Show route
ip r, netstat -rn, or route
Add route
ip r add 192.168.40.0 via 192.168.40.1 dev eth0
Delete route
ip r del 192.168.40.0 via 192.168.40.1 dev eth0
Persistent route
#/etc/sysconfig/network-scripts/route-eth0
ADDRESS0=192.168.40.0
NETMASK0=255.255.255.255
GATEWAY0=192.168.40.1
Show iptables
iptables -nvL
iptables config; settings, modules (conntrack, nat, ftp, etc)
/etc/sysconfig/iptables-config
iptables config; firewall rules
/etc/sysconfig/iptables
save/restore iptables
iptables-save / iptables-restore
Set up NAT
iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
Port forward
iptables -t nat -A PREROUTING -i eth+ -p tcp --dport 20:21 -j DNAT --to-destination 192.168.15.36:20-21
iptables -t filter -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d 192.168.15.36 --dport 20:21 -j ACCEPT
Enable forwarding
sysctl -w net.ipv4.conf.all.forwarding=1
Show value
sysctl net.ipv4.ip_forward #Output: net.ipv4.ip_forward = 0
cat /proc/sys/net/ipv4/ip_forward #Output: 0
Change setting
sysctl -w net.ipv4.ip_forward=1 (or: echo 1 > /proc/sys/net/ipv4/ip_forward)
Persistent config (the line shown below is the default of 0; set it to 1 to keep forwarding enabled across reboots)
#/etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
yum -y install krb5-workstation system-config-authentication
Textbased
authconfig-tui
Install the rpm tools.
yum install rpmdevtools
Create a directory with a simple script.
mkdir myscript-0.1
vi myscript-0.1/hello.sh
chmod +x myscript-0.1/hello.sh
Edit a (vi) template spec file.
vi myscript.spec
Name: myscript
Version: 0.1
Release: 1%{?dist}
Summary: myscript test rpm
Group: none
License: none
URL: none
Source0: myscript-0.1.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: /bin/cp
Requires: /bin/bash

%description
Test RPM for EX300 exam

%prep
%setup -q

%build
echo "OK"

%install
rm -rf %{buildroot}
mkdir -p %{buildroot}/tmp/myscript
cp -R * %{buildroot}/tmp/myscript

%clean
rm -rf %{buildroot}

%files
/tmp/myscript/hello.sh
%defattr(-,root,root,-)
%doc

%changelog
Run rpmbuild in order to create a RPM tree. This will generate an error, but create the tree.
rpmbuild -ba myscript.spec
Create an archive tar.gz in the SOURCES directory.
tar czvf rpmbuild/SOURCES/myscript-0.1.tar.gz myscript-0.1/
Copy the spec file to SPEC directory.
cp myscript.spec rpmbuild/SPECS/
Build the RPM.
rpmbuild -ba rpmbuild/SPECS/myscript.spec
Test the RPM install.
rpm -ivh rpmbuild/RPMS/x86_64/myscript-0.1-1.el6.x86_64.rpm
Install utils
yum install iscsi-initiator-utils
Discover targets
iscsiadm -m discovery -t st -p <remote host>
Log in to target:
iscsiadm -m node -T <fqdn> -p <remote host> -l
Show added device
dmesg
List running sessions
iscsiadm -m session
yum install sysstat
chkconfig sysstat on
service sysstat start
Read log files:
sar -f /var/log/sa/sa17
Edit /etc/rsyslog.conf (a single @ forwards over UDP, which is unencrypted and unacknowledged; @@ selects TCP)
*.* @splunk.home:514
Restart rsyslog
service rsyslog restart
Edit /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Add iptables rules to /etc/sysconfig/iptables (adding -s &lt;sender network&gt; limits the collector to the hosts that are expected to send logs).
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:
yum provides */<filename, daemon, etc..>
See EX200 objectives.
chkconfig
Or
/etc/rc.local
Check for config in /etc and /etc/sysconfig.
Hostbased: TCP wrappers, iptables, application config.
Userbased: users, groups, application config.
yum -y groupinstall "Web Server"
chkconfig httpd on
service httpd start
Edit iptables config: /etc/sysconfig/iptables.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
Restart iptables
service iptables restart
Create DocumentRoot
mkdir -p /var/www/web1
mkdir -p /var/www/web2
Create /var/www/web1/index.html
<html> web1 test page </html>
Create /var/www/web2/index.html
<html> web2 test page </html>
Edit /etc/httpd/conf/httpd.conf
NameVirtualHost *:80
Create new virtual host config /etc/httpd/conf.d/web.conf
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/web1
    ServerName web1.study.home
    ErrorLog logs/web1-error_log
    CustomLog logs/web1-access_log common
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/web2
    ServerName web2.study.home
    ErrorLog logs/web2-error_log
    CustomLog logs/web2-access_log common
</VirtualHost>
Restart Apache
service httpd restart
Create private directory
mkdir /var/www/web1/private
Create /var/www/web1/private/index.html
<html> Private HTML page </html>
Create passwd file
htpasswd -c /etc/httpd/.htpasswd privateuser
Add config to /etc/httpd/conf.d/web.conf (Basic auth sends the password base64-encoded with every request, so it is effectively clear text unless the vhost is served over TLS)
<Directory /var/www/web1/private>
    AuthName "Private Directory"
    AuthType basic
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Directory>
Create CGI directory
/var/www/web1/cgi
Edit script /var/www/web1/cgi/openports.cgi
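#!/bin/sh
# CGI handler that prints the host's TCP socket table as preformatted HTML.
# NOTE: this discloses every listening port and active connection to any
# client that can reach the vhost; keep it restricted via the Require/auth
# settings of its <Directory> block.
#
# printf instead of `echo -e`: under /bin/sh (dash) echo prints "-e" literally,
# which would corrupt the CGI header. The blank line after the header is
# mandatory for the server to find the start of the body.
printf 'Content-type: text/html\n\n'
echo "<pre>"
# THIS WILL GIVE SELINUX TROUBLES (httpd CGI scripts are confined; the author
# reports netstat being denied from this context).
netstat -tan
echo "</pre>"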
Make it executable
chmod +x openports.cgi
Edit /etc/httpd/conf.d/web.conf
<Directory /var/www/web1/cgi>
    Options +ExecCGI
    AddHandler cgi-script pl cgi
</Directory>
Create group
groupadd admins
Add users to admins
Set rights (the two chmod lines below name /www/site1, which does not match the /var/www/web1/admins directory created and chowned just before them; presumably the same path is intended)
mkdir -p /var/www/web1/admins
chown apache.admins /var/www/web1/admins
chmod 775 /www/site1
chmod g+s /www/site1
yum -y install bind
chkconfig named on
service named start
There is a known bug when generating /etc/rndc.key. If this happens, run:
rndc-confgen -a -r /dev/urandom
Open port 53 udp
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
Restart iptables
service iptables restart
Note: Candidates are not expected to configure master or slave name servers.
Edit /etc/named.conf (note that dnssec-validation no turns off DNSSEC checking of the answers received from the forwarders)
listen-on port 53 { 127.0.0.1; 192.168.1.32; };
allow-query { localhost; 192.168.1.0/24; };
forward only;
forwarders { 192.168.1.1; };
dnssec-enable no;
dnssec-validation no;
yum -y groupinstall "FTP server"
service vsftpd start
chkconfig vsftpd on
Open iptables port
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
Edit /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp"
service iptables restart
yum -y groupinstall "NFS file server"
service rpcbind start
chkconfig rpcbind on
service nfs start
chkconfig nfs on
Edit /etc/exports
/var/ftp/pub 192.168.42.0/24(ro,insecure)
Export filesystems
exportfs -a
Edit NFS config /etc/sysconfig/nfs
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
Edit iptables and restart (note: the rules below open port 32802, but LOCKD_TCPPORT above is 32803; the two must agree, otherwise NFS locking is blocked and an unused port is opened)
-A INPUT -m state --state NEW -m udp -p udp --dport 32802 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 32802 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 32769 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
Restart iptables
service iptables restart
Edit /etc/exports
/opt/data/share 192.168.42.0/24(rw,insecure)
Export filesystems
exportfs -a
Change rights to path
chmod g+w ....
yum install samba -y
chkconfig smb on
chkconfig nmb on
Edit iptables (137 and 138 are the UDP NetBIOS name and datagram services; the matching TCP rules below are not needed, while 139/tcp and 445/tcp carry the SMB sessions)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
Restart iptables
service iptables restart
Edit /etc/samba/smb.conf
[samba]
comment = RHEL samba share
path = /opt/data/samba
browseable = yes
writable = yes
valid users = benst
hosts allow = 192.168.1.
hosts deny = 192.168.1.33
Add user password
smbpasswd -a <username>
Set selinux label on dir
chcon -t samba_share_t /opt/data/samba
Give appropriate filesystem rights to share
chown / chmod ...
Set bools RO:
setsebool -P samba_export_all_ro 1
RW:
setsebool -P samba_export_all_rw 1
Start samba
service smb start
service nmb start
Edit /etc/postfix/main.cf
inet_interfaces = all
Edit iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
Restart iptables and postfix
service postfix restart
service iptables restart
Edit /etc/postfix/main.cf
relay_domains = domainname.com
relayhost = mail.hostname.com
Restart postfix
service postfix restart