200.1 -j DROP
  Appends the rule to the end of the chain.
- iptables -I INPUT 3 -s 200.200.200.1 -j DROP
  Inserts the rule as rule 3 in the chain, moving all later rules down by one.
- iptables -R INPUT 3 -s 200.200.200.1 -j DROP
  Replaces rule 3 in the chain.
- iptables -D INPUT 3
  Deletes rule 3 in the chain.
Operations to Manage Whole Chains
-N   Create a new chain
-X   Delete an empty chain
-P   Change the policy for a built-in chain
-L   List the rules in a chain
-F   Flush the rules out of a chain
-Z   Zero the packet and byte counters on all rules in a chain

Manipulating Rules inside a Chain
-A   Append a new rule to a chain
-I   Insert a new rule at some position in a chain
-R   Replace a rule at some position in a chain
-D   Delete a rule at some position in a chain
-D   Delete the first rule that matches in a chain
An Example Firewall
Firewall/router 192.168.1.1 with two interfaces: eth0 faces the LAN, eth1 faces the Internet.
It runs a web server (reachable from everywhere) and an SSH server that must be accessible ONLY via the LAN.
LAN hosts: 192.168.1.5, 192.168.1.6, 192.168.1.7, each with GW 192.168.1.1.
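A ruleset that implements the diagram above, using the matches and policies from the preceding slides. It is an added example, not the course's own solution. Assumptions not stated on the slide: the LAN is 192.168.1.0/24, the web server listens on port 80 and sshd on port 22, and the LAN hosts are masqueraded behind the firewall's Internet address. Without an argument the script only prints the iptables commands; `apply` (as root) installs them.

```shell
#!/bin/sh
# Added example (not part of the course): a stateful iptables ruleset for the
# topology above. Assumptions: eth0 faces the LAN 192.168.1.0/24 (this box is
# 192.168.1.1), eth1 faces the Internet, httpd listens on 80 and sshd on 22.
# "./fw.sh apply" installs the rules (as root); with no argument the iptables
# commands are only printed (dry run).
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24

# fw_rules CMD: emits the ruleset through CMD ("iptables" or "echo iptables").
fw_rules() {
    ipt=${1:-iptables}
    # Start from a clean slate: flush rules, delete user chains, zero counters.
    $ipt -F
    $ipt -t nat -F
    $ipt -X
    $ipt -Z
    # Default deny for what comes in and what is forwarded (DROP: iptables has no DENY).
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
    # Loopback, and packets belonging to connections that were already accepted.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT -m state --state INVALID -j DROP
    # Anti-spoofing: LAN source addresses never legitimately arrive on eth1.
    $ipt -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
    $ipt -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
    # Web server: new connections on port 80 from anywhere.
    $ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # SSH: new connections only via the LAN interface and from the LAN range
    # (both conditions, so a spoofed LAN address arriving on eth1 still fails).
    $ipt -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Whatever reaches the end of INPUT is logged (rate limited), then hits the DROP policy.
    $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    # Let LAN hosts reach the Internet through this box, and masquerade them.
    $ipt -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
    $ipt -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
}

# fw_rule_count: number of -A rules the ruleset installs (taken from a dry run).
fw_rule_count() { fw_rules "echo iptables" | grep -c ' -A '; }

case ${1:-} in
    apply) fw_rules iptables ;;
    *)     fw_rules "echo iptables" ;;
esac
```

Order matters: the ESTABLISHED,RELATED rule sits before the per-service rules so replies are matched once by connection tracking, and the LOG rule is last so only packets that nothing else accepted get logged. Forwarding also needs net.ipv4.ip_forward=1 from the router session; with the policy on FORWARD set to DROP, enabling it does not expose the LAN.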
Session 18 (Advanced)
Traffic Shaping (CBQ)
- /etc/rc.d/init.d/cbq.init (http://ovh.dl.sourceforge.net/sourceforge/cbqinit/cbq.init-v0.7.3)
- Install the 'shapecfg' RPM
- /etc/sysconfig/cbq/* (one class file per shaping class, numbered 0002-FFFF)
- /etc/rc.d/init.d/cbq.init start

Sample CBQ Configuration
DEVICE=eth0,10Mbit,1Mbit
RATE=10Kbit
PRIO=5
RULE=:21,192.168.1.0/24
(DEVICE gives the interface, its bandwidth and the weight; RATE takes no space before the unit; RULE is [source[:port]],destination[:port], here traffic from source port 21 towards 192.168.1.0/24.)
The End
Good Luck