Network Operating Systems Lab Manual
Javid Ali
The Practice of Knowledge
Department of Computer Science COMSATS Institute of Information Technology Abbottabad
Javid Ali Tahir Maqsood
TABLE OF CONTENTS
Lab No. 01: Linux Basic Installation
Lab No. 02: Linux shell and Basic shell commands
Lab No. 03: Command Line File Manipulation
Lab No. 04: Command Line File processing
Lab No. 05: Command line Text Editors (Vim)
Lab No. 06: Managing the file system
Lab No. 07: Command line Process Management
Lab No. 08: Basic Bash Scripting, writing and executing bash scripts
Lab No. 09: Advance Bash Scripting 1
Lab No. 10: Advance Bash Scripting 2
Lab No. 11: Introduction to gcc
Lab No. 12: Linux Networking 1
Lab No. 13: Linux Networking 2
Lab No. 14: Network troubleshooting
Lab No. 15: Installing Linux Software
Lab No. 16: Linux Boot Process
Lab No. 17: Configuring Linux DHCP Server
Lab No. 18: Managing Linux Users and sudo
Lab No. 19: Configuring Samba
Lab No. 20: Sharing Resources using Samba
Lab No. 21: Linux firewalls using iptables
Lab No. 22: Configuring Linux FTP Server
Lab No. 23: Telnet and TFTP and XINETD
Lab No. 24: Web Hosting With the Apache Web Server
Lab No. 25: Monitoring Server Performance
Lab No. 26: Network Based Linux Installation
Lab No. 27: Remote Disk Access with NFS
Lab No. 28: Controlling Web Usage with Squid
Lab No. 29: DNS Configuration 1
Lab No. 30: DNS Configuration 2
Lab No. 31: DNS Configuration 3
Lab No. 32: Dynamic DNS
Lab No. 01: Linux Basic Installation
Objective: This lab provides a basic step-by-step installation of a Linux operating system. Of the many ways to configure an installation, one simple approach has been adopted here.
Scope: On completing this exercise, the students will be able to:
• Install a Linux operating system
• Create and manage Linux disk partitions
• Configure different system resources during installation
• Select packages during installation
Useful Concepts:
Partition
• A region of a hard disk set aside as a separate logical disk, with its own filesystem.
Mount point
• A location in the directory tree at which another filesystem is attached and made visible.
Package
• An application (or library) in a form that can be installed on a UNIX/Linux system.
Boot loader
• A small program that runs at system boot and starts an operating system.
Exercise-1:- This exercise demonstrates the step-by-step installation of a Linux operating system. The procedure is shown in Figure 1 – Figure 19 as follows:
• In the boot screen, press Enter.
• In the installation welcome screen, click Next.
• In the language selection screen, click Next.
• In the keyboard configuration screen, click Next.
• In the installation type screen, choose Server and click Next.
• In the disk partitioning screen, you can select one of the following options:
  - remove all Linux partitions
  - remove all partitions on this disk
  - keep all partitions and use the free space
If you choose manual partitioning, select the free space and create the following partitions:

Mount Point   Size (MB)                   Filesystem Type
/boot         200                         ext3
(none)        (size of RAM) * 2           swap
/             all available free space    ext3
Clicking Next:
• In the partition warning screen, click Yes.
• In the partition removal screen, click Next.
• In the partitioning removal warning screen, click Yes.
• In the disk setup screen, click Next.
• In the boot loader screen, click Next.
• In the network configuration screen, click Next.
• In the firewall configuration screen, click Next.
• In the time zone selection screen, choose Asia/Riyadh.
• In the root password screen, enter the root password and confirm it, then click Next. The installer accepts a minimum of 6 characters; treat that as a floor, not a recommendation, and choose a long passphrase, since this account has unrestricted control of the machine.
• In the package group selection screen, you can select the packages to install. Packages are grouped in categories; choose the packages of your choice. The Server group contains server packages such as apache, dhcp and squid. If you did not select the Server installation type in step five, this is where you can still select the servers you need. Install only the services you will actually use: every listening service is one more thing that has to be configured and patched. After selecting packages, click Next.
• In the about to install screen, click Next.
• In the installation status screen, wait while the files are installed.
• In the installation complete screen, take out the DVD and click Reboot.
Figure 1. Fedora Core boot screen.
Figure 2. Fedora Core installation welcome screen.
Figure 3. Language selection screen.
Figure 4. Keyboard configuration screen.
Figure 5. Installation type screen.
Figure 6. Disk partitioning screen.
Figure 7. Partition warning screen.
Figure 8. Partition removal screen.
Figure 9. Partitioning removal warning screen.
Figure 10. Disk setup screen.
Figure 11. Boot loader screen.
Figure 12. Network configuration screen.
Figure 13. Firewall configuration screen.
Figure 14. Time zone selection screen.
Figure 15. Root password screen.
Figure 16. Package group selection screen.
Figure 17. About to install screen.
Figure 18. Installation status screen.
Figure 19. Installation complete screen.
Exercises for lab: Exercise 1:- Actual configuration of the system is left to your discretion except for those particular sections of the installation for which specific directions are given. Record every configuration at each step in your notebook clear enough to allow someone else to exactly follow your installation steps.
Home Work:
1) List any problems you had during the installation process, and their solutions.
2) Answer the following questions:
• Why did you put /boot in the first location of the hard drive and force it to be a primary partition?
• What is the advantage of using different partitions for different sections of the filesystem? Specifically, describe the critical difference between the partitions /dev/hda1 and /dev/hda5.
• Why don't you want to use root as the regular login on your machine?
• How can shadow passwords, when enabled, help security?
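A check for the last question, added here as an illustration and not part of the original manual. /etc/passwd has to stay world-readable (ls, ps and similar tools use it to turn numeric UIDs into names), so with shadow passwords enabled its password field holds only an "x" and the real hashes move to /etc/shadow, which only root can read. The script below audits that arrangement on constructed sample files written to a temporary directory; the account names, the hash string and the file names are invented for the example, and nothing on the real system is touched.

```bash
#!/bin/sh
# Added example, not part of the lab manual: audit whether shadow passwords are
# really in effect. With shadowing, the password field of every /etc/passwd entry
# is 'x' (the hash lives in /etc/shadow) or a lock marker such as '*' or '!';
# a real hash, or an empty field, in the world-readable /etc/passwd is a problem.
# /etc/shadow itself must not be readable by "others". All inputs below are
# constructed sample files in a temporary directory.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample: a correctly shadowed passwd file.
cat > "$SAMPLE_DIR/passwd_good" <<'EOF'
root:x:0:0:root:/root:/bin/bash
student:x:1000:1000:Student:/home/student:/bin/bash
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

# Constructed sample: one hash left in passwd, one empty (passwordless) entry.
cat > "$SAMPLE_DIR/passwd_bad" <<'EOF'
root:x:0:0:root:/root:/bin/bash
legacy:$1$abcdefgh$0123456789abcdefghijkl:1001:1001::/home/legacy:/bin/bash
guest::1002:1002::/home/guest:/bin/bash
EOF

# Constructed stand-ins for /etc/shadow with safe and unsafe permissions.
: > "$SAMPLE_DIR/shadow_safe";   chmod 600 "$SAMPLE_DIR/shadow_safe"
: > "$SAMPLE_DIR/shadow_unsafe"; chmod 644 "$SAMPLE_DIR/shadow_unsafe"

# unshadowed_accounts PASSWD_FILE: print every account whose password field is
# not 'x' or a lock marker. No output means the file is fully shadowed.
unshadowed_accounts() {
    while IFS=: read -r user pw _rest; do
        case "$pw" in
            x|'*'|'!'|'!!') ;;
            *) echo "$user" ;;
        esac
    done < "$1"
}

# others_have_no_access FILE: succeed only if the "other" rwx bits (columns
# 8-10 of ls -l) are all clear.
others_have_no_access() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# audit_shadow PASSWD_FILE SHADOW_FILE: report problems; return 0 if none.
audit_shadow() {
    status=0
    bad=$(unshadowed_accounts "$1")
    if [ -n "$bad" ]; then
        echo "hash or empty password stored in $1 for: $(echo "$bad" | tr '\n' ' ')"
        status=1
    fi
    if ! others_have_no_access "$2"; then
        echo "$2 is readable by other users"
        status=1
    fi
    return "$status"
}

audit_shadow "$SAMPLE_DIR/passwd_good" "$SAMPLE_DIR/shadow_safe" && echo "sample 1: OK"
audit_shadow "$SAMPLE_DIR/passwd_bad" "$SAMPLE_DIR/shadow_unsafe" || echo "sample 2: problems found"
```

On a real machine the same functions are pointed at /etc/passwd and /etc/shadow; neither check needs root, because ls -l shows the permission bits of /etc/shadow to any user even though its contents cannot be read.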
Lab No. 02: Linux shell and Basic shell commands
Objective: To introduce the student to the most popular Linux command line shell, bash. This lab covers basic commands used in Unix/Linux.
Scope: On the completion of this lab, you will be able to:
• Describe bash and its features.
• Understand the bash environment.
• Use some frequently-used commands in a UNIX/Linux environment.
Useful Concepts:
Shell
• A piece of software that provides an interface for users; typically an operating system shell, which gives access to the services of the kernel.
• Shells generally fall into one of two categories: i. command-line ii. graphical.
• Bash (Bourne-again shell) is the default shell on most systems built on top of the Linux kernel as well as on Mac OS X, and it can be run on most Unix-like operating systems.
Terminal
• An instance of a shell that provides a line editor for the user to enter commands and run processes.
Shell prompt
• The location in the terminal where you enter commands.
• Represented by $ or >; a prompt ending in # means you are working as root.
Root directory
• / is the top-level directory under which all other directories reside.
Mount point
• The location in the operating system's directory structure where a mounted file system appears.
Package
• Computer software packaged in an archive format to be installed by a package management system or a self-sufficient installer.
Boot loader
• The small program that starts loading the OS into RAM, also known as a bootstrap loader or bootstrap.
Exercise-1:- This exercise illustrates how to view content of a directory and move around the file system. To get a listing of the directory contents, type: ls
For a long view of the listing with time stamps, file permissions and file ownerships type: ls -l
To move to directory-name directory type: cd directory-name
To go to the /etc directory you simply type cd /etc
To go one step back type: cd ..
To go to user's home directory, type: cd ~
To display the path of the directory you are currently working in, type: pwd
At any point using the TAB key after typing a few characters in at the bash prompt will make bash fill in the rest of the file or directory name that matches what you have typed. If there is more than one match, tap the tab key twice and it will list all the matches.
Exercise-2:- This exercise illustrates how to clear the screen and display the history of commands already used in the shell. To see the list of all commands you have used in the shell, type: history
To clear the terminal screen, type: clear
Exercise-3:- This exercise illustrates how to Display or change system date and display calendar of different months and years. To display calendar of the current month type: cal
To display calendar of the prev/current/next month type cal -3
To display weeks that starts on Monday, type: cal -m
To display the calendar of March 1988, type: cal 03 1988
To display the current system date, type: date
To set the date to Thu Mar 3 23:05:25 2009 (only root may change the system clock), type: date -s "Thu Mar 3 23:05:25 2009"
Exercise-4:- This exercise illustrates how to get help about a command and how to locate a command's files. To open the manual page of a command, say ls, type: man ls
To get information about command usage, say ls, type: info ls
To Report all known instances of a command e.g. ls, type: whereis ls
To locate a program file in the user's path, type: which command_name
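The difference between which and whereis comes down to how the search path is used. As an added illustration, not part of the original manual, the script below re-implements the lookup which performs (first executable match in $PATH, left to right) and adds the check a security-minded administrator makes alongside it: any PATH entry that is relative, empty, missing or writable by other users lets someone plant a program that shadows the real one, and the first match wins. The directories and the two "tool" scripts are constructed in a temporary directory; the real $PATH is never modified.

```bash
#!/bin/sh
# Added example, not part of the lab manual: re-implement the lookup `which`
# performs (walk the colon-separated search path left to right, return the
# first executable match) and add the check a security-minded administrator
# makes alongside it. A PATH entry that is relative, empty, missing or writable
# by other users lets someone plant a program that shadows the real one. The
# directories and the two "tool" scripts are constructed in a temporary
# directory; the real $PATH is never modified.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/bin" "$SAMPLE_DIR/shared"
chmod 755 "$SAMPLE_DIR/bin"
chmod 1777 "$SAMPLE_DIR/shared"            # world-writable, like /tmp
printf '#!/bin/sh\necho real\n' > "$SAMPLE_DIR/bin/tool"
printf '#!/bin/sh\necho fake\n' > "$SAMPLE_DIR/shared/tool"
chmod 755 "$SAMPLE_DIR/bin/tool" "$SAMPLE_DIR/shared/tool"
: > "$SAMPLE_DIR/bin/notes.txt"             # present but not executable

# find_in_path NAME [SEARCHPATH]: print the first executable NAME found in
# SEARCHPATH (default: $PATH); fail if there is none. A regular file without
# the execute bit is skipped, exactly as the shell would skip it.
find_in_path() {
    name=$1
    search=${2:-$PATH}
    old_ifs=$IFS; IFS=:
    for dir in $search; do
        [ -z "$dir" ] && dir=.              # an empty entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            echo "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# insecure_path_entries [SEARCHPATH]: print each entry that is empty, relative,
# missing, or writable by "others" (column 9 of ls -ld is the other-write bit).
insecure_path_entries() {
    search=${1:-$PATH}
    old_ifs=$IFS; IFS=:
    for dir in $search; do
        case "$dir" in
            "")  echo "(empty entry, i.e. the current directory)" ;;
            /*)  if [ ! -d "$dir" ]; then
                     echo "$dir (missing)"
                 elif [ "$(ls -ld "$dir" | cut -c9)" = "w" ]; then
                     echo "$dir (world-writable)"
                 fi ;;
            *)   echo "$dir (relative)" ;;
        esac
    done
    IFS=$old_ifs
}

find_in_path tool "$SAMPLE_DIR/bin:$SAMPLE_DIR/shared"   # .../bin/tool: first hit wins
find_in_path tool "$SAMPLE_DIR/shared:$SAMPLE_DIR/bin"   # .../shared/tool: order reversed, the fake wins
insecure_path_entries "$SAMPLE_DIR/bin:$SAMPLE_DIR/shared::relative/dir"
```

Run insecure_path_entries with no argument to check your own shell's $PATH; an empty output is what you want, especially for root's PATH.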
Exercise-5:- This exercise illustrates the use of miscellaneous commands: To print system name, type: hostname
To set the host name to mylinuxbox, type: hostname mylinuxbox
(This requires root. A host name may contain only letters, digits and hyphens, so a form such as mylinuxbox@linuxserver is not a valid host name. The change lasts until the next reboot; the persistent setting lives in the distribution's configuration file.)
To display the kernel release, type: uname -r
To display the full system information (kernel, host name, architecture), type: uname -a
To print all users currently logged in, type: who
To print the current user's name, type: whoami
To print the current user's numeric id and group memberships, type: id
Exercises for lab: Exercise 1:- Open a shell and practice all the commands given above. Use man command to explore the manual page of each command and then try these commands with different options. Note the effect of the options on the output.
Home Work:
1) Write a note on the Linux shell.
2) Compare the bash shell with the C shell and the Korn shell. What new features were added to the bash shell?
Lab No. 03: Command Line File Manipulation Objective: To familiarize the students with basic file and directory management using shell.
Scope: Students will be able to perform the following tasks at the end of this lab:
• Use the working directory
• List directory contents
• View files
• Copy files
• Move and rename files
• Search for files by file name and by content
• Create directories and subdirectories
• Create symbolic links
Useful Concepts:
Working directory
• A special directory remembered by the shell, interpreted as the directory you are currently "in".
• Important whenever relative paths are in use.
Symbolic link
• A symbolic (or soft) link is an indirect reference to a file, similar to an "alias" in Mac OS or a "shortcut" in Windows.
Metacharacters
• Characters that have a special meaning to the shell, rather than being passed to the command as ordinary text.
• Wildcards are metacharacters that stand for one or more characters in a filename.
Following are some special characters with a brief description:

Character   Function                                                              Example
\           Escape character. To use a special character literally, you must      touch /tmp/filename\*
            "escape" it with a backslash first.
/           Directory separator, used to separate a string of directory names.    /usr/src/linux
.           Current directory. Also "hides" a file when it is the first           .htaccess
            character of the filename.
..          Parent directory.                                                     cd ..
~           User's home directory.                                                cd ~
*           Matches 0 or more characters in a filename; by itself, all files      (more details in the next section)
            in a directory except hidden ones.
?           Matches exactly one character in a filename.                          hello?.txt matches hello1.txt and
                                                                                  helloz.txt, but not hello22.txt
[]          Matches one character from a set or range, e.g. [0-9], [A-Z].         hello[0-2].txt matches hello0.txt,
                                                                                  hello1.txt and hello2.txt
;           Command separator. Allows you to execute multiple commands on a       cd /var/log ; less messages
            single line.
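The wildcard rows above, worked through on real files, plus the caveat the table does not state: the shell expands a wildcard before the command runs, so a file whose name begins with "-" turns into what the command parses as an option. This is an added example and not part of the original manual; the file names (hello0.txt to helloz.txt, a.txt, b.txt and a file literally named -v) are constructed in a temporary directory.

```bash
#!/bin/sh
# Added example for Lab 03, not part of the original manual. It exercises the
# wildcard table on a constructed set of files and then shows the caveat the
# table leaves out: a filename that begins with '-' is expanded by '*' into
# something the receiving command parses as an option. LC_ALL=C makes the glob
# sort order deterministic ('-' sorts before letters).
LC_ALL=C; export LC_ALL
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cd "$SAMPLE_DIR" || exit 1
for n in 0 1 2 22 z; do : > "hello$n.txt"; done
echo "secret plan" > a.txt
echo "nothing here" > b.txt
: > ./-v                                    # constructed: a file literally named "-v"

# matches PATTERN: print the names the shell expands PATTERN to, one per line.
# An unmatched glob is left as literal text in sh, hence the existence test.
matches() {
    for f in $1; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
}

# first_arg ARGS...: show the first word a command would actually receive.
first_arg() { printf '%s\n' "$1"; }

# files_containing WORD: search the current directory safely. Prefixing every
# name with ./ guarantees that no expansion can ever start with '-', and the
# '--' tells grep that what follows are operands, never options.
files_containing() { grep -l -- "$1" ./* 2>/dev/null | sed 's|^\./||'; }

matches 'hello?.txt'        # hello0.txt hello1.txt hello2.txt helloz.txt (not hello22.txt)
matches 'hello[0-2].txt'    # hello0.txt hello1.txt hello2.txt
first_arg *                 # "-v": so `grep secret *` would run as `grep secret -v a.txt ...`
first_arg ./*               # "./-v": harmless, it is just a path
files_containing secret     # a.txt
```

The same trap applies to rm * and similar commands; rm -- * or rm ./* is the habit worth forming, and the matches function is a harmless way to preview what a wildcard will expand to before a destructive command gets it.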
Exercise -1:- This exercise illustrates how to View contents of a file. To view file contents on shell console, type: cat filename
To merge contents of two or more files and display it on screen, type cat file1 file2 file3 ...
To display the file one screenful at a time on the terminal, type: more filename
To display the file one screenful at a time with page-up and page-down navigation, type: less filename
To view the first k lines of a file, type: head -n k filename
e.g. to display the first 5 lines of the file myfile on the terminal, type: head -n 5 myfile
To display the last 5 lines of the file myfile on the terminal, type: tail -n 5 myfile
Exercise -2:- This exercise illustrates copying, moving, renaming and deleting files. To copy a file within the same directory under a different name, type: cp source_file_name destination_file_name
To copy a file to a different directory, e.g. from /home/cs to /root, type: cp /home/cs/myfile /root/myfile
To move a file to a different location, type: mv source destination
To rename a file, type: mv oldname newname
To delete a file from the current directory, type: rm filename
To delete a file in a different directory, give its full path, e.g.: rm /home/cs/myfile
To delete an empty directory, type: rmdir directory_name
To delete a non-empty directory together with everything in it, type: rm -r directory_name
To delete a file without being asked for confirmation, type: rm -f file_name
rm does not move anything to a recycle bin, and rm -rf deletes recursively and silently, so check the path (and any wildcard in it) before pressing Enter.
Exercise -3:- This exercise illustrates how to search for files and determine file types. To find a file anywhere on the disk by name, use the locate command, which consults a pre-built index (updated periodically by updatedb, so very new files may not be listed yet). Type: locate filename
To search a particular directory and its subdirectories, use the find command; the directory comes first, then the test. Type: find directory_name -name filename
To find a specific file, say myfile.txt, in the current directory and its subdirectories, type: find . -name myfile.txt -print
To search for all files whose names begin with the characters com, starting in the directory /home, quote the pattern so the shell does not expand it before find sees it: find /home -name 'com*' -print
To search for a file based on its content instead of its name, use the grep command. To search all files in the current directory for the string students, type: grep students ./*
grep takes a regular expression, not a shell wildcard. To search all files in the current directory for strings starting with stu and ending with nts, quote the pattern and use .* for "any characters": grep 'stu.*nts' ./*
To find out whether a file is a binary file, an executable, a regular text file etc., type: file filename
Exercise -4:- This exercise illustrates how to create files and directories and how to change timestamps. To create an empty file, use the touch command: touch myfile.txt
To create three files at once, type: touch file1 file2 file3
To set the access and modification times of myfile to 12 April 2009 (12/04/2009), type: touch -t 200904120000 myfile
To create a directory, type: mkdir directory
To create a directory along with any missing directories in its path, type: mkdir -p /home/cs/assignments/assignment1
To create a symbolic link on your desktop to a file in the cs folder of your home directory, type: ln -s ~/cs/friends ~/Desktop/friends
Exercises for lab: Exercise 1:- Write shell commands to carry out the following tasks:
• Add a directory named testdir under the path /home/users/path/
• Create a file named testfile in the testdir directory
• Set the access and modification times of the directory to 16/03/1983 (Linux does not keep a separate "creation date" that can be changed)
• Create a symbolic link on your desktop pointing to testfile
Home Work: Carry out the following exercises and submit your documented work.
1) Create the directory /home/zahid/assignment/assignment1 while your current working directory is /home, using a single shell command.
2) Create files with the following names:
• assign.doc
• assigns.doc
• assign.txt
• quiz.txt
• quiz.cpp
3) Write a command to rename the file assign.doc to assignment.doc.
4) Delete all files with the extension .txt using a shell command.
5) Display all file names starting with 'as'.
Lab No. 04: Command Line File processing Objective: To familiarize students with the directory level and file level security, compressing and archiving techniques.
Scope: On the completion of this lab, students will be able to:
• Understand the file types used in a Linux system.
• View and modify file access permissions.
• Change the ownership of files and directories.
• Create backups of critical files using archives.
Useful Concepts:
Access permissions
• Control which users may access a file or directory, and how.
• The three general types of permission are read, write and execute.
File owner
• The user of the system to whom the file belongs.
Archive
• A collection of contents (files or directories) packed into a single file, typically for backup purposes.
Compression
• A technique for reducing the size of a file or directory without affecting its contents.
Exercise-1:- This exercise shows which types of file are used in Linux and how to find out a file's type. Linux presents each device as a file, so there are several file types beyond ordinary files and directories. Use the ls -l command to see the type. For example:

javidali@JLaptop:/dev$ ls -l
crw-rw----+ 1 root audio   14,  4 2009-04-28 07:01 audio
drwxr-xr-x  3 root root        60 2009-04-28 12:01 bus
crw-------  1 root dialout  5,  1 2009-04-28 07:01 console
lrwxrwxrwx  1 root root        11 2009-04-28 07:01 core -> /proc/kcore
srw-rw-rw-  1 root root         0 2009-04-28 07:01 log
brw-rw----  1 root disk     8,  1 2009-04-28 12:01 sda1
javidali@JLaptop:/dev$
In this example, the first character of each row (the first column) represents the file type. The following table shows the file types, their symbols and a short description.

Symbol   File type          Description
-        Regular files      Text files, PostScript, graphics files, hypertext (HTML), video files, etc.
d        Directories        Files that act as containers for other files
b        Block files        Device files for block devices such as disks; data is read from or written to them in blocks
c        Character files    Device files for character (serial) devices; data is read or written character by character
l        Symbolic links     Pointers (shortcuts) to other files or directories
s        Socket files       Files used for communication between processes
p        Named pipes        Also used for communication between processes (none appear in the listing above)
Regular files other than text files can be explored with an appropriate program, as indicated in the table below. Follow the command with the name of the file to view it, or omit the file name and select the file from the menu once the program is running.

File Type                          Application Name           Command for the application
PostScript                         gv (based on GhostView)    gv
Portable Document Format (PDF)     Adobe Acrobat Reader       acroread
Image files                        XV                         xv
Image files                        The Gimp                   gimp
LaTeX output (DVI)                 xdvi                       xdvi
Hypertext (HTML)                   Netscape                   netscape
MP3 and MPEG                       gtv                        gtv
Exercise-2:- This exercise demonstrates how to view and change the access permissions of a file. In Exercise-1 we saw that ls -l prints one line like the following for each file:

-rw-r--r-- 1 root javidali 0 2009-04-28 08:26 newfile.txt

The first character (-) indicates that this is a regular file. The next nine characters are the access permissions, divided into three groups of three characters. Each character is one of:
• (-) no permission
• (r) read permission
• (w) write permission
• (x) execute permission
The three groups apply, in order, to the user (the owner of the file), the group (the file's group, which is not necessarily a group the owner belongs to: here the owner is root and the group is javidali) and others (every other user of the system). Within each group the three characters stand for read, write and execute permission respectively. In our example the owner has read and write permission, and everyone else has read permission only. For a regular file the meaning of read, write and execute is obvious. For a directory, read permission allows listing the names in it, write permission allows creating, renaming and deleting entries in it, and execute permission allows entering the directory (cd) and reaching the files inside it by name. Write permission on a directory only takes effect together with execute permission, and a user who can write to a directory can delete a file in it even without write permission on that file, because deletion changes the directory, not the file.
You can use the chmod command to change the access permissions of a file or a directory. To specify permissions with chmod, either of the following two methods can be used:
• a symbolic mode
• an octal mode
Symbolic mode uses combinations of the following symbols:

Symbol   Meaning
u        User (the owner)
g        Group
o        Other
a        All (equals ugo)
+        Add a permission
-        Remove (take away) a permission
r        Read permission
w        Write permission
x        Execute permission

For example, if the current working directory has these files:

javidali@JLaptop:~$ ls -l
-rwxr-xr-x 1 root     root       955 2009-04-21 08:07 arithmatics.sh
-rw-r--r-- 1 javidali javidali   130 2009-04-19 05:29 boidata.txt
drwxr-xr-x 2 javidali javidali  4096 2009-04-08 19:56 Desktop
drwxr-xr-x 2 javidali javidali  4096 2009-03-12 14:30 Documents
-rwx------ 1 javidali javidali 512000 2009-03-24 18:00 install_v10.70.2.3.tar
-rw-r--r-- 1 javidali javidali   750 2009-04-28 08:42 lsresults.txt
-rwxrwxrwx 1 root     root       207 2009-04-10 15:55 myscript.sh
-rw-rw-rw- 1 root     root       208 2009-04-10 15:55 myscript.sh~
-rw-r--r-- 1 student  cs           0 2009-04-28 08:26 newfile.txt
javidali@JLaptop:~$
then to give write permission to the group and read permission to others for all files in the current directory, type the command:
javidali@JLaptop:~$ chmod g+w,o+r *
Note that only the owner of a file (or root) may change its permissions; for a file you do not own, chmod prints "Operation not permitted" and leaves it unchanged. Now look at the permissions again:

javidali@JLaptop:~$ ls -l
-rwxr-xr-x 1 root     root       955 2009-04-21 08:07 arithmatics.sh
-rw-rw-r-- 1 javidali javidali   130 2009-04-19 05:29 boidata.txt
drwxrwxr-x 2 javidali javidali  4096 2009-04-08 19:56 Desktop
drwxrwxr-x 2 javidali javidali  4096 2009-03-12 14:30 Documents
-rwx-w-r-- 1 javidali javidali 512000 2009-03-24 18:00 install_v10.70.2.3.tar
-rw-rw-r-- 1 javidali javidali   750 2009-04-28 08:42 lsresults.txt
-rwxrwxrwx 1 root     root       207 2009-04-10 15:55 myscript.sh
-rw-rw-rw- 1 root     root       208 2009-04-10 15:55 myscript.sh~
-rw-rw-r-- 1 student  cs           0 2009-04-28 08:26 newfile.txt
javidali@JLaptop:~$
To take away the read and write permissions from the owner, the owner's group and all other users for the file myscript.sh, type the command:
javidali@JLaptop:~$ chmod a-rw myscript.sh
The result is:
javidali@JLaptop:~$ ls -l myscript.sh
---x--x--x 1 root root 207 2009-04-10 15:55 myscript.sh
Leaving only the execute bits on a shell script makes it unusable: the interpreter named on the #! line has to read the script, so a script that is executable but not readable fails to run.
Your home directory often holds important documents and access to it should be restricted. To take all three permissions away from everyone except the owner, use the command:
javidali@JLaptop:~$ chmod go-rwx ~
Octal mode addresses the same three groups (user, group, other) but expresses each group's permissions as an octal digit:

Permission   Octal Number   Equivalent symbol
Read         4              r--
Write        2              -w-
Execute      1              --x

If two or more permissions are to be set, the octal numbers are added together. For example, r-x is equivalent to 4+1=5, and rw-r--r-- is equivalent to 644. Now, for example, to give read, write and execute permission to the user, write permission to the group and read permission to others for the file myscript.sh, type the command:
javidali@JLaptop:~$ chmod 724 myscript.sh
Here is the result:
-rwx-w-r-- 1 root root 207 2009-04-10 15:55 myscript.sh
To secure your home directory from everyone but its owner, use the command:
javidali@JLaptop:~$ chmod 700 ~
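The octal rule ("add the numbers together") and the symbolic form printed by ls -l are two views of the same nine bits. As an added example, not part of the original manual, the script below implements the conversion in both directions and then uses it to do what an administrator actually wants from the permission bits: find every file in a tree that any user on the machine can modify. The directory tree (a home directory with one sane file and two over-permissive ones) is constructed in a temporary directory; only the nine rwx bits are handled, since setuid, setgid and sticky bits are outside this lab.

```bash
#!/bin/sh
# Added example, not part of the lab manual. The octal rule above ("add the
# numbers together") is implemented as two conversion functions, and the
# symbolic form printed by ls -l is then used to audit a constructed directory
# tree for files that every user on the system can modify. Only the nine rwx
# bits are handled; setuid, setgid and sticky bits are outside this lab.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# triad_to_digit RWX: one three-character group -> its octal digit (r=4 w=2 x=1).
triad_to_digit() {
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??x) d=$((d + 1)) ;; esac
    echo "$d"
}

# digit_to_triad N: the reverse, e.g. 5 -> r-x.
digit_to_triad() {
    t=""
    if [ $(($1 & 4)) -ne 0 ]; then t="${t}r"; else t="${t}-"; fi
    if [ $(($1 & 2)) -ne 0 ]; then t="${t}w"; else t="${t}-"; fi
    if [ $(($1 & 1)) -ne 0 ]; then t="${t}x"; else t="${t}-"; fi
    echo "$t"
}

# sym_to_octal "rwxr-x---" -> 750
sym_to_octal() {
    printf '%s%s%s\n' \
        "$(triad_to_digit "$(printf '%s' "$1" | cut -c1-3)")" \
        "$(triad_to_digit "$(printf '%s' "$1" | cut -c4-6)")" \
        "$(triad_to_digit "$(printf '%s' "$1" | cut -c7-9)")"
}

# octal_to_sym 724 -> rwx-w-r--
octal_to_sym() {
    printf '%s%s%s\n' \
        "$(digit_to_triad "$(printf '%s' "$1" | cut -c1)")" \
        "$(digit_to_triad "$(printf '%s' "$1" | cut -c2)")" \
        "$(digit_to_triad "$(printf '%s' "$1" | cut -c3)")"
}

# mode_of PATH: the nine permission characters of PATH, taken from ls -ld
# (columns 2-10); this works the same on GNU and BSD systems.
mode_of() { ls -ld "$1" | cut -c2-10; }

# world_writable DIR: list everything under DIR whose "other" digit has the
# write bit (2) set, i.e. files any user on the machine can change.
world_writable() {
    find "$1" -print | while read -r p; do
        o=$(sym_to_octal "$(mode_of "$p")" | cut -c3)
        if [ $((o & 2)) -ne 0 ]; then echo "$p"; fi
    done
}

# Constructed tree: a private home directory holding one sane file and two
# files whose permissions are too loose.
mkdir -p "$SAMPLE_DIR/home/student"
chmod 755 "$SAMPLE_DIR/home"
chmod 700 "$SAMPLE_DIR/home/student"
: > "$SAMPLE_DIR/home/student/notes.txt";   chmod 644 "$SAMPLE_DIR/home/student/notes.txt"
: > "$SAMPLE_DIR/home/student/myscript.sh"; chmod 777 "$SAMPLE_DIR/home/student/myscript.sh"
: > "$SAMPLE_DIR/home/student/backup.tar";  chmod 666 "$SAMPLE_DIR/home/student/backup.tar"

sym_to_octal "rwxr-x---"              # 750
octal_to_sym 724                      # rwx-w-r--
mode_of "$SAMPLE_DIR/home/student"    # rwx------
world_writable "$SAMPLE_DIR/home"     # myscript.sh and backup.tar
```

world_writable /home is a reasonable first audit on a shared lab machine; where GNU find is available, find /home -type f -perm -o=w asks the kernel the same question directly.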
Exercise-3:- This exercise shows how to view and change the ownership of a file. The ls -l command can be used to view the owner of a file. For example, to find out who owns the file newfile.txt, issue the following command:
student@JLaptop:~$ ls -l newfile.txt
---x--x--x 1 student cs 207 2009-04-10 15:55 newfile.txt
Here the column after the number '1' shows that 'student' is the owner of this file, and the next column shows that the file's group is 'cs'. Use the chown command to change the owner of a file. On Linux only root may change a file's owner (ordinary users cannot give their files away), so run it through sudo. For example, to change the owner of the file 'newfile.txt' from student to root:
javidali@JLaptop:~$ sudo chown root newfile.txt
The result is:
javidali@JLaptop:~$ ls -l newfile.txt
---x--x--x 1 root cs 207 2009-04-10 15:55 newfile.txt
Note that the group is not changed automatically. To change the owner and the group of 'newfile.txt' both to root, use the owner:group form:
javidali@JLaptop:~$ sudo chown root:root newfile.txt
The effect is:
javidali@JLaptop:~$ ls -l newfile.txt
---x--x--x 1 root root 207 2009-04-10 15:55 newfile.txt
Exercise-4:- This exercise describes how to compress and uncompress files and how to make archives of files for backup purposes.
Among the many utilities available for archiving and compression are tar and gzip. tar collects files and directories into a single archive file, while gzip compresses a single file. Compressed files are restored to their original form with gzip -d or gunzip, or written to standard output with zcat. For example, to back up the 'mydata' directory inside the home directory of user 'student', first archive the directory and then compress the archive. The steps are:
javidali@JLaptop:~$ sudo tar -cvf backup.tar /home/student/mydata/
/home/student/mydata/.synaptic/
/home/student/mydata/.synaptic/options
.
.
/home/student/mydata/DriverInstall/sk98lin.tar.bz2
/home/student/mydata/Music/
javidali@JLaptop:~$
(GNU tar strips the leading '/' from the stored member names, so the archive later extracts relative to the current directory rather than on top of /home/student.)
The mydata directory and the backup.tar file are about the same size, because tar only packs files together. To reduce the size, compress the archive:
javidali@JLaptop:~$ gzip backup.tar
The output of this command is a file named backup.tar.gz. To uncompress it again, issue the command:
javidali@JLaptop:~$ gzip -d backup.tar.gz
or
javidali@JLaptop:~$ gunzip backup.tar.gz
Or you can let tar uncompress and extract in one step; the -f switch, which names the archive, must come directly before the file name:
javidali@JLaptop:~$ tar -xzf backup.tar.gz
Here the -z switch runs gzip from within tar, -x extracts the contents and -f names the archive. To list the contents of an archive, use the -t switch:
javidali@JLaptop:~$ tar -tf backup.tar
And to extract the contents of the archive, issue the following command:
javidali@JLaptop:~$ tar -xvf backup.tar
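Listing an archive with tar -t before extracting it is worth making a habit, because an archive you did not create yourself can contain member names that write outside the directory you extract into: absolute paths, or paths with ".." components. The script below, an added example and not part of the original manual, builds a small benign archive in a temporary directory and checks its listing; the hostile listing is constructed text written the way tar -tf would print it, since GNU tar strips leading "/" and ".." when creating an archive unless told otherwise. Symbolic-link members, which are a separate way of escaping the target directory, are not handled here.

```bash
#!/bin/sh
# Added example for Lab 04, not part of the original manual. Before extracting
# an archive you did not create, list it (tar -t) and refuse members that would
# land outside the target directory: absolute paths or ".." components. A small
# benign archive is built here; the hostile listing is constructed text.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/mydata/Music"
echo "notes" > "$SAMPLE_DIR/mydata/readme.txt"
( cd "$SAMPLE_DIR" && tar -cf backup.tar mydata )

# unsafe_entries: read archive member names on stdin, print those that would
# escape the extraction directory.
unsafe_entries() {
    while IFS= read -r name; do
        case "$name" in
            /*)                    echo "$name" ;;   # absolute path
            ../*|*/../*|*/..|..)   echo "$name" ;;   # parent-directory traversal
        esac
    done
}

# archive_is_safe FILE: succeed only when tar -tf shows no unsafe member.
archive_is_safe() {
    [ -z "$(tar -tf "$1" | unsafe_entries)" ]
}

# Constructed listing, as tar -tf might print it for a hostile archive.
HOSTILE_LISTING='mydata/
mydata/readme.txt
../.ssh/authorized_keys
/etc/cron.d/backdoor
mydata/../../.bashrc'

tar -tf "$SAMPLE_DIR/backup.tar"                  # benign members only
printf '%s\n' "$HOSTILE_LISTING" | unsafe_entries # the three escaping members
archive_is_safe "$SAMPLE_DIR/backup.tar" && echo "backup.tar: safe to extract"
```

Modern GNU tar refuses such members at extraction time by default (it prints "Removing leading `/'" or an error for ".."), but older versions and other tar implementations differ, so the listing check costs nothing and works everywhere.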
Exercises for lab: Exercise 1:- Change the access permissions of the home directory of your login user to match drwxr-xr-x, using both symbolic mode and octal mode. Exercise 2:- Create a file and modify its access permissions so that the file can be executed by user, group and others in addition to its current permission settings. Exercise 3:- Create an archive and add all subdirectories of your home directory to that archive.
Home Work:
1) Search the manual pages of the utilities gzip and tar and write a procedure to add files and directories to an existing archive.
2) Write a note on the advantages of file level security in operating systems.
3) Why do we often compress files before adding them to an archive?
Lab No. 05: Command line Text Editors (Vim)
Objective: To enable students to use command line editors for editing text files. On completing this lab, students will have sufficient knowledge of vim / vi and its features for their daily tasks.
Scope: On the completion of this lab, you will be able to:
• Start the editor, move the cursor around and exit the editor.
• Work in command mode.
• Copy, cut and paste text.
• Format a program and check source code.
• Search for a character or string.
• Recover your work.
Useful Concepts:
vi
• A screen-based editor used by many UNIX users.
• Has powerful features to aid programmers.
Editing modes
There are two modes in which the editor operates:
• Insert mode: the user types text in this mode.
• Command mode: the user issues commands that operate on the file (e.g. saving, exiting, searching, etc).
Text buffers in vi
• There are 36 special buffers plus a general purpose buffer for temporary storage of words or lines. When a block of text is cut from the file it is placed into the general purpose buffer, but if a buffer is specified the block of text can also be stored in that buffer. Buffers are named a to z and numbered 0 to 9.
Exercise-1:- This exercise illustrates how to start the editor, move the cursor around and exit from the editor. To start the editor from the command line, type: vi
An empty buffer is opened in the editor. If you want to open an existing file in the editor, type: vi filename
To switch to insert mode, press the i key. The words -- INSERT -- at the bottom of the screen indicate that you are in insert mode; text you type is inserted before the cursor. Pressing a instead of i appends text after the cursor; I inserts at the start of the line and A appends at the end of the line. To move the cursor around while in command mode, press h (move left), l (move right), k (move up) or j (move down); the arrow keys do the same in both modes. To switch back to command mode, press the Escape key. Commands that begin with a colon (:) are typed in command mode and echoed on the bottom line. To exit the editor without saving the changes made to the file, switch to command mode and type: :q!
To save the changes and exit the editor, switch to command mode and type: :wq
where "w" writes the changes to the file and "q" quits the editor.
Exercise-2:- This exercise illustrates how to work in command mode in the vi editor. Press the Escape key to switch to command mode, then practice the following commands and observe the results.
To replace the single character under the cursor, type r followed by the new character:
    r
To undo the last change to the file (typing u again will re-do the change):
    u
To delete the character under the cursor:
    x
Exercise-3:- This exercise illustrates how to copy, cut and paste text. The cut command is d, followed by a motion that says how much text to cut:
    d
To cut multiple characters, put the count in front of the d:
    NUMd
where NUM is the number of times the cut is applied. To cut the whole line, type:
    dd
To cut from the current cursor position to the beginning of the line, type:
    d^
To cut from the current cursor position to the end of the line, type:
    d$
To cut from the current cursor position to the end of the word, type:
    dw
To cut three lines from the current cursor position downwards, type:
    3dd
The y (yank) command works just like the d command but only copies the text instead of cutting it. To paste the buffer after the cursor position, type:
    p
To paste the buffer before the cursor position, type:
    P
To paste the text a specified number of times, say 3, before the cursor position, type:
    3P
Exercise-4:- This exercise illustrates how to format a program and check source code for correctness. You can use the shiftwidth variable to set up the indentation for each level of nesting in code. To set the shift width to 4 characters, type:
    :set sw=4
To shift the current line one shift width to the left, type:
    :<
To shift the current line three shift widths to the right, type (each additional > adds one more shift width):
    :>>>
To check for a matching parenthesis or brace in your code, place the cursor on a parenthesis or brace and, in command mode, type:
    %
The cursor jumps to the matching parenthesis or brace; if it does not move, the bracket is unmatched.
Exercise -5:- This exercise illustrates how to search for a character/string in a file using vi. To search for a string forwards in the file, say "comsats", type:
    /comsats
To search for a string backwards in the file, say "comsats", type:
    ?comsats
To repeat the previous search in the same direction, type:
    n
To repeat the previous search in the opposite direction, type:
    N
To search for a special character in the file, type a backslash (\) before the character. Some special characters that are used in search expressions and their meaning:
    ^      Beginning of the line (at the beginning of a search expression)
    .      Matches a single character
    *      Matches zero or more of the previous character
    $      End of the line (at the end of the search expression)
    [ ]    Starts a set of matching, or non-matching, expressions. For example, /f[iae]t matches any of these: fit fat fet. With a leading ^ inside the brackets the set matches anything except the listed characters: /a[^bcd] will not match ab, ac or ad, but will match an a followed by any other letter.
    \< \>  Put in an expression, escaped with the backslash, to find the beginning or ending of a word. For example, /\<the\> finds only the word "the", not words like there and other.
There are two sets of commands used for character search within a line: [f & F] and [t & T]. f moves onto the character itself, t moves to just before it. To search for a character forwards within one line, say 'j', type:
    fj
or
    tj
To search for a character backwards within one line, say 'j', type:
    Fj
or
    Tj
The ; and , commands repeat these character searches: ; repeats the last character search command in the same direction, and , repeats it in the reverse direction.
Exercise -6:- This exercise illustrates how to recover your work. The vi editor keeps a temporary copy of the file you are editing, and when you save your work, it writes the contents of the temporary copy into the original file. If the editor is closed accidentally during editing, vi will attempt to save your work so that you can recover it later. To recover the file named myfile, start the editor with the -r (recovery) option:
    vi -r myfile
and then save the recovered file.
Note: The -r option only works once per failed vi session.
Exercises for lab:
Exercise-1: Open a file in the vi editor and practice all the commands given below:
    ^B  ^D  ^F  ^H  ^J  ^M  ^N  ^P  ^U
    (   )   {   }   |   +   _   $   0
    G   H   L   M   W   b   e   h   j   w
Note the effect of each command on the output.
Home Work:
1) Practice the following cursor movement commands and write a note on them:
    ^E  ^Y  z  %  B  E  k  l  ^
2) Practice the following text replacement commands and write a note on them:
    R  C  S  c  r  s
3) Practice the following search commands and write a note on them:
    /  ?  n  N  f  F  t  T  ;  ,
4) Practice the following formatting commands and write a note on them:
    ~  <  >  J
Lab 06: Managing the file system
To understand the command line file system
Lab No. 06: Managing the file system
Objective: To equip the students with knowledge of command line file system and partition management.
Scope: On the completion of this lab, you will be able to:
• Recognize pathnames, relative and absolute paths
• Understand path and environment settings
• Distinguish directories from partitions in the file system
• Recognize and modify partitions
• Understand the bash environment
Useful Concepts:
Directory: A special type of file that contains other files or directories, the same as folders in Windows.
File system: Like other platforms (Windows, Mac OS, etc.), the Linux file system is hierarchical. Directories can be created inside other directories in a tree-like structure.
Root directory: The Linux file system tree has only one root, called the root directory, represented by /.
Sub directory: A directory inside another directory is usually called a subdirectory.
Pathname: A pathname is the sequence of directories to be followed to reach a file. For example, the pathname of the file myfile.txt in the cs user's home directory is /home/cs/myfile.txt.
Absolute pathname: A pathname that contains all the information needed to find a file, i.e. one that starts from the root directory /, is called an absolute pathname.
Relative pathname: A pathname that contains the information necessary to find a file from a particular point in the tree is called a relative pathname. For example, from the directory /home, the relative pathname of myfile.txt is just cs/myfile.txt. Note that this pathname has no leading /.
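The following shell functions are an added example, not part of the lab manual: they resolve a relative pathname against a base directory purely by string processing (no file has to exist), which makes the rules above concrete, and then check whether the result still lies inside the base directory, the test a program must make before it trusts a user-supplied path. The names resolve_path and inside_base are my own.

```shell
# Added example (not from the lab manual): resolve relative pathnames the
# way the shell's notion of "." and ".." works, without touching the disk.

# resolve_path BASE RELATIVE : print the absolute pathname that RELATIVE
# denotes when the current directory is BASE. An absolute RELATIVE
# (leading /) ignores BASE altogether.
resolve_path() {
    base=$1
    rel=$2
    case $rel in
        /*) start=$rel ;;            # already absolute
        *)  start="$base/$rel" ;;    # relative: hang it off the base
    esac
    result=""
    # Split on '/' with globbing switched off, so a '*' in a name is kept.
    old_ifs=$IFS
    IFS=/
    set -f
    set -- $start
    set +f
    IFS=$old_ifs
    for comp in "$@"; do
        case $comp in
            ''|.) ;;                          # '' (from //) and '.' add nothing
            ..)   result=${result%/*} ;;      # '..' drops the last component
            *)    result="$result/$comp" ;;   # ordinary component
        esac
    done
    printf '%s\n' "${result:-/}"              # going above / stays at /
}

# inside_base BASE PATH : succeed (exit 0) only if PATH, resolved against
# BASE, is BASE itself or lies below it; ".." sequences cannot escape it.
inside_base() {
    b=$(resolve_path / "$1")
    t=$(resolve_path "$b" "$2")
    if [ "$b" = / ]; then
        return 0                              # everything is under the root
    fi
    case $t in
        "$b"|"$b"/*) return 0 ;;
        *)           return 1 ;;
    esac
}
```

Run on the manual's own example, resolve_path /home cs/myfile.txt prints /home/cs/myfile.txt, while inside_base /home/cs ../../etc/passwd fails because the resolved path /etc/passwd has left /home/cs. The functions do not follow symbolic links; for that, the realpath command on the live file system is needed.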
Exercise-1:- This exercise illustrates how multiple disks are represented in the file system. Each partition of a disk is mounted at a separate directory in the file system. So, for example, a separate disk may be mounted at the directory /mnt. In this case, every time you access something in the directory /mnt, you are actually accessing a file on this separate disk. This is transparent to the user, but you can peek at which disks are mounted where on a computer by using the df command in the shell. You will see something like this:
    Filesystem   1k-blocks      Used  Available  Use%  Mounted on
    /dev/hda8       497667     78511     393454   17%  /
    /dev/hda1        14607      2758      11095   20%  /boot
    /dev/hda7      5308207   1085340    3948063   22%  /usr
    /dev/hdc        609750    609750          0  100%  /mnt/cdrom
The first line indicates that the disk with the symbolic name /dev/hda8 is mounted at the root directory. The second line indicates that another disk with the symbolic name /dev/hda1 is mounted at the subdirectory /boot. The third line is similar. The disk in the fourth line represents the CD-ROM drive, which is mounted at /mnt/cdrom.
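As an added example (not from the lab manual), the function below reads df-style output and reports the file systems whose Use% column is at or above a threshold, the check an administrator runs before a partition fills up. SAMPLE_DF is a constructed copy of the table above; nearly_full and count_over are my own names.

```shell
# Added example (not from the lab manual): find nearly full file systems
# in df output. SAMPLE_DF is constructed from the table in this exercise.

SAMPLE_DF='Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/hda8               497667     78511    393454  17% /
/dev/hda1                14607      2758     11095  20% /boot
/dev/hda7              5308207   1085340   3948063  22% /usr
/dev/hdc                609750    609750         0 100% /mnt/cdrom'

# nearly_full THRESHOLD : reads df output on stdin and prints
# "mountpoint use%" for every file system at or above THRESHOLD percent.
nearly_full() {
    awk -v limit="$1" '
        NR == 1 { next }                  # skip the header line
        {
            pct = $5
            sub(/%$/, "", pct)            # "17%" -> 17
            if (pct + 0 >= limit + 0) print $6, $5
        }'
}

# count_over THRESHOLD : how many file systems in SAMPLE_DF are at or
# above the threshold
count_over() {
    printf '%s\n' "$SAMPLE_DF" | nearly_full "$1" | wc -l | tr -d ' '
}

# On a live system use the portable output format, which keeps one file
# system per line so the column positions are stable:
#   df -P | nearly_full 90
```

With the sample, count_over 90 reports 1 (only the CD-ROM, which as read-only media is always 100% full and would normally be excluded from an alert). The awk script relies on the mount point being the sixth field, so a mount point containing spaces would need a different parser.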
Exercise-2:- This exercise illustrates how to recognize disks. To see all the disks and partitions on your system, you can list the files in the /dev directory. The ls /dev command will display all the device-related files. To display only the disk-related files, type:
    ls /dev | grep '.d'
(the pattern .d matches any character followed by d, so names such as fd0, hda1 and sda1 are all selected). The output will be something like:
    hda1 hda3 hda5 hda7 hdb2 fd0 fd1 sda1 sda8 sdb2 etc.
Here is a brief description of the disk file names:
    Disk file name   Description
    fd0              First floppy disk drive
    fd1              Second floppy disk drive
    hda              First master hard disk drive (IDE-0 master)
    hdb              First slave hard disk drive (IDE-0 slave)
    hdc              Second master hard disk drive (IDE-1 master)
    sda              First SCSI disk drive
    sdb              Second SCSI disk drive
Exercise-3:- This exercise illustrates recognizing partitions. Enter the command
    ls /dev | grep '.d'
to display only the disk-related files; the output will be something like:
    hda1 hda3 hda5 hda7 hdb2 fd0 fd1 sda1 sda8 sdb2
The partition number follows the disk name:
    Disk file name   Description
    hda1             First master hard disk drive (IDE-0 master), first primary partition
    hda3             First master hard disk drive (IDE-0 master), third partition
    hda5             First master hard disk drive (IDE-0 master), 1st logical partition
    hda7             First master hard disk drive (IDE-0 master), 3rd logical partition
    hdb1             First slave hard disk drive (IDE-0 slave), 1st partition
    sda1             First SCSI disk drive, first primary partition
    sdb8             Second SCSI disk drive, 4th logical partition
Exercise-4:- This exercise illustrates mounting/un-mounting a partition. To see the contents stored on a partition you must have a mount point, a directory in the file system tree, through which you can access those contents. To mount a partition, for example hda5, on the /mnt directory, type:
    mount /dev/hda5 /mnt
After doing this, you will be able to see the contents of the hda5 partition in the /mnt directory. To mount a Windows NTFS partition, type:
    mount -t ntfs-3g partition_path mount_point
To unmount a partition, either type:
    umount partition
or
    umount mount_point
e.g.
    umount /dev/hda5
or
    umount /mnt
Either of the two commands will unmount the partition /dev/hda5 mounted on /mnt.
Exercise-5:- This exercise describes miscellaneous commands:
    cfdisk       Partition table manipulator for Linux
    export       Set an environment variable
    fdisk        Partition table manipulator for Linux
    quota        Display disk usage and limits
    quotacheck   Scan a file system for disk usage
Exercises for lab: Exercise 1:- Test all the above exercises and write a note on each exercise. Write down the results of the commands on successful execution, or the error message on any failure, and discuss it with your lab instructor. Exercise 2:- How many disks and partitions are available on your system? Create a directory in your home directory and mount the first logical partition of your primary hard disk on that directory. Check whether you are able to access the contents of the newly mounted file system or not.
Home Work: 1)
Define primary partition, extended partition and logical partition. How many primary partitions can you create in a single disk?
2)
Search the web and find the procedure of mounting filesystem over the network (remote mounting).
Lab 7: Command line Process Management
To understand the command line Process Management
Lab No. 07: Command line Process Management
Objective: The objective of this lab is to introduce the students to command-line process control and management.
Scope: The student will be able to know the following at the end of this lab:
• Listing processes
• Ending a process
• Running a process in the background
• Changing the process favorability (priority)
Useful Concepts:
Processes: Linux, like most modern operating systems, is multitasking, which means that it can execute many programs simultaneously. A program that is currently executing is called a process. A Linux system consists of several dozen active processes at any time. Some of these processes are system processes that perform important "behind the scenes" tasks and some are user processes corresponding to programs like Netscape or Emacs.
Nice: A process's favorability for access to system resources (processor time).
Signals: A special instruction sent to the process under consideration.
Exercise-1:- This exercise illustrates listing processes. You can view the processes that are currently running on the system with the ps command. Type ps now and you will see something like the following:
    javidali@JLaptop:~$ ps
      PID TTY          TIME CMD
    23985 pts/0    00:00:01 bash
    24001 pts/0    00:00:00 ps
    javidali@JLaptop:~$
This tells you that you are running 2 processes and that the commands (CMD) used to start them were bash (your shell) and ps (the process you just started when you entered ps). The first column in the list, headed by PID, gives the process ID for each process, an integer used to uniquely identify each process. The next column, TTY, gives the terminal name to which the process is attached. The third column, TIME, gives the amount of time the process has been running for (or the amount of time it has been running since it was last sleeping or stopped). Using ps by itself only gives information about processes that you own, which, unless you are a system administrator, is usually all the information you need. If you want information about all the processes running on the system, you can issue the ps aux command. This command combines 3 options (the normal dash before the options is not necessary) which, together, give information about all processes on the system, including those owned by other users and those that have no terminal attached. Here is a (significantly trimmed) example of what this output might look like:
    USER       PID %CPU %MEM   VSZ   RSS TTY   STAT START  TIME COMMAND
    root         1  0.0  0.0  1324    76 ?     S    Jul23  0:12 init [5]
    root         2  0.0  0.0     0     0 ?     SW   Jul23  0:21 [kflushd]
    root         3  0.0  0.0     0     0 ?     SW   Jul23  0:03 [kupdate]
    root         4  0.0  0.0     0     0 ?     SW   Jul23  0:00 [kpiod]
    root         5  0.0  0.0     0     0 ?     SW   Jul23  0:14 [kswapd]
    root         6  0.0  0.0     0     0 ?     SW<  Jul23  0:00 [mdrecoveryd]
    root       415  0.0  0.1  1548   160 ?     S    Jul23  0:02 syslogd -m 0
    rpc        440  0.0  0.1  1472   252 ?     S    Jul23  0:00 portmap
    root       456  0.0  0.0     0     0 ?     SW   Jul23  0:00 [lockd]
    root       500  0.0  0.2  5744   272 ?     S    Jul23  0:00 [ypbind]
    nobody     566  0.0  0.0  7616    24 ?     S    Jul23  0:00 [identd]
    . . .
    root      1006 14.7 24.7 62796 31612 ?     R    Jul23 53:50 /etc/X11/X
    javid     7892  0.0  1.2  7580  1564 ?     S    14:15  0:00 gnome-session
    javid     7957  0.0  1.3  4700  1700 ?     S    14:15  1:39 sawmill
    javid     7966  0.0  2.1  9336  2784 ?     S    14:15  3:51 panel
    javid     7969  0.0  0.8  8404  1092 ?     S    14:15  0:00 gmc
    javid     7972  0.0  0.7  3560   968 ?     S    14:15  0:11 xscreensaver
    javid     7992  0.0  1.3  7676  1676 ?     S    14:26  0:21 gnome-terminal
    javid     7994  0.0  0.6  2440   796 pts/0 S    14:26  0:01 bash
    javid    12504  0.0  0.1  2004   156 pts/0 S    15:08  0:00 netscape
    javid    24059  0.0  0.7  2728   900 pts/0 R    15:42  0:00 ps aux
This listing gives a lot of information about the 100 or so processes that are probably currently executing on the system. For example, you can gather that the computer was last rebooted on July 23. You can see that X windows (/etc/X11/X) is using almost 25% of the computer's memory at the moment and 15% of the CPU time. You can also view the current status (STAT) of each of the processes in the system. An R in this column means that the process is currently "runnable" which, as you will learn when you take Operating Systems, means that the process is either currently running or in the ready queue, waiting to gain access to the processor. An S indicates that the process is "sleeping" (currently not waiting to use the processor). A W means that, in addition to sleeping, the process has been "swapped out" (not currently resident in memory but on the disk instead). Lastly, the < marks a process that is given higher priority than normal while waiting for the CPU.
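As an added example (not from the lab manual), the functions below pull the facts just described out of ps aux output with awk: the PIDs owned by one user, the command using the most memory, and how many processes are in a given state. SAMPLE_PS is a constructed subset of the listing above; the function names are my own.

```shell
# Added example (not from the lab manual): summarise ps aux output. The
# functions read ps text on stdin; SAMPLE_PS is constructed from the
# listing in this exercise.

SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1324 76 ? S Jul23 0:12 init [5]
root 415 0.0 0.1 1548 160 ? S Jul23 0:02 syslogd -m 0
rpc 440 0.0 0.1 1472 252 ? S Jul23 0:00 portmap
root 1006 14.7 24.7 62796 31612 ? R Jul23 53:50 /etc/X11/X
javid 7992 0.0 1.3 7676 1676 ? S 14:26 0:21 gnome-terminal
javid 12504 0.0 0.1 2004 156 pts/0 S 15:08 0:00 netscape
javid 24059 0.0 0.7 2728 900 pts/0 R 15:42 0:00 ps aux'

# pids_of_user USER : the PID column of every process owned by USER
pids_of_user() {
    awk -v u="$1" 'NR > 1 && $1 == u { print $2 }'
}

# top_mem_command : the full COMMAND of the process with the highest %MEM.
# The command is fields 11..NF because a command line may contain spaces.
top_mem_command() {
    awk 'NR > 1 && $4 + 0 > best {
             best = $4
             cmd = $11
             for (i = 12; i <= NF; i++) cmd = cmd " " $i
         }
         END { print cmd }'
}

# count_state LETTER : processes whose STAT column contains LETTER
# (R runnable, S sleeping, W swapped out, < raised priority)
count_state() {
    awk -v s="$1" 'NR > 1 && index($8, s) { n++ } END { print n + 0 }'
}

# Against the live system, for example all of root's processes:
#   ps aux | pids_of_user root
```

With the sample, top_mem_command prints /etc/X11/X and count_state R prints 2, matching what the paragraph above reads off the listing by eye.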
Exercise-2:- This exercise illustrates how to terminate a Process Sometimes you will come across a process that locks up and just won’t quit, no matter what you do. In this case, the only alternative is to force the process to quit. If the process is one that you started from the shell in the foreground, you can end it by typing Ctrl - C. If the process is running in the background, you will need to issue the kill command followed by a process ID. For example, to kill the Netscape process above, you would type: kill 12504
If this does not work, use the -9 (or -s SIGKILL) option to forcibly kill the process. The kill command (or Ctrl - C) also comes in handy when you must kill a program that you wrote with an infinite loop!
Exercise-3:- This exercise illustrates how to Run a Process in the Background When you run a program in Linux, it can either be run in the foreground or in the background. When you run a program in the foreground (which is the default), the resulting process must finish before you get another prompt in the shell. This is fine when you run short processes like ls, for example. However, if you want to run Netscape (for example) from the shell, you probably do not want to have to quit Netscape in order to get a new prompt to, say, copy a file. The alternative is to run Netscape in the background, which means that the new process will run concurrently with the shell prompt, and a prompt will be returned to you immediately. To run a program in the background, simply follow the command with an ampersand (&) character. For example, to run Netscape in the background, type: netscape &
Generally speaking, any time you run a program that generates its own window on the desktop, it is best to run it in the background. If you start a program in the foreground by mistake and want to turn it into a background process, hit Ctrl - Z , which suspends the process. Then type bg
this command restarts the currently suspended process in the background.
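The three steps of exercises 2 and 3 (start a job in the background, find out how it is scheduled, stop it) as an added example that is not from the lab manual. terminate_job sends SIGTERM first and only escalates to SIGKILL if the process is still there after a grace period, which gives the program a chance to clean up; the nice value is read back to show the effect of the nice command mentioned in the Useful Concepts. start_background, nice_of, terminate_job and the BG_PID variable are my own names.

```shell
# Added example (not from the lab manual): background jobs, nice values,
# and terminating a job politely.

# start_background CMD... : run CMD in the background and record its PID
# in BG_PID (the shell's $! after the &)
start_background() {
    "$@" &
    BG_PID=$!
}

# nice_of PID : print the nice value of PID. On Linux it is field 19 of
# /proc/PID/stat; the "pid (comm) " prefix is stripped first because the
# command name may itself contain spaces. Elsewhere fall back to ps.
nice_of() {
    if [ -r "/proc/$1/stat" ]; then
        sed 's/^.*) //' "/proc/$1/stat" | awk '{ print $17 }'
    else
        ps -o nice= -p "$1" | tr -d ' '
    fi
}

# terminate_job PID [GRACE] : SIGTERM the job, wait up to GRACE seconds
# (default 5) for it to exit, then SIGKILL it. PID must be a child of this
# shell so that wait can reap it. Succeeds when the process is gone.
terminate_job() {
    pid=$1
    grace=${2:-5}
    kill -0 "$pid" 2>/dev/null || return 0        # already gone: nothing to do
    kill -TERM "$pid" 2>/dev/null
    # watchdog subshell: escalates to SIGKILL if the job ignores SIGTERM
    ( sleep "$grace"; kill -KILL "$pid" 2>/dev/null ) &
    watchdog=$!
    wait "$pid" 2>/dev/null || :                  # returns as soon as the job exits
    kill "$watchdog" 2>/dev/null || :             # job is gone: stop the watchdog
    wait "$watchdog" 2>/dev/null || :
    ! kill -0 "$pid" 2>/dev/null
}

# Interactive equivalent of the steps above:
#   sleep 300 &              (start in the background)
#   nice -n 10 sleep 300 &   (same, with a lower priority; nice_of prints 10)
#   kill PID                 (SIGTERM), then kill -9 PID only if it will not stop
```

Because terminate_job uses wait, it only works for jobs this shell started; for an unrelated process you would poll with kill -0 in a loop instead. The Ctrl-Z then bg sequence from the text reaches the same state as start_background: a job running in the background with a PID you can pass to terminate_job.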
Exercises for lab: Exercise 1:- List all the processes that belong to root user. Exercise 2:- Create a process of gedit and send it to background. Exercise 3:- Change the priority of the process created in exercise no. 2.
Home Work: 1)
Find the difference between the output of the top utility and the ps aux command.
2)
What kinds of signals are used to control a process in UNIX operating system? Where can you find the list of available signals and their numerical values?
Lab 8: Basic Bash Scripting, writing and executing bash scripts
To understand how to write and execute bash scripts
Lab No. 08: Basic Bash Scripting, writing and executing bash scripts Objective: To familiarize students with the basics of bash scripting. How to write and execute bash scripts under the Linux environment.
Scope: The students would be able to do the following at the end of this lab:
• Write a Hello World script
• Use variables, global vs. local variables
• Pass arguments to a bash script
• Execute shell commands with bash
• Read user input and write output
Useful Concepts:
Bash
• A UNIX shell as well as an interpreter
Script
• A set of instructions (commands) that can be executed by a shell (interpreter).
Exercise-1:- Hello world example. The script declares a string variable, stores "Hello World" in it and finally prints the value of the variable on the screen.
    #!/bin/bash
    # declare STRING variable
    STRING="Hello World"
    # print variable on a screen
    echo $STRING
Saving and executing the script: save the above script in a file named "hello_world.sh", make it executable with the command "chmod +x hello_world.sh", navigate to the directory where the script is saved and execute it using the command "./hello_world.sh".
Exercise -2:- This exercise explains the use of global vs. local variables.
    #!/bin/bash
    # Define bash global variable
    # This variable is global and can be used anywhere in this bash script
    VAR="global variable"
    function bash {
        # Define bash local variable
        # This variable is local to bash function only
        local VAR="local variable"
        echo $VAR
    }
    echo $VAR
    bash
    # Note the bash global variable did not change
    # "local" is bash reserved word
    echo $VAR
Exercise -3:- This exercise illustrates passing command line arguments to the bash script.
    #!/bin/bash
    # use predefined variables to access passed arguments
    # echo arguments to the shell
    echo $1 $2 $3 ' -> echo $1 $2 $3'
    # We can also store arguments from bash command line in special array
    args=("$@")
    # echo arguments to the shell
    echo ${args[0]} ${args[1]} ${args[2]} ' -> args=("$@"); echo ${args[0]} ${args[1]} ${args[2]}'
    # use $@ to print out all arguments at once
    echo $@ ' -> echo $@'
    # use $# variable to print out
    # number of arguments passed to the bash script
    echo Number of arguments passed: $# ' -> echo Number of arguments passed: $#'
Passing arguments to the script:
    ./arguments.sh Bash Scripting Tutorial
Here ./arguments.sh is the script file name and the remaining words are the arguments passed to the script.
Exercise -4:- This exercise illustrates executing shell commands with bash.
    #!/bin/bash
    # use backticks " ` ` " to execute shell command
    echo `uname -o`
    # executing bash command without backticks: the words are printed literally
    echo uname -o
Exercise -5:- This exercise illustrates reading user input.
    #!/bin/bash
    echo -e "Hi, please type the word: \c "
    read word
    echo "The word you entered is: $word"
    echo -e "Can you please enter two words? "
    read word1 word2
    echo "Here is your input: \"$word1\" \"$word2\""
    echo -e "How do you feel about bash scripting? "
    # read command now stores a reply into the default built-in variable $REPLY
    read
    echo "You said $REPLY, I'm glad to hear that! "
    echo -e "What are your favorite colours ? "
    # -a makes read command to read into an array
    read -a colours
    echo "My favorite colours are also ${colours[0]}, ${colours[1]} and ${colours[2]}:-)"
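An added example (not from the lab manual) that ties exercises 3 and 5 together: it shows what a script actually receives when arguments are forwarded as "$@"  versus bare $@, and reads input with read -r plus a validation loop, the two details the scripts above leave out. The function names are my own.

```shell
# Added example (not from the lab manual): argument boundaries and
# validated input.

# joined_args ARGS... : print each argument between | characters so the
# argument boundaries the function actually saw are visible
joined_args() {
    out=""
    for a in "$@"; do
        out="$out|$a"
    done
    printf '%s|\n' "$out"
}

# Forward this function's arguments on to joined_args two ways.
pass_quoted()   { joined_args "$@"; }   # each argument stays one word
pass_unquoted() { joined_args $@; }     # re-split on spaces (and globbed)

# read_word : prompt on stderr (so the prompt never mixes with the result)
# and print the word as typed. -r keeps backslashes literal; the plain
# read used in the exercise would interpret them.
read_word() {
    printf 'Hi, please type the word: ' >&2
    read -r word || return 1              # end of input: no word
    printf '%s\n' "$word"
}

# read_number : keep asking until the line is a non-empty string of
# digits. Fails (exit 1) when input ends first, so a script reading from
# a pipe cannot loop forever.
read_number() {
    while :; do
        printf 'Enter a number: ' >&2
        read -r n || return 1
        case $n in
            *[!0-9]*|'') printf 'not a number: %s\n' "$n" >&2 ;;
            *)           printf '%s\n' "$n"; return 0 ;;
        esac
    done
}
```

pass_quoted 'Bash Scripting' Tutorial prints |Bash Scripting|Tutorial| while pass_unquoted prints |Bash|Scripting|Tutorial|: the unquoted form silently changes the number of arguments, and an argument such as * would even be replaced by file names, which is why "$@" is the form to use when passing arguments on.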
Exercises for lab: Exercise 1:- Write a shell script that adds two numbers and prints their sum. Exercise 2:- Write a script that takes a student's information as input and prints it to the screen.
Home Work: 1)
Write a comparative report on the pros and cons of at least three scripting languages.
Lab 9: Advance Bash Scripting 1
To understand the Basic Bash Scripting 1
Lab No. 09: Advance Bash Scripting 1 Objective: To familiarize students with the concept of Bash if/else statements, bash loops and bash comparisons.
Scope: The students would be able to do the following at the end of this lab:
• Write shell scripts with conditional execution
• Use loops in bash scripts
Exercise-1:- Simple bash if/else statement. In this example we declare a variable named directory and assign it a value. Then, in the if statement, we check whether the directory exists or not, and the relevant message is printed on the screen accordingly. Please note the spacing inside the [ and ] brackets! Without the spaces, it won't work!
    #!/bin/bash
    directory="./BashScripting"
    # bash check if directory exists
    if [ -d $directory ]; then
        echo "Directory exists"
    else
        echo "Directory does not exist"
    fi
Exercise -2:- This exercise demonstrates the bash "for" loop.
    #!/bin/bash
    # bash for loop
    for f in $( ls /var/ ); do
        echo $f
    done
Exercise -3:- This exercise demonstrates the bash while loop.
    #!/bin/bash
    COUNT=6
    # bash while loop
    while [ $COUNT -gt 0 ]; do
        echo Value of count is: $COUNT
        let COUNT=COUNT-1
    done
Exercise -4:- This exercise demonstrates the bash until loop.
    #!/bin/bash
    COUNT=0
    # bash until loop
    until [ $COUNT -gt 5 ]; do
        echo Value of count is: $COUNT
        let COUNT=COUNT+1
    done
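The test and loops of exercises 1 to 4, as an added example that is not from the lab manual, written so that file and directory names containing spaces survive: the variable in the [ ] test is quoted, the for loop iterates over a glob instead of the output of ls, and a while loop reads a file line by line. count_entries_ls repeats the manual's "for f in $( ls ... )" pattern only so the difference can be measured; all function names are my own.

```shell
# Added example (not from the lab manual): the same constructs as the
# exercises, robust against names with spaces.

# dir_check DIR : Exercise-1 with the variable quoted, so a directory name
# containing a space is still a single argument to [
dir_check() {
    if [ -d "$1" ]; then
        echo "Directory exists"
    else
        echo "Directory does not exist"
    fi
}

# count_entries DIR : iterate over a glob; each match is one iteration
# even when the name contains spaces. Hidden names are covered by the
# second pattern.
count_entries() {
    n=0
    for f in "$1"/* "$1"/.[!.]*; do
        [ -e "$f" ] || continue          # an unmatched glob stays literal: skip it
        n=$((n + 1))
    done
    echo "$n"
}

# count_entries_ls DIR : the manual's for loop over $(ls ...), which splits
# "my file.txt" into two iterations (shown for comparison only)
count_entries_ls() {
    n=0
    for f in $(ls "$1"); do
        n=$((n + 1))
    done
    echo "$n"
}

# line_count FILE : a while loop reading FILE line by line. IFS= keeps
# leading blanks, -r keeps backslashes, and the || [ -n "$line" ] still
# counts a final line that has no trailing newline.
line_count() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
    done < "$1"
    echo "$n"
}
```

For a directory holding b.txt and "my file.txt", count_entries reports 2 and count_entries_ls reports 3, which is the reason to prefer globs (or find) over parsing ls in scripts.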
Exercises for lab: Exercise 1:- Write a shell script that inputs two numbers from the user and checks whether they are equal or not. Exercise 2:- Write a script that takes a number as input from the user and prints its multiplication table.
Home Work: 1)
Write a script that takes a number as input from the user and calculates its factorial.
2)
Write a script that takes a number as input from the user and checks whether it is a prime number or not.
Lab 10: Advance Bash Scripting 2
To understand Advance Bash Scripting 2
Lab No. 10: Advance Bash Scripting 2 Objective: To familiarize students with the concept of arrays in bash scripting, bash functions and bash file testing/handling.
Scope: The students would be able to do the following at the end of this lab:
• Write shell scripts that make use of arrays
• Use functions in their shell scripts
• Use the various file testing options in their code
Useful Concepts: Bash file testing options
    -b filename        Block special file
    -c filename        Character special file
    -d directoryname   Check for directory existence
    -e filename        Check for file existence
    -f filename        Check for regular file existence, not a directory
    -G filename        Check if file exists and is owned by the effective group ID
    -g filename        True if file exists and is set-group-id
    -k filename        Sticky bit is set
    -L filename        Symbolic link
    -O filename        True if file exists and is owned by the effective user ID
    -r filename        Check if file is readable
    -S filename        Check if file is a socket
    -s filename        Check if file has nonzero size
    -u filename        Check if the set-user-id bit is set
    -w filename        Check if file is writable
    -x filename        Check if file is executable
Exercise -1:- This exercise demonstrates how to declare a simple bash array.
    #!/bin/bash
    # Declare array with 4 elements
    ARRAY=( 'Debian Linux' 'Redhat Linux' Ubuntu Linux )
    # get number of elements in the array
    ELEMENTS=${#ARRAY[@]}
    # echo each element in array
    # for loop
    for (( i=0;i<$ELEMENTS;i++)); do
        echo ${ARRAY[${i}]}
    done
Exercise -2:- This exercise demonstrates how to read a file into a bash array. The script takes the file name as its first argument; file descriptor 10 keeps a copy of the original standard input so that it can be restored once the file has been read.
    #!/bin/bash
    # Declare array
    declare -a ARRAY
    # Link filedescriptor 10 with stdin
    exec 10<&0
    # stdin replaced with the file supplied as the first argument
    exec < $1
    let count=0
    while read LINE; do
        ARRAY[$count]=$LINE
        ((count++))
    done
    echo Number of elements: ${#ARRAY[@]}
    # echo array's content
    echo ${ARRAY[@]}
    # restore stdin from filedescriptor 10
    # and close filedescriptor 10
    exec 0<&10 10<&-
Exercise -3:- This exercise demonstrates bash functions.
    #!/bin/bash
    # BASH FUNCTIONS CAN BE DECLARED IN ANY ORDER
    function function_B {
        echo Function B.
    }
    function function_A {
        echo $1
    }
    function function_D {
        echo Function D.
    }
    function function_C {
        echo $1
    }
    # FUNCTION CALLS
    # Pass parameter to function A
    function_A "Function A."
    function_B
    # Pass parameter to function C
    function_C "Function C."
    function_D
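An added example, not from the lab manual, that puts the file testing options, arrays and functions of this lab together: audit_file runs the tests from the table above over one path and collects the properties worth a second look (setuid, setgid, sticky, writable by us but owned by someone else, symbolic link) in an array, the way a quick permission audit of a directory would. audit_file, findings_of, findings_count and the FINDINGS array are my own names; the script needs bash for its arrays.

```shell
#!/bin/bash
# Added example (not from the lab manual): collect file-test results in
# a bash array.

# audit_file PATH : fill FINDINGS with the properties of PATH worth a
# second look. Returns 1 if PATH does not exist.
audit_file() {
    local f=$1
    FINDINGS=()
    if ! [ -e "$f" ]; then
        FINDINGS+=("missing")
        return 1
    fi
    if [ -L "$f" ]; then
        # the remaining tests follow the link to its target
        FINDINGS+=("symlink -> $(readlink "$f")")
    fi
    if [ -u "$f" ]; then FINDINGS+=("setuid"); fi
    if [ -g "$f" ]; then FINDINGS+=("setgid"); fi
    if [ -k "$f" ]; then FINDINGS+=("sticky"); fi
    if [ -w "$f" ] && ! [ -O "$f" ]; then
        FINDINGS+=("writable-not-owned")     # someone else's file we can change
    fi
    if [ -f "$f" ] && [ -x "$f" ]; then FINDINGS+=("executable"); fi
    if [ -f "$f" ] && ! [ -s "$f" ]; then FINDINGS+=("empty"); fi
    if [ -S "$f" ]; then FINDINGS+=("socket"); fi
    if [ -b "$f" ] || [ -c "$f" ]; then FINDINGS+=("device"); fi
    return 0
}

# findings_of PATH : the findings joined with commas (empty when nothing
# stood out)
findings_of() {
    audit_file "$1" || :
    local IFS=,
    printf '%s\n' "${FINDINGS[*]}"
}

# findings_count PATH : number of findings, using the array length syntax
findings_count() {
    audit_file "$1" || :
    printf '%s\n' "${#FINDINGS[@]}"
}
```

A setuid shell script such as the one in the test below reports "setuid,executable"; auditing the symbolic link to it adds the "symlink -> target" entry in front, because every other test follows the link. Pairing -w with ! -O is what flags a file that we can modify but do not own.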
Exercises for lab: Exercise 1:- Write a shell script that inputs a file name as a string from the user and checks whether a file with this name exists or not. Exercise 2:- Write a shell script that reads the contents of a text file and counts the number of words in the file. Implement the word counting in a separate function.
Home Work: 1)
Write a shell script that copies a single file to all directories in the tree of the root filesystem using recursion.
Lab 11: Introduction to gcc
To understand the gcc
Lab No. 11: Introduction to gcc Objective: Objective of this lab is to familiarize the student with the GNU C compiler.
Scope: The student will be able to know the following at the end of this lab:
• Use a command line editor to write a C/C++ program
• Compile a C/C++ program
• Make a program
• Debug and execute a C/C++ program
Useful Concepts
gcc: A command line GNU C compiler
g++: A command line C++ compiler
Compiling: The process of converting source code to object code
Make
• A utility used to manage large projects involving different files
• Its input is a makefile that describes the files involved in the project and the dependencies between them
Debugging
• The process of removing logical errors from the code
• GNU DDD (Data Display Debugger) is a debugger with a more sophisticated interface that, among other things, incorporates an interactive graphical data display feature, where data structures are displayed as graphs.
Exercise-1:- This exercise demonstrates writing a C program in Linux text editors. To write a C program, you can use any editor. Linux has a rich set of code-oriented GUI editors (with syntax highlighting, indentation, etc.), e.g. glimmer, nedit, gvim, kwrite and xemacs. But if you are using the command line, you can try the vim or emacs editor; we will use vim in our example. Type the following at the command prompt:
    vim introprogram.c
An empty file will be opened in the vim editor if the file introprogram.c did not exist before. Press the i key to switch to insert mode and type the following program:
    #include <stdio.h>
    #include <stdlib.h>

    int main()
    {
        printf("\n welcome to gcc tutorial");
        return 0;
    }
Hit the ESC key to switch back to command mode and type
    :wq
to save the program and exit the editor.
Exercise-2:- This exercise demonstrates compiling programs. You can learn more about gcc and g++ later by looking at the man pages (there's a lot there!). For now, we'll just look at the basics. To compile the C program of exercise 1, in the shell simply type
    gcc -o introprogram introprogram.c
in the terminal window. The -o option gives the name of the executable to create; if omitted, the executable will be called a.out. In general you'll probably want to compile programs with more options specified. Here is a better way to compile a program:
    gcc -g -Wall -o introprogram introprogram.c
The -g option produces debugging information in the executable. The -Wall option instructs the compiler to display "all warnings". To compile multiple source files into one executable, just include them all on the command line. For example, to compile prog1.c and prog2.c into a single executable called prog, type:
    gcc -g -Wall -o prog prog1.c prog2.c
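As an added example (not from the lab manual), the shell functions below carry the whole procedure of exercises 1, 2 and 5 out non-interactively: write the program to a directory, build it with the flags recommended above, run it by its path, and add the directory to PATH without duplicating the entry. INTRO_PROGRAM, find_compiler, compile_and_run and add_to_path are my own names; the build falls back to cc when gcc is not installed, and compile_and_run exits 2 when no compiler is found at all.

```shell
# Added example (not from the lab manual): build and run the exercise-1
# program from a script.

INTRO_PROGRAM='#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    printf("\n welcome to gcc tutorial");
    return 0;
}'

# find_compiler : print the path of gcc, or of cc if gcc is absent;
# fails if neither exists
find_compiler() {
    command -v gcc || command -v cc
}

# compile_and_run DIR : write DIR/introprogram.c, build DIR/introprogram
# and print the program's output. Exit 2 with no compiler, 1 on a build
# failure.
compile_and_run() {
    dir=$1
    cc_bin=$(find_compiler) || return 2
    printf '%s\n' "$INTRO_PROGRAM" > "$dir/introprogram.c"
    # -g keeps debugging information for ddd/gdb, -Wall turns on the
    # common warnings, -o names the executable (otherwise a.out)
    "$cc_bin" -g -Wall -o "$dir/introprogram" "$dir/introprogram.c" || return 1
    "$dir/introprogram"        # run by explicit path, like ./introprogram
}

# add_to_path DIR : append DIR to PATH exactly once, after the system
# directories, so a same-named program in DIR never shadows a system
# command
add_to_path() {
    case ":$PATH:" in
        *":$1:"*) ;;                          # already present
        *) PATH="$PATH:$1"; export PATH ;;
    esac
}
```

Appending, as export PATH=$PATH:/home/cs in exercise 5 does, is the safe order: a directory put in front of the system directories would let a program in it take over the name of any system command.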
Once you have a working executable program, go to a terminal window to execute it. Make sure you are in the correct directory and then type the name of the executable program.
Exercise-3:- This exercise explains the use of the make utility. When you are creating large software projects, it is usually a good idea to break the code into multiple source files. This way, errors are usually easier to find and edit, and when you recompile the program you only need to recompile the file you changed and those that depend on it. Of course, this can become confusing and complicated when the system becomes large. Linux has a powerful tool called make that allows you to manage a complex project and compile it efficiently. The make utility reads a file called a makefile that describes the files involved in the project and the dependencies between them. Each rule in a makefile is of the form:
    targets: dependencies
    	commands
Here, targets is a list of target files separated by spaces and dependencies is a list of files on which the targets depend. In other words, if any of the files in a dependency list is modified, make should recompile and/or relink the target. The commands are the commands used to recreate the targets. (Note that the whitespace preceding commands really must be a tab character and not several spaces.) For example, consider the following simple makefile:
    # A simple makefile
    sort: sort.o list.o
    	g++ sort.o list.o -o sort
    sort.o: sort.cc sort.h
    	g++ -g -c sort.cc
    list.o: list.cc list.h
    	g++ -g -c list.cc
This file states that the executable sort is dependent on the object files sort.o and list.o. If either of these object files changes, the command g++ sort.o list.o -o sort should be used to recreate (link) sort from the object files. The next two groups show how to create the object files. The first states that sort.o should be recreated (compiled using g++) if sort.cc or sort.h changes. (The -c option to g++ tells the compiler to only compile, creating object files, and not to link them together.) The third group does a similar thing for list.o. So, you can see that if, for example, list.h is modified, list.o and then sort will need to be recreated but sort.o will not. To use this makefile, it should be placed in the same directory as the source files and named Makefile. Then, execute make sort to compile and link everything.
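The tab rule in the parenthesis above is the most common makefile mistake, and make's only message for it is "missing separator". As an added example that is not from the lab manual, write_makefile generates the sort/list makefile shown above with an indentation of your choice, and check_recipe_tabs reports every recipe line that starts with spaces instead of a tab, so a broken copy can be found before make is even run. Both function names are my own.

```shell
# Added example (not from the lab manual): generate the makefile from this
# exercise and lint its recipe indentation.

# write_makefile FILE INDENT : write the sort/list makefile to FILE,
# indenting each recipe line with INDENT (a tab for a correct makefile)
write_makefile() {
    indent=$2
    {
        printf '# A simple makefile\n'
        printf 'sort: sort.o list.o\n%sg++ sort.o list.o -o sort\n' "$indent"
        printf 'sort.o: sort.cc sort.h\n%sg++ -g -c sort.cc\n' "$indent"
        printf 'list.o: list.cc list.h\n%sg++ -g -c list.cc\n' "$indent"
    } > "$1"
}

# check_recipe_tabs FILE : print every recipe line that is indented with
# spaces instead of a tab; exit 1 if any was found, 0 if the file is clean
check_recipe_tabs() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comment or blank line
        /^\t/                    { next }      # recipe line, correctly tabbed
        /^ / && in_rule {                      # spaces after a target line
            printf "line %d: recipe indented with spaces, not a tab\n", NR
            bad = 1
            next
        }
        /^[^ \t#][^:]*:/ { in_rule = 1; next } # "target: dependencies"
        { in_rule = 0 }                        # anything else ends the rule
        END { exit (bad ? 1 : 0) }
    ' "$1"
}
```

Usage: write_makefile Makefile "$(printf '\t')" produces the makefile exactly as listed above; check_recipe_tabs Makefile is silent on it and, on a copy indented with four spaces, names lines 3, 5 and 7.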
Exercise-4:- This exercise demonstrates the debugging process. You can start DDD by typing ddd in the shell, followed by the name of your executable. For the source code to be visible in the debugger, the program must have been compiled with the -g option, which includes debugging information in the executable. To simply run your program in DDD, press the Run button in the small floating window that appears. The output of your program is displayed in the window below your source code. The Interrupt button stops a running program, the same way Ctrl-C does in the shell. To continue running your program from where you left off, press the Cont button.
Usually, when debugging a program, you want it to stop at some point so that you can examine the value of a variable or check some other part of the program. To stop your program, you set a breakpoint. To set a breakpoint, find the line of source code where you wish to stop and click to the left of it with the left mouse button, then press the Break button (with the stop sign) below the menu bar. A stop sign icon appears to the left of the line. Now, whenever you run your program, execution stops every time this line is reached. You can set as many breakpoints as needed. To clear a breakpoint, do the same thing; this time the stop sign is dimmed and the button reads Clear instead. If you want your program to stop every time the value of some variable changes, set a watchpoint: left-click on a variable name in your source code and press the Watch button below the menu bar.
Once your program has stopped, there are two buttons for stepping through it one line at a time, Step and Next. Step proceeds to the next line of source code, even if that line is inside a called function. Next advances to the next source line in the current function, treating function calls as if they were single instructions. The Stepi and Nexti buttons behave the same way but operate on individual machine instructions rather than lines of source code. To view the value of a variable as your program runs, select the variable name by left-clicking on it and press the Display button below the menu bar. A box with that variable's value appears in a new window above your source code.
These are the basics of DDD, but there is quite a bit more to learn if you want. The display function of DDD, in particular, is sophisticated and flexible. Under the Help menu you can find context-sensitive help and the detailed manual (also available at www.gnu.org/manual/ddd/). You will also notice that if you linger over a button with the cursor, a description of that button appears.
Exercise-5:- This exercise demonstrates the execution of a program. To execute a program from the terminal window or a shell, type the name of the executable file (the output file of the compilation). For example, to run the program of exercise 1, type:
./introprogram
Here ./ is the relative path of the executable file named introprogram. The shell does not search the current directory for a bare command name, so the ./ is required. You can also use the absolute path to execute a program, or add its directory to the user's search path (the PATH variable) so that the program can be run without giving any path. To use the absolute path, for example when the executable is located in /home/cs, type:
/home/cs/introprogram
To add the directory /home/cs to the user's search path for the current shell session, type:
export PATH=$PATH:/home/cs
and then run the program by typing just:
introprogram
The shell searches the directories in PATH from left to right and runs the first match, so append your own directories after the system ones, as above, rather than in front of them. Never add . (the current directory) or a directory that other users can write to: anyone who can drop a file named introprogram, ls or make there can have it run in your place. The export line only affects the current shell and its children; to make it permanent, add the same line to your shell start-up file (for bash, ~/.bashrc).
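As an added example (my own, not part of the lab manual), the following POSIX shell functions make the PATH rules above concrete: resolve_cmd shows which file a bare command name would actually run, walking PATH the way the shell does, and audit_path lists the PATH entries that would let another user decide that for you. The function names are my own; the directory layout used in the demonstration is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not from the lab manual. Function names are my own.

# resolve_cmd NAME: print the file the shell would run for the bare command
# NAME, walking PATH left to right exactly as the shell does (first match
# wins). Returns 1 and prints nothing if NAME is not found on PATH.
resolve_cmd() {
    _rc_name=$1
    _rc_saved_ifs=$IFS
    IFS=:
    for _rc_dir in $PATH; do
        # An empty PATH element means "the current directory".
        [ -z "$_rc_dir" ] && _rc_dir=.
        if [ -f "$_rc_dir/$_rc_name" ] && [ -x "$_rc_dir/$_rc_name" ]; then
            IFS=$_rc_saved_ifs
            printf '%s\n' "$_rc_dir/$_rc_name"
            return 0
        fi
    done
    IFS=$_rc_saved_ifs
    return 1
}

# audit_path: print one line for every PATH entry that lets someone else plant
# a program with a name you type: the current directory ("" or "."), any
# relative directory, or a directory other users can write to. Returns 1 if
# anything was flagged, 0 if PATH looks clean.
audit_path() {
    _ap_rc=0
    _ap_saved_ifs=$IFS
    IFS=:
    set -- $PATH
    IFS=$_ap_saved_ifs
    for _ap_dir in "$@"; do
        case $_ap_dir in
            ''|.)
                printf 'risky: the current directory (".") is searched\n'
                _ap_rc=1 ;;
            /*)
                # -prune stops find from descending into the directory;
                # -perm -002 matches only if its "other write" bit is set.
                if [ -d "$_ap_dir" ] && \
                   [ -n "$(find "$_ap_dir" -prune -perm -002 2>/dev/null)" ]; then
                    printf 'risky: %s is writable by other users\n' "$_ap_dir"
                    _ap_rc=1
                fi ;;
            *)
                printf 'risky: %s is a relative path\n' "$_ap_dir"
                _ap_rc=1 ;;
        esac
    done
    return $_ap_rc
}

# Demonstration on the current shell's PATH (output varies per machine).
printf 'ls would run: %s\n' "$(resolve_cmd ls || echo 'not found on PATH')"
audit_path && printf 'PATH has no risky entries\n'
```

The audit checks the permission bits rather than whether the current user can write, so it gives the same answer whether it is run as root or as a student account.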
Exercises for lab:
Exercise 1:- Write a C program that displays your name and registration number, using the vim editor.
Exercise 2:- Compile the program using the default output file name a.out.
Exercise 3:- Debug the program using the ddd debugger.
Home Work:
1) Go to the manual pages of gcc and g++ and find the difference between them.
2) Practice the different options available with gcc that are described in gcc's manual page.
Lab 12: Linux Networking 1
To understand the Basic Linux Networking 1
Lab No. 12: Linux Networking 1 Objective: To familiarize students with the configuration, activation/de-activation and virtual interfacing
Scope: The students would be able to do the following at the end of this lab:
• Find all the interfaces available on the system
• List the active interfaces
• Configure TCP/IP options for an interface
• Configure an interface for automatic configuration via a DHCP or BOOTP server
• Create virtual interfaces and use a single NIC for multiple networks at a time
Exercise-1:- This exercise illustrates how to determine your IP address. Most modern PCs come with an Ethernet port. When Linux is installed, this device is called eth0. You can determine the IP address of this device with the ifconfig command:
[root@tmp]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:08:C7:10:74:A8
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47379 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107900 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4676853 (4.4 Mb)  TX bytes:43209032 (41.2 Mb)
          Interrupt:11 Memory:c887a000-c887b000
[root@tmp]#
In this example, eth0 has the IP address 192.168.1.100 and the subnet mask 255.255.255.0. The command also reports the interrupt and memory range used by the card. Note that ifconfig comes from the net-tools package; current distributions ship the iproute2 ip command (ip addr, ip link, ip route) in its place, and its output format differs, but the concepts in this lab are the same.
Exercise-2:- This exercise demonstrates how to change your IP address. You can give the eth0 interface an IP address with the ifconfig command:
[root@tmp]# ifconfig eth0 10.0.0.1 netmask 255.255.255.0 up
The up at the end of the command activates the interface. The change is lost at the next reboot; to make it permanent, add this command to your /etc/rc.local file, which is run at the end of every boot. Only root should be able to write that file, since whatever it contains runs as root.
Exercise-3:- This exercise demonstrates how to assign multiple IP addresses to a single NIC. A virtual sub-interface is also known as an IP alias. IP aliasing is one of the most common ways of associating multiple IP addresses with a single NIC. Aliases have the name format parent-interface-name:X, where X is a sub-interface number of your choice. The process for creating an IP alias is very similar to the steps outlined for the real interface in the previous exercise, "Changing Your IP Address":
• First ensure that the parent (real) interface exists.
• Verify that no other IP alias already exists with the name you plan to use.
In this example we want to create the interface eth0:0.
Exercise-4:- This exercise demonstrates how to create the virtual interface with the ifconfig command:
[root@tmp]# ifconfig eth0:0 192.168.1.99 netmask 255.255.255.0 up
Exercise-5:- This exercise demonstrates how to activate and shut down your NIC. The ifup and ifdown commands activate and deactivate a NIC interface respectively. You must have an ifcfg file for the interface (for example ifcfg-eth0) in the /etc/sysconfig/network-scripts directory for these commands to work. Here is an example for interface eth0:
[root@bigboy tmp]# ifdown eth0
[root@bigboy tmp]# ifup eth0
Exercises for lab:
Exercise 1:- Check the IP address of a network interface.
Exercise 2:- Assign an IP address to your Ethernet interface manually, and also configure it to be assigned automatically at startup.
Home Work:
1) Create configuration files for the virtual interfaces eth0:0 and wlan0:0 with the following configurations:
• The Ethernet interface has a static IP address in network 192.168.0.0 and starts at boot time.
• The wireless LAN interface gets its IP address from a DHCP server. The interface is disabled by default.
Lab 13: Linux Networking 2
To understand the Basic Linux Networking 2
Lab No. 13: Linux Networking 2 Objective: To familiarize students with how a Linux server can be used as a router
Scope: The students would be able to do the following at the end of this lab:
• Configure the default gateway for the Linux router.
• Add/delete static routes on the Linux router.
Useful Concepts:
Router
• The node in an internetwork which connects two (or more) networks and forwards packets between them.
Internetwork
• A network that is built up of networks.
Exercise-1:- This exercise demonstrates how to view your current routing table. The netstat -nr command prints the contents of the routing table. Networks with a gateway of 0.0.0.0 are directly connected to the interface. No gateway is needed to reach a directly connected network, so a gateway address of 0.0.0.0 is appropriate. The route with a destination address of 0.0.0.0 is your default gateway. In the following example there are two gateways, the default and the one to 255.255.255.255, which is usually added on DHCP servers. It is a DHCP server in this case.
[root@tmp]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH       40 0          0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 wlan0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG       40 0          0 wlan0
[root@tmp]#
In this example, there are multiple gateways handling traffic destined for different networks on different interfaces.
[root@tmp]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.68.64    172.16.69.193   255.255.255.224 UG       40 0          0 eth1
172.16.11.96    172.16.69.193   255.255.255.224 UG       40 0          0 eth1
172.16.68.32    172.16.69.193   255.255.255.224 UG       40 0          0 eth1
172.16.67.0     172.16.67.135   255.255.255.224 UG       40 0          0 eth0
172.16.69.192   0.0.0.0         255.255.255.192 U        40 0          0 eth1
172.16.67.128   0.0.0.0         255.255.255.128 U        40 0          0 eth0
172.16.0.0      172.16.67.135   255.255.0.0     UG       40 0          0 eth0
172.16.0.0      172.16.67.131   255.240.0.0     UG       40 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
[root@tmp]#
The kernel always picks the most specific matching route (the longest netmask), so a packet for 172.16.68.70 uses the 255.255.255.224 route via 172.16.69.193 on eth1, while a packet for 172.20.5.5 matches only the 255.240.0.0 route and goes via 172.16.67.131 on eth0.
Exercise-2:- This exercise demonstrates how to change your default gateway.
Your server needs a single default gateway. DHCP servers automatically assign a default gateway to DHCP-configured NICs, but NICs with static IP addresses need a manually configured default gateway. This can be done with a simple command:
[root@tmp]# route add default gw 192.168.1.1 eth0
In this case, make sure that the router/firewall with IP address 192.168.1.1 is connected to the same network as interface eth0. A gateway has to lie inside a directly connected network of that interface; otherwise the kernel rejects the route (route reports SIOCADDRT: Network is unreachable). Once done, update your /etc/sysconfig/network file to reflect the change. This file is used to configure your default gateway each time Linux boots:
NETWORKING=yes
HOSTNAME=bigboy
GATEWAY=192.168.1.1
Exercise-3:- This exercise demonstrates how to configure two gateways. Some networks may have multiple routers/firewalls providing connectivity. Here is a typical scenario:
• You have one router providing access to the Internet that you want as your default gateway (see the default gateway example above).
• You also have another router providing access to your corporate network, which uses addresses in the range 10.0.0.0 to 10.255.255.255. Let's assume that this router has the IP address 192.168.1.254.
• The Linux box used in this example uses interface wlan0 for its Internet connectivity.
There are a number of ways to add this new route.
Exercise-4:- This exercise demonstrates how to add temporary and permanent static routes. The route add command adds new routes to your server that last until the next reboot. In our example the reference to the 10.0.0.0 network has to be preceded by the -net switch, and the subnet mask and gateway values have to be preceded by the netmask and gw switches respectively:
[root@tmp]# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 wlan0
If you want to add a route to an individual server, use the -host switch with no netmask value (the route command knows the mask must then be 255.255.255.255). Here is an example of a route to host 10.0.0.1:
[root@tmp]# route add -host 10.0.0.1 gw 192.168.1.254 wlan0
A universal way of making this change persistent across reboots is to place the route add command in the file /etc/rc.d/rc.local, which is always run at the end of the boot process. In Fedora Linux, permanent static routes are instead added on a per-interface basis in files in the /etc/sysconfig/network-scripts directory. The filename format is route-interface-name, so the file for interface wlan0 is route-wlan0. The format of the file is quite intuitive: the target network comes first, followed by the word via and then the gateway's IP address. In our routing example, to set up a route to network 10.0.0.0 with a subnet mask of 255.0.0.0 (a mask with the first 8 bits set to 1, written /8) via the 192.168.1.254 gateway, configure /etc/sysconfig/network-scripts/route-wlan0 to look like this:
#
# File /etc/sysconfig/network-scripts/route-wlan0
#
10.0.0.0/8 via 192.168.1.254
Exercise-5:- This exercise demonstrates how to delete a route. Here is how to delete the network route added in the previous exercise:
[root@tmp]# route del -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 wlan0
The file /etc/sysconfig/network-scripts/route-wlan0 also has to be updated so that the route is not reinserted when the server reboots. Delete the line that reads:
10.0.0.0/8 via 192.168.1.254
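As an added example (my own, not part of the lab manual) covering both the default-gateway warning in Exercise-2 and the static routes of Exercise-4, the following POSIX shell script checks a routing table in the netstat -nr layout for gateways the kernel could never use: every route that goes via a gateway (G flag) must have that gateway inside a directly connected network (Gateway 0.0.0.0, no G flag) of the same interface. The routing table in the script is constructed; its 172.16.0.0 route deliberately points at 192.168.5.1, which is not on eth0's 192.168.1.0/24 network. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the lab manual. Constructed "netstat -nr" output:
# the third route's gateway, 192.168.5.1, is not on eth0's connected network.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth0
10.0.0.0        192.168.1.254   255.0.0.0       UG       40 0          0 eth0
172.16.0.0      192.168.5.1     255.255.0.0     UG       40 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG       40 0          0 eth0
'

# ip_to_int A.B.C.D: print the address as a 32-bit integer.
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_net IP NETWORK MASK: succeed if (IP & MASK) == (NETWORK & MASK).
ip_in_net() {
    _q_ip=$(ip_to_int "$1"); _q_net=$(ip_to_int "$2"); _q_mask=$(ip_to_int "$3")
    [ $(( _q_ip & _q_mask )) -eq $(( _q_net & _q_mask )) ]
}

# gateway_is_direct GW IFACE TABLE: succeed if GW lies inside one of the
# directly connected networks of IFACE. TABLE holds "dst gw mask flags iface"
# lines as produced by check_routes below.
gateway_is_direct() {
    _gd_gw=$1; _gd_if=$2
    while read -r _gd_dst _gd_g _gd_mask _gd_flags _gd_iface; do
        case $_gd_flags in *G*) continue ;; esac   # not a connected network
        [ "$_gd_iface" = "$_gd_if" ] || continue
        ip_in_net "$_gd_gw" "$_gd_dst" "$_gd_mask" && return 0
    done <<EOF_DIRECT
$3
EOF_DIRECT
    return 1
}

# check_routes: read "netstat -nr" output on stdin, print one verdict per
# gateway route, and return 1 if any gateway is unreachable.
check_routes() {
    _cr_table=$(awk 'NR > 2 && NF >= 8 { print $1, $2, $3, $4, $8 }')
    _cr_rc=0
    while read -r _cr_dst _cr_gw _cr_mask _cr_flags _cr_iface; do
        case $_cr_flags in *G*) ;; *) continue ;; esac
        if [ "$_cr_dst" = 0.0.0.0 ]; then _cr_label=default
        else _cr_label="$_cr_dst/$_cr_mask"; fi
        if gateway_is_direct "$_cr_gw" "$_cr_iface" "$_cr_table"; then
            printf 'ok: %s via %s on %s\n' "$_cr_label" "$_cr_gw" "$_cr_iface"
        else
            printf 'unreachable gateway: %s via %s is not on a directly connected network of %s\n' \
                "$_cr_label" "$_cr_gw" "$_cr_iface"
            _cr_rc=1
        fi
    done <<EOF_TABLE
$_cr_table
EOF_TABLE
    return $_cr_rc
}

# Demonstration on the constructed table:
printf '%s' "$SAMPLE_ROUTES" | check_routes
```

On a live system run netstat -nr | check_routes (or feed it a saved copy of the table from a machine you are troubleshooting); the same check is worth running before you commit a route-interface file, since a typo in the gateway there simply fails silently at boot.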
Exercises for lab:
Exercise 1:- View the current routing table of the Linux server.
Exercise 2:- Configure the default gateway for the router.
Exercise 3:- Add static routes to the router.
Exercise 4:- Delete static routes from the router.
Home Work:
1) Differentiate between a gateway and a router.
2) Why do we need a default gateway?
Lab 14: Network Troubleshooting
To understand simple Network Troubleshooting
Lab No. 14: Network troubleshooting Objective: To give the students an introduction to the main causes of network related problems.
Scope: At the end of this lab students will be able to diagnose and fix a network-related problem, whether it takes the form of slow response times from a remote server or a complete lack of connectivity.
Useful Concepts:
Sources of Network Slowness
• NIC duplex and speed incompatibilities
• Network congestion
• Poor routing
• Bad cabling
• Electrical interference
• An overloaded server at the remote end of the connection
• Mis-configured DNS
Sources of a Lack of Connectivity
• Power failures
• The remote server, or an application on the remote server, being shut down
Exercise-1:- This exercise illustrates basic cable and link tests. Your server won't be able to communicate with any other device on your network unless the NIC's "link" light is on. This indicates that the connection between your server and the switch/router is functioning correctly. In most cases a lack of link is due to the wrong cable type being used. There are two types of Ethernet cables, crossover and straight-through; always make sure you are using the correct type. (Most current NICs and switch ports, and all gigabit ports, detect the cable type automatically (auto-MDI-X), so this mainly matters on older 10/100 equipment.) Other sources of link failure include:
• The cables are bad.
• The switch or router to which the server is connected is powered down.
• The cables aren't plugged in properly.
If you have an extensive network, investment in a battery-operated cable tester for basic connectivity testing is invaluable. More sophisticated models on the market can tell you the approximate location of a cable break and whether an Ethernet cable is too long to be used.
Exercise-2:- This exercise demonstrates testing your NIC. Your NICs are labelled eth0, eth1, etc. for Ethernet NICs and wlan0, wlan1, etc. for wireless LAN cards, where 0 and 1 represent the first and second NIC respectively. To view your activated interfaces, use the ifconfig command:
ifconfig
To view all interfaces, whether they are functional or not, use ifconfig -a:
ifconfig -a
A shut-down interface has no inet addr line and no UP flag on its flags line:
eth0      Link encap:Ethernet  HWaddr 00:06:25:08:6A:1D
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:2924 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2287 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:180948 (176.7 Kb)  TX bytes:166377 (162.4 Kb)
          Interrupt:10 Memory:c88b5000-c88b6000
An active interface shows both:
eth0      Link encap:Ethernet  HWaddr 00:06:25:08:6A:1D
          inet addr:192.168.0.69  Bcast:192.168.0.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2924 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2295 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:180948 (176.7 Kb)  TX bytes:166521 (162.6 Kb)
          Interrupt:10 Memory:c88b5000-c88b6000
Note that some DHCP clients automatically give their NIC a link-local IP address in 169.254.x.x until they can make contact with their DHCP server. When contact is made they reconfigure the IP address to the value provided by the DHCP server. An interface with a 169.254.x.x address therefore signifies a failure to communicate with the DHCP server. Check your cabling, routing and DHCP server configuration to rectify such a problem.
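As an added example (my own, not part of the lab manual) for the "find all interfaces" and "list the active interfaces" goals of Lab 12 as well as the NI test above, the following shell function summarises an ifconfig -a report in the net-tools format used in this manual, printing one line per interface with its state and address, and flags a 169.254.x.x address as a failed DHCP lease. The ifconfig text in the script is constructed for the example; on a current distribution the output format differs (inet 192.168.0.69 netmask ...) and ip -br addr gives a comparable one-line summary directly.

```shell
#!/bin/sh
# Added example, not from the lab manual. Constructed "ifconfig -a" output in
# the net-tools layout used in this lab: eth0 up with an address, eth1 shut
# down, wlan0 up but stuck on a 169.254.x.x link-local address, lo up.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:06:25:08:6A:1D
          inet addr:192.168.0.69  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2924 errors:0 dropped:0 overruns:0 frame:0

eth1      Link encap:Ethernet  HWaddr 00:06:25:09:6A:D7
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

wlan0     Link encap:Ethernet  HWaddr 00:0C:29:12:34:56
          inet addr:169.254.12.7  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
'

# summarize_ifconfig: read ifconfig output on stdin and print
# "name state address note", one interface per line. An interface block
# starts at a line with no leading whitespace; the flags line (UP ...)
# and the "inet addr:" line are indented.
summarize_ifconfig() {
    awk '
    function flush() {
        if (name == "") return
        note = "-"
        if (addr == "-")           note = "no-address"
        if (addr ~ /^169\.254\./) note = "dhcp-failed(link-local)"
        printf "%-6s %-4s %-15s %s\n", name, state, addr, note
    }
    /^[^ \t]/    { flush(); name = $1; state = "DOWN"; addr = "-"; next }
    /inet addr:/ { line = $0; sub(/.*inet addr:/, "", line); sub(/ .*/, "", line); addr = line }
    /^[ \t]/ && $1 == "UP" { state = "UP" }
    END          { flush() }'
}

# active_interfaces: names of the interfaces that are UP, one per line
# (what plain "ifconfig" without -a would list).
active_interfaces() {
    summarize_ifconfig | awk '$2 == "UP" { print $1 }'
}

# Demonstration on the constructed sample:
printf '%s' "$SAMPLE_IFCONFIG" | summarize_ifconfig
```

On a live system run ifconfig -a | summarize_ifconfig; any line ending in dhcp-failed(link-local) is the interface to chase with the cabling, routing and DHCP server checks described above.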
Exercise-3:- This exercise demonstrates how to test link status from the command line. Both the mii-tool and ethtool commands report the link status and duplex settings of supported NICs. When used without any switches, mii-tool gives a very brief report. Use it with the -v switch, because it then shows the auto-negotiation speeds the NIC supports and advertises, which is useful in troubleshooting speed and duplex issues. The ethtool command provides much more information than mii-tool and should be your command of choice, especially because mii-tool is being deprecated in Linux. In both of the following examples the NICs are operating at 100Mbps, full duplex, and the link is ok.
Link Status Output from mii-tool
[root@bigboy tmp]# mii-tool -v
eth0: 100 Mbit, full duplex, link ok
  product info: Intel 82555 rev 4
  basic mode:   100 Mbit, full duplex
  basic status: link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
  link partner: 100baseTx-HD
[root@bigboy tmp]#
Note the last line: the link partner (the switch port) is advertising only half duplex, while this NIC has auto-negotiation turned off and is forced to full duplex (see the ethtool report). That combination is the classic duplex mismatch: the link comes up and works, but slowly, and it shows up as late collisions, CRC and length errors, which is exactly what the error counters in the next section reveal.
Link Status Output from ethtool
[root@bigboy tmp]# ethtool eth0
Settings for eth0:
        Supported ports: [ TP MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Advertised auto-negotiation: No
        Speed: 100Mb/s
        Duplex: Full
        Port: MII
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: off
        Supports Wake-on: g
        Wake-on: g
        Current message level: 0x00000007 (7)
        Link detected: yes
[root@bigboy tmp]#
Viewing NIC Errors
Errors are a common symptom of slow connectivity due to poor configuration or excessive bandwidth utilization. They should always be corrected whenever possible. Error rates in excess of 0.5% can result in noticeable sluggishness.
ifconfig Error Output
The ifconfig command also shows the number of overrun, carrier, dropped-packet and frame errors:
wlan0     Link encap:Ethernet  HWaddr 00:06:25:09:6A:D7
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:2924 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2287 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:180948 (176.7 Kb)  TX bytes:166377 (162.4 Kb)
          Interrupt:10 Memory:c88b5000-c88b6000
ethtool Error Output
The ethtool command provides a much more detailed report when used with the -S switch:
[root@probe-001 root]# ethtool -S eth0
NIC statistics:
     rx_packets: 1669993
     tx_packets: 627631
     rx_bytes: 361714034
     tx_bytes: 88228145
     rx_errors: 0
     tx_errors: 0
     rx_dropped: 0
     tx_dropped: 0
     multicast: 0
     collisions: 0
     rx_length_errors: 0
     rx_over_errors: 0
     rx_crc_errors: 0
     rx_frame_errors: 0
     rx_fifo_errors: 0
     rx_missed_errors: 0
     tx_aborted_errors: 0
     tx_carrier_errors: 0
     tx_fifo_errors: 0
     tx_heartbeat_errors: 0
     tx_window_errors: 0
     tx_deferred: 0
     tx_single_collisions: 0
     tx_multi_collisions: 0
     tx_flow_control_pause: 0
     rx_flow_control_pause: 0
     rx_flow_control_unsupported: 0
     tx_tco_packets: 0
     rx_tco_packets: 0
[root@probe-001 root]#
netstat Error Output
The netstat command is very versatile and provides a more limited report when used with the -i switch. This is useful on systems where mii-tool or ethtool are not available.
[root@bigboy tmp]# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 18976655      2      0      0 21343152    142      0      3 BMRU
eth1   1500   0   855154      0      0      0 15196620      0      0      0 BMRU
lo    16436   0  1784272      0      0      0  1784272      0      0      0 LRU
[root@bigboy tmp]#
Possible Causes of Ethernet Errors
• Collisions: Signify that the NIC detected itself and another station on the LAN attempting to transmit at the same time. Collisions are a normal part of half-duplex Ethernet operation and are typically below 0.1% of all frames sent. Higher rates are likely to be caused by faulty NICs or poorly terminated cables. On a full-duplex switched link there should be no collisions at all; collisions there point to a duplex mismatch.
• Single Collisions: The Ethernet frame went through after only one collision.
• Multiple Collisions: The NIC had to attempt multiple times before successfully sending the frame, due to collisions.
• CRC Errors: Frames were sent but were corrupted in transit. CRC errors without many collisions usually indicate electrical noise. Make sure that you are using the correct type of cable, that the cabling is undamaged and that the connectors are securely fastened.
• Frame Errors: An incorrect CRC and a non-integer number of bytes were received. This is usually the result of collisions or a bad Ethernet device.
• FIFO and Overrun Errors: The number of times the NIC was unable to hand data to its memory buffers because the data rate exceeded the capabilities of the hardware. This is usually a sign of excessive traffic.
• Length Errors: The received frame length was less than or exceeded the Ethernet standard. This is most frequently due to incompatible duplex settings.
• Carrier Errors: Caused by the NIC losing its link to the hub or switch. Check for faulty cabling or faulty interfaces on the NIC and the networking equipment.
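As an added example (my own, not part of the lab manual), the following shell function turns the raw counters of netstat -i into the per-interface error percentage the 0.5% rule of thumb above refers to. The table in the script is constructed: eth0, eth1 and lo reproduce the figures shown above, and eth2 is an invented interface with the kind of error rate a duplex mismatch produces. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the lab manual. Constructed "netstat -i" output;
# eth2 is invented to show an interface over the 0.5% threshold.
SAMPLE_NETSTAT_I='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 18976655      2      0      0 21343152    142      0      3 BMRU
eth1   1500   0   855154      0      0      0 15196620      0      0      0 BMRU
eth2   1500   0   100000   1200    300      0    50000    900      0      0 BMRU
lo    16436   0  1784272      0      0      0  1784272      0      0      0 LRU
'

# nic_error_report [THRESHOLD_PERCENT]: read "netstat -i" output on stdin and
# print "iface rx_err=X% tx_err=Y% verdict" per interface. The rate is
# (errors + drops + overruns) over all frames the NIC handled (OK + ERR) in
# that direction; an interface with no traffic scores 0. Default threshold 0.5.
nic_error_report() {
    awk -v thr="${1:-0.5}" '
    NR > 2 && NF >= 12 {
        rx_total = $4 + $5; tx_total = $8 + $9
        rx_pct = rx_total ? 100 * ($5 + $6 + $7) / rx_total : 0
        tx_pct = tx_total ? 100 * ($9 + $10 + $11) / tx_total : 0
        verdict = (rx_pct > thr || tx_pct > thr) ? "INVESTIGATE" : "ok"
        printf "%-6s rx_err=%.3f%% tx_err=%.3f%% %s\n", $1, rx_pct, tx_pct, verdict
    }'
}

# interfaces_to_investigate [THRESHOLD_PERCENT]: just the names over threshold.
interfaces_to_investigate() {
    nic_error_report "$1" | awk '$4 == "INVESTIGATE" { print $1 }'
}

# Demonstration on the constructed table:
printf '%s' "$SAMPLE_NETSTAT_I" | nic_error_report
```

The counters are cumulative since boot, so on a long-running server take two readings a few minutes apart and feed the difference in; a NIC that was bad last month but fixed since will otherwise still look bad.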
Exercise-4:- This exercise demonstrates how to view ARP table entries. The arp -a command shows the MAC addresses in your server's ARP table, that is, of the other hosts on the directly connected network it has recently exchanged packets with. Here we see we have some form of connectivity with the router at address 192.168.0.1:
arp -a
bigboypix (192.168.0.1) at 00:09:E8:9C:FD:AB [ether] on eth0
? (192.168.1.101) at 00:06:25:09:6A:D7 [ether] on wlan0
Note: Make sure the IP addresses listed in the ARP table match those of the servers expected to be on your network. If they don't, your server might be plugged into the wrong switch or router port. The MAC address recorded for the gateway should also stay the same over time; if it changes, or two different IP addresses map to one MAC address, suspect a duplicate address or ARP spoofing on the LAN. You should also check the ARP table of the remote server to see whether it is populated with acceptable values.
Exercise-5:- This exercise demonstrates how to use ping to test network connectivity.
One of the most common methods used to test connectivity across multiple networks is the ping command. ping sends ICMP echo request packets and expects a corresponding ICMP echo reply from the device at the target address. Because most servers respond to a ping, it is a very handy tool. A lack of response could be due to:
1. No server with that IP address exists.
2. The server has been configured not to respond to pings.
3. A firewall or router along the network path is blocking ICMP traffic.
4. You have incorrect routing. Check the routes and subnet masks on both the local and remote servers and on all routers in between. A classic symptom of bad routes on a server is the ability to ping servers only on your local network and nowhere else. Use traceroute to ensure you're taking the correct path.
5. Either the source or destination device has an incorrect IP address or subnet mask.
The Linux ping command sends continuous pings, once a second, until stopped with Ctrl-C. Here is an example of a successful ping from smallfry (192.168.1.100) to the host at 192.168.1.101:
[root@smallfry tmp]# ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101) from 192.168.1.100 : 56(84) bytes of data.
64 bytes from 192.168.1.101: icmp_seq=1 ttl=128 time=3.95 ms
64 bytes from 192.168.1.101: icmp_seq=2 ttl=128 time=7.07 ms
64 bytes from 192.168.1.101: icmp_seq=3 ttl=128 time=4.46 ms
64 bytes from 192.168.1.101: icmp_seq=4 ttl=128 time=4.31 ms
--- 192.168.1.101 ping statistics ---
4 packets transmitted, 4 received, 0% loss, time 3026ms
rtt min/avg/max/mdev = 3.950/4.948/7.072/1.242 ms
[root@smallfry tmp]#
You may get a "Destination Host Unreachable" message. This message is produced when your router or server knows that the target IP address is part of a valid network but gets no response from the target host. There are a number of reasons for this.
If you are trying to ping a host on a directly connected network:
1. The client or server might be down, or disconnected from the network.
2. Your NIC might not have the correct duplex settings; you can verify this with the mii-tool command.
3. You might have the incorrect type of cable connecting your Linux box to the network. There are two basic types, straight-through and crossover.
4. In the case of a wireless network, your SSID or encryption keys might be incorrect.
If you are trying to ping a host on a remote network: a network device on the path does not have a route in its routing table to the destination network and sends back an ICMP type 3 (destination unreachable) message, which triggers the error. The resulting message might be Destination Host Unreachable or Destination Network Unreachable.
[root@smallfry tmp]# ping 192.168.1.105
PING 192.168.1.105 (192.168.1.105) from 192.168.1.100 : 56(84) bytes of data.
From 192.168.1.100 icmp_seq=1 Destination Host Unreachable
From 192.168.1.100 icmp_seq=2 Destination Host Unreachable
From 192.168.1.100 icmp_seq=3 Destination Host Unreachable
From 192.168.1.100 icmp_seq=4 Destination Host Unreachable
From 192.168.1.100 icmp_seq=5 Destination Host Unreachable
From 192.168.1.100 icmp_seq=6 Destination Host Unreachable
--- 192.168.1.105 ping statistics ---
8 packets transmitted, 0 received, +6 errors, 100% loss, time 7021ms, pipe 3
[root@smallfry tmp]#
Note that the errors above come From 192.168.1.100, the pinging host itself: on a directly connected network this means its ARP request for 192.168.1.105 went unanswered, so it never obtained a MAC address to send the echo request to.
Exercise-6:- This exercise demonstrates how to use telnet to test network connectivity. An easy way to tell whether a remote server is listening on a specific TCP port is to use the telnet command. By default, telnet tries to connect on TCP port 23, but you can specify another TCP port by typing it after the target IP address. HTTP uses TCP port 80, HTTPS uses port 443. Here is an example of testing server 192.168.1.102 on TCP port 22, reserved for SSH:
[root@bigboy tmp]# telnet 192.168.1.102 22
When troubleshooting with telnet, here are some useful guidelines that help isolate the source of the problem:
• Test connectivity from the remote PC or server.
• Test connectivity on the server itself. Try connecting to the loopback address as well as to the NIC IP address. If the server is running a firewall package such as the Linux iptables software, loopback connectivity is usually allowed, but connectivity to the desired TCP ports on the NIC interface might be blocked. Further discussion of the Linux iptables package is covered in a later section.
• Test connectivity from another server on the same network as the target server. This helps to eliminate the influence of any firewall protecting the entire network from outside.
Linux telnet Troubleshooting
The following sections describe telnet troubleshooting from a Linux box.
Note: Always remember that many Linux servers have the iptables firewall package installed by default. This is often the cause of connectivity problems, and the firewall rules should be updated to permit the intended service. Where the network is already protected by a perimeter firewall, iptables is sometimes turned off instead, but fixing the rules is the safer option: the host firewall is the only protection against other machines on the same LAN. You can use the /etc/init.d/iptables status command on the target server to determine whether iptables is running.
Successful Connection
With Linux a successful telnet connection is always greeted by a Connected to message, like the one below when testing connectivity to server 192.168.1.102 on the SSH port (TCP 22):
[root@bigboy tmp]# telnet 192.168.1.102 22
Trying 192.168.1.102...
Connected to 192.168.1.102.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.4p1
^]
telnet> quit
Connection closed.
[root@bigboy tmp]#
To break out of the connection you have to press the Ctrl and ] keys simultaneously, not the usual Ctrl-C. Note: In many cases you can successfully connect to the remote server on the desired TCP port, yet the application doesn't appear to work. This is usually caused by correct network connectivity combined with a poorly configured application.
Connection Refused Messages
You get a connection refused message for one of the following reasons:
• The application you are trying to test hasn't been started on the remote server, so nothing is listening on that port and the kernel answers with a TCP reset.
• A firewall is blocking the connection attempt with a reject rule, which answers with a reset or an ICMP unreachable message instead of silently dropping the packet.
Here is some sample output:
[root@bigboy tmp]# telnet 192.168.1.100 22
Trying 192.168.1.100...
telnet: connect to address 192.168.1.100: Connection refused
[root@bigboy tmp]#
telnet Timeout or Hanging
The telnet command aborts the attempted connection after waiting a predetermined time for a response. This is called a timeout. In some cases telnet won't abort but will wait indefinitely; this is known as hanging. These symptoms can be caused by one of the following:
• The remote server doesn't exist on the destination network, or it is turned off.
• A firewall is blocking the connection attempt with a drop rule rather than rejecting it, so the connection times out instead of being quickly refused.
[root@bigboy tmp]# telnet 216.10.100.12 22
Trying 216.10.100.12...
telnet: connect to address 216.10.100.12: Connection timed out
[root@bigboy tmp]#
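As an added example (my own, not part of the lab manual), the following shell functions turn the three telnet outcomes above (connected, refused, timed out) into a verdict, and then combine the loopback and NIC-address verdicts the way the troubleshooting guidelines suggest. The telnet transcripts in the script are constructed; the probe_port wrapper assumes that telnet and the coreutils timeout command are installed and is not exercised by the demonstration. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the lab manual.

# classify_probe: read telnet's output on stdin and print one word:
#   open        - "Connected to": something is listening and reachable
#   refused     - TCP reset / ICMP port unreachable came back: no listener,
#                 or a firewall REJECT rule
#   unreachable - ICMP host unreachable ("No route to host"): no ARP answer
#                 on the local net, no route, or a REJECT with
#                 icmp-host-unreachable
#   filtered    - "Connection timed out": packets silently dropped
#                 (firewall DROP rule, or host down)
#   unknown     - anything else (name lookup failure, telnet missing, ...)
classify_probe() {
    _cp_out=$(cat)
    case $_cp_out in
        *"Connected to"*)         echo open ;;
        *"Connection refused"*)   echo refused ;;
        *"No route to host"*)     echo unreachable ;;
        *"Connection timed out"*) echo filtered ;;
        *)                        echo unknown ;;
    esac
}

# probe_port HOST PORT: run telnet non-interactively with a 5 second cap and
# classify the result. If telnet printed nothing conclusive and was killed by
# timeout (exit status 124), that is a hang, i.e. filtered.
probe_port() {
    _pp_out=$(timeout 5 telnet "$1" "$2" </dev/null 2>&1)
    _pp_rc=$?
    _pp_verdict=$(printf '%s\n' "$_pp_out" | classify_probe)
    if [ "$_pp_verdict" = unknown ] && [ "$_pp_rc" -eq 124 ]; then
        _pp_verdict=filtered
    fi
    echo "$_pp_verdict"
}

# diagnose LOOPBACK_VERDICT NIC_VERDICT: compare the probe against 127.0.0.1
# with the probe against the NIC address, both run on the server itself.
diagnose() {
    case "$1/$2" in
        open/open)     echo 'service reachable locally; if remote tests fail, look at the network path or a perimeter firewall' ;;
        open/filtered) echo 'service listening but the host firewall (e.g. iptables) drops connections to the NIC address' ;;
        open/refused)  echo 'service bound to 127.0.0.1 only, or the host firewall rejects connections to the NIC address' ;;
        refused/*)     echo 'nothing is listening on that port: start or fix the application' ;;
        filtered/*)    echo 'even loopback is blocked: check the iptables rules on the server itself' ;;
        *)             echo 'inconclusive: rerun the probes and read the telnet output by hand' ;;
    esac
}

# Constructed telnet transcripts for the outcomes shown in the text:
OUT_OPEN='Trying 192.168.1.102...
Connected to 192.168.1.102.
SSH-1.99-OpenSSH_3.4p1'
OUT_REFUSED='Trying 192.168.1.100...
telnet: connect to address 192.168.1.100: Connection refused'
OUT_TIMEOUT='Trying 216.10.100.12...
telnet: connect to address 216.10.100.12: Connection timed out'

# Demonstration:
for _s in "$OUT_OPEN" "$OUT_REFUSED" "$OUT_TIMEOUT"; do
    printf '%s\n' "$_s" | classify_probe
done
diagnose open filtered
```

On the server under test the two probes would be probe_port 127.0.0.1 22 and probe_port 192.168.1.102 22, and their results go to diagnose; a refused verdict cannot by itself tell a REJECT rule from a missing listener, which is why the loopback probe is needed.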
Exercise-7:- This exercise demonstrates how to use traceroute to test network connectivity. Another tool for network troubleshooting is the traceroute command. It lists all the router hops between your server and the target server, which helps you verify that routing over the networks in between is correct. The traceroute command works by sending a probe packet (by default a UDP packet to a high port; with the -I switch, as in the example below, an ICMP echo request) to the target with a TTL of 1. The first router on the route decrements the TTL to 0, discards the packet, and sends an ICMP time exceeded message back to the source. traceroute records the IP address of the router that sent the message and knows that it is the first hop on the path to the final destination. traceroute then tries again with a TTL of 2. The first hop sees nothing wrong with the packet, decrements the TTL to 1 as usual, and forwards it to the second router on the path. Router 2 decrements the TTL to 0, drops the packet and replies with an ICMP time exceeded message, so traceroute now knows the IP address of the second router. This continues, raising the TTL by one each round, until the final destination is reached and answers the probe itself (with an ICMP port unreachable for a UDP probe, or an echo reply for an ICMP probe).
Note: In Linux the traceroute command is traceroute. In Windows it is tracert.
Note: You receive traceroute responses only from functioning devices. If a device responds, it is less likely to be the source of your problems.
Sample traceroute Output
Here is a sample output for a query to 144.232.20.158. Notice that all the hop times are under 50 milliseconds (ms), which is acceptable.
[root@bigboy tmp]# traceroute -I 144.232.20.158
traceroute to 144.232.20.158 (144.232.20.158), 30 hops max, 38 byte packets
 1  adsl-67-120-221-110.dsl.sntc01.pacbell.net (67.120.221.110)  14.408 ms  14.064 ms  13.111 ms
 2  dist3-vlan50.sntc01.pbi.net (63.203.35.67)  13.018 ms  12.887 ms  13.146 ms
 3  bb1-g1-0.sntc01.pbi.net (63.203.35.17)  12.854 ms  13.035 ms  13.745 ms
 4  bb2-p11-0.snfc21.pbi.net (64.161.124.246)  16.260 ms  15.618 ms  15.663 ms
 5  bb1-p14-0.snfc21.pbi.net (64.161.124.53)  15.897 ms  15.785 ms  17.164 ms
 6  sl-gw11-sj-3-0.sprintlink.net (144.228.44.49)  14.443 ms  16.279 ms  15.189 ms
 7  sl-bb25-sj-6-1.sprintlink.net (144.232.3.133)  16.185 ms  15.857 ms  15.423 ms
 8  sl-bb23-ana-6-0.sprintlink.net (144.232.20.158)  27.482 ms  26.306 ms  26.487 ms
[root@bigboy tmp]#
Possible traceroute Messages
There are a number of message codes traceroute can print; they are listed below.
Traceroute Symbol   Description
* * *               Expected 5 second response time exceeded. Could be caused by: a router on the path not sending back ICMP "time exceeded" messages; a router or firewall in the path blocking the ICMP "time exceeded" messages; the target IP address not responding.
!H, !N, or !P       Host, network or protocol unreachable.
!X or !A            Communication administratively prohibited. A router Access Control List (ACL) or firewall is in the way.
!S                  Source route failed. Source routing attempts to force traceroute to use a certain path. Failure might be due to a router security setting.
Exercise-8:- This exercise illustrates how to use MTR to detect network congestion.
Matt's Traceroute (mtr) is an application that performs a repeated traceroute in real time; it dynamically shows the round-trip time to reach each hop along the path. The constant updates let you see not only which hops are slow but also when they appear to be slow. It is a good tool to use whenever you suspect intermittent network congestion. Type mtr followed by the target IP address to get output like the following:
[root@bigboy tmp]# mtr 192.168.25.26
                             Matt's traceroute  [v0.52]
Bigboy                                         Fri Feb 20 17:19:17 2004
Keys:  D - Display mode    R - Restart statistics    Q - Quit
                                           Packets               Pings
Hostname                                %Loss  Rcv  Snt  Last Best  Avg  Worst
 1. 192.168.1.1                            0%   17   17    32   10   15     32
 2. 192.168.2.254                          0%   17   17    12   11   18     41
 3. 192.168.3.15                           0%   17   17    23   14   18     25
 4. 192.168.18.35                          0%   16   16    24   23   29     42
 5. 192.168.25.26                          0%   16   16    23   21   26     37
^C
[root@bigboy tmp]#
One of the nice features of mtr is that it gives you the best, worst and average round-trip times in milliseconds for the probe packets to each hop along the way to the final destination. The advantage of this is that you can let mtr run for an extended period of time, acting as a constant monitor of communication path quality. The constant refreshing of the screen also lets you spot transient changes in quality almost instantly, making it much more convenient than a regular traceroute. Note that loss or latency that appears at one intermediate hop but not at the hops after it usually means that router rate-limits its ICMP replies, not that it is dropping your traffic; only loss that persists to the final hop counts.
Exercise-9:- This exercise demonstrates how to view packet flows with tcpdump
The tcpdump command is one of the most popular packages for viewing the flow of packets through your Linux box's NIC card. It is installed by default on RedHat/Fedora Linux and has very simple syntax, especially if you are doing simpler types of troubleshooting. One of the most common uses of tcpdump is to determine whether you are getting basic two-way communication. Lack of communication could be due to the following:
• Bad routing
• Faulty cables, interfaces of devices in the packet flow
• The server not listening on the port because the software isn't installed or started
• A network device in the packet path is blocking traffic; common culprits are firewalls, routers with access control lists and even your Linux box running iptables.
Analyzing tcpdump in much greater detail is beyond the scope of this section. Like most Linux commands, tcpdump uses command-line switches to modify the output. Some of the more useful command-line switches are listed in the table.
tcpdump command switch    Description
-c    Stop after viewing count packets.
-i    Listen on interface. If this is not specified, then the command will use the lowest numbered interface that is UP
-w    Dump the output to a specially formatted tcpdump dump file
-C    Specifies the size the dump file must reach before a new one with a numeric extension is created.
-t    Don't print a timestamp at the beginning of each line
You can also add expressions after all the command-line switches. These act as filters to limit the volume of data presented on the screen. You can also put the keywords "and" and "or" between expressions to further fine-tune your selection criteria. Some useful expressions are listed in the table.
tcpdump command expression    Description
host host-address    View packets from the IP address host-address
icmp    View ICMP packets
tcp port port-number    View TCP packets with either a source or destination TCP port of port-number
udp port port-number    View UDP packets with either a source or destination UDP port of port-number
The following is an example of tcpdump being used to view ICMP ping packets going through interface wlan0:
[root@bigboy tmp]# tcpdump -i wlan0 icmp
tcpdump: listening on wlan0
21:48:58.927091 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.927510 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.928257 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.928365 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.943926 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.944034 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.962244 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.963966 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.968556 bigboy.my-site.com > smallfry: icmp: echo reply
9 packets received by filter
0 packets dropped by kernel
[root@bigboy tmp]#
In this example:
• The first column of data is a packet timestamp.
• The second column of data shows the packet source and then the destination IP address or server name of the packet.
• The third column shows the packet type.
• Two-way communication is occurring as each echo gets an echo reply.
The following example shows tcpdump being used to view packets on interface wlan0 to/from host 192.168.1.102 on TCP port 22 with no timestamps in the output (-t switch).
[root@bigboy tmp]# tcpdump -i wlan0 -t host 192.168.1.102 and tcp port 22
tcpdump: listening on wlan0
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 2013297021 win 0 (DF) [tos 0x10]
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840
In this example:
• The first column of data shows the packet source and then the destination IP address or server name of the packet
• The second column shows the TCP flags within the packet
• The client named bigboy is using port 32938 to communicate with the server named smallfry on the TCP SSH port 22.
• Two-way communication is occurring
Analyzing tcpdump files
By using the -w filename option you can send the entire Ethernet frame, not just the brief IP information that normally goes to the screen, to a file. This can then be analyzed by graphical analysis tools such as Wireshark, which is available for both Windows and Linux, with customized filters, colorization of packet records based on criteria deemed interesting, and the capability of automatically highlighting certain error conditions such as data retransmissions:
tcpdump -i eth1 -w /tmp/packets.dump tcp port 22
Covering Wireshark is beyond the scope of this book but that shouldn't discourage you from using it. The application is part of the Fedora RPM suite, and a Windows version is also available.
Common Problems with tcpdump
By default tcpdump will attempt to determine the DNS names of all the IP addresses it sees while logging data. This can slow down tcpdump so much that it appears not to be working at all. The -n switch stops DNS name lookups and will make tcpdump work more reliably. The following are examples of how the -n switch affects the output:
Without the -n switch
[root@bigboy tmp]# tcpdump -i eth1 tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
02:24:34.818398 IP 192-168-1-242.my-site.com.1753 > bigboy-100.my-site.com.ssh: . ack 318574223 win 65471
02:24:34.818478 IP bigboy-100.my-site.com.ssh > 192-168-1-242.my-site.com.1753: P 1:165(164) ack 0 win 64
02:24:35.019042 IP 192-168-1-242.my-site.com.1753 > bigboy-100.my-site.com.ssh: . ack 165 win 65307
02:24:35.019118 IP bigboy-100.my-site.com.ssh > 192-168-1-242.my-site.com.1753: P 165:401(236) ack 0 win
02:24:35.176299 IP 192-168-1-242.my-site.com.1753 > bigboy-100.my-site.com.ssh: P 0:20(20) ack 401 win 65
02:24:35.176337 IP bigboy-100.my-site.com.ssh > 192-168-1-242.my-site.com.1753: P 401:629(228) ack 20 win 6
6 packets captured
7 packets received by filter
0 packets dropped by kernel
[root@bigboy tmp]#
With the -n switch
[root@bigboy tmp]# tcpdump -i eth1 -n tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
02:25:53.068511 IP 192.168.1.242.1753 > 192.168.1.100.ssh: . ack 318576011 win 65163
02:25:53.068606 IP 192.168.1.100.ssh > 192.168.1.242.1753: P 1:165(164) ack 0 win 6432
02:25:53.269152 IP 192.168.1.242.1753 > 192.168.1.100.ssh: . ack 165 win 64999
02:25:53.269205 IP 192.168.1.100.ssh > 192.168.1.242.1753: P 165:353(188) ack 0 win 6432
02:25:53.408556 IP 192.168.1.242.1753 > 192.168.1.100.ssh: P 0:20(20) ack 353 win 64811
02:25:53.408589 IP 192.168.1.100.ssh > 192.168.1.242.1753: P 353:541(188) ack 20 win 6432
6 packets captured
7 packets received by filter
0 packets dropped by kernel
[root@bigboy tmp]#
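The "is there two-way communication?" question the exercise answers by eye can be answered by a script over a saved capture. The block below is an added example, not code from the manual: it parses lines in the older tcpdump format shown above (the capture text is constructed, reusing the host names from the examples), pairs ICMP echo requests with replies, and classifies each TCP SYN as answered by a SYN-ACK, refused with a RST, or unanswered.

```sh
#!/bin/sh
# Added example, not from the manual: classify a tcpdump capture in the line
# format shown above so the "is it two-way?" question is answered by a script.
# The capture text is constructed.  Newer tcpdump versions print "Flags [S]"
# instead of a bare "S"; the flag tests below would need adjusting for them.

CAPTURE='tcpdump: listening on wlan0
21:48:58.927091 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.927510 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.928257 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.928365 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:59.101002 10.0.0.9 > bigboy.my-site.com: icmp: echo request (DF)
21:48:59.601002 10.0.0.9 > bigboy.my-site.com: icmp: echo request (DF)
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 2013297021 win 0 (DF) [tos 0x10]
smallfry.32940 > bigboy.my-site.com.http: S 77:77(0) win 5840
bigboy.my-site.com.http > smallfry.32940: S 900:900(0) ack 78 win 5792
smallfry.32941 > bigboy.my-site.com.https: S 88:88(0) win 5840'

# classify_capture < capture
# One line per ICMP request flow and per TCP SYN flow.  Works with or without
# the -t switch because it locates the "src > dst:" tokens rather than fixed columns.
classify_capture() {
    awk '
    {
        found = 0
        for (i = 2; i < NF; i++)
            if ($i == ">") { src = $(i - 1); dst = $(i + 1); f = i + 2; found = 1; break }
        if (!found) next                    # e.g. "tcpdump: listening on wlan0"
        sub(/:$/, "", dst)
        fwd = src " > " dst; rev = dst " > " src
    }
    /icmp: echo request/ { req[fwd]++; next }
    /icmp: echo reply/   { rep[rev]++; next }       # a reply belongs to the reverse flow
    $f == "S" && $0 !~ / ack / { syn[fwd] = 1 }     # plain SYN: new connection attempt
    $f == "S" && / ack /       { synack[rev] = 1 }  # SYN-ACK: the service answered
    $f == "R"                  { rst[rev] = 1 }     # RST: host reachable, port closed
    END {
        for (k in req) {
            r = rep[k] + 0
            v = (r > 0) ? "two-way" : "one-way (check routing, filters and the target host)"
            printf "ICMP %s: %d requests, %d replies -> %s\n", k, req[k], r, v
        }
        for (k in syn) {
            if (k in synack)   v = "handshake answered (service listening)"
            else if (k in rst) v = "reachable but RST returned (nothing listening on that port)"
            else               v = "SYN unanswered (filtered, down or not routed)"
            printf "TCP %s: %s\n", k, v
        }
    }'
}

printf '%s\n' "$CAPTURE" | classify_capture
```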
Exercises for lab:
Exercise 1:- Display the routing table maintained on your system and list the networks that are connected to your system and their corresponding gateways. What is the IP address of the default gateway that is set on your system?
Home Work:
1) Configure a network containing two PCs and troubleshoot the network for any problem in the network. Follow the procedure step-by-step as given in the manual.
Lab 15: Installing Linux Software
To understand installing Linux software
Lab No. 15: Installing Linux Software
Objective: To familiarize students with how a Linux server could be used as a router
Scope: The students would be able to do the following at the end of this lab:
• List installed and available packages
• Install a package locally
• Install a package from the internet.
Useful Concepts: Automated Package Download The disadvantage of manual downloads is that the packages often won't install unless certain prerequisite packages have been installed beforehand. This can lead to the download and installation of several packages which can become tedious. All the major Linux distributions have automated download and update utilities. For example, Fedora uses yum and Ubuntu and Debian use apt.
Exercise-1:- This exercise illustrates how to get RPMs using command-line anonymous FTP
Anonymous FTP allows you to log in and download files from an FTP server using the username anonymous or the shorter username ftp and a password that matches your email address. This way anyone can access the data. Let's illustrate this with an example of using anonymous FTP to download the SSH package from download.fedora.redhat.com:
1) First we issue the ftp command targeting download.fedora.redhat.com at the command line.
[root@bigboy tmp]# ftp download.fedora.redhat.com
Trying 66.187.232.35...
Connected to download.fedora.redhat.com (66.187.232.35).
220 Fedora FTP server ready. All transfers are logged.
Name (download.fedora.redhat.com:root): anonymous
331 Please specify the password.
Password:
230 Login successful. Have fun.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (66,187,232,35,57,155)
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 Oct 29 15:59 pub
226 Directory send OK.
ftp>
2) After we've logged in, we can use the help command to see what options we have at our disposal.
ftp> help
Commands may be abbreviated. Commands are:
! cr mdir proxy send
-----
ftp>
3) By using the Web browsing feature on the Web site ahead of time, I know that the Fedora Core 2 RPMs are located in the pub/fedora/linux/core/2/i386/os/Fedora/RPMS/ directory and will use the cd command to change my directory to there. We can use the ls command to get a listing of files in this directory.
ftp> cd pub/fedora/linux/core/2/i386/os/Fedora/RPMS/
250 Directory successfully changed.
ftp> ls open*
227 Entering Passive Mode (66,187,232,35,58,3)
150 Here comes the directory listing.
...
...
-rw-r--r--  ...  ...  184281 Oct 28 23:29 openssh-3.6.1p2-34.i386.rpm
...
...
226 Directory send OK.
ftp>
4) Next we get the file we need and place it in the local directory /usr/rpm. The hash command will print "#" hash signs on the screen during the download.
ftp> hash
Hash mark printing on (1024 bytes/hash mark).
ftp> lcd /usr/rpm
Local directory now /usr/rpm
ftp> get openssh-3.6.1p2-34.i386.rpm
local: openssh-3.6.1p2-34.i386.rpm remote: openssh-3.6.1p2-34.i386.rpm
227 Entering Passive Mode (66,187,232,35,58,25)
150 Opening BINARY mode data connection for openssh-3.6.1p2-34.i386.rpm (184281 bytes).
################################################
226 File send OK.
184281 bytes received in 3.41 secs (53 Kbytes/sec)
ftp>
Note: You can also use wildcards to download the RPMs you need using the mget command. You'll be prompted for each of the matching RPM files. In the next example, we just aborted this download by typing n.
ftp> mget openssh-3.6*
mget openssh-3.6.1p2-34.i386.rpm? n
ftp>
5) Finally we use the exit command to leave FTP.
ftp> exit
221 Goodbye.
[root@bigboy tmp]#
Exercise-2:- This exercise illustrates how to download software using the wget utility
The wget command can be used to download files quickly when you already know the URL at which the RPM is located. Here is an example downloading a DHCP update from Fedora.
[root@tmp]# wget
--17:38:36-- ftp://linux.stanford.edu/pub/mirrors/fedora/linux/core/2/i386/os/Fedora/RPMS/dhcp-3.0pl26.
           => `dhcp-3.0pl2-6.16.i386.rpm.5'
Resolving linux.stanford.edu... done.
Connecting to linux.stanford.edu[171.66.2.18]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/mirrors/fedora/linux/core/2/i386/os/Fedora/RPMS ... done.
==> PASV ... done.    ==> RETR dhcp-3.0pl2-6.16.i386.rpm ... done.
Length: 529,890 (unauthoritative)
100%[===============================>] 529,890    889.12K/s    ETA 00:00
17:38:36 (889.12 KB/s) - `dhcp-3.0pl2-6.16.i386.rpm.5' saved [529890]
[root@tmp]#
Exercise-3:- This exercise illustrates how to install RPMs manually
Download / copy RPMs (which usually have a file extension ending with .rpm) into a temporary directory, such as /tmp. The next step is to issue the rpm -Uvh command to install the package. The -U qualifier is used for updating an RPM to the latest version, the -h qualifier gives a list of hash # characters during the installation and the -v qualifier prints verbose status messages while the command is run. Here is an example of a typical RPM installation command to install the MySQL server package:
[root@bigboy tmp]# rpm -Uvh mysql-server-3.23.58-9.i386.rpm
Preparing...                ####################### [100%]
   1:mysql-server           ####################### [100%]
[root@bigboy tmp]#
How to Install Source RPMs
Sometimes the packages you want to install need to be compiled in order to match your kernel version. This requires you to use source RPM files:
• Download the source RPMs or locate them on your CD collection. They usually have a file extension ending with .src.rpm
• Run the following command as root. Compiling and installing source RPMs with Fedora can be done simply with the rpmbuild command:
[root@tmp]# rpmbuild --rebuild filename.src.rpm
Here is an example in which we install the tacacs plus package.
[root@bigboy rpm]# rpmbuild --rebuild tac_plus-4.0.3-2.src.rpm
Installing tac_plus-4.0.3-2.src.rpm
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.61594
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd /usr/src/redhat/BUILD
+ rm -rf tac_plus-4.0.3
+ /usr/bin/gzip -dc /usr/src/redhat/SOURCES/tac_plus-4.0.3.tgz
+ tar -xvvf ...
...
...
+ umask 022
+ cd /usr/src/redhat/BUILD
+ rm -rf tac_plus-4.0.3
+ exit 0
[root@rpm]#
Exercise-4:- This exercise illustrates how to list installed RPMs
The rpm -qa command will list all the packages installed on your system:
[root@tmp]# rpm -qa
perl-Storable-1.0.14-15
smpeg-gtv-0.4.4-9
audiofile-0.2.3-3
...
...
[root@tmp]#
Exercise-5:- This exercise illustrates uninstalling RPMs
The rpm -e command will erase an installed package. The package name given must match that listed by the rpm -qa command because the version of the package is important:
[root@tmp]# rpm -e package-name
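Exercises 3 to 5 all hinge on the name-version-release.arch convention of RPM file names: rpm -qa lists the first three fields and rpm -e wants the name. The block below is an added example, not the manual's code: it takes an RPM file name apart from the right (package names such as perl-Storable contain hyphens themselves), and wraps rpm -Uvh with rpm --checksig, since a file fetched by anonymous FTP or wget carries no integrity check of its own. Only the name parsing runs without rpm installed; install_rpm assumes rpm and an imported vendor key.

```sh
#!/bin/sh
# Added example, not from the manual: split an RPM file name into the
# name, version, release and architecture fields that rpm -qa lists and
# rpm -e expects, and wrap rpm -Uvh with a signature check.  Only the
# file-name parsing runs without rpm installed; install_rpm needs rpm.

# rpm_nvra FILE.rpm: print "name version release arch".  Package names may
# themselves contain '-' (perl-Storable), so fields are peeled off from the right.
rpm_nvra() {
    f=${1##*/}            # drop any directory part
    f=${f%.rpm}           # openssh-3.6.1p2-34.i386
    arch=${f##*.}         # i386 (src for source RPMs, noarch for arch-independent ones)
    f=${f%.*}             # openssh-3.6.1p2-34
    rel=${f##*-}          # 34
    f=${f%-*}             # openssh-3.6.1p2
    ver=${f##*-}          # 3.6.1p2
    name=${f%-*}          # openssh
    [ -n "$name" ] && [ "$name" != "$f" ] || return 1   # not of the form name-version-release
    echo "$name $ver $rel $arch"
}

# rpm_name FILE.rpm: just the package name (what rpm -q and rpm -e take)
rpm_name() { nvra=$(rpm_nvra "$1") || return 1; set -- $nvra; echo "$1"; }

# rpm_qa_form FILE.rpm: name-version-release, the form the rpm -qa listing above prints
rpm_qa_form() { nvra=$(rpm_nvra "$1") || return 1; set -- $nvra; echo "$1-$2-$3"; }

# install_rpm FILE.rpm: verify the package digests and signature first
# (rpm --checksig; the vendor's GPG key must have been imported with
# rpm --import), then install or upgrade with rpm -Uvh.
install_rpm() {
    rpm --checksig "$1" || { echo "refusing $1: signature check failed" >&2; return 1; }
    pkg=$(rpm_name "$1") || { echo "$1 is not a name-version-release.arch.rpm file" >&2; return 1; }
    if rpm -q "$pkg" >/dev/null 2>&1; then echo "upgrading $pkg"; else echo "installing $pkg"; fi
    rpm -Uvh "$1"
}

rpm_nvra openssh-3.6.1p2-34.i386.rpm           # openssh 3.6.1p2 34 i386
rpm_qa_form perl-Storable-1.0.14-15.i386.rpm   # perl-Storable-1.0.14-15
```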
Exercises for lab:
Exercise 1:- Download RPMs using anonymous FTP.
Exercise 2:- Download RPMs using wget.
Exercise 3:- Install MySQL database using RPM.
Exercise 4:- Install Java using source RPM.
Home Work:
1) Compare the strengths of the apt and yum utilities.
Lab 16: Linux Boot Process
To understand the Linux Boot Process
Lab No. 16: Linux Boot Process
Objective: To familiarize students with the Linux boot process and how to customize various boot options.
Scope: The students would be able to do the following at the end of this lab:
• Change the default boot order of the operating systems installed
• Perform root password recovery
• Starting and stopping daemons when needed
• Start/Stop daemons at the startup
Useful Concepts: Sample grub.conf file
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Fedora Core (2.6.8-1.521)
        root (hd0,0)
        kernel /vmlinuz-2.6.8-1.521 ro root=LABEL=/
        initrd /initrd-2.6.8-1.521.img
title Windows 2000
        rootnoverify (hd0,1)
        chainloader +1
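GRUB legacy numbers the title entries from 0, and default= selects one of them; lab Exercise 1 asks for that number to be changed. The block below is an added example, not the manual's code: it lists the entries of a grub.conf, looks an entry up by title, and rewrites default= in place (through a redirect, so the file's root-only ownership and mode are kept). It works on a constructed copy of the sample above.

```sh
#!/bin/sh
# Added example, not from the manual: change the default entry in a GRUB
# legacy grub.conf by title rather than by counting "title" lines by hand.
# write_sample_grub writes a constructed copy of the sample above for testing.

write_sample_grub() {   # write_sample_grub FILE
    cat > "$1" <<'EOF'
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Fedora Core (2.6.8-1.521)
        root (hd0,0)
        kernel /vmlinuz-2.6.8-1.521 ro root=LABEL=/
        initrd /initrd-2.6.8-1.521.img
title Windows 2000
        rootnoverify (hd0,1)
        chainloader +1
EOF
}

# grub_entries FILE: print "index<TAB>title" for each entry; GRUB numbers them from 0
grub_entries() {
    awk '/^[ \t]*title[ \t]/ { t = $0; sub(/^[ \t]*title[ \t]+/, "", t); print n++ "\t" t }' "$1"
}

# grub_default FILE: print the current default= value
grub_default() { sed -n 's/^default=//p' "$1"; }

# grub_index_of FILE TITLE: index of the first entry whose title begins with TITLE; fails if none
grub_index_of() {
    grub_entries "$1" | awk -F'\t' -v want="$2" '
        index($2, want) == 1 { print $1; found = 1; exit }
        END { exit !found }'
}

# grub_set_default FILE TITLE: point default= at that entry, rewriting in place.
# The file is overwritten through "cat >" so its owner and mode (root, 0600) survive.
grub_set_default() {
    idx=$(grub_index_of "$1" "$2") || { echo "no entry titled '$2' in $1" >&2; return 1; }
    tmp="$1.tmp.$$"
    awk -v i="$idx" '
        /^default=/ { print "default=" i; done = 1; next }
        { print }
        END { if (!done) print "default=" i }' "$1" > "$tmp" || return 1
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Demo on a temporary copy: switch the default from the Linux entry to Windows 2000
f=$(mktemp)
write_sample_grub "$f"
grub_set_default "$f" "Windows 2000"
grub_entries "$f"
echo "default is now $(grub_default "$f")"
rm -f "$f"
```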
Exercise-1:- This exercise demonstrates the procedure for determining the default boot runlevel
The default boot runlevel is set in the file /etc/inittab with the initdefault variable. When set to 3, the system boots up with the text interface on the VGA console; when set to 5, you get the GUI. Here is a snippet of the file (delete the initdefault line you don't need):
# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
# id:3:initdefault:   # Console Text Mode
id:5:initdefault:     # Console GUI Mode
Exercise-2:- This exercise demonstrates root password recovery
Sometimes you might forget the root password, or the previous systems administrator may move on to a new job without giving it to you. To reset it, follow these steps:
1. Go to the VGA console and press Ctrl-Alt-Del. The system will then shut down in an orderly fashion.
2. Reboot the system and enter single-user mode.
3. Once at the command prompt, change your password. Single user mode assumes the person at the console is the systems administrator root, so you don't have to specify a root username.
4. Return to your default runlevel by using the exit command.
Exercise-3:- This exercise demonstrates how to start and stop a server daemon
If a startup script exists in the /etc/init.d directory, then its daemon can be started by specifying its filename followed by the keyword "start" as seen below:
Starting a Daemon
root@localhost# /etc/init.d/apache start
 * Starting apache 1.3 web server...
 ...done.
root@localhost#
Stopping a Daemon
root@localhost# /etc/init.d/apache stop
 * Starting apache 1.3 web server...
 ...done.
root@localhost#
Exercise-4:- Using chkconfig to start daemons at each runlevel
As stated earlier, the chkconfig command can be used to adjust which applications start at each runlevel. You can use this command with the --list switch to get a full listing of packages listed in /etc/init.d and the runlevels at which they will be on or off:
[root@root]# chkconfig --list
keytable   0:off 1:on  2:on  3:on  4:on  5:on  6:off
atd        0:off 1:off 2:off 3:on  4:on  5:on  6:off
syslog     0:off 1:off 2:on  3:on  4:on  5:on  6:off
gpm        0:off 1:off 2:on  3:on  4:on  5:on  6:off
kudzu      0:off 1:off 2:off 3:on  4:on  5:on  6:off
wlan       0:off 1:off 2:on  3:on  4:on  5:on  6:off
sendmail   0:off 1:off 2:off 3:on  4:off 5:on  6:off
netfs      0:off 1:off 2:off 3:on  4:on  5:on  6:off
network    0:off 1:off 2:on  3:on  4:on  5:on  6:off
random     0:off 1:off 2:on  3:on  4:on  5:on  6:off
...
...
Switch off sendmail starting up in levels 3 and 5:
[root@root]# chkconfig --level 35 sendmail off
Switch on sendmail:
[root@root]# chkconfig sendmail on
Exercises for lab:
Exercise 1:- Using the grub.conf file, change the default boot operating system from Linux to Windows.
Exercise 2:- Perform the root password recovery process given in Exercise 2.
Exercise 3:- Switch off network startup using chkconfig and then turn it back on.
Home Work:
1) If it is possible to recover the root password as shown in Exercise 2, then why is it said that Linux has better security? How can you secure the system by preventing this process from being carried out by anonymous users?
Lab 17: Configuring Linux DHCP Server
To understand the Configuring Linux DHCP Server
Lab No. 17: Configuring Linux DHCP Server
Objective: To familiarize students with the configuration of a DHCP server along with installing the DHCP server on a Linux machine
Scope: The students would be able to do the following at the end of this lab:
• Download and install DHCP server
• Configure and customize various DHCP server options
Exercise-1:- This exercise demonstrates how to download and install the DHCP package
For systems using RPMs: When searching for the file, remember that the DHCP server RPM's filename usually starts with the word dhcp followed by a version number like this: dhcp-3.0.1rc14-1.i386.rpm.
For Debian Linux systems: With Debian / Ubuntu the package name may include a version number. Use the dpkg --list | grep dhcp command to get a list of all your dhcp packages and use the output to infer what the DHCP server package name would be. In this case we can guess that the package name should be dhcp3-server.
root@root# dpkg --list | grep dhcp
dhcp3-client   3.0.3-6ubuntu7   DHCP Client
dhcp3-common   3.0.3-6ubuntu7   Files used by all the dhcp3* packages.
Exercise-2:- This exercise describes the /etc/dhcpd.conf file used to configure your network
The standard DHCP RPM package doesn't automatically install a /etc/dhcpd.conf file, but you can find a sample copy of dhcpd.conf in the following directory, which you can always use as a guide:
/usr/share/doc/dhcp-/dhcpd.conf.sample
You have to copy the sample dhcpd.conf file to the /etc directory and then you'll have to edit it. Here is the command to do the copying for the version 3.0p11 RPM file:
[root@root]# cp /usr/share/doc/dhcp-3.0pl1/dhcpd.conf.sample /etc/dhcpd.conf
Exercise-3:- This exercise demonstrates how to configure the DHCP server
Here is a quick explanation of the dhcpd.conf file. Most importantly, there must be a subnet section for each interface on your Linux box.
ddns-update-style interim;
ignore client-updates;
subnet 192.168.1.0 netmask 255.255.255.0 {
    # The range of IP addresses the server
    # will issue to DHCP enabled PC clients
    # booting up on the network
    range 192.168.1.201 192.168.1.220;
    # Set the amount of time in seconds that
    # a client may keep the IP address
    default-lease-time 86400;
    max-lease-time 86400;
    # Set the default gateway to be used by
    # the PC clients
    option routers 192.168.1.1;
    # Don't forward DHCP requests from this
    # NIC interface to any other NIC
    # interfaces
    option ip-forwarding off;
    # Set the broadcast address and subnet mask
    # to be used by the DHCP clients
    option broadcast-address 192.168.1.255;
    option subnet-mask 255.255.255.0;
    # Set the NTP server to be used by the
    # DHCP clients
    option ntp-servers 192.168.1.100;
    # Set the DNS server to be used by the
    # DHCP clients
    option domain-name-servers 192.168.1.100;
    # If you specify a WINS server for your Windows clients,
    # you need to include the following option in the dhcpd.conf file:
    option netbios-name-servers 192.168.1.100;
    # You can also assign specific IP addresses based on the clients'
    # ethernet MAC address as follows (Host's name is "laser-printer"):
    host laser-printer {
        hardware ethernet 08:00:2b:4c:59:23;
        fixed-address 192.168.1.222;
    }
}
#
# List an unused interface here
#
subnet 192.168.2.0 netmask 255.255.255.0 {
}
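Whether the range, gateway and broadcast values of a subnet block agree with each other is easy to get wrong when typing the file by hand, and dhcpd only reports some of these mistakes. The block below is an added example, not the manual's code: it extracts the first subnet block from a dhcpd.conf (a constructed copy of the one above) and checks that the range and router lie inside the subnet, that the range excludes the network and broadcast addresses, and that the router is not inside the dynamic range. The arithmetic is mask-independent, so it serves the class B range in lab Exercise 2 as well.

```sh
#!/bin/sh
# Added example, not from the manual: sanity-check the first subnet block of a
# dhcpd.conf before starting dhcpd, using only sh and awk arithmetic.
# write_sample_dhcpd_conf writes a constructed copy of the configuration above.

write_sample_dhcpd_conf() {   # write_sample_dhcpd_conf FILE RANGE_LO RANGE_HI
    cat > "$1" <<EOF
ddns-update-style interim;
ignore client-updates;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range $2 $3;
    default-lease-time 86400;
    option routers 192.168.1.1;
    option broadcast-address 192.168.1.255;
    option subnet-mask 255.255.255.0;
}
EOF
}

ip2int() {   # ip2int A.B.C.D -> 32-bit integer
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}
int2ip() {   # int2ip N -> A.B.C.D
    echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# parse_subnet FILE: print "network netmask range_lo range_hi router" for the first subnet block
parse_subnet() {
    awk '
    /^[ \t]*subnet[ \t]/ && !seen { net = $2; mask = $4; seen = 1; next }
    seen && /^[ \t]*range[ \t]/   { sub(/;.*/, ""); lo = $2; hi = $3 }
    seen && /^[ \t]*option[ \t]+routers[ \t]/ { sub(/;.*/, ""); gw = $3 }
    seen && /^[ \t]*}/ { exit }
    END { print net, mask, lo, hi, gw }' "$1"
}

# check_dhcpd_subnet FILE: print one problem per line; return 0 when the block is clean
check_dhcpd_subnet() {
    set -- $(parse_subnet "$1")
    [ $# -eq 5 ] || { echo "subnet block lacks a range or an option routers line"; return 1; }
    net=$1 mask=$2 lo=$3 hi=$4 gw=$5
    n=$(ip2int "$net"); m=$(ip2int "$mask"); l=$(ip2int "$lo"); h=$(ip2int "$hi"); g=$(ip2int "$gw")
    b=$(( n | (4294967295 - m) ))            # broadcast address of the subnet
    rc=0
    for a in "$lo" "$hi" "$gw"; do           # everything must sit inside the declared subnet
        [ $(( $(ip2int "$a") & m )) -eq "$n" ] || { echo "$a is not inside $net/$mask"; rc=1; }
    done
    [ "$l" -le "$h" ] || { echo "range start $lo is above range end $hi"; rc=1; }
    [ "$l" -gt "$n" ] || { echo "range includes the network address $net"; rc=1; }
    [ "$h" -lt "$b" ] || { echo "range includes the broadcast address $(int2ip "$b")"; rc=1; }
    if [ "$g" -ge "$l" ] && [ "$g" -le "$h" ]; then
        echo "router $gw lies inside the dynamic range (a client could be leased the gateway address)"
        rc=1
    fi
    return $rc
}

f=$(mktemp)
write_sample_dhcpd_conf "$f" 192.168.1.201 192.168.1.220 && check_dhcpd_subnet "$f" && echo "clean"
write_sample_dhcpd_conf "$f" 192.168.1.1 192.168.1.255 && check_dhcpd_subnet "$f" || echo "problems found"
rm -f "$f"
```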
Exercises for lab:
Exercise 1:- Download and install DHCP server.
Exercise 2:- Configure DHCP server to lease a range of class B IP addresses.
Home Work:
1) Specify default gateway and DNS server IPs in the DHCP configuration.
2) Using chkconfig, configure DHCP to start during the boot process.
Lab 18: Managing Linux Users and sudo
To understand managing Linux users and sudo
Lab No. 18: Managing Linux Users and sudo
Objective: To familiarize students with Linux user management
Scope: The students would be able to do the following at the end of this lab:
• Create user groups.
• Create user accounts and assign them appropriate groups
• Run commands with privileged access
Exercise-1:- This exercise illustrates how to add users to the system
Adding users takes some planning; read through these steps below before starting:
1) Arrange your list of users into groups by function. In this example there are two groups, "parents" and "children".
Parents    Children
Asif       Sami
Fatima     Owais
2) Add the Linux groups to your server:
[root@tmp]# groupadd parents
[root@tmp]# groupadd children
3) Add the Linux users and assign them to their respective groups
[root@tmp]# useradd -g parents asif
[root@tmp]# useradd -g parents fatima
[root@tmp]# useradd -g children sami
[root@tmp]# useradd -g children owais
If you don't specify the group with the -g, RedHat/Fedora Linux creates a group with the same name as the user you just created; this is also known as the User Private Group Scheme. When each new user first logs in, they are prompted for their new permanent password.
4) Each user's personal directory is placed in the /home directory. The directory name will be the same as their user name.
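The four steps above are easy to script once the group/user table is written down. The block below is an added example, not the manual's code: it creates each group before the users that need it and skips anything that already exists (so it can be re-run safely), using getent for the lookups. DRY_RUN=1 prints the commands instead of running them, which is how the demo runs as an unprivileged user.

```sh
#!/bin/sh
# Added example, not from the manual: provision the groups and users from the
# table above in one idempotent pass.  DRY_RUN=1 prints the commands instead of
# running them, so it can be exercised as an unprivileged user.

# Constructed user list, "login:group", one per line (the people from the table)
USER_LIST='asif:parents
fatima:parents
sami:children
owais:children'

run() {   # run CMD ARGS...: execute, or print when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

ensure_group() {   # ensure_group NAME: groupadd only if getent does not know the group
    getent group "$1" >/dev/null 2>&1 || run groupadd "$1"
}

# ensure_user LOGIN GROUP: useradd -g only if the login does not exist yet.
# useradd leaves the new account without a usable password, so "passwd LOGIN"
# (Exercise-2) still has to be run before the person can log in.
ensure_user() {
    getent passwd "$1" >/dev/null 2>&1 || run useradd -g "$2" "$1"
}

# provision_users < list: each group is handled once, before the users that need it
provision_users() {
    handled=""
    while IFS=: read -r login group; do
        case $login in ''|'#'*) continue ;; esac      # skip blank lines and comments
        case " $handled " in
            *" $group "*) ;;
            *) ensure_group "$group"; handled="$handled $group" ;;
        esac
        ensure_user "$login" "$group"
    done
}

# Demo: dry run (set DRY_RUN=0 and run as root to really create the accounts)
DRY_RUN=${DRY_RUN:-1}
printf '%s\n' "$USER_LIST" | provision_users
```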
Exercise-2:- This exercise illustrates how to change passwords
You need to create passwords for each account. This is done with the passwd command. You are prompted once for your old password and twice for the new one. User root changing the password for user asif:
[root@root]# passwd asif
Changing password for user asif.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@root]#
Users might wish to change their passwords in future. Here is how unprivileged user asif would change his own password.
[asif@asif]$ passwd
Changing password for asif
Old password: your current password
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
New password: your new password
Re-enter new password: your new password
Password changed.
[asif@asif]$
Exercise-3:- This exercise illustrates how to delete users
The userdel command is used to remove the user's record from the /etc/passwd and /etc/shadow files used in the login process. The command has a single argument, the username.
[root@tmp]# userdel sami
There is also an optional -r switch that additionally removes all the contents of the user's home directory. Use this option with care. The data in a user's directory can often be important.
Exercise-4:- This exercise illustrates how to get privileges using sudo
If a server needs to be administered by a number of people it is normally not a good idea for them all to use the root account. This is because it becomes difficult to determine exactly who did what, when and where if everyone logs in with the same credentials. The sudo utility was designed to overcome this difficulty. The sudo utility allows users defined in the /etc/sudoers configuration file to have temporary access to run commands they would not normally be able to due to file permission restrictions. The commands can be run as user "root" or as any other user defined in the /etc/sudoers configuration file.
Simple Sudo Examples: Using sudo is relatively simple as we can see from these examples.
Temporarily gaining root privileges
In this example, user asif attempts to view the contents of the /etc/sudoers file, which is an action that normally requires privileged access. Without sudo, the command fails:
[asif@asif]$ more /etc/sudoers
/etc/sudoers: Permission denied
[asif@asif]$
asif tries again using sudo and his regular user password and is successful:
[asif@asif]$ sudo more /etc/sudoers
Password:
...
...
[asif@asif]$
Becoming root for a complete login session
The su command allows a regular user to become the system's root user if they know the root password. A user with sudo rights to use the su command can become root, but they only need to know their own password, not that of root, as seen here.
someuser@tmp:~$ sudo su
Password:
root@tmp:~#
Exercises for lab:
Exercise 1:- Add a group with the name of relatives.
Exercise 2:- Add a user with the name of Asim and assign it to the relatives group.
Exercise 3:- Try to edit the file /etc/profile without sudo and then with sudo.
Home Work:
1) Read the /etc/sudoers file thoroughly and modify it to add a user Asim to the /etc/sudoers file.
Lab 19: Configuring Samba
To understand configuring Samba
Lab No. 19: Configuring Samba
Objective: To familiarize students with the working and configuration of the Samba server
Scope: The students would be able to do the following at the end of this lab:
• Install Samba server.
• Manage the services related to the Samba server
• Prepare SWAT to be used for Samba configuration
• Use SWAT for Samba configuration
Useful Concepts
Download and Install Packages
Samba is comprised of a suite of RPM files named:
samba
samba-common
samba-client
samba-swat
Exercise-1:- This exercise illustrates how to get Samba started
You can configure Samba to start at boot time using the chkconfig command:
[root@tmp]# chkconfig smb on
You can start/stop/restart Samba after boot time using the smb initialization script as in the examples below:
[root@tmp]# service smb start
[root@tmp]# service smb stop
[root@tmp]# service smb restart
Sometimes Samba may have an ancillary nmb daemon that also needs to be started. The syntax is the same as that for the smb daemon.
[root@tmp]# service nmb start
[root@tmp]# service nmb stop
[root@tmp]# service nmb restart
Note: Unlike many Linux packages, Samba does not need to be restarted after changes have been made to its configuration file, as it is read after the receipt of every client request.
Exercise-2:- This exercise explains The Samba Configuration File The /etc/samba/smb.conf file is the main configuration file you'll need to edit. It is split into five major sections, outlined in the following table:
Exercise-3:- This exercise illustrates the SWAT utility
SWAT, Samba's web-based configuration tool, enables you to configure your smb.conf file without needing to remember all the formatting. Each SWAT screen is actually a form that covers a separate section of the smb.conf file into which you fill in the desired parameters. For ease of use, each parameter box has its own online help. The figure below shows the main SWAT login screen.
Basic SWAT Setup
The enabling and disabling, starting and stopping of SWAT is controlled by xinetd, via a configuration file named /etc/xinetd.d/swat. Here is a sample:
service swat
{
        port            = 901
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/swat
        log_on_failure  += USERID
        disable         = no
        only_from       = localhost
}
The file's formatting is fairly easy to understand, especially as there are only two entries of interest. The disable parameter must be set to no to accept connections. This can automatically be switched between yes and no as we will see later. The default configuration only allows SWAT web access from the VGA console, as user root, on port 901 with the Linux root password. This means you'll have to enter "http://127.0.0.1:901" in your browser to get the login screen.
Controlling SWAT
As with all xinetd-controlled applications, the chkconfig command automatically modifies the disable field accordingly in the configuration file and activates the change. Before SWAT can be used, the xinetd program which controls it must be activated in advance. You can start/stop/restart xinetd after boot time using the xinetd initialization script as in the examples below:
[root@bigboy tmp]# service xinetd start
[root@bigboy tmp]# service xinetd stop
[root@bigboy tmp]# service xinetd restart
Just like most Linux systems applications, you can configure xinetd to start at boot time using the chkconfig command:
[root@bigboy tmp]# chkconfig xinetd on
To activate SWAT use:
[root@bigboy tmp]# chkconfig swat on
To deactivate SWAT use:
[root@bigboy tmp]# chkconfig swat off
Exercise-4:- This exercise illustrates how to create a starter configuration.
We will now illustrate how to configure a Samba server to be the PDC for a small network by using SWAT. You'll need to edit the various sections of the smb.conf file, so I'll walk you through what you'll find in each.

The [global] Section
The [global] section governs the general Samba settings. Here's how to set the values using SWAT.
1. Log into SWAT and click on the [global] section.
2. Click the Advanced button to see all the options.
3. Make your changes and click on the Commit Changes button when finished.
4. Your smb.conf file should resemble the example below when you're finished. You can view the contents of the configuration file by logging in to the Samba server via a command prompt and using cat /etc/samba/smb.conf to verify your changes as you make them.
[global]
    workgroup = HOMENET
    time server = Yes
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    smb passwd file = /etc/samba/smbpasswd
    private dir = /etc/samba
Note: security = user and WINS support = yes are default settings for Samba and they may not show up in your smb.conf file, even though you may see them in SWAT.

The [homes] Section
Here's how to set the values using SWAT:
1. Click on the SWAT shares button to proceed to where shared directories are configured.
2. Click the Advanced button to see all the options.
3. Choose the Homes share.
4. Make your changes and click on the Commit Changes button when finished.
5. Your smb.conf file should resemble this when finished. You can view the contents of the configuration file by logging in to the Samba server via a command prompt and using cat /etc/samba/smb.conf to verify your changes as you make them.
[homes]
    read only = No
    browseable = No
    create mask = 0644
    directory mask = 0755

The [netlogon] and [profiles] Share Sections
The [netlogon] share section contains scripts that the Windows clients may use when they log into the domain. The [profiles] share section stores settings related to the look and feel of Windows so that the user has the same settings no matter which Windows PC is logged into; it stores things such as favourites and desktop icons. Your smb.conf file should look like this when you're finished:
[netlogon]
    path = /home/samba/netlogon
    guest ok = Yes

[profiles]
    path = /home/samba/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
Here's how to do it.
1. Click the Shares button.
3. Modify the path and guest ok settings.
4. Click on the Commit Changes button.
5. Create a [profiles] share section.
6. Modify the path, mask and read only settings. The mask settings allow only the owner of the netlogon subdirectory to be able to modify its contents.
7. Click on the Commit Changes button.
Remember to create these share directories from the command line afterwards (the directory names must match the path settings above):
[root@tmp]# mkdir -p /home/samba/netlogon
[root@tmp]# mkdir -p /home/samba/profiles
[root@tmp]# chmod -R 0755 /home/samba
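The following script is an added example and is not part of the lab manual or of Samba itself. It writes the starter smb.conf assembled above, creates the netlogon and profiles directories, and then checks the result the way you would before restarting Samba. The configuration path and share base directory are parameters (assumptions) so it can run as an ordinary user in a scratch directory; on a real server they would be /etc/samba/smb.conf and /home/samba. It departs from the manual in one place: the profiles directory gets mode 1777 (sticky bit) rather than 0755, because each user's first logon has to create a subdirectory there, while netlogon stays 0755 so only root can change the logon scripts every client executes.

```shell
#!/bin/sh
# Added example, not taken from the lab manual: writes the PDC starter
# smb.conf, creates the share directories and verifies both.

# write_pdc_smb_conf CONF_PATH SHARE_BASE
# Writes the [global], [homes], [netlogon] and [profiles] sections from the
# exercise. SHARE_BASE stands in for /home/samba in the share paths.
write_pdc_smb_conf() {
    base="$2"
    cat > "$1" <<EOF
[global]
    workgroup = HOMENET
    security = user
    wins support = Yes
    time server = Yes
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    smb passwd file = /etc/samba/smbpasswd
    private dir = /etc/samba

[homes]
    read only = No
    browseable = No
    create mask = 0644
    directory mask = 0755

[netlogon]
    path = $base/netlogon
    guest ok = Yes

[profiles]
    path = $base/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
EOF
}

# make_pdc_share_dirs SHARE_BASE
# netlogon holds logon scripts that every client runs, so only root may
# write there (0755). profiles needs a per-user subdirectory created on
# each user's first logon, so it is world-writable with the sticky bit
# (1777: users cannot delete or rename each other's entries); the
# 0600/0700 masks in [profiles] keep the contents private to their owner.
make_pdc_share_dirs() {
    mkdir -p "$1/netlogon" "$1/profiles"
    chmod 0755 "$1" "$1/netlogon"
    chmod 1777 "$1/profiles"
}

# check_pdc_setup CONF_PATH
# Returns 0 when the PDC directives are present and every share path in
# the file exists with the expected mode; prints the first problem found.
check_pdc_setup() {
    conf="$1"
    for directive in "domain logons" "domain master" "preferred master"; do
        grep -qi "^[[:space:]]*$directive[[:space:]]*=[[:space:]]*yes" "$conf" \
            || { echo "missing: $directive = Yes"; return 1; }
    done
    # every "path =" value must be an existing directory
    for p in $(sed -n 's/^[[:space:]]*path[[:space:]]*=[[:space:]]*//p' "$conf"); do
        [ -d "$p" ] || { echo "share path does not exist: $p"; return 1; }
    done
    profiles=$(sed -n '/^\[profiles\]/,/^\[/s/^[[:space:]]*path[[:space:]]*=[[:space:]]*//p' "$conf")
    [ "$(stat -c %a "$profiles")" = "1777" ] \
        || { echo "profiles directory should be mode 1777: $profiles"; return 1; }
    echo "PDC configuration OK"
    return 0
}
```

Run it as root with the real paths (write_pdc_smb_conf /etc/samba/smb.conf /home/samba; make_pdc_share_dirs /home/samba; check_pdc_setup /etc/samba/smb.conf), then restart smbd and nmbd; the check is deliberately run before the restart so a typo in a path is caught while Samba is still serving the old configuration.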
Exercises for lab:
Exercise 1:- Install samba server.
Exercise 2:- Prepare SWAT for samba configuration.
Exercise 3:- Configure samba as a Primary Domain Controller.
Home Work:
1) What is the difference between smbpasswd and the shadow password file?
2) Write a comprehensive note on the primary domain controller (PDC).
Lab 20: Sharing Resources using samba
To understand sharing resources using Samba
Lab No. 20: Sharing Resources using samba
Objective: To familiarize students with the file/printer sharing features of Samba.
Scope: The students would be able to do the following at the end of this lab:
• Share a printer on the network using Samba.
• Create group shares on the Samba server.
• Share CD-ROM drives and folders on the Samba server.
• Automate the mounting process using SMB clients.
Exercise-1:- This exercise illustrates adding a printer to a Samba PDC.
The easiest way to let Samba know the printer is available is via the Samba SWAT Web interface. Once you are in SWAT:
1. Click the "Printers" button.
2. Find your printer in the pull-down menu. If the printer name has an asterisk (*) beside it, it has been auto-configured by Samba. It might not be visible on your network, however, if Samba hasn't been restarted since creating the printer. If this is the case, restart Samba.
3. If Samba did not auto-configure your printer, you need to edit or create it yourself. Click on the "Commit Changes" button to create an updated /etc/samba/smb.conf file.
4. Click on the "Status" tab at the top of the screen and restart smbd and nmbd to restart Samba.
Your printer will now be available for use by all Windows workstations.
Exercise-2:- This exercise illustrates creating group shares in Samba.
On occasion, subgroups of a family need a share that is fully accessible by all members of the group. For example, parents working in a home office environment may need a place where they can share, distribute, or collaboratively work on documents. Here's how it's done.

Create The Directory And User Group
As with any group activity, the first step is to get organized.
1. Create a new Linux group parents:
[root@tmp]# /usr/sbin/groupadd parents
2. Create a new directory for the group's files. If one user is designated as the leader, you might want to change the chown statement to make them owner.
[root@tmp]# mkdir /home/parent-files
[root@tmp]# chgrp parents /home/parent-files
[root@tmp]# chmod 0770 /home/parent-files
3. Add the group members to the new group. For instance, the command to add a user named father to the group is (the -a switch appends parents to the user's existing supplementary groups instead of replacing them):
[root@tmp]# /usr/sbin/usermod -a -G parents father
All your members are in the group; now they need to share.

Configure the Share In SWAT
Next, you need to create the share in Samba using SWAT.
1. Click on the shares button then enter the name of the share you want to create, such as only-parents.
2. Click on the "Create Share" button. Make sure the path maps to /home/parent-files and make the valid users be @parents, where parents is the name of the Linux user group.
3. Click on the "Commit Changes" button to create a new /etc/samba/smb.conf file.
4. Click on the "Status" tab at the top of the screen and restart smbd and nmbd to restart Samba.
Your /etc/samba/smb.conf file should have an entry like this at the end:
# Parents Shared Area
[only-parents]
    path = /home/parent-files
    valid users = @parents
If it does, all is well and you can move on. If not, double check your work in the last steps.

Map the Directory Using "My Computer"
Finally, let the user log into the domain from a remote PC:
1. Right click on the "My Computer" icon on the desktop.
2. Click on "Map Network Drive".
3. Select a drive letter.
4. Browse to the HOMENET domain, then the Samba server, then the share named only-parents.
5. Click on the check box "Reconnect at Logon" to make the change permanent.
Now the files located in the Linux /home/parent-files directory will be accessible to the parents only and your job is complete!

Create a CD-ROM Drive Mount Point on Your Samba Server
You'll now need to create the mount point on the Linux server to mount and access the CD-ROM drive. In this case, I've named it /mnt/winclient-cdrom, and you'll use the mount command to get access to this device from the Linux server.

Password Prompt Method
The Linux mount command will try to access the CD-ROM device as user "username" by using the "username=" option. You will be prompted for a password.
[root@tmp]# mkdir /mnt/winclient-cdrom
[root@tmp]# mount -t smbfs -o username=username \
    //winclient/cdrom /mnt/winclient-cdrom

No Prompt Method
Linux won't prompt you for a password if you embed the access password into the mount command string along with the username, as in the example below.
[root@tmp]# mkdir /mnt/winclient-cdrom
[root@tmp]# mount -t smbfs -o \
    username=username,password=password \
    //winclient/cdrom /mnt/winclient-cdrom
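Returning to the group share built earlier in this exercise: the following script is an added example, not part of the lab manual or of Samba. It checks that the Unix side of a group share agrees with its Samba side. "valid users = @parents" only decides who may connect to the share; the directory's group and mode decide what they can do once connected, so the share is private to the group only when both match. setup_group_share mirrors the mkdir/chgrp/chmod steps above; the directory, group and smb.conf paths are parameters (assumptions) so the check can run as an ordinary user against a scratch directory.

```shell
#!/bin/sh
# Added example, not taken from the lab manual: verifies that a Samba
# group share's directory group and mode match its smb.conf definition.

# setup_group_share DIR GROUP
# Creates the share directory owned by GROUP with mode 0770: full access
# for the owner and the group, none for anyone else.
setup_group_share() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 0770 "$1"
}

# share_setting CONF SHARE KEY
# Prints the value of KEY inside the [SHARE] section of an smb.conf.
share_setting() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($1 == sec); next }
        insec {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_group_share CONF SHARE
# Returns 0 when the share's directory exists, belongs to the group named
# in "valid users = @group" (by name or numeric gid) and denies access to
# everyone else; otherwise prints each problem and returns 1.
check_group_share() {
    conf="$1"; share="$2"; problems=0
    path=$(share_setting "$conf" "$share" path)
    users=$(share_setting "$conf" "$share" "valid users")
    case $users in
        @*) group=${users#@} ;;
        *)  printf '%s: valid users should name one @group, found "%s"\n' "$share" "$users"
            return 1 ;;
    esac
    if [ ! -d "$path" ]; then
        printf '%s: path "%s" does not exist\n' "$share" "$path"
        return 1
    fi
    dir_group=$(stat -c %G "$path")
    dir_gid=$(stat -c %g "$path")
    mode=$(stat -c %a "$path")
    if [ "$dir_group" != "$group" ] && [ "$dir_gid" != "$group" ]; then
        printf '%s: directory group is %s but the share expects %s\n' "$share" "$dir_group" "$group"
        problems=1
    fi
    case $mode in
        770|2770) ;;   # 2770 adds setgid so new files inherit the group
        *) printf '%s: mode %s should be 0770 (or 2770)\n' "$share" "$mode"
           problems=1 ;;
    esac
    [ "$problems" -eq 0 ] && printf '%s: OK (%s, group %s, mode %s)\n' "$share" "$path" "$group" "$mode"
    return "$problems"
}
```

On the real server run check_group_share /etc/samba/smb.conf only-parents after step 3 and again after any chmod on /home/parent-files; it does not check group membership, which is what getent group parents shows.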
Using the smbmount Command Method
Some versions of Linux support the smbmount command to mount the remote drive. Incompatible versions will give errors like this:
[root@tmp]# smbmount //winclient/cdrom \
    /mnt/winclient-cdrom -o username=username
Password:
27875: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
SMB connection failed
To be safe, stick with using the Linux mount command.

Automating Mounting with Linux SAMBA Clients
You can also automate the mounting of shares by placing entries in your /etc/fstab file. In the example below the home directory of user peter on server 192.168.1.100 will be mounted on the /mnt/smb mount point as a Samba filesystem (smbfs) using the login information in the file named /etc/cred.
#
# File: /etc/fstab
#
//192.168.1.100/peter /mnt/smb smbfs credentials=/etc/cred 0 0
The contents of the /etc/cred file need to have the username and password for the account in this format:
#
# File: /etc/cred
#
username = peter
password = peterspassword
Once finished you can use mount -a to mount the new /etc/fstab entry, and the /mnt/smb directory will now contain the contents of the share.
[root@smallfry tmp]# mount -a
[root@smallfry tmp]# ls /mnt/smb
backups  profile  docs  data  music
[root@smallfry tmp]#
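The following script is an added example, not part of the lab manual or of the Samba client tools. It creates and checks the credentials file referenced by the /etc/fstab entry above. That file holds a clear-text password, so it must be readable by its owner only: a world-readable credentials file hands the SMB password to every local user, and a password typed into the mount command line (the "no prompt" method) is visible to every local user in the process list for as long as mount runs, which is why the credentials file is the better of the two. File paths and mount parameters are assumptions so the functions can be exercised in a scratch directory without root.

```shell
#!/bin/sh
# Added example, not taken from the lab manual: private credentials file
# for an smbfs /etc/fstab entry, with a check that it stays private.

# write_smb_credentials FILE USERNAME PASSWORD
# Writes the two lines mount expects. The file is created under umask 077
# so it is mode 0600 from the first byte; an existing copy is removed
# first because umask does not tighten a file that already exists.
write_smb_credentials() {
    rm -f "$1"
    (umask 077 && printf 'username = %s\npassword = %s\n' "$2" "$3" > "$1")
}

# check_smb_credentials FILE
# Returns 0 when FILE exists, is private (0600 or 0400) and carries both a
# username and a password line; otherwise prints the reason and returns 1.
check_smb_credentials() {
    f="$1"
    if [ ! -f "$f" ]; then
        printf '%s: missing\n' "$f"; return 1
    fi
    mode=$(stat -c %a "$f")
    case $mode in
        600|400) ;;
        *) printf '%s: mode %s is too permissive, expected 0600\n' "$f" "$mode"; return 1 ;;
    esac
    grep -q '^[[:space:]]*username[[:space:]]*=' "$f" \
        || { printf '%s: no username line\n' "$f"; return 1; }
    grep -q '^[[:space:]]*password[[:space:]]*=' "$f" \
        || { printf '%s: no password line\n' "$f"; return 1; }
    return 0
}

# fstab_smb_entry SERVER SHARE MOUNTPOINT CREDFILE
# Prints the /etc/fstab line for the share, in the form used above.
fstab_smb_entry() {
    printf '//%s/%s %s smbfs credentials=%s 0 0\n' "$1" "$2" "$3" "$4"
}
```

On a real client run these as root so /etc/cred is root-owned as well as 0600, append the output of fstab_smb_entry 192.168.1.100 peter /mnt/smb /etc/cred to /etc/fstab, and run check_smb_credentials /etc/cred before mount -a.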
Exercises for lab:
Exercise 1:- Share a printer on the network using samba shares.
Exercise 2:- Create group shares on the samba server.
Exercise 3:- Share CD-ROM drive and folders on the samba server.
Exercise 4:- Automate the mounting process using /etc/fstab.
Home Work:
1) Write a note on access permission settings for shared resources on samba.
Lab 21: Linux firewalls using iptables
To understand the iptables configuration
Lab No. 21: Linux firewalls using iptables
Objective: To make the students understand the use of the popular Linux firewall, iptables, for securing systems and websites.
Scope: On completion of this lab the student will be able to:
• Understand what iptables is
• Download and install the iptables package
• Start iptables
• Determine the status of iptables
• Understand packet processing in iptables
• Understand targets and jumps
• Use important iptables command switch operations
• Use user defined chains
Useful Concepts
• Firewall: Utility software that provides protection to the system by monitoring all incoming traffic.
• ipchains: The predecessor of iptables, once the most popular firewall/NAT package running on Linux. Had a number of shortcomings.
• iptables: An improved product of the Netfilter organization, written to rectify the shortcomings of ipchains.
Exercise-1:- This exercise is about downloading and installing iptables.
Before you begin, you need to make sure that the iptables package is installed. When searching for the RPMs or DEBs, remember that the filename usually starts with the software package name followed by a version number, as in iptables-1.2.9-1.0.i386.rpm.
To install the package online on Red Hat distributions, use the yum utility (yum resolves the package by name, not by filename):
yum install iptables
To install the package from hard disk, move to the directory containing the package and use the rpm command:
rpm -ivh iptables-1.2.9-1.0.i386.rpm
To install the package online on Debian distributions, use the apt-get utility:
apt-get install iptables
To install the package from hard disk, move to the directory containing the package and use the dpkg command:
dpkg --install iptables-1.2.9-1.0.i386.deb
Exercise-2:- This exercise is about starting, stopping, restarting and checking the status of iptables.
You can start, stop, and restart iptables after booting by using the commands:
javidali@JLaptop$ service iptables start
javidali@JLaptop$ service iptables stop
javidali@JLaptop$ service iptables restart
To get iptables configured to start at boot, use the chkconfig command:
javidali@JLaptop$ chkconfig iptables on
You can determine whether iptables is running or not via the service iptables status command. Fedora Core will give a simple status message. For example:
javidali@JLaptop$ service iptables status
Firewall is stopped.
javidali@JLaptop$
Exercise-3:- This exercise is about packet processing in iptables.
All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain. There are three tables in total.
The first is the mangle table which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment.
The second table is the filter queue which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. These are the:
• Forward chain: Filters packets to servers protected by the firewall.
• Input chain: Filters packets destined for the firewall.
• Output chain: Filters packets originating from the firewall.
The third table is the nat queue which is responsible for network address translation. It has two built-in chains; these are:
• Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.
• Post-routing chain: NATs packets when the source address of the packet needs to be changed.
Table: Processing For Packets Routed By The Firewall

Filter queue (packet filtering):
  FORWARD      Filters packets to servers accessible by another NIC on the firewall.
  INPUT        Filters packets destined to the firewall.
  OUTPUT       Filters packets originating from the firewall.

Nat queue (network address translation):
  PREROUTING   Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
  POSTROUTING  Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
  OUTPUT       Network address translation for packets generated by the firewall. (Rarely used in SOHO environments)

Mangle queue (TCP header modification):
  PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD
               Modification of the TCP packet quality of service bits before routing occurs. (Rarely used in SOHO environments)
You need to specify the table and the chain for each firewall rule you create. There is an exception: most rules are related to filtering, so iptables assumes that any chain that's defined without an associated table will be a part of the filter table. The filter table is therefore the default.

To help make this clearer, take a look at the way packets are handled by iptables. In the figure, a TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection. The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed.

If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT in the POSTROUTING chain before arriving at Network B. When the destination server decides to reply, the packet undergoes the same sequence of steps. Both the FORWARD and POSTROUTING chains may be configured to implement quality of service (QoS) features in their mangle tables, but this is not usually done in SOHO environments.

If the packet is destined for the firewall itself, then it passes through the mangle table of the INPUT chain, if configured, before being filtered by the rules in the INPUT chain of the filter table. If it successfully passes these tests then it is processed by the intended application on the firewall. At some point, the firewall needs to reply. This reply is routed and inspected by the rules in the OUTPUT chain of the mangle table, if any. Next, the rules in the OUTPUT chain of the nat table determine whether DNAT is required and the rules in the OUTPUT chain of the filter table are then inspected to help restrict unauthorized packets. Finally, before the packet is sent back to the Internet, SNAT and QoS mangling is done by the POSTROUTING chain.

(Figure: Iptables Packet Flow Diagram)
It is now time to discuss the ways in which you add rules to these chains.
Exercise-4:- This exercise is about targets and jumps.
Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing. The following table lists the built-in targets that iptables uses.

Table: Descriptions Of The Most Commonly Used Targets

ACCEPT
  Description: iptables stops further processing. The packet is handed over to the end application or the operating system for processing.
  Most common options: N/A

DROP
  Description: iptables stops further processing. The packet is blocked.
  Most common options: N/A

LOG
  Description: The packet information is sent to the syslog daemon for logging. iptables continues processing with the next rule in the table. As you can't log and drop at the same time, it is common to have two similar rules in sequence. The first will log the packet, the second will drop it.
  Most common options: --log-prefix "string" tells iptables to prefix all log messages with a user defined string. Frequently used to tell why the logged packet was dropped.

REJECT
  Description: Works like the DROP target, but will also return an error message to the host sending the packet that the packet was blocked.
  Most common options: --reject-with qualifier. The qualifier tells what type of reject message is returned. Qualifiers include: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, tcp-reset, echo-reply.

DNAT
  Description: Used to do destination network address translation, i.e. rewriting the destination IP address of the packet.
  Most common options: --to-destination ipaddress tells iptables what the destination IP address should be.

SNAT
  Description: Used to do source network address translation, rewriting the source IP address of the packet. The source IP address is user defined.
  Most common options: --to-source <address>[-<address>][:<port>-<port>] specifies the source IP address and ports to be used by SNAT.

MASQUERADE
  Description: Used to do source network address translation. By default the source IP address is the same as that used by the firewall's interface.
  Most common options: [--to-ports <port>[-<port>]] specifies the range of source ports to which the original source port can be mapped.

Important Iptables Command Switch Operations
Each line of an iptables script not only has a jump, but also has a number of command line options that are used to append rules to chains that match your defined packet characteristics, such as the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again. The following tables list the most common options.

Table: General Iptables Match Criteria
-t <table>            If you don't specify a table, then the filter table is assumed. As discussed before, the possible built-in tables include: filter, nat, mangle
-j <target>           Jump to the specified target chain when the packet matches the current rule.
-A <chain>            Append rule to end of a chain
-F                    Flush. Deletes all the rules in the selected table
-p <protocol-type>    Match protocol. Types include icmp, tcp, udp, and all
-s <ip-address>       Match source IP address
-d <ip-address>       Match destination IP address
-i <interface-name>   Match "input" interface on which the packet enters.
-o <interface-name>   Match "output" interface on which the packet exits
In this command switches example:
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT
iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192.168.1.1. The 0/0 representation of an IP address means any.

Table: Common TCP and UDP Match Criteria
-p tcp --sport <port>   TCP source port. Can be a single value or a range in the format: start-port-number:end-port-number
-p tcp --dport <port>   TCP destination port. Can be a single value or a range in the format: starting-port:ending-port
-p tcp --syn            Used to identify a new TCP connection request. ! --syn means not a new connection request
-p udp --sport <port>   UDP source port. Can be a single value or a range in the format: starting-port:ending-port
-p udp --dport <port>   UDP destination port. Can be a single value or a range in the format: starting-port:ending-port
In this example: iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \ --sport 1024:65535 --dport 80 -j ACCEPT iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for an IP address of 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http).
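The following script is an added example, not part of the lab manual or of the iptables package. It puts the switches and targets above together in a minimal firewall that uses only the options covered in this lab (no connection-tracking module). IPT defaults to "echo iptables", so running the script as an ordinary user only prints the rules it would load; as root, IPT=iptables applies them. The addresses and interfaces are the lab's own example values, here assumed as a topology: eth0 faces the Internet, the firewall is 192.168.1.1, a web server at 192.168.1.58 sits behind eth1, and allowing SSH to the firewall is this example's assumption, not the lab's.

```shell
#!/bin/sh
# Added example, not taken from the lab manual: a minimal filter-table
# firewall built from the lab's switches and targets. Dry-run by default.
IPT="${IPT:-echo iptables}"
FW_IP="${FW_IP:-192.168.1.1}"
WEB_IP="${WEB_IP:-192.168.1.58}"

basic_firewall() {
    # Clear the filter table (the default table, so no -t is needed) and
    # deny by default; the rules below open only what is required.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Traffic on the loopback interface never leaves the firewall.
    $IPT -A INPUT -i lo -j ACCEPT

    # The firewall itself: accept SSH from anywhere (0/0 means any source)
    # and accept replies to connections the firewall opened. A reply is a
    # TCP segment that is not a connection request, i.e. ! --syn.
    $IPT -A INPUT -i eth0 -s 0/0 -d "$FW_IP" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i eth0 -d "$FW_IP" -p tcp ! --syn -j ACCEPT

    # Routed traffic: the lab's FORWARD example (web requests from the
    # Internet to the internal server) plus the server's replies back out.
    $IPT -A FORWARD -s 0/0 -i eth0 -d "$WEB_IP" -o eth1 -p tcp \
        --sport 1024:65535 --dport 80 -j ACCEPT
    $IPT -A FORWARD -s "$WEB_IP" -i eth1 -o eth0 -p tcp \
        --sport 80 ! --syn -j ACCEPT

    # Everything else that reaches the end of INPUT or FORWARD: LOG does
    # not stop processing, so it is followed by DROP, the two-rule pattern
    # from the targets table. The prefix makes the syslog lines easy to find.
    $IPT -A INPUT -j LOG --log-prefix "IPTABLES INPUT DROP: "
    $IPT -A INPUT -j DROP
    $IPT -A FORWARD -j LOG --log-prefix "IPTABLES FORWARD DROP: "
    $IPT -A FORWARD -j DROP
}

# log_precedes_drop CHAIN
# Reads a generated rule list on stdin and returns 0 if the chain's LOG
# rule appears before its DROP rule (the order that makes logging useful).
log_precedes_drop() {
    awk -v chain="$1" '
        $0 ~ ("-A " chain " ") && /-j LOG/  && !log_at  { log_at = NR }
        $0 ~ ("-A " chain " ") && /-j DROP/ && !drop_at { drop_at = NR }
        END { exit !(log_at && drop_at && log_at < drop_at) }'
}

# Print (or, with IPT=iptables as root, apply) the rule set.
basic_firewall
```

Run it once as a dry run and pipe the output through log_precedes_drop INPUT before applying it; because the default policies are DROP, a rule left out by mistake locks traffic out rather than letting it in, so keep a console session open when loading it on a remote firewall.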
Exercise-5:- This exercise demonstrates a sample iptables script for basic operating system defense.
You can do several things before employing your firewall script to improve the resilience of your firewall to attack. For example, the Linux operating system has a number of built-in protection mechanisms that you should activate by modifying the system kernel parameters in the /proc filesystem via the /etc/sysctl.conf file. Here is a sample configuration:
# File: /etc/sysctl.conf
#---------------------------------------------------------------
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
#---------------------------------------------------------------
net/ipv4/conf/all/rp_filter = 1
#---------------------------------------------------------------
# Enable logging of packets with malformed IP addresses
#---------------------------------------------------------------
net/ipv4/conf/all/log_martians = 1
#---------------------------------------------------------------
# Disable redirects
#---------------------------------------------------------------
net/ipv4/conf/all/send_redirects = 0
#---------------------------------------------------------------
# Disable source routed packets
#---------------------------------------------------------------
net/ipv4/conf/all/accept_source_route = 0
#---------------------------------------------------------------
# Disable acceptance of ICMP redirects
#---------------------------------------------------------------
net/ipv4/conf/all/accept_redirects = 0
#---------------------------------------------------------------
# Turn on protection from Denial of Service (DOS) attacks
#---------------------------------------------------------------
net/ipv4/tcp_syncookies = 1
#---------------------------------------------------------------
# Disable responding to ping broadcasts
#---------------------------------------------------------------
net/ipv4/icmp_echo_ignore_broadcasts = 1
#---------------------------------------------------------------
# Enable IP routing. Required if your firewall is protecting a
# network, NAT included
#---------------------------------------------------------------
net/ipv4/ip_forward = 1
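The following script is an added example, not part of the lab manual or of the sysctl tools. It audits a sysctl.conf-style file against the protection settings listed above and reports which ones are missing or set to the wrong value. Keys may be written with dots (net.ipv4.conf.all.rp_filter, the usual sysctl spelling) or with slashes as in the lab; both are normalised before comparison. ip_forward is left out of the audit because enabling it is a routing decision rather than a protection. The file path is a parameter (assumption) so the audit can be run on any copy of the file.

```shell
#!/bin/sh
# Added example, not taken from the lab manual: audits a sysctl.conf file
# against the hardening settings the lab enables.

# The settings the lab enables, in key=value form (slash spelling).
HARDENING_SETTINGS="
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/log_martians=1
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/accept_redirects=0
net/ipv4/tcp_syncookies=1
net/ipv4/icmp_echo_ignore_broadcasts=1
"

# conf_value FILE KEY
# Prints the last value assigned to KEY in FILE (comments and blank lines
# skipped, dots and slashes treated alike); prints nothing when unset.
conf_value() {
    key=$(printf '%s' "$2" | tr '.' '/')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/\./, "/", k)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# live_value KEY
# Prints the running kernel's current value of KEY from /proc/sys, which
# is what actually applies until sysctl -p reloads the file.
live_value() {
    cat "/proc/sys/$(printf '%s' "$1" | tr '.' '/')" 2>/dev/null
}

# check_sysctl_hardening FILE
# Prints one OK/MISSING line per setting; returns 1 if any setting is
# absent from the file or differs from the expected value.
check_sysctl_hardening() {
    fails=0
    for setting in $HARDENING_SETTINGS; do
        key=${setting%%=*}
        want=${setting#*=}
        have=$(conf_value "$1" "$key")
        if [ "$have" = "$want" ]; then
            printf 'OK       %s = %s\n' "$key" "$want"
        else
            printf 'MISSING  %s = %s (file has: %s)\n' "$key" "$want" "${have:-unset}"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}
```

check_sysctl_hardening /etc/sysctl.conf tells you what the file will set at the next boot or sysctl -p; compare with live_value net.ipv4.tcp_syncookies (and the others) to see whether the running kernel already has them, since editing the file alone changes nothing until it is reloaded.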
Exercises for lab
Exercise 1:- Check the iptables package and install the package using the online installation utilities available (apt-get or yum).
Exercise 2:- Check the status of the iptables process. Start, stop and restart the process.
Exercise 3:- Configure the firewall to allow local networks.
Home Work
1) What were the limitations of ipchains that were overcome in iptables?
2) Which level of security is provided by a firewall?
Lab 22: Configuring Linux FTP Server
To understand configuring a Linux FTP server
Lab No. 22: Configuring Linux FTP Server
Objective: To familiarize students with the working of an FTP server and the configuration of the FTP server.
Scope: The students would be able to do the following at the end of this lab:
• Install/manage FTP services on a Linux machine.
• Configure FTP for anonymous access.
• Configure FTP for restricted access.
Useful Concepts

FTP Overview
FTP relies on a pair of TCP ports to get the job done. It operates in two connection channels:
• FTP Control Channel, TCP Port 21: All commands you send and the FTP server's responses to those commands will go over the control connection, but any data sent back (such as "ls" directory lists or actual file data in either direction) will go over the data connection.
• FTP Data Channel, TCP Port 20: This port is used for all subsequent data transfers between the client and server.

Regular FTP
By default, the VSFTPD package allows regular Linux users to copy files to and from their home directories with an FTP client using their Linux usernames and passwords as their login credentials. VSFTPD also has the option of allowing this type of access to only a group of Linux users, enabling you to restrict the addition of new files to your system to authorized personnel. The disadvantage of regular FTP is that it isn't suitable for general download distribution of software as everyone either has to get a unique Linux user account or has to use a shared username and password. Anonymous FTP allows you to avoid this difficulty.

Anonymous FTP
Anonymous FTP is the choice of Web sites that need to exchange files with numerous unknown remote users. Common uses include downloading software updates and MP3s and uploading diagnostic information for a technical support engineer's attention. Unlike regular FTP where you log in with a preconfigured Linux username and password, anonymous FTP requires only a username of anonymous and your email address for the password. Once logged in to a VSFTPD server, you automatically have access to only the default anonymous FTP directory (/var/ftp in the case of VSFTPD) and all its subdirectories.
Exercise-1:- This exercise illustrates how to get VSFTPD started with Fedora, Red Hat, Ubuntu and Debian.
You can start, stop, or restart VSFTPD after booting by using these commands:
[root@tmp]# /etc/init.d/vsftpd start
[root@tmp]# /etc/init.d/vsftpd stop
[root@tmp]# /etc/init.d/vsftpd restart
With Red Hat / Fedora you can configure VSFTPD to start at boot using the chkconfig command:
[root@tmp]# chkconfig vsftpd on
With Ubuntu / Debian the sysv-rc-conf command can be used like this (the service name must be given):
root@u-bigboy:/tmp# sysv-rc-conf vsftpd on
Note: In Red Hat Linux version 8.0 and earlier, VSFTPD operation is controlled by the xinetd process.
Exercise-2:- This exercise is about testing the status of VSFTPD.
You can always test whether the VSFTPD process is running by using the netstat -a command, which lists all the TCP and UDP ports on which the server is listening for traffic. This example shows the expected output.
[root@root]# netstat -a | grep ftp
tcp        0      0 *:ftp                   *:*                     LISTEN
[root@root]#
If VSFTPD wasn't running, there would be no output at all.
Exercise-3:- This exercise describes important configuration files related to the FTP server.
VSFTPD reads the contents of its vsftpd.conf configuration file only when it starts, so you'll have to restart VSFTPD each time you edit the file in order for the changes to take effect. The file may be located in either the /etc or the /etc/vsftpd directory depending on your Linux distribution. This file uses a number of default settings you need to know about.
• VSFTPD runs as an anonymous FTP server. Unless you want any remote user to log in to your default FTP directory using a username of anonymous and a password that's the same as their email address, I would suggest turning this off. The configuration file's anonymous_enable directive can be set to no to disable this feature. You'll also need to simultaneously enable local users to be able to log in by removing the comment symbol (#) before the local_enable instruction.
• If you enable anonymous FTP with VSFTPD, remember to define the root directory that visitors will visit. This is done with the anon_root directive:
  anon_root=/data/directory
• VSFTPD allows only anonymous FTP downloads to remote users, not uploads from them. This can be changed by modifying the anon_upload_enable directive shown later.
• VSFTPD doesn't allow anonymous users to create directories on your FTP server. You can change this by modifying the anon_mkdir_write_enable directive.
• VSFTPD logs FTP access to the /var/log/vsftpd.log log file. You can change this by modifying the xferlog_file directive.
• By default VSFTPD expects files for anonymous FTP to be placed in the /var/ftp directory. You can change this by modifying the anon_root directive. There is always the risk with anonymous FTP that users will discover a way to write files to your anonymous FTP directory. You run the risk of filling up your /var partition if you use the default setting. It is best to make the anonymous FTP directory reside in its own dedicated partition.

The configuration file is fairly straightforward, as you can see in the snippet below where we enable anonymous FTP and individual accounts simultaneously.
# Allow anonymous FTP?
anonymous_enable=YES
...
# The directory which vsftpd will try to change
# into after an anonymous login. (Default = /var/ftp)
anon_root=/data/directory
...
# Uncomment this to allow local users to log in.
local_enable=YES
...
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
...
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
...
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
...
# Activate logging of uploads/downloads.
xferlog_enable=YES
...
# You may override where the log file goes if you like.
# The default is shown below.
xferlog_file=/var/log/vsftpd.log
...
To activate or deactivate a feature, remove or add the # at the beginning of the appropriate line.

Other vsftpd.conf Options
There are many other options you can add to this file:
• Limiting the maximum number of client connections (max_clients)
• Limiting the number of connections by source IP address (max_per_ip)
• The maximum rate of data transfer per anonymous login (anon_max_rate)
• The maximum rate of data transfer per non-anonymous login (local_max_rate)

FTP Security Issues
FTP has a number of security drawbacks, but you can overcome them in some cases. You can restrict an individual Linux user's access to non-anonymous FTP, and you can change the configuration to not display the FTP server's software version information, but unfortunately, though very convenient, FTP logins and data transfers are not encrypted.

The /etc/vsftpd.ftpusers File
For added security, you may restrict FTP access to certain users by adding them to the list of users in the /etc/vsftpd.ftpusers file. The VSFTPD package creates this file with a number of entries for privileged users that normally shouldn't have FTP access. As FTP doesn't encrypt passwords, thereby increasing the risk of data or passwords being compromised, it is a good idea to let these entries remain and add new entries for additional security.
Exercise-4:- This exercise illustrates anonymous uploads on FTP and banner settings.
If you want remote users to write data to your FTP server, then you should create a write-only directory within /var/ftp/pub. This will allow your users to upload but not access other files uploaded by other users. The commands you need are:
[root@tmp]# mkdir /var/ftp/pub/upload
[root@tmp]# chmod 722 /var/ftp/pub/upload

FTP Greeting Banner
Change the default greeting banner in the vsftpd.conf file to make it harder for malicious users to determine the type of system you have. The directive in this file is:
ftpd_banner=New Banner Here
Exercise-5:- This exercise illustrates privileged user settings.
In this example, anonymous FTP is not desired, but a group of trusted users need to have read only access to a directory for downloading files. Here are the steps:
1) Disable anonymous FTP by setting the anonymous_enable line in the vsftpd.conf file to NO like this:
# Allow anonymous FTP?
anonymous_enable=NO
2) Enable individual logins by making sure you have the local_enable line uncommented in the vsftpd.conf file like this:
# Uncomment this to allow local users to log in.
local_enable=YES
3) Start VSFTPD.
[root@tmp]# service vsftpd start
4) Create a user group and shared directory. In this case, use /home/ftp-docs and a user group name of ftp-users for the remote users.
[root@tmp]# groupadd ftp-users
[root@tmp]# mkdir /home/ftp-docs
5) Make the directory accessible to the ftp-users group.
[root@tmp]# chmod 750 /home/ftp-docs
[root@tmp]# chown root:ftp-users /home/ftp-docs
6) Add users, and make their default directory /home/ftp-docs.
[root@tmp]# useradd -g ftp-users -d /home/ftp-docs user1
[root@tmp]# useradd -g ftp-users -d /home/ftp-docs user2
[root@tmp]# useradd -g ftp-users -d /home/ftp-docs user3
[root@tmp]# useradd -g ftp-users -d /home/ftp-docs user4
[root@tmp]# passwd user1
[root@tmp]# passwd user2
[root@tmp]# passwd user3
[root@tmp]# passwd user4
7) Copy files to be downloaded by your users into the /home/ftp-docs directory.
8) Change the permissions of the files in the /home/ftp-docs directory for read only access by the group.
[root@tmp]# chown root:ftp-users /home/ftp-docs/*
[root@tmp]# chmod 740 /home/ftp-docs/*
Users should now be able to log in via FTP to the server using their new usernames and passwords. If you absolutely don't want any FTP users to be able to write to any directory, then you should set the write_enable line in your vsftpd.conf file to NO:
write_enable=NO
Remember, you must restart VSFTPD for the configuration file changes to take effect.
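The following script is an added example, not part of the lab manual or of the vsftpd package. It reviews a vsftpd.conf and reports what anonymous and local users can effectively do, applying the defaults described in Exercise-3 for any directive that is absent (anonymous logins on, local logins off, write_enable off, anonymous uploads and mkdir off, anon_root /var/ftp). That matters because, as the comments in the snippet say, anonymous writes need write_enable and the specific anonymous directive together, so reading one line in isolation gives the wrong answer. The file path is a parameter (assumption) so the review works on any copy of the file, including the snippets in this lab.

```shell
#!/bin/sh
# Added example, not taken from the lab manual: reports the effective
# access a vsftpd.conf grants, with vsftpd's documented defaults applied.

# vsftpd_option FILE KEY DEFAULT
# Prints the last uncommented value of KEY in FILE, or DEFAULT when unset.
# vsftpd requires "key=value" with no spaces; stray spaces are tolerated
# here so a mistyped line is reviewed instead of silently ignored.
vsftpd_option() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# is_yes VALUE -> 0 for the spellings vsftpd accepts as true
is_yes() {
    case $(printf '%s' "$1" | tr 'a-z' 'A-Z') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# vsftpd_review FILE
# Prints the effective access settings and returns 1 when anonymous users
# could write to the server (upload files or create directories).
vsftpd_review() {
    f="$1"; risky=0
    anon=$(vsftpd_option "$f" anonymous_enable YES)
    local_v=$(vsftpd_option "$f" local_enable NO)
    write_v=$(vsftpd_option "$f" write_enable NO)
    upload_v=$(vsftpd_option "$f" anon_upload_enable NO)
    mkdir_v=$(vsftpd_option "$f" anon_mkdir_write_enable NO)
    banner=$(vsftpd_option "$f" ftpd_banner "")
    root=$(vsftpd_option "$f" anon_root /var/ftp)

    if is_yes "$anon"; then
        printf 'anonymous login: ENABLED (anon_root %s)\n' "$root"
        # Anonymous writes need the global write_enable plus the specific
        # anonymous directive, exactly as the config comments describe.
        if is_yes "$write_v" && is_yes "$upload_v"; then
            printf 'anonymous upload: ENABLED\n'; risky=1
        else
            printf 'anonymous upload: disabled\n'
        fi
        if is_yes "$write_v" && is_yes "$mkdir_v"; then
            printf 'anonymous mkdir: ENABLED\n'; risky=1
        else
            printf 'anonymous mkdir: disabled\n'
        fi
    else
        printf 'anonymous login: disabled\n'
    fi
    if is_yes "$local_v"; then
        if is_yes "$write_v"; then
            printf 'local logins: ENABLED, writes allowed\n'
        else
            printf 'local logins: ENABLED, read only\n'
        fi
    else
        printf 'local logins: disabled\n'
    fi
    if [ -n "$banner" ]; then
        printf 'banner: custom\n'
    else
        printf 'banner: default (announces the vsftpd version)\n'
    fi
    [ "$risky" -eq 0 ]
}
```

Run vsftpd_review /etc/vsftpd/vsftpd.conf (or /etc/vsftpd.conf) before each restart; for the read-only group setup above the expected output is anonymous login disabled and local logins enabled read only, and a non-zero exit is the cue to look for an anon_upload_enable or anon_mkdir_write_enable line that was uncommented by mistake.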
Exercises for lab
Exercise 1:- Install the FTP server.
Exercise 2:- Configure FTP to start at system boot.
Exercise 3:- Allow anonymous users to only read from a shared directory.
Home Work
1) Configure the FTP server to allow only a certain group of users to write to the shared directory.
Lab 23: Telnet and TFTP and XINETD
To understand the Telnet and TFTP and XINETD
Lab No. 23: Telnet and TFTP and XINETD Objective: To familiarize students with the working and configuration of Telnet Server and TFTP Server
Scope: The students would be able to do the following at the end of this lab:
• Understand and configure the xinetd service
• Install and configure Telnet Server
• Implement security for Telnet access
• Install and configure TFTP server software
Useful Concepts: Telnet Telnet is a program that allows users to log into your server and get a command prompt just as if they were logged into the VGA console. The Telnet server RPM is installed and disabled by default on Fedora Linux.
Exercise-1:- This exercise illustrates how to control xinetd. The starting and stopping of the xinetd daemon is controlled by scripts in the /etc/init.d directory and its behavior at boot time is controlled by chkconfig. You can start/stop/restart xinetd after booting by using the following commands:
        [root@root]# service xinetd start
        [root@root]# service xinetd stop
        [root@root]# service xinetd restart
To get xinetd configured to start at boot you can use the chkconfig command.
        [root@root]# chkconfig xinetd on
Installing The Telnet Server Software
Older versions of RedHat had the Telnet server installed by default. Fedora Linux doesn't do this and you will have to install it yourself. When searching for the file, remember that the Telnet server RPM's filename usually starts with the word "telnet-server" followed by a version number as in telnet-server-0.17-28.i386.rpm. With Debian / Ubuntu, the Telnet server package would have a "telnetd" prefix like this: telnetd_0.1732_i386.deb.
Basic Telnet Security
There are a number of things you can do to improve the security of telnet. For example, you should try to ensure that telnet sessions run over secure internal networks or across VPNs to reduce the risk of exposing sensitive data to unauthorized eyes. Check out some other options below.
Let Telnet Listen On Another TCP Port
Letting telnet run on an alternate TCP port doesn't encrypt the traffic, but it makes it less likely to be detected as telnet traffic. Remember that this isn't a foolproof strategy; good port scanning programs can detect telnet and other applications running on alternative ports.
1) Edit your /etc/services file and add an entry for a new service. Call it stelnet.
        # Local services
        stelnet         7777/tcp        # "secure" telnet
2) Copy the telnet configuration file called /etc/xinetd.d/telnet and call it /etc/xinetd.d/stelnet:
        [root@tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet
3) Edit the new /etc/xinetd.d/stelnet file. Make the new service stelnet and add a port statement for TCP port 7777.
        # default: on
        # description: The telnet server serves telnet sessions
        # unencrypted username/password pairs for authentication.
        service stelnet
        {
                flags           = REUSE
                socket_type     = stream
                wait            = no
                user            = root
                server          = /usr/sbin/in.telnetd
                log_on_failure  += USERID
                disable         = no
                port            = 7777
        }
4) Use chkconfig to activate stelnet.
        [root@tmp]# chkconfig stelnet on
5) Check to make sure your server is now listening on port 7777 with the netstat command.
        [root@tmp]# netstat -an | grep 777
        tcp        0      0 0.0.0.0:7777            0.0.0.0:*               LISTEN
        [root@tmp]#
You should now be able to log in to the new stelnet server on port 7777. This is done using the telnet command with the TCP port as the second argument.
        [root@tmp]# telnet 192.168.1.100 7777
        Trying 192.168.1.100...
        Connected to 192.168.1.100.
        Escape character is '^]'.
        Fedora Core release 2 (Tettnang)
        Kernel 2.6.8-1.521 on an i686
        login:
Let Telnet Allow Connections From Trusted Addresses
You can restrict telnet login access to individual remote servers by using the only_from keyword in the telnet configuration file. Here's how.
1) Add a list of trusted servers to the /etc/xinetd.d/telnet file separated by spaces:
        # default: on
        # description: The telnet server serves telnet sessions
        # unencrypted username/password pairs for authentication.
        service telnet
        {
                flags           = REUSE
                socket_type     = stream
                wait            = no
                user            = root
                server          = /usr/sbin/in.telnetd
                log_on_failure  += USERID
                disable         = no
                only_from       = 192.168.1.100 127.0.0.1 192.168.1.200
        }
2) Restart telnet.
        [root@tmp]# chkconfig telnet off
        [root@tmp]# chkconfig telnet on
3) Test the telnet session. Servers that are not on the trusted list get the message "Connection closed by foreign host".
        [root@tmp]# telnet 192.168.1.100
        Trying 192.168.1.100...
        Connected to 192.168.1.100.
        Escape character is '^]'.
        Connection closed by foreign host.
        [root@tmp]#
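As an added example (not part of the lab manual), the following shell script summarises the access controls of xinetd service files like the telnet and stelnet definitions above: whether each service is enabled, which port it listens on and which only_from addresses it accepts, so an administrator can spot enabled services that are open to any source address. The two sample service files it writes are constructed from this lab's definitions; /etc/xinetd.d appears only as the directory you would point it at on a real host.

```shell
#!/bin/sh
# Added example (not part of the lab manual): report the access controls of
# xinetd service definitions such as the telnet and stelnet files above.

# xinetd_service_report FILE
# Prints one line per "service" block in FILE:
#   <name> enabled=<yes|no> port=<port|services-file> only_from=<list|ANY>
# "services-file" means no port statement overrides /etc/services; "ANY"
# means no only_from statement restricts the source addresses.
xinetd_service_report() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
    /^[ \t]*service[ \t]+/ {                          # start of a service block
      name = $2; disable = "no"; port = "services-file"; only = ""; next
    }
    /^[ \t]*}/ {                                      # end of block: emit summary
      printf "%s enabled=%s port=%s only_from=%s\n", name,
        ((disable == "no") ? "yes" : "no"), port, ((only == "") ? "ANY" : only)
      next
    }
    /=/ {                                             # "attribute = value" lines
      key = $0; sub(/^[ \t]+/, "", key); sub(/[ \t]*[+]?=.*$/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      if (key == "disable") disable = val
      else if (key == "port") port = val
      else if (key == "only_from")                    # "+=" appends, "=" replaces
        only = (index($0, "+=") && only != "") ? only " " val : val
    }
  ' "$1"
}

# xinetd_unrestricted_services DIR
# Names every enabled service under DIR (normally /etc/xinetd.d) that has no
# only_from restriction, i.e. that accepts connections from any address.
xinetd_unrestricted_services() {
  for f in "$1"/*; do
    [ -f "$f" ] && xinetd_service_report "$f"
  done | awk '/ enabled=yes / && / only_from=ANY$/ { print $1 }'
}

# make_sample_xinetd_dir
# Writes two constructed service files (the restricted telnet and the
# unrestricted stelnet definitions from this lab) into a temporary directory
# and prints its path.
make_sample_xinetd_dir() {
  d=$(mktemp -d)
  cat > "$d/telnet" <<'EOF'
# default: on
# description: The telnet server serves telnet sessions
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 192.168.1.100 127.0.0.1
        only_from       += 192.168.1.200
}
EOF
  cat > "$d/stelnet" <<'EOF'
# default: on
service stelnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
        port            = 7777
}
EOF
  printf '%s\n' "$d"
}

# Demonstration on the constructed files (use /etc/xinetd.d on a real host).
sample_dir=$(make_sample_xinetd_dir)
xinetd_service_report "$sample_dir/telnet"
xinetd_service_report "$sample_dir/stelnet"
echo "Enabled services open to any source address:"
xinetd_unrestricted_services "$sample_dir"
rm -rf "$sample_dir"
```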
Configuring The TFTP Server
The procedure to set up a TFTP Server is straightforward, but it is different between the Redhat and Debian distributions as we will soon see.
Redhat / Fedora
By default, the TFTP application expects files to be located in the /tftpboot directory. You can change this setting in the /etc/xinetd.d/tftp file via the server_args option. It is usually best to place the TFTP files in a partition other than the root partition. TFTP files of increasing size could eventually fill the partition, affecting your ability to install new software or even the overall performance of your system. Creating a symbolic link for /tftpboot to another directory will not work with all versions of Fedora. This example creates a new tftpboot directory in the /var partition, and then configures TFTP to be enabled while using the new directory.
        [root@tmp]# mv /tftpboot /var
        [root@tmp]# vi /etc/xinetd.d/tftp
        #
        # File /etc/xinetd.d/tftp
        #
        service tftp
        {
                ...
                ...
                server_args     = -s /var/tftpboot
                disable         = no
        }
Debian / Ubuntu
With the Debian / Ubuntu distributions, the TFTP server configuration file is /etc/default/tftpd-hpa and by default it instructs the TFTP daemon to use the /var/lib/tftpboot directory to store its files. Also by default, the daemon is disabled. Another thing to remember is that the tftpd-hpa server daemon runs independently of xinetd and has its own startup script in the /etc/init.d directory. By default, the daemon is started at boot time, but the configuration file's default setting disables it by forcing the daemon to exit prematurely.
This example enables the daemon in the configuration file and then starts the TFTP server:
        root@/tmp# vi /etc/default/tftpd-hpa
        ...
        ...
        #
        # File: /etc/default/tftpd-hpa
        #
        #Defaults for tftpd-hpa
        RUN_DAEMON="yes"
        OPTIONS="-l -s /var/lib/tftpboot"
        ...
        ...
        root@/tmp# /etc/init.d/tftpd-hpa start
        Starting HPA's tftpd: in.tftpd.
        root@/tmp#
Note: With both Redhat and Debian distributions, you can test whether the TFTP process is running with the netstat command, which is used to check the TCP/UDP ports on which your server is listening. If it isn't running then there will be no output.
        [root@tmp]# netstat -a | grep tftp
        udp        0      0 *:tftp                  *:*
        [root@tmp]#
Exercises for lab:
Exercise 1:- Configure xinetd to start at system boot.
Exercise 2:- Download / install Telnet and TFTP server.
Exercise 3:- Configure Telnet server and implement security for telnet access.
Exercise 4:- Configure TFTP server.
Home Work:
1) Compare the FTP and TFTP protocols.
2) Describe the purpose of the xinetd program.
3) What is the main difference between TELNET and SSH servers?
Lab 24: Web Hosting With the Apache Web Server
To understand the Web Hosting With the Apache Web Server
Lab No. 24: Web Hosting With the Apache Web Server Objective: To familiarize students with the configuration of Apache Web Server.
Scope: The students would be able to do the following at the end of this lab:
• Configure basic functions of the Apache web server
• Configure named virtual hosts
• Configure IP-based virtual hosts
Useful Concepts:
General Configuration
The configuration file used by Apache is /etc/httpd/conf/httpd.conf in Redhat / Fedora distributions and /etc/apache*/httpd.conf in Debian / Ubuntu distributions. As for most Linux applications, you must restart Apache before changes to this configuration file take effect.
Where To Put Your Web Pages
All the statements that define the features of each web site are grouped together inside their own section, or <VirtualHost> container, in the httpd.conf file. The most commonly used statements, or directives, inside a container are:
• servername: Defines the name of the website managed by the container. This is needed in named virtual hosting only.
• DocumentRoot: Defines the directory in which the web pages for the site can be found.
By default, Apache searches the DocumentRoot directory for an index, or home, page named index.html. So for example, if you have a servername of www.my-site.com with a DocumentRoot directory of /home/www/site1/, Apache displays the contents of the file /home/www/site1/index.html when you enter http://www.my-site.com in your browser.
Named Virtual Hosting
You can make your Web server host more than one site per IP address by using Apache's named virtual hosting feature. You use the NameVirtualHost directive in the /etc/httpd/conf/httpd.conf file to tell Apache which IP addresses will participate in this feature. The <VirtualHost> containers in the file then tell Apache where it should look for the Web pages used on each Web site. You must specify the IP address for which each container applies.
Named Virtual Hosting Example
Consider an example in which the server is configured to provide content on 97.158.253.26. In the code that follows, notice that within each container you specify the primary Web site domain name for that IP address with the ServerName directive. The DocumentRoot directive defines the directory that contains the index page for that site.
        NameVirtualHost 97.158.253.26

        <VirtualHost 97.158.253.26>
            Default Directives. (In other words, not site #1 or site #2)
        </VirtualHost>

        <VirtualHost 97.158.253.26>
            servername www.my-site.com
            Directives for site #1
        </VirtualHost>

        <VirtualHost 97.158.253.26>
            servername www.another-site.com
            Directives for site #2
        </VirtualHost>
IP-Based Virtual Hosting
The other virtual hosting option is to have one IP address per Web site, which is also known as IP-based virtual hosting. In this case, you will not have a NameVirtualHost directive for the IP address, and you must only have a single <VirtualHost> container per IP address. Also, because there is only one Web site per IP address, the ServerName directive isn't needed in each container, unlike in named virtual hosting.
IP Virtual Hosting Example: Wild Card and IP addresses
In this example, Apache listens on all interfaces, but gives different content for addresses 97.158.253.26 and 97.158.253.27. Web surfers get the site1 content if they try to access the web server on any of its other IP addresses.
        <VirtualHost *>
            DocumentRoot /home/www/site1
        </VirtualHost>

        <VirtualHost 97.158.253.26>
            DocumentRoot /home/www/site2
        </VirtualHost>

        <VirtualHost 97.158.253.27>
            DocumentRoot /home/www/site3
        </VirtualHost>
Exercises for lab:
Exercise 1:- Configure Apache server to load at system startup.
Exercise 2:- Configure multiple websites on a single IP address.
Exercise 3:- Configure different websites on different IP addresses.
Home Work:
1) Write the configuration lines required to set up a web server with IP address 25.15.12.14 for two websites that have the web addresses course.nos.com and nos.operatingsystem.com respectively.
Lab 25: Monitoring Server Performance
To understand network performance Monitoring
Lab No. 25: Monitoring Server Performance Objective: To familiarize students with the use of graphical Linux tools, including MRTG and Webalizer, to monitor server performance.
Scope: On the completion of this lab, students will be able to:
• Use MRTG
• Download and install MRTG
• Configure MRTG
• Get MRTG to poll multiple devices
• Configure Apache to work with MRTG
• Use Webalizer
• View your Webalizer statistics
• Understand the Webalizer configuration file
Useful Concepts:
SNMP
• Simple Network Management Protocol, a protocol for network management
MIB
• Management Information Base
• A database used to keep the operational statistics of routers and firewalls
• Files for devices that define the functions of the OIDs they contain
OID
• Object identifier
MRTG
• Multi-Router Traffic Grapher
• Based on SNMP and monitors raw network traffic
• A public domain package for producing graphs of various router statistics via a Web page
Webalizer
• A utility that tracks Web site hits, to monitor your system's Web performance
Exercise-1:- This exercise illustrates SNMP queries. Configuring SNMP on a server isn't hard, but it does require a number of detailed steps.
Installing SNMP Utilities on a Linux Server
If you intend to use your Linux box to query your network devices, other servers or even itself using MRTG or any other tool, you need to have the SNMP utility tools package net-snmp-utils installed. This package may also require pre-requisite packages, so it is best to use an automated package updater such as yum or apt to do this.
When searching for these packages the filenames will start with the package name followed by a version number, as in net-snmp-utils-5.1.1-2.i386.rpm.
SNMP Utilities Command Syntax
The SNMP utility tools package installs a number of new commands on your system for doing SNMP queries, most notably snmpget for individual OIDs and snmpwalk for obtaining the contents of an entire MIB. Both commands require you to specify the community string with a -c operator. They also require you to specify the version of the SNMP query to be used with a -v 1, -v 2c, or -v 3 operator for versions 1, 2, and 3, respectively. The first argument is the name or IP address of the target device and all other arguments list the MIBs to be queried. This example gets all the values in the interface MIB of the local server using SNMP version 1 and the community string of craz33guy.
        [root@bigboy tmp]# snmpwalk -v 1 -c craz33guy localhost interface
        ...
        ...
        IF-MIB::ifDescr.1 = STRING: lo
        IF-MIB::ifDescr.2 = STRING: eth0
        IF-MIB::ifDescr.3 = STRING: eth1
        ...
        ...
        IF-MIB::ifPhysAddress.1 = STRING:
        IF-MIB::ifPhysAddress.2 = STRING: 0:9:5b:2f:9e:d5
        IF-MIB::ifPhysAddress.3 = STRING: 0:b0:d0:46:32:71
        ...
        ...
        [root@bigboy tmp]#
Upon inspecting the output of the snmpwalk command, you can see that the second interface seems to have the name eth0 and the MAC address 0:9:5b:2f:9e:d5. You can now retrieve the individual MAC address using the snmpget command.
        [root@bigboy tmp]# snmpget -v 1 -c const1payted localhost ifPhysAddress.2
        IF-MIB::ifPhysAddress.2 = STRING: 0:9:5b:2f:9e:d5
        [root@bigboy tmp]#
You can confirm this information using the ifconfig command for interface eth0; the very first line shows a matching MAC address.
        [root@bigboy tmp]# ifconfig -a eth0
        eth0      Link encap:Ethernet  HWaddr 00:09:5B:2F:9E:D5
                  inet addr:216.10.119.244  Bcast:216.10.119.255  Mask:255.255.255.240
        ...
        ...
        [root@bigboy tmp]#
You'll now see how you can configure SNMP on your Linux server to achieve these results.
Configuring Simple SNMP on a Linux Server
By default, Fedora installs the net-snmp package as its SNMP server product. This package uses a configuration file named /etc/snmp/snmpd.conf in which the community strings and other parameters may be set. The version of the configuration file that comes with net-snmp is quite complicated. I suggest archiving it and using a much simpler version with only a single line containing the keyword rocommunity followed by the community string. Here is an example.
1) Save the old configuration file.
        [root@bigboy tmp]# cd /etc/snmp/
        [root@bigboy snmp]# mv snmpd.conf snmpd.conf.old
        [root@bigboy snmp]# vi snmpd.conf
2) Enter the following line in the new configuration file to set the Read Only community string to craz33guy.
        rocommunity craz33guy
3) Configure Linux to start SNMP services on each reboot with the chkconfig command:
        [root@bigboy root]# chkconfig snmpd on
        [root@bigboy root]#
4) Start SNMP to load the current configuration file.
        [root@bigboy root]# service snmpd start
        Starting snmpd: [ OK ]
        [root@bigboy root]#
5) Test whether SNMP can read the system and interface MIBs using the snmpwalk command.
        [root@bigboy snmp]# snmpwalk -v 1 -c craz33guy localhost system
        SNMPv2-MIB::sysDescr.0 = STRING: Linux bigboy 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586
        SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
        SNMPv2-MIB::sysUpTime.0 = Timeticks: (425) 0:00:04.25
        SNMPv2-MIB::sysContact.0 = STRING: root@localhost
        SNMPv2-MIB::sysName.0 = STRING: bigboy
        ...
        ...
        ...
        [root@bigboy snmp]# snmpwalk -v 1 -c craz33guy localhost interface
        IF-MIB::ifNumber.0 = INTEGER: 3
        IF-MIB::ifIndex.1 = INTEGER: 1
        IF-MIB::ifIndex.2 = INTEGER: 2
        IF-MIB::ifIndex.3 = INTEGER: 3
        IF-MIB::ifDescr.1 = STRING: lo
        IF-MIB::ifDescr.2 = STRING: wlan0
        IF-MIB::ifDescr.3 = STRING: eth0
        ...
        ...
        ...
        [root@bigboy snmp]#
Now that you know SNMP is working correctly on your Linux server, you can configure SNMP statistics gathering software, such as MRTG, to create online graphs of your traffic flows.
SNMP on Other Devices
In the example, you were polling localhost. You can poll any SNMP-aware network device that has SNMP enabled. All you need is the IP address and SNMP Read Only string and you'll be able to get similar results. Here is an example of a query of a device with an IP address of 192.168.1.1.
        [root@bigboy snmp]# snmpwalk -v 1 -c chir1qui 192.168.1.1 interface
Note: When issuing snmpwalk and snmpget commands, remember to use the proper version switch (-v 1, -v 2c, or -v 3) for the version of SNMP you're using.
Basic SNMP Security
The security precautions that need to be taken with SNMP vary depending on the version you are using. This section outlines the basic steps for protecting your MIB data.
SNMP Versions 1 and 2
The most commonly supported versions of SNMP don't encrypt your community string password, so you shouldn't do queries over insecure networks, such as the Internet. You should also make sure that you use all reasonable security measures to allow queries only from trusted IP addresses, either via a firewall or the SNMP security features available in the snmpd.conf file. In case you need it, the snmpd.conf file can support limiting MIB access to trusted hosts and networks. The snmpd.conf file has two security sections; a section with very restrictive access sits at the top of the file and is immediately followed by a less restrictive section. The example that follows is a modification of the less restrictive section. You will have to comment out the more restrictive statements at the top of the file for it to work correctly.
        ##       sec.name      source          community
        ##       ========      ======          =========
        com2sec  local         localhost       craz33guy
        com2sec  network_1     172.16.1.0/24   craz33guy
        com2sec  network_2     192.168.2.0/24  craz33guy

        ##       Access.group.name  sec.model  sec.name
        ##       =================  =========  ========
        group    MyROGroup_1        v1         local
        group    MyROGroup_1        v1         network_1
        group    MyROGroup_2        v2c        network_2

        ##       MIB.view.name  incl/excl  MIB.subtree  mask
        ##       =============  =========  ===========  ====
        view     all-mibs       included   .1           80

        ##       MIB
        ##       group.name   context  sec.model  sec.level  prefix  read      write  notif
        ##       ==========   =======  =========  =========  ======  ====      =====  =====
        access   MyROGroup_1  ""       v1         noauth     exact   all-mibs  none   none
        access   MyROGroup_2  ""       v2c        noauth     exact   all-mibs  none   none
In our example:
• Only three networks (localhost, 172.16.1.0/24, and 192.168.1.0/24) are allowed to access the server with the craz33guy community string.
• Each network is matched to either a group called MyROGroup_1 using SNMP version 1, or a group called MyROGroup_2 using SNMP version 2.
• All the MIBs on the server are defined by the view named all-mibs.
• An access statement ensures that only the defined networks have read only access to all the MIBs. MyROGroup_1 only has version 1 access, with MyROGroup_2 only having version 2 access.
• Modification of the MIBs via SNMP is denied because the word "none" is in the write section of the access statement.
These precautions are probably unnecessary in a home environment where access is generally limited to devices on the home network by a NAT firewall.
SNMP Version 3
SNMPv3 is a much more secure alternative to earlier versions as it encrypts all its data and uses a username / password combination for client authentication. The username should be located in the /etc/snmp/snmpd.conf file with a corresponding automatically generated password located in the /var/net-snmp/snmpd.conf file. Here is how it's done.
1. Install the net-snmp-devel package as it contains the utility that will allow you to generate the password.
2. Stop the snmpd process.
        [root@bigboy tmp]# service snmpd stop
        Stopping snmpd: [ OK ]
        [root@bigboy tmp]#
3. Automatically create the /etc/snmp/snmpd.conf and /var/net-snmp/snmpd.conf username and password entries using the net-snmp-config command. In this example the authentication password of "rootsrockreggae" for the read only (-ro) username "username4snmpv3" is used with the MD5 authentication algorithm. The data received will not be encrypted.
        [root@bigboy tmp]# net-snmp-config --create-snmpv3-user -ro \
            -a MD5 -A rootsrockreggae username4snmpv3
        adding the following line to /var/net-snmp/snmpd.conf:
           createUser username4snmpv3 MD5 "rootsrockreggae" DES
        adding the following line to /etc/snmp/snmpd.conf:
           rouser username4snmpv3
        [root@bigboy tmp]# service snmpd start
        Starting snmpd: [ OK ]
        [root@bigboy tmp]#
4. To encrypt the data received we use the net-snmp-config command again to create a username just for this purpose. A new read only username "securev3user" and authentication password "mandeville" are used, but this time the data will be encrypted using the DES algorithm with the privacy password of "savlamar".
        [root@bigboy tmp]# net-snmp-config --create-snmpv3-user -ro \
            -a MD5 -A mandeville -x DES -X savlamar securev3user
        adding the following line to /var/net-snmp/snmpd.conf:
           createUser securev3user MD5 "mandeville" DES savlamar
        adding the following line to /etc/snmp/snmpd.conf:
           rouser securev3user
        [root@bigboy tmp]#
5. Start the snmpd process.
        [root@bigboy tmp]# service snmpd start
        Starting snmpd: [ OK ]
        [root@bigboy tmp]#
6. First we'll do a query from remote host smallfry. We specify the authentication password and authentication encryption method, and we also use the -l flag to indicate that authentication will be used, but that data privacy will be disabled (the authNoPriv option).
        [root@smallfry ~]# snmpget -v 3 -u username4snmpv3 -l authNoPriv \
            -a MD5 -A rootsrockreggae 192.168.1.100 SNMPv2-MIB::sysORDescr.8
        SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Securit
        [root@smallfry ~]#
The query returns an easy to read string, "The management information definitions for the SNMP User-based Security Model". This unencrypted string can also be seen in the tshark packet capture of the server's interface.
        [root@bigboy tmp]# tshark -n -i eth1 -x port 161
        Capturing on eth1
        ...
        ...
        ...
          0.005889 192.168.1.100 -> 192.168.1.50 SNMP get-response

        0000 00 c0 4f 46 0c 2e 00 b0 d0 46 32 71 08 00 45 00 ..OF.....F2q..E.
        0010 00 f0 00 00 40 00 40 11 b3 b2 c0 a8 02 c8 c0 a8 ....@.@.........
        0020 02 32 00 a1 80 0a 00 dc 87 38 30 81 d1 02 01 03 .2.......80.....
        0030 30 11 02 04 45 a2 23 54 02 03 00 ff e3 04 01 01 0...E.#T........
        0040 02 01 03 04 38 30 36 04 0d 80 00 1f 88 80 71 11 ....806.......q.
        0050 68 72 0e b1 e7 45 02 01 12 02 01 39 04 0f 75 73 hr...E.....9..us
        0060 65 72 6e 61 6d 65 34 73 6e 6d 70 76 33 04 0c 46 ername4snmpv3..F
        0070 6c 74 26 51 4d aa 65 61 59 06 1a 04 00 30 7f 04 lt&QM.eaY....0..
        0080 0d 80 00 1f 88 80 71 11 68 72 0e b1 e7 45 04 00 ......q.hr...E..
        0090 a2 6c 02 04 43 4e da d7 02 01 00 02 01 00 30 5e .l..CN........0^
        00a0 30 5c 06 0a 2b 06 01 02 01 01 09 01 03 08 04 4e 0\..+..........N
        00b0 54 68 65 20 6d 61 6e 61 67 65 6d 65 6e 74 20 69 The management i
        00c0 6e 66 6f 72 6d 61 74 69 6f 6e 20 64 65 66 69 6e nformation defin
        00d0 69 74 69 6f 6e 73 20 66 6f 72 20 74 68 65 20 53 itions for the S
        00e0 4e 4d 50 20 55 73 65 72 2d 62 61 73 65 64 20 53 NMP User-based S
        00f0 65 63 75 72 69 74 79 20 4d 6f 64 65 6c 2e       ecurity Model.

        4 packets captured
        [root@bigboy tmp]#
7. Next we'll do a query that will return a response over an encrypted data channel while crossing the network (the authPriv option).
        [root@smallfry ~]# snmpget -v 3 -u securev3user -l authPriv \
            -a MD5 -A mandeville -x DES -X savlamar 192.168.1.100 SNMPv2-MIB::sysORDescr.8
        SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Securit
        [root@smallfry ~]#
The query returns the same string, but the tshark packet capture only sees encrypted data, with only the username being visible.
        [root@bigboy tmp]# tshark -n -i eth1 -x port 161
        Capturing on eth1
        ...
        ...
        ...
          0.003675 192.168.1.200 -> 192.168.1.50 SNMP Source port: 161  Destination port: 32778 [UDP CHECKSUM INC

        0000 00 c0 4f 46 0c 2e 00 b0 d0 46 32 71 08 00 45 00 ..OF.....F2q..E.
        0010 01 00 00 00 40 00 40 11 b3 a2 c0 a8 02 c8 c0 a8 ....@.@.........
        0020 02 32 00 a1 80 0a 00 ec 87 48 30 81 e1 02 01 03 .2.......H0.....
        0030 30 11 02 04 17 52 82 96 02 03 00 ff e3 04 01 03 0....R..........
        0040 02 01 03 04 3e 30 3c 04 0d 80 00 1f 88 80 71 11 ....>0<.......q.
        0050 68 72 0e b1 e7 45 02 01 11 02 02 00 8e 04 0c 73 hr...E.........s
        0060 65 63 75 72 65 76 33 75 73 65 72 04 0c 01 b2 00 ecurev3user.....
        0070 6e 23 07 83 dc a2 b6 d6 3d 04 08 00 00 00 11 4e n#......=......N
        0080 df 19 a3 04 81 88 36 dd e0 ce e0 52 19 ff 58 7e ......6....R..X~
        0090 be fa d1 96 20 2b 28 65 59 30 e8 d4 cb 18 9f 8f .... +(eY0......
        00a0 1e 5b a3 d6 ae f7 4a 86 bd ed 2a 4b a8 df 52 fb .[....J...*K..R.
        00b0 00 b4 a8 37 3d 74 9e 6d 1d 56 9a ba f2 13 fa 72 ...7=t.m.V.....r
        00c0 4d 47 fb 88 7b d3 54 e1 9d b3 66 f0 29 ab 8a 55 MG..{.T...f.)..U
        00d0 6f 77 65 40 87 ab 0c 51 d9 0e bf 33 7f 9a cb ea owe@...Q...3....
        00e0 37 50 3c 8e 65 dd 8f 3c 49 71 96 59 f9 d3 a8 23 7P<.e..
        00f0 81 c6 1b b2 c2 d0 57 9b 98 1b 89 1e ca 77 3d 84 ......W......w=.
        0100 6f af b6 9b 86 3a 2f 66 44 1a 41 51 03 bc       o....:/fD.AQ..

        4 packets captured
        [root@bigboy tmp] #
8. Your password and privilege information are stored in /var/net-snmp/snmpd.conf using the format displayed when you used the net-snmp-config command. Here is an example.
        # File: /var/net-snmp/snmpd.conf before SNMP starts
        createUser securev3user MD5 "mandeville" DES savlamar
        createUser username4snmpv3 MD5 "rootsrockreggae" DES
The snmpd daemon will completely encrypt the SNMP password data in this file when it restarts, which helps to further increase security. We can see an example of this configuration here.
        # File: /var/net-snmp/snmpd.conf after SNMP starts
        usmUser 1 3 0x80001f88780711168720eb1e745 0x73656375626576337573657200 0x73656375726576337573657200 NULL .1.3.6.1.6.3.10.1.1.2 0xd951ac1d95033f4afgf31243eb6907df .1.3.6.1.6.3.10.1.2.2 0xf1f4bb00452211d27b50c273c09031ac 0x00
        usmUser 1 3 0x80001f8880711168720eb1e745 0x757365726e61657534736e6d70763300 0x757365726e616d6534736e6d70763300 NULL .1.3.6.1.6.3.10.1.1.2 0x5e35c9f5352519aa4f53eded09bbdddd .1.3.6.1.6.3.10.1.2.2 0x5e35c9f5122519aa4f53eded09bbdddd ""
        setserialno 1464593474
Practice using the net-snmp-config command so that you can become familiar with the syntax it uses to edit the SNMP configuration files. When in doubt, you can get a full syntax listing of the command if you use it without any arguments like this:
        [root@bigboy tmp]# net-snmp-config
        ...
        ...
          SNMP Setup commands:
            --create-snmpv3-user [-ro] [-A authpass] [-X privpass]
                                 [-a MD5|SHA] [-x DES|AES] [username]
        ...
        ...
        [root@bigboy tmp]#
With experience, you should become confident enough to edit the configuration files by yourself. As you can see, SNMPv3 is more secure than previous versions and should be your first SNMP choice whenever possible.
Simple SNMP Troubleshooting
If your SNMP queries fail, then verify that:
• You restarted snmpd after editing snmpd.conf so the configuration settings become active. Remember, the snmpd.conf file is only read by the snmpd daemon when it starts up.
• You are using the correct community string.
• Firewalls aren't preventing SNMP queries from the SNMP client to the SNMP target.
• Your SNMP security policy allows the query from your network.
• Any TCP wrappers configuration on your SNMP target machine allows SNMP queries from your SNMP client. Generally speaking, in a home environment protected by NAT your TCP wrappers files (/etc/hosts.allow and /etc/hosts.deny) should be blank.
• Network routing between the client and target devices is correct. A simple ping or traceroute test should be sufficient.
• The snmpd daemon is running on the SNMP client.
• You are querying using the correct SNMP version.
• Your /var/log/messages file does not contain errors that may have occurred while starting snmpd.
Troubleshooting to get functioning SNMP queries is important as many other supporting applications, such as MRTG which I'll discuss next, rely on them in order to work correctly.
MRTG
The MRTG product is available from the MRTG Web site (www.mrtg.org) and also on your distribution CDs. Figure shows a sample MRTG graph.
MRTG Download and Installation
You need to install MRTG before proceeding. Most RedHat and Fedora Linux software products are available in the RPM format. When searching for the file, remember that the MRTG RPM's filename usually starts with mrtg and a version number, as in mrtg-2.10.5-3.i386.rpm.
In addition to MRTG, you need to install the SNMP utility tools as explained earlier and you need to have a Web server package installed for MRTG to work. RedHat Linux usually comes with the Apache Web server software preinstalled. The easiest way to tell if Apache is installed is to run the rpm -q httpd command. If you don't get a positive response, you can refer to Chapter 20, "The Apache Web Server", for installation details. By default Apache expects the HTML files for your Web site to be located in /var/www/html. MRTG places its HTML files in /var/www/mrtg.
Configuring MRTG
By default, MRTG maps the inbound and outbound data throughput rates on the device it is polling. Methods for specifying other OIDs, such as CPU and memory usage, are discussed in Chapter 23, "Advanced MRTG for Linux". For now, I'll stick with the default configuration.
When the MRTG RPM is installed, it creates a directory called /etc/mrtg in which all future configuration files are stored. To create a replacement default /etc/mrtg/mrtg.cfg configuration file for the server, follow these steps.
1) Use MRTG's cfgmaker command to create a configuration file named mrtg.cfg for the server (bigboy) using a Read Only community string of craz33guy. Place all data files in the directory /var/www/mrtg.
        [root@bigboy tmp]# cfgmaker --output=/etc/mrtg/mrtg.cfg \
            --global "workdir: /var/www/mrtg" -ifref=ip \
            --global 'options[_]: growright,bits' \
            craz33guy@localhost
        --base: Get Device Info on craz33guy@localhost:
        --base: Vendor Id:
        --base: Populating confcache
        --snpo: confcache craz33guy@localhost: Descr lo --> 1
        --snpo: confcache craz33guy@localhost: Descr wlan0 --> 2
        ...
        ...
        ...
        --base: Walking ifAdminStatus
        --base: Walking ifOperStatus
        --base: Writing /etc/mrtg/mrtg.cfg
        [root@bigboy tmp]#
SNMPv2: As explained in the SNMP section, there are different versions of SNMP. If your query doesn't work, check to make sure you are using the required version and then check other SNMP configuration parameters on the target device. You can specify MRTG's SNMP query version with the --snmp-options cfgmaker option. Here is an example of cfgmaker using an SNMP version 2 query of a router with an IP address of 192.168.1.3. The --snmp-options option's five colons before the 2 are important. [root@bigboy tmp]# cfgmaker --output=/etc/mrtg/192.168.1.3.cfg \ -ifref=ip --global "workdir: /var/www/mrtg" \ --snmp-options=:::::2 [email protected]
SNMPv3: The cfgmaker command can also be used to poll SNMPv3 enabled devices, but you have to first install the Net::SNMP PERL module. [root@bigboy tmp]# yum -y install perl-Net-SNMP
or [root@bigboy
tmp]# perl -MCPAN -e "install Net::SNMP"
If you fail to install the module, you will get an error looking like this: Undefined subroutine &main::snmpmapOID called at ./cfgmaker line 1480.
Next you need to know the SNMPv3 ID of the host you intend to poll. In fedora, this is value is located in the /var/net-snmp/snmpd.conf file. You can use the grep command to obtain it. [root@bigboy tmp]# grep oldEngineID /var/net-snmp/snmpd.conf oldEngineID 0x80001f8880711168720eb1e745 [root@bigboy tmp]#
You can then repeat the cfgmaker command with options specific to the privacy and authentication schemes configured on the SNMP target device. Using the configurations of our previous SNMPv3 example, our configuration for encrypted authentication only would look like this:

[root@bigboy tmp]# cfgmaker --global 'WorkDir: /var/www/mrtg' \
    --global 'Options[_]: growright, bits' \
    --output=/etc/mrtg/192.168.1.100.cfg \
    --enablesnmpv3 --username=username4snmpv3 \
    --authpassword=rootsrockreggae --authproto=md5 \
    --snmp-options=:::::3 \
    --contextengineid=0x80001f8880711168720eb1e745 \
    [email protected]

Our configuration for encrypted authentication plus data privacy would look like this:

[root@bigboy tmp]# cfgmaker --global 'WorkDir: /var/www/mrtg' \
    --global 'Options[_]: growright, bits' \
    --output=/etc/mrtg/192.168.1.100-secure.cfg \
    --enablesnmpv3 --username=securev3user --authpassword=mandeville \
    --authproto=md5 --privpassword=savlamar --privprotocol=des \
    --snmp-options=:::::3 \
    --contextengineid=0x80001f8880711168720eb1e745 \
    [email protected]

Note: The MRTG cfgmaker command reliably supports SNMPv3 as of MRTG version 2.15. Prior to this version you would commonly see this error when attempting to do SNMPv3 queries:

SNMP V3 requires a --username parameter as part of the User Security Model for router [email protected]
2) Edit /etc/mrtg/mrtg.cfg, and remove the sections related to interfaces you don't need to monitor. A likely candidate would be the virtual loopback interface Lo: (with the IP address of 127.0.0.1), which doesn't pass any network traffic at all.

3) Run MRTG using /etc/mrtg/mrtg.cfg as your argument three times. You'll get errors the first two times as MRTG tries to move old data files; naturally, the first time it is run, MRTG has no data files to move.

[root@bigboy tmp]# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
Rateup WARNING: /usr/bin/rateup could not read the primary log file for localhost_192.168.1.100
Rateup WARNING: /usr/bin/rateup The backup log file for localhost_192.168.1.100 was invalid as well
Rateup WARNING: /usr/bin/rateup Can't remove localhost_192.168.1.100.old updating log file
Rateup WARNING: /usr/bin/rateup Can't rename localhost_192.168.1.100.log to localhost_192.168.1.100.old u
[root@bigboy tmp]# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
Rateup WARNING: /usr/bin/rateup Can't remove localhost_192.168.1.100.old updating log file
[root@bigboy tmp]# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
[root@bigboy tmp]#
4) Use MRTG's indexmaker command to create a Web index page using your new mrtg.cfg file as a guide. The MRTG Web GUI expects to find the index file in the default MRTG Web directory of /var/www/mrtg/, so the format of the command would be:

[root@bigboy tmp]# indexmaker --output=/var/www/mrtg/index.html \
    /etc/mrtg/mrtg.cfg
5) MRTG is run every five minutes by default, and the file that governs this is /etc/cron.d/mrtg. For MRTG to work correctly, edit this file, replacing all occurrences of /usr/bin/mrtg with env LANG=C /usr/bin/mrtg. The explanation for changing the language character set for MRTG is given in the "Troubleshooting MRTG" section.

This isn't all; you need to view the graphs too. This will be covered later, but first I'll show you how to poll multiple devices.

Getting MRTG to Poll Multiple Devices

The Fedora Core MRTG installation process creates a cron file named /etc/cron.d/mrtg. This file tells the cron daemon to run MRTG using the /etc/mrtg/mrtg.cfg file every five minutes to poll your network devices. You can configure MRTG to poll multiple devices, each with a separate configuration file. Here's how:

1) Create a new configuration file using the steps from the previous section; choose a filename that is not mrtg.cfg.
2) Add a new MRTG line in /etc/cron.d/mrtg for each new configuration file you create.
0-59/5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
0-59/5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/device1.cfg
0-59/5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/device2.cfg
3) Run the indexmaker command, and include all of your /etc/mrtg configuration files, to regenerate your Web index page.
[root@bigboy tmp]# indexmaker --output=/var/www/mrtg/index.html \
    /etc/mrtg/mrtg.cfg /etc/mrtg/device1.cfg /etc/mrtg/device2.cfg
4) Other versions of Linux keep their MRTG cron entries inside the /etc/crontab file. Edit this file using the same syntax as the Fedora /etc/cron.d/mrtg file, and then restart the cron daemon to re-read the configuration:
[root@bigboy tmp]# service crond restart
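Instead of one cron line per device, the per-device runs can live in a single script that cron executes every five minutes. The wrapper below is an added example, not code from the manual or from MRTG; it assumes the Fedora paths /etc/mrtg, /usr/bin/mrtg, /usr/bin/indexmaker and /var/www/mrtg/index.html (all overridable from the environment), and the lock directory and cron entry shown in its comments are assumptions too.

```shell
#!/bin/sh
# mrtg-poll-all: run MRTG once for every *.cfg file in the configuration
# directory, then rebuild the index page from the same files.
# Added example, not part of the lab manual or of MRTG. Assumed defaults
# (all overridable from the environment): Fedora's /etc/mrtg, /usr/bin/mrtg,
# /usr/bin/indexmaker and /var/www/mrtg/index.html. The lock directory path
# is an assumption as well.
#
# Assumed cron entry, replacing the one-line-per-device entries:
#   0-59/5 * * * * root /usr/local/sbin/mrtg-poll-all

MRTG_CFG_DIR="${MRTG_CFG_DIR:-/etc/mrtg}"
MRTG_BIN="${MRTG_BIN:-/usr/bin/mrtg}"
INDEXMAKER_BIN="${INDEXMAKER_BIN:-/usr/bin/indexmaker}"
MRTG_INDEX="${MRTG_INDEX:-/var/www/mrtg/index.html}"
LOCKDIR="${LOCKDIR:-/var/lock/mrtg-poll-all}"

# mrtg_cfg_files DIR: print the *.cfg files in DIR, one per line.
# Returns 1 when there is nothing to poll.
mrtg_cfg_files() {
    found=0
    for cfg in "$1"/*.cfg; do
        [ -f "$cfg" ] || continue
        printf '%s\n' "$cfg"
        found=1
    done
    [ "$found" -eq 1 ]
}

# mrtg_poll_all DIR: run MRTG over every cfg file with LANG=C, as the manual
# requires. A failing device does not stop the others; the return value is
# the number of failed runs (0 when every device was polled).
mrtg_poll_all() {
    failures=0
    for cfg in $(mrtg_cfg_files "$1"); do
        if ! env LANG=C "$MRTG_BIN" "$cfg"; then
            echo "mrtg failed for $cfg" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# mrtg_rebuild_index DIR OUTPUT: regenerate the index page from all cfg
# files at once, the way indexmaker is run in step 3 above.
mrtg_rebuild_index() {
    dir="$1"; out="$2"
    set --
    for cfg in $(mrtg_cfg_files "$dir"); do
        set -- "$@" "$cfg"
    done
    [ "$#" -gt 0 ] || return 1
    "$INDEXMAKER_BIN" --output="$out" "$@"
}

main() {
    # mkdir is atomic, so the lock stops overlapping runs when one poll
    # takes longer than the five-minute cron interval.
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "another mrtg-poll-all is still running" >&2
        exit 0
    fi
    trap 'rmdir "$LOCKDIR"' EXIT
    mrtg_poll_all "$MRTG_CFG_DIR"
    mrtg_rebuild_index "$MRTG_CFG_DIR" "$MRTG_INDEX"
}

# Run main only when invoked as the installed script, not when sourced.
case "${0##*/}" in
    mrtg-poll-all) main "$@" ;;
esac
```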
You could also create a script with the /usr/bin/mrtg /etc/mrtg/device.cfg entries in it and make cron run it every five minutes. This way you can just edit the script each time you add a device without having to restart cron.

Configuring Apache to Work With MRTG

MRTG is useful because it can provide a graphical representation of your server's performance statistics via a Web browser. With Fedora Core, MRTG creates an add-on configuration file named /etc/httpd/conf.d/mrtg.conf that includes all the necessary Apache commands for MRTG to work. Some configuration may need to be done, because by default MRTG accepts Web requests from the Linux console only. You can add your home network to the file by inserting the network on the Allow from line, or you can allow universal access by commenting out that line along with the Deny from line. This example adds access from the 192.168.1.0 network.

Order deny,allow
Deny from all
Allow from localhost 192.168.1.0/24

If you want to access MRTG from the Internet, then you'll have to comment out the Deny statement and allow from all IP addresses:

Order deny,allow
Allow from all

Remember to restart Apache once you have made these modifications in order for the changes to take effect.

Note: With newer versions of Fedora, Apache automatically reads the add-on files in the /etc/httpd/conf.d/ directory. With Fedora Core 1, you have to specifically configure the Apache configuration file /etc/httpd/conf/httpd.conf to find it. You can do this yourself by inserting this line at the very bottom of the main Apache configuration file before restarting Apache for the change to take effect.

include "/etc/httpd/conf.d/mrtg.conf"

Basic Security

If you are accessing MRTG graphs from the Internet, you may want to add password protection to the directory by using a .htaccess file.

How To View The MRTG Graphs In Your Web Browser

You can now access your MRTG graphs by pointing your browser to the URL:
http://server-ip-address/mrtg/
Exercise-2:- This exercise gives an introduction to the use of the Webalizer utility

Webalizer is a Web server log file analysis tool that comes installed by default on RedHat/Fedora Linux. Each night, Webalizer reads your Apache log files and creates a set of Web pages that enable you to view Web surfer statistics for your site. The information provided includes a list of your Web site's most popular pages sorted by hits, along with traffic graphs showing the times of day when your site is most popular.

How to View Your Webalizer Statistics

Fedora creates an add-on configuration file named /etc/httpd/conf.d/Webalizer.conf that includes all the necessary Apache commands for Webalizer to work. As in the case of the MRTG add-on file mentioned above, you have to edit it to allow access to the Webalizer pages from locations other than the Linux console. You also have to restart Apache to make the changes take effect. By default, Webalizer places its index page in the directory /var/www/html/usage and allows you to view your data by visiting the URL http://server-ip-address/usage.
The Webalizer Configuration File

Webalizer stores its configuration in the file /etc/Webalizer.conf. The default settings should be sufficient for your Web server, but you may want to adjust the directory in which Webalizer places your graph statistics. This can be adjusted with the OutputDir directive in the file. After adjustments, Webalizer functions with few annoyances; however, be aware that running in quiet mode could hide deeper problems that could occur in future.

The vmstat Command

You can determine memory and swap usage with the vmstat command, which provides a summary of what top produces. In the example, memory is still 14% free (57,452MB used from a total of 130,780) and swap isn't being used at all.

[root@bigboy tmp]# vmstat
   procs                      memory    swap          io     system         cpu
 r  b  w   swpd   free   buff  cache  si  so    bi    bo   in    cs  us  sy  id
 0  0  0      0  57452 101584 130780   0   0     0     4   18     1   3   1   1
[root@bigboy tmp]#
As your memory fills up, your system will temporarily store programs and data on your hard disk's "swap" partition. Excess swapping of programs and data between disk and memory can cause your system to slow down significantly, and memory usage should be monitored to allow you to plan ways to either increase RAM or tune the way your system operates. System tuning is beyond the scope of this book, but there are many reference guides which can show you how to do this.

The free Utility

The free utility can determine the amount of free RAM on your system. The output is easier to understand than vmstat's. Here's a sample.

[root@bigboy tmp]# free
             total       used       free     shared    buffers     cached
Mem:        126060     119096       6964          0      58972      40028
-/+ buffers/cache:      20096     105964
Swap:       522072      15496     506576
[root@bigboy tmp]#
You should generally try to make your system run with at least 20% free memory on average, which should allow it to handle moderate spikes in usage caused by running memory-intensive cron batch jobs or tape backups. If you cannot achieve this, consider running more efficient versions of programs, offloading some applications to servers with less load, and, of course, upgrading the capacity of your RAM.
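The 20% rule can be checked automatically from the output of free. The script below is an added example, not from the manual; it reads the "-/+ buffers/cache" line (the figure that discounts reclaimable cache) and assumes the classic free output layout shown above. Both embedded samples are constructed, the first copied from the listing in the manual.

```shell
#!/bin/sh
# memcheck: apply the manual's rule that a server should keep at least 20%
# of its RAM free on average, reading free(1) output the way the manual
# does (the "-/+ buffers/cache" line discounts reclaimable cache).
# Added example, not part of the lab manual. Assumes the classic free
# output layout; the two samples below are constructed, the first copied
# from the listing in the manual.

MIN_FREE_PCT="${MIN_FREE_PCT:-20}"

# Constructed sample: the manual's own free listing.
SAMPLE_FREE_OUTPUT='             total       used       free     shared    buffers     cached
Mem:        126060     119096       6964          0      58972      40028
-/+ buffers/cache:      20096     105964
Swap:       522072      15496     506576'

# Constructed sample of a host that would fail the 20% rule.
LOW_MEMORY_SAMPLE='             total       used       free     shared    buffers     cached
Mem:        126060     120000       6060          0       5000       5000
-/+ buffers/cache:     110000      16060
Swap:       522072     400000     122072'

# free_pct_from_output: read free(1) output on stdin and print the whole
# percentage of RAM that is free once buffers and cache are discounted.
# Prints "parse-error" and returns 1 if the expected lines are missing.
free_pct_from_output() {
    awk '
        $1 == "Mem:"                    { total = $2 }
        $1 == "-/+" && $2 ~ /^buffers/  { free = $4 }
        END {
            if (total == 0 || free == "") { print "parse-error"; exit 1 }
            printf "%d\n", (free * 100) / total
        }'
}

# swap_used_pct_from_output: whole percentage of swap in use (0 when the
# host has no swap at all, which is not an error).
swap_used_pct_from_output() {
    awk '
        $1 == "Swap:" { total = $2; used = $3 }
        END {
            if (total == 0) { print 0; exit 0 }
            printf "%d\n", (used * 100) / total
        }'
}

# check_free_memory: read free(1) output on stdin; return 0 when the free
# percentage meets MIN_FREE_PCT, 1 when it does not, 2 on unparsable input.
check_free_memory() {
    pct=$(free_pct_from_output) || return 2
    if [ "$pct" -lt "$MIN_FREE_PCT" ]; then
        echo "WARNING: only ${pct}% of RAM free (threshold ${MIN_FREE_PCT}%)" >&2
        return 1
    fi
    echo "OK: ${pct}% of RAM free"
}

# Run against the live system only when invoked as the installed script.
case "${0##*/}" in
    memcheck) free | check_free_memory ;;
esac
```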
Exercises for lab: Exercise 1:- Write an SNMP query to get all the values in the interface MIB of the local server using SNMP version 1 and the community string of 10.0.0.3 (a node in your local network).
Home Work:
Lab 26: Network Based Linux Installation
To understand the Linux Installation over the network
Lab No. 26: Network Based Linux Installation Objective: You will be introduced to the Linux installation over the network using an FTP, NFS or HTTP server.
Scope: On the completion of this lab, you will be able to:
• Set Up The Installation Server
• Create a Kickstart Boot CD
• Automate Installation With Kickstart
Useful Concepts:

Network installation
• Installation of the OS from a remote installation server, as opposed to local installation from CD or local hard disk.
Kickstart Server
• Server that has the OS installation image and provides a much faster installation procedure than using CDs; the process can be automated.

Procedure at a glance

The procedure is fairly simple:
• Connect the new server (installation client) to the same network as the server with the pre-loaded installation files (installation server).
• Boot the installation client from a specially created boot CD.
• Enter your preferred installation method (FTP, HTTP, NFS) and the needed network parameters to do this.
• The installation procedure will then continue with the more familiar Fedora Linux installation screens. Enter your selections and then complete the installation.
This manual will set up a single installation server (bigboy) with an IP address of 192.168.1.100.
Exercise-1:- This exercise demonstrates how to Set Up the Installation Server

Kickstart can be configured on an FTP, NFS or Apache server. Each method is explained below, but my experience has been that the Apache server has a number of advantages over the other two. Using a web server for kickstart is generally easier because:
• Sometimes a kickstart server has to be located on a remote network, often passing through a firewall. Strict firewall rules for HTTP are generally easier to configure than those for FTP or NFS.
• The http:// nomenclature used by kickstart for accessing files is more familiar to users than that used for NFS and FTP. This may be important for you when configuring files for automated kickstart installation.

Basic Preparation

In this example we are going to set up a kickstart server that will be used in Fedora Core installations. All the necessary files will be placed in the /data/network-install directory.
Create The Installation Directories

We'll first create the directories /data/network-install/RPM and /data/network-install/ISO into which we will copy the necessary files.

[root@bigboy tmp]# mkdir -p /data/network-install/RPM
[root@bigboy tmp]# mkdir -p /data/network-install/ISO

You now need to place the network installation driver files into the base directory.

Copying The Files

The HTTP, NFS and FTP kickstart methods all require the base set of Fedora files to be installed on the kickstart server. Here's how to do it:

1) Create a mount point for your CD ROM drive.
[root@bigboy tmp]# mkdir /mnt/cdrom
2) Mount your first Fedora CD ROM.
[root@bigboy tmp]# mount /dev/cdrom /mnt/cdrom
3) Copy the files from the CD ROM base directory to the hard disk.
[root@bigboy tmp]# cp -r /mnt/cdrom/* /data/network-install/RPM
4) Unmount your CD ROM and use the eject command to retrieve it from the drive bay.
[root@bigboy tmp]# umount /dev/cdrom
[root@bigboy tmp]# eject cdrom
5) Repeat steps 2 to 4 with all your CDROMs. Overwrite files when prompted.

Note: You also have the option to FTP all the files of the desired version of Fedora from the Fedora website to the /data/network-install/RPM directory.

HTTP & FTP Preparation

Copy all the contents of each installation CD to the /data/network-install/RPM directory. This will require about 3-5 GB of space. When this is completed, your /data/network-install/RPM directory should look like this:

[root@bigboy tmp]# ls -1 /data/network-install/RPM
eula.txt
Fedora
fedora.css
GPL
images
index.html
isolinux
README-Accessibility
RELEASE-NOTES-en_US.html
repodata
RPM-GPG-KEY
RPM-GPG-KEY-beta
RPM-GPG-KEY-fedora
RPM-GPG-KEY-fedora-extras
RPM-GPG-KEY-fedora-legacy
RPM-GPG-KEY-fedora-rawhide
RPM-GPG-KEY-fedora-test
RPM-GPG-KEY-rawhide
stylesheet-images
[root@bigboy tmp]#

NFS Preparation

Create ISO images of the installation CDs and place them in the /data/network-install/ISO directory. This will require about 3-5 GB of space as well. You can download the ISO images from the Fedora website or use the Fedora CDs as shown below. If you create the ISO files from CDs, make sure they have the same file names as the ones you can download from the Fedora Web site. Follow these steps for each CD, substituting the filename where necessary:

[root@bigboy tmp]# cd /data/network-install/ISO
[root@bigboy ISO]# dd if=/dev/cdrom of=filename.iso bs=32k
...
...
[root@bigboy ISO]# eject cdrom

Note: Here is a sample procedure to make ISO files with the older mkisofs command. You may have to install the mkisofs RPM on newer Fedora versions. The command requires a mounted CDROM drive, so don't forget the mount command.

[root@bigboy ISO]# mount /mnt/cdrom
[root@bigboy ISO]# mkisofs -J -r -T -o filename.iso /mnt/cdrom
[root@bigboy ISO]# eject cdrom

Setup Your Webserver

You will now have to set up Apache to give the file listings of your /data/network-install/RPM and /data/network-install/ISO directories when you point your browser to the URL http://192.168.1.100/network-install/RPM/ or http://192.168.1.100/network-install/ISO/ respectively. A sample /etc/httpd/conf.d/kickstart.conf configuration is below. Remember to restart Apache to make these settings take effect.

NameVirtualHost 192.168.1.100
#
# For HTTP Installations
#
ServerName 192.168.1.100
DocumentRoot /data/
Options +Indexes
AllowOverride AuthConfig
order allow,deny
allow from all

Setup Your FTP Server

You'll also have to set up your VSFTPD server to make incoming anonymous FTP connections log in to the /data/network-install/RPM directory by default. You will also want to enable the correct logging. Here is a sample snippet of the vsftpd.conf file. Remember to restart VSFTPD to make these settings take effect.

#
# File: vsftpd.conf
#
#
# Anonymous FTP Root Directory
#
anon_root=/data/network-install/RPM
#
# Log file definition
#
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log

Create A Special FTP User

You can also create a special user for non-anonymous FTP installations with its home directory as "/". You must also make sure that the user has read access to the /data/network-install directory. An example is below.

[root@bigboy tmp]# useradd -g users ftpinstall
[root@bigboy tmp]# passwd ftpinstall
Changing password for user ftpinstall.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@bigboy tmp]#
[root@bigboy tmp]# usermod -d / ftpinstall
[root@bigboy tmp]#

Setup Your NFS Server
The steps for setting up an NFS server are more complicated.

1) Create a /etc/exports file with the following entry in it. You must use tabs, not spaces, between the entries.
/data/network-install	*(ro,sync)
2) Make sure that the rpcbind (portmap on older versions of Linux), nfs, nfslock and netfs daemons are all running to create an NFS server. The startup scripts for these are found in the /etc/init.d directory.
3) Run the exportfs command to add this directory to the NFS database of network available directories.
[root@bigboy tmp]# exportfs -ra
4) The installation client must have a matching pair of forward and reverse DNS entries on your DNS server. In other words, a DNS lookup on the IP address of the installation client must return a server name that will map back to the original IP address when a DNS lookup is done on that same server name.
[root@bigboy tmp]# host 192.168.1.96
96.1.168.192.in-addr.arpa domain name pointer 192-168-1-96.my-site.com.
[root@bigboy tmp]#
[root@bigboy tmp]# host 192-168-1-96.my-site.com
192-168-1-96.my-site.com has address 192.168.1.96
[root@bigboy tmp]#
This may mean that you will have to create entries for all your DHCP IP addresses if you choose to use a DHCP method of assigning IP addresses during installation.

Configure Your DHCP Server

During the installation procedure, the installation client will prompt you for the IP address it should use for the installation process. I recommend selecting the option that makes the installation client get its address via DHCP. This will automate the installation more and will therefore make it faster. It will also reduce the possibility of human error.
Exercise-2:- This exercise demonstrates how to Create A Kickstart Boot CD

Creating a kickstart boot CD is easy to do. Here are the steps:

1. Your RPM directory should have a subdirectory named images in it. There will be a file there named boot.iso which is used in booting your system when installing Linux from DVD or CD. Fedora mirror sites that have directory structures similar to that of the DVD also have a boot.iso file located in the /Fedora/i386/os/images/ directory. This file is different in both size and function from the one on your DVD. It is usually larger than 10 MB in size and it is the boot file you need for kickstart. Download the boot.iso file from your favorite mirror site using a utility like wget.
[root@bigboy tmp]# wget http://website.org/8/Fedora/i386/os/images/boot.iso
2. You will now need the device name of your CDROM device. This can be obtained using the wodim command. In this case it is called /dev/scd0.
[root@bigboy tmp]# wodim --devices
wodim: Overview of accessible drives (1 found) :
-------------------------------------------------------------
 0  dev='/dev/scd0'     rwr--- : 'LITE-ON' 'DVDRW LH-20A1P'
-------------------------------------------------------------
[root@bigboy tmp]#
3. Insert a blank CD. The wodim command can now be used again to burn the boot.iso ISO image file to the CD.
[root@bigboy tmp]# wodim dev=/dev/scd0 driveropts=burnfree,noforcespeed \
    fs=14M -dao -eject -overburn -v boot.iso
...
...
...
BURN-Free was never needed.
wodim: fifo had 6 puts and 6 gets.
wodim: fifo was 0 times empty and 0 times full, min fill was 100%.
[root@bigboy RPM]#

Keep the CD. You will soon need it for your kickstart client machine.
Exercise-3:- This exercise demonstrates The Network Installation

From here on, the installation procedure mimics the regular Linux installation, except for the first couple of steps.

Connect your client Linux box to the DHCP network. Boot your system using the kickstart boot CD. This is the only CD you'll need for future network installations. A menu will appear. Select "Install or upgrade an existing system". Go through the usual steps until the process prompts for the "Installation Method". You will see a number of choices:
Local CDROM
Hard Drive
NFS Image
FTP
HTTP

Select the network option of your choice (NFS, FTP, HTTP). Select the Ethernet device through which the installation client is connected to the installation server network; this would most likely be interface "eth0". Select "DHCP" in the following "Configure TCP/IP" screen. This will make the installation client use DHCP during the installation.

If You Selected The NFS Method

You will now reach the "NFS setup" menu. Enter the IP address of the installation server as the "NFS Server Name". The "Red Hat directory" will be "/data/network-install/ISO". The following menus will be the usual Fedora GUI installation screens.
If You Selected The HTTP Method

You will now reach the "HTTP Setup" menu. Enter the IP address of the installation server when prompted for a "Web site name". The "Red Hat directory" will be /network-install/RPM. The following menus will be text based versions of the usual Fedora installation screens.

During the installation, issue the following command on the server to check the Apache logs. It will help to verify whether the kickstart client is accessing the files correctly. You should get a status code of 200 after each GET statement; retrace your steps if you do not.

[root@bigboy tmp]# tail -f /var/log/httpd/access_log
192.168.1.247 [12/Nov/2006:12:01:04 -0800] "GET /network-install/RPM/repodata/repomd.xml HTTP/1.1" 20
192.168.1.247 [12/Nov/2006:12:01:05 -0800] "GET /network-install/RPM/repodata/primary.xml.gz HTTP/1.1
192.168.1.247 [12/Nov/2006:12:01:19 -0800] "GET /network-install/RPM/repodata/comps.xml HTTP/1.1" 200
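The status-200 check can be automated over the access_log rather than read by eye from tail -f. The script below is an added example, not from the manual: it reports every request from the installation client under /network-install/ that was not answered with 200. It assumes Apache's default log format (client, ident, user, [date tz], "request", status, bytes); the embedded log lines are constructed to mirror the transcript above, with one failing fetch and one request from an unrelated host added.

```shell
#!/bin/sh
# ks-http-check: scan an Apache access_log for the installation client's
# requests under /network-install/ and flag every one not answered with
# status 200. Added example, not part of the lab manual. Assumes Apache's
# default log format (client ident user [date tz] "request" status bytes).
# The log lines below are constructed to mirror the transcript above, with
# a failing fetch from the same client and a request from another host added.

SAMPLE_ACCESS_LOG='192.168.1.247 - - [12/Nov/2006:12:01:04 -0800] "GET /network-install/RPM/repodata/repomd.xml HTTP/1.1" 200 1140
192.168.1.247 - - [12/Nov/2006:12:01:05 -0800] "GET /network-install/RPM/repodata/primary.xml.gz HTTP/1.1" 200 844228
192.168.1.247 - - [12/Nov/2006:12:01:19 -0800] "GET /network-install/RPM/repodata/comps.xml HTTP/1.1" 200 853899
192.168.1.247 - - [12/Nov/2006:12:01:20 -0800] "GET /network-install/RPM/Fedora/missing.rpm HTTP/1.1" 404 294
192.168.1.50 - - [12/Nov/2006:12:02:00 -0800] "GET /mrtg/index.html HTTP/1.1" 200 2048'

# report_failed_fetches CLIENT_IP < access_log
# Prints "status path" for each request from CLIENT_IP under
# /network-install/ that did not return 200. Returns 0 when every fetch
# succeeded, 1 when at least one failed, 2 when the client never appears
# (which usually means it is talking to the wrong server or directory).
report_failed_fetches() {
    awk -v client="$1" '
        # $1 client, $7 request path, $9 HTTP status
        $1 == client && $7 ~ /^\/network-install\// {
            total++
            if ($9 != 200) { failed++; print $9, $7 }
        }
        END {
            if (total == 0) {
                print "no /network-install/ requests from " client > "/dev/stderr"
                exit 2
            }
            if (failed > 0) exit 1
            exit 0
        }'
}

# watch_failed_fetches CLIENT_IP [LOGFILE]: live variant for use while the
# installation runs (Ctrl-C to stop); prints failures as they are logged.
watch_failed_fetches() {
    tail -f "${2:-/var/log/httpd/access_log}" | awk -v client="$1" '
        $1 == client && $7 ~ /^\/network-install\// && $9 != 200 {
            print $9, $7; fflush()
        }'
}

# Run against the real log only when invoked as the installed script.
case "${0##*/}" in
    ks-http-check) report_failed_fetches "$1" < "${2:-/var/log/httpd/access_log}" ;;
esac
```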
If You Selected The FTP Method

You will now reach the "FTP Setup" menu. Enter the IP address of the installation server as the "FTP Site Name".

"Not Selecting" The Non-Anonymous FTP Box: The "Red Hat directory" will be "/". The following menus will be text based versions of the usual Fedora installation screens.

"Selecting" The Non-Anonymous FTP Box: The "Red Hat directory" will be "/data/network-install/RPM". Enter the username and password of your special FTP user account. The following menus will be text based versions of the usual RedHat installation screens.

Note: During the installation, issue the following command on the server to check the FTP logs. It will help to verify whether the kickstart client is accessing the files correctly.

[root@bigboy ~]# tail -f /var/log/vsftpd.log
Sun Nov 12 20:53:12 2006 1 192.168.1.231 1140 /data/network-install/RPM/repodata/repomd.xml b _ o r ftp-i
Sun Nov 12 20:53:21 2006 2 192.168.1.231 844228 /data/network-install/RPM/repodata/primary.xml.gz b _ o r
Sun Nov 12 20:53:40 2006 2 192.168.1.231 853899 /data/network-install/RPM/repodata/comps.xml b _ o r ftp-
Troubleshooting The Network Installation

You can do some basic troubleshooting by accessing the various installation status screens available.
The installation logs can always be viewed by hitting
Kernel messages can be seen by hitting
Access to a limited BASH shell can be gained by hitting
You can return to the main installation screen at any time by hitting for text based installations and when the GUI is used.

Examine your server's /var/log/httpd/access_log and /var/log/httpd/error_log files for the HTTP method; the /var/log/vsftpd.log file for the FTP method; and your /var/log/messages file for the NFS method.
Exercise-4:- This exercise demonstrates Automating Installation With Kickstart

Both Fedora and RedHat Linux save all the parameters you used during installation in the /root/anaconda-ks.cfg kickstart configuration file. You can use this file to create an automated installation of a duplicate system, which can be useful if you have a large number of servers to install. This section shows you how to automate network installations using the kickstart application and NFS. You can use HTTP and FTP, but they have been omitted to keep the discussion brief.

How To Create New Kickstart Configuration Files

You can create a customized kickstart configuration file by using the "ksconfig" command from a GUI console. It will bring up a menu from which you can select all your installation options. When finished, you save the configuration with the filename of your choice. You may want to then edit the configuration file and comment out certain parameters that may change from system to system with a "#". These could include things like the system's name and IP address. During the kickstart process you will be prompted for these unspecified values.

Note: Do not change the order of the entries in the kickstart configuration file.

Note: The IP address you assign must be on the same subnet as that of the DHCP server for kickstart to work. If the server is going to reside on a different network after the installation, then you'll have to run a separate script to change the IP addressing information after the installation is complete.

Adding Post Installation Commands

You may want to run some commands on the newly created Linux installation after kickstart is complete. Some processes that are activated by default by Fedora may not be suitable for your server and may need to be disabled. This can be done by placing a %post section at the end of the kickstart file with all the post installation commands you wish to run.
Here is an example:

%post
chkconfig isdn off
chkconfig pcmcia off
chkconfig portmap off
chkconfig apmd off
chkconfig nfslock off
chkconfig nfs off

A Note About Using anaconda-ks.cfg

It is possible to use the /root/anaconda-ks.cfg file as a template for future installations.
RedHat comments out the partitioning information in this file, so you will either have to uncomment it and then make your partitioning modifications or be prepared to be prompted for your partitioning information.

How To Run A Kickstart Installation

It is best to place your kickstart files in a subdirectory under the /data/network-install directory. The examples below assume the subdirectory is called /data/network-install/kickstart. Remember that you may want to remove the "#" comments from the partition section of the file. If not, you will be prompted for this information.

Using a NFS Server

Verify that the first two lines of the file look like this or else you may be prompted for NFS ISO file location information.
install
nfs --server=192.168.1.100 --dir=/data/network-install/ISO

Using a Web Server

Verify that the first two lines of the file look like this or else you may be prompted for RPM base file location information.
install
url --url http://192.168.1.100/network-install/RPM

Booting With Your Kickstart Files

There are two ways to specify the name of the kickstart file to use. The first is to enter it manually from the LILO boot: prompt when you insert the boot CD. The second is to have your DHCP server automatically tell the kickstart client the name of the kickstart file to use when it assigns the IP address. Both methods are listed below.

Manually Specifying the Kickstart Filename

Once you have booted from your boot CDROM, you'll need to use the following command at the lilo boot: prompt to continue with the installation. The ks.cfg file is the kickstart configuration file we want to use.
NFS Method
boot: linux ks=nfs:192.168.1.100:/kickstart/ks.cfg
HTTP Method
boot: linux ks=http://192.168.1.100/network-install/kickstart/ks.cfg

Configuring The Filename Automatically

Whenever you have to create lots of cloned Linux servers, you may want to configure your DHCP server to specify the single kickstart configuration file you wish to use.
Here is how it's done:

1) Place your kickstart file in the /data/network-install/kickstart directory.
2) Edit your dhcpd.conf file and add the following lines to the section for the interface that will be serving DHCP IP addresses. The next-server value is the IP address of the kickstart server.
filename "/data/network-install/kickstart/ks.cfg";
next-server 192.168.1.100;
3) Insert the boot CD into the kickstart client Linux box and connect it to the DHCP network. At the boot: prompt type in the following command:
boot: linux ks

Kickstart will first search for a configuration file named ks.cfg on either the boot CD. It will then automatically attempt to get a DHCP IP address and see if the DHCP server will specify a configuration file. Kickstart will then use NFS to get both the configuration file and the installation ISOs. The rest should be automatic.
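Before a kickstart file is placed on the server, the two conditions described above (the first two directives name the installation source, and the partitioning lines inherited from anaconda-ks.cfg are no longer commented out) can be checked with a script, so the clone does not stop to prompt. This is an added example, not part of the manual; the directive names it looks for (part, clearpart, volgroup, logvol, raid) are standard kickstart directives, and the sample files it is tested with are constructed.

```shell
#!/bin/sh
# ks-check: sanity-check a kickstart file before it is served, so that the
# client does not stop to prompt for information the file should supply.
# Added example, not part of the lab manual. It checks the two points the
# manual makes: the first two directives must name the installation source,
# and partitioning lines copied from anaconda-ks.cfg must not still be
# commented out. Sample files used in testing are constructed.

# ks_directives FILE: print the directives of FILE with comments, blank
# lines and everything from the first %section (%packages, %post, ...)
# onwards removed, so the first two output lines are the ones to verify.
ks_directives() {
    sed -e '/^%/,$d' -e 's/#.*$//' -e 's/[[:space:]]*$//' \
        -e '/^[[:space:]]*$/d' "$1"
}

# ks_source_ok FILE: true if the first two directives are "install" and
# either "nfs --server=... --dir=..." or "url --url ...", as in the manual.
ks_source_ok() {
    first=$(ks_directives "$1" | sed -n '1p')
    second=$(ks_directives "$1" | sed -n '2p')
    [ "$first" = "install" ] || return 1
    case "$second" in
        "nfs --server="*" --dir="*) return 0 ;;
        "url --url "*)               return 0 ;;
        *)                           return 1 ;;
    esac
}

# ks_commented_partitioning FILE: print partitioning directives that are
# still commented out (anaconda-ks.cfg ships them that way); returns 1 if
# any are found, 0 if the partitioning section is active.
ks_commented_partitioning() {
    found=$(grep -E '^[[:space:]]*#[[:space:]]*(part|partition|clearpart|volgroup|logvol|raid)[[:space:]]' "$1" || true)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# ks_check FILE: run both checks, print a verdict per check, and return 0
# only when the file will not cause prompts.
ks_check() {
    rc=0
    if ks_source_ok "$1"; then
        echo "ok: installation source is specified"
    else
        echo "PROMPT: first two directives must be 'install' and an nfs/url line"
        rc=1
    fi
    if out=$(ks_commented_partitioning "$1"); then
        echo "ok: partitioning directives are active"
    else
        echo "PROMPT: partitioning lines are still commented out:"
        printf '%s\n' "$out"
        rc=1
    fi
    return "$rc"
}

# Run only when invoked as the installed script, e.g. ks-check ks.cfg
case "${0##*/}" in
    ks-check) ks_check "$1" ;;
esac
```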
Exercises for lab: Exercise 1:- Create an image of the Fedora installation CDs on your systems and configure FTP, NFS and Apache servers to access that image.
Home Work:
1) Configure a kickstart file for automatic installation over NFS.
Lab 27: Remote Disk Access with NFS
To understand the Remote File Sharing among LINUX OSs
Lab No. 27: Remote Disk Access with NFS Objective: To equip students with the practical knowledge to configure Linux boxes for file sharing using Network File System Protocol
Scope: The student will be able to know the following at the end of this lab:
• Installing NFS
• Configuring NFS on The Client
• Configuring NFS on The Server
• Accessing NFS Server Directories from the Client
• Activating Modifications To The /etc/exports File
• Troubleshooting NFS
Useful Concepts:

The virtual filesystem (VFS)
Mechanism used by NFS to transparently and automatically redirect all access to NFS-mounted files to the remote server.

Stateless Operation
Programs that read and write to files on a local filesystem rely on the operating system to track their access location within the file with a pointer. As NFS is a network-based file system, and networks can be unreliable, it was decided that the NFS client daemon would act as a failsafe intermediary between regular programs running on the NFS client and the NFS server. Normally, when a server fails, file accesses time out and the file pointers are reset to zero. With NFS, the NFS server doesn't maintain the file pointer information; the NFS client does. This means that if an NFS server suddenly fails, the NFS client can precisely restart the file access once more after patiently waiting until the server returns online.

Caching
NFS clients typically request more data than they need and cache the results in memory locally so that further sequential access of the data can be done locally rather than over the network. This is also known as a read ahead cache. Data that's to be written to the NFS server is cached too, with the data being written to the server when the cache becomes full. Caching therefore helps to reduce the amount of network traffic while simultaneously improving the speed of some types of data access. The NFS server caches information too, such as the directory information for the most recently accessed files and a read ahead cache for recently read files.

NFS and Symbolic Links
You have to be careful with the use of symbolic links on exported NFS directories. If an absolute link points to a directory on the NFS server that hasn't been exported, then the NFS client won't be able to access it. Unlike absolute links, relative symbolic links are interpreted relative to the client's filesystem.

Consider an example where the /data1 directory on the server is mounted on the client's /data1 directory. If there is a link to the ../data2 directory on the NFS server and a directory corresponding to ../data2 doesn't exist on the NFS client, then an error will occur. Also, mounting a filesystem on a symbolic link actually mounts the filesystem on the target of the symbolic link. You'll have to be careful not to obscure the contents of this original directory in the process. Plan carefully before doing this.

NFS Background Mounting
NFS clients use the remote procedure call (RPC) suite of network application helper programs to mount remote filesystems. If the mount cannot occur during the default RPC timeout period, then the client retries the mount process until the NFS number of retries has been exceeded. The default is 10,000 minutes, which is approximately a week. The difficulty here is that if the NFS server is unavailable, the mount command will hang for a week until it returns online. It is possible to use the bg option to spawn the retries off as a subprocess so that the main mount command can continue to process other requests.

Hard and Soft Mounts
The process of continuous retrying, whether in the background or foreground, is called a hard mount. NFS attempts to guarantee the consistency of your data with these constant retries. With soft mounts, repeated RPC failures cause the NFS operation to fail rather than hang, and data consistency is therefore not guaranteed. The advantage is that the operation completes quickly, whether it fails or not. The disadvantage is that the use of the soft option implies that you are using an unreliable NFS server; if this is the case, it is best not to place critical data that needs to be updated regularly, or executable programs, in such a location.
Exercise-1:- This exercise illustrates NFS Installation
RedHat Linux installs nfs by default, and also by default nfs is activated when the system boots. You can determine whether you have nfs installed using the rpm command in conjunction with the grep command to search for all installed nfs packages.
[root@bigboy tmp]# rpm -qa | grep nfs
redhat-config-nfs-1.1.3-1
nfs-utils-1.0.1-3.9
[root@bigboy tmp]#
A blank list means that you'll have to install the required packages. You also need to have the RPC rpcbind package installed, and the rpm command can tell you whether it's on your system already:
[root@bigboy tmp]# rpm -q rpcbind
rpcbind-4.0-57
[root@bigboy tmp]#
A blank list means that you'll have to install the required packages. If nfs and rpcbind are not installed, they can be added fairly easily once you find the nfs-utils and rpcbind RPMs. (Remember that RPM filenames usually start with the software's name and a version number, as in nfs-utils-1.1.3-1.i386.rpm.) Using yum or apt-get is a suitable option.
Exercise-2:- This exercise illustrates Scenario Based NFS configuration

Scenario
A small office has an old Linux server that is running out of disk space. The office cannot tolerate any down time, even after hours, because the server is accessed by overseas programmers and clients at night and local ones by day. Budgets are tight and the company needs a quick solution until it can get a purchase order approved for a hardware upgrade. Another Linux server on the network has additional disk capacity in its /data partition and the office would like to expand into it as an interim expansion NFS server.

Configuring NFS on the Server
Both the NFS server and NFS client have to have parts of the NFS package installed and running. The server needs rpcbind, nfs, and nfslock operational, as well as a correctly configured /etc/exports file. Here's how to do it.

The /etc/exports File
The /etc/exports file is the main NFS configuration file, and it consists of two columns. The first column lists the directories you want to make available to the network. The second column has two parts. The first part lists the networks or DNS domains that can get access to the directory, and the second part lists NFS options in brackets. For the scenario you need:
• Read-only access to the /data/files directory to all networks
• Read/write access to the /home directory from all servers on the 192.168.1.0/24 network, which is all addresses from 192.168.1.0 to 192.168.1.255
• Read/write access to the /data/test directory from servers in the my-site.com DNS domain
• Read/write access to the /data/database directory from a single server, 192.168.1.203
In all cases, use the sync option to ensure that file data cached in memory is automatically written to the disk after the completion of any disk data copying operation.
#/etc/exports
/data/files      *(ro,sync)
/home            192.168.1.0/24(rw,sync)
/data/test       *.my-site.com(rw,sync)
/data/database   192.168.1.203/32(rw,sync)
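The following script, added here as an example and not part of the manual or of nfs-utils, parses /etc/exports lines in the two-column form just described and flags lines that are broader than the scenario needs (world read/write, missing sync, or the no_root_squash option that disables root_squash). The sample file is constructed from the scenario plus one deliberately loose line.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the scenario's /etc/exports plus one deliberately loose
# line (/data/scratch) so the audit has something to report.
SAMPLE_EXPORTS = """\
#/etc/exports
/data/files     *(ro,sync)
/home           192.168.1.0/24(rw,sync)
/data/test      *.my-site.com(rw,sync)
/data/database  192.168.1.203/32(rw,sync)
/data/scratch   *(rw,no_root_squash)
"""

@dataclass
class Export:
    path: str
    clients: dict = field(default_factory=dict)   # client spec -> set of options

def parse_exports(text):
    """Return one Export per non-comment line of an /etc/exports file."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        exp = Export(parts[0])
        for spec in parts[1:]:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", spec)
            if m is None:
                raise ValueError(f"malformed client spec: {spec!r}")
            client = m.group(1) or "*"            # a bare "(rw)" applies to every client
            opts = {o for o in (m.group(2) or "").split(",") if o}
            exp.clients[client] = opts
        exports.append(exp)
    return exports

def audit_exports(exports):
    """Return warnings for export lines broader than the scenario calls for."""
    warnings = []
    for exp in exports:
        for client, opts in exp.clients.items():
            if "sync" not in opts:
                warnings.append(f"{exp.path} {client}: missing sync, cached writes may be lost")
            if client == "*" and "rw" in opts:
                warnings.append(f"{exp.path}: read/write is exported to every host")
            if "no_root_squash" in opts:
                warnings.append(f"{exp.path} {client}: no_root_squash lets client root act as root on the server")
    return warnings

if __name__ == "__main__":
    for w in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print("WARNING:", w)
```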
After configuring your /etc/exports file, you need to activate the settings, but first make sure that NFS is running correctly.

Starting NFS on the Server
Configuring an NFS server is straightforward:
1) Use the chkconfig command to configure the required nfs and RPC rpcbind daemons to start at boot. You also should activate NFS file locking to reduce the risk of corrupted data.
[root@bigboy tmp]# chkconfig --level 35 nfs on
[root@bigboy tmp]# chkconfig --level 35 nfslock on
[root@bigboy tmp]# chkconfig --level 35 rpcbind on
2) Use the init scripts in the /etc/init.d directory to start the nfs and RPC rpcbind daemons. The examples use the start option, but when needed, you can also stop and restart the processes with the stop and restart options.
[root@bigboy tmp]# service rpcbind start
[root@bigboy tmp]# service nfs start
[root@bigboy tmp]# service nfslock start
3) Test whether NFS is running correctly with the rpcinfo command. You should get a listing of running RPC programs that must include mountd, portmapper, nfs, and nlockmgr.
[root@bigboy tmp]# rpcinfo -p localhost
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp   1024  nlockmgr
    100021    3   udp   1024  nlockmgr
    100021    4   udp   1024  nlockmgr
    100005    1   udp   1042  mountd
    100005    1   tcp   2342  mountd
    100005    2   udp   1042  mountd
    100005    2   tcp   2342  mountd
    100005    3   udp   1042  mountd
    100005    3   tcp   2342  mountd
[root@bigboy tmp]#
Configuring NFS on the Client
NFS configuration on the client requires you to start the NFS application; create a directory on which to mount the NFS server's directories that you exported via the /etc/exports file; and finally mount the NFS server's directory on your local directory, or mount point. Here's how to do it all.

Starting NFS on the Client
Three more steps easily configure NFS on the client.
1) Use the chkconfig command to configure the required nfs and RPC rpcbind daemons to start at boot. Activate nfslock to lock the files and reduce the risk of corrupted data.
[root@smallfry tmp]# chkconfig --level 35 netfs on
[root@smallfry tmp]# chkconfig --level 35 nfslock on
[root@smallfry tmp]# chkconfig --level 35 rpcbind on
2) Use the init scripts in the /etc/init.d directory to start the nfs and RPC rpcbind daemons. As on the server, the examples use the start option, but you can also stop and restart the processes with the stop and restart options.
[root@smallfry tmp]# service rpcbind start
[root@smallfry tmp]# service netfs start
[root@smallfry tmp]# service nfslock start
3) Test whether NFS is running correctly with the rpcinfo command. The listing of running RPC programs you get must include status, portmapper, and nlockmgr.
[root@smallfry root]# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    100021    1   udp  32769  nlockmgr
    100021    3   udp  32769  nlockmgr
    100021    4   udp  32769  nlockmgr
    100021    1   tcp  32769  nlockmgr
    100021    3   tcp  32769  nlockmgr
    100021    4   tcp  32769  nlockmgr
    391002    2   tcp  32770  sgi_fam
[root@smallfry root]#
NFS and DNS
The NFS client must have a matching pair of forward and reverse DNS entries on the DNS server used by the NFS server. In other words, a DNS lookup on the NFS server for the IP address of the NFS client must return a server name that will map back to the original IP address when a DNS lookup is done on that same server name.
[root@bigboy tmp]# host 192.168.1.102
201.1.168.192.in-addr.arpa domain name pointer 192-168-1-102.my-site.com.
[root@bigboy tmp]# host 192-168-1-102.my-site.com
192-168-1-102.my-site.com has address 192.168.1.102
[root@bigboy tmp]#
This is a security precaution added to the nfs package that lessens the likelihood of unauthorized servers gaining access to files on the NFS server. Failure to correctly register your server IPs in DNS can result in "fake hostname" errors:
Nov 7 19:14:40 bigboy rpc.mountd: Fake hostname smallfry.my-site.com for 192.168.1.1 - forward lookup do
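The forward/reverse check that rpc.mountd performs, written out as an added example (not the manual's or nfs-utils' code). The PTR and A tables are constructed stand-ins for the DNS server so the check runs offline; check_client_live is a hypothetical helper that does the same lookups through the system resolver.

```python
import socket

# Constructed stand-ins for the DNS server's reverse (PTR) and forward (A) data.
PTR_RECORDS = {
    "192.168.1.102": "192-168-1-102.my-site.com",   # matches the forward record below
    "192.168.1.1":   "smallfry.my-site.com",        # PTR exists, but forward disagrees
    "192.168.1.50":  None,                           # no PTR record at all
}
A_RECORDS = {
    "192-168-1-102.my-site.com": ["192.168.1.102"],
    "smallfry.my-site.com":      ["192.168.1.103"],
}

def check_client(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Return (ok, message): ok only when PTR(ip) -> name and A(name) contains ip."""
    name = ptr.get(ip)
    if not name:
        return False, f"{ip}: no reverse DNS entry"
    addrs = a.get(name, [])
    if ip not in addrs:
        # This is the situation behind mountd's "Fake hostname" log line.
        return False, f"Fake hostname {name} for {ip} - forward lookup returned {addrs or 'nothing'}"
    return True, f"{ip} <-> {name} consistent"

def check_client_live(ip):
    """Same check through the system resolver (hypothetical helper; needs real DNS)."""
    try:
        name = socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return False, f"{ip}: no reverse DNS entry"
    try:
        addrs = socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        addrs = []
    return check_client(ip, {ip: name}, {name: addrs})

if __name__ == "__main__":
    for client_ip in PTR_RECORDS:
        print(check_client(client_ip))
```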
Accessing NFS Server Directories from the Client
In most cases, users want their NFS directories to be permanently mounted. This requires an entry in the /etc/fstab file in addition to the creation of the mount point directory.

The /etc/fstab File
The /etc/fstab file lists all the partitions that need to be auto-mounted when the system boots. Therefore, you need to edit the /etc/fstab file if you need the NFS directory to be made permanently available to users on the NFS client. For the example, mount the /data/files directory on server bigboy (IP address 192.168.1.100) as an NFS-type filesystem using the local /mnt/nfs mount point directory.
#/etc/fstab
#Directory                  Mount Point   Type   Options          Dump   FSCK
192.168.1.100:/data/files   /mnt/nfs      nfs    soft,nfsvers=2   0      0
This example used the soft and nfsvers options; Table 29.1 below outlines these and other useful NFS mounting options you may want to use. See the NFS man pages for more details.

Possible NFS Mount Options
Option      Description
bg          Retry mounting in the background if mounting initially fails
fg          Mount in the foreground
soft        Use soft mounting
hard        Use hard mounting
rsize=n     The amount of data NFS will attempt to access per read operation. The default is dependent on the kernel. For NFS version 2, set it to 8192 to assure maximum throughput.
wsize=n     The amount of data NFS will attempt to access per write operation. The default is dependent on the kernel. For NFS version 2, set it to 8192 to assure maximum throughput.
nfsvers=n   The version of NFS the mount command should attempt to use
tcp         Attempt to mount the filesystem using TCP packets; the default is UDP.
intr        If the filesystem is hard mounted and the mount times out, allow the process to be aborted using the usual methods such as CTRL-C and the kill command.
The steps to mount the directory are fairly simple, as you'll see.

Permanently Mounting the NFS Directory
You'll now create a mount point directory, /mnt/nfs, on which to mount the remote NFS directory, and then use the mount -a command to activate the mount. Notice how before mounting there were no files visible in the /mnt/nfs directory; this changes after the mounting is completed:
[root@smallfry tmp]# mkdir /mnt/nfs
[root@smallfry tmp]# ls /mnt/nfs
[root@smallfry tmp]# mount -a
[root@smallfry tmp]# ls /mnt/nfs
ISO  ISO-RedHat  kickstart  RedHat
[root@smallfry tmp]#
Each time your system boots, it reads the /etc/fstab file and executes the mount -a command, thereby making this a permanent NFS mount.
Note: There are multiple versions of NFS, the most popular of which is version 2, which most NFS clients use. Newer NFS servers may also be able to handle NFS version 4. To be safe, it is best to force the NFS server to export directories as version 2 using the nfsvers=2 option in the /etc/fstab file as shown in the example. Failure to do so may result in an error message.
[root@probe-001 tmp]# mount -a
mount to NFS server '192.168.1.100' failed: server is down.
[root@probe-001 tmp]#
Exercise-3:- This exercise illustrates NFS Troubleshooting
A basic NFS configuration usually works without problems when the client and server are on the same network. The most common problems are caused by forgetting to start NFS, to edit the /etc/fstab file, or to export the directories listed in the /etc/exports file. Another common cause of failure is the iptables firewall daemon running on either the server or client without the administrator realizing it. When the client and server are on different networks, these checks still apply, but you'll also have to make sure basic connectivity has been taken care of. Sometimes a firewall being present on the path between the client and server can cause difficulties. As always, no troubleshooting plan would be complete without frequent reference to the /var/log/messages file when searching for additional clues. The following table shows some common NFS errors you'll encounter.

Some Common NFS Error Messages
Error                               Description
Too many levels of remote in path   Attempting to mount a filesystem that has already been mounted.
Permission denied                   User is denied access. This could be the client's root user, who has unprivileged status on the server due to the root_squash option. It could also be because the user on the client doesn't exist on the server.
No such host                        Typographical or DNS configuration error in the name of the server.
No such file or directory           Typographical error in the name of the file or directory: they don't exist.
NFS server is not responding        The server could be overloaded or down.
Stale file handle                   A file that was previously accessed by the client was deleted on the server before the client closed it.
Fake hostname                       Forward and reverse DNS entries don't exist for the NFS client.
The showmount Command
When run on the server, the showmount -a command lists all the currently exported directories. It also shows a list of NFS clients accessing the server; in this case one client has an IP address of 192.168.1.102.
[root@bigboy tmp]# showmount -a
All mount points on bigboy:
*:/home
192.168.1.102:*
[root@bigboy tmp]#

The df Command
The df command lists the disk usage of a mounted filesystem. Run it on the NFS client to verify that NFS mounting has occurred. In many cases, the root_squash mount option will prevent the root user from doing this, so it's best to try it as an unprivileged user.
[nfsuser@smallfry nfsuser]$ df -F nfs
Filesystem                   1K-blocks      Used Available Use% Mounted on
192.168.1.100:/home/nfsuser    1032056    346552    633068  36% /home/nfsuser
[nfsuser@smallfry nfsuser]$
The nfsstat Command
The nfsstat command provides useful error statistics. The -s option provides NFS server stats, while the -c option provides them for clients. Threshold guidelines are provided in the table that follows.
[root@bigboy tmp]# nfsstat -s
Server rpc stats:
calls      badcalls   badauth    badclnt    xdrcall
1547       0          0          0          0
Server nfs v2:
null       getattr    setattr    root       lookup     readlink
244  100%  0     0%   0     0%   0     0%   0     0%   0     0%
read       wrcache    write      create     remove     rename
0     0%   0     0%   0     0%   0     0%   0     0%   0     0%
link       symlink    mkdir      rmdir      readdir    fsstat
0     0%   0     0%   0     0%   0     0%   0     0%   0     0%
Server nfs v3:
null       getattr    setattr    lookup     access     readlink
251   19%  332   25%  0     0%   265   20%  320   24%  0     0%
read       write      create     mkdir      symlink    mknod
39     2%  14     1%  1     0%   1     0%   0     0%   0     0%
remove     rmdir      rename     link       readdir    readdirplus
0     0%   0     0%   0     0%   0     0%   0     0%   31     2%
fsstat     fsinfo     pathconf   commit
1     0%   34     2%  0     0%   14     1%
[root@bigboy tmp]#
Error Thresholds For The nfsstat Command
Value      Threshold   Description
readlink   > 10%       Excessive numbers of symbolic links slowing performance. Try to replace them with a directory and mount the filesystem directly on this new mount point.
getattr    > 50%       File attributes, like file data, are cached in NFS. This value tracks the percentage of file attribute reads that are not from cache refresh requests. Usually caused by the NFS "noac" mount option, which prevents file attribute caching.
badcalls   > 0         Bad RPC requests. Could be due to poorly configured authentication, the root user attempting to access data governed by the "root_squash" directive, or having a user in too many groups.
retrans    > 5%        Percentage of requests for service that the client had to retransmit to the servers. Could be due to slow NFS servers or poor network conditions.
writes     > 10%       Writes are slow due to poor caching values. Check the "noac" and "wsize" mount options.
Exercises for lab
Exercise 1:- This exercise illustrates NFS Installation
Exercise 2:- Create a directory named 'shared' and configure the NFS server for sharing the newly created directory 'shared' with other systems.
Home Work
Configure an NFS server for the scenario given below: A home user has a Linux server with low disk space. S(he) has another Linux system in the house with some extra space in the /home filesystem. Keeping the budget aspect in mind, the user wants to share the free space on the /home filesystem of the other system. Help him/her in configuring an NFS server that provides:
1) Read-only access to the /data/files directory to all networks
2) Read/write access to the /home directory from all servers on the 192.168.1.0/24 network, which is all addresses from 192.168.1.0 to 192.168.1.255
3) Read/write access to the /data/test directory from servers in the my-site.com DNS domain
4) Read/write access to the /data/database directory from a single server, 192.168.1.203.
Lab No. 28: Controlling Web Usage with Squid
To understand controlling Web usage with Squid
Lab No. 28: Controlling Web Usage with Squid Objective: To familiarize students with how to limit web access to authorized users only.
Scope: The students would be able to do the following at the end of this lab:
• Configure the Squid proxy server to provide restricted access to the Internet using access lists.
• Provide transparent proxy services to the users.
Useful Concepts

Squid Configuration File
The main Squid configuration file is squid.conf, and, like most Linux applications, Squid needs to be restarted for changes to the configuration file to take effect. In the next sections we illustrate the various useful sections of the squid.conf file.

The Visible Host Name
Squid will fail to start if you don't give your server a hostname. You can set this with the visible_hostname parameter. Here, the hostname is set to the real name of the server, ciit.
visible_hostname ciit

Access Control Lists
You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or source network; ACLs are then linked to an http_access statement that tells Squid whether to deny or allow traffic that matches the ACL. Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.
Note: The very last http_access statement in the squid.conf file denies all access. You therefore have to add your specific permit statements above this line.
Exercise-1:- This exercise illustrates Restricting Web Access By Time
You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours
Or, you can allow morning access only:
#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:00-12:00
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings
Exercise-2:- This exercise illustrates Restricting Access to specific Web sites
Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. In this example we create two lists in files named /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.
# File: /usr/local/etc/allowed-sites.squid
www.openfree.org
www.google.com
# File: /usr/local/etc/restricted-sites.squid
www.restricted-site.com
www.illegal.com
These can then be used to always block the restricted sites and permit the allowed sites during working hours. This can be illustrated by expanding our previous example slightly.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites
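To see how Squid's top-to-bottom, first-match evaluation treats the ACLs from Exercises 1 and 2, here is an added simulator (example code, not Squid's own and not from the manual). The two site lists are embedded instead of read from /usr/local/etc, and the closing "deny all" stands in for the last http_access line of a stock squid.conf.

```python
import ipaddress
from datetime import datetime

# Contents of the two site files from Exercise 2, embedded so this runs offline.
ALLOWED_SITES = ["www.openfree.org", "www.google.com"]            # allowed-sites.squid
RESTRICTED_SITES = ["www.restricted-site.com", "www.illegal.com"]  # restricted-sites.squid

# Squid's day letters for time ACLs: S M T W H F A, plus D for weekdays.
DAY_CODES = {"S": {6}, "M": {0}, "T": {1}, "W": {2}, "H": {3}, "F": {4}, "A": {5},
             "D": {0, 1, 2, 3, 4}}

# The acl lines from Exercises 1 and 2: name -> (type, values).
ACLS = {
    "home_network":   ("src", ["192.168.1.0/24"]),
    "business_hours": ("time", ["M T W H F 9:00-17:00"]),
    "RestrictedHost": ("src", ["192.168.1.23"]),
    "GoodSites":      ("dstdomain", ALLOWED_SITES),
    "BadSites":       ("dstdomain", RESTRICTED_SITES),
}

# The http_access lines in the order the exercises give them, then "deny all".
HTTP_ACCESS = [
    ("deny",  ["RestrictedHost"]),
    ("deny",  ["BadSites"]),
    ("allow", ["home_network", "business_hours", "GoodSites"]),
    ("deny",  ["all"]),
]

def match_src(values, req):
    ip = ipaddress.ip_address(req["src"])
    return any(ip in ipaddress.ip_network(v, strict=False) for v in values)

def match_time(values, req):
    when = req["when"]
    for v in values:
        *days, span = v.split()
        if days and not any(when.weekday() in DAY_CODES[d] for d in days):
            continue
        start, end = span.split("-")
        to_min = lambda hm: int(hm.split(":")[0]) * 60 + int(hm.split(":")[1])
        if to_min(start) <= when.hour * 60 + when.minute < to_min(end):
            return True
    return False

def match_dstdomain(values, req):
    host = req["dst"].lower()
    for v in values:
        v = v.lower()
        if v.startswith("."):              # ".example.com" matches the domain and subdomains
            if host == v[1:] or host.endswith(v):
                return True
        elif host == v:                    # no leading dot: exact host match only
            return True
    return False

MATCHERS = {"src": match_src, "time": match_time, "dstdomain": match_dstdomain}

def acl_matches(name, req):
    if name == "all":
        return True
    kind, values = ACLS[name]
    return MATCHERS[kind](values, req)

def http_access(req, rules=HTTP_ACCESS):
    """First-match evaluation: every ACL on a line must match for the line to fire."""
    for action, names in rules:
        if all(acl_matches(n, req) for n in names):
            return action
    return "deny"                          # nothing matched: Squid denies by default

if __name__ == "__main__":
    monday_10am = datetime(2024, 1, 8, 10, 0)
    print(http_access({"src": "192.168.1.10", "dst": "www.google.com", "when": monday_10am}))
```

Requests are passed as a dict with the client address, destination host and a datetime; pass a reordered rule list to see why the text warns against placing an allow above a more specific deny.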
Exercise-3:- This exercise illustrates Restricting Web Access By IP Address
You can create an access control list that restricts Web access to users on certain networks. In this case, it's an ACL that defines a home network of 192.168.1.0.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/255.255.255.0
You also have to add a corresponding http_access statement that allows traffic that matches the ACL:
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow home_network
Exercise-4:- This exercise illustrates Configuring Web Browsers to Use Your Squid Server
If you don't have a firewall that supports redirection, then you need to configure your firewall to only accept HTTP Internet access from the Squid server, as well as configure your PC browser's proxy server settings manually to use the Squid server. The method you use depends on your browser. For example, to make these changes using Internet Explorer:
1. Click on the "Tools" item on the menu bar of the browser.
2. Click on "Internet Options".
3. Click on "Connections".
4. Click on "LAN Settings".
5. Configure with the address and TCP port (3128 default) used by your Squid server.
Here's how to make the same changes using Mozilla or Firefox:
1. Click on the "Edit" item on the browser's menu bar.
2. Click on "Preferences".
3. Click on "Advanced".
4. Click on "Proxies".
5. Configure with the address and TCP port (3128 default) used by your Squid server under "Manual Proxy Configuration".
Exercises for lab
Exercise 1:- Install the Squid proxy server.
Exercise 2:- Using the Squid proxy server, restrict users from visiting illegal sites.
Exercise 3:- Allow users to only visit legal/allowed sites from trusted IP addresses only.
Home Work
1) Make your Squid server transparent to users using the transparent proxy configuration.
Lab 29: DNS Configuration 1
To understand the DNS bind process and DNS client settings
Lab No. 29: DNS Configuration 1 Objective: To familiarize students with the bind process and DNS client settings
Scope: The students would be able to do the following at the end of this lab: • To manage BIND process • Client side DNS configuration options • Test the DNS server working
Exercise-1:- This exercise illustrates How to Get BIND Started
Setting up your DNS server is easy to do, but the procedure differs between Linux distributions.
Redhat / Fedora
You can use the chkconfig command to get BIND configured to start at boot:
[root@root]# chkconfig named on
To start, stop, and restart BIND after booting, use:
[root@root]# /etc/init.d/named start
[root@root]# /etc/init.d/named stop
[root@root]# /etc/init.d/named restart
Remember to restart the BIND process every time you make a change to the configuration file for the changes to take effect on the running process.
Debian / Ubuntu
You can use the sysv-rc-conf command to get BIND configured to start at boot:
[root@root]# sysv-rc-conf bind on
To start, stop, and restart BIND after booting, use:
[root@root]# /etc/init.d/bind start
[root@root]# /etc/init.d/bind stop
[root@root]# /etc/init.d/bind restart
Exercise-2:- This exercise describes the /etc/resolv.conf File
DNS clients (servers not running BIND) use the /etc/resolv.conf file to determine both the location of their DNS server and the domains to which they belong. The file generally has two columns; the first contains a keyword, and the second contains the desired values separated by commas. See the Table below for a list of keywords:
Take a look at a sample configuration in which the client server's main domain is my-site.com, but it also is a member of domains my-site.net and my-site.org, which should be searched for shorthand references to other servers. Two name servers, 192.168.1.100 and 192.168.1.102, provide DNS name resolution:
search my-site.com my-site.net my-site.org
nameserver 192.168.1.100
nameserver 192.168.1.102
The first domain listed after the search directive must be the home domain of your network, in this case my-site.com. Placing both a domain and a search entry in /etc/resolv.conf is therefore redundant.
Exercise-3:- This exercise illustrates Basic Testing of DNS Resolution
There are a number of commands you can use to do these lookups. Linux uses the host command, for example, but Windows uses nslookup.
The host Command
The host command accepts as its argument either the fully qualified domain name or the IP address of the server. To perform a forward lookup, use the syntax:
[root@root]# host www.google.com
www.google.com has address 65.115.71.34
[root@root]#
The nslookup Command
The nslookup command provides the same results on Windows PCs. To perform a forward lookup, use:
C:\> nslookup www.google.com
Server:  192-168-1-200.my-site.com
Address:  192.168.1.200

Non-authoritative answer:
Name:    www.google.com
Address:  65.115.71.34
C:\>
Exercises for lab:
Exercise 1:- Configure the bind process to load at system startup.
Exercise 2:- Configure the resolv.conf file for client side configuration to use the proper DNS name server.
Exercise 3:- Test whether the DNS server is working or not.
Home Work:
1) Explain the use of the forward lookup zone and the reverse lookup zone in DNS.
Lab 30: DNS Configuration 2
To understand DNS Zone files and Schema Configuration
Lab No. 30: DNS Configuration 2 Objective: To familiarize the students with configuring DNS Zone files and Schema.
Scope: The students would be able to do the following at the end of this lab:
• Configure basic DNS settings
• Set up forward and reverse zone files for name resolution
Exercise-1:- This exercise illustrates how to configure your own Nameserver
For the purposes of this tutorial, assume your ISP assigned you the subnet 97.158.253.24 with a subnet mask of 255.255.255.248 (/29).

Configuring resolv.conf
You'll have to make your DNS server refer to itself for all DNS queries by configuring the /etc/resolv.conf file to reference localhost only.
nameserver 127.0.0.1

Creating a named.conf Base Configuration
The /etc/named.conf file contains the main DNS configuration and tells BIND where to find the configuration, or zone, files for each domain you own. This file usually has two zone areas: forward zone file definitions list files to map domains to IP addresses; reverse zone file definitions list files to map IP addresses to domains.
The first task is to make sure your DNS server is listening for requests on all the required network interfaces. The options section of named.conf may be configured to listen exclusively on its internal hidden localhost interface with an IP address of 127.0.0.1, as we see in this example:
# File: /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; };
};
If other devices are going to rely on your server for queries, then you'll need to either change this or add a selected number of IP addresses on your server. In this example, we allow queries on any interface.
listen-on port 53 { any; };
In this example, we allow queries on localhost and address 192.168.1.100.
listen-on port 53 { 127.0.0.1; 192.168.1.100; };
Note: Always make sure localhost, 127.0.0.1, is included.

Forward Zone File References in named.conf
Let's describe how we point to forward zone files in a typical named.conf file. In this example the zone file is named my-site.zone, and, although not explicitly stated, the file my-site.zone should be located in the default directory of /var/named/chroot/var/named in a chroot configuration or in /var/named in a regular one. With Debian / Ubuntu, references to the full file path will have to be used. Use the code:
zone "my-web-site.org" {
    type master;
    notify no;
    allow-query { any; };
    file "my-site.zone";
};
In addition, you can insert more entries in the named.conf file to reference other Web domains you host. Here is an example for another-site.com using a zone file named another-site.zone.
zone "another-site.com" {
    type master;
    notify no;
    allow-query { any; };
    file "another-site.zone";
};
Note: The allow-query directive defines the networks that are allowed to query your DNS server for information on any zone. For example, to limit queries to only your 192.168.1.0 network, you could modify the directive to:
allow-query { 192.168.1.0/24; };

Reverse Zone File References in named.conf
Here's how to format entries that refer to zone files used for reverse lookups for your IP addresses.
zone "1.168.192.in-addr.arpa" {
    type master;
    notify no;
    allow-query { any; };
    file "192-168-1.zone";
};

Sample Forward Zone File
Now that you know the key elements of a zone file, it's time to examine a working example for the domain my-site.com.
;
; Zone file for my-site.com
;
; The full zone file
;
$TTL 3D
@       IN      SOA     ns1.my-site.com. hostmaster.my-site.com. (
                        200211152       ; serial#
                        3600            ; refresh, seconds
                        3600            ; retry, seconds
                        3600            ; expire, seconds
                        3600 )          ; minimum, seconds
                NS      www             ; Inet Address of nameserver
my-site.com.    MX      10 mail         ; Primary Mail Exchanger
localhost       A       127.0.0.1
bigboy          A       97.158.253.26
mail            A       97.158.253.27
ns1             CNAME   bigboy
www             CNAME   bigboy

Sample Reverse Zone File
;
; Filename: 192-168-1.zone
;
; Zone file for 192.168.1.x
;
$TTL 3D
@       IN      SOA     www.my-site.com. hostmaster.my-site.com. (
                        200303301       ; serial number
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
                NS      www             ; Nameserver Address
100             PTR     bigboy.my-site.com.
103             PTR     smallfry.my-site.com.
102             PTR     ochorios.my-site.com.
105             PTR     reggae.my-site.com.
32              PTR     dhcp-192-168-1-32.my-site.com.
33              PTR     dhcp-192-168-1-33.my-site.com.
34              PTR     dhcp-192-168-1-34.my-site.com.
35              PTR     dhcp-192-168-1-35.my-site.com.
36              PTR     dhcp-192-168-1-36.my-site.com.
Exercises for lab:
Exercise 1:- Configure the DNS server for name resolution.
Home Work:
1) Elucidate the purpose of the schema file used in configuring a DNS server.
2) Explain the use of the forward lookup zone and the reverse lookup zone in DNS.
Lab 31: DNS Configuration 3
To understand the DNS cache nameserver
Lab No. 31: DNS Configuration 3 Objective: To familiarize students with the use of a cache nameserver.
Scope: The students would be able to do the following at the end of this lab:
• Understand the cache nameserver
• Configure a Linux box as a cache nameserver
Useful Concepts:
Authoritative servers
• Authoritative servers provide the definitive information for your DNS domain, such as the names of servers and Web sites in it. They are the last word in information related to your domain.
Caching DNS server
• These servers, through a process called recursion, sequentially query the authoritative servers at the root, main domain and sub domain levels to eventually get the specific information requested.
When to Use A DNS Caching Name Server
• Most servers don't ask the authoritative DNS servers directly; they usually ask a caching DNS server to do it on their behalf. The most frequently requested information is then stored (or cached) to reduce the lookup overhead of subsequent queries.
Exercise-1:- This exercise illustrates how to configure your Nameserver as a caching nameserver
If your DNS server is also acting as a caching DNS server, then you'll also need a view for localhost to use. We'll use a view called localhost_resolver for this.
The Caching Nameserver localhost_resolver View
The localhost_resolver view is used for your caching DNS server configuration and should look like this:
view "localhost_resolver" {
    /* This view sets up named to be a localhost resolver
     * ( caching only nameserver ). If all you want is a
     * caching-only nameserver, then you need only define this view:
     */
    match-clients { localhost; };
    match-destinations { localhost; };
    // As your caching name server clients will be using this server
    // for DNS lookups to get to sites all over the Web you'll need to
    // turn on recursion
    recursion yes;
    // All views used by caching nameserver clients must
    // contain the root hints zone. Recursive lookups to DNS domains
    // you don't own (non-authoritative) starts here.
    zone "." IN {
        type hint;
        file "named.ca";
    };
    /* these are zones that contain definitions for all the localhost
     * names and addresses, as recommended in RFC1912 - these names should
     * ONLY be served to localhost clients:
     */
    include "/etc/named.rfc1912.zones";
    /*
     * Include zonefiles for internal zones
     */
    include "/var/named/zones/internal/internal_zones.conf";
};
There are some quick facts you should be aware of with your caching name server configuration:
1. If you want your server to be only a caching DNS server, then delete all other views in named.conf and restart the named daemon.
[root@bigboy tmp]# /etc/init.d/named restart
2. Make all the other machines on your network point to the caching DNS server as their primary DNS server.
3. Remember that all DNS queries done on your DNS server appear to come from localhost. If your server is also an authoritative server for your domain, you will have to include a reference to your domain's zone files in this section for the server's own DNS lookups to work. If not, queries from clients defined by the internal and external ACLs will work correctly, but queries for the domain from the server itself will fail. In this example we have included a reference to the internal_zones.conf zone file, which we'll visit again soon. This line can be deleted if your server isn't an authoritative server for your domain.
Note: If you have a localhost-only view like this, make sure you don't reference localhost in any of your other views, as one view will take precedence over the other for queries from your server. This could lead to unpredictable results.
Exercises for lab:

Exercise 1:- Configure the DNS server as a caching nameserver and as an authoritative nameserver.
Home Work:

1) Describe the difference between an authoritative nameserver and a cache nameserver.
Lab 32: Dynamic DNS

• To understand Dynamic DNS
Lab No. 32: Dynamic DNS

Objective: To familiarize students with the working of Dynamic DNS and its configuration.
Scope: The students would be able to do the following at the end of this lab:

• Understand the working of Dynamic DNS
• Install a Dynamic DNS client
• Configure a Dynamic DNS client
• Configure DDNS authentication
Useful Concepts:

Dynamic DNS (DDNS): Used when you get a changing (dynamic) Internet IP address via DHCP from your ISP. You will have to use the services of a third-party DNS provider to provide DNS information for your my-site.com domain.
Exercise-1:- This exercise illustrates registering DDNS.

Once you have decided to go ahead with DDNS you'll need to choose between the broad categories of Dynamic DNS service.

Free Dynamic DNS: Your website name will be a sub domain of the DDNS provider's domain. For example, if the DDNS provider's domain is my-isp.net, then your site will become my-site.my-isp.net. You can perform all the necessary steps on your DDNS service provider's Web site. Remember that this type of service may be undesirable for a company that wants to establish its own corporate identity. Another disadvantage is that you must rely on your DDNS provider staying in business or else you may lose your domain. When you own your own domain this worry largely goes away as you are fully in control of the DNS registration and renewal process.

Paid Customized DNS: You can register the domain name of your choice and still host your website on a DHCP line. If you choose to create your own domain and use a paid DDNS service then you'll need to follow these steps:

1. Register your domains (such as my-site.com) with such companies as Verisign and RegisterFree.
2. Create an account with the DDNS provider and register your websites (sometimes called hosts) as part of your domain (as in www.my-site.com and mail.my-site.com) with them. Your DDNS registration process will provide you with a username and password which you'll need to use when configuring your DDNS client.
3. Update your domain information with your main DNS registrar (Verisign and RegisterFree) to tell them to direct queries for *.my-site.com to the DNS name servers of the DDNS provider.
4. Install a DDNS client on your web servers that continuously runs, only updating the DDNS provider's DNS servers with the most current DHCP IP address of the site whenever it detects a change.

Note: You should also be prepared for slower response times for your home-based site than if you were using a static IP and a regular DNS service.
Exercise-2:- This exercise illustrates how to install a DDNS client on your server.

All DDNS service providers require that you use a DDNS client on your web server that will periodically update the IP address information in your provider's DDNS record. DDclient, a very popular one, now comes in RPM format.

DDNS Client Software - Linux DDclient

One of the most commonly used clients is DDclient, which can overcome the NAT limitations of DDNS by actually logging into your SOHO firewall to determine the latest IP address information. Like most RedHat and Fedora Linux software products, DDclient is available in the RPM format. You can usually download the software from your DDNS provider, or you can find it at rpmfind.net. The RPM name usually starts with ddclient followed by a version number, as in ddclient-3.6.3-1.noarch.rpm.

The /etc/ddclient.conf file

The ddclient.conf file is usually installed completely commented out, but provides many configuration examples for the most popular DDNS providers. The most important general parameters to configure are:

    Username: Your DDNS account's login name
    Password: Your DDNS account's password
    Use: The method used to determine the IP address to advertise to the DDNS server

Some important DDNS provider parameters are:

    Server: The name of the DDNS provider's main DNS server
    Protocol: The methodology the DDNS client should use to communicate with the DDNS server
    Your domain: The domain to which your web server will belong

You can use the ddclient command to determine the best use parameter to use in the ddclient.conf file. In this example, only the use=web option gives a valid Internet IP address and should be considered as a first option:

    [root@root]# ddclient -daemon=0 -query
    use=if, if=lo address is 127.0.0.1
    use=if, if=wlan0 address is 192.168.1.100
    use=web, web=dyndns address is 97.158.253.26
    [root@root]#

Take a look at a sample configuration.
This example specifies a username of my-account-login-name and a password of my-account-password using the dyndns DDNS service provider's settings to track the Web site named mysite-example.dnsalias.com.

    # General Parameter Section
    login=my-account-login-name
    password=my-account-password

    # DDNS Provider Parameters Section
    server=members.dyndns.org, \
    protocol=dyndns2 \
    mysite-example.dnsalias.com

You can add one of the following use lines to the General Parameter Section near the top of the file to define the method that will be used to determine the correct IP address:

Query A Well Known Internet Server: The web method queries two well known servers run by DynDNS.org and DNSpark to determine the public Internet IP address of the web server running the DDclient software. This method is the simplest as it requires no further information and handles NAT correctly.

    use=web

Use The IP Address Of A Specific Server NIC: You can also use this option, which will query the IP address of the DDclient web server's NIC interface of your choice. This is probably most valuable for servers connected directly to the Internet, and not via NAT.

    use=if, if=eth0

Login To Your SOHO Firewall For Information: The ddclient.conf file has a list of use statements for various vendors' firewalls. If your model isn't listed, you can create your own parameters as outlined in the ddclient README file. This option is good for NAT environments where the "use=web" option isn't considered a good alternative.

After editing your configuration file you'll have to start ddclient as shown in the next section.
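As an added example (not the lab's own material and not part of ddclient), the following POSIX shell script does by hand what the choice of use= line above is about: it classifies each address from a constructed copy of the `ddclient -query` output as loopback, private (RFC 1918) or public, recommends the first method that yields a public address, and then writes a minimal ddclient.conf in the layout of the sample above. Because that file carries the account password, it is created with mode 0600 rather than the default 0644. The provider settings are the dyndns ones from the sample; the file path, login and password are placeholders.

```shell
#!/bin/sh
# Classify an IPv4 address the way a DDNS client must before advertising it:
# loopback and RFC 1918 ranges are not reachable from the Internet, so
# advertising one of them (use=if on a host behind NAT) publishes a useless record.
ip_scope() {
  ip=$1
  a=${ip%%.*}; rest=${ip#*.}
  b=${rest%%.*}
  case $a in
    127) echo loopback; return ;;
    10)  echo private; return ;;
    192) [ "$b" -eq 168 ] && { echo private; return; } ;;
    172) [ "$b" -ge 16 ] && [ "$b" -le 31 ] && { echo private; return; } ;;
  esac
  echo public
}

# Read lines shaped like "use=if, if=eth0 address is 1.2.3.4" on stdin and
# print the first use= setting whose address is public; fail if none is.
recommend_use() {
  while read -r line; do
    addr=${line##* }
    method=${line%% address is *}
    if [ "$(ip_scope "$addr")" = public ]; then
      echo "$method"
      return 0
    fi
  done
  echo "no public address found; consider the firewall-login use= options" >&2
  return 1
}

# Constructed sample of what `ddclient -daemon=0 -query` prints on a NATed host.
QUERY_OUTPUT='use=if, if=lo address is 127.0.0.1
use=if, if=wlan0 address is 192.168.1.100
use=web, web=dyndns address is 97.158.253.26'

# Write a minimal ddclient.conf: $1 path, $2 login, $3 password, $4 use line,
# $5 hostname. The file holds the account password, so it is created under
# umask 077 (mode 0600) in a subshell that leaves the caller's umask untouched.
write_ddclient_conf() {
  (
    umask 077
    cat > "$1" <<EOF
# General Parameter Section
$4
login=$2
password=$3

# DDNS Provider Parameters Section
server=members.dyndns.org, \\
protocol=dyndns2 \\
$5
EOF
  )
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
conf_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage (path, login and password are placeholders):
# USE_LINE=$(printf '%s\n' "$QUERY_OUTPUT" | recommend_use)
# write_ddclient_conf /tmp/ddclient.conf my-account-login-name my-account-password \
#   "$USE_LINE" mysite-example.dnsalias.com
```

On the sample output the recommendation is `use=web, web=dyndns`, matching the conclusion drawn from the query above; a host whose only addresses are loopback or private gets no recommendation, which is the case for the firewall-login methods.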
Exercise-3:- This exercise illustrates how to get DDclient started.

You can configure DDclient to start at boot time using the chkconfig command:

    [root@root]# chkconfig ddclient on

You can start, stop, and restart DDclient after boot time using the DDclient initialization script as in:

    [root@root]# service ddclient start
    [root@root]# service ddclient stop
    [root@root]# service ddclient restart

Remember to restart the ddclient process every time you make a change to the ddclient.conf file for the changes to take effect on the running process. You can test whether the ddclient process is running with the pgrep command; you should get a response of plain old process ID numbers:

    [root@root]# pgrep ddclient
Exercises for lab:

• Exercise 1:- Install Dynamic DNS client software.
• Exercise 2:- Configure DDNS client authentication.
Home Work:

1) What are the advantages of a dynamic DNS server?
References: www.linuxhomenetworking.com.