RedHat EX300 objectives (20130304)
System configuration and management
Route IP traffic and create static routes.
Show route
ip r
netstat -rn
route
Add route
ip r add 192.168.40.0 via 192.168.40.1 dev eth0
Delete route
ip r del 192.168.40.0 via 192.168.40.1 dev eth0
Persistent route
#/etc/sysconfig/network-scripts/route-eth0
ADDRESS0=192.168.40.0
NETMASK0=255.255.255.255
GATEWAY0=192.168.40.1
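The route-eth0 file wants a dotted netmask, not a prefix length, which is easy to mistype by hand. As an added example (not from the original notes), this POSIX sh script converts CIDR routes into the ADDRESSn/NETMASKn/GATEWAYn lines that route-<iface> expects; the function names and the NETWORK/PREFIX:GATEWAY argument format are my own.

```shell
#!/bin/sh
# Added example: build /etc/sysconfig/network-scripts/route-<iface> entries
# from CIDR notation, so the persistent file matches what "ip r add" was given.

# prefix_to_mask PREFIXLEN -> dotted netmask, e.g. 24 -> 255.255.255.0
prefix_to_mask() {
    bits=$1
    [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || { echo "bad prefix: $bits" >&2; return 1; }
    mask=""
    i=0
    while [ $i -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255
        elif [ "$bits" -le 0 ]; then
            octet=0
        else
            # partial octet: top "bits" bits set, e.g. 4 -> 240
            octet=$(( 256 - (1 << (8 - bits)) ))
        fi
        bits=$(( bits - 8 ))
        mask="$mask${mask:+.}$octet"
        i=$(( i + 1 ))
    done
    echo "$mask"
}

# route_entry INDEX NETWORK/PREFIX GATEWAY -> the three KEY=VALUE lines for that index
route_entry() {
    idx=$1; net=${2%/*}; prefix=${2#*/}; gw=$3
    mask=$(prefix_to_mask "$prefix") || return 1
    printf 'ADDRESS%s=%s\nNETMASK%s=%s\nGATEWAY%s=%s\n' \
        "$idx" "$net" "$idx" "$mask" "$idx" "$gw"
}

# route_file IFACE ROUTE... -> (over)writes route-IFACE; each ROUTE is NETWORK/PREFIX:GATEWAY
# Constructed usage: route_file eth0 192.168.40.0/24:192.168.40.1 10.0.0.0/8:192.168.40.254
route_file() {
    iface=$1; shift
    out="/etc/sysconfig/network-scripts/route-$iface"
    n=0
    for r in "$@"; do
        route_entry "$n" "${r%:*}" "${r#*:}" || return 1
        n=$(( n + 1 ))
    done > "$out"
    echo "wrote $out"
}
```

Apply the file afterwards with "service network restart" (or ifdown/ifup on the interface) and confirm with "ip r".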
Use iptables to implement packet filtering and configure network address translation (NAT).
Show iptables
iptables -nvL
iptables config: module settings (conntrack, nat, ftp, etc.)
/etc/sysconfig/iptables-config
iptables config: firewall rules
/etc/sysconfig/iptables
save/restore iptables
iptables-save
iptables-restore
Set up NAT
iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
Port forward
iptables -t nat -A PREROUTING -i eth+ -p tcp --dport 20:21 -j DNAT --to-destination 192.168.15.36:20-21
iptables -t filter -A FORWARD -i eth+ -m state --state NEW -m tcp -p tcp -d 192.168.15.36 --dport 20:21 -j ACCEPT
Enable forwarding
sysctl -w net.ipv4.conf.all.forwarding=1
Use /proc/sys and sysctl to modify and set kernel runtime parameters.
Show value
sysctl net.ipv4.ip_forward #Output: net.ipv4.ip_forward = 0
cat /proc/sys/net/ipv4/ip_forward #Output: 0
Change setting
sysctl -w net.ipv4.ip_forward=1
Or
echo 1 > /proc/sys/net/ipv4/ip_forward
Persistent config
#/etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
Configure a system to authenticate using Kerberos.
yum -y install krb5-workstation system-config-authentication
Text-based:
authconfig-tui
Build a simple RPM that packages a single file.
Install the rpm tools.
yum install rpmdevtools
Create a directory with a simple script.
mkdir myscript-0.1
vi myscript-0.1/hello.sh
chmod +x myscript-0.1/hello.sh
Create a spec file from the template below (vi).
vi myscript.spec
Name:           myscript
Version:        0.1
Release:        1%{?dist}
Summary:        myscript test rpm
Group:          none
License:        none
URL:            none
Source0:        myscript-0.1.tar.gz
BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires:  /bin/cp
Requires:       /bin/bash

%description
Test RPM for EX300 exam

%prep
%setup -q

%build
echo "OK"

%install
rm -rf %{buildroot}
mkdir -p %{buildroot}/tmp/myscript
cp -R * %{buildroot}/tmp/myscript

%clean
rm -rf %{buildroot}

%files
%defattr(-,root,root,-)
/tmp/myscript/hello.sh
%doc

%changelog
Run rpmbuild to create the rpmbuild directory tree. This fails with an error (the source tarball does not exist yet), but it creates the tree.
rpmbuild -ba myscript.spec
Create an archive tar.gz in the SOURCES directory.
tar czvf rpmbuild/SOURCES/myscript-0.1.tar.gz myscript-0.1/
Copy the spec file to the SPECS directory.
cp myscript.spec rpmbuild/SPECS/
Build the RPM.
rpmbuild -ba rpmbuild/SPECS/myscript.spec
Test the RPM install.
rpm -ivh rpmbuild/RPMS/x86_64/myscript-0.1-1.el6.x86_64.rpm
Configure a system as an iSCSI initiator that persistently mounts an iSCSI target.
Install utils
yum install iscsi-initiator-utils
Discover targets
iscsiadm -m discovery -t st -p <remote host>
Log in to target:
iscsiadm -m node -T <fqdn> -p <remote host> -l
Show added device
dmesg
List running sessions
iscsiadm -m session
Produce and deliver reports on system utilization (processor, memory, disk, and network).
yum install sysstat
chkconfig sysstat on
service sysstat start
Read log files:
sar -f /var/log/sa/sa17
Use shell scripting to automate system maintenance tasks.
Configure a system to log to a remote system.
Edit /etc/rsyslog.conf
*.* @splunk.home:514
Restart rsyslog
service rsyslog restart
Configure a system to accept logging from a remote system.
Edit /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Add iptables rules to /etc/sysconfig/iptables.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
Network services
Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:
Install the packages needed to provide the service.
yum provides */<filename, daemon, etc.>
Configure SELinux to support the service.
See EX200 objectives.
Configure the service to start when the system is booted.
chkconfig
Or
/etc/rc.local
Configure the service for basic operation.
Check for config in /etc and /etc/sysconfig.
Configure host-based and user-based security for the service.
Host-based: TCP wrappers, iptables, application config.
User-based: users, groups, application config.
HTTP/HTTPS
yum -y groupinstall "Web Server"
chkconfig httpd on
service httpd start
Edit iptables config: /etc/sysconfig/iptables.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
Restart iptables
service iptables restart
Configure a virtual host.
Create DocumentRoot
mkdir -p /var/www/web1
mkdir -p /var/www/web2
Create /var/www/web1/index.html
<html> web1 test page </html>
Create /var/www/web2/index.html
<html> web2 test page </html>
Edit /etc/httpd/conf/httpd.conf
NameVirtualHost *:80
Create new virtual host config /etc/httpd/conf.d/web.conf
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/web1
    ServerName web1.study.home
    ErrorLog logs/web1-error_log
    CustomLog logs/web1-access_log common
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/web2
    ServerName web2.study.home
    ErrorLog logs/web2-error_log
    CustomLog logs/web2-access_log common
</VirtualHost>
Restart Apache
service httpd restart
Configure private directories.
Create private directory
mkdir /var/www/web1/private
Create /var/www/web1/private/index.html
<html> Private HTML page </html>
Create passwd file
htpasswd -c /etc/httpd/.htpasswd privateuser
Add config to /etc/httpd/conf.d/web.conf
<Directory /var/www/web1/private>
    AuthName "Private Directory"
    AuthType Basic
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Directory>
Deploy a basic CGI application.
Create CGI directory
mkdir /var/www/web1/cgi
Edit script /var/www/web1/cgi/openports.cgi
#!/bin/sh
# CGI header: content type, then a blank line before the body
printf 'Content-type: text/html\n\n'
echo "<pre>"
netstat -tan   # THIS WILL GIVE SELINUX TROUBLES
echo "</pre>"
Make it executable
chmod +x /var/www/web1/cgi/openports.cgi
Edit /etc/httpd/conf.d/web.conf
<Directory /var/www/web1/cgi>
    Options +ExecCGI
    AddHandler cgi-script pl cgi
</Directory>
Configure group-managed content.
Create group
groupadd admins
Add users to admins
Set rights
mkdir -p /var/www/web1/admins
chown apache:admins /var/www/web1/admins
chmod 775 /var/www/web1/admins
chmod g+s /var/www/web1/admins
DNS
Configure a caching-only name server.
yum -y install bind
chkconfig named on
service named start
There is a known bug generating /etc/rndc.key (it can block waiting for /dev/random). If this happens, run:
rndc-confgen -a -r /dev/urandom
Open port 53 (udp and tcp)
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
Restart iptables
service iptables restart
Configure a caching-only name server to forward DNS queries.
Note: Candidates are not expected to configure master or slave name servers.
Edit /etc/named.conf
listen-on port 53 { 127.0.0.1; 192.168.1.32; };
allow-query { localhost; 192.168.1.0/24; };
forward only;
forwarders { 192.168.1.1; };
dnssec-enable no;
dnssec-validation no;
FTP
Configure anonymous-only download.
yum -y groupinstall "FTP server"
service vsftpd start
chkconfig vsftpd on
Open iptables port
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
Edit /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp"
service iptables restart
NFS
Provide network shares to specific clients.
yum -y groupinstall "NFS file server"
service rpcbind start
chkconfig rpcbind on
service nfs start
chkconfig nfs on
Edit /etc/exports
/var/ftp/pub 192.168.42.0/24(ro,insecure)
Export filesystems
exportfs -a
Edit NFS config /etc/sysconfig/nfs
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
Edit iptables and restart
-A INPUT -m state --state NEW -m udp -p udp --dport 32803 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 32769 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
Restart iptables
service iptables restart
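Twelve hand-typed rules are easy to get out of step with /etc/sysconfig/nfs. As an added example (not from the original notes), this POSIX sh script derives the INPUT rules from the *PORT= lines of that file plus the fixed rpcbind (111) and nfs (2049) ports, so the firewall always matches the daemon configuration; the function names and the sample config are my own.

```shell
#!/bin/sh
# Added example: generate the iptables INPUT rules for an NFS server from the
# fixed ports set in /etc/sysconfig/nfs (tcp and udp for each, as in the notes).

# Constructed sample of the lines the notes add to /etc/sysconfig/nfs.
SAMPLE_NFS_CONF='LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662'

# nfs_rule PROTO PORT -> one rule in /etc/sysconfig/iptables syntax
nfs_rule() {
    printf '%s -m state --state NEW -m %s -p %s --dport %s -j ACCEPT\n' \
        '-A INPUT' "$1" "$1" "$2"
}

# nfs_ports CONF -> sorted unique port numbers from every *PORT=<n> key,
# plus 111 (rpcbind) and 2049 (nfsd), which are fixed and not in the file
nfs_ports() {
    {
        printf '%s\n' "$1" | sed -n 's/^[A-Z_]*PORT=\([0-9][0-9]*\)$/\1/p'
        echo 111
        echo 2049
    } | sort -un
}

# nfs_rules CONF -> a tcp and a udp rule for every port
nfs_rules() {
    for port in $(nfs_ports "$1"); do
        nfs_rule tcp "$port"
        nfs_rule udp "$port"
    done
}

# nfs_rules_from_file [FILE] -> same, reading the real config (default /etc/sysconfig/nfs)
nfs_rules_from_file() {
    nfs_rules "$(cat "${1:-/etc/sysconfig/nfs}")"
}
```

Append the output of nfs_rules_from_file to /etc/sysconfig/iptables above the final REJECT rule, then "service iptables restart" and check with "iptables -nvL" and "rpcinfo -p" that the open ports match the registered services.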
Provide network shares suitable for group collaboration.
Edit /etc/exports
/opt/data/share 192.168.42.0/24(rw,insecure)
Export filesystems
exportfs -a
Change rights to path
chmod g+w ....
SMB
Provide network shares to specific clients.
yum install samba -y
chkconfig smb on
chkconfig nmb on
Edit iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
Restart iptables
service iptables restart
Edit /etc/samba/smb.conf
[samba]
    comment = RHEL samba share
    path = /opt/data/samba
    browseable = yes
    writable = yes
    valid users = benst
    hosts allow = 192.168.1.
    hosts deny = 192.168.1.33
Add user password
smbpasswd -a <username>
Set the SELinux label on the directory
chcon -t samba_share_t /opt/data/samba
Give appropriate filesystem rights to share
chown / chmod ...
Set SELinux booleans. Read-only:
setsebool -P samba_export_all_ro 1
Read-write:
setsebool -P samba_export_all_rw 1
Start samba
service smb start
service nmb start
Provide network shares suitable for group collaboration.
SMTP
Configure a mail transfer agent (MTA) to accept inbound email from other systems.
Edit /etc/postfix/main.cf
inet_interfaces = all
Edit iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
Restart iptables and postfix
service postfix restart
service iptables restart
Configure an MTA to forward (relay) email through a smart host.
Edit /etc/postfix/main.cf
relay_domains = domainname.com
relayhost = mail.hostname.com
Restart postfix
service postfix restart