Network Operating Systems Lab Manual Javid Ali


Page 1: 22759431 Network Operating Systems Lab Manual

Network Operating Systems

Lab Manual

Javid Ali


The Practice of Knowledge

Department of Computer Science

COMSATS Institute of Information Technology

Abbottabad


Network Operating Systems

Lab Manual

Javid Ali

Tahir Maqsood


TABLE OF CONTENTS

Lab No. 01: Linux Basic Installation ............................................................................................................... 6

Lab No. 02: Linux shell and Basic shell commands ..................................................................................... 19

Lab No. 03: Command Line File Manipulation ............................................................................................ 23

Lab No. 04: Command Line File processing ................................................................................................ 28

Lab No. 05: Command line Text Editors (Vim) ............................................................................................ 34

Lab No. 06: Managing the file system ........................................................................................................ 39

Lab No. 07: Command line Process Management ...................................................................................... 44

Lab No. 08: Basic Bash Scripting, writing and executing bash scripts ........................................................ 48

Lab No. 09: Advance Bash Scripting 1 .................................................................................................... 51

Lab No. 10: Advance Bash Scripting 2 ........................................................................................................ 54

Lab No. 11: Introduction to gcc .................................................................................................................. 57

Lab No. 12: Linux Networking 1 ................................................................................................................. 62

Lab No. 13: Linux Networking 2 .................................................................................................................. 65

Lab No. 14: Network troubleshooting ....................................................................................................... 69

Lab No. 15: Installing Linux Software .......................................................................................................... 83

Lab No. 16: Linux Boot Process .................................................................................................................. 89

Lab No. 17: Configuring Linux DHCP Server ............................................................................................... 93

Lab No. 18: Managing Linux Users and sudo ............................................................................................. 97

Lab No. 19: Configuring Samba ................................................................................................................ 101

Lab No. 20: Sharing Resources using samba ............................................................................................ 107

Lab No. 21 Linux firewalls using iptables .............................................................................................. 111

Lab No. 22: Configuring Linux FTP Server ................................................................................................ 120

Lab No. 23: Telnet and TFTP and XINETD................................................................................................. 126

Lab No. 24: Web Hosting With the Apache Web Server .......................................................................... 131


Lab No. 25: Monitoring Server Performance ............................................................................................ 134

Lab No. 26: Network Based Linux Installation .......................................................................................... 148

Lab No. 27: Remote Disk Access with NFS ................................................................................................ 159

Lab No. 28: Controlling Web Usage with Squid ....................................................................................... 168

Lab No. 29: DNS Configuration 1.............................................................................................................. 173

Lab No. 30: DNS Configuration 2.............................................................................................................. 177

Lab No. 31: DNS Configuration 3.............................................................................................................. 182

Lab No. 32: Dynamic DNS ......................................................................................................................... 185


Lab No. 01: Linux Basic Installation

Objective:

This lab provides a basic step-by-step installation of the Linux operating system. A simple approach has been adopted out of the many ways available for different configurations.

Scope:

On completing this exercise, the students will be able to:

• Install the Linux operating system

• Create and manage Linux disk partitions

• Configure different system resources during installation

• Select packages during installation

Useful Concepts:

Partition

• A space on the hard disk set aside as a separate disk, with its own filesystem

Mount point

• A logical location in a file system that provides a link to another file system

Package

• An application that can be installed on a UNIX/Linux system.

Boot loader

• A small program that runs at system boot and starts an operating system

Exercise-1:- This exercise demonstrates the step-by-step installation of the Linux operating system. The procedure is shown in Figure 1 – Figure 19 as follows:

• in the boot screen, press Enter

• in the installation welcome screen, click Next

• in the language selection screen, click Next

• in the keyboard configuration screen, click Next

• in the installation type screen, choose Server and click Next

• in the disk partitioning screen, you can select one of the following options:

  ◦ remove all Linux partitions

  ◦ remove all partitions on this disk

  ◦ keep all partitions and use free space

If you choose manual partitioning, select the free space and create the following partitions:

Mount Point   Size (MB)                  Filesystem Type

/boot         200                        ext3

--------      (size of RAM) * 2          swap

/             all available free space   ext3

Then click Next and continue:


• in the partition warning screen, click Yes

• in the partition removal screen, click Next

• in the partitioning removal warning screen, click Yes

• in the disk setup screen, click Next

• in the boot loader screen, click Next

• in the network configuration screen, click Next

• in the firewall configuration screen, click Next

• in the time zone selection screen, choose Asia/Riyadh

• in the root password screen, enter the root password (min. 6 characters), confirm it and click Next

• in the package group selection screen, you can select different packages to install. Packages are grouped in different categories. Choose the packages of your choice to install. The Server group has server packages like apache, dhcp, squid etc. If you did not select the server installation option in step five, this is your chance to select the servers of your choice. After selecting packages, click Next to go to the next screen

• in the about to install screen, click Next

• in the installation status screen, wait while files are installed

• in the installation complete screen, take out the DVD and click Reboot

Figure 1. Fedora Core boot screen.

Figure 2. Fedora Core installation welcome screen.

Figure 3. Language selection screen.

Figure 4. Keyboard configuration screen.

Figure 5. Installation type screen.

Figure 6. Disk partitioning screen.

Figure 7. Partition warning screen.

Figure 8. Partition removal screen.

Figure 9. Partitioning removal warning screen.

Figure 10. Disk setup screen.

Figure 11. Boot loader screen.

Figure 12. Network configuration screen.

Figure 13. Firewall configuration screen.

Figure 14. Time zone selection screen.

Figure 15. Root password screen.

Figure 16. Package group selection screen.

Figure 17. About to install screen.

Figure 18. Installation status screen.

Figure 19. Installation complete screen.

Exercises for lab:

Exercise 1:- The actual configuration of the system is left to your discretion except for those particular sections of the installation for which specific directions are given. Record every configuration at each step in your notebook, clearly enough to allow someone else to follow your installation steps exactly.

Home Work:

1) List any problems you had during the installation process, and their solutions. Also, answer the following questions:

• Why did you put /boot in the first location of the hard drive and force it to be a primary partition?

• What is the advantage of using different partitions for different sections of the filesystem?

• Specifically describe the critical difference between the partitions /dev/hda1 and /dev/hda5.

• Why don’t you want to use root as the regular login on your machine?

2) How can shadow passwords, when enabled, help in security?


To understand the Linux Commands

Lab 02: Linux shell and Basic shell commands


Lab No. 02: Linux shell and Basic shell commands

Objective:

To introduce the student to Linux's most popular command line shell, bash. This lab will cover basic commands used in Unix/Linux.

Scope:

On the completion of this lab, you will be able to:

• Describe the bash and its features.

• Understand the bash environment.

• Use some frequently-used commands in the UNIX/Linux environment.

Useful Concepts:

Shell

• A piece of software that provides an interface for users.

• Typically, an operating system shell, which provides access to the services of a kernel.

• Shells generally fall into one of two categories:

i. command-line

ii. graphical

• Bash (Bourne-again shell) is the default shell on most systems built on top of the Linux kernel as well as on Mac OS X, and it can be run on most Unix-like operating systems.

Terminal

An instance of a shell that provides an interface for the user to enter commands and run processes

Shell Prompt

• Location in the terminal where you can enter commands.

• Represented by $ or >

Root directory

/ is the primary directory where all other directories reside.

Mount point

The location in the operating system's directory structure where a mounted file system appears

Package

Computer software packaged in an archive format to be installed by a package management system or a

self-sufficient installer

Boot loader

The small program that starts loading the OS into RAM, also known as a bootstrap loader, bootstrap or boot loader


Exercise-1:- This exercise illustrates how to view the contents of a directory and move around the file system.

To get a listing of the directory contents, type:

ls

For a long view of the listing with time stamps, file permissions and file ownerships type:

ls -l

To move to directory-name directory type:

cd directory-name

To go to the /etc directory you simply type

cd /etc

To go one step back type:

cd ..

To go to user's home directory, type:

cd ~

To display the path of the directory you are currently working in, type:

pwd

At any point, pressing the TAB key after typing a few characters at the bash prompt will make bash fill in the rest of the file or directory name that matches what you have typed. If there is more than one match, press the TAB key twice and bash will list all the matches.

Exercise-2:- This exercise illustrates how to clear the screen and display the history of commands already used in the shell.

If you want to see the list of all commands you have used in the shell, type:

history

To clear the terminal screen, type:

clear

Exercise-3:- This exercise illustrates how to display or change the system date and display the calendar of different months and years.

To display calendar of the current month type:

cal

To display calendar of the prev/current/next month type

cal -3

To display weeks that start on Monday, type:

cal -m

To display calendar of March 1988, type:

cal 03 1988

To display current system date, type:

date

To change the date to Thu Mar 3 23:05:25 2009, type:

date -s "Thu Mar 3 23:05:25 2009"


Exercise-4:- This exercise illustrates how to get help about a command and how to locate instances of a command:

To go to manual page of a command, say ls, type:

man ls

To get information about command usage, say ls, type:

info ls

To report all known instances of a command, e.g. ls, type:

whereis ls

To locate a program file in the user's path, type:

which command_name

Exercise-5:- This exercise illustrates the use of miscellaneous commands:

To print system name, type:

hostname

To set host name to mylinuxbox@linuxserver, type:

hostname mylinuxbox@linuxserver

To display the Linux kernel release (part of the system information), type:

uname -r

To print all usernames currently logged in, issue the following command.

who

To print the name of the current user, type

whoami

Exercises for lab:

Exercise 1:- Open a shell and practice all the commands given above. Use the man command to explore the manual page of each command and then try these commands with different options. Note the effect of the options on the output.

Home Work:

1) Write a note on the Linux shell.

2) Compare the bash shell with the C shell and the Korn shell. What new features were added to the bash shell?


To understand the File Manipulation using shell.

Lab 3: Command Line File Manipulation


Lab No. 03: Command Line File Manipulation

Objective:

To familiarize the students with basic file and directory management using the shell.

Scope:

Students will be able to perform the following tasks at the end of this lab:

• The Working Directory

• Listing Directory Contents

• Viewing Files

• Copying Files

• Moving and Renaming Files

• Searching for Files by File Name & by Content

• Creating Directories & Subdirectories

• Creating Symbolic Links

Useful Concepts:

Working Directory

• A special directory remembered by the shell, interpreted as the directory you are currently “in”.

• Important for situations where relative paths are in use.

Symbolic link

• A symbolic (or soft) link is an indirect reference to a file, similar to an “alias” in Mac OS or a “shortcut” in Windows.

Meta characters

• Characters having special meaning to the shell.

• Wildcards are meta characters that can represent different characters in a string.

Following are some special characters with a brief description:

Character   Function                                                    Examples

\           Escape character. If you want to reference a special        touch /tmp/filename\*
            character, you must “escape” it with a backslash first.

/           Directory separator, used to separate a string of           /usr/src/linux
            directory names.

.           Current directory. Can also “hide” files when it is the     .htaccess
            first character in a filename.

..          Parent directory                                            cd ..

~           User's home directory                                       cd ~

*           Represents 0 or more characters in a filename, or by        More details in next section
            itself, all files in a directory.

?           Represents a single character in a filename.                hello?.txt can represent hello1.txt,
                                                                        helloz.txt, but not hello22.txt

[ ]         Can be used to represent a range of values, e.g. [0-9],     hello[0-2].txt represents the names
            [A-Z], etc.                                                 hello0.txt, hello1.txt, and hello2.txt

;           Command separator. Allows you to execute multiple           cd /var/log ; less messages
            commands on a single line.

Exercise-1:- This exercise illustrates how to view the contents of a file.

To view file contents on the shell console, type:

cat filename

To merge the contents of two or more files and display them on screen, type:

cat file1 file2 file3 ...

To display a screenful of the file's text on the terminal at a time, type:

more filename

To display file contents a screenful at a time with page-up and page-down options, type:

less filename

To view the first k lines of the file, type:

head -n k filename

e.g., to display the first 5 lines of the file myfile on the terminal, type:

head -n 5 myfile

To display the last 5 lines of the file myfile on the terminal, type:

tail -n 5 myfile

Exercise-2:- This exercise illustrates the procedure for the file copy, move, rename and delete commands.

To copy a file to the same directory with a different name, type:

cp source_file_name destination_file_name

To copy a file to a different directory, e.g. from /home/cs to /root, type:

cp /home/cs/myfile /root/myfile

To move a file to a different destination, type:

mv source destination

To rename a file, type:

mv oldname newname

To delete a file from the current directory, type:

rm filename

To delete a file in a different directory, give the file name with its full path, like:

rm /home/cs/myfile

To delete an empty directory, type:

rmdir directory_name

To delete a non-empty directory, type:

rm -r directory_name

To delete a file forcefully, type:

rm -f file_name

Exercise-3:- This exercise illustrates how to search for files and file types.

To search for a file across the entire disk, the locate command is used. Type:

locate filename

To search for a file in a particular directory and its subdirectories, use the find command. Type:

find directory_name -name filename

To find a specific file, say myfile.txt, in the current directory and its subdirectories, use the find command. Type:

find . -name myfile.txt -print

To search for all files whose names begin with the characters com, starting in the directory /home, type (the pattern is quoted so that the shell does not expand the * itself before find sees it):

find /home -name 'com*' -print

To search for a file based on the file's content instead of its name, use the grep command. To search all files in the current directory for the string students, type:

grep students ./*

To search all files in the current directory for strings starting with stu and ending with nts, type (in a regular expression, .* stands for any sequence of characters):

grep 'stu.*nts' ./*

To find out whether a file is a binary file, an executable file, a regular text file etc., type:

file filename
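As an added example (not from the lab manual), the script below builds a throw-away directory of constructed files and runs the find and grep searches of this exercise over it. It shows why the name pattern handed to find must be quoted and why the regular expression for "starting with stu and ending with nts" is stu.*nts rather than stu*nts (which means "st, zero or more u, then nts" and does not match "students"). The file names, their contents and the function names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the lab manual. Builds a throw-away directory
# tree with constructed files, then searches it the way Exercise-3 does.

# Create the fixture and print its path. Every file here is constructed.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/notes" "$root/src"
    printf 'list of students\n'  > "$root/notes/com_list.txt"
    printf 'nothing here\n'      > "$root/notes/readme.txt"
    printf 'students enrolled\n' > "$root/src/compile.log"
    printf 'stu and nts apart\n' > "$root/src/other.log"
    printf '%s' "$root"
}

# Count files under $1 whose names begin with $2. The pattern reaches find
# quoted ("$2*"), so the shell does not expand the * against the current
# directory first; an unquoted 'find /home -name com*' would do exactly that.
count_by_prefix() {
    find "$1" -type f -name "$2*" | wc -l | tr -d ' '
}

# Count files under $2 whose contents match the regular expression $1.
# grep exits 1 when nothing matches; piping into wc keeps the function's
# exit status at 0 so it is safe to call under 'set -e'.
count_by_content() {
    grep -rl -- "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Walk through the searches and print the counts for the reader.
demo() {
    root=$(make_fixture)
    echo "names starting with com:   $(count_by_prefix "$root" com)"
    # 'stu.*nts' = stu, then anything, then nts: what the exercise means
    echo "content matching stu.*nts: $(count_by_content 'stu.*nts' "$root")"
    # 'stu*nts' = st, zero or more u, then nts: "students" does NOT match
    echo "content matching stu*nts:  $(count_by_content 'stu*nts' "$root")"
    rm -rf "$root"
}

demo
```

Running it prints 2 for the name search (com_list.txt and compile.log), 3 for stu.*nts (every file except readme.txt) and 0 for stu*nts, which is the cheapest way to see that the unquoted, un-dotted pattern in the original command line does not search for what the sentence describes.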

Exercise-4:- This exercise illustrates how to create files or directories and change timestamps.

To create an empty file, use the touch command. Type:

touch myfile.txt

To create three files, type:

touch file1 file2 file3

To change the time of last modification of the file myfile to 12/04/2009 (read as 12 April 2009), type:

touch -d 2009-04-12 myfile

To create a directory, type:

mkdir directory

To create a directory along with the missing directories in its path, type:

mkdir -p /home/cs/assignments/assignment1

To create a symbolic link from your desktop to a file in the cs folder of your home directory, type:

ln -s ~/cs/friends ~/Desktop/friends

Exercises for lab:

Exercise 1:- Write shell commands to carry out the following tasks:

• Add a directory named testdir to the path /home/users/path/

• Create a file named testfile in the testdir directory

• Change the creation date and modification date of the directory to 16/03/1983

• Create a symbolic link from your desktop to testfile

Home Work:

Carry out the following exercises and submit your documented work.

1) Create the directory /home/zahid/assignment/assignment1 while your current working directory is /home, using a single shell command.

2) Create files with the following names

• assign.doc

• assigns.doc

• assign.txt

• quiz.txt

• quiz.cpp

3) Write a command to rename assign.doc file to assignment.doc

4) Delete all files with extension .txt using shell command.

5) Display all file names starting with ‘as’.


To understand file processing using the terminal or command line shell

Lab 04: Command Line File processing


Lab No. 04: Command Line File processing

Objective:

To familiarize students with directory level and file level security, and with compressing and archiving techniques.

Scope:

On the completion of this lab, students will be able to:

• Understand file types used in LINUX system.

• View and modify file access permission.

• Change the ownership of files and directories

• Create backup for critical files using archives

Useful Concepts:

Access Permissions

• The ability of a user to access a file or directory.

• Three general types of permissions are read permission, write permission and execute permission.

File owner

• The user of the system to whom the file belongs.

Archive

• A collection of contents (files or directories) for backup purpose.

Compression

• A technique used for reducing the size of a file or a directory without affecting its contents.

Exercise-1:- This exercise shows which types of files are used in Linux and how to find out a file's type.

Linux treats each device as a file. There are many types of file that are used in Linux. Use the ls -l command to find the type of a file. For example:

javidali@JLaptop:/dev$ ls -l

crw-rw----+ 1 root audio    14,  4 2009-04-28 07:01 audio
drwxr-xr-x  3 root root         60 2009-04-28 12:01 bus
crw-------  1 root dialout   5,  1 2009-04-28 07:01 console
lrwxrwxrwx  1 root root         11 2009-04-28 07:01 core -> /proc/kcore
srw-rw-rw-  1 root root          0 2009-04-28 07:01 log
brw-rw----  1 root disk      8,  1 2009-04-28 12:01 sda1

javidali@JLaptop:/dev$

In this example, the first character in each row, i.e. the first column, represents the file type. The following table shows the file types, their representation symbols and a short description.

Symbol   File type         Description

-        Regular files     text file, Postscript, graphics files, Hypertext (HTML), video file etc

d        Directories       Files that act as containers for other files

b        Block files       Files that are used for block (parallel) devices. Data from such devices are read or written in blocks.

c        Character files   Files that are used for character (serial) devices. Data from such devices are read or written character by character.

l        Symbolic links    Shortcuts to other files or directories

s        Socket files      Files that are used in communication

Regular files other than text files can be explored by using an appropriate program, as indicated in the

table below. Follow the command with the name of the file to view it or omit the file name and select the

file from the menu once the program is running.

File Type Application Name Command for the application

Postscript gv (based on GhostView) gv

Portable Document Format (PDF) Adobe Acrobat Reader acroread

Image files XV xv

Image files The Gimp gimp

LaTeX output (DVI) xdvi xdvi

Hypertext (HTML) Netscape Netscape

MP3 and MPEG gtv gtv

Exercise-2:- This exercise demonstrates how to view and change the access permissions of a file.

We noticed in Exercise-1 that the ls -l command presents a long listing with a line like the following for each file:

-rw-r--r-- 1 root javidali 0 2009-04-28 08:26 newfile.txt

Here the first character in the first column (-) indicates that the file is a normal file. The next 9 characters indicate the access permissions for the file and are divided into 3 groups of 3 characters. The purpose of these characters is as under:

• (-) represents no permission

• (r) represents 'read' permission

• (w) represents 'write' permission

• (x) represents 'execute' permission

The three groups represent the user (owner of the file), the group (to which the owner belongs) and others (any other user of the system) respectively.

The three characters in each group are for 'read', 'write' and 'execute' permission respectively.

In our example, the owner has 'read' and 'write' permission for the file and everyone else has only read permission.

For a normal file, read, write and execute permissions are obvious.

For a directory, read permission means that one can read the contents of the directory and write permission means that one can create new entries in the directory. Execute permission means that one can search in (traverse) the directory but not read from or write to the directory.

You can use the chmod command to change the access permissions of a file or a directory. To specify permissions for a file with chmod, either of the following two methods can be used.

• use a symbolic mode

• use an octal mode

Symbolic mode uses a combination of the following symbols:

Symbol Meaning

u User

g Group

o Other

a All (equals to ugo)

+ Add a permission

- Remove (take away) a permission

r Read permission

w Write permission

x Execute permission

For example, if the current working directory has these files:

javidali@JLaptop:~$ ls -l

-rwxr-xr-x 1 root     root         955 2009-04-21 08:07 arithmatics.sh
-rw-r--r-- 1 javidali javidali     130 2009-04-19 05:29 boidata.txt
drwxr-xr-x 2 javidali javidali    4096 2009-04-08 19:56 Desktop
drwxr-xr-x 2 javidali javidali    4096 2009-03-12 14:30 Documents
-rwx------ 1 javidali javidali  512000 2009-03-24 18:00 install_v10.70.2.3.tar
-rw-r--r-- 1 javidali javidali     750 2009-04-28 08:42 lsresults.txt
-rwxrwxrwx 1 root     root         207 2009-04-10 15:55 myscript.sh
-rw-rw-rw- 1 root     root         208 2009-04-10 15:55 myscript.sh~
-rw-r--r-- 1 student  cs             0 2009-04-28 08:26 newfile.txt

javidali@JLaptop:~$

Then, to give write permission to the group and read permission to others for all files in the current directory, type the command

javidali@JLaptop:~$ chmod g+w,o+r *

Now look at the permissions again:

javidali@JLaptop:~$ ls -l

-rwxr-xr-x 1 root     root         955 2009-04-21 08:07 arithmatics.sh
-rw-r--r-- 1 javidali javidali     130 2009-04-19 05:29 boidata.txt
drwxr-xr-x 2 javidali javidali    4096 2009-04-08 19:56 Desktop
drwxr-xr-x 2 javidali javidali    4096 2009-03-12 14:30 Documents
-rwx-w-r-- 1 javidali javidali  512000 2009-03-24 18:00 install_v10.70.2.3.tar
-rw-rw-r-- 1 javidali javidali     750 2009-04-28 08:42 lsresults.txt
-rwxrwxrwx 1 root     root         207 2009-04-10 15:55 myscript.sh
-rw-rw-rw- 1 root     root         208 2009-04-10 15:55 myscript.sh~
-rw-rw-r-- 1 student  cs             0 2009-04-28 08:26 newfile.txt

javidali@JLaptop:~$

Then, to take away the read and write permissions from the owner of the file myscript.sh, from the owner's group and from all other users, type the command

javidali@JLaptop:~$ chmod a-rw myscript.sh

The result is:

javidali@JLaptop:~$ ls -l myscript.sh

---x--x--x 1 root root 207 2009-04-10 15:55 myscript.sh

Often your home directory holds important documents and access to it needs to be restricted. If you want to take all three access permissions away from everyone but the user, use the command:

javidali@JLaptop:~$ chmod go-rwx ~

Octal mode uses the same symbols for user, group and other, but for the access permissions it uses octal numbers.

Permission Octal Number Equivalent symbol

Read 4 r--

Write 2 -w-

execute 1 --x

If two or more permissions are to be set, the octal numbers are added together. For example, r-x is equivalent to 4+1=5 and rw-r--r-- is equivalent to 644. Now, for example, to give read, write and execute permission to the user, write permission to the group and read permission to others for the file myscript.sh, type the command

javidali@JLaptop:~$ chmod 724 myscript.sh

Here is the result: -rwx-w-r-- 1 root root 207 2009-04-10 15:55 myscript.sh

To secure your home directory from everyone but the user, use the command:

javidali@JLaptop:~$ chmod 700 ~
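As an added example, not part of the lab manual, the script below ties the file-type column of Exercise-1 and the permission tables of this exercise together: it reads a file's type and its nine permission characters from ls -ld, converts the rwx string into the octal number of the table above (r=4, w=2, x=1 per group), and applies the manual's chmod commands (g+w,o+r, 724, go-rwx) to a scratch copy of myscript.sh, reporting the permissions after each step. The scratch file lives in a temporary directory and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the lab manual. Reads a file's type and
# permission string from 'ls -ld', converts the rwx string to the octal
# form of the permission table, and exercises both chmod forms on a
# constructed scratch file.

# First character of the long listing: the file type column.
file_type_name() {
    case $(ls -ld "$1" | cut -c1) in
        -) echo "regular file" ;;
        d) echo "directory" ;;
        b) echo "block device" ;;
        c) echo "character device" ;;
        l) echo "symbolic link" ;;
        s) echo "socket" ;;
        p) echo "named pipe" ;;
        *) echo "unknown" ;;
    esac
}

# Characters 2-10 of the long listing: the nine permission characters.
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Convert a nine-character string such as rwxr-xr-x to octal (755) by
# adding r=4, w=2, x=1 within each of the three groups. In the x position,
# s and t (setuid/setgid/sticky plus execute) count as execute; S and T
# (special bit without execute) do not. The special bits themselves are
# not reported by this function.
to_octal() {
    out=""
    for start in 1 4 7; do
        group=$(printf '%s' "$1" | cut -c"$start"-$((start + 2)))
        n=0
        case $group in r??) n=$((n + 4)) ;; esac
        case $group in ?w?) n=$((n + 2)) ;; esac
        case $group in ??[xst]) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s' "$out"
}

# Apply the manual's chmod commands to a constructed file and report the
# permissions after each step, so the symbolic and octal forms can be compared.
demo_chmod() {
    dir=$(mktemp -d)
    f="$dir/myscript.sh"
    : > "$f"
    chmod 644 "$f"               # start from rw-r--r-- like the listing
    chmod g+w,o+r "$f"           # symbolic: group gains write -> rw-rw-r--
    after_symbolic=$(to_octal "$(perm_string "$f")")
    chmod 724 "$f"               # octal: 7=rwx user, 2=-w- group, 4=r-- others
    after_octal=$(perm_string "$f")
    chmod go-rwx "$f"            # strip every permission from group and others
    after_lockdown=$(to_octal "$(perm_string "$f")")
    rm -rf "$dir"
    printf '%s %s %s' "$after_symbolic" "$after_octal" "$after_lockdown"
}

echo "type of /dev/null: $(file_type_name /dev/null)"
echo "after g+w,o+r / 724 / go-rwx: $(demo_chmod)"
```

The second line of output reads "664 rwx-w-r-- 700": the symbolic step adds to whatever was there, while the octal step replaces all nine bits at once, which is why 724 is the safer form when you want a known final state rather than a relative change.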

Exercise-3:- This exercise shows how to view and change the ownership of a file

The ls -l command can be used to view the owner of a file. For example, to find out who is the owner of the file newfile.txt, issue the following command.

student@JLaptop:~$ ls –l newfile.txt

---x--x--x 1 student cs 207 2009-04-10 15:55 newfile.txt

Here the column next to the number '1' shows that 'student' is the owner of this file, and the next column indicates that the group of this owner is 'cs'.

Use the chown command to change the owner of a file. For example, to change the owner of the file 'newfile.txt' from student to root, issue the following command (changing ownership requires root privileges, hence sudo).

javidali@JLaptop:~$ sudo chown root newfile.txt

The result is:

javidali@JLaptop:~$ ls –l newfile.txt

---x--x--x 1 root cs 207 2009-04-10 15:55 newfile.txt

Note that you have to change the group of the owner as well; for example, to change the owner and group of the file 'newfile.txt' both to root, try the following command.

javidali@JLaptop:~$ sudo chown root:root newfile.txt

The effect will be like:

javidali@JLaptop:~$ ls –l newfile.txt

---x--x--x 1 root root 207 2009-04-10 15:55 newfile.txt

Exercise-4:- This exercise describes ways to compress and uncompress files and to make archives of files for backup purposes.

Among the many utilities available for archiving and compression are tar and gzip. tar is an archiving utility while gzip is used to compress files. Compressed files can be restored to their original form using gzip -d, gunzip or zcat. Now, for example, to back up the 'mydata' directory inside the home directory of user 'student', we first archive the directory and then compress the archive file. The steps are:

javidali@JLaptop:~$ sudo tar -cvf backup.tar /home/student/mydata/

/home/student/mydata/.synaptic/

/home/student/mydata/.synaptic/options

.

.

/home/student/mydata/DriverInstall/sk98lin.tar.bz2

/home/student/mydata/Music/

javidali@JLaptop:~$

We can find that the mydata directory and the backup.tar file both have the same size. To reduce this size we have to compress the archive. Here is the command:

javidali@JLaptop:~$ gzip backup.tar

Output of this command is a file named backup.tar.gz

To uncompress the file again, issue the command

javidali@JLaptop:~$ gzip -d backup.tar.gz

Or

javidali@JLaptop:~$ gunzip backup.tar.gz

Or you can use the tar command to uncompress and extract the contents of the file in one step. An example is:

javidali@JLaptop:~$ tar -xzf backup.tar.gz

Here the -z switch invokes gzip from within the tar command, the -x switch extracts the contents and the -f switch names the archive file.

To list the contents of an archive, use the -t switch with the tar command:

javidali@JLaptop:~$ tar -tf backup.tar

And to extract the contents of the archive, issue the following command.

javidali@JLaptop:~$ tar -xvf backup.tar
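As an added example, not from the lab manual, the script below runs the whole backup cycle of this exercise on a constructed mydata directory: it creates the gzip-compressed archive, lists its members with -t before touching them, restores into a separate directory and compares the restored files with the originals byte for byte. The directory contents, the restore location and the function name are constructed for the demonstration; -C is tar's option for changing directory before archiving or extracting.

```shell
#!/bin/sh
# Added example, not part of the lab manual. Archives a constructed
# directory with tar+gzip, lists the archive, restores it elsewhere and
# checks the restored files against the originals.

backup_and_verify() {
    work=$(mktemp -d)
    mkdir -p "$work/mydata/Music"
    printf 'alpha\n' > "$work/mydata/a.txt"        # constructed content
    printf 'beta\n'  > "$work/mydata/Music/b.txt"  # constructed content

    # -c create, -z gzip, -f archive name. -C changes into $work first so
    # the archive stores relative paths (mydata/...) rather than absolute
    # ones; a later extraction then lands where -C points and nowhere else.
    tar -czf "$work/backup.tar.gz" -C "$work" mydata

    # -t lists the members without extracting: inspect an archive's paths
    # before you restore it, especially one you did not create yourself.
    entries=$(tar -tzf "$work/backup.tar.gz" | wc -l | tr -d ' ')

    # -x extracts, here into a separate restore directory.
    mkdir "$work/restore"
    tar -xzf "$work/backup.tar.gz" -C "$work/restore"

    # A backup is only as good as its restore: compare every file.
    if cmp -s "$work/mydata/a.txt" "$work/restore/mydata/a.txt" &&
       cmp -s "$work/mydata/Music/b.txt" "$work/restore/mydata/Music/b.txt"; then
        status=ok
    else
        status=mismatch
    fi
    rm -rf "$work"
    printf '%s %s' "$entries" "$status"
}

echo "archive members and restore check: $(backup_and_verify)"
```

The archive lists four members (mydata/, mydata/a.txt, mydata/Music/, mydata/Music/b.txt) and the restore check prints ok; the same listing step is what you would use to confirm the relative paths before extracting an archive received from elsewhere.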

Exercises for lab:

Exercise 1:- Change the access permissions of the home directory of your login user to match drwxr-xr-x, using both symbolic mode and octal mode.

Exercise 2:- Create a file and modify its access permission so that the file can be executed by user, group

and others besides its current permission setting.

Exercise 3:- Create and archive and add all subdirectories of your home directory to that archive.

Home Work:

1) Search the manual pages of the utilities gzip and tar and write a procedure to add files and directories

to an existing archive.

2) Write a note on the advantages of file level security in operating systems.

3) Why do we often compress files before adding to an archive?

To understand the command line editors

Lab 05: Command line Text Editors (Vim)

Lab No. 05: Command line Text Editors (Vim)

Objective:

To enable students to use command line editors for editing text files. On completing this lab, students will

have sufficient knowledge of vim / vi and its features for their daily tasks.

Scope:

On the completion of this lab, you will be able to:

• Start the editor, move the cursor around and exit the editor.

• Work in command mode.

• Copy, cut and paste text.

• Format a program and check source code.

• Search Character/string.

• Recover Your Work.

Useful Concepts:

vi

• A screen-based editor used by many UNIX users.

• Has powerful features to aid programmers.

Editing modes

The editor operates in one of two editing modes.

• Insert mode

User can type text in this mode

• Command mode

User can use commands for operation on the file. (e.g. saving, exiting, searching, etc)

Text Buffers in VI

• There are 36 named buffers and also a general purpose buffer for temporary storage of text.

When a block of text is cut from the file it is placed into the general purpose buffer but, if

specified, the block of text can also be stored in a named buffer. Buffers are named from a to z

and from 0 to 9.

Exercise-1:- This exercise illustrates how to start the editor, move the cursor around and exit

from the editor.

To start the editor from command line, type

vi

An empty file will be opened in the editor. If you want to open an existing file in the editor, type

vi filename

To switch to 'Insert' mode, press:

i key

The -- INSERT -- indicator at the bottom of the screen shows that you are in insert mode, and your cursor

will start blinking. Pressing

a

in command mode also switches to insert mode, with the text you type inserted after the current cursor position.

To move the cursor around while you are in command mode, press:

h key: move left
l key: move right
k key: move up
j key: move down

You can also use the arrow keys while in insert mode to do the same.

To switch back to command mode, press

Escape key

While in command mode, line-oriented (ex) commands such as the following are preceded by a colon ":"

To exit the editor without saving changes made to the file, switch to command mode and type,

:q!

To save changes and exit the editor, switch to command mode and type the command,

:wq

Where "w" is for writing changes to the file and "q" is to quit or exit the editor

Exercise-2:- This exercise illustrates how to work in command mode in the vi editor.

Press the Escape key to switch to command mode, then practice the following commands and observe the

results.

To replace one character under the cursor, type:

r

To undo the last change to the file, type (typing u again will redo the change):

u

To delete the character after the current cursor position, type:

x

Exercise-3:- This exercise illustrates how to copy, cut and paste text.

To cut text from the file, type,

d

to cut multiple characters, type:

NUMd

where NUM is the number of characters to cut.

to cut the whole line type:

dd

To cut from the current cursor position to the beginning of the line, type:

d^

To cut from the current cursor position to the end of the line, type:

d$

To cut from the current cursor position to the end of the word, type:

dw

To cut three lines from the current cursor position downwards, type:

3dd

The y (yank) command works in the same way as the d command, but it only copies the text instead of cutting it.

To paste the buffer after the cursor position, type:

p

to paste the buffer before the cursor position type:

P

To paste the text for the specified number of times, say 3, before the cursor position, type:

3P

Exercise-4:- This exercise illustrates how to format a program and check source code for

correctness.

You can use the shiftwidth (sw) variable to set the indentation for each level of nesting in code.

To set the shift width to 4 characters, type:

:set sw=4

To shift the current line one shift width to the left, type:

<<

To shift the current line three shift widths to the right, type:

3>>

To check for a matching parenthesis or brace in your code, place the cursor on a parenthesis or brace and

type:

%

Exercise -5:- This exercise illustrates how to search for a character or string in a file using vi.

To search forwards in the file for a string, say "comsats", type:

/comsats

To search backwards in the file for a string, say "comsats", type:

?comsats

To repeat the previous search in the same direction, type:

n

To repeat the previous search in the opposite direction, type:

N

To search special characters in the file, type a backslash (\) before the character.

Some special characters that are used in search expression and their meaning:

^ Beginning of the line. (At the beginning of a search expression)

. Matches a single character

* Matches zero or more of the previous character.

$ End of the line, (At the end of the search expression)

[ ] Starts a set of matching characters, or of non-matching characters when the set begins with ^. For

example, /f[iae]t matches any of fit, fat and fet, while /a[^bcd] matches an a followed by any character

other than b, c or d, so it does not match ab, ac or ad.

\< \> Word boundaries: escaped with the backslash in an expression, they find the beginning or end of a

word. For example, /\<the\> finds only the word the, but not words like there and other.

There are two sets of commands for character search within a line: f and F, and t and T.

To search forwards within the current line for a character, say 'j', type:

fj

Or

tj

To search backwards within the current line for a character, say 'j', type:

Fj

Or

Tj

The ; and , commands can be used to repeat these character searches:

; repeats the last character search command in the same direction,

, repeats it in the reverse direction.

Exercise -6:- This exercise illustrates how to recover your work.

The vi editor keeps a temporary copy of the file being edited, and when you save your work it writes the

contents of the temporary copy into the original file. If the editor is closed accidentally during editing, vi

will attempt to preserve your work so that you can recover it later.

To recover the file named myfile, start the editor with the -r option for recovery:

vi -r myfile

and then save the recovered file.

Note: The -r option only works once per failed vi session.

Exercises for lab:

Exercise-1: Open a file in the vi editor and practice all the commands given below.

^B ^D ^F ^H ^J ^M ^N ^P ^U $ % ^ ( ) { } | + - _ 0 B E G H L M W b e h j k l w

Note the effect of each command on the text.

Home Work:

1) Practice the following cursor movement commands and write a note on them:

^E ^Y z C

2) Practice the following text replacement commands and write a note on them:

R S c r s

3) Practice the following search commands and write a note on them:

, / ; ? F N T f n t

4) Practice the following formatting commands and write a note on them:

~ < > J

To understand the command line file system

Lab 06: Managing the file system

Lab No. 06: Managing the file system

Objective:

To update the students with knowledge about command line file system and partition management.

Scope:

On the completion of this lab, you will be able to recognize:

• Pathnames

• Relative/Absolute Paths,

• Path and Environmental Settings,

• Directories vs. Partitions in the File System,

• Recognizing/modifying Partitions.

• Understand the bash environment.

Useful Concepts:

Directory

A special type of file that contains other files or directories, the equivalent of folders in Windows.

File system

Like other platforms (Windows, Mac OS, etc.), Linux has a hierarchical file system: directories can

be created inside other directories in a tree-like structure.

Root Directory

The Linux file system tree has only one root, called the root directory, represented by /

Sub Directory

A directory inside another directory is usually called a subdirectory.

Pathname

Pathname is a sequence of directories to be followed to reach the file. For example, the pathname of the

file myfile.txt in the cs user's home directory is /home/cs/myfile.txt.

Absolute pathnames

A pathname that contains all the information needed to find a file, that is, one that starts from the root

directory /, is called an absolute pathname.

Relative pathname

A pathname that contains information necessary to find a file from a particular point in the tree is called

relative pathname. For example, from the directory /home, the relative pathname of myfile.txt is just

cs/myfile.txt. Note that this pathname has no leading /.

Exercise-1:- This exercise illustrates how multiple disks are represented in the file system.

Each partition of the disk is mounted at a separate directory in the filesystem. So, for example, a separate

disk may be mounted at the directory /mnt. In this case, every time you access something in directory

/mnt, you are actually accessing a file on this separate disk. This is transparent to the user, but you can

peek at which disks are mounted where on a computer by using the df command in the shell. You will see

something like this:

Filesystem   1k-blocks    Used Available Use% Mounted on
/dev/hda8       497667   78511    393454  17% /
/dev/hda1        14607    2758     11095  20% /boot
/dev/hda7      5308207 1085340   3948063  22% /usr
/dev/hdc        609750  609750         0 100% /mnt/cdrom

The first line indicates that the disk with symbolic name /dev/hda8 is mounted at the root directory.

The second line indicates that another disk with symbolic name /dev/hda1 is mounted at subdirectory

/boot. The third line is similar.

The disk in the fourth line represents the CD-ROM drive, which is mounted at /mnt/cdrom.

Exercise-2:- This exercise illustrates how to recognize disks.

To see all the disks and partitions on your system, you can list the files in the /dev directory. The

ls /dev command will display all the device files.

To display only disk related files, type:

ls /dev | grep '^[hsf]d'

The output will be something like:

hda1 hda3 hda5 hda7 hdb2 fd0 fd1 sda1 sda8 sdb2

etc.

Here is a brief description of the device file names.

Disk file name   Description
fd0              First floppy disk drive
fd1              Second floppy disk drive
hda              First master hard disk drive (IDE-0 master)
hdb              First slave hard disk drive (IDE-0 slave)
hdc              Second master hard disk (IDE-1 master)
sda              First SCSI disk drive
sdb              Second SCSI disk drive

Exercise-3:- This exercise illustrates how to recognize partitions.

Enter the command

ls /dev | grep '^[hsf]d'

to display only disk related files. The output will be something like:

hda1 hda3 hda5 hda7 hdb2 fd0 fd1 sda1 sda8 sdb2

Disk file name   Description
hda1             First master hard disk drive (IDE-0 master), first primary partition
hda3             First master hard disk drive (IDE-0 master), third partition
hda5             First master hard disk drive (IDE-0 master), 1st logical partition
hda7             First master hard disk drive (IDE-0 master), 3rd logical partition
hdb1             First slave hard disk drive (IDE-0 slave), 1st partition
sda1             First SCSI disk drive, first primary partition
sdb8             Second SCSI disk drive, 4th logical partition

Exercise-4:- This exercise illustrates mounting and unmounting a partition.

To see the contents stored on a partition you must have a mount point, a directory in the file system tree,

through which you can access those contents. To mount a partition, for example hda5, on the /mnt directory, type:

mount /dev/hda5 /mnt

After this, you will be able to see the contents of the hda5 partition in the /mnt directory.

To mount a Windows NTFS partition, type:

mount -t ntfs-3g partition_path mount_point

To unmount a partition, type either

umount partition

Or

umount mount_point

e.g.

umount /dev/hda5

Or

umount /mnt

Either of the two commands will unmount the partition /dev/hda5 that is mounted on /mnt.

Exercise-5:- This exercise describes miscellaneous commands:

cfdisk       Partition table manipulator for Linux
export       Set an environment variable
fdisk        Partition table manipulator for Linux
quota        Display disk usage and limits
quotacheck   Scan a file system for disk usage

Exercises for lab:

Exercise 1:- Try all the above exercises and write a note on each. Record the results of the commands

on successful execution, or the error message on any failure, and discuss them with your lab

instructor.

Exercise 2:- How many disks and partitions are available on your system? Create a directory in your home

directory and mount the first logical partition of your primary hard disk on that directory.

Check whether you are able to access the contents of the newly mounted file system.

Home Work:

1) Define primary partition, extended partition and logical partition. How many primary partitions

can you create on a single disk?

2) Search the web and find the procedure for mounting a filesystem over the network (remote mounting).

To understand the command line Process Management

Lab 7: Command line Process Management

Lab No. 07: Command line Process Management

Objective:

The objective of this lab is to introduce students to command-line process control and management.

Scope:

The student will know the following at the end of this lab:

• Listing Processes

• Ending a Process

• Running a Process in the Background

• Changing the process favorability (priority)

Useful Concepts:

Processes

Linux, like most modern operating systems, is multitasking, which means that it can execute many

programs simultaneously. A program that is currently executing is called a process. A Linux system has

several dozen active processes at any time.

Some of these processes are system processes that perform important “behind the scenes” tasks, and some

are user processes corresponding to programs like Netscape or Emacs.

Nice

A process's favorability (priority) for access to system resources (processor time).

Signals

A special instruction delivered to a process (for example, to stop or terminate it).

Exercise-1:- This exercise illustrates Listing Processes

You can view the processes that are currently running on the system with the ps command. Type ps now

and you will see something like the following:

javidali@JLaptop:~$ ps

  PID TTY          TIME CMD
23985 pts/0    00:00:01 bash
24001 pts/0    00:00:00 ps
javidali@JLaptop:~$

This tells you that you are running 2 processes and the commands (CMD) used to start them were bash

(your shell) and ps (the process you just started when you entered ps). The first column in the list, headed

by PID, gives the process ID for each process, an integer used to uniquely identify each process. The next

column, TTY, gives the terminal name to which the process is attached. The third column, TIME, gives

the amount of time the process has been running for (or the amount of time it has been running since it

was last sleeping or stopped).

Using ps by itself only gives information about processes that you own, which, unless you are a system

administrator, is usually all the information you need. If you want information about all the processes

running on the system, you can issue the ps aux command. This command combines 3 options (the normal

dash before the options is not necessary) which, together, give information about all processes on the

system, including those owned by other users and those without a terminal attached. Here is a (significantly

trimmed) example of what this output might look like:

USER       PID %CPU %MEM   VSZ   RSS TTY   STAT START  TIME COMMAND
root         1  0.0  0.0  1324    76 ?     S    Jul23  0:12 init [5]
root         2  0.0  0.0     0     0 ?     SW   Jul23  0:21 [kflushd]
root         3  0.0  0.0     0     0 ?     SW   Jul23  0:03 [kupdate]
root         4  0.0  0.0     0     0 ?     SW   Jul23  0:00 [kpiod]
root         5  0.0  0.0     0     0 ?     SW   Jul23  0:14 [kswapd]
root         6  0.0  0.0     0     0 ?     SW<  Jul23  0:00 [mdrecoveryd]
root       415  0.0  0.1  1548   160 ?     S    Jul23  0:02 syslogd -m 0
rpc        440  0.0  0.1  1472   252 ?     S    Jul23  0:00 portmap
root       456  0.0  0.0     0     0 ?     SW   Jul23  0:00 [lockd]
root       500  0.0  0.2  5744   272 ?     S    Jul23  0:00 [ypbind]
nobody     566  0.0  0.0  7616    24 ?     S    Jul23  0:00 [identd]
...
root      1006 14.7 24.7 62796 31612 ?     R    Jul23 53:50 /etc/X11/X
javid     7892  0.0  1.2  7580  1564 ?     S    14:15  0:00 gnome-session
javid     7957  0.0  1.3  4700  1700 ?     S    14:15  1:39 sawmill
javid     7966  0.0  2.1  9336  2784 ?     S    14:15  3:51 panel
javid     7969  0.0  0.8  8404  1092 ?     S    14:15  0:00 gmc
javid     7972  0.0  0.7  3560   968 ?     S    14:15  0:11 xscreensaver
javid     7992  0.0  1.3  7676  1676 ?     S    14:26  0:21 gnome-terminal
javid     7994  0.0  0.6  2440   796 pts/0 S    14:26  0:01 bash
javid    12504  0.0  0.1  2004   156 pts/0 S    15:08  0:00 netscape
javid    24059  0.0  0.7  2728   900 pts/0 R    15:42  0:00 ps aux

This listing gives a lot of information about the 100 or so processes that are probably currently executing

on the system. For example, you can gather that the computer was rebooted last on July 23. You can see

that X windows (/etc/X11/X) is using almost 25% of the computer’s memory at the moment and 15% of

the CPU time. You can also view the current status (STAT) of each of the processes in the system. An R

in this column means that the process is currently “runnable”, which, as you will learn when you take

Operating Systems, means that the process is either currently running or in the ready queue, waiting to

gain access to the processor. An S indicates that the process is “sleeping” (currently not waiting to use the

processor). A W means that, in addition to sleeping, the process has been “swapped out” (not currently

resident in memory but on the disk instead). Lastly, the < marks a process that is given higher priority

than normal while waiting for the CPU.

Exercise-2:- This exercise illustrates how to terminate a Process

Sometimes you will come across a process that locks up and just won’t quit, no matter what you do. In

this case, the only alternative is to force the process to quit. If the process is one that you started from the

shell in the foreground, you can end it by typing Ctrl - C. If the process is running in the background, you

will need to issue the kill command followed by a process ID. For example, to kill the Netscape process

above, you would type:

kill 12504

If this does not work, use the -9 (or -s SIGKILL) option to forcibly kill the process.

The kill command (or Ctrl - C) also comes in handy when you must kill a program that you wrote with an

infinite loop!

Exercise-3:- This exercise illustrates how to Run a Process in the Background

When you run a program in Linux, it can either be run in the foreground or in the background. When you

run a program in the foreground (which is the default), the resulting process must finish before you get

another prompt in the shell. This is fine when you run short processes like ls, for example. However, if

you want to run Netscape (for example) from the shell, you probably do not want to have to quit Netscape

in order to get a new prompt to, say, copy a file. The alternative is to run Netscape in the background,

which means that the new process will run concurrently with the shell, and a prompt will be returned to

you immediately. To run a program in the background, simply follow the command with an ampersand (&)

character. For example, to run Netscape in the background, type:

netscape &

Generally speaking, any time you run a program that generates its own window on the desktop, it is best

to run it in the background.

If you start a program in the foreground by mistake and want to turn it into a background process, press

Ctrl-Z, which suspends the process. Then type

bg

This command resumes the currently suspended process in the background.
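The steps of Exercises 2 and 3 (a job started with &, its PID taken from $!, a plain kill and then kill -9 if the process ignores the first signal) as an added example that is not part of the manual. The function names is_running and terminate are this example's own, and the job that ignores SIGTERM is constructed with trap so that the SIGKILL fallback is actually exercised.

```shell
#!/bin/sh
# Added example for this lab (not from the manual): start a job in the
# background, take its PID from $!, and stop it the way Exercise-2 describes:
# a plain `kill PID` (SIGTERM) first, `kill -9` (SIGKILL) only if that fails.

# is_running PID: 0 if the process exists and is not a finished child that
# merely has not been reaped with `wait` yet (state Z in /proc/PID/stat).
is_running() {
    kill -0 "$1" 2>/dev/null || return 1          # signal 0 only tests existence
    state=$(sed 's/.*) //' "/proc/$1/stat" 2>/dev/null | cut -d' ' -f1)
    [ "$state" != "Z" ]
}

# terminate PID: sets TERMINATE_RESULT to TERM, KILL or none (already gone).
terminate() {
    pid=$1
    if ! is_running "$pid"; then
        TERMINATE_RESULT=none
        return 0
    fi
    kill "$pid" 2>/dev/null || :                   # default signal is SIGTERM (15)
    n=0
    while [ "$n" -lt 3 ] && is_running "$pid"; do  # up to ~3 s to exit cleanly
        sleep 1
        n=$((n + 1))
    done
    if is_running "$pid"; then
        kill -9 "$pid" 2>/dev/null || :            # SIGKILL cannot be caught or ignored
        TERMINATE_RESULT=KILL
    else
        TERMINATE_RESULT=TERM
    fi
    wait "$pid" 2>/dev/null || :                   # reap the child; status is 128+signal
}

# Stand-alone demo: an ordinary job, then one constructed to ignore SIGTERM
# (trap '' TERM sets SIG_IGN, which survives exec, so the sleep itself ignores it).
sleep 30 & demo_pid=$!
terminate "$demo_pid"
echo "sleep (PID $demo_pid) stopped with SIG$TERMINATE_RESULT"
sh -c 'trap "" TERM; exec sleep 30' >/dev/null 2>&1 & stubborn_pid=$!
sleep 1                                            # let the trap take effect first
terminate "$stubborn_pid"
echo "TERM-ignoring sleep (PID $stubborn_pid) stopped with SIG$TERMINATE_RESULT"
```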

Exercises for lab:

Exercise 1:- List all the processes that belong to root user.

Exercise 2:- Create a process of gedit and send it to background.

Exercise 3:- Change the priority of the process created in exercise no. 2.

Home Work:

1) Find the difference between the output of the top utility and the ps aux command.

2) What kinds of signals are used to control a process in UNIX operating system? Where can you

find the list of available signals and their numerical values?

To understand how to write and execute bash scripts

Lab 8: Basic Bash Scripting, writing and executing

bash scripts

Lab No. 08: Basic Bash Scripting, writing and executing bash scripts

Objective:

To familiarize students with the basics of bash scripting: how to write and execute bash scripts in the

Linux environment.

Scope:

The students will be able to do the following at the end of this lab:

• Write Hello world script.

• Usage of Variables, Global vs. Local variables

• Passing arguments to the bash script

• Executing shell commands with bash

• Reading User Input/ output

Useful Concepts:

Bash

• A UNIX shell as well as an interpreter

Script

• A set of instructions (commands) that can be executed by a shell (interpreter).

Exercise-1:- Hello world example. The script declares a string variable, stores “Hello

World” in it and finally prints the value of variable on the screen.

#!/bin/bash

# declare STRING variable

STRING="Hello World"

#print variable on a screen

echo $STRING

Saving and executing the script

Save the above script in a file named “hello_world.sh”.

Navigate to the directory where the script is saved and make it executable with “chmod +x hello_world.sh”.

Execute the script using the command “./hello_world.sh”.

Exercise -2:- This exercise explains the use of Global vs. Local variables

#!/bin/bash

#Define bash global variable

#This variable is global and can be used anywhere in this bash script

VAR="global variable"

function bash {

#Define bash local variable

#This variable is local to bash function only

local VAR="local variable"

echo $VAR

}

echo $VAR

bash

# Note the bash global variable did not change

# "local" is bash reserved word

echo $VAR

Exercise -3:- This exercise illustrates Passing command line arguments to the bash script

#!/bin/bash
# use predefined variables to access passed arguments
# echo arguments to the shell
echo $1 $2 $3 ' -> echo $1 $2 $3'
# We can also store arguments from bash command line in special array
args=("$@")
# echo arguments to the shell
echo ${args[0]} ${args[1]} ${args[2]} ' -> args=("$@"); echo ${args[0]} ${args[1]} ${args[2]}'
# use $@ to print out all arguments at once
echo $@ ' -> echo $@'
# use $# variable to print out
# number of arguments passed to the bash script
echo Number of arguments passed: $# ' -> echo Number of arguments passed: $#'

Passing arguments to the scripts

./arguments.sh Bash Scripting Tutorial

Here ./arguments.sh is the filename and the remaining are the arguments passed to the script.

Exercise -4:- This exercise illustrates Executing shell commands with bash

#!/bin/bash

# use backticks " ` ` " to execute shell command

echo `uname -o`

# executing bash command without backticks

echo uname -o

Exercise -5:- This exercise illustrates Reading User Input

#!/bin/bash
echo -e "Hi, please type the word: \c "
read word
echo "The word you entered is: $word"
echo -e "Can you please enter two words? "
read word1 word2
echo "Here is your input: \"$word1\" \"$word2\""
echo -e "How do you feel about bash scripting? "
# read command now stores a reply into the default built-in variable $REPLY
read
echo "You said $REPLY, I'm glad to hear that! "
echo -e "What are your favorite colours ? "
# -a makes read command read into an array
read -a colours
echo "My favorite colours are also ${colours[0]}, ${colours[1]} and ${colours[2]}:-)"

Exercises for lab:

Exercise 1:- Write a shell script that adds two numbers and prints their sum.

Exercise 2:- Write a script that takes a student's information as input and prints it to the screen.

Home Work:

1) Write a comparative report on the pros and cons of at least three scripting languages.

2)

To understand Advance Bash Scripting 1

Lab 9: Advance Bash Scripting 1

Lab No. 09: Advance Bash Scripting 1

Objective:

To familiarize students with the concept of Bash if/else statements, bash loops and bash comparisons.

Scope:

The students will be able to do the following at the end of this lab:

• Write shell scripts with conditional execution.

• Use loops in bash scripts.

Exercise-1:- Simple Bash if/else statement. In this example we declare a variable named directory

and assign it a value. Then, in the if statement, we check whether the directory exists or not, and

the relevant message is printed on the screen accordingly.

Please note the spacing inside the [ and ] brackets! Without the spaces, it won't work!

#!/bin/bash
directory="./BashScripting"
# bash check if directory exists (the variable is quoted so a path containing spaces stays one word)
if [ -d "$directory" ]; then
    echo "Directory exists"
else
    echo "Directory does not exist"
fi

Exercise -2:- This exercise demonstrates Bash “for” loop

#!/bin/bash

# bash for loop

for f in $( ls /var/ ); do

echo $f

done

Exercise -3:- This exercise demonstrates Bash while loop

#!/bin/bash

COUNT=6

# bash while loop

while [ $COUNT -gt 0 ]; do

echo Value of count is: $COUNT

let COUNT=COUNT-1

done

Exercise -4:- This exercise demonstrates Bash until loop

#!/bin/bash

COUNT=0

# bash until loop

until [ $COUNT -gt 5 ]; do

echo Value of count is: $COUNT

let COUNT=COUNT+1

done
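Exercise 1 above tests [ -d $directory ] unquoted, Exercise 2 loops over $( ls /var/ ), and Exercise 3 of Lab 08 echoes $@ unquoted; all three split on whitespace, so a name such as "My Documents" becomes two items. The functions below, an added example that is not part of the manual, show that splitting beside the quoted forms that avoid it. The function names and the directory built under mktemp are this example's own.

```shell
#!/bin/sh
# Added example, not from the manual: word splitting in unquoted $@, in
# [ -d $directory ] and in a $( ls ... ) loop, next to the forms that keep a
# name with spaces as one item. The sample directory is constructed below.

# Number of arguments a callee receives when the list is rebuilt with set --
# from $@ (unquoted, re-split on whitespace) versus "$@" (one word per argument).
count_unquoted() { set -- $@;   echo "$#"; }
count_quoted()   { set -- "$@"; echo "$#"; }

# dir_exists DIR: Exercise 1's check with the variable quoted. Unquoted, a path
# with a space hands [ two operands and it reports "too many arguments".
dir_exists() {
    if [ -d "$1" ]; then
        echo "Directory exists"
    else
        echo "Directory does not exist"
    fi
}

# count_entries_ls DIR: the manual's loop shape, for comparison. The output of
# ls is word-split, so an entry with a space in its name is counted twice.
count_entries_ls() {
    n=0
    for f in $(ls -A "$1"); do
        n=$((n + 1))
    done
    echo "$n"
}

# count_entries DIR: the same loop driven by a glob. Each match is one item
# regardless of whitespace; the -e guard skips a pattern that matched nothing
# (the shell then leaves it as the literal string).
count_entries() {
    n=0
    for f in "$1"/* "$1"/.[!.]*; do
        [ -e "$f" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone demo on a constructed directory: three entries, one with a space
demo=$(mktemp -d)
mkdir "$demo/My Documents"
touch "$demo/notes.txt" "$demo/.profile"
echo "ls loop counts:   $(count_entries_ls "$demo") (one too many)"
echo "glob loop counts: $(count_entries "$demo")"
echo "forwarded as \$@:   $(count_unquoted "Bash Scripting" Tutorial) arguments"
echo "forwarded as \"\$@\": $(count_quoted "Bash Scripting" Tutorial) arguments"
dir_exists "$demo/My Documents"
rm -rf "$demo"
```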

Exercises for lab:

Exercise 1:- Write a shell script that inputs two numbers from the user and checks whether they are equal or not.

Exercise 2:- Write a script that takes a number as input from the user and prints its multiplication table.

Home Work:

1) Write a script that takes a number as input from the user and calculates its factorial.

2) Write a script that takes a number as input from the user and checks whether it is a prime number or not.

To understand Advance Bash Scripting 2

Lab 10: Advance Bash Scripting 2

Lab No. 10: Advance Bash Scripting 2

Objective:

To familiarize students with the concept of arrays in bash scripting, bash functions and bash file

testing/handling.

Scope:

The students will be able to do the following at the end of this lab:

• Write shell scripts that make use of arrays.

• Use functions in their shell scripts.

• Use various file testing options in their code

Useful Concepts:

Bash File Testing Options

-b filename         Block special file
-c filename         Character special file
-d directoryname    Check for directory existence
-e filename         Check for file existence
-f filename         Check for regular file existence (not a directory)
-G filename         Check if file exists and is owned by the effective group ID
-g filename         True if file exists and is set-group-id
-k filename         Sticky bit
-L filename         Symbolic link
-O filename         True if file exists and is owned by the effective user ID
-r filename         Check if file is readable
-S filename         Check if file is a socket
-s filename         Check if file is of nonzero size
-u filename         Check if the file's set-user-id bit is set
-w filename         Check if file is writable
-x filename         Check if file is executable

Exercise -1:- This exercise demonstrates how to Declare simple bash array

#!/bin/bash

#Declare array with 4 elements

ARRAY=( 'Debian Linux' 'Redhat Linux' Ubuntu Linux )

# get number of elements in the array

ELEMENTS=${#ARRAY[@]}

# echo each element in array

# for loop

for (( i=0;i<$ELEMENTS;i++)); do

echo ${ARRAY[${i}]}

done

Exercise -2:- This exercise demonstrates how to Read file into bash array

#!/bin/bash
# Declare array
declare -a ARRAY
# Open file for reading on descriptor 10 (bash.txt is the input file)
exec 10<bash.txt
let count=0
# -r keeps backslashes in the input literal instead of treating them as escapes
while read -r LINE <&10; do
    ARRAY[$count]=$LINE
    ((count++))
done
echo Number of elements: ${#ARRAY[@]}
# echo array's content
echo ${ARRAY[@]}
# close file descriptor 10
exec 10>&-

Exercise -3:- This exercise demonstrates Bash Functions

#!/bin/bash

# BASH FUNCTIONS CAN BE DECLARED IN ANY ORDER

function function_B {

echo Function B.

}

function function_A {

echo $1

}

function function_D {

echo Function D.

}

function function_C {

echo $1

}

# FUNCTION CALLS

# Pass parameter to function A

function_A "Function A."

function_B

# Pass parameter to function C

function_C "Function C."

function_D
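The file test options from the table above, applied as a pre-flight check on a path before a script acts on it, as an added example that is not part of the manual. describe and refuse_untrusted are names chosen here, and the sample files (a setuid copy, a symbolic link, a sticky directory) are constructed under mktemp.

```shell
#!/bin/sh
# Added example, not from the manual: the file test operators from the table
# above used to inspect a path (describe) and to guard a script against acting
# on a path it should not trust (refuse_untrusted). Sample files are
# constructed in a temporary directory.

# describe FILE: comma-separated properties, or "missing" (status 1) if the
# path does not exist. -L is tested first because every other operator follows
# a symbolic link and reports on its target.
describe() {
    f=$1
    out=""
    [ -e "$f" ] || [ -L "$f" ] || { echo missing; return 1; }
    [ -L "$f" ] && out="${out}symlink,"
    [ -f "$f" ] && out="${out}regular,"
    [ -d "$f" ] && out="${out}directory,"
    [ -f "$f" ] && [ -s "$f" ] && out="${out}nonempty,"   # -s on a directory reports its size, not its entries
    [ -u "$f" ] && out="${out}setuid,"
    [ -g "$f" ] && out="${out}setgid,"
    [ -k "$f" ] && out="${out}sticky,"
    [ -O "$f" ] && out="${out}owned,"
    [ -x "$f" ] && out="${out}executable,"
    echo "${out%,}"
}

# refuse_untrusted FILE: 0 only for a regular file, reached without a symlink,
# owned by the effective user, with neither set-user-id nor set-group-id bit.
# A script that sources or executes a path it was handed should check this first.
refuse_untrusted() {
    f=$1
    if [ -L "$f" ]; then echo "rejected: symbolic link"; return 1; fi
    if [ ! -f "$f" ]; then echo "rejected: not a regular file"; return 1; fi
    if [ ! -O "$f" ]; then echo "rejected: not owned by me"; return 1; fi
    if [ -u "$f" ] || [ -g "$f" ]; then echo "rejected: setuid/setgid bit set"; return 1; fi
    echo "accepted"
}

# Stand-alone demo on constructed files
demo=$(mktemp -d)
echo '#!/bin/sh' > "$demo/tool.sh";  chmod 755 "$demo/tool.sh"
cp "$demo/tool.sh" "$demo/suid.sh";  chmod 4755 "$demo/suid.sh"
ln -s "$demo/tool.sh" "$demo/link.sh"
mkdir "$demo/shared"; chmod 1777 "$demo/shared"
for p in tool.sh suid.sh link.sh shared nothere; do
    printf '%-10s %s\n' "$p" "$(describe "$demo/$p" || :)"
done
refuse_untrusted "$demo/tool.sh"
refuse_untrusted "$demo/suid.sh" || :
rm -rf "$demo"
```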

Exercises for lab:

Exercise 1:- Write a shell script that reads a file name as a string from the user and checks whether a file

with this name exists or not.

Exercise 2:- Write a shell script that reads the contents of a text file and counts the number of words in the

file. Implement the word counting in a separate function.

Home Work:

1) Write a shell script that copies a single file to all directories in the tree of the root filesystem using

recursion.

To understand gcc

Lab 11: Introduction to gcc

Lab No. 11: Introduction to gcc

Objective:

Objective of this lab is to familiarize the student with the GNU C compiler.

Scope:

The student will know the following at the end of this lab:

• Use a command line editor to write a C/C++ program

• Compile a C/C++ program

• Make a program

• Debug and execute a C/C++ program

Useful Concepts

gcc

A command line GNU C compiler

g++

A command line C++ compiler

Compiling

A process of converting source code to object code

Make

• A utility used to manage large projects involving different files

• Its input is a makefile that describes the files involved in the project and the dependencies

between them

Debugging

• The process of removing logical errors from the code

• GNU DDD (Data Display Debugger) is a debugger with a more sophisticated interface

that, among other things, incorporates an interactive graphical data display feature, where

data structures are displayed as graphs.

Exercise-1:- This exercise demonstrates writing a C program in Linux text editors.

To write a C program, you can use any editor. Linux has a rich set of code-oriented GUI editors (with

syntax highlighting, indentation, etc.), e.g. glimmer, nedit, gvim, kwrite and xemacs. But if you are

using the command line, you can try the vim or emacs editor; we will use vim in our example.

Type the following at the command prompt:

vim introprogram.c

You will have an empty file opened in the vim editor if the file introprogram.c did not exist before.

Press the i key to switch to insert mode and type the following program:

#include <stdio.h>

int main()
{
    printf("\n welcome to gcc tutorial");
    return 0;
}

Hit ESC key to switch back to command mode and type

:wq

to save the program and exit the editor.

Exercise-2:- This exercise demonstrates Compiling Programs

You can learn more about gcc and g++ later by looking at the man pages (there is a lot there). For now, we will just

look at the basics.

To compile the C program of exercise 1, in the shell simply type

gcc -o introprogram introprogram.c

in the terminal window. The -o option gives the name of the executable to create; if omitted, the executable

will be called a.out.

In general you’ll probably want to compile programs with more options specified. Here is a better way to

compile a program:

gcc -g -Wall -o introprogram introprogram.c

The -g option produces debugging information in the executable. Strip it from binaries you hand to others; it exposes source paths, symbol names and local variable layouts.

The -Wall option enables the compiler's common set of warnings (not literally all of them; add -Wextra for more). Treat warnings as bugs to be fixed rather than noise: format-string, uninitialised-variable and implicit-declaration warnings frequently point at real memory-safety defects.

To compile multiple source files into one executable, just include them all on the command line. For example, to compile

prog1.c and prog2.c into a single executable called prog, type:

gcc -g -Wall -o prog prog1.c prog2.c

Once you have a working executable program, go to a terminal window to execute it. Make sure you are

in the correct directory and then type the name of the executable program.

Exercise-3:- This exercise explains the use of the make utility

When you are creating large software projects, it is usually a good idea to break the code into multiple

source files. This way, errors are usually easier to find and edit, and when you recompile the program you

only need to recompile the file you changed and those upon which it depends. Of course, this can become

confusing and complicated when the system becomes large. Linux has a powerful tool called make that

allows you to manage a complex project and compile it efficiently. The make utility reads a

file called a makefile that describes the files involved in the project and the dependencies between them.

Each rule in a makefile is of the form:

targets: dependencies

<Tab> commands

Here, targets is a list of target files separated by spaces and dependencies is a list of files on which the

targets depend. In other words, if any of the files in a dependency list is modified, make should recompile

and/or relink the target. The commands are the commands used to recreate the targets. (Note that the

<Tab> preceding commands really must be a tab character and not several spaces.)

For example, consider the following simple makefile:

# A simple makefile

sort: sort.o list.o
	g++ sort.o list.o -o sort

sort.o: sort.cc sort.h
	g++ -g -c sort.cc

list.o: list.cc list.h
	g++ -g -c list.cc

This file states that the executable sort is dependent on the object files sort.o and list.o. If either of these

object files change, the command g++ sort.o list.o -o sort should be used to recreate (link) sort from the

object files. The next two groups show how to create the object files. The first states that sort.o should be

recreated (compiled using g++) if sort.cc or sort.h changes. (The -c option to g++ tells the compiler to

only compile, creating object files, and not to link them together.) The third group does a similar thing for

list.o. So, you can see that if, for example, list.h is modified,

list.o and then sort will need to be recreated but sort.o will not.

To use this makefile, place it in the same directory as the source files and name it Makefile.

Then run make sort (or just make, which builds the first target in the file) to compile and link everything. make compares file timestamps, so on later runs it only executes the commands whose dependencies are newer than their target.

Exercise-4:- This exercise demonstrates the Debugging process.

You can start up DDD by typing ddd in the shell, followed by the name of your executable program. In

order for the source program to be visible to the debugger, you must have compiled the program with the

-g option, which includes debugging information in the executable. To simply run your program in DDD,

press the Run button in the small floating window that appears. The output of your program will be displayed in the window below your source code. The Interrupt button will stop a running program, the same way a Ctrl-C does in the shell. If you want to continue to run your program from where you left off, press the Cont button. Usually, when you are debugging a program, you want the program to stop execution at some point so that you can examine the value of a variable or check some other part of your program. To stop your program, you set a breakpoint. To set a breakpoint, find the line of your source code where you wish to stop and click to the left of it with the left mouse button. Then press the Break button (with the stop sign) below the menu bar. A stop sign icon should appear to the left of the line. Now, when you run your program, execution will stop every time this line is reached. You can set as many breakpoints as needed. To clear a breakpoint, do the same thing, except this time the stop sign will be dimmed and the button will say Clear instead.

If you wish to have your program stop every time the value of some variable changes, you can set a

watchpoint. To set a watchpoint, left-click on a variable name in your source code and press the Watch

button below the menu bar.

Once your program has stopped, there are two options (buttons) for stepping through your program a line

at a time — Step and Next. To step means to proceed to the next line of source code in your program,

even if it is inside a function. The Next option advances to the next source line, but treats function-calls as

if they were single instructions. The Stepi and Nexti buttons behave similarly, but recognize individual

machine language instructions, not lines of source code.

To view the value of a variable as your program runs, select that variable name by left-clicking on it and

then press the Display button below the menu bar. A box with that variable’s value will appear in a new

window above your source code.


These are the basics of DDD. But there is quite a bit more to learn if you desire. The display function of

DDD, in particular, is quite sophisticated and flexible. Under the Help menu, you can find context-sensitive

help and a detailed manual (also available at www.gnu.org/manual/ddd/). You will also notice that if

you linger over a button with the cursor, a description of that button will appear.

Exercise-5:- This exercise demonstrates the execution of a program

To execute the program from the terminal window or a shell, type the name of the executable file (the

output file of compiling process). For example, to run the program of exercise 1, type.

./introprogram

where ./ is the relative path of the executable file named introprogram. The current directory is deliberately not part of the shell's search path, so a bare introprogram is not found.

You can also use the absolute path to execute a program, or add its directory to the user's search path in

order to execute the program without giving a path.

To use absolute path, for example your executable file is located at /home/cs, type:

/home/cs/introprogram

To add the directory cs to the user's search path, first type

export PATH=$PATH:/home/cs

Append to PATH rather than prepending, and never add . or a world-writable directory such as /tmp: every entry in PATH is a place from which a command you type can be loaded, so anyone who can write there can plant a trojan ls or gcc that runs with your privileges.

And then to run the program now just type

introprogram
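The PATH step above is worth checking before it is run. The script below is an added example written for this edition of the lab, not part of the original manual: it classifies each entry of a PATH value, reports the dangerous ones (empty or "." entries, relative paths, missing or world-writable directories) and appends a new directory only when it passes the same checks. It assumes a POSIX shell and a find(1) that understands -maxdepth and -perm -o+w (GNU and BSD both do); the function names and the directory paths in the usage line are the example's own.

```shell
#!/bin/sh
# Added example: audit PATH entries before extending the search path.
# Every directory in PATH is a place from which a command you type is
# loaded, so a writable or relative entry lets another user run code as you.

# Classify one PATH entry. Prints one word:
#   cwd, relative, missing, notdir, world-writable, or ok
classify_path_entry() {
    local entry="$1"
    if [ -z "$entry" ] || [ "$entry" = "." ]; then
        echo cwd                      # empty field and "." both mean "current directory"
        return
    fi
    case $entry in
        /*) ;;
        *)  echo relative; return ;;  # resolved against whatever cwd happens to be
    esac
    [ -e "$entry" ] || { echo missing; return; }
    [ -d "$entry" ] || { echo notdir; return; }
    # Anyone can drop a trojan "ls" or "gcc" into a world-writable directory.
    if find "$entry" -maxdepth 0 -perm -o+w 2>/dev/null | grep -q .; then
        echo world-writable
        return
    fi
    echo ok
}

# Print "status<TAB>entry" for every entry that is not ok; succeed only if
# all entries are ok. The trailing colon keeps empty fields ("/bin:" ends
# in an empty entry, which the shell treats as the current directory).
audit_path() {
    local rest="${1-$PATH}:" entry status bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        status=$(classify_path_entry "$entry")
        if [ "$status" != ok ]; then
            printf '%s\t%s\n' "$status" "$entry"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# safe_path_append CURRENT_PATH DIR: print CURRENT_PATH with DIR appended,
# refusing directories that fail the checks and skipping duplicates.
safe_path_append() {
    local cur="$1" dir="$2" status
    status=$(classify_path_entry "$dir")
    if [ "$status" != ok ]; then
        echo "refusing to add $dir ($status)" >&2
        return 1
    fi
    case ":$cur:" in
        *":$dir:"*) echo "$cur" ;;        # already present
        *)          echo "$cur:$dir" ;;
    esac
}

# Usage (directory name illustrative):
#   audit_path
#   PATH=$(safe_path_append "$PATH" /home/cs) && export PATH
```

Run audit_path with no argument to check the live PATH; it prints nothing and exits 0 when the path is clean.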

Exercises for lab:

Exercise 1:- Write a C program that displays your name and registration number, using the vim editor

Exercise 2:- Compile the program using a default output file name a.out

Exercise 3:- Debug the program using the ddd debugger.

Home Work:

1) Go to the manual page of gcc and g++ and find the difference between them

2) Practice the different options available with gcc that are described in gcc's manual page.


Lab No. 12: Linux Networking 1

Objective:

To familiarize students with the configuration, activation/de-activation and aliasing (virtual interfaces) of network interfaces

Scope:

The students would be able to do the following at the end of this lab:

• Find all the interfaces available on the system

• List the active interfaces.

• Configure TCP/IP options for an interface.

• Configure an interface for automatic configuration via a DHCP or BOOTP server.

• Create virtual interfaces and use a single NIC for multiple networks at a time.

Exercise -1:- This exercise illustrates how to determine your IP address

Most PCs come with an Ethernet port. In the classic naming scheme used throughout this lab, the first such device is called eth0

(current distributions use predictable names such as enp0s3 instead, and ship ip addr as the replacement for ifconfig). You can determine the IP address of this device with the ifconfig command.

[root@tmp]# ifconfig -a

eth0 Link encap:Ethernet HWaddr 00:08:C7:10:74:A8

inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:47379 errors:0 dropped:0 overruns:0 frame:0

TX packets:107900 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:4676853 (4.4 Mb) TX bytes:43209032 (41.2 Mb)

Interrupt:11 Memory:c887a000-c887b000

[root@tmp]#

In this example, eth0 has an IP address of 192.168.1.100 and a subnet mask of 255.255.255.0. The command

also shows the interrupt and memory range used by the card, which helps when identifying which physical card an interface name refers to.

Exercise -2:- This exercise demonstrates how to change your IP address

You can give eth0 interface an IP address using the ifconfig command:

[root@tmp]# ifconfig eth0 10.0.0.1 netmask 255.255.255.0 up

The up at the end of the command activates the interface. The change is lost at the next reboot. To make it permanent,

either put the command in your /etc/rc.local file, which is run at the end of every boot, or (preferably) set the address in the interface's ifcfg file under /etc/sysconfig/network-scripts so that the ifup command applies it.

Exercise-3:- This exercise demonstrates how to assign Multiple IP Addresses on a Single

NIC

A virtual subinterface is also known as an IP alias. IP aliasing is one of the most common ways of creating

multiple IP addresses associated with a single NIC. Aliases have the name format parent-interface-name:X,

where X is the sub-interface number of your choice.

The process for creating an IP alias is very similar to the steps outlined for the real interface in the

previous section, "Changing Your IP Address":

First ensure that the parent (real) interface exists.

Verify that no other IP alias already exists with the name you plan to use. In this example we want

to create interface eth0:0.


Exercise-4:- This exercise demonstrates how to create the virtual interface with the ifconfig command

[root@tmp]# ifconfig eth0:0 192.168.1.99 netmask 255.255.255.0 up

Exercise-5:- This exercise demonstrates how to activate/shut down your NIC

The ifup and ifdown commands activate and deactivate a NIC interface respectively. There must be an

ifcfg-<interface> file (for example ifcfg-eth0) in the /etc/sysconfig/network-scripts directory for these commands to work. Here

is an example for interface eth0:

[root@bigboy tmp]# ifdown eth0

[root@bigboy tmp]# ifup eth0

Exercises for lab:

Exercise 1:- Check the IP address of network interface.

Exercise 2:- Assign an IP address to your Ethernet interface manually, and also configure it to be assigned

automatically at startup.

Home Work:

1) Create configuration files for virtual interfaces eth0:0 and wlan0:0 with the following configurations:

• The Ethernet interface has a static IP of network 192.168.0.0 that start at boot time

• The wireless LAN interface gets its IP from DHCP server. The interface is disabled by default.


Lab No. 13: Linux Networking 2

Objective:

To familiarize students with how a Linux server can be used as a router

Scope:

The students would be able to do the following at the end of this lab:

• Configure the default gateway for the Linux router.

• Add/Delete static routes to the Linux router.

Useful Concepts:

Router

• The node in the internetwork which connects two homogeneous networks and forwards packets between them.

Internetwork

• A network that is built up of networks.

Exercise-1:- This exercise demonstrates how to view your current routing table

The netstat -nr command (route -n, or ip route on current systems) prints the contents of the routing table. Networks with a gateway of

0.0.0.0 are directly connected to the interface: no gateway is needed to reach a network your own interface

sits on, so a gateway address of 0.0.0.0 is appropriate. The route with a destination address

of 0.0.0.0 is your default gateway.

In the following example there are two entries of interest: the default route, and a host route to 255.255.255.255, which is

usually added on DHCP servers. This machine is a DHCP server.

[root@tmp]# netstat -nr

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

255.255.255.255 0.0.0.0 255.255.255.255 UH 40 0 0 wlan0

192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 wlan0

127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo

0.0.0.0 192.168.1.1 0.0.0.0 UG 40 0 0 wlan0

[root@tmp]#

In this example, there are multiple gateways handling traffic destined for different networks on different

interfaces.

[root@tmp]# netstat -nr

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

172.16.68.64 172.16.69.193 255.255.255.224 UG 40 0 0 eth1

172.16.11.96 172.16.69.193 255.255.255.224 UG 40 0 0 eth1

172.16.68.32 172.16.69.193 255.255.255.224 UG 40 0 0 eth1

172.16.67.0 172.16.67.135 255.255.255.224 UG 40 0 0 eth0

172.16.69.192 0.0.0.0 255.255.255.192 U 40 0 0 eth1

172.16.67.128 0.0.0.0 255.255.255.128 U 40 0 0 eth0

172.16.0.0 172.16.67.135 255.255.0.0 UG 40 0 0 eth0

172.16.0.0 172.16.67.131 255.240.0.0 UG 40 0 0 eth0

127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo

[root@tmp]#

Exercise-2:- This exercise demonstrates how to change your default gateway


Your server needs to have a single default gateway. DHCP servers will automatically assign a default gateway

to DHCP-configured NICs, but NICs with static IP addresses need a manually

configured default gateway. This can be done with a simple command:

[root@tmp]# route add default gw 192.168.1.1 eth0

In this case, make sure that the router/firewall with IP address 192.168.1.1 is connected to the same net-

work as interface eth0!

Once done, update your /etc/sysconfig/network file to reflect the change. This file is used to

configure your default gateway each time Linux boots:

NETWORKING=yes

HOSTNAME=bigboy

GATEWAY=192.168.1.1

Exercise-3:- This exercise demonstrates how to configure two gateways

Some networks may have multiple router/firewalls providing connectivity. Here's a typical scenario:

You have one router providing access to the Internet that you'd like to have as your default gateway (see

the default gateway example earlier)

You also have another router providing access to your corporate network using addresses in the range

10.0.0.0 to 10.255.255.255. Let's assume that this router has an IP address of 192.168.1.254

The Linux box used in this example uses interface wlan0 for its Internet connectivity.

There are a number of ways to add this new route.

Exercise-4:- This exercise demonstrates how to add temporary and permanent static routes

The route add command adds routes to your server that last until the next reboot. In

our example the reference to the 10.0.0.0 network has to be preceded by the -net switch, and the subnet

mask and gateway values by the netmask and gw switches respectively.

[root@tmp]# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 wlan0

If you want to add a route to an individual server, use the -host switch with no netmask value (the route

command knows the mask should be 255.255.255.255). Here is an

example for a route to host 10.0.0.1.

[root@tmp]# route add -host 10.0.0.1 gw 192.168.1.254 wlan0

A universal way of making this change persistent after a reboot would be to place this route add command

in the file /etc/rc.d/rc.local, which is always run at the end of the booting process.

In Fedora Linux, permanent static routes are added on a per-interface basis in files located in the

/etc/sysconfig/network-scripts directory. The filename format is route-<interface-name>, so the file for

interface wlan0 is route-wlan0. The format of the file is quite intuitive, with the target network

in the first column followed by the word via and then the gateway's IP address. In our routing example,

to set up a route to network 10.0.0.0 with a subnet mask of 255.0.0.0 (a mask with the first 8 bits

set to 1) via the 192.168.1.254 gateway, we would configure the file /etc/sysconfig/network-scripts/route-wlan0

to look like this:

# File /etc/sysconfig/network-scripts/route-wlan0

10.0.0.0/8 via 192.168.1.254

(A line starting with # is a comment, so the route line itself must not begin with one.)
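Two things in this exercise are easy to get wrong by hand: the gateway must be on the network of the interface you name (the warning in exercise 2), and the route-<interface> file wants a prefix length rather than a dotted netmask. The script below is an added example, not part of the original manual, that does both checks with shell arithmetic alone and prints the file line. It assumes a POSIX shell whose arithmetic handles 32-bit unsigned values (dash, bash and busybox all do); the function names are the example's own, and the addresses are the ones used in this lab.

```shell
#!/bin/sh
# Added example: validate a static route before "route add" and emit the
# "NET/PREFIX via GW" line for /etc/sysconfig/network-scripts/route-<iface>.

ip2int() {   # 192.168.1.100 -> 3232235876
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {   # reverse of ip2int
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Dotted mask -> prefix length. Rejects non-contiguous masks such as 255.0.255.0.
mask2prefix() {
    local m inv n
    m=$(ip2int "$1")
    inv=$(( ~m & 4294967295 ))                  # the zero bits, as a positive number
    if [ $(( (inv + 1) & inv )) -ne 0 ]; then   # must be 2^k - 1: ones only at the bottom
        echo "bad netmask: $1" >&2
        return 1
    fi
    n=0
    while [ $(( m & 2147483648 )) -ne 0 ]; do   # count leading one bits
        n=$((n + 1))
        m=$(( (m << 1) & 4294967295 ))
    done
    echo "$n"
}

# same_subnet IP MASK OTHER: succeed when OTHER is on IP's network.
same_subnet() {
    local m
    m=$(ip2int "$2")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# route_line NET MASK GW IFACE_IP IFACE_MASK
# Prints "NET/PREFIX via GW" after verifying that GW is reachable on the
# interface that carries IFACE_IP/IFACE_MASK. Fails loudly otherwise.
route_line() {
    local net="$1" mask="$2" gw="$3" ifip="$4" ifmask="$5" prefix netint
    prefix=$(mask2prefix "$mask") || return 1
    if ! same_subnet "$ifip" "$ifmask" "$gw"; then
        echo "gateway $gw is not on the network of $ifip/$(mask2prefix "$ifmask")" >&2
        return 1
    fi
    netint=$(( $(ip2int "$net") & $(ip2int "$mask") ))   # 10.1.2.3/8 -> 10.0.0.0/8
    echo "$(int2ip "$netint")/$prefix via $gw"
}

# Usage (interface address 192.168.1.100/24 as in this lab):
#   route_line 10.0.0.0 255.0.0.0 192.168.1.254 192.168.1.100 255.255.255.0 \
#       >> /etc/sysconfig/network-scripts/route-wlan0
```

The same check catches the typo family this kind of manual work invites: with the gateway written as 192.16.1.254 the function refuses, because that address is not on 192.168.1.0/24, whereas route add would accept the command and silently leave the route unusable.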

Exercise-5:- This exercise demonstrates how to delete a route

Here's how to delete the routes added in the previous section.

[root@tmp]# route del -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 wlan0

The file /etc/sysconfig/network-scripts/route-wlan0 will also have to be updated so that when you reboot

the server will not reinsert the route. Delete the line that reads:

10.0.0.0/8 via 192.168.1.254

Exercises for lab:

Exercise 1:- View the current routing table of Linux server.

Exercise 2:- Configure default gateway for the router.

Exercise 3:- Add static routes to the router.

Exercise 4:- Delete static routes from the router.

Home Work:

1) Differentiate between a gateway and a router.

2) Why do we need a default gateway?


Lab No. 14: Network troubleshooting

Objective:

To give the students an introduction to the main causes of network related problems.

Scope:

At the end of this lab students will be able to diagnose a network problem that shows up either as

slow response times from a remote server or as a complete lack of connectivity.

Useful Concepts:

Sources of Network Slowness

• NIC duplex and speed incompatibilities

• Network congestion

• Poor routing

• Bad cabling

• Electrical interference

• An overloaded server at the remote end of the connection

• Mis-configured DNS

Sources of a Lack of Connectivity

• Any of the sources of slowness above, when severe enough

• Power failures

• The remote server, or an application on the remote server, having been shut down

• Host or network firewall rules that reject or drop the traffic (see exercise 6)

Exercise-1:- This exercise illustrates basic cable and link tests

Your server won't be able to communicate with any other device on your network unless the NIC's "link"

light is on. This indicates that the connection between your server and the switch/router is functioning

correctly.

In most cases a lack of link is due to the wrong cable type being used. There are two types of Ethernet

cable, crossover and straight-through (most modern NICs and switches auto-sense the pairing, older ones do not). Always make sure you are using the correct type.

Other sources of link failure include:

The cables are bad.

The switch or router to which the server is connected is powered down.

The cables aren't plugged in properly.

If you have an extensive network, investment in a battery-operated cable tester for basic connectivity testing

is invaluable. More sophisticated models in the market will be able to tell you the approximate location

of a cable break and whether an Ethernet cable is too long to be used.

Exercise-2:- This exercise demonstrates testing your NIC

Your NICs are labeled eth0, eth1, etc. for Ethernet NICs and wlan0, wlan1, etc. for wireless LAN cards,

where 0 and 1 represent the first and second NIC respectively.

To view your activated interfaces, use the ifconfig command:

ifconfig


To view all interfaces, whether active or not, use ifconfig -a:

ifconfig -a

A shut-down interface has no inet addr line and no UP flag on its flags line:

eth0 Link encap:Ethernet HWaddr 00:06:25:08:6A:1D

BROADCAST MULTICAST MTU:1500 Metric:1

RX packets:2924 errors:0 dropped:0 overruns:0 frame:0

TX packets:2287 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:180948 (176.7 Kb) TX bytes:166377 (162.4 Kb)

Interrupt:10 Memory:c88b5000-c88b6000

Active Interface

eth0 Link encap:Ethernet HWaddr 00:06:25:08:6A:1D

inet addr:192.168.0.69 Bcast:192.168.0.255

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:2924 errors:0 dropped:0 overruns:0 frame:0

TX packets:2295 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:180948 (176.7 Kb) TX bytes:166521 (162.6 Kb)

Interrupt:10 Memory:c88b5000-c88b6000

Note that DHCP clients automatically give their NICs a link-local IP address starting with 169.254.x.x until they

can make contact with their DHCP server. When contact is made they reconfigure their IP addresses to

the values provided by the DHCP server. An interface with a 169.254.x.x address therefore signifies a failure to

communicate with the DHCP server.

Check your cabling, routing and DHCP server configuration to rectify such a problem.
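The interface listing of Lab 12 and the 169.254.x.x check above are both things you will want to run as a script rather than read by eye on a box with many interfaces. The following is an added example, not part of the original manual: it reads net-tools style ifconfig -a output on standard input and prints one line per interface with its address, UP/DOWN state and a flag for link-local addresses. The sample output embedded in it is constructed in the format this lab uses (an interface that is down, an alias, an interface stuck without a lease, and loopback); the function names are the example's own, and it assumes awk is available.

```shell
#!/bin/sh
# Added example: summarise net-tools "ifconfig -a" output, one line per
# interface, and flag 169.254.x.x (link-local) addresses, which mean that
# no DHCP lease was obtained.

# Constructed sample in the classic net-tools format used in this lab.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:06:25:08:6A:1D
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:2924 errors:0 dropped:0 overruns:0 frame:0

eth0:0    Link encap:Ethernet  HWaddr 00:06:25:08:6A:1D
          inet addr:192.168.1.99  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

wlan0     Link encap:Ethernet  HWaddr 00:06:25:09:6A:D7
          inet addr:169.254.12.7  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# Reads ifconfig output on stdin; prints "IFACE ADDR UP|DOWN NOTE" per interface.
summarize_ifconfig() {
    awk '
    function flush() {
        if (iface == "") return
        note = (addr ~ /^169\.254\./) ? "APIPA-no-DHCP" : "-"
        if (addr == "") addr = "-"
        print iface, addr, (up ? "UP" : "DOWN"), note
    }
    /^[A-Za-z]/    { flush(); iface = $1; addr = ""; up = 0; next }  # interface header line
    /inet addr:/   { sub(/.*inet addr:/, ""); addr = $1 }            # IPv4 address
    $1 == "UP"     { up = 1 }                                          # flags line starts with UP
    END            { flush() }'
}

# Names of interfaces stuck on a link-local address (stdin: ifconfig output).
apipa_interfaces() {
    summarize_ifconfig | awk '$4 == "APIPA-no-DHCP" { print $1 }'
}

# Usage on a live system:   ifconfig -a | summarize_ifconfig
# On the constructed sample: printf '%s\n' "$SAMPLE_IFCONFIG" | apipa_interfaces
```

On the sample, apipa_interfaces prints only wlan0; eth0 is reported as DOWN with no address, which is the "shut down interface" case shown above.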

Exercise-3:- This exercise demonstrates how to test link status from the command line

Both the mii-tool and ethtool commands report the link status and duplex settings

for supported NICs.

When used without any switches, mii-tool gives a very brief report. Use it with the -v switch because

it provides more information on the supported auto negotiation speeds of the NIC and this can be useful

in troubleshooting speed and duplex issues.

The ethtool command provides much more information than mii-tool and should be your command of

choice, especially because mii-tool is deprecated. In both of the following examples

the NICs are operating at 100Mbps, full duplex and the link is ok. Look closely at the mii-tool output, though: the link partner advertises only 100baseTx-HD while this NIC runs full duplex, so the two ends do not agree on duplex. That kind of mismatch is a classic cause of the late collisions and CRC errors described under "Possible Causes of Ethernet Errors" below.

Link Status Output from mii-tool

[root@bigboy tmp]# mii-tool -v

eth0: 100 Mbit, full duplex, link ok

product info: Intel 82555 rev 4

basic mode: 100 Mbit, full duplex


basic status: link ok

capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD

advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control

link partner: 100baseTx-HD

[root@bigboy tmp]#

Link Status Output from ethtool

[root@bigboy tmp]# ethtool eth0

Settings for eth0:

Supported ports: [ TP MII ]

Supported link modes: 10baseT/Half 10baseT/Full

100baseT/Half 100baseT/Full

Supports auto-negotiation: Yes

Advertised link modes: 10baseT/Half 10baseT/Full

100baseT/Half 100baseT/Full

Advertised auto-negotiation: No

Speed: 100Mb/s

Duplex: Full

Port: MII

PHYAD: 1

Transceiver: internal

Auto-negotiation: off

Supports Wake-on: g

Wake-on: g

Current message level: 0x00000007 (7)

Link detected: yes

[root@bigboy tmp]#

Viewing NIC Errors

Errors are a common symptom of slow connectivity due to poor configuration or excessive bandwidth

utilization. They should always be corrected whenever possible.

Error rates in excess of 0.5% can result in noticeable sluggishness.

Ifconfig Error Output

The ifconfig command also shows the number of overrun, carrier, dropped packet and frame errors.

wlan0 Link encap:Ethernet HWaddr 00:06:25:09:6A:D7

BROADCAST MULTICAST MTU:1500 Metric:1

RX packets:2924 errors:0 dropped:0 overruns:0 frame:0

TX packets:2287 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:180948 (176.7 Kb) TX bytes:166377 (162.4 Kb)


Interrupt:10 Memory:c88b5000-c88b6000

ethtool Error Output

The ethtool command provides a much more detailed report when used with the -S switch.

[root@probe-001 root]# ethtool -S eth0

NIC statistics:

rx_packets: 1669993

tx_packets: 627631

rx_bytes: 361714034

tx_bytes: 88228145

rx_errors: 0

tx_errors: 0

rx_dropped: 0

tx_dropped: 0

multicast: 0

collisions: 0

rx_length_errors: 0

rx_over_errors: 0

rx_crc_errors: 0

rx_frame_errors: 0

rx_fifo_errors: 0

rx_missed_errors: 0

tx_aborted_errors: 0

tx_carrier_errors: 0

tx_fifo_errors: 0

tx_heartbeat_errors: 0

tx_window_errors: 0

tx_deferred: 0

tx_single_collisions: 0

tx_multi_collisions: 0

tx_flow_control_pause: 0

rx_flow_control_pause: 0

rx_flow_control_unsupported: 0

tx_tco_packets: 0

rx_tco_packets: 0

[root@probe-001 root]#

netstat Error Output

The netstat command is very versatile and provides a limited report when used with the -i switch. This

is useful on systems where mii-tool or ethtool are not available.


[root@bigboy tmp]# netstat -i

Kernel Interface table

Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg

eth0 1500 0 18976655 2 0 0 21343152 142 0 3 BMRU

eth1 1500 0 855154 0 0 0 15196620 0 0 0 BMRU

lo 16436 0 1784272 0 0 0 1784272 0 0 0 LRU

[root@bigboy tmp]#

Possible Causes of Ethernet Errors

Collisions: The NIC detected that it and another station on the LAN were transmitting at the same time. Collisions

are a normal part of half-duplex Ethernet operation and are typically below 0.1% of all frames sent; they should

never occur at all on a full-duplex link. Higher rates are likely to be caused by a duplex mismatch, faulty NIC cards or

poorly terminated cables.

Single Collisions: The Ethernet frame went through after only one collision

Multiple Collisions: The NIC had to attempt multiple times before successfully sending the frame due to

collisions.

CRC Errors: Frames were received but had been corrupted in transit. CRC errors without many

collisions are usually an indication of electrical noise or a duplex mismatch. Make sure that you are using the correct type of cable,

that the cabling is undamaged and that the connectors are securely fastened.

Frame Errors: An incorrect CRC and a non-integer number of bytes are received. This is usually the result

of collisions or a bad Ethernet device.

FIFO and Overrun Errors: The number of times the NIC was unable to hand data to its memory

buffers because the data rate exceeded the capabilities of the hardware. This is usually a sign of excessive traffic.

Length Errors: The received frame was shorter or longer than the Ethernet standard allows. This is most

frequently due to incompatible duplex settings.

Carrier Errors: Errors are caused by the NIC card losing its link connection to the hub or switch. Check

for faulty cabling or faulty interfaces on the NIC and networking equipment.
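The 0.5% rule of thumb given above is easier to apply if something computes the percentage from the netstat -i counters for you. The script below is an added example, not part of the original manual: it reads netstat -i output on standard input, counts errors, drops and overruns as bad frames, and flags any interface whose receive or transmit error rate crosses a threshold. The embedded sample is constructed; its eth0, eth1 and lo rows carry the numbers shown on this page, and eth2 is a deliberately sick interface. The function names are the example's own and it assumes awk is available.

```shell
#!/bin/sh
# Added example: turn "netstat -i" counters into error percentages and flag
# interfaces above the 0.5% rule of thumb used in this lab.

# Constructed sample: eth0/eth1/lo as on this page, eth2 deliberately bad.
SAMPLE_NETSTAT_I='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 18976655      2      0      0 21343152    142      0      3 BMRU
eth1   1500   0   855154      0      0      0 15196620      0      0      0 BMRU
eth2   1500   0    10000     90      0     20     5000      0      0      0 BMRU
lo    16436   0  1784272      0      0      0  1784272      0      0      0 LRU'

# nic_error_report [THRESHOLD_PERCENT]   (stdin: netstat -i output)
# Prints "IFACE RX-ERR% TX-ERR% OK|CHECK". Errors, drops and overruns are
# all counted as bad frames; the rate is bad / (good + errored) * 100.
nic_error_report() {
    awk -v thr="${1:-0.5}" '
    $1 == "Iface" || NF < 12 { next }            # skip the two header lines
    {
        rx_bad = $5 + $6 + $7;  rx_tot = $4 + $5
        tx_bad = $9 + $10 + $11; tx_tot = $8 + $9
        rx_pct = rx_tot ? 100 * rx_bad / rx_tot : 0
        tx_pct = tx_tot ? 100 * tx_bad / tx_tot : 0
        verdict = (rx_pct > thr || tx_pct > thr) ? "CHECK" : "OK"
        printf "%s %.3f %.3f %s\n", $1, rx_pct, tx_pct, verdict
    }'
}

# Just the names of the interfaces that need attention.
noisy_interfaces() {
    nic_error_report "$1" | awk '$4 == "CHECK" { print $1 }'
}

# Usage on a live system:  netstat -i | noisy_interfaces
# On the sample:           printf '%s\n' "$SAMPLE_NETSTAT_I" | nic_error_report
```

On the sample, eth0's 142 transmit errors look alarming in isolation but amount to 0.001% of 21 million frames, while eth2 with 110 bad frames out of roughly 10,000 received is at 1.09% and gets flagged; it is the ratio, not the raw count, that matters.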

Exercise-4:- This exercise demonstrates how to view ARP table entries.

The arp -a command shows the MAC addresses in your server's ARP table for the other hosts

on the directly connected network. Here we see that we have some form of connectivity with the router at

address 192.168.0.1:

arp -a

bigboypix (192.168.0.1) at 00:09:E8:9C:FD:AB [ether] on eth0

? (192.168.1.101) at 00:06:25:09:6A:D7 [ether] on wlan0

Note: Make sure the IP addresses listed in the ARP table match those of servers expected to be on your

network. If they don't, your server might be plugged into the wrong switch or router port. Compare the MAC address shown for the gateway with the one you expect as well: a gateway entry whose MAC address changes, or that matches another host on the LAN, is the signature of ARP spoofing (an attacker inserting itself as a man in the middle), not of a cabling problem.

You should also check the ARP table of the remote server to see whether it is populated with acceptable

values.

Exercise-5:- This exercise demonstrates how to use ping to test network connectivity


One of the most common methods used to test connectivity across multiple networks is the ping command.

ping sends ICMP echo request packets that ask for a corresponding ICMP echo reply from the

device at the target address. Because most servers will respond to a ping query it becomes a very handy

tool. A lack of response could be due to:

1. A server with that IP address doesn't exist

2. The server has been configured not to respond to pings

3. A firewall or router along the network path is blocking ICMP traffic

4. You have incorrect routing. Check the routes and subnet masks on both the local and remote

servers and all routers in between. A classic symptom of bad routes on a server is the ability to

ping servers only on your local network and nowhere else.

Use traceroute to ensure you're taking the correct path.

5. Either the source or destination device having an incorrect IP address or subnet mask.

The Linux ping command sends continuous pings, once a second, until stopped with Ctrl-C. Here is

an example of a successful ping from the host smallfry (192.168.1.100) to 192.168.1.101:

[root@smallfry tmp]# ping 192.168.1.101

PING 192.168.1.101 (192.168.1.101) from 192.168.1.100 : 56(84) bytes of data.

64 bytes from 192.168.1.101: icmp_seq=1 ttl=128 time=3.95 ms

64 bytes from 192.168.1.101: icmp_seq=2 ttl=128 time=7.07 ms

64 bytes from 192.168.1.101: icmp_seq=3 ttl=128 time=4.46 ms

64 bytes from 192.168.1.101: icmp_seq=4 ttl=128 time=4.31 ms

--- 192.168.1.101 ping statistics ---

4 packets transmitted, 4 received, 0% loss, time 3026ms

rtt min/avg/max/mdev = 3.950/4.948/7.072/1.242 ms

[root@smallfry tmp]#

You may get a "Destination Host Unreachable" message. This message is produced when your router or server

knows that the target IP address is part of a valid network, but gets no response from the target

host. There are a number of reasons for this:

If you are trying to ping a host on a directly connected network:

1. The client or server might be down, or disconnected from the network.

2. Your NIC might not have the correct duplex settings; you may verify this with the mii-tool

command.

3. You might have the incorrect type of cable connecting your Linux box to the network. There

are two basic types, straight through and crossover.

4. In the case of a wireless network, your SSID or encryption keys might be incorrect.

If you are trying to ping a host on remote network:

The network device doesn't have a route in its routing table to the destination network and sends back an ICMP

type 3 (destination unreachable) message, which triggers the text. The resulting message might be Destination Host Unreachable or

Destination Network Unreachable.

[root@smallfry tmp]# ping 192.168.1.105


PING 192.168.1.105 (192.168.1.105) from 192.168.1.100 : 56(84) bytes of data.

From 192.168.1.100 icmp_seq=1 Destination Host Unreachable

From 192.168.1.100 icmp_seq=2 Destination Host Unreachable

From 192.168.1.100 icmp_seq=3 Destination Host Unreachable

From 192.168.1.100 icmp_seq=4 Destination Host Unreachable

From 192.168.1.100 icmp_seq=5 Destination Host Unreachable

From 192.168.1.100 icmp_seq=6 Destination Host Unreachable

--- 192.168.1.105 ping statistics ---

8 packets transmitted, 0 received, +6 errors, 100% loss, time 7021ms, pipe 3

[root@smallfry tmp]#

Exercise-6:- This exercise demonstrates how to use telnet to test network connectivity

An easy way to tell if a remote server is listening on a specific TCP port is to use the telnet command. By

default, telnet will try to connect on TCP port 23, but you can specify other TCP ports by typing them in

after the target IP address. HTTP uses TCP port 80, HTTPS uses port 443.

Here is an example of testing server 192.168.1.102 on the TCP port 22 reserved for SSH:

[root@bigboy tmp]# telnet 192.168.1.102 22

When using telnet troubleshooting, here are some useful guidelines to follow that will help to isolate the

source of the problem:

Test connectivity from the remote PC or server.

Test connectivity on the server itself. Try making the connection to the loopback address as well as the

NIC IP address. If the server is running a firewall package such as Linux iptables, loopback

connectivity is usually allowed by the rule set, while connectivity to the desired TCP ports on the NIC interface might be

blocked.

Further discussion of the Linux iptables package is covered in a later section.

Test connectivity from another server on the same network as the target server. This helps to eliminate the

influence of any firewalls protecting the entire network from outside.

Linux telnet Troubleshooting

The following sections describe the use of telnet for troubleshooting from a Linux box.

Note: Always remember that many Linux servers have the iptables firewall package installed by default.

This is often the cause of many connectivity problems and the firewall rules should be correctly updated.

In some cases where the network is already protected by a firewall, iptables might be safely turned off.

You can use the /etc/init.d/iptables status command on the target server to determine whether iptables is

running.

Successful Connection

With Linux a successful telnet connection is always greeted by a Connected to message like the one seen below when trying to test connectivity to server 192.168.1.102 on the SSH port (TCP 22).

[root@bigboy tmp]# telnet 192.168.1.102 22

Trying 192.168.1.102...

Connected to 192.168.1.102.


Escape character is '^]'.

SSH-1.99-OpenSSH_3.4p1

^]

telnet> quit

Connection closed.

[root@bigboy tmp]#

To break out of the connection you have to press the Ctrl and ] keys simultaneously, not the usual Ctrl-C.

Note: In many cases you can successfully connect to the remote server on the desired TCP port, yet the application doesn't appear to work. This is usually caused by there being correct network connectivity but a poorly configured application.

Connection Refused Messages

You will get a connection refused message for one of the following reasons:

The application you are trying to test hasn't been started on the remote server.

There is a firewall blocking and rejecting the connection attempt.

Here is some sample output:

[root@bigboy tmp]# telnet 192.168.1.100 22

Trying 192.168.1.100...

telnet: connect to address 192.168.1.100: Connection refused

[root@bigboy tmp]#

telnet Timeout or Hanging

The telnet command will abort the attempted connection after waiting a predetermined time for a response. This is called a timeout. In some cases, telnet won't abort, but will just wait indefinitely. This is also known as hanging. These symptoms can be caused by one of the following reasons:

The remote server doesn't exist on the destination network. It could be turned off.

A firewall could be blocking and not rejecting the connection attempt, causing it to time out instead of being quickly refused.

[root@bigboy tmp]# telnet 216.10.100.12 22

Trying 216.10.100.12...

telnet: connect to address 216.10.100.12: Connection timed out

[root@bigboy tmp]#
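The three results above (connected, refused, timed out) can be reproduced without telnet. The following Python 3 script is an added example and is not part of the lab manual: it classifies a TCP connect attempt the same way, applies the Exercise-6 guideline of probing the loopback address and the NIC address separately, and starts a constructed listener on 127.0.0.1 so that it can be run offline (in the demonstration the "NIC address" passed in is also 127.0.0.1; on a real server you would pass the interface's own IP).

```python
import socket
import threading

# Outcomes mirror what the manual's telnet tests print: "Connected to",
# "Connection refused" and "Connection timed out".
OPEN, REFUSED, TIMEOUT, UNREACHABLE = "open", "refused", "timeout", "unreachable"


def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP connect and classify the result the way a telnet test would.
    Returns (status, banner); the banner is whatever the service sent first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            # Many daemons greet first (the manual shows SSH-1.99-OpenSSH_3.4p1).
            # Read briefly, but do not require a banner: HTTP, for example, stays silent.
            s.settimeout(1.0)
            try:
                banner = s.recv(128).decode("ascii", "replace").strip()
            except OSError:
                banner = ""
        return OPEN, banner
    except ConnectionRefusedError:
        return REFUSED, ""        # host reachable, nothing listening (or a REJECT rule)
    except socket.timeout:
        return TIMEOUT, ""        # silently dropped: DROP rule, no route, or host down
    except OSError as exc:
        return UNREACHABLE, str(exc)


def check_service(port, nic_address, timeout=3.0):
    """Apply the manual's guideline: probe loopback and the NIC address separately."""
    loopback = probe_tcp("127.0.0.1", port, timeout)[0]
    nic = probe_tcp(nic_address, port, timeout)[0]
    if loopback == OPEN and nic == OPEN:
        diagnosis = "service reachable"
    elif loopback == OPEN:
        diagnosis = "listening, but the NIC address is blocked (host firewall?)"
    elif loopback == REFUSED and nic == REFUSED:
        diagnosis = "nothing is listening on that port"
    else:
        diagnosis = "inconclusive; check routing and network firewalls"
    return {"loopback": loopback, "nic": nic, "diagnosis": diagnosis}


def start_banner_listener(banner=b"SSH-2.0-example\r\n"):
    """Constructed stand-in for a real daemon so the probe can run offline.
    Listens on an ephemeral loopback port and sends one banner per connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_loopback_port():
    """Pick a loopback port with nothing listening, to show 'Connection refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, port = start_banner_listener()
    print(probe_tcp("127.0.0.1", port))
    print(check_service(port, "127.0.0.1"))
    print(probe_tcp("127.0.0.1", free_loopback_port()))
    server.close()
```

The split diagnosis is the point of the manual's guideline: open on loopback but not on the NIC address points at a host firewall such as iptables, refused on both at a daemon that is not running, and a timeout at something between the two machines dropping packets.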

Exercise-7:- This exercise demonstrates how to Use traceroute to Test Network Connectivity

Another tool for network troubleshooting is the traceroute command. It gives a listing of all the router hops between your server and the target server. This helps you verify that routing over the networks in between is correct.

The traceroute command works by sending a UDP packet destined to the target with a TTL of 0. The first router on the route recognizes that the TTL has already been exceeded and discards or drops the packet, but also sends an ICMP time exceeded message back to the source. The traceroute program records the IP address of the router that sent the message and knows that that is the first hop on the path to the final destination. The traceroute program tries again, with a TTL of 1. The first hop sees nothing wrong with the packet, decrements the TTL to 0 as expected, and forwards the packet to the second hop on the path. Router 2 sees the TTL of 0, drops the packet and replies with an ICMP time exceeded message. traceroute now knows the IP address of the second router. This continues, with the TTL incremented by one each round, until the final destination is reached.

Note: In Linux the traceroute command is traceroute. In Windows it is tracert.

Note: You will receive traceroute responses only from functioning devices. If a device responds it is less likely to be the source of your problems.

Sample traceroute Output

Here is a sample output for a query to 144.232.20.158. Notice that all the hop times are under 50 milliseconds (ms), which is acceptable.

[root@bigboy tmp]# traceroute -I 144.232.20.158

traceroute to 144.232.20.158 (144.232.20.158), 30 hops max, 38 byte packets

1 adsl-67-120-221-110.dsl.sntc01.pacbell.net (67.120.221.110) 14.408 ms 14.064 ms 13.111 ms

2 dist3-vlan50.sntc01.pbi.net (63.203.35.67) 13.018 ms 12.887 ms 13.146 ms

3 bb1-g1-0.sntc01.pbi.net (63.203.35.17) 12.854 ms 13.035 ms 13.745 ms

4 bb2-p11-0.snfc21.pbi.net (64.161.124.246) 16.260 ms 15.618 ms 15.663 ms

5 bb1-p14-0.snfc21.pbi.net (64.161.124.53) 15.897 ms 15.785 ms 17.164 ms

6 sl-gw11-sj-3-0.sprintlink.net (144.228.44.49) 14.443 ms 16.279 ms 15.189 ms

7 sl-bb25-sj-6-1.sprintlink.net (144.232.3.133) 16.185 ms 15.857 ms 15.423 ms

8 sl-bb23-ana-6-0.sprintlink.net (144.232.20.158) 27.482 ms 26.306 ms 26.487 ms

[root@bigboy tmp]#

Possible traceroute Messages

There are a number of possible message codes traceroute can give; these are listed in the table below.

Traceroute Symbol   Description
***                 Expected 5 second response time exceeded. Could be caused by:
                    A router on the path not sending back the ICMP "time exceeded" messages
                    A router or firewall in the path blocking the ICMP "time exceeded" messages
                    The target IP address not responding
!H, !N, or !P       Host, network or protocol unreachable
!X or !A            Communication administratively prohibited. A router Access Control List (ACL) or firewall is in the way
!S                  Source route failed. Source routing attempts to force traceroute to use a certain path. Failure might be due to a router security setting
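The symbol table above can be turned into a small checker for traceroute output. The following Python 3 script is an added example and is not part of the manual: the first eight hops of its sample are the manual's own output, hops 9 and 10 are constructed (the 10.0.0.5 router is made up) to show a silent hop and an administratively prohibited one, and the 50 ms threshold is the one the text calls acceptable.

```python
import re

# Per-probe symbols and their meaning, taken from the table above.
SYMBOLS = {
    "!H": "host unreachable",
    "!N": "network unreachable",
    "!P": "protocol unreachable",
    "!X": "communication administratively prohibited (ACL or firewall)",
    "!A": "communication administratively prohibited (ACL or firewall)",
    "!S": "source route failed (possibly a router security setting)",
}
SLOW_MS = 50.0  # the manual treats hop times under 50 ms as acceptable

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"^(\S+)\s+\(([\d.]+)\)")
RTT_RE = re.compile(r"([\d.]+)\s+ms")
FLAG_RE = re.compile(r"(![A-Z])")

# Hops 1-8 are the manual's own sample; hops 9 and 10 are constructed.
SAMPLE_TRACE = """\
traceroute to 144.232.20.158 (144.232.20.158), 30 hops max, 38 byte packets
 1 adsl-67-120-221-110.dsl.sntc01.pacbell.net (67.120.221.110) 14.408 ms 14.064 ms 13.111 ms
 2 dist3-vlan50.sntc01.pbi.net (63.203.35.67) 13.018 ms 12.887 ms 13.146 ms
 3 bb1-g1-0.sntc01.pbi.net (63.203.35.17) 12.854 ms 13.035 ms 13.745 ms
 4 bb2-p11-0.snfc21.pbi.net (64.161.124.246) 16.260 ms 15.618 ms 15.663 ms
 5 bb1-p14-0.snfc21.pbi.net (64.161.124.53) 15.897 ms 15.785 ms 17.164 ms
 6 sl-gw11-sj-3-0.sprintlink.net (144.228.44.49) 14.443 ms 16.279 ms 15.189 ms
 7 sl-bb25-sj-6-1.sprintlink.net (144.232.3.133) 16.185 ms 15.857 ms 15.423 ms
 8 sl-bb23-ana-6-0.sprintlink.net (144.232.20.158) 27.482 ms 26.306 ms 26.487 ms
 9 * * *
10 10.0.0.5 (10.0.0.5) 60.213 ms !X 61.004 ms !X 59.870 ms !X
"""


def parse_hop(line):
    """Parse one traceroute hop line; returns None for the header or other lines."""
    m = HOP_RE.match(line)
    if not m:
        return None
    hop, rest = int(m.group(1)), m.group(2)
    a = ADDR_RE.match(rest)
    host, ip = (a.group(1), a.group(2)) if a else (None, None)
    return {
        "hop": hop, "host": host, "ip": ip,
        "rtts": [float(x) for x in RTT_RE.findall(rest)],
        "flags": sorted(set(FLAG_RE.findall(rest))),
        "stars": rest.count("*"),
    }


def assess_hop(h):
    """Explain a hop using the symbol table and the 50 ms latency guideline."""
    problems = []
    if h["stars"] and not h["rtts"]:
        problems.append("no reply: time-exceeded not sent, filtered, or target silent")
    for flag in h["flags"]:
        problems.append(SYMBOLS.get(flag, "unknown symbol " + flag))
    if h["rtts"] and max(h["rtts"]) > SLOW_MS:
        problems.append("slow: worst probe %.1f ms" % max(h["rtts"]))
    return problems or ["ok"]


def assess_trace(text):
    """Map hop number -> list of findings for a whole traceroute output."""
    findings = {}
    for line in text.splitlines():
        h = parse_hop(line)
        if h:
            findings[h["hop"]] = assess_hop(h)
    return findings


if __name__ == "__main__":
    for hop, notes in sorted(assess_trace(SAMPLE_TRACE).items()):
        print(hop, "; ".join(notes))
```

A silent hop in the middle of an otherwise healthy trace usually just means that router does not send time-exceeded messages; a silent run that continues to the end, or an !X, is what points at a filter in the path.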

Exercise-8:- This exercise illustrates how to Use MTR to Detect Network Congestion

Matt's Traceroute is an application you can use to do a repeated traceroute in real time; it dynamically shows the round-trip time to reach each hop along the traceroute path. The constant updates enable you not only to visually determine which hops are slow, but also to determine when they appear to be slow. It is a good tool to use whenever you suspect there is some intermittent network congestion.

You type in the word mtr followed by the target IP address to get output similar to the following:

[root@bigboy tmp]# mtr 192.168.25.26

Matt's traceroute [v0.52]
Bigboy                                       Fri Feb 20 17:19:17 2004
Keys: D - Display mode   R - Restart statistics   Q - Quit
                                    Packets               Pings
Hostname                        %Loss  Rcv  Snt  Last  Best  Avg  Worst
 1. 192.168.1.1                   0%    17   17    32    10   15     32
 2. 192.168.2.254                 0%    17   17    12    11   18     41
 3. 192.168.3.15                  0%    17   17    23    14   18     25
 4. 192.168.18.35                 0%    16   16    24    23   29     42
 5. 192.168.25.26                 0%    16   16    23    21   26     37
^C
[root@bigboy tmp]#

One of the nice features of MTR is that it gives you the best, worst and average round-trip times in milliseconds for the probe packets between each hop along the way to the final destination. The advantage of this is that you can let MTR run for an extended period of time, acting as a constant monitor of communication path quality. The constant refreshing of the screen also enables you to instantaneously spot transient changes in quality fairly easily, making it much more convenient than a regular traceroute.

Exercise-9:- This exercise demonstrates how to View Packet Flows with tcpdump

The tcpdump command is one of the most popular packages for viewing the flow of packets through your Linux box's NIC card. It is installed by default on RedHat/Fedora Linux and has very simple syntax, especially if you are doing simpler types of troubleshooting.

One of the most common uses of tcpdump is to determine whether you are getting basic two-way communication. Lack of communication could be due to the following:

Bad routing

Faulty cables or interfaces of devices in the packet flow

The server not listening on the port because the software isn't installed or started

A network device in the packet path is blocking traffic; common culprits are firewalls, routers with access control lists and even your Linux box running iptables.

Analyzing tcpdump in much greater detail is beyond the scope of this section.

Like most Linux commands, tcpdump uses command-line switches to modify the output. Some of the more useful command-line switches are listed in the table below.

tcpdump command switch   Description
-c                       Stop after viewing count packets.
-i                       Listen on interface. If this is not specified, then the command will use the lowest numbered interface that is UP.
-w                       Dump the output to a specially formatted tcpdump dump file.
-C                       Specifies the size the dump file must reach before a new one with a numeric extension is created.
-t                       Don't print a timestamp at the beginning of each line.

You can also add expressions after all the command-line switches. These act as filters to limit the volume of data presented on the screen. You can also use the keywords "and" and "or" between expressions to further fine-tune your selection criteria. Some useful expressions are listed in the table below.

tcpdump command expression   Description
host host-address            View packets from the IP address host-address
icmp                         View ICMP packets
tcp port port-number         View TCP packets with either a source or destination TCP port of port-number
udp port port-number         View UDP packets with either a source or destination UDP port of port-number

The following is an example of tcpdump being used to view ICMP ping packets going through interface wlan0:

[root@bigboy tmp]# tcpdump -i wlan0 icmp
tcpdump: listening on wlan0
21:48:58.927091 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.927510 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.928257 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.928365 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.943926 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.944034 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.962244 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.963966 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.968556 bigboy.my-site.com > smallfry: icmp: echo reply
9 packets received by filter
0 packets dropped by kernel
[root@bigboy tmp]#

In this example:

The first column of data is a packet timestamp.

The second column of data shows the packet source and then the destination IP address or server name of the packet.

The third column shows the packet type.

Two-way communication is occurring, as each echo request gets an echo reply.

The following example shows tcpdump being used to view packets on interface wlan0 to/from host 192.168.1.102 on TCP port 22 with no timestamps in the output (-t switch).

[root@bigboy tmp]# tcpdump -i wlan0 -t host 192.168.1.102 and tcp port 22
tcpdump: listening on wlan0
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 2013297021 win 0 (DF) [tos 0x10]
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp
7 packets received by filter
0 packets dropped by kernel
[root@bigboy tmp]#

In this example:

The first column of data shows the packet source and then the destination IP address or server name of the packet.

The second column shows the TCP flags within the packet.

The client named bigboy is using port 32938 to communicate with the server named smallfry on the TCP SSH port 22.

Two-way communication is occurring.
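Both captures above are read by asking the same question: does each packet in one direction get an answer in the other? The following Python 3 script is an added example and is not part of the manual: it parses the legacy tcpdump line formats shown on this page, pairs echo requests with replies, and for TCP tells a SYN that is answered by a SYN/ACK apart from one answered by a RST. Its samples are the manual's own ICMP and SSH captures plus a constructed successful handshake (the hosts "client" and "server" are made up).

```python
import re
from collections import defaultdict

# Legacy tcpdump line formats as printed on this page (timestamp optional, as with -t):
#   [ts] [IP] src.port > dst.port: FLAGS seq:seq(len) ack N win W ...
#   [ts] src > dst: icmp: echo request|reply ...
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+(?:IP\s+)?")
ICMP_RE = re.compile(r"^(\S+)\s+>\s+(\S+):\s+icmp:\s+echo (request|reply)")
TCP_RE = re.compile(r"^(\S+)\.(\w+)\s+>\s+(\S+)\.(\w+):\s+([SRPF.]+)\s+(.*)$")

# The manual's own captures (first lines of each) plus a constructed handshake.
SAMPLE_ICMP = """\
tcpdump: listening on wlan0
21:48:58.927091 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.927510 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.928257 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.928365 bigboy.my-site.com > smallfry: icmp: echo reply
9 packets received by filter
"""
SAMPLE_TCP_REFUSED = """\
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 2013297021 win 0 (DF) [tos 0x10]
"""
SAMPLE_TCP_OK = """\
client.40000 > server.ssh: S 1:1(0) win 5840 <mss 1460,sackOK>
server.ssh > client.40000: S 9:9(0) ack 2 win 5792 <mss 1460,sackOK>
client.40000 > server.ssh: . ack 1 win 5840
server.ssh > client.40000: P 1:21(20) ack 1 win 5792
"""


def parse_line(line):
    """Describe one packet line as a dict, or return None for tcpdump's status lines."""
    body = TS_RE.sub("", line.strip())
    m = ICMP_RE.match(body)
    if m:
        return {"proto": "icmp", "src": m.group(1), "dst": m.group(2), "kind": m.group(3)}
    m = TCP_RE.match(body)
    if m:
        return {"proto": "tcp", "src": m.group(1), "sport": m.group(2),
                "dst": m.group(3), "dport": m.group(4), "flags": m.group(5),
                "ack": re.search(r"\back\b", m.group(6)) is not None}
    return None


def analyze(capture):
    """Pair requests with replies and give one verdict per conversation."""
    icmp = defaultdict(lambda: {"request": 0, "reply": 0})
    tcp = defaultdict(set)
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["proto"] == "icmp":
            icmp[tuple(sorted((p["src"], p["dst"])))][p["kind"]] += 1
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        key = rev if rev in tcp else fwd      # the first packet seen names the conversation
        events = tcp[key]
        events.add("c2s" if key == fwd else "s2c")
        if "S" in p["flags"]:
            events.add("synack" if p["ack"] else "syn")
        elif "R" in p["flags"]:
            events.add("rst")
    return {"icmp": {k: icmp_verdict(v) for k, v in icmp.items()},
            "tcp": {k: tcp_verdict(v) for k, v in tcp.items()}}


def icmp_verdict(counts):
    if counts["request"] and counts["reply"]:
        return "two-way ICMP"
    if counts["request"]:
        return "echo requests unanswered"
    return "echo replies only (requests not seen on this interface)"


def tcp_verdict(events):
    if "rst" in events and "synack" not in events:
        return "SYN answered by RST: host reachable, but nothing listening on that port"
    if "syn" in events and "s2c" not in events:
        return "SYN never answered: filtered or no route"
    if "c2s" in events and "s2c" in events:
        return "two-way TCP traffic"
    return "one-way traffic only"


if __name__ == "__main__":
    for sample in (SAMPLE_ICMP, SAMPLE_TCP_REFUSED, SAMPLE_TCP_OK):
        print(analyze(sample))
```

Run on the SSH capture above, the verdict is "SYN answered by RST": packets flow both ways, so routing and cabling are fine, but each SYN is refused, which is the same condition telnet reported as "Connection refused" in Exercise-6 and points at the daemon rather than the network.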

Analyzing tcpdump files

By using the -w filename option you can send the entire Ethernet frame, not just the brief IP information that normally goes to the screen, to a file. This can then be analyzed by graphical analysis tools such as Wireshark, which is available for both Windows and Linux, with customized filters, colorization of packet records based on criteria deemed interesting, and the capability of automatically highlighting certain error conditions such as data retransmissions:

tcpdump -i eth1 -w /tmp/packets.dump tcp port 22

Covering Wireshark is beyond the scope of this book, but that shouldn't discourage you from using it. The application is part of the Fedora RPM suite, and a Windows version is also available.

Common Problems with tcpdump

By default tcpdump will attempt to determine the DNS names of all the IP addresses it sees while logging data. This can slow down tcpdump so much that it appears not to be working at all. The -n switch stops DNS name lookups and will make tcpdump work more reliably.

The following are examples of how the -n switch affects the output:

Without the -n switch

[root@bigboy tmp]# tcpdump -i eth1 tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
02:24:34.818398 IP 192-168-1-242.my-site.com.1753 > bigboy-100.my-site.com.ssh: . ack 318574223 win 65471
02:24:34.818478 IP bigboy-100.my-site.com.ssh > 192-168-1-242.my-site.com.1753: P 1:165(164) ack 0 win 64
02:24:35.019042 IP 192-168-1-242.my-site.com.1753 > bigboy-100.my-site.com.ssh: . ack 165 win 65307
02:24:35.019118 IP bigboy-100.my-site.com.ssh > 192-168-1-242.my-site.com.1753: P 165:401(236) ack 0 win
02:24:35.176299 IP 192-168-1-242.my-site.com.1753 > bigboy-100.my-site.com.ssh: P 0:20(20) ack 401 win 65
02:24:35.176337 IP bigboy-100.my-site.com.ssh > 192-168-1-242.my-site.com.1753: P 401:629(228) ack 20 win
6 packets captured
7 packets received by filter
0 packets dropped by kernel
[root@bigboy tmp]#

With the -n switch

[root@bigboy tmp]# tcpdump -i eth1 -n tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
02:25:53.068511 IP 192.168.1.242.1753 > 192.168.1.100.ssh: . ack 318576011 win 65163
02:25:53.068606 IP 192.168.1.100.ssh > 192.168.1.242.1753: P 1:165(164) ack 0 win 6432
02:25:53.269152 IP 192.168.1.242.1753 > 192.168.1.100.ssh: . ack 165 win 64999
02:25:53.269205 IP 192.168.1.100.ssh > 192.168.1.242.1753: P 165:353(188) ack 0 win 6432
02:25:53.408556 IP 192.168.1.242.1753 > 192.168.1.100.ssh: P 0:20(20) ack 353 win 64811
02:25:53.408589 IP 192.168.1.100.ssh > 192.168.1.242.1753: P 353:541(188) ack 20 win 6432
6 packets captured
7 packets received by filter
0 packets dropped by kernel
[root@bigboy tmp]#

Exercises for lab:

Exercise 1:- Display the routing table maintained on your system and list the networks that are connected to your system and their corresponding gateways. What is the IP address of the default gateway that is set on your system?

Home Work:

1) Configure a network containing two PCs and troubleshoot the network for any problem in the network. Follow the procedure step-by-step as given in the manual.

To understand installing Linux software

Lab 15: Installing Linux Software

Lab No. 15: Installing Linux Software

Objective:

To familiarize students with how a Linux server could be used as a router

Scope:

The students would be able to do the following at the end of this lab:

• List installed and available packages

• Install a package locally

• Install a package from the internet.

Useful Concepts:

Automated Package Download

The disadvantage of manual downloads is that the packages often won't install unless certain prerequisite packages have been installed beforehand. This can lead to the download and installation of several packages, which can become tedious.

All the major Linux distributions have automated download and update utilities. For example, Fedora uses yum and Ubuntu and Debian use apt.

Exercise-1:- This exercise illustrates how to get RPMs Using Command-Line Anonymous FTP

Anonymous FTP allows you to log in and download files from an FTP server using the username anonymous or the shorter username ftp and a password that matches your email address. This way anyone can access the data. Let's illustrate this with an example of using anonymous FTP to download the SSH package from download.fedora.redhat.com:

1) First we issue the FTP command targeting download.fedora.redhat.com at the command line.

[root@bigboy tmp]# ftp download.fedora.redhat.com

Trying 66.187.232.35...

Connected to download.fedora.redhat.com (66.187.232.35).

220 Fedora FTP server ready. All transfers are logged.

Name (download.fedora.redhat.com:root): anonymous

331 Please specify the password.

Password:

230 Login successful. Have fun.

Using binary mode to transfer files.

ftp> pwd

257 "/"

ftp> ls

227 Entering Passive Mode (66,187,232,35,57,155)

150 Here comes the directory listing.


drwxr-xr-x 3 ftp ftp 4096 Oct 29 15:59 pub

226 Directory send OK.

ftp>

2) After we've logged in, we can use the help command to see what options we have at our disposal.

ftp> help

Commands may be abbreviated. Commands are:

! cr mdir proxy send

------

ftp>

3) By using the Web browsing feature on the Web site ahead of time, I know that the Fedora Core 2 RPMs are located in the pub/fedora/linux/core/2/i386/os/Fedora/RPMS/ directory and will use the cd command to change my directory to there. We can use the ls command to get a listing of files in this directory.

ftp> cd pub/fedora/linux/core/2/i386/os/Fedora/RPMS/

250 Directory successfully changed.

ftp> ls open*

227 Entering Passive Mode (66,187,232,35,58,3)

150 Here comes the directory listing.

...

...

-rw-r--r-- ... ... 184281 Oct 28 23:29 openssh-3.6.1p2-34.i386.rpm

...

...

226 Directory send OK.

ftp>

4) Next we get the file we need and place it in the local directory /usr/rpm. The hash command will print "#" hash signs on the screen during the download.

ftp> hash

Hash mark printing on (1024 bytes/hash mark).

ftp> lcd /usr/rpm

Local directory now /usr/rpm

ftp> get openssh-3.6.1p2-34.i386.rpm

local: openssh-3.6.1p2-34.i386.rpm remote: openssh-3.6.1p2-34.i386.rpm

227 Entering Passive Mode (66,187,232,35,58,25)

150 Opening BINARY mode data connection for openssh-3.6.1p2-34.i386.rpm (184281 bytes).

################################################226 File send OK.


184281 bytes received in 3.41 secs (53 Kbytes/sec)

ftp>

Note: You can also use wildcards to download the RPMs you need using the mget command. You'll be prompted for each of the matching RPM files. In the next example, we just aborted this download by typing n.

ftp> mget openssh-3.6*

mget openssh-3.6.1p2-34.i386.rpm? n

ftp>

5) Finally we use the exit command to leave FTP.

ftp> exit

221 Goodbye.

[root@bigboy tmp]#

Exercise-2:- This exercise illustrates how to download software using the wget utility.

The wget command can be used to download files quickly when you already know the URL at which the RPM is located. Here is an example downloading a DHCP update from Fedora.

[root@tmp]# wget <URL>

--17:38:36-- ftp://linux.stanford.edu/pub/mirrors/fedora/linux/core/2/i386/os/Fedora/RPMS/dhcp-3.0pl2-6.

=> `dhcp-3.0pl2-6.16.i386.rpm.5'

Resolving linux.stanford.edu... done.

Connecting to linux.stanford.edu[171.66.2.18]:21... connected.

Logging in as anonymous ... Logged in!

==> SYST ... done. ==> PWD ... done.

==> TYPE I ... done. ==> CWD /pub/mirrors/fedora/linux/core/2/i386/os/Fedora/RPMS ... done.

==> PASV ... done. ==> RETR dhcp-3.0pl2-6.16.i386.rpm ... done.

Length: 529,890 (unauthoritative)

100%[===============================>] 529,890 889.12K/s ETA 00:00

17:38:36 (889.12 KB/s) - `dhcp-3.0pl2-6.16.i386.rpm.5' saved [529890]

[root@tmp]#

Exercise-3:- This exercise illustrates How to Install RPMs Manually

Download / copy RPMs (which usually have a file extension ending with .rpm) into a temporary directory, such as /tmp. The next step is to issue the rpm -Uvh command to install the package.

The -U qualifier is used for updating an RPM to the latest version, the -h qualifier gives a list of hash # characters during the installation and the -v qualifier prints verbose status messages while the command is run. Here is an example of a typical RPM installation command to install the MySQL server package:

[root@bigboy tmp]# rpm -Uvh mysql-server-3.23.58-9.i386.rpm

Preparing... ####################### [100%]

1:mysql-server ####################### [100%]

[root@bigboy tmp]#


How to Install Source RPMs

Sometimes the packages you want to install need to be compiled in order to match your kernel version. This requires you to use source RPM files:

Download the source RPMs or locate them on your CD collection. They usually have a file extension ending with .src.rpm

Run the following commands as root:

Compiling and installing source RPMs with Fedora can be done simply with the rpmbuild command

[root@tmp]# rpmbuild --rebuild filename.src.rpm

Here is an example in which we install the tac_plus package.

[root@bigboy rpm]# rpmbuild --rebuild tac_plus-4.0.3-2.src.rpm

Installing tac_plus-4.0.3-2.src.rpm
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.61594
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd /usr/src/redhat/BUILD
+ rm -rf tac_plus-4.0.3
+ /usr/bin/gzip -dc /usr/src/redhat/SOURCES/tac_plus-4.0.3.tgz
+ tar -xvvf -
...
...
...
+ umask 022
+ cd /usr/src/redhat/BUILD
+ rm -rf tac_plus-4.0.3
+ exit 0
[root@rpm]#

Exercise-4:- This exercise illustrates How to List Installed RPMs

The rpm -qa command will list all the packages installed on your system:

[root@tmp]# rpm -qa

perl-Storable-1.0.14-15
smpeg-gtv-0.4.4-9
audiofile-0.2.3-3
...
...
[root@tmp]#

Exercise-5:- This exercise illustrates Uninstalling RPMs

The rpm -e command will erase an installed package. The package name given must match that listed in the rpm -qa command because the version of the package is important:

[root@tmp]# rpm -e package-name

Exercises for lab:

Exercise 1:- Download RPMs using anonymous FTP.

Exercise 2:- Download RPMs using wget.

Exercise 3:- Install MySQL database using RPM.

Exercise 4:- Install Java using a source RPM.

Home Work

1) Compare the strengths of the apt and yum utilities.

To understand the Linux boot process

Lab 16: Linux Boot Process

Lab No. 16: Linux Boot Process

Objective:

To familiarize students with the Linux boot process and how to customize various boot options.

Scope:

The students would be able to do the following at the end of this lab:

• Change the default boot order of the operating systems installed

• Perform root password recovery

• Starting and stopping daemons when needed

• Start/Stop daemons at the startup

Useful Concepts:

Sample grub.conf file

default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Fedora Core (2.6.8-1.521)
        root (hd0,0)
        kernel /vmlinuz-2.6.8-1.521 ro root=LABEL=/
        initrd /initrd-2.6.8-1.521.img
title Windows 2000
        rootnoverify (hd0,1)
        chainloader +1

Exercise-1:- This exercise demonstrates the procedure of Determining the Default Boot runlevel

The default boot runlevel is set in the file /etc/inittab with the initdefault variable. When set to 3, the system boots up with the text interface on the VGA console; when set to 5, you get the GUI. Here is a snippet of the file (delete the initdefault line you don't need):

# Default runlevel. The runlevels used by RHS are:

# 0 - halt (Do NOT set initdefault to this)

# 1 - Single user mode

# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)

# 3 - Full multiuser mode

# 4 - unused

# 5 - X11

# 6 - reboot (Do NOT set initdefault to this)

#

id:3:initdefault: # Console Text Mode

id:5:initdefault: # Console GUI Mode


Exercise-2:- This exercise demonstrates Root Password Recovery

Sometimes you might forget the root password, or the previous systems administrator may move on to a new job without giving it to you. To reset it, follow these steps:

1. Go to the VGA console and press Ctrl-Alt-Del. The system will then shut down in an orderly fashion.

2. Reboot the system and enter single-user mode.

3. Once at the command prompt, change your password. Single user mode assumes the person at the console is the systems administrator root, so you don't have to specify a root username.

4. Return to your default runlevel by using the exit command.

Exercise-3:- This exercise demonstrates how to Start and Stop the server

If a startup script exists in the /etc/init.d directory, then its daemon can be started by specifying its filename followed by the keyword "start" as seen below:

Starting a Daemon

root@localhost# /etc/init.d/apache start

* Starting apache 1.3 web server...

...done.

root@localhost#

Stopping a Daemon

root@localhost# /etc/init.d/apache stop

* Starting apache 1.3 web server...

...done.

root@localhost#

Exercise-4:- Using chkconfig to Start Daemons at Each runlevel

As stated earlier, the chkconfig command can be used to adjust which applications start at each runlevel. You can use this command with the --list switch to get a full listing of packages listed in /etc/init.d and the runlevels at which they will be on or off:

[root@root]# chkconfig --list

keytable 0:off 1:on 2:on 3:on 4:on 5:on 6:off

atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off

syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off

gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off

kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off

wlan 0:off 1:off 2:on 3:on 4:on 5:on 6:off

sendmail 0:off 1:off 2:off 3:on 4:off 5:on 6:off


netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off

network 0:off 1:off 2:on 3:on 4:on 5:on 6:off

random 0:off 1:off 2:on 3:on 4:on 5:on 6:off

...

...

Switch Off sendmail Starting Up in Levels 3 and 5

[root@root]# chkconfig --level 35 sendmail off

Switch On sendmail

[root@root]# chkconfig sendmail on
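The chkconfig listing above and the initdefault line from Exercise-1 together determine which daemons are actually running after boot, which is the list worth keeping short on a server. The following Python 3 script is an added example and is not part of the manual: it parses both, reports the services enabled at the default runlevel, and compares them with an allow-list. The inittab fragment is constructed; the chkconfig output is the manual's own listing.

```python
import re

INITDEFAULT_RE = re.compile(r"^id:(\d):initdefault:")
CHKCONFIG_RE = re.compile(r"^(\S+)\s+((?:\d:(?:on|off)\s*){7})$")

# Constructed /etc/inittab fragment with the single initdefault line a real file must have.
SAMPLE_INITTAB = """\
# Default runlevel. The runlevels used by RHS are:
#   3 - Full multiuser mode
#   5 - X11
id:3:initdefault:
"""

# The manual's own chkconfig --list output.
SAMPLE_CHKCONFIG = """\
keytable 0:off 1:on 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
wlan 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:off 3:on 4:off 5:on 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:off 2:on 3:on 4:on 5:on 6:off
"""


def default_runlevel(inittab):
    """Read the initdefault runlevel and reject the ambiguous or dangerous cases."""
    levels = []
    for line in inittab.splitlines():
        m = INITDEFAULT_RE.match(line.strip())
        if m:
            levels.append(int(m.group(1)))
    if len(levels) != 1:
        raise ValueError("inittab must contain exactly one initdefault line, found %d" % len(levels))
    if levels[0] in (0, 6):
        raise ValueError("initdefault must not be 0 (halt) or 6 (reboot)")
    return levels[0]


def parse_chkconfig(output):
    """Map service name -> {runlevel: True/False} from chkconfig --list output."""
    table = {}
    for line in output.splitlines():
        m = CHKCONFIG_RE.match(line.strip())
        if m:
            table[m.group(1)] = {int(level): state == "on"
                                 for level, state in re.findall(r"(\d):(on|off)", m.group(2))}
    return table


def services_on(table, level):
    """Services switched on at a given runlevel, sorted by name."""
    return sorted(name for name, levels in table.items() if levels.get(level))


def services_at_boot(inittab, chkconfig_output):
    """Which daemons will start at the runlevel the system actually boots into."""
    level = default_runlevel(inittab)
    return level, services_on(parse_chkconfig(chkconfig_output), level)


def unexpected_services(table, level, allowed):
    """Audit helper: services enabled at `level` that are not on the allow-list."""
    return sorted(set(services_on(table, level)) - set(allowed))


if __name__ == "__main__":
    level, running = services_at_boot(SAMPLE_INITTAB, SAMPLE_CHKCONFIG)
    print("runlevel", level, "starts:", ", ".join(running))
    table = parse_chkconfig(SAMPLE_CHKCONFIG)
    print("not on allow-list:", unexpected_services(table, level, running[:-2]))
```

With the manual's listing and a default runlevel of 3, sendmail is reported as enabled, which is exactly the service the chkconfig --level 35 sendmail off command above switches off; re-running the audit after that change is how you confirm the change took effect.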

Exercises for lab:

Exercise 1:- Using the grub.conf file, change the default boot operating system from Linux to Windows.

Exercise 2:- Perform the root password recovery process given in Exercise 2.

Exercise 3:- Switch off network startup using chkconfig and then turn it back on.

Home Work:

1) If it is possible to recover the root password as shown in Exercise 2, then why is it said that Linux has better security? How can you secure the system by preventing this process from being carried out by anonymous users?

To understand configuring a Linux DHCP server

Lab 17: Configuring Linux DHCP Server

Lab No. 17: Configuring Linux DHCP Server

Objective:

To familiarize students with the configuration of a DHCP server, along with installing the DHCP server on a Linux machine

Scope:

The students would be able to do the following at the end of this lab:

• Download and install the DHCP server

• Configure and customize various DHCP server options

Exercise-1:- This exercise demonstrates how to Download and Install the DHCP Package

For systems using RPMs: When searching for the file, remember that the DHCP server RPM's filename usually starts with the word dhcp followed by a version number like this: dhcp-3.0.1rc14-1.i386.rpm.

For Debian Linux systems: With Debian / Ubuntu the package name may include a version number. Use the dpkg --list | grep dhcp command to get a list of all your dhcp packages and use the output to infer what the DHCP server package name would be. In this case we can guess that the package name should be dhcp3-server.

root@root# dpkg --list | grep dhcp
dhcp3-client 3.0.3-6ubuntu7 DHCP Client
dhcp3-common 3.0.3-6ubuntu7 Files used by all the dhcp3* packages.

Exercise-2:- This exercise describes The /etc/dhcpd.conf File

The /etc/dhcpd.conf file is where you configure your network. The standard DHCP RPM package doesn't automatically install a /etc/dhcpd.conf file, but you can find a sample copy of dhcpd.conf in the following directory, which you can always use as a guide.

/usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample

You have to copy the sample dhcpd.conf file to the /etc directory and then you'll have to edit it. Here is the command to do the copying for the version 3.0pl1 RPM file:

[root@root]# cp /usr/share/doc/dhcp-3.0pl1/dhcpd.conf.sample /etc/dhcpd.conf

Exercise-3:- This exercise demonstrates how to Configure the DHCP Server

Here is a quick explanation of the dhcpd.conf file: most importantly, there must be a subnet section for each interface on your Linux box.

ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.255.0 {

    # The range of IP addresses the server
    # will issue to DHCP enabled PC clients
    # booting up on the network
    range 192.168.1.201 192.168.1.220;

    # Set the amount of time in seconds that
    # a client may keep the IP address
    default-lease-time 86400;
    max-lease-time 86400;

    # Set the default gateway to be used by
    # the PC clients
    option routers 192.168.1.1;

    # Don't forward DHCP requests from this
    # NIC interface to any other NIC
    # interfaces
    option ip-forwarding off;

    # Set the broadcast address and subnet mask
    # to be used by the DHCP clients
    option broadcast-address 192.168.1.255;
    option subnet-mask 255.255.255.0;

    # Set the NTP server to be used by the
    # DHCP clients
    option ntp-servers 192.168.1.100;

    # Set the DNS server to be used by the
    # DHCP clients
    option domain-name-servers 192.168.1.100;

    # If you specify a WINS server for your Windows clients,
    # you need to include the following option in the dhcpd.conf file:
    option netbios-name-servers 192.168.1.100;

    # You can also assign specific IP addresses based on the clients'
    # ethernet MAC address as follows (the host's name is "laser-printer"):
    host laser-printer {
        hardware ethernet 08:00:2b:4c:59:23;
        fixed-address 192.168.1.222;
    }
}

#
# List an unused interface here
#
subnet 192.168.2.0 netmask 255.255.255.0 {
}
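The subnet section above can be checked for consistency before dhcpd is started. The following Python 3 script is an added example and is not part of the manual: it parses the subset of dhcpd.conf syntax used on this page and checks that the range, routers, broadcast address, subnet mask and fixed addresses agree with the subnet declaration, the mistakes that most often leave clients with no gateway or with an address that collides with the pool. The first sample is the manual's configuration condensed; the second (10.0.0.0/24, host "printer", MAC 00:11:22:33:44:55) is constructed to contain several of those mistakes.

```python
import ipaddress
import re

# The manual's configuration, condensed.
SAMPLE_CONF = """\
ddns-update-style interim;
ignore client-updates;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.201 192.168.1.220;   # pool for DHCP clients
    default-lease-time 86400;
    max-lease-time 86400;
    option routers 192.168.1.1;
    option ip-forwarding off;
    option broadcast-address 192.168.1.255;
    option subnet-mask 255.255.255.0;
    option ntp-servers 192.168.1.100;
    option domain-name-servers 192.168.1.100;
    option netbios-name-servers 192.168.1.100;
    host laser-printer {
        hardware ethernet 08:00:2b:4c:59:23;
        fixed-address 192.168.1.222;
    }
}
subnet 192.168.2.0 netmask 255.255.255.0 {
}
"""

# Constructed configuration with deliberate mistakes (all values made up).
BAD_CONF = """\
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.1 10.0.0.254;           # the router's own address sits in the pool
    option routers 10.0.0.1;
    option broadcast-address 10.0.1.255; # wrong broadcast for this subnet
    option subnet-mask 255.255.0.0;      # does not match the declared netmask
    host printer {
        hardware ethernet 00:11:22:33:44:55;
        fixed-address 10.0.0.50;         # static address inside the dynamic range
    }
}
"""


def parse_dhcpd_conf(text):
    """Parse the subset of dhcpd.conf syntax used on this page into subnet records."""
    subnets, subnet, host = [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        m = re.match(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{", line)
        if m:
            subnet = {"net": ipaddress.ip_network(m.group(1) + "/" + m.group(2), strict=False),
                      "range": None, "options": {}, "hosts": []}
            subnets.append(subnet)
            continue
        m = re.match(r"host\s+(\S+)\s*\{", line)
        if m and subnet is not None:
            host = {"name": m.group(1), "fixed": None}
            subnet["hosts"].append(host)
            continue
        if line == "}":
            if host is not None:
                host = None
            else:
                subnet = None
            continue
        if subnet is None:
            continue                              # global statements are not validated here
        stmt = line.rstrip(";")
        if host is not None:
            m = re.match(r"fixed-address\s+(\S+)", stmt)
            if m:
                host["fixed"] = ipaddress.ip_address(m.group(1))
            continue
        m = re.match(r"range\s+(\S+)\s+(\S+)", stmt)
        if m:
            subnet["range"] = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
            continue
        m = re.match(r"option\s+(\S+)\s+(.+)", stmt)
        if m:
            subnet["options"][m.group(1)] = m.group(2)
    return subnets


def validate(subnets):
    """Return a list of problems; an empty list means the declaration is consistent."""
    problems = []
    for s in subnets:
        net, tag = s["net"], str(s["net"])
        if s["range"] is None:
            continue                              # empty block for an unused interface: fine
        lo, hi = s["range"]
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"{tag}: range {lo}-{hi} is not inside the subnet")
        for r in s["options"].get("routers", "").split(","):
            if r.strip():
                router = ipaddress.ip_address(r.strip())
                if router not in net:
                    problems.append(f"{tag}: router {router} is not in the subnet")
                elif lo <= router <= hi:
                    problems.append(f"{tag}: router {router} lies inside the dynamic range")
        bcast = s["options"].get("broadcast-address")
        if bcast and ipaddress.ip_address(bcast) != net.broadcast_address:
            problems.append(f"{tag}: broadcast-address {bcast} should be {net.broadcast_address}")
        mask = s["options"].get("subnet-mask")
        if mask and ipaddress.ip_address(mask) != net.netmask:
            problems.append(f"{tag}: subnet-mask {mask} does not match the declared netmask {net.netmask}")
        for h in s["hosts"]:
            if h["fixed"] is not None and lo <= h["fixed"] <= hi:
                problems.append(f"{tag}: host {h['name']} fixed-address {h['fixed']} lies inside the dynamic range")
    return problems


if __name__ == "__main__":
    print("manual's config:", validate(parse_dhcpd_conf(SAMPLE_CONF)) or "no problems")
    print("bad config:", *validate(parse_dhcpd_conf(BAD_CONF)), sep="\n  ")
```

The manual's own declaration passes cleanly; the constructed one reports the router inside the pool, the wrong broadcast address, the mismatched mask and the fixed address that would collide with a dynamic lease. dhcpd -t performs the syntax check; these are the semantic checks it does not make for you.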

Exercises for lab:

Exercise 1:- Download and install DHCP server.


Exercise 2:- Configure DHCP server to lease a range of class B IP addresses.

Home Work:

1) Specify Default Gateway and DNS server IPs in DHCP configuration.

2) Using chkconfig configure DHCP to start during boot process.

To understand managing Linux users and sudo

Lab 18: Managing Linux Users and sudo

Lab No. 18: Managing Linux Users and sudo

Objective:

To familiarize students with the Linux user management

Scope:

The students would be able to do the following at the end of this lab:

• Create user groups

• Create user accounts and assign them appropriate groups

• Run commands with privileged access

Exercise-1:- This exercise illustrates How to Add Users to the system

Adding users takes some planning; read through the steps below before starting:

1) Arrange your list of users into groups by function. In this example there are two groups, "parents" and "children".

Parents    Children
Asif       Sami
Fatima     Owais

2) Add the Linux groups to your server:

[root@tmp]# groupadd parents

[root@tmp]# groupadd children

3) Add the Linux users and assign them to their respective groups

[root@tmp]# useradd -g parents asif

[root@tmp]# useradd -g parents fatima

[root@tmp]# useradd -g children sami

[root@tmp]# useradd -g children owais

If you don't specify the group with the -g, RedHat/Fedora Linux creates a group with the same name as the user you just created; this is also known as the User Private Group Scheme. When each new user first logs in, they are prompted for their new permanent password.

4) Each user's personal directory is placed in the /home directory. The directory name will be the same as their user name.
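Added example, not from the lab manual: a small audit that lists a group's members after the steps above. It matters because useradd -g records the group only in the GID field of /etc/passwd, so the member list in /etc/group stays empty and reading /etc/group alone under-reports the group. The sample passwd and group files (and owais's extra membership) are constructed for the example.

```shell
#!/bin/sh
# List every member of a Linux group, including users whose *primary*
# group it is. Reads copies of /etc/passwd and /etc/group.
#
# Usage: group_members GROUP [PASSWD_FILE] [GROUP_FILE]
# Prints one user name per line, sorted and de-duplicated.
group_members() {
    group=$1
    passwd_file=${2:-/etc/passwd}
    group_file=${3:-/etc/group}

    # /etc/group line: name:password:GID:member1,member2
    gid=$(awk -F: -v g="$group" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || { echo "group_members: no such group: $group" >&2; return 1; }

    {
        # Supplementary members: listed explicitly in the fourth field
        awk -F: -v g="$group" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$group_file"
        # Primary members: users whose GID field in /etc/passwd matches
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Constructed sample files mirroring the lab: asif and fatima were added
# with "useradd -g parents", sami and owais with "useradd -g children", and
# owais was later given parents as a supplementary group (usermod -G).
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
asif:x:1001:1001::/home/asif:/bin/bash
fatima:x:1002:1001::/home/fatima:/bin/bash
sami:x:1003:1002::/home/sami:/bin/bash
owais:x:1004:1002::/home/owais:/bin/bash
EOF
cat > "$demo_dir/group" <<'EOF'
root:x:0:
parents:x:1001:owais
children:x:1002:
EOF

# Number of members of GROUP in the sample files
count_members() {
    group_members "$1" "$demo_dir/passwd" "$demo_dir/group" | wc -l | tr -d ' '
}

echo "Members of parents:"
group_members parents "$demo_dir/passwd" "$demo_dir/group"
echo "Members of children:"
group_members children "$demo_dir/passwd" "$demo_dir/group"
```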

Exercise-2:- This exercise illustrates How to Change Passwords

You need to create passwords for each account. This is done with the passwd command.

You are prompted once for your old password and twice for the new one.

User root changing the password for user asif.

[root@root]# passwd asif

Changing password for user asif.

New password:

Retype new password:

passwd: all authentication tokens updated successfully.

[root@root]#

Users might wish to change their passwords in future. Here is how unprivileged user asif would change his own password.

[asif@asif]$ passwd


Changing password for asif

Old password: your current password

Enter the new password (minimum of 5, maximum of 8 characters)

Please use a combination of upper and lower case letters and numbers.

New password: your new password

Re-enter new password: your new password

Password changed.

[asif@asif]$

Exercise-3:- This exercise illustrates How to Delete Users

The userdel command is used to remove the user's record from the /etc/passwd and /etc/shadow files used in the login process. The command has a single argument, the username.

[root@tmp]# userdel sami

There is also an optional -r switch that additionally removes all the contents of the user's home directory.

Use this option with care. The data in a user's directory can often be important.

Exercise-4:- This exercise illustrates how to get privileges using sudo

If a server needs to be administered by a number of people it is normally not a good idea for them all to use the root account. This is because it becomes difficult to determine exactly who did what, when and where if everyone logs in with the same credentials. The sudo utility was designed to overcome this difficulty.

The sudo utility allows users defined in the /etc/sudoers configuration file to have temporary access to run commands they would not normally be able to due to file permission restrictions. The commands can be run as user "root" or as any other user defined in the /etc/sudoers configuration file.

Simple Sudo Examples:

Using sudo is relatively simple as we can see from these examples.

Temporarily gaining root Privileges

In this example, user asif attempts to view the contents of the /etc/sudoers file, which is an action that normally requires privileged access. Without sudo, the command fails:

[asif@asif]$ more /etc/sudoers

/etc/sudoers: Permission denied

[asif@asif]$

asif tries again using sudo and his regular user password and is successful:

[asif@asif]$ sudo more /etc/sudoers

Password:

...

...

[asif@asif]$

Becoming root for a Complete Login Session

The su command allows a regular user to become the system's root user if they know the root password.

A user with sudo rights to use the su command can become root, but they only need to know their own password, not that of root, as seen here.

someuser@tmp:~$ sudo su -

Password:


root@tmp:~#

Exercises for lab:

Exercise 1:- Add a group with the name of relatives.

Exercise 2:- Add a user with the name of Asim and assign it to the relatives group.

Exercise 3:- Try to edit the file /etc/profile without sudo and then with sudo.

Home Work:

1) Read the /etc/sudoers file thoroughly and modify it to add a user Asim to the /etc/sudoers file.


Lab No. 19: Configuring Samba

Objective:

To familiarize students with the working and configuration of samba server

Scope:

The students would be able to do the following at the end of this lab:

• Install Samba server.

• Managing the services related to samba server

• Preparing SWAT to be used for samba configuration

• Using SWAT for samba configuration

Useful Concepts

Download and Install Packages

Samba is made up of a suite of RPM packages named:

samba

samba-common

samba-client

samba-swat

Exercise-1:- This exercise illustrates How to Get Samba Started

You can configure Samba to start at boot time using the chkconfig command:

[root@tmp]# chkconfig smb on

You can start/stop/restart Samba after boot time using the smb initialization script as in the examples below:

[root@tmp]# service smb start

[root@tmp]# service smb stop

[root@tmp]# service smb restart

Sometimes Samba may have an ancillary nmb daemon that also needs to be started. The syntax is the same as that for the smb daemon.

[root@tmp]# service nmb start

[root@tmp]# service nmb stop

[root@tmp]# service nmb restart

Note: Unlike many Linux packages, Samba does not need to be restarted after changes have been made to its configuration file, as it is read after the receipt of every client request.

Exercise-2:- This exercise explains The Samba Configuration File

The /etc/samba/smb.conf file is the main configuration file you'll need to edit. It is split into five major sections, outlined in the following table:

Exercise-3:- This exercise illustrates the SWAT utility

SWAT, Samba's web-based configuration tool, enables you to configure your smb.conf file without needing to remember all the formatting. Each SWAT screen is actually a form that covers a separate section of the smb.conf file, into which you fill in the desired parameters. For ease of use, each parameter box has its own online help. The figure below shows the main SWAT login screen.

Basic SWAT Setup

The enabling and disabling, starting and stopping of SWAT is controlled by xinetd, via a configuration file named /etc/xinetd.d/swat. Here is a sample:

service swat
{
    port = 901
    socket_type = stream
    protocol = tcp
    wait = no
    user = root
    server = /usr/sbin/swat
    log_on_failure += USERID
    disable = no
    only_from = localhost
}

The file's formatting is fairly easy to understand, especially as there are only two entries of interest.

The disable parameter must be set to no to accept connections. This can automatically be switched between yes and no, as we will see later.

The default configuration only allows SWAT web access from the VGA console as user root on port 901 with the Linux root password. This means you'll have to enter "http://127.0.0.1:901" in your browser to get the login screen.

Controlling SWAT

As with all xinetd-controlled applications, the chkconfig command automatically modifies the disable field accordingly in the configuration file and activates the change. Before SWAT can be used, the xinetd program which controls it must be activated in advance.

You can start/stop/restart xinetd after boot time using the xinetd initialization script as in the examples below:

[root@bigboy tmp]# service xinetd start

[root@bigboy tmp]# service xinetd stop

[root@bigboy tmp]# service xinetd restart

Just like most Linux system applications, you can configure xinetd to start at boot time using the chkconfig command:

[root@bigboy tmp]# chkconfig xinetd on

To activate SWAT use:

[root@bigboy tmp]# chkconfig swat on

To deactivate SWAT use:

[root@bigboy tmp]# chkconfig swat off

Exercise-4:- This exercise illustrates how to Create a Starter Configuration

We will now illustrate how to configure a Samba server to be the PDC for a small network by using SWAT. You'll need to edit the various sections of the smb.conf file, so I'll walk you through what you'll find in each.

The [Global] Section

The [global] section governs the general Samba settings.

Here's how to set the values using SWAT.

1. Log into SWAT and click on the [global] section.

2. Click the Advanced button to see all the options.

3. Make your changes and click on the Commit Changes button when finished.

4. Your smb.conf file should resemble the example below when you're finished. You can view the contents of the configuration file by logging in to the samba server via a command prompt and using cat /etc/samba/smb.conf to verify your changes as you do them.

[global]
    workgroup = HOMENET
    time server = Yes
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    smb passwd file = /etc/samba/smbpasswd
    private dir = /etc/samba

Note: security = user and WINS support = yes are default settings for Samba and they may not show up in your smb.conf file, even though you may see them in SWAT.

The [homes] Section

Here's how to set the values using SWAT:

1. Click on the SWAT shares button to proceed to where shared directories are configured.

2. Click the Advanced button to see all the options.

3. Choose the Homes share.

4. Make your changes and click on the Commit Changes button when finished.

5. Your smb.conf file should resemble this when finished. You can view the contents of the configuration file by logging in to the samba server via a command prompt and using cat /etc/samba/smb.conf to verify your changes as you do them.

[homes]
    read only = No
    browseable = No
    create mask = 0644
    directory mask = 0755

The [netlogon] and [profiles] Share Sections

The [netlogon] share section contains scripts that the Windows clients may use when they log into the domain. The [profiles] share section stores settings related to the look and feel of Windows so that the user has the same settings no matter which Windows PC is logged into. The [profiles] share section stores things such as favourites and desktop icons.

Your smb.conf file should look like this when you're finished:

[netlogon]
    path = /home/samba/netlogon
    guest ok = Yes

[profiles]
    path = /home/samba/profiles
    read only = No
    create mask = 0600
    directory mask = 0700

Here's how to do it.

1. Click the Shares button.

2. Create a [netlogon] share section.

3. Modify the path and guest ok settings.

4. Click on the Commit Changes button.

5. Create a [profiles] share section.

6. Modify the path, mask and read only settings. The mask settings allow only the owner of the netlogon subdirectory to be able to modify its contents.

7. Click on the Commit Changes button.

Remember to create these share directories from the command line afterwards.

[root@tmp]# mkdir -p /home/samba/netlogon

[root@tmp]# mkdir -p /home/samba/profiles

[root@tmp]# chmod -R 0755 /home/samba

Exercises for lab:

Exercise 1:- Install samba server.

Exercise 2:- Prepare SWAT for samba configuration.

Exercise 3:- Configure samba as a Primary Domain Controller.

Home Work:

1) What is the difference between smbpasswd and shadowpasswd?

2) Write a comprehensive note on the primary domain controller (PDC).


Lab No. 20: Sharing Resources using samba

Objective:

To familiarize students with the file/printer sharing features of samba.

Scope:

The students would be able to do the following at the end of this lab:

• Share a printer on the network using samba.

• Create group shares on the samba server.

• Share CD-ROM drive and folders on the samba server

• Automate the mounting process using SMB clients

Exercise-1:- This exercise illustrates Adding a Printer to a Samba PDC

The easiest way to let Samba know the printer is available is via the Samba SWAT Web interface. Once

you are in SWAT:

1. Click the "Printers" button

2. Find your printer in the pull-down menu. If the printer name has an asterisk (*) beside it, it has been auto-configured by Samba. It might not be visible on your network, however, if Samba hasn't been restarted since creating the printer. If this is the case, restart Samba.

3. If Samba did not auto-configure your printer, you need to edit or create it yourself. Click on the "Commit Changes" button to create an updated /etc/samba/smb.conf file.

4. Click on the "Status" tab at the top of the screen and restart smbd and nmbd to restart Samba.

Your printer will now be available for use by all Windows workstations.

Exercise-2:- This exercise illustrates Creating Group Shares in SAMBA

On occasion, subgroups of a family need a share that is fully accessible by all members of the group. For example, parents working in a home office environment may need a place where they can share, distribute, or collaboratively work on documents. Here's how it's done.

Create The Directory And User Group

As with any group activity, the first step is to get organized.

1. Create a new Linux group parents:

[root@tmp]# /usr/sbin/groupadd parents

2. Create a new directory for the group's files. If one user is designated as the leader, you might want to add a chown statement to make them the owner.

[root@tmp]# mkdir /home/parent-files

[root@tmp]# chgrp parents /home/parent-files

[root@tmp]# chmod 0770 /home/parent-files

3. Add the group members to the new group. For instance, the command to add a user named father to the group is:

[root@tmp]# /usr/sbin/usermod -G parents father

All your members are in the group; now they need to share.

Configure the Share In SWAT


Next, you need to create the share in Samba using SWAT.

1. Click on the shares button, then enter the name of the share you want to create, such as only-parents.

2. Click on the "Create Share" button. Make sure the path maps to /home/parent-files and make the valid users be @parents, where parents is the name of the Linux user group.

3. Click on the "Commit Changes" button to create a new /etc/samba/smb.conf file.

4. Click on the "Status" tab at the top of the screen and restart smbd and nmbd to restart Samba.

Your /etc/samba/smb.conf file should have an entry like this at the end:

# Parents Shared Area
[only-parents]
    path = /home/parent-files
    valid users = @parents

If it does, all is well and you can move on. If not, double check your work in the last steps.

Map the Directory Using "My Computer"

Finally, let the user log into the domain from a remote PC

1. Right click on the "My Computer" icon on the desktop

2. Click on "Map Network Drive"

3. Select a drive letter.

4. Browse to the HOMENET domain, then the Samba server, then the share named only-parents.

5. Click on the check box "Reconnect at Logon", to make the change permanent.

Now the files located in the Linux /home/parent-files directory will be accessible to the parents only, and your job is complete!

Create a CD-ROM Drive Mount Point on Your Samba Server

You'll now need to create the mount point on the Linux server to mount and access the CD-ROM drive. In this case, I've named it /mnt/winclient-cdrom, and you'll use the mount command to get access to this device from the Linux server.

Password Prompt Method

The Linux mount command will try to access the CD-ROM device as user "username" by using the "username=" option. You will be prompted for a password.

[root@tmp]# mkdir /mnt/winclient-cdrom

[root@tmp]# mount -t smbfs -o username=username \

//winclient/cdrom /mnt/winclient-cdrom

No Prompt Method

Linux won't prompt you for a password if you embed the access password into the mount command string along with the username, as in the example below.

[root@tmp]# mkdir /mnt/winclient-cdrom

[root@tmp]# mount -t smbfs -o \

username=username,password=password \

//winclient/cdrom /mnt/winclient-cdrom

Using the smbmount Command Method

Some versions of Linux support the smbmount command to mount the remote drive.


Incompatible versions will give errors like this:

[root@tmp]# smbmount //winclient/cdrom \

/mnt/winclient-cdrom -o username=username

Password:

27875: session setup failed: ERRDOS - ERRnoaccess (Access denied.)

SMB connection failed

To be safe, stick with using the Linux mount command.

Automating Mounting with Linux SAMBA Clients

You can also automate the mounting of shares by placing entries in your /etc/fstab file. In the example below the home directory of user peter on server 192.168.1.100 will be mounted on the /mnt/smb mount point as a samba filesystem (smbfs) using the login information in the file named /etc/cred.

#
# File: /etc/fstab
#
//192.168.1.100/peter /mnt/smb smbfs credentials=/etc/cred 0 0

The contents of the /etc/cred file need to have the username and password for the account in this format:

#
# File: /etc/cred
#
username = peter
password = peterspassword

Once finished you can use mount -a to mount the new /etc/fstab entry, and the /mnt/smb directory will now contain the contents of the share.

[root@smallfry tmp]# mount -a

[root@smallfry tmp]# ls /mnt/smb

backups profile docs data music

[root@smallfry tmp]#
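Added example, not from the lab manual: writing the credentials file used by the /etc/fstab entry above. A credentials file keeps the password off the mount command line (where it shows up in shell history and in the process list), but only helps if the file itself is readable by root alone, so the script creates it with mode 0600 and verifies both the mode and the key names before reporting success. The user name and password are the lab's sample values, the temporary file path is an assumption, and the fstab line in the comment uses cifs, the successor to smbfs.

```shell
#!/bin/sh
# Write a credentials file for mount.cifs/smbfs and refuse to accept it if
# it is readable by anyone other than its owner.
#
# Usage: write_credentials FILE USERNAME PASSWORD
write_credentials() {
    file=$1 user=$2 pass=$3
    # umask 077 makes the file 0600 from the moment it is created, so it never
    # exists with the default 0644 mode, even briefly.
    (
        umask 077
        printf 'username = %s\npassword = %s\n' "$user" "$pass" > "$file"
    )
    chown root:root "$file" 2>/dev/null || true   # no-op when not running as root
    check_credentials "$file"
}

# Returns 0 when FILE is mode 0600 (or 0400) and every non-comment line is a
# username/password/domain key that mount.cifs accepts; 1 otherwise.
check_credentials() {
    file=$1
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "check_credentials: $file is mode $mode, expected 600" >&2; return 1 ;;
    esac
    if grep -Ev '^[[:space:]]*(#|$)' "$file" \
        | grep -Ev '^[[:space:]]*(username|password|domain)[[:space:]]*=' >/dev/null; then
        echo "check_credentials: unexpected line in $file" >&2
        return 1
    fi
    return 0
}

# Demonstration on a temporary file (constructed sample mirroring the lab's
# /etc/cred; not real credentials).
demo_cred=$(mktemp)
write_credentials "$demo_cred" peter peterspassword && echo "credentials file ok: $demo_cred"
# Matching /etc/fstab line for that file (assumed; cifs replaces smbfs):
#   //192.168.1.100/peter /mnt/smb cifs credentials=/etc/cred 0 0
```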

Exercises for lab:

Exercise 1:- Share a printer on the network using samba shares.

Exercise 2:- Create group shares on the samba server.

Exercise 3:- Share CD-ROM drive and folders on the samba server.

Exercise 4:- Automate the mounting process using /etc/fstab.

Home Work:

1) Write a note on access permission settings for shared resources on samba.


Lab No. 21 Linux firewalls using iptables

Objective:

To make the students understand the use of the popular Linux firewall, iptables, for securing systems and websites.

Scope:

On completion of this lab the student will be able to:

• understand what iptables is

• Download and Install the Iptables Package

• Start iptables

• Determine the Status of iptables

• understand Packet Processing In iptables

• understand Targets and Jumps

• use Important Iptables Command Switch Operations

• Use User Defined Chains.

Useful Concepts

Firewall

• Utility software that provides protection to the system by monitoring all incoming traffic

ipchains

• The predecessor of iptables, and formerly the most popular firewall/NAT package running on Linux.

• Had a number of shortcomings.

iptables

• An improved product of the Netfilter organization that rectifies the shortcomings of ipchains

Exercise-1:- This exercise is about Downloading and Installing the Iptables

Before you begin, you need to make sure that the iptables package is installed. When searching for the RPM or DEB file, remember that the filename usually starts with the software package name followed by a version number, as in iptables-1.2.9-1.0.i386.rpm.

To install the package online on Red Hat distributions, use the yum utility:

yum install iptables

To install the package from the hard disk, change to the directory containing the package and use the rpm command:

rpm -ivh iptables-1.2.9-1.0.i386.rpm

To install the package online on Debian distributions, use the apt-get utility:

apt-get install iptables

To install the package from the hard disk, change to the directory containing the package and use the dpkg command:

dpkg --install iptables-1.2.9-1.0.i386.deb

Exercise-2:- This exercise is about Starting, stopping, restarting and checking the status of iptables

You can start, stop, and restart iptables after booting by using the commands:

javidali@JLaptop$ service iptables start

javidali@JLaptop$ service iptables stop

javidali@JLaptop$ service iptables restart

To get iptables configured to start at boot, use the chkconfig command:

javidali@JLaptop$ chkconfig iptables on

You can determine whether iptables is running or not via the service iptables status command. Fedora Core will give a simple status message. For example:

javidali@JLaptop$ service iptables status

Firewall is stopped.

javidali@JLaptop$

Exercise -3:- This exercise is about Packet processing in iptables

All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.

There are three tables in total. The first is the mangle table, which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment.

The second table is the filter queue, which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. These are the:

• Forward chain: Filters packets to servers protected by the firewall.

• Input chain: Filters packets destined for the firewall.

• Output chain: Filters packets originating from the firewall.

The third table is the nat queue, which is responsible for network address translation. It has two built-in chains; these are:

• Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.

• Post-routing chain: NATs packets when the source address of the packet needs to be changed.

Table Processing For Packets Routed By The Firewall

Queue type: Filter
Queue function: Packet filtering
Chains in queue and chain function:
    FORWARD      Filters packets to servers accessible by another NIC on the firewall.
    INPUT        Filters packets destined to the firewall.
    OUTPUT       Filters packets originating from the firewall.

Queue type: Nat
Queue function: Network Address Translation
Chains in queue and chain function:
    PREROUTING   Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
    POSTROUTING  Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
    OUTPUT       Network address translation for packets generated by the firewall. (Rarely used in SOHO environments)

Queue type: Mangle
Queue function: TCP header modification
Chains in queue: PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD
Chain function: Modification of the TCP packet quality of service bits before routing occurs. (Rarely used in SOHO environments)

You need to specify the table and the chain for each firewall rule you create. There is an exception: most rules are related to filtering, so iptables assumes that any chain that's defined without an associated table will be a part of the filter table. The filter table is therefore the default.

To help make this clearer, take a look at the way packets are handled by iptables. In the Figure, a TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection.

The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed.

If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT in the POSTROUTING chain before arriving at Network B. When the destination server decides to reply, the packet undergoes the same sequence of steps. Both the FORWARD and POSTROUTING chains may be configured to implement quality of service (QoS) features in their mangle tables, but this is not usually done in SOHO environments.

If the packet is destined for the firewall itself, then it passes through the INPUT chain of the mangle table, if configured, before being filtered by the rules in the INPUT chain of the filter table. If it successfully passes these tests then it is processed by the intended application on the firewall.

At some point, the firewall needs to reply. This reply is routed and inspected by the rules in the OUTPUT chain of the mangle table, if any. Next, the rules in the OUTPUT chain of the nat table determine whether DNAT is required and the rules in the OUTPUT chain of the filter table are then inspected to help restrict unauthorized packets. Finally, before the packet is sent back to the Internet, SNAT and QoS mangling is done by the POSTROUTING chain.

Iptables Packet Flow Diagram

It is now time to discuss the ways in which you add rules to these chains.

Exercise-4:- This exercise is about Targets And Jumps

Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing. The following table lists the built-in targets that iptables uses.

Table: Descriptions Of The Most Commonly Used Targets

Target: ACCEPT
Description: iptables stops further processing. The packet is handed over to the end application or the operating system for processing.
Most common options: N/A

Target: DROP
Description: iptables stops further processing. The packet is blocked.
Most common options: N/A

Target: LOG
Description: The packet information is sent to the syslog daemon for logging; iptables continues processing with the next rule in the table. As you can't log and drop at the same time, it is common to have two similar rules in sequence. The first will log the packet, the second will drop it.
Most common options: --log-prefix "string" tells iptables to prefix all log messages with a user-defined string. Frequently used to tell why the logged packet was dropped.

Target: REJECT
Description: Works like the DROP target, but will also return an error message to the host sending the packet that the packet was blocked.
Most common options: --reject-with qualifier, where the qualifier tells what type of reject message is returned. Qualifiers include: icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, tcp-reset, echo-reply, icmp-port-unreachable (default), icmp-net-unreachable.

Target: DNAT
Description: Used to do destination network address translation, i.e. rewriting the destination IP address of the packet.
Most common options: --to-destination ipaddress tells iptables what the destination IP address should be.

Target: SNAT
Description: Used to do source network address translation, rewriting the source IP address of the packet. The source IP address is user defined.
Most common options: --to-source <address>[-<address>][:<port>-<port>] specifies the source IP address and ports to be used by SNAT.

Target: MASQUERADE
Description: Used to do Source Network Address Translation. By default the source IP address is the same as that used by the firewall's interface.
Most common options: [--to-ports <port>[-<port>]] specifies the range of source ports to which the original source port can be mapped.

Important Iptables Command Switch Operations

Each line of an iptables script not only has a jump, but also has a number of command line options that are used to append rules to chains that match your defined packet characteristics, such as the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again. The following tables list the most common options.

General Iptables Match Criteria

Switch                Description
-t <table>            If you don't specify a table, then the filter table is assumed. As discussed before, the possible built-in tables include: filter, nat, mangle
-j <target>           Jump to the specified target chain when the packet matches the current rule.
-A                    Append rule to end of a chain
-F                    Flush. Deletes all the rules in the selected table
-p <protocoltype>     Match protocol. Types include icmp, tcp, udp, and all
-s <ip-address>       Match source IP address
-d <ip-address>       Match destination IP address
-i <interfacename>    Match "input" interface on which the packet enters.
-o <interfacename>    Match "output" interface on which the packet exits

In this example of command switches:

iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT

iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192.168.1.1. The 0/0 representation of an IP address means any.

Common TCP and UDP Match Criteria

Switch                   Description
-p tcp --sport <port>    TCP source port. Can be a single value or a range in the format: start-port-number:end-port-number
-p tcp --dport <port>    TCP destination port. Can be a single value or a range in the format: starting-port:ending-port
-p tcp --syn             Used to identify a new TCP connection request. ! --syn means not a new connection request
-p udp --sport <port>    UDP source port. Can be a single value or a range in the format: starting-port:ending-port
-p udp --dport <port>    UDP destination port. Can be a single value or a range in the format: starting-port:ending-port

In this example:

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \

--sport 1024:65535 --dport 80 -j ACCEPT

iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for an IP address of 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http).

Exercise-5:- This exercise demonstrates a Sample iptables Script for Basic Operating System Defense

You can do several things before employing your firewall script to improve the resilience of your firewall to attack. For example, the Linux operating system has a number of built-in protection mechanisms that you should activate by modifying the system kernel parameters in the /proc filesystem via the /etc/sysctl.conf file.

Here is a sample configuration:

# File: /etc/sysctl.conf

#---------------------------------------------------------------

# Disable routing triangulation. Respond to queries out

# the same interface, not another. Helps to maintain state

# Also protects against IP spoofing

#---------------------------------------------------------------

net/ipv4/conf/all/rp_filter = 1

#---------------------------------------------------------------

# Enable logging of packets with malformed IP addresses

#---------------------------------------------------------------

net/ipv4/conf/all/log_martians = 1

#---------------------------------------------------------------

# Disable redirects

#---------------------------------------------------------------

Page 118: 22759431 Network Operating Systems Lab Manual

net/ipv4/conf/all/send_redirects = 0

#---------------------------------------------------------------

# Disable source routed packets

#---------------------------------------------------------------

net/ipv4/conf/all/accept_source_route = 0

#---------------------------------------------------------------

# Disable acceptance of ICMP redirects

#---------------------------------------------------------------

net/ipv4/conf/all/accept_redirects = 0

#---------------------------------------------------------------

# Turn on protection from Denial of Service (DOS) attacks

#---------------------------------------------------------------

net/ipv4/tcp_syncookies = 1

#---------------------------------------------------------------

# Disable responding to ping broadcasts

#---------------------------------------------------------------

net/ipv4/icmp_echo_ignore_broadcasts = 1

#---------------------------------------------------------------

# Enable IP routing. Required only if this host forwards packets

# for a network it protects (NAT included); leave it at 0 on a standalone server

#---------------------------------------------------------------

net/ipv4/ip_forward = 1
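As an added example for this exercise (not part of the manual), the shell script below audits a sysctl.conf-style file against the baseline above before it is loaded with sysctl -p. It accepts both the slash and the dotted key spellings, honours the last-setting-wins rule, and reports keys that are missing or set to a weaker value; the running_value helper reads the live value from /proc/sys so the file can also be compared with what the kernel is actually using. The file it audits at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Audit a sysctl.conf-style file against the hardening baseline listed above.
# Added example for this lab; it is not part of the manual or of sysctl(8).
# Keys are compared in dotted form; sysctl(8) accepts both "net/ipv4/x" and
# "net.ipv4.x", so a file may mix the two spellings.

BASELINE='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1'

# normalise_sysctl FILE: emit "key=value" per setting with comments, blank
# lines and whitespace removed and '/' separators rewritten as '.'.
normalise_sysctl() {
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]//g' -e 's#/#.#g' "$1"
}

# audit_sysctl FILE: one line per baseline key that FILE does not satisfy:
#   MISSING key             key never set (the kernel default applies)
#   WRONG key=got (want w)  key set to a different value
# The last occurrence of a key wins, as it does when sysctl -p loads the file.
audit_sysctl() {
    actual=$(normalise_sysctl "$1")
    printf '%s\n' "$BASELINE" | while IFS='=' read -r key want; do
        got=$(printf '%s\n' "$actual" |
              awk -F= -v k="$key" '$1==k {v=$2} END {print v}')
        if [ -z "$got" ]; then
            echo "MISSING $key"
        elif [ "$got" != "$want" ]; then
            echo "WRONG $key=$got (want $want)"
        fi
    done
}

# running_value KEY: the value the kernel is using right now, read from /proc,
# so a file that passes the audit can also be checked against the live system.
running_value() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null
}

# Demonstration on a constructed file (not a real /etc/sysctl.conf).
demo=$(mktemp)
cat > "$demo" <<'EOF'
net/ipv4/conf/all/rp_filter = 1
net/ipv4/conf/all/log_martians = 1
net.ipv4.conf.all.send_redirects = 0   # dotted spelling is also accepted
net/ipv4/conf/all/accept_source_route = 0
net/ipv4/conf/all/accept_redirects = 1
net/ipv4/icmp_echo_ignore_broadcasts = 1
net/ipv4/ip_forward = 1
EOF
audit_sysctl "$demo"
rm -f "$demo"
```

Run it against the real file with audit_sysctl /etc/sysctl.conf; an empty result means every baseline key is present with the expected value, after which running_value net.ipv4.tcp_syncookies (and the other keys) confirms the kernel has actually picked the settings up.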

Exercises for lab

Exercise 1:- check the iptables package and install the package using online installation utilities available

(apt-get or yum).

Exercise 2:- Check the status of the iptables service. Start, stop and restart it.

Exercise 3:- configure the firewall for allowing local networks.

Home Work

1) What were the limitations of ipchains that were overcome in iptables?

2) Which level of security is provided by a firewall?


To understand the configuration of a Linux FTP server

Lab 22: Configuring Linux FTP Server


Lab No. 22: Configuring Linux FTP Server

Objective:

To familiarize students with the working of FTP Server and configuration of FTP server.

Scope:

The students would be able to do the following at the end of this lab:

• Install/manage FTP services on a linux machine.

• Configure FTP for anonymous access

• Configure FTP for restricted access

Useful Concepts

FTP Overview

FTP relies on a pair of TCP connections to get the job done. It operates over two channels:

FTP Control Channel, TCP port 21: all commands you send and the FTP server's responses to those commands travel over the control connection; any data sent back (such as ls directory listings or actual file data in either direction) travels over the data connection.

FTP Data Channel, TCP port 20: in active mode the server opens the data connection from its port 20 back to a port the client names. Most modern clients instead use passive mode (PASV), in which the server listens on an ephemeral high port and the client connects to it. This difference matters when you firewall an FTP server: passive mode needs a range of high ports open, and vsftpd's pasv_min_port and pasv_max_port directives pin that range.

Regular FTP

By default, the VSFTPD package allows regular Linux users to copy files to and from their home directo-

ries with an FTP client using their Linux usernames and passwords as their login credentials.

VSFTPD also has the option of allowing this type of access to only a group of Linux users, enabling you

to restrict the addition of new files to your system to authorized personnel.

The disadvantage of regular FTP is that it isn't suitable for general download distribution of software as

everyone either has to get a unique Linux user account or has to use a shared username and password.

Anonymous FTP allows you to avoid this difficulty.

Anonymous FTP

Anonymous FTP is the choice of Web sites that need to exchange files with numerous unknown remote

users. Common uses include downloading software updates and MP3s and uploading diagnostic informa-

tion for a technical support engineers' attention. Unlike regular FTP where you login with a preconfigured

Linux username and password, anonymous FTP requires only a username of anonymous and your email

address for the password. Once logged in to a VSFTPD server, you automatically have access to only the

default anonymous FTP directory (/var/ftp in the case of VSFTPD) and all its subdirectories.

Exercise-1:- This exercise illustrates How to Get VSFTPD Started

With Fedora, Red Hat, Ubuntu and Debian you can start, stop, or restart VSFTPD after booting by using

these commands:

[root@tmp]# /etc/init.d/vsftpd start

[root@tmp]# /etc/init.d/vsftpd stop

[root@tmp]# /etc/init.d/vsftpd restart

With Red Hat / Fedora you can configure VSFTPD to start at boot with the chkconfig command.

[root@tmp]# chkconfig vsftpd on


With Ubuntu / Debian the sysv-rc-conf command can be used like this (the service name is given as an argument):

root@u-bigboy:/tmp# sysv-rc-conf vsftpd on

Note: In RedHat Linux version 8.0 and earlier, VSFTPD operation is controlled by the xinetd process.

Exercise-2:- This exercise is about testing the status of VSFTPD

You can always test whether the VSFTPD process is running by using the netstat –a command which lists

all the TCP and UDP ports on which the server is listening for traffic. This example shows the expected

output.

[root@root]# netstat -a | grep ftp

tcp 0 0 *:ftp *:* LISTEN

[root@root]#.

If VSFTPD wasn't running, there would be no output at all.

Exercise-3:- This exercise describes important configuration files related to FTP server

VSFTPD reads its vsftpd.conf configuration file only when it starts, so you have to restart VSFTPD each time you edit the file for the changes to take effect. The file is located in either /etc or /etc/vsftpd depending on your Linux distribution.

This file uses a number of default settings you need to know about.

By default VSFTPD runs as an anonymous FTP server. Unless you want any remote user to log into your default FTP directory with the username anonymous and an email address as the password, turn this off by setting the configuration file's anonymous_enable directive to NO. You also need to enable local users to log in at the same time by removing the comment symbol (#) before the local_enable=YES line.

If you enable anonymous FTP with VSFTPD, remember to define the root directory that visitors will vis-

it. This is done with the anon_root directive.

anon_root=/data/directory

VSFTPD allows only anonymous FTP downloads to remote users, not uploads from them. This can be

changed by modifying the anon_upload_enable directive shown later.

VSFTPD doesn't allow anonymous users to create directories on your FTP server. You can change this by

modifying the anon_mkdir_write_enable directive.

VSFTPD logs FTP access to the /var/log/vsftpd.log log file. You can change this by modifying the xferlog_file directive.

By default VSFTPD expects files for anonymous FTP to be placed in the /var/ftp directory. You can

change this by modifying the anon_root directive. There is always the risk with anonymous FTP that us-

ers will discover a way to write files to your anonymous FTP directory. You run the risk of filling up your

/var partition if you use the default setting. It is best to make the anonymous FTP directory reside in its

own dedicated partition.

The configuration file is fairly straight forward as you can see in the snippet below where we enable ano-

nymous FTP and individual accounts simultaneously.

# Allow anonymous FTP?
anonymous_enable=YES
...
# The directory which vsftpd will try to change
# into after an anonymous login. (Default = /var/ftp)
anon_root=/data/directory
...
# Uncomment this to allow local users to log in.
local_enable=YES
...
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
...
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
...
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
...
# Activate logging of uploads/downloads.
xferlog_enable=YES
...
# You may override where the log file goes if you like.
# The default is shown below.
xferlog_file=/var/log/vsftpd.log
...

To activate or deactivate a feature, remove or add the # at the beginning of the appropriate line.

Other vsftpd.conf Options

There are many other options you can add to this file:

Limiting the maximum number of client connections (max_clients)

Limiting the number of connections by source IP address (max_per_ip)

The maximum rate of data transfer per anonymous login. (anon_max_rate)

The maximum rate of data transfer per non-anonymous login. (local_max_rate).

FTP Security Issues

FTP has a number of security drawbacks, and you can overcome some of them. You can deny individual Linux users access to non-anonymous FTP, and you can change the configuration so the server does not display its software version. But plain FTP sends logins and data in clear text: anyone on the network path can read usernames, passwords and file contents. VSFTPD can wrap sessions in TLS (the ssl_enable directive); use that for anything that crosses an untrusted network.

The /etc/vsftpd.ftpusers File

For added security, you can deny FTP access to specific users by listing them in /etc/vsftpd.ftpusers (on newer distributions /etc/vsftpd/ftpusers); any account named there is refused an FTP login even with a correct password. The VSFTPD package creates this file with entries for privileged users, such as root, that should never log in over FTP. As FTP does not encrypt passwords, which increases the risk of credentials being captured on the wire, leave these entries in place and add any other accounts that must not use FTP.

Exercise-4:- This exercise illustrates Anonymous Uploads on ftp and banner setting

If you want remote users to write data to your FTP server, create a write-only directory within /var/ftp/pub. Users can upload into it but cannot list or read what other users have uploaded. Mode 733 gives everyone else write and search (x) permission without read permission; search permission is required to create a file inside a directory, so a mode such as 722 would make the uploads fail. The commands you need are:

[root@tmp]# mkdir /var/ftp/pub/upload

[root@tmp]# chmod 733 /var/ftp/pub/upload

Uploads also require anon_upload_enable=YES together with write_enable=YES in vsftpd.conf.

FTP Greeting Banner

Change the default greeting banner in the vsftpd.conf file so that it does not name the server software or its version, which makes it harder for attackers to match the system against known vulnerabilities. The directive is (vsftpd rejects spaces around the = sign):

ftpd_banner=New Banner Here

Exercise-5:- This exercise illustrates privileged user setting

In this example, anonymous FTP is not desired, but a group of trusted users need to have read only access

to a directory for downloading files. Here are the steps:

1) Disable anonymous FTP. Set the anonymous_enable line in the vsftpd.conf file to NO like this:

# Allow anonymous FTP?

anonymous_enable=NO

2) Enable individual logins by making sure you have the local_enable line uncommented in the

vsftpd.conf file like this:

# Uncomment this to allow local users to log in.

local_enable=YES

3) Start VSFTP.

[root@tmp]# service vsftpd start

4) Create a user group and shared directory. In this case, use /home/ftp-docs as the directory and ftp-users as the group name for the remote users

[root@tmp]# groupadd ftp-users

[root@tmp]# mkdir /home/ftp-docs

5) Make the directory accessible to the ftp-users group.

[root@tmp]# chmod 750 /home/ftp-docs

[root@tmp]# chown root:ftp-users /home/ftp-docs

6) Add users, and make their default directory /home/ftp-docs. These accounts exist only for FTP, so it is worth adding -s /sbin/nologin to each useradd so they cannot log in at the console or over SSH; if vsftpd's PAM configuration uses pam_shells, /sbin/nologin must then be listed in /etc/shells or the FTP login will be refused as well.

[root@tmp]# useradd -g ftp-users -d /home/ftp-docs user1

[root@tmp]# useradd -g ftp-users -d /home/ftp-docs user2

[root@tmp]# useradd -g ftp-users -d /home/ftp-docs user3

[root@tmp]# useradd -g ftp-users -d /home/ftp-docs user4

[root@tmp]# passwd user1

[root@tmp]# passwd user2

[root@tmp]# passwd user3

[root@tmp]# passwd user4

7) Copy files to be downloaded by your users into the /home/ftp-docs directory

8) Change the permissions of the files in the /home/ftp-docs directory for read only access by the group

[root@tmp]# chown root:ftp-users /home/ftp-docs/*

[root@tmp]# chmod 740 /home/ftp-docs/*

Users should now be able to log in via FTP to the server using their new usernames and passwords. Note that nothing yet confines them to /home/ftp-docs: a local user can cd to any directory the Unix permissions allow. Add chroot_local_user=YES to vsftpd.conf to lock each session into the user's home directory. If you absolutely don't want any FTP user to be able to write to any directory, set the write_enable line in your vsftpd.conf file to NO (no spaces around the =):

write_enable=NO


Remember, you must restart VSFTPD for the configuration file changes to take effect.
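The settings covered in Exercise-3 (anonymous access, write_enable, anon_upload_enable, anon_mkdir_write_enable, the banner) and in Exercise-5 (disabling anonymous FTP, write_enable=NO) can be checked mechanically before each restart. The script below is an added example, not part of the manual or of vsftpd: it lints a vsftpd.conf for whitespace around = (which vsftpd rejects) and for the risky combinations discussed above, using the defaults documented in vsftpd.conf(5). The chroot_local_user check encodes an assumption about what you want, namely that local users should not be able to browse outside their home directory.

```shell
#!/bin/sh
# Lint a vsftpd.conf before restarting the daemon. Added example for this lab,
# not part of the manual or of vsftpd. Defaults are those in vsftpd.conf(5):
# anonymous_enable defaults to YES, every other option checked here to NO.

# vsftpd_get FILE OPTION DEFAULT: last value of OPTION in FILE, or DEFAULT.
# Comment lines are skipped; the last setting of an option is the one used.
vsftpd_get() {
    v=$(grep -v '^[[:space:]]*#' "$1" |
        awk -F= -v k="$2" '$1==k {v=$2} END {print v}')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# vsftpd_lint FILE: print one finding per line (nothing means no findings).
vsftpd_lint() {
    f="$1"
    # vsftpd rejects whitespace around '=' ("500 OOPS: bad bool value in
    # config file" or similar) and refuses to start, so report the line.
    grep -nE '^[^#]*([[:space:]]=|=[[:space:]])' "$f" |
        sed 's/^\([0-9]*\):.*/SYNTAX line \1: whitespace around = is rejected by vsftpd/'

    anon=$(vsftpd_get "$f" anonymous_enable YES)
    local_users=$(vsftpd_get "$f" local_enable NO)
    write=$(vsftpd_get "$f" write_enable NO)
    anon_up=$(vsftpd_get "$f" anon_upload_enable NO)
    anon_mkdir=$(vsftpd_get "$f" anon_mkdir_write_enable NO)
    chroot=$(vsftpd_get "$f" chroot_local_user NO)
    banner=$(vsftpd_get "$f" ftpd_banner "")

    # anonymous access is on unless the file says otherwise
    [ "$anon" = YES ] && echo "ANON anonymous logins enabled (anonymous_enable=YES is the default)"
    # anonymous write paths need the global write switch as well as their own
    if [ "$anon" = YES ] && [ "$write" = YES ]; then
        [ "$anon_up" = YES ] && echo "ANON-WRITE anonymous uploads enabled"
        [ "$anon_mkdir" = YES ] && echo "ANON-WRITE anonymous users may create directories"
    fi
    # local users who are not chrooted can browse every directory their
    # Unix permissions allow, not just the home directory given to useradd
    [ "$local_users" = YES ] && [ "$chroot" != YES ] &&
        echo "LOCAL local users not confined to their home directory (chroot_local_user=NO)"
    # the stock banner names vsftpd and its version
    [ -z "$banner" ] && echo "BANNER ftpd_banner unset; default banner reveals vsftpd version"
    return 0
}
```

Run vsftpd_lint /etc/vsftpd/vsftpd.conf (or /etc/vsftpd.conf) after each edit and before the restart; a SYNTAX line means the daemon would refuse to start, the other lines are judgement calls that the lab text explains.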

Exercises for lab

Exercise 1:- Install FTP server.

Exercise 2:- Configure FTP to start at system boot.

Exercise 3:- Allow anonymous users to only read from a shared directory.

Home Work

1) Configure the FTP server to allow only a certain group of users to write to the shared directory.


To understand Telnet, TFTP and xinetd

Lab 23: Telnet and TFTP and XINETD


Lab No. 23: Telnet and TFTP and XINETD

Objective:

To familiarize students with the working and configuration of Telnet Server and TFTP Server

Scope:

The students would be able to do the following at the end of this lab:

• understand and configure xinetd service

• Install and configure Telnet Server

• Implement security for Telnet access

• Install and configure TFTP server software

Useful Concepts:

Telnet

Telnet is a program that allows users to log into your server and get a command prompt just as if they

were logged into the VGA console. The Telnet server RPM is installed and disabled by default on Fedora

Linux.

Exercise-1:- This exercise illustrates how to Control xinetd

The starting and stopping of the xinetd daemon is controlled by scripts in the /etc/init.d directory, and its behavior at boot time is controlled by chkconfig.

You can start/stop/restart xinetd after booting by using the following commands:

[root@root]# service xinetd start

[root@root]# service xinetd stop

[root@root]# service xinetd restart

To get xinetd configured to start at boot you can use the chkconfig command.

[root@root]# chkconfig xinetd on

Installing The Telnet Server Software

Older versions of RedHat had the Telnet server installed by default. Fedora Linux doesn't do this and you

will have to install it yourself.

When searching for the file, remember that the Telnet server RPM's filename usually starts with the word

"telnet-server" followed by a version number as in telnet-server-0.17-28.i386.rpm.

With Debian / Ubuntu, the Telnet server package would have a "telnetd" prefix like this: telnetd_0.17-

32_i386.deb.

Basic Telnet Security

Telnet sends usernames, passwords and everything typed in the session in clear text, so anyone able to sniff the network path can read them. There are a few things you can do to reduce the exposure. Ensure that telnet sessions run only over trusted internal networks or across VPNs, and prefer SSH wherever it is available. The options below limit who can reach the service; they do not make the protocol itself safe.

Let Telnet Listen On Another TCP Port

Letting telnet run on an alternate TCP port doesn't encrypt the traffic, but it makes it less likely to be de-

tected as telnet traffic. Remember that this isn't a foolproof strategy; good port scanning programs can

detect telnet and other applications running on alternative ports.


1) Edit your /etc/services file and add an entry for a new service. Call it stelnet.

# Local services

stelnet 7777/tcp # "secure" telnet

2) Copy the telnet configuration file called /etc/xinetd.d/telnet and call it /etc/xinetd.d/stelnet:

[root@tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet

3) Edit the new /etc/xinetd.d/stelnet file. Make the new service stelnet and add a port statement for TCP

port 7777.

# default: on

# description: The telnet server serves telnet sessions

# unencrypted username/password pairs for authentication.

service stelnet

{

flags = REUSE

socket_type = stream

wait = no

user = root

server = /usr/sbin/in.telnetd

log_on_failure += USERID

disable = no

port = 7777

}

4) Use chkconfig to activate stelnet.

[root@tmp]# chkconfig stelnet on

5) Check to make sure your server is now listening on port 7777 with the netstat command.

[root@tmp]# netstat -an | grep 777

tcp 0 0 0.0.0.0:7777 0.0.0.0:* LISTEN

[root@tmp]#

You should now be able to log in to the new stelnet server on port 7777. This is done using the

telnet command with the TCP port as the second argument.

[root@tmp]# telnet 192.168.1.100 7777

Trying 192.168.1.100...

Connected to 192.168.1.100.

Escape character is '^]'.

Fedora Core release 2 (Tettnang)

Kernel 2.6.8-1.521 on an i686

login:

Let Telnet Allow Connections From Trusted Addresses

You can restrict telnet logins to connections from specific remote addresses by using the only_from keyword in the telnet configuration file. Here's how.

1) Add a list of trusted addresses to the /etc/xinetd.d/telnet file, separated by spaces:

# default: on
# description: The telnet server serves telnet sessions; it uses
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
only_from = 192.168.1.100 127.0.0.1 192.168.1.200
}

2) Make xinetd reload its configuration. Toggling the service with chkconfig does this; service xinetd reload has the same effect.

[root@tmp]# chkconfig telnet off

[root@tmp]# chkconfig telnet on

3) Test the telnet session. Clients whose addresses are not on the trusted list get the message Connection closed by foreign host.

[root@tmp]# telnet 192.168.1.100

Trying 192.168.1.100...

Connected to 192.168.1.100.

Escape character is '^]'.

Connection closed by foreign host.

[root@tmp]#

Configuring The TFTP Server

The procedure to set up a TFTP server is straightforward, but it differs between the Red Hat and Debian distributions, as we will soon see. Keep in mind that TFTP has no authentication at all: any host that can reach UDP port 69 can fetch whatever is in the served directory, so restrict it with only_from or a firewall rule and never store anything sensitive there.

Redhat / Fedora

By default, the TFTP application expects files to be located in the /tftpboot directory. You can change this setting in the /etc/xinetd.d/tftp file via the server_args option. It is usually best to place the TFTP files in a partition other than the root partition. TFTP files of increasing size could eventually fill the partition, affecting your ability to install new software or even the overall performance of your system. Creating a symbolic link for /tftpboot to another directory will not work with all versions of Fedora.

This example creates a new tftpboot directory in the /var partition, and then configures TFTP to be enabled while using the new directory. The -s flag makes in.tftpd change its root to that directory, so clients cannot request files outside it.

[root@tmp]# mv /tftpboot /var

[root@tmp]# vi /etc/xinetd.d/tftp

#

# File /etc/xinetd.d/tftp

#

service tftp

{

...

...

server_args = -s /var/tftpboot

disable = no

}

Debian / Ubuntu

With the Debian / Ubuntu distributions, the TFTP server configuration file is /etc/default/tftpd-hpa, and by default it instructs the TFTP daemon to use the /var/lib/tftpboot directory to store its files. Another thing to remember is that the tftpd-hpa server daemon runs independently of xinetd and has its own startup script in the /etc/init.d directory. That script runs at boot time, but the configuration file's default setting disables the daemon by making it exit immediately.


This example enables the daemon in the configuration file and then starts the TFTP

server:

root@/tmp# vi /etc/default/tftpd-hpa

...

...

#

# File: /etc/default/tftpd-hpa

#

#Defaults for tftpd-hpa

RUN_DAEMON="yes"

OPTIONS="-l -s /var/lib/tftpboot"

...

...

root@/tmp# /etc/init.d/tftpd-hpa start

Starting HPA's tftpd: in.tftpd.

root@/tmp#

Note: With both Red Hat and Debian distributions, you can test whether the TFTP process is running with the netstat command, which lists the TCP/UDP ports on which your server is listening. If it isn't running there will be no output. TFTP is a UDP service, so look for the udp line.

[root@tmp]# netstat -a | grep tftp

udp 0 0 *:tftp *:*

[root@tmp]#
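The only_from restriction for telnet above and the -s server_args for TFTP are both easy to forget. As an added example (not part of the manual or of xinetd), the script below reads one /etc/xinetd.d service file, extracts its attributes, and reports a service that is reachable from any address, one that is hidden on an alternate port, or a tftp stanza whose in.tftpd is not chrooted. The file format is xinetd's own; the stanzas used in the tests are constructed.

```shell
#!/bin/sh
# Check an /etc/xinetd.d service file for the access controls discussed in
# this lab. Added example, not part of the manual or of xinetd. It reads the
# "attribute = value" and "attribute += value" lines of one service block.

# xinetd_attr FILE ATTR: print the value of ATTR (comments stripped), or
# nothing when the attribute is absent.
xinetd_attr() {
    sed -e 's/#.*$//' "$1" |
        awk -v a="$2" '$1==a && ($2=="=" || $2=="+=") {
            $1=""; $2=""; sub(/^ +/, ""); print }'
}

# xinetd_check FILE: one finding per line; nothing means no findings.
xinetd_check() {
    f="$1"
    name=$(sed -e 's/#.*$//' "$f" | awk '$1=="service" {print $2; exit}')
    disabled=$(xinetd_attr "$f" disable)
    only_from=$(xinetd_attr "$f" only_from)
    port=$(xinetd_attr "$f" port)
    server_args=$(xinetd_attr "$f" server_args)

    # a disabled service needs no further checks
    if [ "$disabled" = "yes" ]; then
        echo "$name: disabled"
        return 0
    fi
    # without only_from, xinetd accepts the connection from any address;
    # telnet and tftp carry no encryption, and tftp no authentication at all
    [ -z "$only_from" ] && echo "$name: no only_from, accepts connections from any address"
    # an alternate port hides nothing from a port scanner
    [ -n "$port" ] && echo "$name: listening on alternate port $port (obscurity, not encryption)"
    # tftpd-hpa's -s chroots in.tftpd into the served directory
    case "$name" in
        tftp) case " $server_args " in
                  *" -s "*) ;;
                  *) echo "$name: server_args lacks -s, in.tftpd is not chrooted" ;;
              esac ;;
    esac
    return 0
}
```

A loop such as for f in /etc/xinetd.d/*; do xinetd_check "$f"; done gives a quick inventory of which xinetd services are open to the world; after any change, remember that xinetd only re-reads the directory on a reload.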

Exercises for lab:

Exercise 1:- Configure xinetd to start at system boot.

Exercise 2:- Download / install Telnet and TFTP server.

Exercise 3:- Configure Telnet server and implement security for telnet access.

Exercise 4:- Configure TFTP server.

Home Work:

1) Compare FTP and TFTP protocol

2) Describe the purpose of xinetd program.

3) What is the main difference between TELNET and SSH servers


To understand web hosting with the Apache web server

Lab 24: Web Hosting With the Apache Web Server


Lab No. 24: Web Hosting With the Apache Web Server

Objective:

To familiarize students with the configuration of Apache Web Server.

Scope:

The students would be able to do the following at the end of this lab:

• To configure basic functions of Apache web server

• configure named virtual hosts

• configure IP-based virtual hosts

Useful Concepts:

General Configuration

The configuration file used by Apache is /etc/httpd/conf/httpd.conf in Red Hat / Fedora distributions and /etc/apache*/httpd.conf in older Debian / Ubuntu releases (newer ones use /etc/apache2/apache2.conf with per-site files under /etc/apache2/sites-available). As for most Linux applications, you must restart (or reload) Apache before changes to this configuration file take effect.

Where To Put Your Web Pages

All the statements that define the features of each web site are grouped together inside their own <VirtualHost> section, or container, in the httpd.conf file. The most commonly used statements, or directives, inside a <VirtualHost> container are:

ServerName: defines the name of the website managed by the <VirtualHost> container. This is needed in named virtual hosting only.

DocumentRoot: Defines the directory in which the web pages for the site can be found.

By default, Apache searches the DocumentRoot directory for an index, or home, page named index.html.

So for example, if you have a servername of www.my-site.com with a DocumentRoot directory of

/home/www/site1/, Apache displays the contents of the file /home/www/site1/index.html when you enter

http://www.my-site.com in your browser.

Named Virtual Hosting

You can make your Web server host more than one site per IP address by using Apache's named virtual

hosting feature. You use the NameVirtualHost directive in the /etc/httpd/conf/httpd.conf file to tell

Apache which IP addresses will participate in this feature.

The <VirtualHost> containers in the file then tell Apache where it should look for the Web pages used on

each Web site. You must specify the IP address for which each <VirtualHost> container applies.

Named Virtual Hosting Example

Consider an example in which the server is configured to provide content on 97.158.253.26. In the code

that follows, notice that within each <VirtualHost> container you specify the primary Web site domain

name for that IP address with the ServerName directive. The DocumentRoot directive defines the directory that contains the index page for that site.

NameVirtualHost 97.158.253.26


<VirtualHost *>

Default Directives. (In other words, not site #1 or site #2)

</VirtualHost>

<VirtualHost 97.158.253.26>

servername www.my-site.com

Directives for site #1

</VirtualHost>

<VirtualHost 97.158.253.26>

servername www.another-site.com

Directives for site #2

</VirtualHost>

IP-Based Virtual Hosting

The other virtual hosting option is to have one IP address per Web site, which is also known as IP-based

virtual hosting. In this case, you will not have a NameVirtualHost directive for the IP address, and you

must only have a single <VirtualHost> container per IP address.

Also, because there is only one Web site per IP address, the ServerName directive isn't needed in each

<VirtualHost> container, unlike in named virtual hosting.

IP Virtual Hosting Example: Wild Card and IP addresses

In this example, Apache listens on all interfaces, but gives different content for addresses 97.158.253.26

and 97.158.253.27. Web surfers get the site1 content if they try to access the web server on any of its other IP addresses.

<VirtualHost *>

DocumentRoot /home/www/site1

</VirtualHost>

<VirtualHost 97.158.253.26>

DocumentRoot /home/www/site2

</VirtualHost>

<VirtualHost 97.158.253.27>

DocumentRoot /home/www/site3

</VirtualHost>
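As an added example (not part of the manual or of Apache), the script below lists every <VirtualHost> container in a configuration file with its address, ServerName and DocumentRoot, and warns about the two named-hosting mistakes described above: several containers on one address without a NameVirtualHost directive (Apache 2.2 then serves only the first), and a named container without a ServerName. It models the Apache 2.2 directives used in this lab; Apache 2.4 treats every address as name-based and ignores NameVirtualHost. The configuration it is run against in the tests is constructed.

```shell
#!/bin/sh
# Summarise the <VirtualHost> containers in an httpd.conf and flag the two
# named-hosting mistakes this lab warns about. Added example, not part of the
# manual or of Apache; it models the Apache 2.2 rules described in the text
# (NameVirtualHost plus ServerName for name-based hosting).

# vhost_check FILE: one summary line per container, then WARN lines.
vhost_check() {
    awk '
    # directive names are case-insensitive in Apache, so compare lowered
    { d = tolower($1) }
    d == "namevirtualhost" { nvh[$2] = 1 }
    d == "<virtualhost" {
        n++; addr[n] = $2; sub(/>$/, "", addr[n]); per_addr[addr[n]]++
    }
    d == "servername"   { sn[n] = $2 }
    d == "documentroot" { dr[n] = $2 }
    END {
        for (i = 1; i <= n; i++) {
            a = addr[i]
            printf "%s servername=%s docroot=%s\n", a,
                   (sn[i] == "" ? "-" : sn[i]), (dr[i] == "" ? "-" : dr[i])
        }
        for (i = 1; i <= n; i++) {
            a = addr[i]
            # several containers for one address are only told apart by the
            # Host: header when that address is a NameVirtualHost; otherwise
            # Apache 2.2 serves the first container and ignores the rest
            if (a != "*" && per_addr[a] > 1 && !(a in nvh) && !warned[a]++)
                print "WARN " a ": several containers but no NameVirtualHost; only the first is served"
            # a name-based container without ServerName can never be chosen by name
            if ((a in nvh) && sn[i] == "")
                print "WARN " a ": named container without ServerName"
        }
    }' "$1"
}
```

Run it as vhost_check /etc/httpd/conf/httpd.conf; the summary lines double as a check that each DocumentRoot is the directory you intended before you test the sites in a browser.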

Exercises for lab:

Exercise 1:- Configure Apache server to load at system startup.

Exercise 2:- Configure multiple websites on a single IP address.

Exercise 3:- Configure different websites on different IP addresses.

Home Work:

1) Write the configuration lines required to set up a web server with IP address 25.15.12.14 for two websites that have the web addresses course.nos.com and nos.operatingsystem.com respectively.


To understand network performance Monitoring

Lab 25: Monitoring Server Performance


Lab No. 25: Monitoring Server Performance

Objective:

To familiarize students with the use of graphical Linux tools, including MRTG and Webalizer, to monitor server performance.

Scope:

On the completion of this lab, students will be able to:

• Use MRTG

• Download and Install MRTG

• Configuring MRTG

• Getting MRTG To Poll Multiple Devices

• Configuring Apache To Work With MRTG

• Webalizer

• View Your Webalizer Statistics

• Understand The Webalizer Configuration File

Useful Concepts:

SNMP

• Simple Network Management Protocol, a protocol for network management

MIB

• Management Information Base

• The tree of managed objects a device exposes over SNMP; MIB files define the name, type and meaning of each OID in that tree

OID

• Object identifier

• The dotted-decimal name (for example .1.3.6.1.2.1.2 for the interfaces subtree) of one object or subtree in the MIB

MRTG

• Multi-Router Traffic Grapher

• Based on SNMP and monitors raw network traffic

• A free, open-source (GPL) package for producing graphs of various router statistics via a Web page

Webalizer

• A utility that tracks Web site hits, to monitor your system's Web performance

Exercise-1:- This exercise illustrates SNMP Queries

Configuring SNMP on a server isn't hard, but it does require a number of detailed steps.

Installing SNMP Utilities on a Linux Server

If you intend to use your Linux box to query your network devices, other servers or even itself using

MRTG or any other tool, you need to have the SNMP utility tools package net-snmp-utils installed. This package may also require prerequisite packages, so it is best to use an automated package updater such as yum or apt to do this.


When searching for these packages the filenames will start with the package name followed by a version

number, as in net-snmp-utils-5.1.1-2.i386.rpm

SNMP Utilities Command Syntax

The SNMP utility tools package installs a number of new commands on your system for doing SNMP queries, most notably snmpget for individual OIDs and snmpwalk for obtaining the contents of an entire MIB subtree. Both commands require you to specify the community string with the -c option. They also require you to specify the version of the SNMP query to be used with a -v 1, -v 2c, or -v 3 option for versions 1, 2c, and 3, respectively. The first argument is the name or IP address of the target device and all other arguments name the OIDs or subtrees to be queried.

This example gets all the values in the interfaces subtree of the IF-MIB on the local server using SNMP version 1 and the community string craz33guy.

[root@bigboy tmp]# snmpwalk -v 1 -c craz33guy localhost interfaces
...
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: eth0
IF-MIB::ifDescr.3 = STRING: eth1
...
IF-MIB::ifPhysAddress.1 = STRING:
IF-MIB::ifPhysAddress.2 = STRING: 0:9:5b:2f:9e:d5
IF-MIB::ifPhysAddress.3 = STRING: 0:b0:d0:46:32:71
...
[root@bigboy tmp]#

Upon inspecting the output of the snmpwalk command, you can see that the second interface seems to

have the name eth0 and the MAC address 0:9:5b:2f:9e:d5. You can now retrieve the individual MAC ad-

dress using the snmpget command.

[root@bigboy tmp]# snmpget -v 1 -c craz33guy localhost ifPhysAddress.2

IF-MIB::ifPhysAddress.2 = STRING: 0:9:5b:2f:9e:d5

[root@bigboy tmp]#

You can confirm this information using the ifconfig command for interface eth0; the very first line shows

a matching MAC address.

[root@bigboy tmp]# ifconfig -a eth0

eth0 Link encap:Ethernet HWaddr 00:09:5B:2F:9E:D5

inet addr:216.10.119.244 Bcast:216.10.119.255 Mask:255.255.255.240

...

...

[root@bigboy tmp]#

You'll now see how you can configure SNMP on your Linux server to achieve these results.

Configuring Simple SNMP on a Linux Server

By default Fedora installs the net-snmp package as its SNMP server product. This package uses a configuration file named /etc/snmp/snmpd.conf in which the community strings and other parameters may be set. The version of the configuration file that comes with net-snmp is quite complicated. I suggest archiving it and using a much simpler version with only a single line containing the keyword rocommunity followed by the community string. Note that rocommunity with no source argument accepts that community from any host; the Basic SNMP Security section shows how to limit it. Here is an example.


1) Save the old configuration file

[root@bigboy tmp]# cd /etc/snmp/

[root@bigboy snmp]# mv snmpd.conf snmpd.conf.old

[root@bigboy snmp]# vi snmpd.conf

2) Enter the following line in the new configuration file to set the Read Only community string to

craz33guy.

rocommunity craz33guy

3) Configure Linux to start SNMP services on each reboot with the chkconfig command:

[root@bigboy root]# chkconfig snmpd on

[root@bigboy root]#

4) Start SNMP to load the current configuration file.

[root@bigboy root]# service snmpd start

Starting snmpd: [ OK ]

[root@bigboy root]#

5) Test whether SNMP can read the system and interface MIBs using the snmpwalk command.

[root@bigboy snmp]# snmpwalk -v 1 -c craz33guy localhost system

SNMPv2-MIB::sysDescr.0 = STRING: Linux bigboy 2.4.18-14 #1 Wed Sep 4

11:57:57 EDT 2002 i586

SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10

SNMPv2-MIB::sysUpTime.0 = Timeticks: (425) 0:00:04.25

SNMPv2-MIB::sysContact.0 = STRING: root@localhost

SNMPv2-MIB::sysName.0 = STRING: bigboy

...

...

...

[root@bigboy snmp]# snmpwalk -v 1 -c craz33guy localhost interfaces

IF-MIB::ifNumber.0 = INTEGER: 3

IF-MIB::ifIndex.1 = INTEGER: 1

IF-MIB::ifIndex.2 = INTEGER: 2

IF-MIB::ifIndex.3 = INTEGER: 3

IF-MIB::ifDescr.1 = STRING: lo

IF-MIB::ifDescr.2 = STRING: wlan0

IF-MIB::ifDescr.3 = STRING: eth0

...

...

...

[root@bigboy snmp]#

Now that you know SNMP is working correctly on your Linux server, you can configure SNMP statistics

gathering software, such as MRTG, to create online graphs of your traffic flows.

SNMP on Other Devices

In the example, you were polling localhost. You can poll any SNMP-aware network device that has

SNMP enabled. All you need is the IP address and SNMP Read Only string and you'll be able to get simi-

lar results. Here is an example of a query of a device with an IP address of 192.168.1.1.

[root@bigboy snmp]# snmpwalk -v 1 -c chir1qui 192.168.1.1 interfaces

Note: When issuing snmpwalk and snmpget commands, remember to use the proper version switch (-v 1,

-v 2c, or -v 3) for the version of SNMP you're using.

Basic SNMP Security


The security precautions that need to be taken with SNMP vary depending on the version you are using.

This section outlines the basic steps for protecting your MIB data.

SNMP Versions 1 and 2

SNMP versions 1 and 2c, the most commonly supported, send the community string in clear text with every query, so anyone who can sniff the traffic learns it; don't do queries over insecure networks such as the Internet. You should also use all reasonable measures to allow queries only from trusted IP addresses, either via a firewall or via the access-control features of the snmpd.conf file.

In case you need it, the snmpd.conf file can support limiting MIB access to trusted hosts and networks.

The snmpd.conf file has two security sections; a section with very restrictive access sits at the top of the

file and is immediately followed by a less restrictive section. The example that follows is a modification

of the less restrictive section. You will have to comment out the more restrictive statements at the top of

the file for it to work correctly.

## sec.name source community
## ======== ====== =========
com2sec local localhost craz33guy
com2sec network_1 172.16.1.0/24 craz33guy
com2sec network_2 192.168.2.0/24 craz33guy

## Access.group.name sec.model sec.name
## ================= ========= ========
group MyROGroup_1 v1 local
group MyROGroup_1 v1 network_1
group MyROGroup_2 v2c network_2

## MIB.view.name incl/excl MIB.subtree mask
## ============== ========= =========== ====
view all-mibs included .1 80

## MIB
## group.name context sec.model sec.level prefix read write notif
## ========== ======= ========= ========= ====== ==== ===== =====
access MyROGroup_1 "" v1 noauth exact all-mibs none none
access MyROGroup_2 "" v2c noauth exact all-mibs none none

In our example:

Only three networks (localhost, 172.16.1.0/24, and 192.168.1.0/24) are allowed to access the server with the craz33guy community string.

Each network is matched to either a group called MyROGroup_1 using SNMP version 1, or a group called MyROGroup_2 using SNMP version 2.

All the MIBs on the server are defined by the view named all-mibs.

An access statement ensures that only the defined networks have read only access to all the MIBs. MyROGroup_1 only has version 1 access, with MyROGroup_2 only having version 2 access.

Modification of the MIBs via SNMP is denied because the word "none" is in the write section of the access statement.

These precautions are probably unnecessary in a home environment where access is generally limited to devices on the home network by a NAT firewall.
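The com2sec, group and access chain above can be checked before you restart snmpd. The Python script below is an added example (not part of the lab manual) that parses the fragment shown above, embedded as constructed input, and reports which read and write views a query from a given source address, community string and SNMP version would receive; it is a simplified model of net-snmp's lookup (no "any" security model, no context or OID prefix matching) and all names are my own.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed input: the less restrictive snmpd.conf section from the lab text.
SNMPD_CONF = """
com2sec local       localhost       craz33guy
com2sec network_1   172.16.1.0/24   craz33guy
com2sec network_2   192.168.2.0/24  craz33guy
group   MyROGroup_1 v1  local
group   MyROGroup_1 v1  network_1
group   MyROGroup_2 v2c network_2
view    all-mibs included .1 80
access  MyROGroup_1 "" v1  noauth exact all-mibs none none
access  MyROGroup_2 "" v2c noauth exact all-mibs none none
"""


@dataclass
class Policy:
    com2sec: list = field(default_factory=list)  # (secname, network, community)
    groups: list = field(default_factory=list)   # (group, model, secname)
    access: list = field(default_factory=list)   # (group, model, read, write)


def parse_snmpd_conf(text):
    """Collect the com2sec, group and access lines that decide community access."""
    pol = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] == "com2sec":
            # com2sec SECNAME SOURCE COMMUNITY; "localhost"/"default" are keywords
            source = {"localhost": "127.0.0.1/32", "default": "0.0.0.0/0"}.get(tok[2], tok[2])
            pol.com2sec.append((tok[1], ipaddress.ip_network(source, strict=False), tok[3]))
        elif tok[0] == "group":
            # group GROUP MODEL SECNAME
            pol.groups.append((tok[1], tok[2], tok[3]))
        elif tok[0] == "access":
            # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            pol.access.append((tok[1], tok[3], tok[6], tok[7]))
    return pol


def evaluate(pol, src_ip, community, version):
    """Return (read_view, write_view) for a query, or None if snmpd would ignore it."""
    ip = ipaddress.ip_address(src_ip)
    # 1. com2sec: source address + community string -> security name(s)
    secnames = [n for n, net, comm in pol.com2sec if ip in net and comm == community]
    if not secnames:
        return None
    # 2. group: security name + security model (v1/v2c) -> group(s)
    groups = [g for g, model, n in pol.groups if n in secnames and model == version]
    if not groups:
        return None
    # 3. access: group + model -> views; the word "none" means no access at all
    for g, model, read, write in pol.access:
        if g in groups and model == version:
            return (None if read == "none" else read, None if write == "none" else write)
    return None


if __name__ == "__main__":
    policy = parse_snmpd_conf(SNMPD_CONF)
    for ip, comm, ver in [("172.16.1.5", "craz33guy", "v1"), ("172.16.1.5", "craz33guy", "v2c"),
                          ("192.168.2.7", "craz33guy", "v2c"), ("10.0.0.3", "craz33guy", "v1"),
                          ("127.0.0.1", "public", "v1")]:
        print(ip, comm, ver, "->", evaluate(policy, ip, comm, ver))
```

A query from 172.16.1.5 gets (read=all-mibs, write=None) with version 1 but nothing with version 2c, because network_1 only belongs to the v1 group; 10.0.0.3 matches no com2sec line and is dropped entirely.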

SNMP Version 3

SNMP version 3 (SNMPv3) is a much more secure alternative to earlier versions as it encrypts all its data and uses a username / password combination for client authentication. The username should be located in the /etc/snmp/snmpd.conf file with a corresponding automatically generated password located in the /var/net-snmp/snmpd.conf file. Here is how it's done.

1. Install the net-snmp-devel package as it contains the utility that will allow you to generate the password.

2. Stop the snmpd process.

[root@bigboy tmp]# service snmpd stop

Stopping snmpd: [ OK ]

[root@bigboy tmp]#

3. Automatically create the /etc/snmp/snmpd.conf and /var/net-snmp/snmpd.conf username and password entries using the net-snmp-config command. In this example the authentication password of "rootsrockreggae" for the read only (-ro) username "username4snmpv3" is encrypted using the MD5 algorithm. The data received will not be encrypted.

[root@bigboy tmp]# net-snmp-config --create-snmpv3-user -ro \

-a MD5 -A rootsrockreggae username4snmpv3

adding the following line to /var/net-snmp/snmpd.conf:

createUser username4snmpv3 MD5 "rootsrockreggae" DES

adding the following line to /etc/snmp/snmpd.conf:

rouser username4snmpv3

[root@bigboy tmp]# service snmpd start

Starting snmpd: [ OK ]

[root@bigboy tmp]#

4. To encrypt the data received we use the net-snmp-config command again to create a username just for this purpose. A new read only username "securev3user" and authentication password "mandeville" are used, but this time the data will be encrypted using the DES algorithm with the privacy password of "savlamar".

[root@bigboy tmp]# net-snmp-config --create-snmpv3-user -ro \

-a MD5 -A mandeville -x DES -X savlamar securev3user

adding the following line to /var/net-snmp/snmpd.conf:

createUser securev3user MD5 "mandeville" DES savlamar

adding the following line to /etc/snmp/snmpd.conf:

rouser securev3user

[root@bigboy tmp]#

5. Start the snmpd process.

[root@bigboy tmp]# service snmpd start

Starting snmpd: [ OK ]

[root@bigboy tmp]#

6. First we'll do a query from remote host smallfry. We specify the authentication password and authentication encryption method, and we also use the -l flag to indicate that authentication will be used, but that data privacy will be disabled (the authNoPriv option).

[root@smallfry ~]# snmpget -v 3 -u username4snmpv3 -l authNoPriv \
-a MD5 -A rootsrockreggae 192.168.1.100 SNMPv2-MIB::sysORDescr.8
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Securit
[root@smallfry ~]#

The query returns an easy to read string, "The management information definitions for the SNMP User-based Security Model". This unencrypted string can also be seen in the tshark packet capture of the server's interface.

[root@bigboy tmp]# tshark -n -i eth1 -x port 161


Capturing on eth1

...

...

...

0.005889 192.168.1.100 -> 192.168.1.50 SNMP get-response

0000 00 c0 4f 46 0c 2e 00 b0 d0 46 32 71 08 00 45 00 ..OF.....F2q..E.

0010 00 f0 00 00 40 00 40 11 b3 b2 c0 a8 02 c8 c0 a8 ....@.@.........

0020 02 32 00 a1 80 0a 00 dc 87 38 30 81 d1 02 01 03 .2.......80.....

0030 30 11 02 04 45 a2 23 54 02 03 00 ff e3 04 01 01 0...E.#T........

0040 02 01 03 04 38 30 36 04 0d 80 00 1f 88 80 71 11 ....806.......q.

0050 68 72 0e b1 e7 45 02 01 12 02 01 39 04 0f 75 73 hr...E.....9..us

0060 65 72 6e 61 6d 65 34 73 6e 6d 70 76 33 04 0c 46 ername4snmpv3..F

0070 6c 74 26 51 4d aa 65 61 59 06 1a 04 00 30 7f 04 lt&QM.eaY....0..

0080 0d 80 00 1f 88 80 71 11 68 72 0e b1 e7 45 04 00 ......q.hr...E..

0090 a2 6c 02 04 43 4e da d7 02 01 00 02 01 00 30 5e .l..CN........0^

00a0 30 5c 06 0a 2b 06 01 02 01 01 09 01 03 08 04 4e 0\..+..........N

00b0 54 68 65 20 6d 61 6e 61 67 65 6d 65 6e 74 20 69 The management i

00c0 6e 66 6f 72 6d 61 74 69 6f 6e 20 64 65 66 69 6e nformation defin

00d0 69 74 69 6f 6e 73 20 66 6f 72 20 74 68 65 20 53 itions for the S

00e0 4e 4d 50 20 55 73 65 72 2d 62 61 73 65 64 20 53 NMP User-based S

00f0 65 63 75 72 69 74 79 20 4d 6f 64 65 6c 2e ecurity Model.

4 packets captured

[root@bigboy tmp]#

7. Next we'll do a query that will return a response over an encrypted data channel while crossing the network (the authPriv option).

[root@smallfry ~]# snmpget -v 3 -u securev3user -l authPriv \
-a MD5 -A mandeville -x DES -X savlamar 192.168.1.100 SNMPv2-MIB::sysORDescr.8
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Securit
[root@smallfry ~]#

The query returns the same string, but the tshark packet capture only sees encrypted data, with only the username being visible.

[root@bigboy tmp] # tshark -n -i eth1 -x port 161

Capturing on eth1

...

...

...

0.003675 192.168.1.200 -> 192.168.1.50 SNMP Source port: 161 Destination port: 32778 [UDP CHECKSUM INC

0000 00 c0 4f 46 0c 2e 00 b0 d0 46 32 71 08 00 45 00 ..OF.....F2q..E.

0010 01 00 00 00 40 00 40 11 b3 a2 c0 a8 02 c8 c0 a8 ....@.@.........

0020 02 32 00 a1 80 0a 00 ec 87 48 30 81 e1 02 01 03 .2.......H0.....

0030 30 11 02 04 17 52 82 96 02 03 00 ff e3 04 01 03 0....R..........

0040 02 01 03 04 3e 30 3c 04 0d 80 00 1f 88 80 71 11 ....>0<.......q.

0050 68 72 0e b1 e7 45 02 01 11 02 02 00 8e 04 0c 73 hr...E.........s

0060 65 63 75 72 65 76 33 75 73 65 72 04 0c 01 b2 00 ecurev3user.....

0070 6e 23 07 83 dc a2 b6 d6 3d 04 08 00 00 00 11 4e n#......=......N

0080 df 19 a3 04 81 88 36 dd e0 ce e0 52 19 ff 58 7e ......6....R..X~

0090 be fa d1 96 20 2b 28 65 59 30 e8 d4 cb 18 9f 8f .... +(eY0......

00a0 1e 5b a3 d6 ae f7 4a 86 bd ed 2a 4b a8 df 52 fb .[....J...*K..R.

00b0 00 b4 a8 37 3d 74 9e 6d 1d 56 9a ba f2 13 fa 72 ...7=t.m.V.....r

00c0 4d 47 fb 88 7b d3 54 e1 9d b3 66 f0 29 ab 8a 55 MG..{.T...f.)..U

00d0 6f 77 65 40 87 ab 0c 51 d9 0e bf 33 7f 9a cb ea owe@...Q...3....

00e0 37 50 3c 8e 65 dd 8f 3c 49 71 96 59 f9 d3 a8 23 7P<.e..<Iq.Y...#


00f0 81 c6 1b b2 c2 d0 57 9b 98 1b 89 1e ca 77 3d 84 ......W......w=.

0100 6f af b6 9b 86 3a 2f 66 44 1a 41 51 03 bc o....:/fD.AQ..

4 packets captured

[root@bigboy tmp] #

8. Your password and privilege information are stored in /var/net-snmp/snmpd.conf using the format displayed when you used the net-snmp-config command. Here is an example.

# File: /var/net-snmp/snmpd.conf before SNMP starts
createUser securev3user MD5 "mandeville" DES savlamar
createUser username4snmpv3 MD5 "rootsrockreggae" DES

The snmpd daemon will completely encrypt the SNMP password data in this file when it restarts, which helps to further increase security. We can see an example of this configuration here.

# File: /var/net-snmp/snmpd.conf after SNMP starts
usmUser 1 3 0x80001f88780711168720eb1e745 0x73656375626576337573657200 0x73656375726576337573657200 NULL .1.3.6.1.6.3.10.1.1.2 0xd951ac1d95033f4afgf31243eb6907df .1.3.6.1.6.3.10.1.2.2 0xf1f4bb00452211d27b50c273c09031ac 0x00
usmUser 1 3 0x80001f8880711168720eb1e745 0x757365726e61657534736e6d70763300 0x757365726e616d6534736e6d70763300 NULL .1.3.6.1.6.3.10.1.1.2 0x5e35c9f5352519aa4f53eded09bbdddd .1.3.6.1.6.3.10.1.2.2 0x5e35c9f5122519aa4f53eded09bbdddd ""
setserialno 1464593474

Practice using the net-snmp-config command so that you can become familiar with the syntax it uses to edit the SNMP configuration files. When in doubt, you can get a full syntax listing of the command if you use it without any arguments like this:

[root@bigboy tmp]# net-snmp-config

...

...

SNMP Setup commands:

--create-snmpv3-user [-ro] [-A authpass] [-X privpass]

[-a MD5|SHA] [-x DES|AES] [username]

...

...

[root@bigboy tmp]#

With experience, you should become confident enough to edit the configuration files by yourself.

As you can see, SNMPv3 is more secure than previous versions and should be your first SNMP choice whenever possible.

Simple SNMP Troubleshooting

If your SNMP queries fail, then verify that:

• You restarted snmpd after editing the snmpd.conf file so the configuration settings become active. Remember, the snmpd.conf file is only read by the snmpd daemon when it starts up.

• You are using the correct community string.

• Firewalls aren't preventing SNMP queries from the SNMP client to the SNMP target.

• Your SNMP security policy allows the query from your network.

• Any TCP wrappers configuration on your SNMP target machine allows SNMP queries from your SNMP client. Generally speaking, in a home environment protected by NAT your TCP wrappers files (/etc/hosts.allow and /etc/hosts.deny) should be blank.

• Network routing between the client and target devices is correct. A simple ping or traceroute test should be sufficient.

• The snmpd daemon is running on the SNMP client.

• You are querying using the correct SNMP version.

• Your /var/log/messages file does not contain errors that may have occurred while starting snmpd.

Troubleshooting to get functioning SNMP queries is important as many other supporting applications, such as MRTG which I'll discuss next, rely on them in order to work correctly.

MRTG

The MRTG product is available from the MRTG Web site (www.mrtg.org) and also on your distribution CDs.

Figure shows a sample MRTG graph

MRTG Download and Installation


You need to install MRTG before proceeding. Most RedHat and Fedora Linux software products are available in the RPM format. When searching for the file, remember that the MRTG RPM's filename usually starts with mrtg and a version number, as in mrtg-2.10.5-3.i386.rpm.

In addition to MRTG, you need to install the SNMP utility tools as explained earlier and you need to have a Web server package installed for MRTG to work. RedHat Linux usually comes with the Apache Web server software preinstalled. The easiest way to tell if Apache is installed is to run the rpm -q httpd command. If you don't get a positive response, you can refer to Chapter 20, "The Apache Web Server", for installation details.

By default Apache expects the HTML files for your Web site to be located in /var/www/html. MRTG places its HTML files in /var/www/mrtg.

Configuring MRTG

By default, MRTG maps the inbound and outbound data throughput rates on the device it is polling. Methods for specifying other OIDs, such as CPU and memory usage, are discussed in Chapter 23, "Advanced MRTG for Linux". For now, I'll stick with the default configuration.

When the MRTG RPM is installed, it creates a directory called /etc/mrtg in which all future configuration files are stored. To create a replacement default /etc/mrtg/mrtg.cfg configuration file for the server, follow these steps.

1) Use MRTG's cfgmaker command to create a configuration file named mrtg.cfg for the server (bigboy) using a Read Only community string of craz33guy. Place all data files in the directory /var/www/mrtg.

[root@bigboy tmp]# cfgmaker --output=/etc/mrtg/mrtg.cfg \

--global "workdir: /var/www/mrtg" -ifref=ip \

--global 'options[_]: growright,bits' \

craz33guy@localhost

--base: Get Device Info on craz33guy@localhost:

--base: Vendor Id:

--base: Populating confcache

--snpo: confcache craz33guy@localhost: Descr lo --> 1

--snpo: confcache craz33guy@localhost: Descr wlan0 --> 2

...

...

...

--base: Walking ifAdminStatus

--base: Walking ifOperStatus

--base: Writing /etc/mrtg/mrtg.cfg

[root@bigboy tmp]#

SNMPv2: As explained in the SNMP section, there are different versions of SNMP. If your query doesn't work, check to make sure you are using the required version and then check other SNMP configuration parameters on the target device. You can specify MRTG's SNMP query version with the --snmp-options cfgmaker option. Here is an example of cfgmaker using an SNMP version 2 query of a router with an IP address of 192.168.1.3. The --snmp-options option's five colons before the 2 are important.

[root@bigboy tmp]# cfgmaker --output=/etc/mrtg/192.168.1.3.cfg \
-ifref=ip --global "workdir: /var/www/mrtg" \
--snmp-options=:::::2 craz33guy@192.168.1.3

SNMPv3: The cfgmaker command can also be used to poll SNMPv3 enabled devices, but you have to first install the Net::SNMP PERL module.

[root@bigboy tmp]# yum -y install perl-Net-SNMP


or

[root@bigboy tmp]# perl -MCPAN -e "install Net::SNMP"

If you fail to install the module, you will get an error looking like this:

Undefined subroutine &main::snmpmapOID called at ./cfgmaker line 1480.

Next you need to know the SNMPv3 engine ID of the host you intend to poll. In Fedora, this value is located in the /var/net-snmp/snmpd.conf file. You can use the grep command to obtain it.

[root@bigboy tmp]# grep oldEngineID /var/net-snmp/snmpd.conf

oldEngineID 0x80001f8880711168720eb1e745

[root@bigboy tmp]#

You can then repeat the cfgmaker command with options specific to the privacy and authentication schemes configured on the SNMP target device. Using the configurations of our previous SNMPv3 example, our configuration for encrypted authentication only would look like this:

[root@bigboy tmp]# cfgmaker --global 'WorkDir: /var/www/mrtg' \
--global 'Options[_]: growright, bits' \
--output=/etc/mrtg/192.168.1.100.cfg \
--enablesnmpv3 --username=username4snmpv3 \
--authpassword=rootsrockreggae --authproto=md5 \
--snmp-options=:::::3 \
--contextengineid=0x80001f8880711168720eb1e745 \
craz33guy@192.168.1.100

Our configuration for encrypted authentication plus data privacy would look like this:

[root@bigboy tmp]# cfgmaker --global 'WorkDir: /var/www/mrtg' \
--global 'Options[_]: growright, bits' \
--output=/etc/mrtg/192.168.1.100-secure.cfg \
--enablesnmpv3 --username=securev3user --authpassword=mandeville \
--authproto=md5 --privpassword=savlamar --privprotocol=des \
--snmp-options=:::::3 \
--contextengineid=0x80001f8880711168720eb1e745 \
craz33guy@192.168.1.100

Note: The MRTG cfgmaker command reliably supports SNMPv3 as of MRTG version 2.15. Prior to this version you would commonly see this error when attempting to do SNMPv3 queries.

SNMP V3 requires a --username parameter as part of the User Security
Model for router craz33guy@192.168.1.100

2) Edit /etc/mrtg/mrtg.cfg, and remove the sections related to interfaces you don't need to monitor. A certain candidate would be the virtual loopback interface lo (with the IP address of 127.0.0.1), which doesn't pass any network traffic at all.

3) Run MRTG using /etc/mrtg/mrtg.cfg as your argument three times. You'll get errors the first two times as MRTG tries to move old data files, and naturally, the first time it is run, MRTG has no data files to move.

[root@bigboy tmp]# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
Rateup WARNING: /usr/bin/rateup could not read the primary log file for localhost_192.168.1.100
Rateup WARNING: /usr/bin/rateup The backup log file for localhost_192.168.1.100 was invalid as well
Rateup WARNING: /usr/bin/rateup Can't remove localhost_192.168.1.100.old updating log file
Rateup WARNING: /usr/bin/rateup Can't rename localhost_192.168.1.100.log to localhost_192.168.1.100.old u
[root@bigboy tmp]# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
Rateup WARNING: /usr/bin/rateup Can't remove localhost_192.168.1.100.old updating log file
[root@bigboy tmp]# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
[root@bigboy tmp]#

4) Use MRTG's indexmaker command to create a Web index page using your new mrtg.cfg file as a guide. The MRTG Web GUI expects to find the index file in the default MRTG Web directory of /var/www/mrtg/, so the format of the command would be:

[root@bigboy tmp]# indexmaker --output=/var/www/mrtg/index.html \
/etc/mrtg/mrtg.cfg

5) MRTG is run every five minutes by default, and the file that governs this is /etc/cron.d/mrtg. For MRTG to work correctly, edit this file, replacing all occurrences of /usr/bin/mrtg with env LANG=C /usr/bin/mrtg. The explanation for changing the language character set for MRTG is given in the "Troubleshooting MRTG" section.

This isn't all; you need to view the graphs too. This will be covered later, but first I'll show you how to poll multiple devices.

Getting MRTG to Poll Multiple Devices

The Fedora Core MRTG installation process creates a cron file named /etc/cron.d/mrtg. This file tells the cron daemon to run MRTG using the /etc/mrtg/mrtg.cfg file every five minutes to poll your network devices. You can configure MRTG to poll multiple devices, each with a separate configuration file. Here's how:

1) Create a new configuration file using the steps from the previous section; choose a filename that is not mrtg.cfg.

2) Add a new MRTG line in /etc/cron.d/mrtg for each new configuration file you create.

0-59/5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg

0-59/5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/device1.cfg

0-59/5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/device2.cfg

3) Run the indexmaker command, and include all of your /etc/mrtg configuration files, to regenerate your Web index page.

[root@bigboy tmp]# indexmaker --output=/var/www/mrtg/index.html \

/etc/mrtg/mrtg.cfg /etc/mrtg/device1.cfg /etc/mrtg/device2.cfg

4) Other versions of Linux keep their MRTG cron entries inside the /etc/crontab file. Edit this file using the same syntax as the Fedora /etc/cron.d/mrtg file, and then restart the cron daemon to re-read the configuration:

[root@bigboy tmp]# service crond restart

You could also create a script with the /usr/bin/mrtg /etc/mrtg/device.cfg entries in it and make cron run it every five minutes. This way you can just edit the script each time you add a device without having to restart cron.

Configuring Apache to Work With MRTG

MRTG is useful because it can provide a graphical representation of your server's performance statistics via a Web browser.

With Fedora Core, MRTG creates an add-on configuration file named /etc/httpd/conf.d/mrtg.conf that includes all the necessary Apache commands for MRTG to work.

Some configuration may need to be done, because by default MRTG accepts Web requests from the Linux console only. You can add your home network to the file by inserting the network on the Allow from line, or you can allow universal access by commenting out that line along with the Deny from line. This example adds access from the 192.168.1.0 network.

<Location /mrtg>
Order deny,allow
Deny from all
Allow from localhost 192.168.1.0/24
</Location>

If you want to access MRTG from the Internet, then you'll have to comment out the Deny statement and allow from all IP addresses:

<Location /mrtg>
Order deny,allow
Allow from all
</Location>

Remember to restart Apache once you have made these modifications in order for these changes to take effect.

Note: With newer versions of Fedora, Apache automatically reads the add-on files in the /etc/httpd/conf.d/ directory. With Fedora Core 1, you have to specifically configure the Apache configuration file /etc/httpd/conf/httpd.conf to find it. You can do this yourself by inserting this line at the very bottom of the main Apache configuration file before restarting Apache for the change to take effect.

include "/etc/httpd/conf.d/mrtg.conf"

Basic Security

If you are accessing MRTG graphs from the Internet, you may want to add password protection to the directory by using a .htaccess file.

How To View The MRTG Graphs In Your Web Browser

You can now access your MRTG graphs by pointing your browser to the URL:

http://server-ip-address/mrtg/

Exercise-2:- This exercise gives an introduction to the use of the Webalizer utility

Webalizer is a Web server log file analysis tool that comes installed by default on RedHat/Fedora Linux. Each night, Webalizer reads your Apache log files and creates a set of Web pages that enable you to view Web surfer statistics for your site. The information provided includes a list of your Web site's most popular pages sorted by hits along with traffic graphs showing the times of day when your site is most popular.

How to View Your Webalizer Statistics

Fedora creates an add-on configuration file named /etc/httpd/conf.d/Webalizer.conf that includes all the necessary Apache commands for Webalizer to work. As in the case of the MRTG add-on file mentioned above, you have to edit it to allow access to the Webalizer pages from locations other than the Linux console. You also have to restart Apache to make the changes take effect.

By default, Webalizer places its index page in the directory /var/www/html/usage and allows you to view your data by visiting the URL http://server-ip-address/usage.

The Webalizer Configuration File


Webalizer stores its configuration in the file /etc/Webalizer.conf. The default settings should be sufficient for your Web server, but you may want to adjust the directory in which Webalizer places your graph statistics. This can be adjusted with the OutputDir directive in the file. After adjustments, Webalizer functions with few annoyances; however, be aware that running in quiet mode could hide deeper problems that could occur in future.

The vmstat Command

You can determine memory and swap usage with the vmstat command, which provides a summary of what top produces. In the example, memory is still 14% free (57,452MB used from a total of 130,780) and swap isn't being used at all.

[root@bigboy tmp]# vmstat
procs memory swap io system cpu
r b w swpd free buff cache si so bi bo in cs us sy id
0 0 0 0 57452 101584 130780 0 0 0 4 18 1 3 1 1
[root@bigboy tmp]#

As your memory fills up, your system will temporarily store programs and data on your hard disk's "swap" partition. Excess swapping of programs and data between disk and memory can cause your system to slow down significantly, and memory usage should be monitored to allow you to plan ways to either increase RAM or tune the way your system operates. System tuning is beyond the scope of this book, but there are many reference guides which can show you how to do this.

The free Utility

The free utility can determine the amount of free RAM on your system. The output is easier to understand than vmstat's. Here's a sample.

[root@bigboy tmp]# free
total used free shared buffers cached
Mem: 126060 119096 6964 0 58972 40028
-/+ buffers/cache: 20096 105964
Swap: 522072 15496 506576
[root@bigboy tmp]#

You should generally try to make your system run with at least 20% free memory on average, which should allow it to handle moderate spikes in usage caused by running memory-intensive cron batch jobs or tape backups. If you cannot achieve this, consider running more efficient versions of programs, offloading some applications to servers with less load, and, of course, upgrading the capacity of your RAM.

Exercises for lab:

Exercise 1:- Write an SNMP query to get all the values in the interface MIB of the local server using SNMP version 1 and the community string of 10.0.0.3 (a node in your local network).

Home Work:


To understand the Linux Installation over the network

Lab 26: Network Based Linux Installation


Lab No. 26: Network Based Linux Installation

Objective:

You will be introduced to the Linux installation over the network using an FTP, NFS or HTTP server.

Scope:

On the completion of this lab, you will be able to:

• Set Up The Installation Server

• Create a Kickstart Boot CD

• Automating Installation With Kickstart

Useful Concepts:

Network installation

• Installation of the OS from a remote installation server, as opposed to local installation from CD or local hard disk.

Kickstart Server

• Server that holds the OS installation image; it provides a much faster installation procedure than using CDs, and the process can be automated.

Procedure at a glance

The procedure is fairly simple:

• Connect the new server (installation client) to the same network as the server with the pre-loaded installation files (installation server).

• Boot the installation client from a specially created boot CD.

• Enter your preferred installation method (FTP, HTTP, NFS) and the needed network parameters to do this.

• The installation procedure will then continue with the more familiar Fedora Linux installation screens. Enter your selections and then complete the installation.

This manual will set up a single installation server (bigboy) with an IP address of 192.168.1.100.

Exercise-1:- This exercise demonstrates how to Set Up the Installation Server

Kickstart can be configured on an FTP, NFS or Apache server. Each method is explained below, but my experience has been that the Apache server has a number of advantages over the other two. Using a web server for kickstart is generally easier because:

• Sometimes a kickstart server has to be located on a remote network, often passing through a firewall. Strict firewall rules for HTTP are generally easier to configure than those for FTP or NFS.

• The http:// nomenclature used by kickstart for accessing files is more familiar to users than that used for NFS and FTP. This may be important for you when configuring files for automated kickstart installation.

Basic Preparation

In this example we are going to set up a kickstart server that will be used in Fedora Core installations. All the necessary files will be placed in the /data/network-install directory.


Create The Installation Directories

We'll first create the directories /data/network-install/RPM and /data/network-install/ISO into which we will copy the necessary files.

[root@bigboy tmp]# mkdir -p /data/network-install/RPM

[root@bigboy tmp]# mkdir -p /data/network-install/ISO

You now need to place the network installation driver files into the base directory.

Copying The Files

The HTTP, NFS and FTP kickstart methods all require the base set of Fedora files to be installed on the kickstart server. Here's how to do it:

1) Create a mount point for your CD ROM drive.

[root@bigboy tmp]# mkdir /mnt/cdrom

2) Mount your first Fedora CD ROM.

[root@bigboy tmp]# mount /dev/cdrom /mnt/cdrom

3) Copy the files from the CD ROM base directory to the hard disk

[root@bigboy tmp]# cp -r /mnt/cdrom/* /data/network-install/RPM

4) Unmount your CD ROM and use the eject command to retrieve it from the drive bay.

[root@bigboy tmp]# umount /dev/cdrom

[root@bigboy tmp]# eject cdrom

5) Repeat steps 2 to 4 with all your CDROMs. Overwrite files when prompted.

Note: You also have the option to FTP all the files of the desired version of Fedora from the Fedora website to the /data/network-install/RPM directory.

HTTP & FTP Preparation

Copy all the contents of each installation CD to the /data/network-install/RPM directory. This will require about 3-5 GB of space. When this is completed, your /data/network-install/RPM directory should look like this:

[root@bigboy tmp]# ls -1 /data/network-install/RPM

eula.txt

Fedora

fedora.css

GPL

images

index.html

isolinux

README-Accessibility

RELEASE-NOTES-en_US.html

repodata

RPM-GPG-KEY

RPM-GPG-KEY-beta


RPM-GPG-KEY-fedora

RPM-GPG-KEY-fedora-extras

RPM-GPG-KEY-fedora-legacy

RPM-GPG-KEY-fedora-rawhide

RPM-GPG-KEY-fedora-test

RPM-GPG-KEY-rawhide

stylesheet-images

[root@bigboy tmp]#

NFS Preparation

Create ISO images of the installation CDs and place them in the /data/network-install/ISO directory. This will require about 3-5 GB of space as well. You can download the ISO images from the Fedora website or use the Fedora CDs as shown below. If you create the ISO files from CDs, make sure they have the same file names as the ones you can download from the Fedora Web site.

Follow these steps for each CD, substituting the filename where necessary:

[root@bigboy tmp]# cd /data/network-install/ISO

[root@bigboy ISO]# dd if=/dev/cdrom of=filename.iso bs=32k

...

...

[root@bigboy ISO]# eject cdrom

Note: Here is a sample procedure to make ISO files with the older mkisofs command. You may have to install the mkisofs RPM on newer Fedora versions. The command requires a mounted CDROM drive, so don't forget the mount command.

[root@bigboy ISO]# mount /mnt/cdrom

[root@bigboy ISO]# mkisofs -J -r -T -o filename.iso /mnt/cdrom

[root@bigboy ISO]# eject cdrom

Setup Your Webserver

You will now have to set up Apache to give the file listings of your /data/network-install/RPM and /data/network-install/ISO directories by pointing your browser to the URL http://192.168.1.100/network-install/RPM/ or http://192.168.1.100/network-install/ISO/ respectively. A sample /etc/httpd/conf.d/kickstart.conf configuration is below. Remember to restart Apache to make these settings take effect.

NameVirtualHost 192.168.1.100
#
# For HTTP Installations
#
<VirtualHost 192.168.1.100>
ServerName 192.168.1.100
DocumentRoot /data/
</VirtualHost>
<Directory /data/network-install>
Options +Indexes
AllowOverride AuthConfig
order allow,deny
allow from all
</Directory>

Setup Your FTP Server

You'll also have to set up your VSFTPD server to make incoming anonymous FTP connections log in to the /data/network-install/RPM directory by default. You will also want to enable the correct logging. Here is a sample snippet of the vsftpd.conf file. Remember to restart VSFTPD to make these settings take effect.

#
# File: vsftpd.conf
#
#
# Anonymous FTP Root Directory
#
anon_root=/data/network-install/RPM
#
# Log file definition
#
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log

Create A Special FTP User

You can also create a special user for non anonymous FTP installations with its home directory as "/". You must also make sure that the user has read access to the /data/network-install directory. An example is below.

[root@bigboy tmp]# useradd -g users ftpinstall

[root@bigboy tmp]# passwd ftpinstall

Changing password for user ftpinstall.

New password:

Retype new password:

passwd: all authentication tokens updated successfully.

[root@bigboy tmp]#

[root@bigboy tmp]# usermod -d / ftpinstall
[root@bigboy tmp]#

Setup Your NFS Server


The steps for setting up an NFS server are more complicated.

1) Create a /etc/exports file with the following entry in it. You must use tabs, not spaces, between the entries.

/data/network-install *(ro,sync)

2) Make sure that the rpcbind (portmap on older versions of Linux), nfs, nfslock and netfs daemons are all running to create an NFS server. The startup scripts for these are found in the /etc/init.d directory.

3) Run the exportfs command to add this directory to the NFS database of network available directories.

[root@bigboy tmp]# exportfs -ra

4) The installation client must have a matching pair of forward and reverse DNS entries on your DNS

server. In other words, a DNS lookup on the IP address of the installation client must return a server name

that will map back to the original IP address when a DNS lookup is done on that same server name.

[root@bigboy tmp]# host 192.168.1.96

96.1.168.192.in-addr.arpa domain name pointer 192-168-1-96.my-site.com.

[root@bigboy tmp]#

[root@bigboy tmp]# host 192-168-1-96.my-site.com

192-168-1-96.my-site.com has address 192.168.1.96

[root@bigboy tmp]#

This may mean that you will have to create entries for all your DHCP IP addresses if you choose to use a

DHCP method of assigning IP addresses during installation.

Configure Your DHCP Server

During the installation procedure, the installation client will prompt you for the IP address it should use for the installation process. I recommend selecting the option that makes the installation client get its address via DHCP. This will automate the installation more and will therefore make it faster. It will also reduce the possibility of human error.

Exercise-2:- This exercise demonstrates how to Create A Kickstart Boot CD

Creating a kickstart boot CD is easy to do. Here are the steps:

1. Your RPM directory should have a subdirectory named images in it. There will be a file there named boot.iso which is used in booting your system when installing Linux from DVD or CD. Fedora mirror sites that have directory structures similar to that of the DVD also have a boot.iso file located in the <fedora-version>/Fedora/i386/os/images/ directory. This file is different in both size and function from that on your DVD. It is usually larger than 10 MB in size and it is the boot file you need for kickstart. Download the boot.iso file from your favorite mirror site using a utility like wget.

[root@bigboy tmp]# wget http://website.org/8/Fedora/i386/os/images/boot.iso

2. You will now need the device name of your CDROM device. This can be obtained using the wodim command. In this case it is called /dev/scd0.

[root@bigboy tmp]# wodim --devices
wodim: Overview of accessible drives (1 found) :
-------------------------------------------------------------
0 dev='/dev/scd0' rwr--- : 'LITE-ON' 'DVDRW LH-20A1P'
-------------------------------------------------------------
[root@bigboy tmp]#

3. Insert a blank CD. The wodim command can now be used again to burn the boot.iso ISO image file to the CD.

[root@bigboy tmp]# wodim dev=/dev/scd0 driveropts=burnfree,noforcespeed \
fs=14M -dao -eject -overburn -v boot.iso
...
BURN-Free was never needed.
wodim: fifo had 6 puts and 6 gets.
wodim: fifo was 0 times empty and 0 times full, min fill was 100%.
[root@bigboy RPM]#

Keep the CD. You will soon need it for your kickstart client machine.

Exercise-3:- This exercise demonstrates The Network Installation

From here on, the installation procedure mimics the regular Linux installation, except for the first couple of steps.

Connect your client Linux box to the DHCP network.

Boot your system using the kickstart boot CD. This is the only CD you'll need for future network installations.

A menu will appear. Select "Install or upgrade an existing system".

Go through the usual steps until the process prompts for the "Installation Method". You will see a number of choices:

Local CDROM
Hard Drive
NFS Image
FTP
HTTP

Select the network option of your choice (NFS, FTP, HTTP).

Select the Ethernet device that connects the installation client to the installation server network. This would most likely be interface "eth0".

Select "DHCP" in the following "Configure TCP/IP" screen. This will make the installation client use DHCP during the installation.

If You Selected The NFS Method

You will now reach the "NFS setup" menu. Enter the IP address of the installation server as the "NFS Server Name". The "Red Hat directory" will be "/data/network-install/ISO". The following menus will be the usual Fedora GUI installation screens.

If You Selected The HTTP Method

You will now reach the "HTTP Setup" menu. Enter the IP address of the installation server when prompted for a "Web site name". The "Red Hat directory" will be /network-install/RPM. The following menus will be text based versions of the usual Fedora installation screens.

During the installation, issue the following command on the server to check the Apache logs. It will help to verify whether the kickstart client is accessing the files correctly. You should get a status code of 200 after each GET statement. You should retrace your steps if you do not.

[root@bigboy tmp]# tail -f /var/log/httpd/access_log
192.168.1.247 - - [12/Nov/2006:12:01:04 -0800] "GET /network-install/RPM/repodata/repomd.xml HTTP/1.1" 20
192.168.1.247 - - [12/Nov/2006:12:01:05 -0800] "GET /network-install/RPM/repodata/primary.xml.gz HTTP/1.1
192.168.1.247 - - [12/Nov/2006:12:01:19 -0800] "GET /network-install/RPM/repodata/comps.xml HTTP/1.1" 200
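To make the status check above repeatable, here is a small added shell example (not from the lab manual) that reads saved access_log lines and reports every GET under /network-install/ from the given client that did not return 200, plus any of the three repodata files shown in the log above that the client never fetched. The sample log lines are constructed; the client address and paths follow the lab's example.

```shell
#!/bin/sh
# Added example, not part of the lab manual.  Checks Apache access_log lines
# for the kickstart client's fetches under /network-install/.
# Common log format fields: $1 client, $6 "GET (with the opening quote),
# $7 request path, $9 HTTP status code.
#
# Usage: check_install_log CLIENT_IP LOGFILE
# Prints one FAIL/MISSING line per problem, then a summary line, and returns
# non-zero when any problem was found.
check_install_log() {
    awk -v client="$1" '
        $1 == client && $6 == "\"GET" && $7 ~ /^\/network-install\// {
            total++
            name = $7; sub(/.*\//, "", name)          # keep the file name only
            seen[name] = $9
            if ($9 != "200") { bad++; print "FAIL", $7, $9 }
        }
        END {
            # the repodata files the lab log shows the client fetching
            n = split("repomd.xml primary.xml.gz comps.xml", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in seen)) { bad++; print "MISSING", need[i] }
            printf "%d requests from %s, %d problems\n", total + 0, client, bad + 0
            exit (bad > 0)
        }
    ' "$2"
}

# Constructed sample log: three repodata fetches from the kickstart client
# (one refused with 403, as a permissions problem under /data would cause)
# and an unrelated request from another host that must be ignored.
SAMPLE_ACCESS_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_ACCESS_LOG"' EXIT
cat > "$SAMPLE_ACCESS_LOG" <<'EOF'
192.168.1.247 - - [12/Nov/2006:12:01:04 -0800] "GET /network-install/RPM/repodata/repomd.xml HTTP/1.1" 200 1140
192.168.1.247 - - [12/Nov/2006:12:01:05 -0800] "GET /network-install/RPM/repodata/primary.xml.gz HTTP/1.1" 403 287
192.168.1.247 - - [12/Nov/2006:12:01:19 -0800] "GET /network-install/RPM/repodata/comps.xml HTTP/1.1" 200 853899
192.168.1.50 - - [12/Nov/2006:12:02:00 -0800] "GET /index.html HTTP/1.1" 404 210
EOF

if check_install_log 192.168.1.247 "$SAMPLE_ACCESS_LOG"; then
    echo "kickstart client fetched everything with status 200"
else
    echo "retrace your steps: see the FAIL/MISSING lines above"
fi
```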

If You Selected The FTP Method

You will now reach the "FTP Setup" menu. Enter the IP address of the installation server as the "FTP Site Name".

"Not Selecting" The Non-Anonymous FTP Box

The "Red Hat directory" will be "/". The following menus will be text based versions of the usual Fedora installation screens.

"Selecting" The Non-Anonymous FTP Box

The "Red Hat directory" will be "/data/network-install/RPM". Enter the username and password of your special FTP user account. The following menus will be text based versions of the usual RedHat installation screens.

Note: During the installation, issue the following command on the server to check the FTP logs. It will help to verify whether the kickstart client is accessing the files correctly.

[root@bigboy ~]# tail -f /var/log/vsftpd.log
Sun Nov 12 20:53:12 2006 1 192.168.1.231 1140 /data/network-install/RPM/repodata/repomd.xml b _ o r ftp-i
Sun Nov 12 20:53:21 2006 2 192.168.1.231 844228 /data/network-install/RPM/repodata/primary.xml.gz b _ o r
Sun Nov 12 20:53:40 2006 2 192.168.1.231 853899 /data/network-install/RPM/repodata/comps.xml b _ o r ftp-

Troubleshooting The Network Installation

You can do some basic troubleshooting by accessing the various installation status screens available.

The installation logs can always be viewed by hitting <CTRL-ALT-F3>.
Kernel messages can be seen by hitting <CTRL-ALT-F4>.
Access to a limited BASH shell can be gained by hitting <CTRL-ALT-F2>.

You can return to the main installation screen at any time by hitting <CTRL-ALT-F1> for text based installations and <CTRL-ALT-F7> when the GUI is used.

Examine your server's /var/log/httpd/access_log and /var/log/httpd/error_log files for the HTTP method; the /var/log/vsftpd.log file for the FTP method; and your /var/log/messages file for the NFS method.

Exercise-4:- This exercise demonstrates Automating Installation With Kickstart

Both Fedora and RedHat Linux save all the parameters you used during installation in the /root/anaconda-ks.cfg kickstart configuration file. You can use this file to create an automated installation of a duplicate system, which can be useful if you have a large number of servers to install.

This section shows you how to automate network installations using the kickstart application and NFS. You can use HTTP and FTP, but they have been omitted to keep the discussion brief.

How To Create New Kickstart Configuration Files

You can create a customized kickstart configuration file by using the "ksconfig" command from a GUI console. It will bring up a menu from which you can select all your installation options. When finished, you save the configuration with the filename of your choice.

You may want to then edit the configuration file and comment out, with a "#", certain parameters that may change from system to system. These could include things like the system's name and IP address. During the kickstart process you will be prompted for these unspecified values.

Note: Do not change the order of the entries in the kickstart configuration file.

Note: The IP address you assign must be on the same subnet as that of the DHCP server for kickstart to work. If the server is going to reside on a different network after the installation, then you'll have to run a separate script to change the IP addressing information after the installation is complete.

Adding Post Installation Commands

You may want to run some commands on the newly created Linux installation after kickstart is complete. Some processes that are activated by default by Fedora may not be suitable for your server and may need to be disabled.

This can be done by placing a %post section at the end of the kickstart file with all the post installation commands you wish to run. Here is an example:

%post
chkconfig isdn off
chkconfig pcmcia off
chkconfig portmap off
chkconfig apmd off
chkconfig nfslock off
chkconfig nfs off

A Note About Using anaconda-ks.cfg

It is possible to use the /root/anaconda-ks.cfg file as a template for future installations. RedHat comments out the partitioning information in this file, so you will either have to uncomment it and then make your partitioning modifications or be prepared to be prompted for your partitioning information.

How To Run A Kickstart Installation

It is best to place your kickstart files in a subdirectory under the /data/network-install directory. The examples below assume the subdirectory is called /data/network-install/kickstart.

Remember that you may want to remove the "#" comments from the partition section of the file. If not, you will be prompted for this information.

Using a NFS Server

Verify that the first two lines of the file look like this or else you may be prompted for NFS ISO file location information.

install
nfs --server=192.168.1.100 --dir=/data/network-install/ISO

Using a Web Server

Verify that the first two lines of the file look like this or else you may be prompted for RPM base file location information.

install
url --url http://192.168.1.100/network-install/RPM

Booting With Your Kickstart Files

There are two ways to specify the name of the kickstart file to use. The first is to enter it manually from the LILO boot: prompt when you insert the boot CD. The second is to have your DHCP server automatically tell the kickstart client the name of the kickstart file to use when it assigns the IP address. Both methods are listed below:

Manually Specifying the Kickstart Filename

Once you have booted from your boot CDROM, you'll need to use the following command at the lilo boot: prompt to continue with the installation. The ks.cfg file is the kickstart configuration file we want to use.

NFS Method

boot: linux ks=nfs:192.168.1.100:/kickstart/ks.cfg

HTTP Method

boot: linux ks=http://192.168.1.100/network-install/kickstart/ks.cfg

Configuring The Filename Automatically

Whenever you have to create lots of cloned Linux servers, you may want to configure your DHCP server to specify the single kickstart configuration file you wish to use. Here is how it's done:

1) Place your kickstart file in the /data/network-install/kickstart directory.

2) Edit your dhcpd.conf file and add the following lines to the section for the interface that will be serving DHCP IP addresses. The next-server value is the IP address of the kickstart server.

filename "/data/network-install/kickstart/ks.cfg";
next-server 192.168.1.100;

3) Insert the boot CD into the kickstart client Linux box and connect it to the DHCP network. At the boot: prompt type in the following command:

boot: linux ks

Kickstart will first search for a configuration file named ks.cfg on the boot CD. It will then automatically attempt to get a DHCP IP address and see if the DHCP server will specify a configuration file. Kickstart will then use NFS to get both the configuration file and the installation ISOs. The rest should be automatic.

Exercises for lab:

Exercise 1:- Create an image of the Fedora installation CDs on your system and configure FTP, NFS and Apache servers to access that image.

Home Work:

1) Configure a kickstart file for automatic installation over NFS.

To understand Remote File Sharing among Linux OSs

Lab 27: Remote Disk Access with NFS

Lab No. 27: Remote Disk Access with NFS

Objective:

To equip students with the practical knowledge to configure Linux boxes for file sharing using the Network File System protocol.

Scope:

The student will be able to know the following at the end of this lab:

• Installing NFS

• Configuring NFS on The Client

• Configuring NFS on The Server

• Accessing NFS Server Directories from the Client

• Activating Modifications To The /etc/exports File

• Troubleshooting NFS

Useful Concepts:

The virtual filesystem (VFS)

Mechanism used by NFS to transparently and automatically redirect all access to NFS-mounted files to the remote server.

Stateless Operation

Programs that read and write to files on a local filesystem rely on the operating system to track their access location within the file with a pointer. As NFS is a network-based file system, and networks can be unreliable, it was decided that the NFS client daemon would act as a failsafe intermediary between regular programs running on the NFS client and the NFS server.

Normally, when a server fails, file accesses time out and the file pointers are reset to zero. With NFS, the NFS server doesn't maintain the file pointer information; the NFS client does. This means that if an NFS server suddenly fails, the NFS client can precisely restart the file access once more after patiently waiting until the server returns online.

Caching

NFS clients typically request more data than they need and cache the results in memory locally so that further sequential access of the data can be done locally rather than over the network. This is also known as a read ahead cache. Data that's to be written to the NFS server is cached, with the data being written to the server when the cache becomes full.

Caching therefore helps to reduce the amount of network traffic while simultaneously improving the speed of some types of data access.

The NFS server caches information too, such as the directory information for the most recently accessed files and a read ahead cache for recently read files.

NFS and Symbolic Links

You have to be careful with the use of symbolic links on exported NFS directories. If an absolute link points to a directory on the NFS server that hasn't been exported, then the NFS client won't be able to access it. Unlike absolute links, relative symbolic links are interpreted relative to the client's filesystem.

Consider an example where the /data1 directory on the server is mounted on the client's /data1 directory. If there is a link to the ../data2 directory on the NFS server and a directory corresponding to ../data2 doesn't exist on the NFS client, then an error will occur.

Also, mounting a filesystem on a symbolic link actually mounts the filesystem on the target of the symbolic link. You'll have to be careful not to obscure the contents of this original directory in the process. Plan carefully before doing this.

NFS Background Mounting

NFS clients use the remote procedure call (RPC) suite of network application helper programs to mount remote filesystems. If the mount cannot occur during the default RPC timeout period, then the client retries the mount process until the NFS number of retries has been exceeded. The default is 10,000 minutes, which is approximately a week. The difficulty here is that if the NFS server is unavailable, the mount command will hang for a week until it returns online. It is possible to use the bg option to spawn the retries off as a subprocess so that the main mount command can continue to process other requests.

Hard and Soft Mounts

The process of continuous retrying, whether in the background or foreground, is called a hard mount. NFS attempts to guarantee the consistency of your data with these constant retries. With soft mounts, repeated RPC failures cause the NFS operation to fail rather than hang, and data consistency is therefore not guaranteed. The advantage is that the operation completes quickly, whether it fails or not. The disadvantage is that the use of the soft option implies that you are using an unreliable NFS server; if this is the case it is best not to place critical data that needs to be updated regularly, or executable programs, in such a location.

Exercise-1:- This exercise illustrates NFS Installation

RedHat Linux installs nfs by default, and also by default nfs is activated when the system boots. You can determine whether you have nfs installed using the RPM command in conjunction with the grep command to search for all installed nfs packages.

[root@bigboy tmp]# rpm -qa | grep nfs
redhat-config-nfs-1.1.3-1
nfs-utils-1.0.1-3.9
[root@bigboy tmp]#

A blank list means that you'll have to install the required packages.

You also need to have the RPC rpcbind package installed, and the rpm command can tell you whether it's on your system already. Querying rpm for the package name shows whether rpcbind is installed:

[root@bigboy tmp]# rpm -q rpcbind
rpcbind-4.0-57
[root@bigboy tmp]#

A blank list means that you'll have to install the required packages.

If nfs and rpcbind are not installed, they can be added fairly easily once you find the nfs-utils and rpcbind RPMs. (Remember that RPM filenames usually start with the software's name and a version number, as in nfs-utils-1.1.3-1.i386.rpm.) Using yum or apt-get is a suitable option.

Exercise-2:- This exercise illustrates Scenario Based NFS configuration

Scenario

A small office has an old Linux server that is running out of disk space. The office cannot tolerate any down time, even after hours, because the server is accessed by overseas programmers and clients at nights and local ones by day.

Budgets are tight and the company needs a quick solution until it can get a purchase order approved for a hardware upgrade. Another Linux server on the network has additional disk capacity in its /data partition and the office would like to expand into it as an interim expansion NFS server.

Configuring NFS on the Server

Both the NFS server and NFS client have to have parts of the NFS package installed and running. The server needs rpcbind, nfs, and nfslock operational, as well as a correctly configured /etc/exports file. Here's how to do it.

The /etc/exports File

The /etc/exports file is the main NFS configuration file, and it consists of two columns. The first column lists the directories you want to make available to the network. The second column has two parts. The first part lists the networks or DNS domains that can get access to the directory, and the second part lists NFS options in brackets.

For the scenario you need:

• Read-only access to the /data/files directory to all networks
• Read/write access to the /home directory from all servers on the 192.168.1.0/24 network, which is all addresses from 192.168.1.0 to 192.168.1.255
• Read/write access to the /data/test directory from servers in the my-site.com DNS domain
• Read/write access to the /data/database directory from a single server 192.168.1.203.

In all cases, use the sync option to ensure that file data cached in memory is automatically written to the disk after the completion of any disk data copying operation.

#/etc/exports
/data/files       *(ro,sync)
/home             192.168.1.0/24(rw,sync)
/data/test        *.my-site.com(rw,sync)
/data/database    192.168.1.203/32(rw,sync)

After configuring your /etc/exports file, you need to activate the settings, but first make sure that NFS is running correctly.
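As an added example that is not part of the lab (the manual only shows the finished file), here is a shell function that audits an /etc/exports file for the settings a reviewer would question before activating it: a read/write export to every host, no_root_squash (client root acts as server root), async, which drops the sync guarantee the scenario requires, and the classic "host (options)" typo where a space detaches the options from the host. The sample file is the scenario's four entries plus three constructed weaker entries.

```shell
#!/bin/sh
# Added example, not from the lab manual: audit /etc/exports for entries that
# grant more than the scenario needs.  One finding per line, formatted as
# "path client: reason"; returns non-zero when there is at least one finding.
# /etc/exports syntax: directory, then one or more "client(opt,opt)" fields.
audit_exports() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # skip comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match($i, /\(.*\)$/)) {                 # split "client(options)"
                    client = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                }
                if (client == "") {                         # "host (opts)": the space detaches the options
                    print path, $i ": options separated from the host by a space apply to every host"; bad++
                    continue
                }
                # compare whole option names so "rw" never matches inside another word
                n = split(opts, o, ",")
                rw = 0; nrs = 0; async = 0
                for (j = 1; j <= n; j++) {
                    if (o[j] == "rw") rw = 1
                    if (o[j] == "no_root_squash") nrs = 1
                    if (o[j] == "async") async = 1
                }
                if (client == "*" && rw) { print path, client ": read/write export to every host"; bad++ }
                if (nrs)   { print path, client ": no_root_squash lets client root act as server root"; bad++ }
                if (async) { print path, client ": async drops the sync write guarantee"; bad++ }
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: the scenario entries plus three weakened ones to flag.
EXPORTS_SAMPLE=$(mktemp)
trap 'rm -f "$EXPORTS_SAMPLE"' EXIT
cat > "$EXPORTS_SAMPLE" <<'EOF'
#/etc/exports
/data/files       *(ro,sync)
/home             192.168.1.0/24(rw,sync)
/data/test        *.my-site.com(rw,sync)
/data/database    192.168.1.203/32(rw,sync)
/data/scratch     *(rw,async)
/data/admin       192.168.1.203/32(rw,sync,no_root_squash)
/data/oops        * (rw,sync)
EOF

if audit_exports "$EXPORTS_SAMPLE"; then
    echo "no findings: safe to run exportfs -ra"
else
    echo "review the findings above before activating the exports"
fi
```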

Starting NFS on the Server

Configuring an NFS server is straightforward:

1) Use the chkconfig command to configure the required nfs and RPC rpcbind daemons to start at boot. You also should activate NFS file locking to reduce the risk of corrupted data.

[root@bigboy tmp]# chkconfig --level 35 nfs on
[root@bigboy tmp]# chkconfig --level 35 nfslock on
[root@bigboy tmp]# chkconfig --level 35 rpcbind on

2) Use the init scripts in the /etc/init.d directory to start the nfs and RPC rpcbind daemons. The examples use the start option, but when needed, you can also stop and restart the processes with the stop and restart options.

[root@bigboy tmp]# service rpcbind start
[root@bigboy tmp]# service nfs start
[root@bigboy tmp]# service nfslock start

3) Test whether NFS is running correctly with the rpcinfo command. You should get a listing of running RPC programs that must include mountd, portmapper, nfs, and nlockmgr.

[root@bigboy tmp]# rpcinfo -p localhost
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp   1024  nlockmgr
    100021    3   udp   1024  nlockmgr
    100021    4   udp   1024  nlockmgr
    100005    1   udp   1042  mountd
    100005    1   tcp   2342  mountd
    100005    2   udp   1042  mountd
    100005    2   tcp   2342  mountd
    100005    3   udp   1042  mountd
    100005    3   tcp   2342  mountd
[root@bigboy tmp]#

Configuring NFS on the Client

NFS configuration on the client requires you to start the NFS application; create a directory on which to mount the NFS server's directories that you exported via the /etc/exports file; and finally mount the NFS server's directory on your local directory, or mount point. Here's how to do it all.

Starting NFS on the Client

Three more steps easily configure NFS on the client.

1) Use the chkconfig command to configure the required netfs and RPC rpcbind daemons to start at boot. Activate nfslock to lock the files and reduce the risk of corrupted data.

[root@smallfry tmp]# chkconfig --level 35 netfs on
[root@smallfry tmp]# chkconfig --level 35 nfslock on
[root@smallfry tmp]# chkconfig --level 35 rpcbind on

2) Use the init scripts in the /etc/init.d directory to start the netfs and RPC rpcbind daemons. As on the server, the examples use the start option, but you can also stop and restart the processes with the stop and restart options.

[root@smallfry tmp]# service rpcbind start
[root@smallfry tmp]# service netfs start
[root@smallfry tmp]# service nfslock start

3) Test whether NFS is running correctly with the rpcinfo command. The listing of running RPC programs you get must include status, portmapper, and nlockmgr.

[root@smallfry root]# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    100021    1   udp  32769  nlockmgr
    100021    3   udp  32769  nlockmgr
    100021    4   udp  32769  nlockmgr
    100021    1   tcp  32769  nlockmgr
    100021    3   tcp  32769  nlockmgr
    100021    4   tcp  32769  nlockmgr
    391002    2   tcp  32770  sgi_fam
[root@smallfry root]#

NFS and DNS

The NFS client must have a matching pair of forward and reverse DNS entries on the DNS server used by the NFS server. In other words, a DNS lookup on the NFS server for the IP address of the NFS client must return a server name that will map back to the original IP address when a DNS lookup is done on that same server name.

[root@bigboy tmp]# host 192.168.1.102
102.1.168.192.in-addr.arpa domain name pointer 192-168-1-102.my-site.com.
[root@bigboy tmp]# host 192-168-1-102.my-site.com
192-168-1-102.my-site.com has address 192.168.1.102
[root@bigboy tmp]#

This is a security precaution added into the nfs package that lessens the likelihood of unauthorized servers gaining access to files on the NFS server. Failure to correctly register your server IPs in DNS can result in "fake hostname" errors:

Nov 7 19:14:40 bigboy rpc.mountd: Fake hostname smallfry.my-site.com for 192.168.1.1 - forward lookup do

Accessing NFS Server Directories from the Client

In most cases, users want their NFS directories to be permanently mounted. This requires an entry in the /etc/fstab file in addition to the creation of the mount point directory.

The /etc/fstab File

The /etc/fstab file lists all the partitions that need to be auto-mounted when the system boots. Therefore, you need to edit the /etc/fstab file if you need the NFS directory to be made permanently available to users on the NFS client. For the example, mount the /data/files directory on server bigboy (IP address 192.168.1.100) as an NFS-type filesystem using the local /mnt/nfs mount point directory.

#/etc/fstab
#Directory                 Mount Point  Type  Options         Dump  FSCK
192.168.1.100:/data/files  /mnt/nfs     nfs   soft,nfsvers=2  0     0

This example used the soft and nfsvers options; Table 29.1 below outlines these and other useful NFS mounting options you may want to use. See the NFS man pages for more details.

Possible NFS Mount Options

Option     Description
bg         Retry mounting in the background if mounting initially fails
fg         Mount in the foreground
soft       Use soft mounting
hard       Use hard mounting
rsize=n    The amount of data NFS will attempt to access per read operation. The default is dependent on the kernel. For NFS version 2, set it to 8192 to assure maximum throughput.
wsize=n    The amount of data NFS will attempt to access per write operation. The default is dependent on the kernel. For NFS version 2, set it to 8192 to assure maximum throughput.
nfsvers=n  The version of NFS the mount command should attempt to use
tcp        Attempt to mount the filesystem using TCP packets: the default is UDP.
intr       If the filesystem is hard mounted and the mount times out, allow for the process to be aborted using the usual methods such as CTRL-C and the kill command.

The steps to mount the directory are fairly simple, as you'll see.

Permanently Mounting the NFS Directory

You'll now create a mount point directory, /mnt/nfs, on which to mount the remote NFS directory and then use the mount -a command to activate the mount. Notice how before mounting there were no files visible in the /mnt/nfs directory; this changes after the mounting is completed:

[root@smallfry tmp]# mkdir /mnt/nfs
[root@smallfry tmp]# ls /mnt/nfs
[root@smallfry tmp]# mount -a
[root@smallfry tmp]# ls /mnt/nfs
ISO ISO-RedHat kickstart RedHat
[root@smallfry tmp]#

Each time your system boots, it reads the /etc/fstab file and executes the mount -a command, thereby making this a permanent NFS mount.

Note: There are multiple versions of NFS, the most popular of which is version 2, which most NFS clients use. Newer NFS servers may also be able to handle NFS version 4. To be safe, it is best to force the NFS server to export directories as version 2 using the nfsvers=2 option in the /etc/fstab file as shown in the example. Failure to do so may result in an error message.

[root@probe-001 tmp]# mount -a
mount to NFS server '192.168.1.100' failed: server is down.
[root@probe-001 tmp]#

Exercise-3:- This exercise illustrates NFS Troubleshooting

A basic NFS configuration usually works without problems when the client and server are on the same network. The most common problems are caused by forgetting to start NFS, to edit the /etc/fstab file, or to export the directories listed in the /etc/exports file. Another common cause of failure is the iptables firewall daemon running on either the server or client without the administrator realizing it.

When the client and server are on different networks, these checks still apply, but you'll also have to make sure basic connectivity has been taken care of. Sometimes a firewall being present on the path between the client and server can cause difficulties.

As always, no troubleshooting plan would be complete without frequent reference to the /var/log/messages file when searching for additional clues. The following table shows some common NFS errors you'll encounter.

Some Common NFS Error Messages

Error                              Description
Too many levels of remote in path  Attempting to mount a filesystem that has already been mounted.
Permission denied                  User is denied access. This could be the client's root user who has unprivileged status on the server due to the root_squash option. Could also be because the user on the client doesn't exist on the server.
No such host                       Typographical or DNS configuration error in the name of the server.
No such file or directory          Typographical error in the name of the file or directory: they don't exist.
NFS server is not responding       The server could be overloaded or down.
Stale file handle                  A file that was previously accessed by the client was deleted on the server before the client closed it.
Fake hostname                      Forward and reverse DNS entries don't exist for the NFS client.

The showmount Command

When run on the server, the showmount -a command lists all the currently exported directories. It also shows a list of NFS clients accessing the server; in this case one client has an IP address of 192.168.1.102.

[root@bigboy tmp]# showmount -a
All mount points on bigboy:
*:/home
192.168.1.102:*
[root@bigboy tmp]#

The "df" Command

The df command lists the disk usage of a mounted filesystem. Run it on the NFS client to verify that NFS mounting has occurred. In many cases, the root_squash mount option will prevent the root user from doing this, so it's best to try it as an unprivileged user.

[nfsuser@smallfry nfsuser]$ df -F nfs
Filesystem                    1K-blocks    Used Available Use% Mounted on
192.168.1.100:/home/nfsuser     1032056  346552    633068  36% /home/nfsuser
[nfsuser@smallfry nfsuser]$

The nfsstat Command

The nfsstat command provides useful error statistics. The -s option provides NFS server stats, while the -c option provides them for clients. Threshold guidelines are provided in the table below.

[root@bigboy tmp]# nfsstat -s
Server rpc stats:
calls      badcalls   badauth    badclnt    xdrcall
1547       0          0          0          0
Server nfs v2:
null       getattr    setattr    root       lookup     readlink
244  100%  0     0%   0     0%   0     0%   0     0%   0     0%
read       wrcache    write      create     remove     rename
0     0%   0     0%   0     0%   0     0%   0     0%   0     0%
link       symlink    mkdir      rmdir      readdir    fsstat
0     0%   0     0%   0     0%   0     0%   0     0%   0     0%
Server nfs v3:
null       getattr    setattr    lookup     access     readlink
251   19%  332   25%  0     0%   265   20%  320   24%  0     0%
read       write      create     mkdir      symlink    mknod
39     2%  14     1%  1     0%   1     0%   0     0%   0     0%
remove     rmdir      rename     link       readdir    readdirplus
0     0%   0     0%   0     0%   0     0%   0     0%   31     2%
fsstat     fsinfo     pathconf   commit
1     0%   34     2%  0     0%   14     1%
[root@bigboy tmp]#

Error Thresholds For The "nfsstat" Command

Value      Threshold   Description
readlink   > 10%       Excessive numbers of symbolic links slowing performance. Try to replace them with a directory and mount the filesystem directly on this new mount point.
getattr    > 50%       File attributes, like file data, are cached in NFS. This value tracks the percentage of file attribute reads that are not from cache refresh requests. Usually caused by the NFS "noac" mount option, which prevents file attribute caching.
badcalls   > 0         Bad RPC requests. Could be due to poorly configured authentication, the root user attempting to access data governed by the "root_squash" directive, or having a user in too many groups.
retrans    > 5%        Percentage of requests for service that the client had to retransmit to the servers. Could be due to slow NFS servers or poor network conditions.
writes     > 10%       Writes are slow due to poor caching values. Check the "noac" and "wsize" mount options.
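As an added example, not part of the manual, here is a small Python script that parses nfsstat -s output, recomputes each operation's share of the calls and reports any value above the thresholds in the table (the server-side ones; retrans and writes come from nfsstat -c). The input is the output shown above, embedded as a constructed string.

```python
import re

# Constructed sample: the "nfsstat -s" output shown above, embedded so the
# script runs offline.
SAMPLE = """\
Server rpc stats:
calls      badcalls   badauth    badclnt    xdrcall
1547       0          0          0          0

Server nfs v2:
null       getattr    setattr    root       lookup     readlink
244  100%  0     0%   0     0%   0     0%   0     0%   0     0%
read       wrcache    write      create     remove     rename
0     0%   0     0%   0     0%   0     0%   0     0%   0     0%
link       symlink    mkdir      rmdir      readdir    fsstat
0     0%   0     0%   0     0%   0     0%   0     0%   0     0%

Server nfs v3:
null       getattr    setattr    lookup     access     readlink
251   19%  332   25%  0     0%   265   20%  320   24%  0     0%
read       write      create     mkdir      symlink    mknod
39    2%   14    1%   1     0%   1     0%   0     0%   0     0%
remove     rmdir      rename     link       readdir    readdirplus
0     0%   0     0%   0     0%   0     0%   0     0%   31    2%
fsstat     fsinfo     pathconf   commit
1     0%   34    2%   0     0%   14    1%
"""

# Server-side thresholds from the table above. "retrans" and "writes" are
# client-side figures (nfsstat -c), so they are not checked here.
THRESHOLDS = {"readlink": 10.0, "getattr": 50.0}

def parse_nfsstat(text):
    """Return {"rpc": {counter: n}, "v2": {op: n}, "v3": {op: n}} from nfsstat -s output."""
    stats, section = {}, None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        m = re.match(r"Server (rpc stats|nfs v\d):", lines[i])
        if m:
            section = "rpc" if m.group(1) == "rpc stats" else m.group(1).split()[1]
            stats[section] = {}
            i += 1
            continue
        # A line of counter names is followed by a line of counts, each
        # optionally followed by a percentage that we recompute ourselves.
        names = lines[i].split()
        counts = re.findall(r"(\d+)(?:\s+\d+%)?", lines[i + 1])
        if section is None or len(names) != len(counts):
            raise ValueError("unexpected nfsstat layout near: " + lines[i])
        stats[section].update(zip(names, map(int, counts)))
        i += 2
    return stats

def check_thresholds(stats):
    """List the values that exceed the table's thresholds (empty list = healthy)."""
    warnings = []
    bad = stats.get("rpc", {}).get("badcalls", 0)
    if bad > 0:
        warnings.append("badcalls=%d: bad RPC requests (check authentication, root_squash, "
                        "or users in too many groups)" % bad)
    for version in ("v2", "v3"):
        ops = stats.get(version, {})
        total = sum(ops.values())
        for op, limit in THRESHOLDS.items():
            pct = 100.0 * ops.get(op, 0) / total if total else 0.0
            if pct > limit:
                warnings.append("%s %s=%.1f%% exceeds %.0f%%" % (version, op, pct, limit))
    return warnings

if __name__ == "__main__":
    for w in check_thresholds(parse_nfsstat(SAMPLE)) or ["no thresholds exceeded"]:
        print(w)
```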

Exercises for lab

Exercise 1:- This exercise illustrates NFS installation.

Exercise 2:- Create a directory named 'shared' and configure the NFS server to share the newly created directory 'shared' with other systems.

Home Work

Configure an NFS server for the scenario given below:

A home user has a Linux server with low disk space. S(he) has another Linux system in the house with some extra space in the /home filesystem. Keeping the budget aspect in mind, the user wants to share the free space on the /home filesystem with the other system. Help him/her in configuring an NFS

1)

2) Read-only access to the /data/files directory to all networks

3) Read/write access to the /home directory from all servers on the 192.168.1.0/24 network, which is all addresses from 192.168.1.0 to 192.168.1.255

4) Read/write access to the /data/test directory from servers in the my-site.com DNS domain

5) Read/write access to the /data/database directory from a single server, 192.168.1.203.

6)

To understand Controlling Web Usage with Squid

Lab No. 28: Controlling Web Usage with Squid

Objective:

To familiarize students with how to limit web access to only authorized users.

Scope:

The students would be able to do the following at the end of this lab:

• Configure the Squid proxy server to provide restricted access to the Internet using access lists.

• Provide transparent proxy services to the users.

Useful Concepts

Squid Configuration File

The main Squid configuration file is squid.conf, and, like most Linux applications, Squid needs to be restarted for changes to the configuration file to take effect. In the next sections we will illustrate the various useful sections of the squid.conf file.

The Visible Host Name

Squid will fail to start if you don't give your server a hostname. You can set this with the visible_hostname parameter. Here, the hostname is set to the real name of the server, ciit.

visible_hostname ciit

Access Control Lists

You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or source network; the ACLs are then linked to an http_access statement that tells Squid whether to deny or allow traffic that matches the ACL.

Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.

Note: The very last http_access statement in the squid.conf file denies all access. You therefore have to add your specific permit statements above this line.

Exercise-1:- This exercise illustrates restricting Web access by time

You can create access control lists with time parameters. For example, you can allow only business-hours access from the home network, while always restricting access to host 192.168.1.23.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours

Or, you can allow morning access only:

#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:00-12:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings

Exercise-2:- This exercise illustrates restricting access to specific Web sites

Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. In this example we create two lists in files named /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.

# File: /usr/local/etc/allowed-sites.squid
www.openfree.org
www.google.com

# File: /usr/local/etc/restricted-sites.squid
www.restricted-site.com
www.illegal.com

These can then be used to always block the restricted sites and permit the allowed sites during working hours. This can be illustrated by expanding our previous example slightly.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites

Exercise-3:- This exercise illustrates restricting Web access by IP address

You can create an access control list that restricts Web access to users on certain networks. In this case, it's an ACL that defines a home network of 192.168.1.0.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/255.255.255.0

You also have to add a corresponding http_access statement that allows traffic that matches the ACL:

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow home_network
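The first-match rule and the warning about ordering in the three exercises above can be checked before touching a live proxy. As an added example that is not from the manual or from Squid, this Python script evaluates the ACLs and http_access lines from the exercises against constructed requests; the two site-list files are replaced by an in-memory dictionary, and treating both ends of the time range as inclusive is an assumption.

```python
import ipaddress
from datetime import datetime

# Constructed squid.conf fragment: the ACL and http_access lines from the
# exercises above, with "deny all" standing in for Squid's final catch-all rule.
SQUID_CONF = """
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
acl all src 0.0.0.0/0
http_access deny RestrictedHost
http_access deny BadSites
http_access allow home_network business_hours GoodSites
http_access deny all
"""
# Constructed stand-ins for the two site-list files, so the example runs offline.
LIST_FILES = {
    "/usr/local/etc/allowed-sites.squid": ["www.openfree.org", "www.google.com"],
    "/usr/local/etc/restricted-sites.squid": ["www.restricted-site.com", "www.illegal.com"],
}
DAY_CODES = "SMTWHFA"  # Squid's one-letter day codes, Sunday through Saturday
# Constructed request times: a Wednesday at 10:30, the same day at 18:00, a Saturday at 10:30.
BUSINESS, EVENING, SATURDAY = (datetime(2024, 1, 10, 10, 30), datetime(2024, 1, 10, 18, 0),
                               datetime(2024, 1, 13, 10, 30))

def parse_conf(text):
    """Return ({acl name: [(kind, args)]}, [(action, [acl names])]) in file order."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            if kind == "dstdomain" and args[0].startswith('"'):
                args = LIST_FILES[args[0].strip('"')]  # quoted path = list file
            acls.setdefault(name, []).append((kind, args))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(entries, req):
    """True if any entry of the ACL matches the request dict (src, host, when)."""
    for kind, args in entries:
        if kind == "src":
            if any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(a, strict=False)
                   for a in args):
                return True
        elif kind == "dstdomain":
            host = req["host"].lower()
            # A leading dot matches the domain and its subdomains, otherwise the exact host.
            if any(host == d or (d.startswith(".") and host.endswith(d)) for d in args):
                return True
        elif kind == "time":
            when, days, span = req["when"], "", None
            for a in args:              # day letters, then an optional h1:m1-h2:m2 range
                if "-" in a:
                    span = a
                else:
                    days += a
            day_ok = not days or DAY_CODES[(when.weekday() + 1) % 7] in days
            time_ok = True
            if span:                    # both bounds treated as inclusive (assumption)
                (h1, m1), (h2, m2) = (map(int, t.split(":")) for t in span.split("-"))
                time_ok = h1 * 60 + m1 <= when.hour * 60 + when.minute <= h2 * 60 + m2
            if day_ok and time_ok:
                return True
    return False

def evaluate(acls, rules, req):
    """Walk http_access top to bottom; the first line whose ACLs all match decides."""
    for action, names in rules:
        if all(acl_matches(acls[n], req) for n in names):
            return action
    return "deny"  # never reached while a catch-all "deny all" is the last line

ACLS, RULES = parse_conf(SQUID_CONF)

def decide(src, host, when, rules=RULES):
    """Decision for one request; pass a reordered rule list to see shadowing effects."""
    return evaluate(ACLS, rules, {"src": src, "host": host, "when": when})

if __name__ == "__main__":
    print(decide("192.168.1.50", "www.google.com", BUSINESS),
          decide("192.168.1.23", "www.google.com", BUSINESS))
```

Moving the allow line above the deny lines (the mistake the manual warns about) lets the restricted host through, which the shadowed-rule check demonstrates.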

Exercise-4:- This exercise illustrates configuring Web browsers to use your Squid server

If you don't have a firewall that supports redirection, then you need to configure your firewall to only accept HTTP Internet access from the Squid server, as well as configure your PC browser's proxy server settings manually to use the Squid server. The method you use depends on your browser.

For example, to make these changes using Internet Explorer:

1. Click on the "Tools" item on the menu bar of the browser.
2. Click on "Internet Options".
3. Click on "Connections".
4. Click on "LAN Settings".
5. Configure with the address and TCP port (3128 default) used by your Squid server.

Here's how to make the same changes using Mozilla or Firefox:

1. Click on the "Edit" item on the browser's menu bar.
2. Click on "Preferences".
3. Click on "Advanced".
4. Click on "Proxies".
5. Configure with the address and TCP port (3128 default) used by your Squid server under "Manual Proxy Configuration".

Exercises for lab

Exercise 1:- Install the Squid proxy server.

Exercise 2:- Using the Squid proxy server, restrict users from visiting illegal sites.

Exercise 3:- Allow users to visit only legal/allowed sites, and only from trusted IP addresses.

Home Work

1) Make your Squid server transparent to users using a transparent proxy configuration.

To understand the BIND process and DNS client settings

Lab No. 29: DNS Configuration 1

Objective:

To familiarize students with the BIND process and DNS client settings.

Scope:

The students would be able to do the following at the end of this lab:

• Manage the BIND process

• Configure client-side DNS options

• Test that the DNS server is working

Exercise-1:- This exercise illustrates how to get BIND started

Setting up your DNS server is easy to do, but the procedure differs between Linux distributions.

Redhat / Fedora

You can use the chkconfig command to get BIND configured to start at boot:

[root@root]# chkconfig named on

To start, stop, and restart BIND after booting, use:

[root@root]# /etc/init.d/named start
[root@root]# /etc/init.d/named stop
[root@root]# /etc/init.d/named restart

Remember to restart the BIND process every time you make a change to the configuration file for the changes to take effect on the running process.

Debian / Ubuntu

You can use the sysv-rc-conf command to get BIND configured to start at boot:

[root@root]# sysv-rc-conf bind on

To start, stop, and restart BIND after booting, use:

[root@root]# /etc/init.d/bind start
[root@root]# /etc/init.d/bind stop
[root@root]# /etc/init.d/bind restart

Exercise-2:- This exercise describes the /etc/resolv.conf file

DNS clients (servers not running BIND) use the /etc/resolv.conf file to determine both the location of their DNS server and the domains to which they belong. The file generally has two columns; the first contains a keyword, and the second contains the desired values separated by commas. See the table below for a list of keywords:

Take a look at a sample configuration in which the client server's main domain is my-site.com, but it also is a member of the domains my-site.net and my-site.org, which should be searched for shorthand references to other servers. Two name servers, 192.168.1.100 and 192.168.1.102, provide DNS name resolution:

search my-site.com my-site.net my-site.org
nameserver 192.168.1.100
nameserver 192.168.1.102

The first domain listed after the search directive must be the home domain of your network, in this case my-site.com. Placing both a domain and a search entry in /etc/resolv.conf is therefore redundant.

Exercise-3:- This exercise illustrates basic testing of DNS resolution

There are a number of commands you can use to do these lookups. Linux uses the host command, for example, but Windows uses nslookup.

The Host Command

The host command accepts arguments that are either the fully qualified domain name or the IP address of the server when providing results. To perform a forward lookup, use the syntax:

[root@root]# host www.google.com
www.google.com has address 65.115.71.34
[root@root]#

The nslookup Command

The nslookup command provides the same results on Windows PCs. To perform a forward lookup, use:

C:\> nslookup www.google.com
Server:  192-168-1-200.my-site.com
Address: 192.168.1.200

Non-authoritative answer:
Name:    www.google.com
Address: 65.115.71.34

C:\>

Exercises for lab:

Exercise 1:- Configure the BIND process to load at system startup.

Exercise 2:- Configure the resolv.conf file for client-side configuration to use the proper DNS name server.

Exercise 3:- Test whether the DNS server is working or not.

Home Work:

1) Explain the use of the forward lookup zone and reverse lookup zone in DNS.

To understand DNS zone files and schema configuration

Lab No. 30: DNS Configuration 2

Objective:

To familiarize the students with the configuration of DNS zone files and schema.

Scope:

The students would be able to do the following at the end of this lab:

• Configure basic DNS settings

• Set up forward and reverse zone files for name resolution

Exercise-1:- This exercise illustrates how to configure your own nameserver

For the purposes of this tutorial, assume your ISP assigned you the subnet 97.158.253.24 with a subnet mask of 255.255.255.248 (/29).

Configuring resolv.conf

You'll have to make your DNS server refer to itself for all DNS queries by configuring the /etc/resolv.conf file to reference localhost only.

nameserver 127.0.0.1

Creating a named.conf Base Configuration

The /etc/named.conf file contains the main DNS configuration and tells BIND where to find the configuration, or zone, files for each domain you own. This file usually has two zone areas:

Forward zone file definitions list files to map domains to IP addresses.

Reverse zone file definitions list files to map IP addresses to domains.

The first task is to make sure your DNS server will listen for requests on all the required network interfaces. The options section of named.conf may be configured to listen exclusively on its internal hidden localhost interface with an IP address of 127.0.0.1, as we see in this example:

# File: /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; };
};

If other devices are going to rely on your server for queries, then you'll need to either change this or add a selected number of IP addresses on your server. In this example, we allow queries on any interface.

listen-on port 53 { any; };

In this example, we allow queries on localhost and address 192.168.1.100.

listen-on port 53 { 127.0.0.1; 192.168.1.100; };

Note: Always make sure localhost, 127.0.0.1, is included.

Forward Zone File References in named.conf

Let's describe how we point to forward zone files in a typical named.conf file.

In this example the zone file is named my-site.zone, and, although not explicitly stated, the file my-site.zone should be located in the default directory of /var/named/chroot/var/named in a chroot configuration or in /var/named in a regular one. With Debian / Ubuntu, references to the full file path will have to be used. Use the code:

zone "my-web-site.org" {
    type master;
    notify no;
    allow-query { any; };
    file "my-site.zone";
};

In addition, you can insert more entries in the named.conf file to reference other Web domains you host. Here is an example for another-site.com using a zone file named another-site.zone.

zone "another-site.com" {
    type master;
    notify no;
    allow-query { any; };
    file "another-site.zone";
};

Note: The allow-query directive defines the networks that are allowed to query your DNS server for information on any zone. For example, to limit queries to only your 192.168.1.0 network, you could modify the directive to:

allow-query { 192.168.1.0/24; };

Reverse Zone File References in named.conf

Here's how to format entries that refer to zone files used for reverse lookups for your IP addresses.

zone "1.168.192.in-addr.arpa" {
    type master;
    notify no;
    allow-query { any; };
    file "192-168-1.zone";
};

Sample Forward Zone File

Now that you know the key elements of a zone file, it's time to examine a working example for the domain my-site.com.

;
; Zone file for my-site.com
;
; The full zone file
;
$TTL 3D
@       IN      SOA     ns1.my-site.com. hostmaster.my-site.com. (
                        200211152       ; serial#
                        3600            ; refresh, seconds
                        3600            ; retry, seconds
                        3600            ; expire, seconds
                        3600 )          ; minimum, seconds

                NS      www             ; Inet Address of nameserver
my-site.com.    MX      10 mail         ; Primary Mail Exchanger

localhost       A       127.0.0.1
bigboy          A       97.158.253.26
mail            A       97.158.253.27
ns1             CNAME   bigboy
www             CNAME   bigboy

Sample Reverse Zone File

;
; Filename: 192-168-1.zone
;
; Zone file for 192.168.1.x
;
$TTL 3D
@       IN      SOA     www.my-site.com. hostmaster.my-site.com. (
                        200303301       ; serial number
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds

                NS      www             ; Nameserver Address

100     PTR     bigboy.my-site.com.
103     PTR     smallfry.my-site.com.
102     PTR     ochorios.my-site.com.
105     PTR     reggae.my-site.com.

32      PTR     dhcp-192-168-1-32.my-site.com.
33      PTR     dhcp-192-168-1-33.my-site.com.
34      PTR     dhcp-192-168-1-34.my-site.com.
35      PTR     dhcp-192-168-1-35.my-site.com.
36      PTR     dhcp-192-168-1-36.my-site.com.
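As an added example (not from the manual or from BIND), this Python script parses the forward zone file above, follows CNAME chains, reports NS or MX records that point at a CNAME, and derives the PTR entries of the matching reverse zone for the 97.158.253.24/29 subnet from the A records. Zone parsing is simplified to the record forms used in the samples (no $ORIGIN changes, and no multi-line records other than the SOA).

```python
import ipaddress

ORIGIN = "my-site.com."
# Constructed copy of the forward zone file shown above, comments shortened.
FORWARD_ZONE = """\
$TTL 3D
@ IN SOA ns1.my-site.com. hostmaster.my-site.com. (
        200211152   ; serial#
        3600        ; refresh
        3600        ; retry
        3600        ; expire
        3600 )      ; minimum
        NS    www            ; nameserver for the zone
my-site.com. MX 10 mail      ; primary mail exchanger
localhost A 127.0.0.1
bigboy    A 97.158.253.26
mail      A 97.158.253.27
ns1       CNAME bigboy
www       CNAME bigboy
"""

def fqdn(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text, origin):
    """Return [(owner, type, rdata)] with every name fully qualified."""
    records, owner, in_soa = [], origin, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if in_soa:                                # skip the parenthesised SOA values
            in_soa = ")" not in line
            continue
        if line.startswith("$"):                  # $TTL / $ORIGIN directives
            continue
        fields = line.split()
        if not raw[0].isspace():                  # leading blank = same owner as before
            owner = fqdn(fields.pop(0), origin)
        while fields and (fields[0] == "IN" or fields[0].isdigit()):
            fields.pop(0)                         # optional class and TTL
        rtype, rdata = fields[0], fields[1:]
        if rtype == "SOA":
            in_soa = ")" not in line
            continue
        if rtype in ("NS", "CNAME", "MX", "PTR"): # rdata ends with a domain name
            rdata[-1] = fqdn(rdata[-1], origin)
        records.append((owner, rtype, rdata))
    return records

def resolve(records, name, hops=0):
    """A addresses for name, following CNAME chains (at most 8 hops)."""
    addrs = [rd[0] for o, t, rd in records if o == name and t == "A"]
    if addrs:
        return addrs
    cnames = [rd[0] for o, t, rd in records if o == name and t == "CNAME"]
    return resolve(records, cnames[0], hops + 1) if cnames and hops < 8 else []

def check_zone(records, origin):
    """Flag in-zone NS/MX/CNAME targets that do not resolve, and NS/MX targets
    that are CNAMEs (RFC 2181 section 10.3 requires the canonical name)."""
    problems, cname_owners = [], {o for o, t, _ in records if t == "CNAME"}
    for owner, rtype, rdata in records:
        if rtype not in ("NS", "MX", "CNAME"):
            continue
        target = rdata[-1]
        if (target == origin or target.endswith("." + origin)) and not resolve(records, target):
            problems.append("%s %s -> %s does not resolve" % (owner, rtype, target))
        if rtype in ("NS", "MX") and target in cname_owners:
            problems.append("%s %s -> %s is a CNAME; use the A record name" % (owner, rtype, target))
    return problems

def reverse_records(records, network):
    """PTR entries for the reverse zone, derived from the A records inside network."""
    net = ipaddress.ip_network(network)
    return [(ipaddress.ip_address(rd[0]).reverse_pointer, o)
            for o, t, rd in records if t == "A" and ipaddress.ip_address(rd[0]) in net]

if __name__ == "__main__":
    recs = parse_zone(FORWARD_ZONE, ORIGIN)
    print(check_zone(recs, ORIGIN), reverse_records(recs, "97.158.253.24/29"))
```

On the sample zone the checker reports the NS record, because www is a CNAME for bigboy; pointing NS at bigboy directly clears the warning.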

Exercises for lab:

Exercise 1:- Configure the DNS server for name resolution.

Home Work:

1) Elucidate the purpose of the schema file used in configuring a DNS server.

2) Explain the use of the forward lookup zone and reverse lookup zone in DNS.

To understand the DNS cache nameserver

Lab No. 31: DNS Configuration 3

Objective:

To familiarize students with the use of a cache nameserver.

Scope:

The students would be able to do the following at the end of this lab:

• Understand the cache nameserver

• Configure a Linux box as a cache nameserver

Useful Concepts:

Authoritative servers

• Authoritative servers provide the definitive information for your DNS domain, such as the names of servers and Web sites in it. They are the last word in information related to your domain.

Caching DNS server

• These servers, through a process called recursion, sequentially query the authoritative servers at the root, main domain and sub domain levels to eventually get the specific information requested.

When to Use A DNS Caching Name Server

• Most servers don't query authoritative DNS servers directly; they usually ask a caching DNS server to do it on their behalf. The most frequently requested information is then stored (or cached) to reduce the lookup overhead of subsequent queries.

Exercise-1:- This exercise illustrates how to configure your nameserver as a caching nameserver

If your DNS server is also acting as a caching DNS server, then you'll also need a view for localhost to use. We'll use a view called localhost_resolver for this.

The Caching Nameserver localhost_resolver View

The localhost_resolver view is used for your caching DNS server configuration and should look like this:

view "localhost_resolver"
{
    /* This view sets up named to be a localhost resolver
     * ( caching only nameserver ). If all you want is a
     * caching-only nameserver, then you need only define this view:
     */
    match-clients { localhost; };
    match-destinations { localhost; };

    // As your caching name server clients will be using this server
    // for DNS lookups to get to sites all over the Web you'll need to
    // turn on recursion
    recursion yes;

    // All views used by caching nameserver clients must
    // contain the root hints zone. Recursive lookups to DNS domains
    // you don't own (non-authoritative) start here.
    zone "." IN {
        type hint;
        file "named.ca";
    };

    /* these are zones that contain definitions for all the localhost
     * names and addresses, as recommended in RFC1912 - these names should
     * ONLY be served to localhost clients:
     */
    include "/etc/named.rfc1912.zones";

    /*
     * Include zonefiles for internal zones
     */
    include "/var/named/zones/internal/internal_zones.conf";
};

There are some quick facts you should be aware of with your caching name server configuration:

1. If you want your server to be only a caching DNS server, then delete all other views in named.conf and restart the named daemon.

[root@bigboy tmp]# /etc/init.d/named restart

2. Make all the other machines on your network point to the caching DNS server as their primary DNS server.

3. Remember that all DNS queries done on your DNS server appear to come from localhost. If your server is also an authoritative server for your domain, you will have to include a reference to your domain's zone files in this section for the server's own DNS lookups to work. If not, queries from clients defined by the internal and external ACLs will work correctly, but queries for the domain from the server itself will fail. In this example we have included a reference to the internal_zones.conf zone file, which we'll visit again soon. This line can be deleted if your server isn't an authoritative server for your domain.

Note: If you have a localhost-only view like this, make sure you don't reference localhost in any of your other views, as one view will take precedence over the other for queries from your server. This could lead to unpredictable results.

Exercises for lab:

Exercise 1:- Configure the DNS server as a cache nameserver in addition to its role as an authoritative nameserver.

Home Work:

1) Describe the difference between an authoritative nameserver and a cache nameserver.

To understand Dynamic DNS

Lab No. 32: Dynamic DNS

Objective:

To familiarize students with the working of Dynamic DNS and its configuration.

Scope:

The students would be able to do the following at the end of this lab:

• Understand the working of Dynamic DNS

• Install a Dynamic DNS client

• Configure the Dynamic DNS client

• Configure DDNS authentication

Useful Concepts:

Dynamic DNS (DDNS)

Used when you get a changing, dynamic Internet IP address via DHCP from your ISP. You will have to use the services of a third-party DNS provider to provide DNS information for your my-site.com domain.

Exercise-1:- This exercise illustrates registering for DDNS

Once you have decided to go ahead with DDNS you'll need to choose between the broad categories of Dynamic DNS service.

Free Dynamic DNS: Your website name will be a sub domain of the DDNS provider's domain. For example, if the DDNS provider's domain is my-isp.net, then your site will become my-site.my-isp.net. You can perform all the necessary steps on your DDNS service provider's Web site. Remember that this type of service may be undesirable for a company that wants to establish its own corporate identity.

Another disadvantage is that you must rely on your DDNS provider staying in business or else you may lose your domain. When you own your own domain this worry largely goes away, as you are fully in control of the DNS registration and renewal process.

Paid Customized DNS: You can register the domain name of your choice and still host your website on a DHCP line.

If you choose to create your own domain and use a paid DDNS service then you'll need to follow these steps:

1. Register your domains (such as my-site.com) with such companies as Verisign and RegisterFree.

2. Create an account with the DDNS provider and register your websites (sometimes called hosts) as part of your domain (as in www.my-site.com and mail.my-site.com) with them. Your DDNS registration process will provide you with a username and password which you'll need to use when configuring your DDNS client.

3. Update your domain information with your main DNS registrar (Verisign and RegisterFree) to tell them to direct queries to *.my-site.com to the DNS name servers of the DDNS provider.

4. Install a DDNS client on your web servers that continuously runs, only updating the DDNS provider's DNS servers with the most current DHCP IP address of the site whenever it detects a change.

Note: You should also be prepared for slower response times for your home-based site than if you were using a static IP and a regular DNS service.

Exercise-2:- This exercise illustrates how to install a DDNS client on your server

All DDNS service providers require that you use a DDNS client on your web server that will periodically update the IP address information in your provider's DDNS record. The very popular DDclient, for example, now comes in RPM format.

DDNS Client Software - Linux DDclient

One of the most commonly used clients is DDclient, which can overcome the NAT limitations of DDNS by actually logging into your SOHO firewall to determine the latest IP address information. Like most RedHat and Fedora Linux software products, DDclient is available in RPM format. You can usually download the software from your DDNS provider, or you can find it at rpmfind.net. The RPM name usually starts with ddclient followed by a version number, as in ddclient-3.6.3-1.noarch.rpm.

The /etc/ddclient.conf file

The ddclient.conf file is usually installed completely commented out, but provides many configuration examples for the most popular DDNS providers. The most important general parameters to configure are:

Username: Your DDNS account's login name
Password: Your DDNS account's password
Use: The method used to determine the IP address to advertise to the DDNS server.

Some important DDNS provider parameters are:

Server: The name of the DDNS provider's main DNS server
Protocol: The methodology the DDNS client should use to communicate with the DDNS server
Your domain: The domain to which your web server will belong

You can use the ddclient command to determine the best use parameter to use in the ddclient.conf file. In this example, only the use=web option gives a valid Internet IP address and should be considered as the first option:

[root@root]# ddclient -daemon=0 -query
use=if, if=lo address is 127.0.0.1
use=if, if=wlan0 address is 192.168.1.100
use=web, web=dyndns address is 97.158.253.26
[root@root]#

Take a look at a sample configuration. This example specifies a username of my-account-login-name and a password of my-account-password, using the dyndns DDNS service provider's settings to track the Web site named mysite-example.dnsalias.com.

# General Parameter Section
login=my-account-login-name
password=my-account-password

# DDNS Provider Parameters Section
server=members.dyndns.org, \
protocol=dyndns2 \
mysite-example.dnsalias.com

You can add one of the following use lines to the General Parameter Section near the top of the file to define the method that will be used to determine the correct IP address:

Query A Well Known Internet Server: The web method queries two well known servers run by DynDNS.org and DNSpark to determine the public Internet IP address of the web server running the DDclient software. This method is the simplest, as it requires no further information and handles NAT correctly.

use=web

Use The IP Address Of A Specific Server NIC: You can also use this option, which will query the IP address of the DDclient web server's NIC interface of your choice. This is probably most valuable for servers connected directly to the Internet, and not via NAT.

use=if, if=eth0

Login To Your SOHO Firewall For Information: The ddclient.conf file has a list of use statements for various vendors' firewalls. If your model isn't listed, you can create your own parameters as outlined in the ddclient README file. This option is good for NAT environments where the "use=web" option isn't considered a good alternative.

After editing your configuration file you'll have to start ddclient as shown in the next section.

Exercise-3:- This exercise illustrates how to get DDclient started

You can configure DDclient to start at boot time using the chkconfig command:

[root@root]# chkconfig ddclient on

You can start, stop, and restart DDclient after boot time using the DDclient initialization script as in:

[root@root]# service ddclient start
[root@root]# service ddclient stop
[root@root]# service ddclient restart

Remember to restart the ddclient process every time you make a change to the ddclient.conf file for the changes to take effect on the running process.

You can test whether the ddclient process is running with the pgrep command; you should get a response of plain old process ID numbers:

[root@root]# pgrep ddclient

Exercises for lab:

• Exercise 1:- Install Dynamic DNS client software.

• Exercise 2:- Configure DDNS client authentication.

Home Work:

1) What are the advantages of a dynamic DNS server?

References:

www.linuxhomenetworking.com.