PPT – RHCE PowerPoint presentation | free to download

About This Presentation

Title:

RHCE

Description:

1991: Linux is introduced by Linus Benedict Torvalds who was a second year ... From: torvalds_at_klaava.Helsinki.FI (Linus Benedict Torvalds) Newsgroups: comp.os.minix ... – PowerPoint PPT presentation

Number of Views:2414

Avg rating:3.0/5.0

Slides: 152

Provided by: mohammada8

Category:

more less

Transcript and Presenter's Notes

Title: RHCE

1
RHCE
Session 1

Red Hat Certified Engineer

M. A. Agheli
2
History Of UNIX Linux

1957 Bell Labs found they needed an operating
system which at the time was running
various batch jobs.
1965 Bell Labs create Multics (Multiplexed
Information and Computing Service)
1969 Summer 1969 UNIX was developed by ATT
1975 Sixth edition of UNIX released May 1975
1985 GNU project started
1991 Linux is introduced by Linus Benedict
Torvalds who was a second year student of
Computer Science at the University of
Helsinki
1993 NetBSD FreeBSD released
1994 Red Hat Linux is introduced

3
First Article About Linux
From torvalds_at_klaava.Helsinki.FI (Linus Benedict
Torvalds) Newsgroups comp.os.minix Subject
What would you like to see most in minix?
Summary small poll for my new operating system
Message-ID lt1991Aug25.205708.9541_at_klaava.Helsink
i.FIgt Date 25 Aug 91 205708 GMT
Organization University of Helsinki Hello
everybody out there using minix - I'm doing a
(free) operating system (just a hobby, won't be
big and professional like gnu) for 386(486) AT
clones. This has been brewing since april, and
is starting to get ready. I'd like any feedback
on things people like/dislike in minix, as my OS
resembles it somewhat (same physical layout of
the file-system (due to practical reasons) among
other things). I've currently ported bash(1.08)
and gcc(1.40),and things seem to work.This
implies that I'll get something practical within
a few months, andI'd like to know what features
most people would want.a Any
suggestions are welcome, but I won't promise I'll
implement them -) Linus (torvalds_at_kruuna.helsink
i.fi) PS. Yes - it's free of any minix code, and
it has a multi-threaded fs. It is NOT protable
(uses 386 task switching etc), and it probably
never will support anything other than
AT-harddisks, as that's all I have -(.
4
GNU GPL
GNU Project Focused on creating a Unix like
operating systemthat could be freely
distributed GPL Global Public license(Copyleft)
5
Major Linux Distributors
6
The Advantage of Linux

Low purchase cost
Open Source Software (OSS)
UNIX heritage
Multi User
Scalability
Vendor support
Reliable uptime
Security
Logging System

7
The Disadvantage of Linux

Steep learning curve
Hardware support
End-user applications

8
A Comparison Of Win 9x, NT, and Linux
9
Linux Filesystem Hierarchy
10
RHCE
Session 2

Red Hat Certified Engineer

M. A. Agheli
11
Installing Linux

Hardware Requirements
Harddisk Partitioning
Boot Loader
Install Packages
X Configuration

12
Overview of the Installation Process

Starting the installation process
Installation Mode
Language
Keyboard
Mouse
Partitioning
Boot Loader Installation
Network Configuration
Setting the time zone

13
Overview of the Installation Process

Firewall Configuration
Specifying authentication options (optional)
Specifying user accounts
Selecting packages
Installing packages
Creating a boot disk
Configuration the X Windows system (optional)

14
Installing Linux Consoles Message Logs
15
Configuring InstallTime Options after Installation
16
RHCE
Session 3

Red Hat Certified Engineer

M. A. Agheli
17
SHELL

Some of Important BASH Variables
PATH SHELL PS1 PS2

PS1, PS2 Switches \u , \h , \W , \d , \t , \s ,
\ ,
18
Some of Linux Commands(1)
19
RHCE
Session 4

Red Hat Certified Engineer

M. A. Agheli
20
BASH

TAB key Features
Review Pages Commands
Quoting in BASH
value value value
Redirection Operators
gt gtgt ltlt lt
Standard Input Standard Output
stdin 0
stdout 1
stderr 2

21
Important Command Forms
cmd cmd (fg, ctrlz, bg) cmd1 cmd2 (cmd1
cmd2) cmd1 cmd2 cmd1 cmd2 cmd1 cmd2 cmd1
cmd2 cmd1 cmd2
22
Linux File Types
23
Bash Special Variables

24
Some of Linux Commands(2)

Process Text Streams
sort, cut, head, tail, split, wc, uniq, grep
Redirecting Commands output
tee
Create, Monitor Kill Processes
ps, pstree, top, kill, killall
Modify Process Priority (renice)

25
RHCE
Session 5

Red Hat Certified Engineer

M. A. Agheli
26
Some of Linux Commands(3)

Create Partitions and Filesystem
fdisk, mke2fs, mkfs.
Maintain the Integrity of Filesystem
e2fsck, fsck., du, df
Filesystem Mounting Umounting
mount, umount, /etc/fstab

27
Some of Linux Commands(4)

Use File Permissions
chmod, chown, chgrp, su
Create Hard Symbolic Links (ln)
Find System Files (find, locate, which)
Using Emergency Single User Mode

28
vi Powerful Text Editor

Insert Mode
Normal Mode
Command Mode

Insert Text
Delete

dd ? ndd (Delete)
yy ? nyy (Copy)
p (paste)
P (Paste)
/ (Search)
v (Visual) (Text Selection)

w
q
wq x

q!
r
s///

29
RHCE
Session 6

Red Hat Certified Engineer

M. A. Agheli
30
Run Levels

init chkconfig Commands
/etc/inittab
/etc/rc.d/init.d /etc/rc0123456.d/

31
Configuring Boot loader

LILO
Edit /etc/lilo.conf execute lilo command
GRUB
Edit /boot/grub/grub.conf

32
Administrative Tasks

Manage Users, Groups Related Files
useradd, userdel, groupadd, groupdel, passwd,
vipw, vigr
/etc/passwd, /etc/shadow, /etc/skel,
/etc/profile,
Configure and use system log files
/etc/syslog.conf, /etc/logrotate.conf
Scheduling Jobs (at crontab commands)
Backup Restore Tools
tar, bzip2, gzip

33
RHCE
Session 7

Red Hat Certified Engineer

M. A. Agheli
34
Linux Installation and Package Management

Make and Install Programs from Source
RPM
(Redhat Package Manager)

35
Kernel

About Kernel and Loadable Modules
Manage Kernel Modules at Runtime
(/etc/modules.conf)
Reconfigure, Build and Install a Custom Kernel

36
Configuring Modems

redhat-config-network-tui Command in Text Mode
Modem Configuration Files
kppp Command in X window

37
RHCE
Session 8

Red Hat Certified Engineer

M. A. Agheli
38
Shell Scripts

Comments
! Special Comments
Assign a Value
xy xy
xy x\y
xy export x,y,z
xyes export xy
xyes

39
Shell Scripts

Control Constructs
read command
test command ( )
if then else fi
case ... in pattern) esac
while do done
until do done
for x in do done
break, continue, exit (for, while, until)

40
RHCE
Session 9

Red Hat Certified Engineer

M. A. Agheli
41
Installing and ConfiguringX
42
Basic X Concepts

X Client
X Server
X Protocol

43
Basic X Concepts

X Window Manager
X Desktop Manager
X Display Manager

44
Installing X

Determine the proper X server
Install the proper packages

45
X Server Selection

XFree86-

Installation the Packages

freetype
gtk
XFree86-libs
XFree86-75dpi-fonts
redhat-config-xfree86

XFree86-xfs
XFree86-xdm
XFree86-twm
XFree86-tools
xinitrc

46
Configuring X

redhat-config-xfree86
xvidtune

47
Important X Directories Files

/usr/X11R6/bin
/etc/X11
/etc/X11/XF86Config

48
Configure and Use PPP

redhat-config-network-tui Command in Text Mode
Modem Configuration Files
kppp Command in X window

49
RHCE
Session 10

Red Hat Certified Engineer

M. A. Agheli
50
Network Basics

IP (network host portion)
192.168.168.1 11000000.10101000.10101000.0000000
1
Static IP Dynamic IP
Netmask Address
255.255.255.0 11111111.11111111.11111111.0000000
0
Network Address
192.168.168.0 11000000.10101000.10101000.0000000
0
Broadcast Address
192.168.168.255 11000000.10101000.10101000.11111
111

51
Classfull Addressing System

Network Classes
Class A 1.0.0.0-126.0.0.0 (8 bits)
Class B 128.0.0.0-191.0.0.0 (16 bits)
Class C 192.0.0.0-223.0.0.0 (24 bits)
Reserved IP
127.0.0.0-127.255.255.255 (Loop back Addr.)
224.0.0.0-239.255.255.255 (Multicast Protocols)
240.0.0.0-255.255.255.255 (do not used)
Public Private Networks (Valid Invalid IPes)
10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255

52
Classless Addressing System (Subnet)

Net. Addr. 192.168.168.0 11000000.10101000.1010
1000.00000000
Netmasks
255.255.255.0 (/24) 11111111.11111111.11111
111.00000000
255.255.255.128 (/25) 11111111.11111111.1111111
1.10000000
255.255.255.192 (/26) 11111111.11111111.1111111
1.11000000
255.255.255.224 (/27) 11111111.11111111.1111111
1.11100000
255.255.255.240 (/28) 11111111.11111111.1111111
1.11110000
255.255.255.248 (/29) 11111111.11111111.1111111
1.11111000
255.255.255.252 (/30) 11111111.11111111.1111111
1.11111100
255.255.255.254 (/31) 11111111.11111111.1111111
1.11111110

53
TCP/IP Model (1)
54
TCP/IP Model (2)

Network Access Protocols
All functions necessary to access the physical
network
Internet Protocols
IP (Internet Protocol Connectionless)
ICMP (Internet Control Message Protocol)

55
TCP/IP Model (3)

Transport Protocols
TCP (Transmission Control Protocol)
Connection-based
UDP (User Datagram Protocol)
Connectionless
Application Protocols
Previlage Ports (0-1023)
/etc/services

56
Types of TCP/IP Services

Stand-alone
xinetd (and its config)

57
Related TCP/IP Commands

ps x
netstat -ap --inet grep LISTEN

Controlling TCP/IP Daemons

Start the daemon
Stop the daemon
Restart the daemon
Status the daemon

58
RHCE
Session 11

Red Hat Certified Engineer

M. A. Agheli
59
Configuration Network

Initializing Network Hardware
Load related module
Network Configuration Tools
netconfig
redhat-config-network

60
Configuration Network

Other Network Tools

61
Configuration Network

Network Configuration Files
/etc/hosts
/etc/host.conf
/etc/services
/etc/resolv.conf
/etc/sysconfig/network
/etc/sysconfig/network-scripts/
IP Aliasing

62
RHCE
Session 12

Red Hat Certified Engineer

M. A. Agheli
63
DHCP

Advantage disadvantage of DHCP
DHCP Server Configuration
/etc/dhcpd.conf
/var/lib/dhcp/dhcpd.leases
DHCP Client Configuration
netconfig command

64
An Example of dhcpd.conf

ddns-update-style ad-hoc
subnet 192.168.0.0 netmask 255.255.255.0
range 192.168.0.1 192.168.0.25
option routers 192.168.0.1
option subnet-mask 255.255.255.0
option domain-name "domain.com"
option domain-name-servers 192.168.1.1
default-lease-time 21600
max-lease-time 43200
we want the nameserver to appear at a fixed
address
host dns1
hardware ethernet 12345678ABCD
fixed-address 192.168.0.20

65
dhcpd.leases Format

lease 192.168.1.8
starts 3 2004/04/12 093412
ends 6 2004/07/15 234957
hardware ethernet 0009e6880a05
...

66
NFS

Related Daemons
rpc.nfsd
rpc.portmap
rpc.mountd
Installation
nfs-utils
portmap

67
NFS Configuration

Server Side
Edit /etc/exports file
PATH host_lists(options)
Run exportfs r command
redhat-config-nfs Command
Client Side
mount t nfs serverPATH Mountpoint
Edit /etc/fstab file
serverPATH M.P. nfs ro 0 0

68
SAMBA (1)

Related Services
smbd
nmbd
Related Packages
samba
samba-common
samba-client

69
SAMBA (2)

Server Configuration
Global Directives
Service Directives
Client Configuration
smbmount //server/share /m.p.
smbclient //server/share
Configuration with SWAT

70
RHCE
Session 13

Red Hat Certified Engineer

M. A. Agheli
71
TCP/IP Services
Server
Client
Process
Process
1. server binds to port and listens
2. Client binds to port
3. Client connects to server
Port
4. Server designates port
Port
Port
5. Client and server communicate
72
Remote Login

Telnet
Server Client
SSH
Server Client

73
The Apache Web Server

Modules
mod_auth
mod_info
mod_php
mod_include
mod_perl
mod_ssl

74
Installation Apache

rpm Uvh httpd-d.rpm
rpm Uvh httpd-devel.rpm
(for support apache modules)

75
Basic Configuration

httpd.conf
Section 1
The Global Environment
Section 2
The Main Configuration
Section 3
The Virtual Host Configuration

76
Apache Advanced Configuration

Authentication in Apache
Configure with PHP
Configure with SSL
Configure Virtual Host

77
Authentication in Apache

Create /etc/httpd/.htpasswd file
Configuring httpd.conf file

ltLocation /dir_namegt
AuthType Basic
AuthName NAME
AuthUserFile .htpasswd
Require valid-user
lt/Locationgt

78
Configure Apache with PHP

rpm Uvh php-4.rpm

Configure Apache with SSL

rpm Uvh mod_ssl.rpm

79
Configure Virtual Host

Configuring /etc/hosts file
Configuring httpd.conf file

ltVirtualHost 127.0.0.2gt
ServerAdmin webmaster_at_vh.com
DocumentRoot /var/www/html/vh/
ServerName www.vh.com
lt/VirtualHostgt

80
Apache Administration

Start
Stop
Restart
Reload
Status

81
Troubleshooting the Apache

/var/log/messages
/var/log/httpd/
/usr/sbin/httpd S
(for virtual host)

82
Securing Your Network

Using lokkit or redhat-config-securitylevel
Command
Password Physical Security
Securing TCP/IP
Using Tripwire
Keeping Up-to-Date on Linux Security Issues

83
RHCE
Session 14

Red Hat Certified Engineer

M. A. Agheli
84
FTP

Installation
rpm ivh vsftp.rpm
Config File
/etc/vsftpd/vsftpd.conf
Access Levels
Anonymouse Access (anonymouse_enable)
User Access (tcp_wrappers needs)

85
Cache Server (Squid)

Install squid
rpm ivh squid.rpm
Managing squid
start, stop, restart, status, reload

86
Squid Log Files

/var/log/squid/access.log (cache_access_log)
/var/log/squid/cache.log (cache_log)
/var/log/squid/store.log (cache_store_log)

87
An Example of squid.conf

http_port 8081
cache_effective_user squid
cache_effective_group squid
acl all src 0.0.0.0/0.0.0.0
http_access allow all
cache_dir ufs /cache 1024 16 32
visible_hostname ws1

88
Running Squid

service squid start
squid d1 z
squid d1 f /etc/squid/squid.conf

89
The Kind of Proxies

Upstream Proxy
cache_peer yourproxy.com parent 3128 3130
prefer_direct off
Transparent Proxy
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

90
RHCE
Session 15

Red Hat Certified Engineer

M. A. Agheli
91
Configuring a Linux Router

Configuring Kernel
IP advanced router
Enable IP Forwading
Add net.ipv4.ip_forward1 to /etc/sysctl.conf
echo 1 gt /proc/sys/net/ipv4/ip_forward

92
Type of Routes

Static route
Dynamic route

93
Components of Routing Rules

Destination IP Address
An Interface
An Optional Gateway IP Address

94
Routing Command

route add net net_addr netmask mask_addr
interface
route add host ip_addr interface
route add default gateway ip_addr interface

95
An Example
A 192.168.1.2
E 192.168.100.2
Internet
B 192.168.1.3
F 192.168.100.3
Router 10.1.1.2
eth2
eth0
eth1
C 192.168.1.4
G 192.168.100.4
Gateway 192.168.1.1 192.168.100.110.1.1.1
D 192.168.1.5
H 192.168.100.5
96
Related Rules

route add net 192.168.1.0 netmask 255.255.255.0
eth0
route add net 192.168.100.0 netmask
255.255.255.0 eth1
route add net 10.1.1.0 netmask 255.255.255.0
eth2
route add default gateway 10.1.1.2 eth2

97
Result
U Network link is up H Dest. Addr. Refers to a
host G Gateway
98
Electronic Mail(Sendmail)
99
How Email Is Sent and Received
?
mail2 MTA
mail1 MTA
?
user1_at_mail1.com
user2_at_mail2.com
100
Concepts

MTA Mail Transport Agent
SMTP (server-to-server)
Simple Mail Transport Protocol
POP (Mail Access)
Post Office Protocol
IMAP (Mail Access)
Interim Mail Access Protocol
MDA Mail Delivery Agent
MUA Mail User Agent

101
Advantage of Sendmail

Older MTA
Powerful MTA

Disadvantage of Sendmail

Slow
High Load Environment
Crypto Configuration

102
MTAs

Sendmail
Postfix
Exim
Qmail

MUAs

Evolution, Kmail (KDE)
Balsa (GNOME)
Mozilla Mail

103
Required Packages

sendmail
sendmail-cf
imap (Config xinetd)
(contains IMAP POP3)

104
Sendmail Configuration

Config /etc/mail/sendmail.mc file
LOCAL_DOMAIN(example.com)dnl
Run make C /etc/mail/
Config DNS

105
Email Aliases

Edit /etc/aliases file
postmaster joseph
Run newaliases Command

106
Rejecting Email

Edit /etc/mail/access file
spam.com REJECT
yahoo.com OK
service sendmail restart

107
RHCE
Session 16

Red Hat Certified Engineer

M. A. Agheli
108
DNS
109
Where do I look?

/etc/nsswitch.conf
(nameservice switch)
t_at_localhost cat /etc/nsswitch.conf
hosts files dns

110
Files

Search order determined by nsswitch.conf
It is polite to have /etc/hosts first!
sjh_at_mccoy cat /etc/hosts
127.0.0.1 localhost
193.62.81.135 mccoy.tardis.ed.ac.uk mccoy
193.62.81.134 baker.tardis.ed.ac.uk baker
193.62.81.132 packages.tardis.ed.ac.uk packages

111
DNS Traversal

Local files
Dns server locally
Item in cache?
Root server, work your way down

112
Resolving Names

Configuration Files for the Local Host Name
Resolution (important for testing)
/etc/resolv.conf
/etc/nsswitch.conf
/etc/host.conf

113
DNS

BIND Berkley Internet Name Daemon
Dents buggy as hell (still in alpha?)
Djbdns Dan Bernsteins DNS server
Banyan VINES dont go there!

114
Named (name dee)

/etc/named.conf
this defines a directory to store the DNS config
files
Contains info about what zones we serve, and
where to find config files!
Config file for named tells us if we are master
/ slave, allow or deny zone transfers, what the
IPs of other master / slave servers are, etc.
ltDNSROOTgt/root.hints
Contains "pointers" to the Root Servers
ltDNSROOTgt/127.0.0
Config for reverse-lookup to the local
host/subnet
ltDNSROOTgt/ltzonegt
Config for zone
ltDNSROOTgt/ltin-addr.arpa filegt
Config for reverse lookup for your zone

115
A simple named.conf

named.custom - custom configuration for bind
zone "."
type hint
file "root.lists"
options
directory "/var/named/"
zone "0.0.127.in-addr.arpa"
type master
file "127.0.0"
zone "hq.alim.ir"
type master
file "hq.alim.ir"
zone "168.168.192.in-addr.arpa"
type master
file "192.168.168"

116
DNS Data

DNS databases contain more than just
hostname-to-address records
SOA Start Of Authority it is the daddy!
IN NS Name Server
IN MX Mail eXchanger
IN A A record (Address record)
IN CNAME Canonical NAME

117
A simple zone file

_at_ IN SOA hq.alim.ir.
root.hq.alim.ir. (
199609206 serial,
todays date todays serial
8H
refresh, seconds
2H retry,
seconds
4W expire,
seconds
1D )
minimum, seconds
NS hq.alim.ir.
MX 10 hq.alim.ir. Primary Mail Exchanger
TXT "Alim IT Center"
localhost A 127.0.0.1
router A 192.168.168.1
hq.alim.ir. A 192.168.168.2
ns A 192.168.168.3
www A 207.159.141.192
ftp CNAME hq.alim.ir.
mail CNAME hq.alim.ir.
news CNAME hq.alim.ir.

118
A simple in-addr.arpa file

TTL 3D
_at_ IN SOA hq.alim.ir.
root.hq.alim.ir. (
199609206
Serial
28800 Refresh
7200 Retry
604800 Expire
86400) Minimum
TTL
NS hq.alim.ir.
Servers
1 PTR router.hq.alim.ir.
2 PTR hq.alim.ir.
2 PTR funn.hq.alim.ir.
Workstations
200 PTR ws-177200.hq.alim.ir.
201 PTR ws-177201.hq.alim.ir.
202 PTR ws-177202.hq.alim.ir.

119
Forward DNS

hq.alim.ir (as per /etc/named.conf)
SOA Start Of Authority it is the daddy!
IN NS Name Server
IN MX Mail eXchanger
IN A A record (Address record)
IN CNAME Canonical NAME

120
Reverse DNS

192.168.168 (as per /etc/named.conf)
SOA
IN NS
IN PTR Pointer

121
DNS Round Robin

Fault tolerance? Through nifty DNS hacks
www.teviot.com. 60 IN A 10.0.1.100
www.teviot.com. 60 IN A 10.0.2.100
www.teviot.com. 60 IN A 10.0.3.100

122
Common Mistakes

Forgetting to increment the Serial Number!
CNAME pointing at another CNAME!
Forgetting the . In appropriate places!
Underscores in hostnames!
Forgetting to reload the daemon!
Version control issues clobber changes!
TTL Issues

123
Test Tools

nslookup
dig
dig mail.hq.alim.ir
dig -x 192.168.168.2
dig 168.168.192.in-addr.arpa. AXFR
whois
http//www.squish.net/dnscheck/
James Ponders DNS check web page

124
RHCE
Session 17

Red Hat Certified Engineer

M. A. Agheli
125
Firewall
Required Properties

Control
Allow only those packets that you are interested
to pass through.
Security
Reject packets from malicious outsiders
Watchfulness
Log packets to/from outside world

126
Firewall Types
Statefull Stateless

Packet Filtering
Proxy-Based Firewall

127
Packet Filter under Linux

1st generation
ipfw (from BSD)
2nd generation
ipfwadm (Linux 2.0)
3rd generation
ipchains (Linux 2.2)
4th generation
iptable (Linux 2.4 2.6)

128
Installing Iptables

Kernel Supports Iptables
Networking Options -gt TCP/IP Networking -gtNetwork
Packet Filtering
Networking Options -gt TCP/IP Networking -gtIP
advanced router -gt
Networking Options -gt IP NetfilterNetworking
Options -gt IP Netfilter
For Packets Traffic Control
Networking Optionsgt QoS and/or fair queueing -gt
rpm -ivh \
iptables-1.2.6a-2.i386.rpm

129
Chains of Tables

INPUT
Controls packets entering your system
OUTPUT
Controls packets leaving your system
FORWARD
Controls what packets can move from one network
to another through your system

130
Forward
Routing Decision
Output
Input
Local Process
131

When a packet comes in, the kernel first looks at
the destination of the packet this is called
routing.
If its destined for this box
Passes downwards in the diagram
To INPUT chain
If it passes, any processes waiting for that
packet will receive it.
Otherwise go to step 3

Continue
132

If forwarding is not enabled The packet will be
dropped
If forwarding is enable and the packet is
destined for another network interface.
The packet goes rightwards on our diagram to the
FORWARD chain.
If it is accepted, it will be sent out.
Packets generated from local process pass to the
OUPUT chain immediately.
If its says accept, the packet will be sent out.

133
Packet Status in Iptables

Established
New
Related
Invalid

134
Results of Packet Checking

ACCEPT
DROP
REJECT

135
Tables of Iptables

Filter
NAT
Mangle

136
The Path of Packet in Iptables
Network
Mangle Table PREROUTING Chain
NAT Table PREROUTING Chain
Destination NAT
Routing decision
Mangle FORWARD
Mangle INPUT
Filter INPUT
Filter FORWARD
Local process
Mangle POSTROUTING
Routing decision
Mangle OUTPUT
Source NAT Based on routing
NAT POSTROUTING Chain
NAT OUTPUT
Filter OUTPUT
Network
137
Tables of Chains
138
Building a Rule source/destination

iptables s 200.200.200.1
Refers to packet from a specific IP address
The -s refers to the source of the packet,
where the packet is coming from.
A corresponding -d refers to the destination,
where the packet is going to.

139
Building a Rule Action

iptables s 200.200.200.1 -j DROP
The -j determines what happens to the

Building a RuleIP address ranges

iptables s 200.200.200.0/24 -j DROP
IPs that match 200.200.200.
The /24 refers to the number of bits that are
fixed, counting from the left.

140
Other Actions

REDIRECT
Sends packets to a proxy
LOG
Tracks packets as they match rules
RETURN
Terminates user defined chains

141
Building a Ruleappending rules to tables

iptables A INPUT s 200.200.200.1 -j DROP
The -A appends the rule to an iptable
The INPUT specifies the iptable
This command makes your system to ignore all
packets from 200.200.200.1
iptables A OUTPUT d 200.200.200.1 j DROP
This command does not allow your system to sent
packets to 200.200.200.1

142
Building a Ruleonly blocking some packets

iptables A INPUT s 200.200.200.1 p tcp
--destination-port telenet j DROP
The -p specifies a specific protocol tcp, udp,
or icmp
The -destination-port is where the packet is
going
You can user the service name or the port number
Could use 23 in this example
Keep in mind that the source-port is very
different from the destination-port. In this
example the inbound message is going to your
telenet server. The telenet client that is
sending you the message could be running on any
port.
--dport --destination-port
--sport --source-port

143
Building a Rulemultiple network interfaces

Assume your machine has two interface cards. One
to a LAN named eth0 and the other to the Internet
named ppp0
iptables A INPUT p tcp --dport telnet i ppp0
j DROP
The -i option specifies the input interface
The is also a -o option for the output
interface
iptables A INPUT p tcp --dport telnet i eth0
j ACCEPT
Together these rules would accept telnet requests
from the LAN but block telnet requests from the
Internet.

144
Building a Rule Table Policies

iptables P FORWARD ACCEPT
The -P option followed by a table name and
action determines the default policy of the
table. If no rule in the table matches this
default action is taken.
The usual policies are
INPUT ACCEPT
OUTPUT ACCEPT
FORWARD DENY

145
Building a RuleAdding Rules to Tables

iptables A INPUT s 200.200.200.1 -j DROP
Appends the rule to the end of the table
iptables I INPUT 3 s 200.200.200.1 -j DROP
Inserts the rule as rule 3 in the table, moving
all other rules down 1.
iptables R INPUT 3 s 200.200.200.1 -j DROP
Replaces rule 3 in the table
iptables D INPUT 3
Deletes rule 3 in the table

146
Operations to manage whole chains
147
Manipulate rules inside a chain
148
An Example
Firewall
192.168.1.1
Internet
Web Server SSH Server Accessible ONLY via LAN
eth1
eth0
192.168.1.5 GW 192.168.1.1
192.168.1.6 GW 192.168.1.1
192.168.1.7 GW 192.168.1.1
149
RHCE
Session 18