Network Operating Systems
Lab Manual
Javid Ali
The Practice of Knowledge
Department of Computer Science
COMSATS Institute of Information Technology
Abbottabad
Tahir Maqsood
TABLE OF CONTENTS
Lab No. 01: Linux Basic Installation
Lab No. 02: Linux shell and Basic shell commands
Lab No. 03: Command Line File Manipulation
Lab No. 04: Command Line File processing
Lab No. 05: Command line Text Editors (Vim)
Lab No. 06: Managing the file system
Lab No. 07: Command line Process Management
Lab No. 08: Basic Bash Scripting, writing and executing bash scripts
Lab No. 09: Advance Bash Scripting 1
Lab No. 10: Advance Bash Scripting 2
Lab No. 11: Introduction to gcc
Lab No. 12: Linux Networking 1
Lab No. 13: Linux Networking 2
Lab No. 14: Network troubleshooting
Lab No. 15: Installing Linux Software
Lab No. 16: Linux Boot Process
Lab No. 17: Configuring Linux DHCP Server
Lab No. 18: Managing Linux Users and sudo
Lab No. 19: Configuring Samba
Lab No. 20: Sharing Resources using samba
Lab No. 21: Linux firewalls using iptables
Lab No. 22: Configuring Linux FTP Server
Lab No. 23: Telnet and TFTP and XINETD
Lab No. 24: Web Hosting With the Apache Web Server
Lab No. 25: Monitoring Server Performance
Lab No. 26: Network Based Linux Installation
Lab No. 27: Remote Disk Access with NFS
Lab No. 28: Controlling Web Usage with Squid
Lab No. 29: DNS Configuration 1
Lab No. 30: DNS Configuration 2
Lab No. 31: DNS Configuration 3
Lab No. 32: Dynamic DNS
Lab No. 01: Linux Basic Installation
Objective:
This lab provides a basic step-by-step installation of the Linux operating system. A simple approach has
been adopted out of the many ways available for different configurations.
Scope:
On completing this exercise, the students will be able to:
• Install the Linux operating system
• Create and manage Linux disk partitions
• Configure different system resources during installation
• Select packages during installation
Useful Concepts:
Partition
• A region of a hard disk set aside as a separate logical disk with its own filesystem
Mount point
• A logical location in a file system that provides a link to another file system
Package
• An application that can be installed on a UNIX/Linux system.
Boot loader
• A small program that runs at system boot and starts an operating system
Exercise-1:- This exercise demonstrates the step-by-step installation of the Linux operating system. The procedure is shown in Figure 1 – Figure 19 as follows:
• in the boot screen, press Enter
• in the installation welcome screen, click Next
• in the language selection screen, click Next
• in the keyboard configuration screen, click Next
• in the installation type screen, choose Server and click Next
• in the disk partitioning screen, you can select one of the following options:
◦ remove all Linux partitions
◦ remove all partitions on this disk
◦ keep all partitions and use free space
If you choose manual partitioning, select the free space and create the following partitions:
Mount Point | Size (MB) | Filesystem Type
/boot | 200 | ext3
(none) | 2 × RAM size | swap
/ | all available free space | ext3
After clicking Next:
• in the partition warning screen, click Yes
• in the partition removal screen, click Next
• in the partitioning removal warning screen, click Yes
• in the disk setup screen, click Next
• in the boot loader screen, click Next
• in the network configuration screen, click Next
• in the firewall configuration screen, click Next
• in the time zone selection screen, choose Asia/Riyadh
• in the root password screen, enter the root password (min. 6 characters), confirm it and click Next
• in the package group selection screen, you can select different packages to install. Packages are grouped in different categories. Choose the packages of your choice to install. The Server group has server packages like apache, dhcp, squid etc. If you did not select the server installation option in step five, here is the chance to select the servers of your choice. After selecting packages, click Next to go to the next screen
• in the about to install screen, click Next
• in the installation status screen, wait while files are installed
• in the installation complete screen, take out the DVD and click Reboot
Figure 1. Fedora Core boot screen.
Figure 2. Fedora Core installation welcome screen.
Figure 3. Language selection screen.
Figure 4. Keyboard configuration screen.
Figure 5. Installation type screen.
Figure 6. Disk partitioning screen.
Figure 7. Partition warning screen.
Figure 8. Partition removal screen.
Figure 9. Partitioning removal warning screen.
Figure 10. Disk setup screen.
Figure 11. Boot loader screen.
Figure 12. Network configuration screen.
Figure 13. Firewall configuration screen.
Figure 14. Time zone selection screen.
Figure 15. Root password screen.
Figure 16. Package group selection screen.
Figure 17. About to install screen.
Figure 18. Installation status screen.
Figure 19. Installation complete screen.
Exercises for lab:
Exercise 1:- The actual configuration of the system is left to your discretion except for those particular sections of the installation for which specific directions are given. Record every configuration step in your notebook clearly enough to allow someone else to follow your installation steps exactly.
Home Work:
1) List any problems you had during the installation process, and their solutions. Also, answer the
following questions:
• Why did you put /boot in the first location of the hard drive and force it to be a primary partition?
• What is the advantage of using different partitions for different sections of the filesystem?
• Specifically describe the critical difference between the partitions /dev/hda1 and /dev/hda5.
• Why don’t you want to use root as the regular login on your machine?
2) How can shadow passwords, when enabled, help in security?
Lab No. 02: Linux shell and Basic shell commands
Objective:
To introduce the student to Linux's most popular command line shell, BASH. This lab will cover basic
commands used in Unix/Linux.
Scope:
On the completion of this lab, you will be able to:
• Describe the bash and its features.
• Understand the bash environment.
• Use some frequently-used commands in the UNIX/Linux environment.
Useful Concepts:
Shell
• A piece of software that provides an interface for users.
• Typically, an operating system shell which provides access to the services of a kernel.
• Generally fall into one of two categories:
i. command-line
ii. graphical
• Bash (Bourne-again shell) is the default shell on most systems built on top of the Linux
kernel as well as on Mac OS X and it can be run on most Unix-like operating systems.
Terminal
An instance of a shell that provides an interface for the user to enter commands and run processes
Shell Prompt
• Location in the terminal where you can enter commands.
• Represented by $ or >
Root directory
/ is the primary directory where all other directories reside.
Mount point
The location in the operating system's directory structure where a mounted file system appears
Package
Computer software packaged in an archive format to be installed by a package management system or a
self-sufficient installer
Boot loader
The small program that starts loading OS into RAM, also known as a bootstrap loader, or bootstrap or
boot loader
Exercise-1:- This exercise illustrates how to view content of a directory and move around
the file system.
To get a listing of the directory contents, type:
ls
For a long view of the listing with time stamps, file permissions and file ownerships type:
ls -l
To move to directory-name directory type:
cd directory-name
To go to the /etc directory you simply type
cd /etc
To go one step back type:
cd ..
To go to user's home directory, type:
cd ~
To display the path of the directory you are currently working in, type:
pwd
At any point using the TAB key after typing a few characters in at the bash prompt will make bash fill in
the rest of the file or directory name that matches what you have typed. If there is more than one match,
tap the tab key twice and it will list all the matches.
Exercise-2:- This exercise illustrates how to clear screen contents and display history of
command already used in the shell.
If you want to see the list of all commands you have used on the shell, type:
history
To clear the terminal screen, type:
clear
Exercise-3:- This exercise illustrates how to display or change the system date and display the calendar of different months and years.
To display calendar of the current month type:
cal
To display calendar of the prev/current/next month type
cal -3
To display weeks that starts on Monday, type:
cal -m
To display calendar of March 1988, type:
cal 03 1988
To display current system date, type:
date
To change the date to Thu Mar 3 23:05:25 2009, type:
date -s "Thu Mar 3 23:05:25 2009"
Exercise-4:- This exercise illustrates how to get help about a command and search for command instances:
To go to manual page of a command, say ls, type:
man ls
To get information about command usage, say ls, type:
info ls
To report all known instances of a command, e.g. ls, type:
whereis ls
To locate a program file in the user's path, type:
which command_name
Exercise-5:- This exercise illustrates the use of miscellaneous commands:
To print system name, type:
hostname
To set host name to mylinuxbox@linuxserver, type:
hostname mylinuxbox@linuxserver
To display the linux system information, type:
uname -r
To print all usernames currently logged in, issue the following command.
who
To print the current user id and name, type
whoami
Exercises for lab:
Exercise 1:- Open a shell and practice all the commands given above. Use man command to explore the
manual page of each command and then try these commands with different options. Note the
effect of the options on the output.
Home Work:
1) Write a note on the Linux shell.
2) Compare the bash shell with the C shell and the Korn shell. What new features were added to the bash shell?
Lab No. 03: Command Line File Manipulation
Objective:
To familiarize the students with basic file and directory management using shell.
Scope:
Student will be able to perform the following tasks at the end of this lab:
• The Working Directory
• Listing Directory Contents
• Viewing Files
• Copying Files
• Moving and Renaming Files
• Searching for Files by File Name & by Content
• Creating Directories & Subdirectories
• Creating Symbolic Links
Useful Concepts:
Working Directory
• A special directory remembered by the shell, interpreted to be the directory you are currently "in".
• Important for situations where relative paths are in use.
Symbolic link
• A symbolic (or soft) link is an indirect reference to a file, similar to an “alias” in Mac OS
or a “shortcut” in Windows.
Meta characters
• Characters having special meaning to the terminal
• Wildcards are Meta characters that can represent different characters in a string.
The following table lists some special characters with a brief description and an example of each:
Character | Function | Example
\ | Escape character. If you want to reference a special character literally, you must "escape" it with a backslash first. | touch /tmp/filename\*
/ | Directory separator, used to separate a string of directory names. | /usr/src/linux
. | Current directory. Can also "hide" files when it is the first character in a filename. | .htaccess
.. | Parent directory. | cd ..
~ | User's home directory. | cd ~
* | Represents 0 or more characters in a filename, or by itself, all files in a directory. | More details in the next section
? | Represents a single character in a filename. | hello?.txt can represent hello1.txt or helloz.txt, but not hello22.txt
[ ] | Represents a range of values, e.g. [0-9], [A-Z], etc. | hello[0-2].txt represents the names hello0.txt, hello1.txt and hello2.txt
; | Command separator. Allows you to execute multiple commands on a single line. | cd /var/log ; less messages
Exercise-1:- This exercise illustrates how to view the contents of a file.
To view file contents on the shell console, type:
cat filename
To merge the contents of two or more files and display them on screen, type:
cat file1 file2 file3 ...
To display a screenful of the file's text at a time on the terminal, type:
more filename
To display file contents one screenful at a time with page-up and page-down options, type:
less filename
To view the first k lines of a file, type:
head -n k filename
e.g., to display the first 5 lines of the file myfile on the terminal, type:
head -n 5 myfile
To display the last 5 lines of the file myfile on the terminal, type:
tail -n 5 myfile
Exercise-2:- This exercise illustrates the file copy, move, rename and delete commands.
To copy a file to the same directory under a different name, type:
cp source_file_name destination_file_name
To copy a file to a different directory, e.g. from /home/cs to /root, type:
cp /home/cs/myfile /root/myfile
To move a file to a different destination, type:
mv source destination
To rename a file, type:
mv oldname newname
To delete a file from the current directory, type:
rm filename
To delete a file in a different directory, give its full path name, like:
rm /home/cs/myfile
To delete an empty directory, type:
rmdir directory_name
To delete a non-empty directory, type:
rm -r directory_name
To delete a file forcefully, type:
rm -f file_name
Exercise-3:- This exercise illustrates how to search for files and identify file types.
To search for a file on the entire disk, the locate command is used. Type:
locate filename
To search for a file in a particular directory and its subdirectories, use the find command. Type:
find directory_name -name filename
To find a specific file, say myfile.txt, in the current directory and its subdirectories, type:
find . -name myfile.txt -print
To search for all files whose names begin with the characters com, starting in the directory /home, type (the pattern is quoted so that the shell does not expand it before find sees it):
find /home -name 'com*' -print
To search for a file based on its content instead of its name, use the grep command. To search all files in the current directory for the string students, type:
grep students ./*
To search all files in the current directory for strings starting with stu and ending with nts, type (in a grep regular expression, .* matches any sequence of characters):
grep 'stu.*nts' ./*
To find out whether a file is a binary file, an executable file, a regular text file etc., type:
file filename
Exercise-4:- This exercise illustrates how to create files or directories and change timestamps.
To create an empty file, use the touch command; type:
touch myfile.txt
To create three files at once, type:
touch file1 file2 file3
To change the time of last modification of the file myfile to 12/04/2009 (read here as 12 April 2009 and given to the -t option as [[CC]YY]MMDDhhmm), type:
touch -t 200904120000 myfile
To create a directory, type:
mkdir directory
To create a directory along with any missing directories in its path, type:
mkdir -p /home/cs/assignments/assignment1
To create on your desktop a symbolic link to the file friends in the cs folder of your home directory, type:
ln -s ~/cs/friends ~/Desktop/friends
Exercises for lab:
Exercise 1:- Write shell commands to carry out the following tasks:
• Add a directory named testdir under the path /home/users/path/
• Create a file named testfile in the testdir directory
• Change the creation date and modification date of the directory to 16/03/1983
• Create a symbolic link on your desktop to testfile
Home Work:
Carry out the following exercises and submit your documented work.
1) Create the directory /home/zahid/assignment/assignment1 while your current working directory is /home, using a single shell command.
2) Create a directory with the following names
• assign.doc
• assigns.doc
• assign.txt
• quiz.txt
• quiz.cpp
3) Write a command to rename assign.doc file to assignment.doc
4) Delete all files with extension .txt using shell command.
5) Display all files names starting with ‘as’.
Lab No. 04: Command Line File processing
Objective:
To familiarize students with directory level and file level security, and with compressing and archiving techniques.
Scope:
On the completion of this lab, students will be able to:
• Understand file types used in LINUX system.
• View and modify file access permission.
• Change the ownership of files and directories
• Create backup for critical files using archives
Useful Concepts:
Access Permissions
• The ability of a user to access a file or directory.
• Three general types of permissions are read permission, write permission and execute permission.
File owner
• The user of the system to whom the file belongs.
Archive
• A collection of contents (files or directories) for backup purpose.
Compression
• A technique used for reducing the size of a file or a directory without affecting its contents.
Exercise-1:- This exercise shows which types of files are used in Linux and how to find out about file types.
Linux treats each device as a file. There are many types of file used in Linux. Use the ls -l command to find the type of a file. For example:
javidali@JLaptop:/dev$ ls -l
crw-rw----+ 1 root audio 14, 4 2009-04-28 07:01 audio
drwxr-xr-x 3 root root 60 2009-04-28 12:01 bus
crw------- 1 root dialout 5, 1 2009-04-28 07:01 console
lrwxrwxrwx 1 root root 11 2009-04-28 07:01 core -> /proc/kcore
srw-rw-rw- 1 root root 0 2009-04-28 07:01 log
brw-rw---- 1 root disk 8, 1 2009-04-28 12:01 sda1
javidali@JLaptop:/dev$
In this example, the first character in each row, i.e. the first column, represents the file type. The following table shows the file types and their representation symbols with a short description.
Symbol | File type | Description
- | Regular files | Text files, PostScript, graphics files, Hypertext (HTML), video files etc.
d | Directories | Files that act as containers for other files
b | Block files | Files used for block (parallel) devices. Data from such devices are read or written in blocks.
c | Character files | Files used for character (serial) devices. Data from such devices are read or written character by character.
l | Symbolic links | Shortcuts to other files or directories
s | Socket files | Files used in communication
Regular files other than text files can be explored by using an appropriate program, as indicated in the
table below. Follow the command with the name of the file to view it or omit the file name and select the
file from the menu once the program is running.
File Type | Application Name | Command for the application
PostScript | gv (based on GhostView) | gv
Portable Document Format (PDF) | Adobe Acrobat Reader | acroread
Image files | XV | xv
Image files | The Gimp | gimp
LaTeX output (DVI) | xdvi | xdvi
Hypertext (HTML) | Netscape | Netscape
MP3 and MPEG | gtv | gtv
Exercise-2:- This exercise demonstrates how to view and change the access permissions of a file.
We noticed in Exercise-1 that the ls -l command presents a long listing with a line like the following for each file:
-rw-r--r-- 1 root javidali 0 2009-04-28 08:26 newfile.txt
Here the first character in the first column (-) indicates that the file is a normal file. The next 9 characters indicate the access permissions for the file. These 9 characters are divided into 3 groups of 3 characters, with the following meaning:
• (-) represents no permission
• (r) represents 'read' permission
• (w) represents 'write' permission
• (x) represents 'execute' permission
The three groups represent the user (owner of the file), the group (to which the owner belongs) and others (any other user of the system) respectively.
The three characters in each group are for 'read', 'write' and 'execute' permission respectively.
In our example, the owner has 'read' and 'write' permission for the file and everyone else has only 'read' permission.
For a normal file, the meaning of read, write and execute permissions is obvious.
For a directory, read and write permissions mean the ability to read the contents of the directory and to create new entries in the directory. Execute permission means that one can search (traverse) the directory but not read from or write to the directory.
You can use the chmod command to change the access permissions of a file or a directory. To specify
permissions for a file with chmod, any of the following two methods can be used.
• use a symbolic mode
• use an octal mode
Symbolic mode uses a combination of the following symbols:
Symbol Meaning
u User
g Group
o Other
a All (equals to ugo)
+ Add a permission
- Remove (take away) a permission
r Read permission
w Write permission
x Execute permission
For example, if the current working directory has these files:
javidali@JLaptop:~$ ls -l
-rwxr-xr-x 1 root root 955 2009-04-21 08:07 arithmatics.sh
-rw-r--r-- 1 javidali javidali 130 2009-04-19 05:29 boidata.txt
drwxr-xr-x 2 javidali javidali 4096 2009-04-08 19:56 Desktop
drwxr-xr-x 2 javidali javidali 4096 2009-03-12 14:30 Documents
-rwx------ 1 javidali javidali 512000 2009-03-24 18:00 install_v10.70.2.3.tar
-rw-r--r-- 1 javidali javidali 750 2009-04-28 08:42 lsresults.txt
-rwxrwxrwx 1 root root 207 2009-04-10 15:55 myscript.sh
-rw-rw-rw- 1 root root 208 2009-04-10 15:55 myscript.sh~
-rw-r--r-- 1 student cs 0 2009-04-28 08:26 newfile.txt
javidali@JLaptop:~$
then to give write permission to the group and read permission to others for all files in the current directory, type the command:
javidali@JLaptop:~$ chmod g+w,o+r *
Now look at the permissions again:
javidali@JLaptop:~$ ls -l
-rwxr-xr-x 1 root root 955 2009-04-21 08:07 arithmatics.sh
-rw-r--r-- 1 javidali javidali 130 2009-04-19 05:29 boidata.txt
drwxr-xr-x 2 javidali javidali 4096 2009-04-08 19:56 Desktop
drwxr-xr-x 2 javidali javidali 4096 2009-03-12 14:30 Documents
-rwx-w-r-- 1 javidali javidali 512000 2009-03-24 18:00 install_v10.70.2.3.tar
-rw-rw-r-- 1 javidali javidali 750 2009-04-28 08:42 lsresults.txt
-rwxrwxrwx 1 root root 207 2009-04-10 15:55 myscript.sh
-rw-rw-rw- 1 root root 208 2009-04-10 15:55 myscript.sh~
-rw-rw-r-- 1 student cs 0 2009-04-28 08:26 newfile.txt
javidali@JLaptop:~$
Then, to take the read and write permissions away from the owner of the file myscript.sh, the owner's group and all other users, type the command:
javidali@JLaptop:~$ chmod a-rw myscript.sh
The result is:
javidali@JLaptop:~$ ls -l myscript.sh
---x--x--x 1 root root 207 2009-04-10 15:55 myscript.sh
Often your home directory holds important documents and access to it needs to be restricted. If you want to take all three access permissions away from everyone but the user, use the command:
javidali@JLaptop:~$ chmod go-rwx ~
Octal mode uses the same symbols for user, group and other, but for access permissions it uses octal numbers.
Permission | Octal Number | Equivalent symbol
Read | 4 | r--
Write | 2 | -w-
Execute | 1 | --x
If two or more permissions are to be set, the octal numbers are added together. For example, r-x is equivalent to 4+1=5 and rw-r--r-- is equivalent to 644. Now, for example, to give read, write and execute permission to the user, write permission to the group and read permission to others for the file myscript.sh, type the command:
javidali@JLaptop:~$ chmod 724 myscript.sh
Here is the result:
-rwx-w-r-- 1 root root 207 2009-04-10 15:55 myscript.sh
To secure your home directory from everyone but the user, use the command:
javidali@JLaptop:~$ chmod 700 ~
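The symbolic/octal conversion above, as an added example that is not part of the lab manual: a POSIX shell script that turns the 9-character permission field from ls -l into the octal mode chmod expects and back again, then uses the same field to flag entries in a listing that are writable by everyone. The sample listing is constructed, modelled on the lab's output.

```shell
#!/bin/sh
# Added example, not from the lab manual. Converts between the 9-character
# permission field printed by ls -l (e.g. rwx-w-r--) and the octal mode used by
# chmod, with the weights from the table above (r=4, w=2, x=1), then uses the
# field to flag entries that are writable by "others" (everyone on the system).

# Print the character at 1-based position $2 of string $1.
char_at() {
    printf '%s' "$1" | cut -c"$2"
}

# perm_to_octal rwx-w-r--   prints 724
perm_to_octal() {
    perms=$1
    if [ "${#perms}" -ne 9 ]; then
        echo "perm_to_octal: need 9 characters, got '$perms'" >&2
        return 1
    fi
    result=""
    pos=1
    while [ "$pos" -le 9 ]; do            # one pass each for user, group, other
        n=0
        case $(char_at "$perms" "$pos") in r) n=$((n + 4)) ;; esac
        case $(char_at "$perms" $((pos + 1))) in w) n=$((n + 2)) ;; esac
        # s or t in the execute slot (setuid/setgid/sticky) still means x is set
        case $(char_at "$perms" $((pos + 2))) in x|s|t) n=$((n + 1)) ;; esac
        result="$result$n"
        pos=$((pos + 3))
    done
    printf '%s\n' "$result"
}

# octal_to_perm 724   prints rwx-w-r--   (a leading digit such as in 0700 is ignored)
octal_to_perm() {
    mode=$1
    len=${#mode}
    if [ "$len" -gt 3 ]; then
        mode=$(printf '%s' "$mode" | cut -c$((len - 2))-)
    fi
    result=""
    pos=1
    while [ "$pos" -le 3 ]; do
        d=$(char_at "$mode" "$pos")
        case $d in
            [0-7]) ;;
            *) echo "octal_to_perm: bad octal digit '$d'" >&2; return 1 ;;
        esac
        if [ $((d / 4 % 2)) -eq 1 ]; then result="${result}r"; else result="${result}-"; fi
        if [ $((d / 2 % 2)) -eq 1 ]; then result="${result}w"; else result="${result}-"; fi
        if [ $((d % 2)) -eq 1 ]; then result="${result}x"; else result="${result}-"; fi
        pos=$((pos + 1))
    done
    printf '%s\n' "$result"
}

# world_writable "<ls -l line>"  succeeds when "others" have write access.
world_writable() {
    field=${1%% *}                                  # first field, e.g. -rw-rw-rw-
    perms=$(printf '%s' "$field" | cut -c2-10)      # drop the file-type character
    [ "$(char_at "$perms" 8)" = w ]                 # 8th char = write bit of others
}

# Constructed sample listing, modelled on the lab's ls -l output.
SAMPLE_LISTING='-rwxrwxrwx 1 root root 207 2009-04-10 15:55 myscript.sh
-rw-rw-rw- 1 root root 208 2009-04-10 15:55 myscript.sh~
-rw-r--r-- 1 student cs 0 2009-04-28 08:26 newfile.txt
drwx------ 2 javidali javidali 4096 2009-04-08 19:56 Private'

# count_world_writable "<listing>"  prints how many entries others may write to.
count_world_writable() {
    count=0
    while IFS= read -r line; do
        if world_writable "$line"; then count=$((count + 1)); fi
    done <<EOF
$1
EOF
    printf '%s\n' "$count"
}

printf 'rwx-w-r-- -> %s\n' "$(perm_to_octal rwx-w-r--)"    # 724
printf '644 -> %s\n' "$(octal_to_perm 644)"                # rw-r--r--
printf 'world-writable entries: %s\n' "$(count_world_writable "$SAMPLE_LISTING")"   # 2
```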
Exercise-3:- This exercise shows how to view and change the ownership of a file.
The ls -l command can be used to view the owner of a file. For example, to find out who the owner of the file newfile.txt is, issue the following command:
student@JLaptop:~$ ls -l newfile.txt
---x--x--x 1 student cs 207 2009-04-10 15:55 newfile.txt
Here the column next to the number '1' shows that 'student' is the owner of this file, and the next column indicates that the group of this file is 'cs'.
Use the chown command to change the owner of a file. For example, to change the owner of the file 'newfile.txt' from student to root, issue the following command:
javidali@JLaptop:~$ chown root newfile.txt
The result is:
javidali@JLaptop:~$ ls -l newfile.txt
---x--x--x 1 root cs 207 2009-04-10 15:55 newfile.txt
Note that you have to change the group as well; for example, to change the owner and group of the file 'newfile.txt' both to root, try the following command:
javidali@JLaptop:~$ sudo chown root:root newfile.txt
The effect will be like:
javidali@JLaptop:~$ ls -l newfile.txt
---x--x--x 1 root root 207 2009-04-10 15:55 newfile.txt
Exercise-4:- This exercise describes the ways to compress and uncompress files and to make archives of files for backup purposes.
Among many available utilities for archiving and compression purposes are the tar and gzip utilities. tar
is an archiving utility while gzip is used for compressing the file size. Compressed files can be restored
to their original form using gzip -d or gunzip or zcat. Now for example to backup the 'mydata' directory
inside home directory of user 'student', we will first archive the directory and then compress the archive
file. Steps are:
javidali@JLaptop:~$ sudo tar -cvf backup.tar /home/student/mydata/
/home/student/mydata/.synaptic/
/home/student/mydata/.synaptic/options
.
.
/home/student/mydata/DriverInstall/sk98lin.tar.bz2
/home/student/mydata/Music/
javidali@JLaptop:~$
We can find that mydata directory and backup.tar file both have the same size. To reduce this size we
have to compress the archive. Here is the command;
javidali@JLaptop:~$ gzip backup.tar
Output of this command is a file named backup.tar.gz
To uncompress the file again, issue the command
javidali@JLaptop:~$ gzip -d backup.tar.gz
Or
javidali@JLaptop:~$ gunzip backup.tar.gz
Or you can use the tar command to uncompress and extract the contents of the file in one step. Example:
javidali@JLaptop:~$ tar -xzf backup.tar.gz
where the -z switch runs gzip from within the tar command, -x extracts the contents and -f names the archive file.
To list the contents of an archive, use the -t switch with the tar command:
javidali@JLaptop:~$ tar -tf backup.tar
And to extract the contents of the archive, issue the following command.
javidali@JLaptop:~$ tar -xvf backup.tar
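The archive, compress, list and extract sequence above, as an added example that is not part of the lab manual: a POSIX shell script that backs up a constructed sample directory to a .tar.gz, checks the compressed file with gzip -t, restores it to a separate location and compares the restored tree with the original, which is the check that tells you a backup is actually usable. Paths are created under a temporary directory rather than the lab's /home/student/mydata.

```shell
#!/bin/sh
# Added example, not from the lab manual: tar + gzip backup of a directory with a
# verified restore. All paths are constructed inside a temporary directory.

# make_sample_tree DIR  creates a small tree to back up (constructed data).
make_sample_tree() {
    mkdir -p "$1/notes" "$1/Music"
    printf 'lab 04 archive test\n' > "$1/notes/readme.txt"
    printf 'second file\n' > "$1/notes/todo.txt"
    : > "$1/Music/empty.mp3"
}

# backup_dir SRC ARCHIVE  writes ARCHIVE (a .tar.gz) from SRC. Paths are stored
# relative to SRC's parent (-C), so a restore only ever writes under the chosen
# destination directory.
backup_dir() {
    src=$1; archive=$2
    tar -cf "${archive%.gz}" -C "$(dirname "$src")" "$(basename "$src")"
    gzip -f "${archive%.gz}"      # produces ARCHIVE and removes the plain .tar
    gzip -t "$archive"            # integrity check of the compressed data
}

# archive_entries ARCHIVE  prints the number of entries listed by tar -t.
archive_entries() {
    tar -tzf "$1" | wc -l | tr -d ' '
}

# restore_and_verify ARCHIVE SRC DEST  extracts into DEST and compares the
# restored tree with SRC; exit status 0 means every file came back identical.
restore_and_verify() {
    archive=$1; src=$2; dest=$3
    mkdir -p "$dest"
    tar -xzf "$archive" -C "$dest"
    diff -r "$src" "$dest/$(basename "$src")"
}

# Full round trip; prints the number of archive entries (6 for the sample tree).
backup_roundtrip() {
    work=$(mktemp -d)
    make_sample_tree "$work/mydata"
    backup_dir "$work/mydata" "$work/backup.tar.gz"
    restore_and_verify "$work/backup.tar.gz" "$work/mydata" "$work/restore"
    archive_entries "$work/backup.tar.gz"
    rm -rf "$work"
}

backup_roundtrip
```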
Exercises for lab:
Exercise 1:- Change the access permissions of the home directory of your login user to match drwxr-xr-x, using both symbolic mode and octal mode.
Exercise 2:- Create a file and modify its access permissions so that the file can be executed by user, group and others in addition to its current permission settings.
Exercise 3:- Create an archive and add all subdirectories of your home directory to that archive.
Home Work:
1) Search the manual pages of the utilities gzip and tar and write a procedure to add files and directories to an existing archive.
2) Write a note on the advantages of file level security in operating systems.
3) Why do we often compress files before adding to an archive?
Lab No. 05: Command line Text Editors (Vim)
Objective:
To enable students to use command line editors for editing text files. On completing this lab, students will have sufficient knowledge of vim / vi and its features for their daily tasks.
Scope:
On the completion of this lab, you will be able to:
• Start the editor, moving cursor around and exiting the editor.
• Work in command mode.
• Copy, cut and paste text
• Format programs and check source code
• Search Character/string.
• Recover Your Work.
Useful Concepts:
vi
• A screen-based editor used by many UNIX users.
• Has a powerful feature to aid programmers.
Editing modes
There are two editing modes that the editor can be executed in.
• Insert mode
User can type text in this mode
• Command mode
User can use commands for operation on the file. (e.g. saving, exiting, searching, etc)
Text Buffers in VI
• There are 36 special buffers and also a general purpose buffer for temporary storage of words or lines. When a block of text is cut from the file it is placed into the general purpose buffer but, if specified, the block of text can also be stored in another buffer. Buffers are named a to z and 0 to 9.
Exercise-1:- This exercise illustrates how to start the editor, move the cursor around and exit from the editor.
To start the editor from command line, type
vi
An empty file will be opened in the editor. If you want to open an existing file in the editor, type
vi filename
To switch to 'Insert' mode, press:
i key
The -- INSERT -- keyword at the bottom of the screen indicates that you are in insert mode, and the cursor will start blinking. Pressing
a
in command mode also takes you into insert mode at the current cursor position, after which you can enter any text.
To move cursor around while you are in command mode, press
h key = move left
l key = move right
k key = move up
j key = move down
you can also use arrow keys while in insert mode to do the same tasks.
To switch back to command mode, press
Escape key
While in command mode, each command is preceded by colon ":"
To exit the editor without saving changes made to the file, switch to command mode and type,
:q!
To save changes and exit the editor, switch to command mode and type the command,
:wq
Where "w" is for writing changes to the file and "q" is to quit or exit the editor
Exercise-2:- This exercise illustrates how to work in command mode in the vi editor.
Press the Escape key to switch to command mode, then practice the following commands and observe the
results.
To replace the single character under the cursor, type:
r
To undo the last change to the file, type (typing u again will re-do the change):
u
To delete the character after the current cursor position, type:
x
Exercise-3:- This exercise illustrates how to Copy, Cut and paste the text
To cut text from the file, type,
d
To cut multiple characters, type:
NUMd
where NUM is the number of characters to cut.
To cut the whole line, type:
dd
To cut from the current cursor position to the beginning of the line, type:
d^
To cut from the current cursor position to the end of the line, type:
d$
To cut from the current cursor position to the end of the word, type:
dw
To cut three lines from the current cursor position downwards, type:
3dd
The y (yank) command works like the d command but only copies the text instead of cutting it.
To paste the buffer after the cursor position, type:
p
to paste the buffer before the cursor position type:
P
To paste the text for the specified number of times, say 3, before the cursor position, type:
3P
Exercise-4:- This exercise illustrates how to format a program and check source code for
correctness.
You can use the sw (shift width) variable to set up the indentation for each level of nesting in code.
To set the shift width to 4 characters, type:
:set sw=4
To Shift the current line one shift width to the left, type:
:<<
To Shift the current line three shift width to the right, type:
:3>>
To check for matching parenthesis or brace in your code, place the cursor onto a parenthesis or brace and
type:
:%
Exercise -5:- This exercise illustrates how to search for a character or string in a file using vi.
To search for a string forwards in the file, say "comsats", type:
/comsats
To search for a string backwards in the file, say "comsats", type:
?comsats
To repeat the previous search in the same direction, type:
n
To repeat the previous search in the opposite direction, type:
N
To search for a special character in the file, type a backslash (\) before the character.
Some special characters that are used in search expressions and their meaning:
^ Beginning of the line (at the beginning of a search expression).
. Matches a single character.
* Matches zero or more of the previous character.
$ End of the line (at the end of the search expression).
[ ] Starts a set of matching, or non-matching, characters. For example, /f[iae]t matches any of fit, fat
and fet. With ^ as the first character of the set it matches anything except those characters: /a[^bcd]
will not match ab, ac or ad, but matches an a followed by any other letter.
\< \> Put in an expression, escaped with the backslash, to find the beginning or the end of a word. For
example, /\<the\> finds only the word the, not words like there and other.
There are two sets of commands used for character search within a line: [f & F] and [t & T].
To search for a character forwards within the current line, say 'j', type:
fj
Or
tj
To search for a character backwards within the current line, say 'j', type:
Fj
Or
Tj
; or , command can be used to repeat these two sets of commands.
; repeats the last character search command in the same direction,
, repeats the command in the reverse direction
Exercise -6:- This exercise illustrates how to recover your work:
The vi editor keeps a temporary copy of your edited file, and when you save your work, it puts the contents
of the temporary copy into the original file. If the file is closed accidentally during editing, the vi editor
will attempt to save your work for you to recover later.
To recover the file named myfile, start the editor with the -r option for recovery:
vi -r myfile
and then save the recovered file.
Note: The -r option only works once per failed vi session.
Exercises for lab:
Exercise-1: Open a file in vi editor and practice all the commands given below.
^B ^D ^F ^H ^J ^M ^N ^P ^U $ % ^
( ) { } | + - _ 0 B E
G H L M W b e h j k l
w
Note the effect of the options on the output.
Home Work:
1) Practice the following cursor movement commands and write a note on them:
^E ^Y z C
2) Practice the following text replacement commands and write a note on them:
R S c r s
3) Practice the following search commands and write a note on them:
, / ; ? F N T f
n t
4) Practice the following formatting commands and write a note on them:
~ < > J
Lab No. 06: Managing the file system
Objective:
To update the students with knowledge about command line file system and partition management.
Scope:
On the completion of this lab, you will be able to recognize:
• Pathnames
• Relative/Absolute Paths,
• Path and Environmental Settings,
• Directories vs. Partitions in the File System,
• Recognizing/modifying Partitions.
• Understand the bash environment.
Useful Concepts:
Directory
A special type of file that contains other files or directories, the same as a folder in Windows.
File system
Like other platforms (Windows, Mac OS, etc.), the Linux file system is hierarchical. Directories can
be created inside other directories in a tree-like structure.
Root Directory
The Linux file system tree has only one root, called the root directory, represented by /
Sub Directory
A directory inside another directory is usually called a subdirectory.
Pathname
A pathname is the sequence of directories to be followed to reach a file. For example, the pathname of the
file myfile.txt in the cs user's home directory is /home/cs/myfile.txt.
Absolute pathnames
A pathname that contains all the information needed to find a file, that is, one that starts from the root
directory /, is called an absolute pathname.
Relative pathname
A pathname that contains the information necessary to find a file from a particular point in the tree is called
a relative pathname. For example, from the directory /home, the relative pathname of myfile.txt is just
cs/myfile.txt. Note that this pathname has no leading /.
Exercise-1:- This exercise illustrates how Multiple Disks in the File system are represented.
Each partition of the disk is mounted at a separate directory in the filesystem. So, for example, a separate
disk may be mounted at the directory /mnt. In this case, every time you access something in directory
/mnt, you are actually accessing a file on this separate disk. This is transparent to the user, but you can
peek at which disks are mounted where on a computer by using the df command in the shell. You will see
something like this:
Filesystem  1k-blocks     Used Available Use% Mounted on
/dev/hda8      497667    78511    393454  17% /
/dev/hda1       14607     2758     11095  20% /boot
/dev/hda7     5308207  1085340   3948063  22% /usr
/dev/hdc       609750   609750         0 100% /mnt/cdrom
The first line indicates that the disk with symbolic name /dev/hda8 is mounted at the root directory.
The second line indicates that another disk with symbolic name /dev/hda1 is mounted at subdirectory
/boot. The third line is similar.
The disk in the fourth line represents the CD-ROM drive, which is mounted at /mnt/cdrom.
Exercise-2:- This exercise illustrates how to recognize disks.
To see all the disks and partitions on your system, you can list the files in the /dev directory. The
ls /dev command will display all the device-related files.
To display only the disk-related files, type:
ls /dev | grep -E '^[hsf]d'
The output will be something like:
hda1 hda3 hda5 hda7 hdb2 fd0 fd1 sda1 sda8 sdb2
etc.
Here is a brief description of file system names.
Disk file name Description
fd0 First floppy disk drive
fd1 Second floppy disk drive
hda First master hard disk drive (IDE-0 master)
hdb First slave hard disk drive (IDE-0 slave)
hdc Second master hard disk (IDE-1 master)
sda First SCSI disk drive
sdb Second SCSI disk drive
Exercise-3:- This exercise illustrates recognizing partitions.
Enter the command ls /dev | grep -E '^[hsf]d'
to display only the disk-related files; the output will be something like:
hda1 hda3 hda5 hda7
hdb2 fd0 fd1 sda1 sda8 sdb2
Disk file name Description
hda1 First master hard disk drive (IDE-0 master), first primary partition
hda3 First master hard disk drive (IDE-0 master), third partition
hda5 First master hard disk drive (IDE-0 master), 1st logical partition
hda7 First master hard disk drive (IDE-0 master), 3rd logical partition
hdb1 First slave hard disk drive (IDE-0 slave), 1st partition
sda1 First SCSI disk drive, first primary partition.
sdb8 Second SCSI disk drive, 4th logical partition
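The following shell script is an added example, not part of the lab manual: it parses df-style output (the sample embedded in it is constructed to mirror the listing in Exercise-1) and classifies /dev names with the MBR numbering rule behind the tables above, where partitions 1 to 4 are primary or extended and 5 and up are logical. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the lab manual): parse df-style output and classify
# partition device names the way the lab's tables do.

# Constructed sample with the same columns as the lab's df listing.
SAMPLE_DF='Filesystem 1k-blocks Used Available Use% Mounted on
/dev/hda8 497667 78511 393454 17% /
/dev/hda1 14607 2758 11095 20% /boot
/dev/hda7 5308207 1085340 3948063 22% /usr
/dev/hdc 609750 609750 0 100% /mnt/cdrom'

# device_for MOUNTPOINT: print the device mounted there (nothing if none).
# Reads df-style text on stdin and skips the header line.
device_for() {
    awk -v mp="$1" 'NR > 1 && $6 == mp { print $1; exit }'
}

# usage_pct DEVICE: the Use% column for DEVICE, digits only, from stdin.
usage_pct() {
    awk -v d="$1" 'NR > 1 && $1 == d { sub("%", "", $5); print $5; exit }'
}

# partition_kind DEVNAME: classify a name such as hda5, /dev/sdb8 or fd0 using
# the MBR rule: partition numbers 1-4 are primary (or extended), 5+ are logical,
# and a logical partition's ordinal is its number minus 4 (hda7 -> 3rd logical).
partition_kind() {
    dev=${1#/dev/}
    case $dev in
        fd[0-9]*) echo "floppy drive" ;;
        [hs]d[a-z]) echo "whole disk" ;;
        [hs]d[a-z][1-9]|[hs]d[a-z][1-9][0-9])
            num=${dev#??[a-z]}   # strip the "hda"/"sdb" part, leaving the number
            if [ "$num" -le 4 ]; then
                echo "primary partition $num"
            else
                echo "logical partition $((num - 4))"
            fi ;;
        *) echo "unknown device name: $dev"; return 1 ;;
    esac
}

# Run directly with device names to classify them, e.g. ./partitions.sh hda5 sdb8
for arg; do
    partition_kind "$arg"
done
```

To use it against the real machine instead of the sample, pipe `df` into `device_for` and `usage_pct`.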
Exercise-4:- This exercise illustrates Mounting/un-mounting partition:
To see the contents stored on a partition you must have a mount point in the root directory from where
you can access those contents. To mount a partition, for example hda5 to the /mnt directory, type:
mount /dev/hda5 /mnt
Doing this, you will be able to see the contents of the hda5 partition in the /mnt directory.
To mount a Windows NTFS partition, type:
mount -t ntfs-3g partition_path mount_point
To unmount a partition, type either:
umount partition
Or
umount mount_point
e.g.
umount /dev/hda5
Or
umount /mnt
Either of the two commands will unmount the partition /dev/hda5 mounted on /mnt.
To locate a program file in the user's path, type:
Exercise-5:- This exercise describes Miscellaneous commands:
cfdisk Partition table manipulator for Linux
export Set an environment variable
fdisk Partition table manipulator for Linux
quota Display disk usage and limits
quotacheck Scan a file system for disk usage
Exercises for lab:
Exercise 1:- Test all the above exercises and write a note on each exercise. Write the results of the
commands on successful execution or the error message on any failure and discuss
it with your lab instructor.
Exercise 2:- How many disks and partitions are available on your system? Create a directory in your home
directory and mount the first logical partition of your primary hard disk to that directory.
Check whether you are able to access the contents of the newly mounted file system or not.
Home Work:
1) Define primary partition, extended partition and logical partition. How many primary partitions
can you create in a single disk?
2) Search the web and find the procedure for mounting a filesystem over the network (remote
mounting).
Lab No. 07: Command line Process Management
Objective:
The objective of this lab is to introduce the students to command-line process control and management.
Scope:
The student will be able to know the following at the end of this lab:
• Listing Processes
• Ending a Process
• Running a Process in the Background
• Changing the process favorability (priority)
Useful Concepts:
Processes
Linux, like most modern operating systems, is multitasking, which means that it can execute many programs
simultaneously. A program that is currently executing is called a process. A Linux system consists
of several dozen active processes at any time.
Some of these processes are system processes that perform important “behind the scenes” tasks and some
are user processes corresponding to programs like Netscape or Emacs.
Nice
A process's favorability for access to system resources (processor time)
Signals
A special instruction to the process under consideration
Exercise-1:- This exercise illustrates Listing Processes
You can view the processes that are currently running on the system with the ps command. Type ps now
and you will see something like the following:
javidali@JLaptop:~$ ps
  PID TTY          TIME CMD
23985 pts/0    00:00:01 bash
24001 pts/0    00:00:00 ps
javidali@JLaptop:~$
This tells you that you are running 2 processes and the commands (CMD) used to start them were bash
(your shell) and ps (the process you just started when you entered ps). The first column in the list, headed
by PID, gives the process ID for each process, an integer used to uniquely identify each process. The next
column, TTY, gives the terminal name to which the process is attached. The third column, TIME, gives
the amount of time the process has been running for (or the amount of time it has been running since it
was last sleeping or stopped).
Using ps by itself only gives information about processes that you own, which, unless you are a system
administrator, is usually all the information you need. If you want information about all the processes
running on the system, you can issue the ps aux command. This command combines 3 options (the normal
dash before options is not necessary) which, together, give information about all processes of all
users. Here is a (significantly trimmed) example of what this output might look
like:
USER       PID %CPU %MEM   VSZ   RSS TTY   STAT START  TIME COMMAND
root         1  0.0  0.0  1324    76 ?     S    Jul23  0:12 init [5]
root         2  0.0  0.0     0     0 ?     SW   Jul23  0:21 [kflushd]
root         3  0.0  0.0     0     0 ?     SW   Jul23  0:03 [kupdate]
root         4  0.0  0.0     0     0 ?     SW   Jul23  0:00 [kpiod]
root         5  0.0  0.0     0     0 ?     SW   Jul23  0:14 [kswapd]
root         6  0.0  0.0     0     0 ?     SW<  Jul23  0:00 [mdrecoveryd]
root       415  0.0  0.1  1548   160 ?     S    Jul23  0:02 syslogd -m 0
rpc        440  0.0  0.1  1472   252 ?     S    Jul23  0:00 portmap
root       456  0.0  0.0     0     0 ?     SW   Jul23  0:00 [lockd]
root       500  0.0  0.2  5744   272 ?     S    Jul23  0:00 [ypbind]
nobody     566  0.0  0.0  7616    24 ?     S    Jul23  0:00 [identd]
.
.
.
root      1006 14.7 24.7 62796 31612 ?     R    Jul23 53:50 /etc/X11/X
javid     7892  0.0  1.2  7580  1564 ?     S    14:15  0:00 gnome-session
javid     7957  0.0  1.3  4700  1700 ?     S    14:15  1:39 sawmill
javid     7966  0.0  2.1  9336  2784 ?     S    14:15  3:51 panel
javid     7969  0.0  0.8  8404  1092 ?     S    14:15  0:00 gmc
javid     7972  0.0  0.7  3560   968 ?     S    14:15  0:11 xscreensaver
javid     7992  0.0  1.3  7676  1676 ?     S    14:26  0:21 gnome-terminal
javid     7994  0.0  0.6  2440   796 pts/0 S    14:26  0:01 bash
javid    12504  0.0  0.1  2004   156 pts/0 S    15:08  0:00 netscape
javid    24059  0.0  0.7  2728   900 pts/0 R    15:42  0:00 ps aux
This listing gives a lot of information about the 100 or so processes that are probably currently executing
on the system. For example, you can gather that the computer was rebooted last on July 23. You can see
that X windows (/etc/X11/X) is using almost 25% of the computer’s memory at the moment and 15% of
the CPU time. You can also view the current status (STAT) of each of the processes in the system. An R
in this column means that the process is currently “runnable” which, as you will learn when you take
Operating Systems, means that the process is either currently running or in the ready queue, waiting to
gain access to the processor. An S indicates that the process is “sleeping” (currently not waiting to use the
processor). A W means that, in addition to sleeping, the process has been “swapped out” (not currently
resident in memory but on the disk instead). Lastly, the < marks a process that is given higher priority
than normal while waiting for the CPU.
Exercise-2:- This exercise illustrates how to terminate a Process
Sometimes you will come across a process that locks up and just won’t quit, no matter what you do. In
this case, the only alternative is to force the process to quit. If the process is one that you started from the
shell in the foreground, you can end it by typing Ctrl - C. If the process is running in the background, you
will need to issue the kill command followed by a process ID. For example, to kill the Netscape process
above, you would type:
kill 12504
If this does not work, use the -9 (or -s SIGKILL) option to forcibly kill the process.
The kill command (or Ctrl - C) also comes in handy when you must kill a program that you wrote with an
infinite loop!
Exercise-3:- This exercise illustrates how to Run a Process in the Background
When you run a program in Linux, it can either be run in the foreground or in the background. When you
run a program in the foreground (which is the default), the resulting process must finish before you get
another prompt in the shell. This is fine when you run short processes like ls, for example. However, if
you want to run Netscape (for example) from the shell, you probably do not want to have to quit Netscape
in order to get a new prompt to, say, copy a file. The alternative is to run Netscape in the background,
which means that the new process will run concurrently with the shell prompt, and a prompt will be returned
to you immediately. To run a program in the background, simply follow the command with an ampersand
(&) character. For example, to run Netscape in the background, type:
netscape &
Generally speaking, any time you run a program that generates its own window on the desktop, it is best
to run it in the background.
If you start a program in the foreground by mistake and want to turn it into a background process, hit Ctrl
- Z , which suspends the process. Then type
bg
this command restarts the currently suspended process in the background.
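The following script is an added example, not part of the lab manual: it automates the termination sequence Exercise-2 describes for a background job (kill with SIGTERM first, kill -9 only if the process is still there). It assumes Linux, because the zombie check reads /proc; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the lab manual): stop a background process the way
# the lab describes, SIGTERM first and SIGKILL only if the process does not exit.

# is_alive PID: succeed while PID still exists. kill -0 sends no signal, it only
# checks that the process can be signalled. On Linux a child that has exited but
# has not been waited for (a zombie) still answers kill -0, so read its state
# from /proc/PID/stat (the field after the ")" that closes the command name)
# and treat state Z as gone.
is_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    [ -r "/proc/$1/stat" ] || return 0
    state=$(sed 's/^.*) //' "/proc/$1/stat" | cut -d' ' -f1)
    [ "$state" != Z ]
}

# stop_process PID [TIMEOUT]: send SIGTERM, wait up to TIMEOUT seconds
# (default 5) for a clean exit, then escalate to SIGKILL (the -9 of the lab).
# Prints which signal ended the process; exit status 0 when it is gone.
stop_process() {
    pid=$1
    timeout=${2:-5}
    is_alive "$pid" || { echo "no such process: $pid"; return 1; }
    kill -TERM "$pid" 2>/dev/null || true
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if ! is_alive "$pid"; then
            wait "$pid" 2>/dev/null || true   # reap it if it is our own child
            echo "pid $pid terminated by SIGTERM"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "pid $pid still running after ${timeout}s, escalating to SIGKILL"
    kill -KILL "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true           # SIGKILL cannot be ignored, so this returns promptly
    sleep 1
    is_alive "$pid" && { echo "pid $pid survived SIGKILL"; return 1; }
    echo "pid $pid terminated by SIGKILL"
    return 0
}

# Demo when run with STOP_DEMO=1: start a background job (the lab's "command &"),
# show it with ps, then stop it.
if [ "${STOP_DEMO:-0}" = 1 ]; then
    sleep 60 &
    ps -o pid,stat,args -p "$!"
    stop_process "$!" 3
fi
```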
Exercises for lab:
Exercise 1:- List all the processes that belong to root user.
Exercise 2:- Create a process of gedit and send it to background.
Exercise 3:- Change the priority of the process created in exercise no. 2.
Home Work:
1) Find the difference between the output of the top utility and the ps aux command.
2) What kinds of signals are used to control a process in UNIX operating system? Where can you
find the list of available signals and their numerical values?
Lab No. 08: Basic Bash Scripting, writing and executing bash scripts
Objective:
To familiarize students with the basics of bash scripting: how to write and execute bash scripts under the
Linux environment.
Scope:
The students would be able to do the following at the end of this lab:
• Write Hello world script.
• Usage of Variables, Global vs. Local variables
• Passing arguments to the bash script
• Executing shell commands with bash
• Reading User Input/ output
Useful Concepts:
Bash
• A UNIX shell as well as an interpreter
Script
• A set of instructions (commands) that can be executed by a shell (interpreter).
Exercise-1:- Hello world example. The script declares a string variable, stores “Hello
World” in it and finally prints the value of variable on the screen.
#!/bin/bash
# declare STRING variable
STRING="Hello World"
#print variable on a screen
echo $STRING
Saving and executing the scripts
Save the above script in the file named “hello_world.sh”
Navigate to the directory where the script is saved
Execute the script using the command “./hello_world.sh”
Exercise -2:- This exercise explains the use of Global vs. Local variables
#!/bin/bash
#Define bash global variable
#This variable is global and can be used anywhere in this bash script
VAR="global variable"
function bash {
#Define bash local variable
#This variable is local to bash function only
local VAR="local variable"
echo $VAR
}
echo $VAR
bash
# Note the bash global variable did not change
# "local" is bash reserved word
echo $VAR
Exercise -3:- This exercise illustrates Passing command line arguments to the bash script
#!/bin/bash
# use predefined variables to access passed arguments
#echo arguments to the shell
echo $1 $2 $3 ' -> echo $1 $2 $3'
# We can also store arguments from bash command line in special array
args=("$@")
#echo arguments to the shell
echo ${args[0]} ${args[1]} ${args[2]} ' -> args=("$@"); echo ${args[0]} ${args[1]} ${args[2]}'
#use $@ to print out all arguments at once
echo $@ ' -> echo $@'
# use $# variable to print out
# number of arguments passed to the bash script
echo Number of arguments passed: $# ' -> echo Number of arguments passed: $#'
Passing arguments to the scripts
./arguments.sh Bash Scripting Tutorial
Here ./arguments.sh is the filename and the remaining are the arguments passed to the script.
Exercise -4:- This exercise illustrates Executing shell commands with bash
#!/bin/bash
# use backticks " ` ` " to execute shell command
echo `uname -o`
# executing bash command without backticks
echo uname -o
Exercise -5:- This exercise illustrates Reading User Input
#!/bin/bash
echo -e "Hi, please type the word: \c "
read word
echo "The word you entered is: $word"
echo -e "Can you please enter two words? "
read word1 word2
echo "Here is your input: \"$word1\" \"$word2\""
echo -e "How do you feel about bash scripting? "
# read command now stores a reply into the default built-in variable $REPLY
read
echo "You said $REPLY, I'm glad to hear that! "
echo -e "What are your favorite colours ? "
# -a makes read command to read into an array
read -a colours
echo "My favorite colours are also ${colours[0]}, ${colours[1]} and ${colours[2]}:-)"
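The argument and read exercises above use unquoted $1 $2 $3 and a plain read, which is fine for single words. The following script is an added example, not part of the lab manual, showing what quoting changes when an argument or an input line contains spaces or backslashes; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the lab manual): how quoting decides what a script
# receives from its arguments and from read.

# count_args ARGS...: number of arguments actually received.
count_args() {
    echo "$#"
}

# unquoted_count ARGS...: forwards with bare $@, so the shell re-splits every
# argument on whitespace (and expands wildcards) before count_args sees it.
unquoted_count() {
    count_args $@
}

# quoted_count ARGS...: forwards with "$@", which keeps each argument whole.
# This is the form to use whenever the arguments can contain spaces.
quoted_count() {
    count_args "$@"
}

# join_args ARGS...: "$*" joins all arguments with the first character of IFS.
# The body runs in a subshell so the changed IFS does not leak to the caller.
join_args() (
    IFS=,
    echo "$*"
)

# read_line: read one line from stdin exactly as given. Without -r, read
# treats backslashes as escapes; without IFS=, it trims leading and trailing
# blanks. Fails at end of input.
read_line() {
    IFS= read -r line || return 1
    printf '%s\n' "$line"
}

# Run directly to compare the two forms on the script's own arguments,
# e.g. ./quoting.sh "Bash Scripting" Tutorial
if [ "$#" -gt 0 ]; then
    echo "unquoted: $(unquoted_count "$@") words, quoted: $(quoted_count "$@") arguments"
    echo "joined: $(join_args "$@")"
fi
```

Save it, make it executable with chmod +x, and run it with arguments that contain spaces to see the two counts differ.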
Exercises for lab:
Exercise 1:- Write a shell script that adds two numbers and prints their sum.
Exercise 2:- Write a script that takes a student's information as input and prints it to the screen.
Home Work:
1) Write a comparative report on the pros and cons of at least three scripting languages.
Lab No. 09: Advance Bash Scripting 1
Objective:
To familiarize students with the concept of Bash if/else statements, bash loops and bash comparisons.
Scope:
The students would be able to do the following at the end of this lab:
• Write shell scripts with conditional execution.
• Using loops in bash scripts
Exercise-1:- Simple Bash if/else statement. In this example we declare a variable named directory
and assign it a value. Then we check in the if statement whether the directory exists or
not and the relevant message is printed on the screen accordingly.
Please note the spacing inside the [ and ] brackets! Without the spaces, it won't work!
#!/bin/bash
directory="./BashScripting"
# bash check if directory exists (the variable is quoted so a path with spaces still works)
if [ -d "$directory" ]; then
echo "Directory exists"
else
echo "Directory does not exist"
fi
Exercise -2:- This exercise demonstrates Bash “for” loop
#!/bin/bash
# bash for loop
for f in $( ls /var/ ); do
echo "$f"
done
Exercise -3:- This exercise demonstrates Bash while loop
#!/bin/bash
COUNT=6
# bash while loop
while [ $COUNT -gt 0 ]; do
echo Value of count is: $COUNT
let COUNT=COUNT-1
done
Exercise -4:- This exercise demonstrates Bash until loop
#!/bin/bash
COUNT=0
# bash until loop
until [ $COUNT -gt 5 ]; do
echo Value of count is: $COUNT
let COUNT=COUNT+1
done
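The lab exercises below read numbers from the user and feed them to [ -eq ] tests and arithmetic, both of which misbehave on anything that is not an integer. The following script is an added example, not part of the lab manual: it combines the if/else and loop forms above with the input check a script should make first; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the lab manual): validate input before it reaches a
# numeric test or $(( )). An unchecked string makes [ -eq ] print an error and
# return false, and in bash an expression built from user input can trigger
# further expansions, so reject anything that is not a plain number up front.

# is_uint STRING: succeed only if STRING is a non-empty run of digits.
# The case patterns do the check without any external command.
is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# checked_add A B: print A+B, or fail without evaluating non-numeric input.
checked_add() {
    if is_uint "$1" && is_uint "$2"; then
        echo $(( $1 + $2 ))
    else
        echo "error: both arguments must be whole numbers" >&2
        return 1
    fi
}

# compare A B: the lab's if/else chain on two numbers, guarded by the same
# check. Prints equal, greater or smaller; returns 2 on bad input.
compare() {
    is_uint "$1" && is_uint "$2" || return 2
    if [ "$1" -eq "$2" ]; then
        echo "equal"
    elif [ "$1" -gt "$2" ]; then
        echo "greater"
    else
        echo "smaller"
    fi
}

# count_valid ARGS...: a for loop over the arguments that counts the numeric
# ones, the pattern for validating everything a script was started with.
count_valid() {
    n=0
    for arg; do
        if is_uint "$arg"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# countdown N: the lab's while loop, refusing to start from a non-number.
countdown() {
    is_uint "$1" || { echo "error: $1 is not a whole number" >&2; return 1; }
    count=$1
    while [ "$count" -gt 0 ]; do
        echo "Value of count is: $count"
        count=$((count - 1))
    done
}

# Run directly as ./numcheck.sh A B to add and compare two values.
if [ "$#" -eq 2 ]; then
    checked_add "$1" "$2" && compare "$1" "$2"
fi
```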
Exercises for lab:
Exercise 1:- Write a shell script that inputs two numbers from the user and checks whether they are equal or not.
Exercise 2:- Write a script that takes a number as input from the user and prints its multiplication table.
Home Work:
1) Write a script that takes a number as input from the user and calculates its factorial.
2) Write a script that takes a number as input from the user and checks whether it is a prime number or not.
Lab No. 10: Advance Bash Scripting 2
Objective:
To familiarize students with the concept of arrays in bash scripting, bash functions and bash file
testing/handling.
Scope:
The students would be able to do the following at the end of this lab:
• Write shell scripts that make use of arrays.
• Use functions in their shell scripts.
• Use various file testing options in their code
Useful Concepts:
Bash File Testing Options
-b filename Block special file
-c filename Character special file
-d directoryname Check for directory existence
-e filename Check for file existence
-f filename Check for regular file existence, not a directory
-G filename Check if file exists and is owned by the effective group ID
-g filename True if file exists and is set-group-id
-k filename Sticky bit
-L filename Symbolic link
-O filename True if file exists and is owned by the effective user ID
-r filename Check if file is readable
-S filename Check if file is a socket
-s filename Check if file has nonzero size
-u filename Check if the file's set-user-id bit is set
-w filename Check if file is writable
-x filename Check if file is executable
Exercise -1:- This exercise demonstrates how to Declare simple bash array
#!/bin/bash
#Declare array with 4 elements
ARRAY=( 'Debian Linux' 'Redhat Linux' Ubuntu Linux )
# get number of elements in the array
ELEMENTS=${#ARRAY[@]}
# echo each element in array
# for loop
for (( i=0;i<$ELEMENTS;i++)); do
echo ${ARRAY[${i}]}
done
Exercise -2:- This exercise demonstrates how to Read file into bash array
#!/bin/bash
#Declare array
declare -a ARRAY
#Open file for reading to array
exec 10<bash.txt
let count=0
while read LINE <&10; do
ARRAY[$count]=$LINE
((count++))
done
echo Number of elements: ${#ARRAY[@]}
# echo array's content
echo ${ARRAY[@]}
# close file
exec 10>&-
Exercise -3:- This exercise demonstrates Bash Functions
#!/bin/bash
# BASH FUNCTIONS CAN BE DECLARED IN ANY ORDER
function function_B {
echo Function B.
}
function function_A {
echo $1
}
function function_D {
echo Function D.
}
function function_C {
echo $1
}
# FUNCTION CALLS
# Pass parameter to function A
function_A "Function A."
function_B
# Pass parameter to function C
function_C "Function C."
function_D
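The following script is an added example, not part of the lab manual: it puts the file-testing options from the table above to work before a script writes to or reads from a path it was given, and reworks the descriptor-based reader of Exercise-2 with -r and a last-line check. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the lab manual): file tests as the guard a script
# should run before trusting a file name it received, plus a safer version of
# the lab's "read a file through a descriptor" loop.

# safe_target PATH: succeed if PATH is safe to (over)write as a regular file:
# not a symbolic link (-L), not a directory or device (-f), owned by the
# effective user (-O) and writable (-w). A path that does not exist yet is
# accepted when its directory exists and is writable.
safe_target() {
    path=$1
    if [ -L "$path" ]; then
        echo "refused: $path is a symbolic link" >&2
        return 1
    fi
    if [ -e "$path" ]; then
        [ -f "$path" ] || { echo "refused: $path is not a regular file" >&2; return 1; }
        [ -O "$path" ] || { echo "refused: $path is owned by another user" >&2; return 1; }
        [ -w "$path" ] || { echo "refused: $path is not writable" >&2; return 1; }
    else
        dir=$(dirname "$path")
        [ -d "$dir" ] && [ -w "$dir" ] || { echo "refused: cannot create files in $dir" >&2; return 1; }
    fi
    echo "ok: $path"
}

# count_lines FILE: number of lines in FILE, read via descriptor 3 like the
# lab's Exercise-2. IFS= and -r keep each line intact (no trimming, no
# backslash processing), and the "|| [ -n "$line" ]" clause still counts a
# final line that has no trailing newline, which a plain "while read" drops.
count_lines() {
    [ -f "$1" ] && [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    n=0
    exec 3<"$1"
    while IFS= read -r line <&3 || [ -n "$line" ]; do
        n=$((n + 1))
    done
    exec 3<&-
    echo "$n"
}

# Run directly as ./filecheck.sh PATH to test a path and, if readable, count its lines.
if [ "$#" -eq 1 ]; then
    safe_target "$1" && [ -e "$1" ] && count_lines "$1"
fi
```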
Exercises for lab:
Exercise 1:- Write a shell script that inputs a file name as a string from the user and checks whether a file with this name
exists or not.
Exercise 2:- Write a shell script that reads the contents of a text file and counts the number of words in the
file. Implement the word counting in a separate function.
Home Work:
1) Write a shell script that copies a single file to all directories in the tree of the root filesystem using
recursion.
Lab No. 11: Introduction to gcc
Objective:
Objective of this lab is to familiarize the student with the GNU C compiler.
Scope:
The student will be able to know the following at the end of this lab:
• Use a command line editor to write a C/C++ program
• Compile a C/C++ program
• Make a program
• Debug and execute a C/C++ program
Useful Concepts
gcc
A command line GNU C compiler
g++
A command line C++ compiler
Compiling
A process of converting source code to object code
Make
• A utility used to manage large projects involving different files
• Its input is a makefile that describes the files involved in the project and the dependencies
between them
Debugging
• Process of removing logical errors from the code
• GNU DDD (Data Display Debugger) is a debugger with a more sophisticated interface
that, among other things, incorporates an interactive graphical data display feature, where
data structures are displayed as graphs.
Exercise-1:- This exercise demonstrates writing a C program in Linux text editors.
To write a C program, you can use any editor. Linux has a rich set of code-oriented GUI editors (with
syntax highlighting, indentation, etc.), e.g. glimmer, nedit, gvim, kwrite and xemacs. But if you are
using the command line, you can try the vim or emacs editor; we will use vim in our example.
Type the following at the command prompt:
vim introprogram.c
You will have an empty file opened in the vim editor if the file introprogram.c did not exist before.
Press the i key to switch to insert mode and type the following program:
#include <stdio.h>   /* declares printf */
int main(void)
{
    printf("\n welcome to gcc tutorial");
    return 0;
}
Hit ESC key to switch back to command mode and type
:wq
to save the program and exit the editor.
Exercise-2:- This exercise demonstrates Compiling Programs
You can learn more about g++ later by looking at the man pages. (There’s a lot there!) For now, we’ll just
look at the basics.
To compile the C program of exercise 1, in the shell, simply type
gcc -o intro_program introprogram.c
in the terminal window. The -o option gives the name of the executable to create; if omitted, the executa-
ble will be called a.out.
In general you’ll probably want to compile programs with more options specified. Here is a better way to
compile a program:
gcc -g -Wall -o intro_program introprogram.c
The -g option produces debugging information in the executable.
The -Wall option instructs the compiler to display all warnings.
To compile multiple source files into one executable, just include them all on the command line. For ex-
ample, to compile
prog1.c and prog2.c into a single executable called prog, type:
gcc -g -Wall -o prog prog1.c prog2.c
Once you have a working executable program, go to a terminal window to execute it. Make sure you are
in the correct directory and then type the name of the executable program.
Exercise-3:- This exercise explains the use of the make utility
When you are creating large software projects, it is usually a good idea to break the code into multiple
source files. This way, errors are usually easier to find and edit, and when you recompile the program you
only need to recompile the file you changed and those upon which it depends. Of course, this can become
confusing and complicated when the system becomes large. Linux has a powerful tool called make that
allows you to efficiently manage a complex project and compile it efficiently. The make utility reads a
file called a makefile that describes the files involved in the project and the dependencies between them.
Each line in a makefile is of the form:
targets: dependencies
<Tab> commands
Here, targets is a list of target files separated by spaces and dependencies is a list of files on which the
targets depend. In other words, if any of the files in a dependency list is modified, make should recompile
and/or relink the target. The commands are the commands used to recreate the targets. (Note that the
<Tab> preceding commands really must be a tab character and not several spaces.)
For example, consider the following simple makefile:
# A simple makefile
sort: sort.o list.o
	g++ sort.o list.o -o sort
sort.o: sort.cc sort.h
	g++ -g -c sort.cc
list.o: list.cc list.h
	g++ -g -c list.cc
This file states that the executable sort is dependent on the object files sort.o and list.o. If either of these
object files change, the command g++ sort.o list.o -o sort should be used to recreate (link) sort from the
object files. The next two groups show how to create the object files. The first states that sort.o should be
recreated (compiled using g++) if sort.cc or sort.h changes. (The -c option to g++ tells the compiler to
only compile, creating object files, and not to link them together.) The third group does a similar thing for
list.o. So, you can see that if, for example, list.h is modified,
list.o and then sort will need to be recreated but sort.o will not.
To use this makefile, it should be placed in the same directory as the source files and named Makefile.
Then, execute make sort to compile and link everything.
Exercise-4:- This exercise demonstrates the Debugging process.
You can start up DDD by typing ddd in the shell, followed by the name of your executable program. In
order for the source program to be visible to the debugger, you must have compiled the program with the
-g option, which includes debugging information in the executable. To simply run your program in DDD,
press the Run button in the small floating window that appears. The output of your program will be dis-
played in the window below your source code. The Interrupt button will stop a running program, the same
way a Ctrl - C does in the shell. If you want to continue to run your program from where you left off,
press the Cont button. Usually, when you are debugging a program, you want the program to stop execu-
tion at some point so that you can examine the value of a variable or check some other part of your pro-
gram. To stop your program, you set a breakpoint. To set a breakpoint, find the line of your source code
where you wish to stop and click to the left of it with the left mouse button. Then press the Break button
(with the stop sign) below the menu bar. A stop sign icon should appear to the left of the line. Now, when
you run your program, execution will stop every time this line is reached. You can set as many break-
points as needed. To clear a breakpoint, do the same thing, except this time the stop sign will be dimmed
and the button will say Clear instead.
If you wish to have your program stop every time the value of some variable changes, you can set a
watchpoint. To set a watchpoint, left-click on a variable name in your source code and press the Watch
button below the menu bar.
Once your program has stopped, there are two options (buttons) for stepping through your program a line
at a time — Step and Next. To step means to proceed to the next line of source code in your program,
even if it is inside a function. The Next option advances to the next source line, but treats function-calls as
if they were single instructions. The Stepi and Nexti buttons behave similarly, but recognize individual
machine language instructions, not lines of source code.
To view the value of a variable as your program runs, select that variable name by left-clicking on it and
then press the Display button below the menu bar. A box with that variable’s value will appear in a new
window above your source code.
These are the basics of DDD. But there is quite a bit more to learn if you desire. The display function of
DDD, in particular, is quite sophisticated and flexible. Under the Help menu, you can find context-sensitive
help and a detailed manual (also available at www.gnu.org/manual/ddd/). You will also notice that if
you linger over a button with the cursor, a description of that button will appear.
Exercise-5:- This exercise demonstrates the execution of a program
To execute the program from the terminal window or a shell, type the name of the executable file (the
output file of the compiling process). For example, to run the program of exercise 1, type:
./introprogram
Where ./ is the relative path of the executable file named introprogram.
You can also use the absolute path to execute a program, or add the directory to the user's search path in
order to execute the program without referring to its path.
To use the absolute path, for example if your executable file is located at /home/cs, type:
/home/cs/introprogram
To add the directory cs to the user's search path, first type
export PATH=$PATH:/home/cs
and then, to run the program, just type
introprogram
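As an added example (not part of the lab manual), the following Python mimics the shell's PATH search described above and flags PATH entries that other users could abuse to plant a binary under a common command name; the directories and the introprogram stub it creates under a temporary directory are constructed stand-ins for /home/cs.

```python
import os
import stat
import tempfile


def resolve_command(name, path):
    """Mimic how the shell locates a bare command name: walk the PATH entries
    left to right and return the first regular, executable file called `name`,
    or None. A name containing '/' (such as ./introprogram) is never searched
    for in PATH; it is used as a path directly."""
    if "/" in name:
        return name if os.path.isfile(name) and os.access(name, os.X_OK) else None
    for entry in path.split(os.pathsep):
        directory = entry or "."        # an empty PATH entry means "current directory"
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def risky_path_entries(path):
    """Return (entry, reason) pairs for PATH entries that let someone else decide
    which binary runs when you type a command name: relative entries (resolved
    against whatever directory you happen to be in) and directories that other
    users can write to (they could drop their own 'ls' or 'introprogram' there)."""
    findings = []
    for entry in path.split(os.pathsep):
        if not entry or not os.path.isabs(entry):
            findings.append((entry, "relative entry"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except FileNotFoundError:
            findings.append((entry, "does not exist"))
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "writable by group/others"))
    return findings


def demo():
    """Constructed scenario: introprogram lives in a private directory (standing in
    for /home/cs) and is only found once that directory is appended to PATH."""
    base = tempfile.mkdtemp()
    home_cs = os.path.join(base, "cs")
    os.mkdir(home_cs)
    os.chmod(home_cs, 0o755)
    prog = os.path.join(home_cs, "introprogram")
    with open(prog, "w") as fh:
        fh.write("#!/bin/sh\necho introprogram\n")
    os.chmod(prog, 0o755)
    shared = os.path.join(base, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)           # world-writable, like an unprotected scratch dir
    system_path = "/usr/bin" + os.pathsep + "/bin"
    before = resolve_command("introprogram", system_path)
    after = resolve_command("introprogram", system_path + os.pathsep + home_cs)
    risky = risky_path_entries("." + os.pathsep + shared + os.pathsep + home_cs)
    return before, after == prog, [reason for _, reason in risky]


if __name__ == "__main__":
    print(demo())   # (None, True, ['relative entry', 'writable by group/others'])
```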
Exercises for lab:
Exercise 1:- Write a C program that displays your name and registration number using the vim editor
Exercise 2:- Compile the program using the default output file name a.out
Exercise 3:- Debug the program using the ddd debugger.
Home Work:
1) Go to the manual pages of gcc and g++ and find the difference between them
2) Practice the different options available with gcc talked about in gcc's manual page.
To understand the Basic Linux Networking 1
Lab No. 12: Linux Networking 1
Objective:
To familiarize students with interface configuration, activation/deactivation and virtual interfaces
Scope:
The students would be able to do the following at the end of this lab:
• Find all the interfaces available on the system
• List the active interfaces.
• Configure TCP/IP options for an interface.
• Configure an interface for automatic configuration via a DHCP or bootp server.
• Create virtual interfaces and use a single NIC for multiple networks at a time.
Exercise-1:- This exercise illustrates how to determine your IP address
Most modern PCs come with an Ethernet port. When Linux is installed, this device is called eth0. You
can determine the IP address of this device with the ifconfig command.
[root@tmp]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:08:C7:10:74:A8
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47379 errors:0 dropped:0 overruns:0 frame:0
TX packets:107900 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:4676853 (4.4 Mb) TX bytes:43209032 (41.2 Mb)
Interrupt:11 Memory:c887a000-c887b000
[root@tmp]#
In this example, eth0 has an IP address of 192.168.1.100 and a subnet mask of 255.255.255.0. This
command also gives useful information on the interrupt, or PCI bus ID, used by the card.
Exercise-2:- This exercise demonstrates how to change your IP address
You can give the eth0 interface an IP address using the ifconfig command:
[root@tmp]# ifconfig eth0 10.0.0.1 netmask 255.255.255.0 up
The "up" at the end of the command activates the interface. To make this permanent each time you boot
up, you'll have to add this command to your /etc/rc.local file, which is run at the end of every reboot.
Exercise-3:- This exercise demonstrates how to assign multiple IP addresses to a single NIC
A virtual subinterface is also known as an IP alias. IP aliasing is one of the most common ways of
creating multiple IP addresses associated with a single NIC. Aliases have the name format
parent-interface-name:X, where X is the sub-interface number of your choice.
The process for creating an IP alias is very similar to the steps outlined for the real interface in the
previous section, "Changing Your IP Address":
First ensure the parent real interface exists.
Verify that no other IP alias exists with the name you plan to use. In this case we want
to create interface eth0:0.
Exercise-4:- This exercise demonstrates how to create the virtual interface with the ifconfig command
[root@tmp]# ifconfig eth0:0 192.168.1.99 netmask 255.255.255.0 up
Exercise-5:- This exercise demonstrates How to Activate/Shut Down Your NIC
The ifup and ifdown commands can be used respectively to activate and deactivate a NIC interface. You
must have an ifcfg file in the /etc/sysconfig/network-scripts directory for these commands to work. Here
is an example for interface eth0:
[root@bigboy tmp]# ifdown eth0
[root@bigboy tmp]# ifup eth0
Exercises for lab:
Exercise 1:- Check the IP address of network interface.
Exercise 2:- Assign the IP address to your Ethernet interface manually and also configure it to be
assigned automatically at startup.
Home Work:
1) Create configuration files for virtual interfaces eth0:0 and wlan0:0 with the following
configurations
• The Ethernet interface has a static IP on network 192.168.0.0 and starts at boot time
• The wireless LAN interface gets its IP from a DHCP server. The interface is disabled by default.
To understand the Basic Linux Networking 2
Lab No. 13: Linux Networking 2
Objective:
To familiarize students with how a Linux server can be used as a router
Scope:
The students would be able to do the following at the end of this lab:
• Configure the default gateway for the Linux router.
• Add/Delete static routes to the Linux router.
Useful Concepts:
Router
• The node in the internetwork which connects two homogeneous networks.
Internetwork
• A network that is built up of networks.
Exercise-1:- This exercise demonstrates how to view your current routing table
The netstat -nr command will display the contents of the routing table. Networks with a gateway of
0.0.0.0 are usually directly connected to the interface. No gateway is needed to reach your own directly
connected interface, so a gateway address of 0.0.0.0 seems appropriate. The route with a destination
address of 0.0.0.0 is your default gateway.
In the following example there are two gateways, the default and the one to 255.255.255.255 which is
usually added on DHCP servers. It is a DHCP server in this case.
[root@tmp]# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
255.255.255.255 0.0.0.0 255.255.255.255 UH 40 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 wlan0
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 192.168.1.1 0.0.0.0 UG 40 0 0 wlan0
[root@tmp]#
In this example, there are multiple gateways handling traffic destined for different networks on different
interfaces.
[root@tmp]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
172.16.68.64    172.16.69.193   255.255.255.224 UG    40  0      0    eth1
172.16.11.96    172.16.69.193   255.255.255.224 UG    40  0      0    eth1
172.16.68.32    172.16.69.193   255.255.255.224 UG    40  0      0    eth1
172.16.67.0     172.16.67.135   255.255.255.224 UG    40  0      0    eth0
172.16.69.192   0.0.0.0         255.255.255.192 U     40  0      0    eth1
172.16.67.128   0.0.0.0         255.255.255.128 U     40  0      0    eth0
172.160.0       172.16.67.135   255.255.0.0     UG    40  0      0    eth0
172.16.0.0      172.16.67.131   255.240.0.0     UG    40  0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     40  0      0    lo
[root@tmp]#
Exercise-2:- This exercise demonstrates how to change your default gateway
Your server needs to have a single default gateway. DHCP servers will automatically assign a default
gateway to DHCP configured NICs, but NICs with configured static IP addresses will need to have a
manually configured default gateway. This can be done with a simple command:
[root@tmp]# route add default gw 192.168.1.1 eth0
In this case, make sure that the router/firewall with IP address 192.168.1.1 is connected to the same
network as interface eth0!
Once done, you'll need to update your /etc/sysconfig/network file to reflect the change. This file is used to
configure your default gateway each time Linux boots.
NETWORKING=yes
HOSTNAME=bigboy
GATEWAY=192.168.1.1
Exercise-3:- This exercise demonstrates how to configure two gateways
Some networks may have multiple router/firewalls providing connectivity. Here's a typical scenario:
• You have one router providing access to the Internet that you'd like to have as your default gateway (see
the default gateway example earlier).
• You also have another router providing access to your corporate network using addresses in the range
10.0.0.0 to 10.255.255.255. Let's assume that this router has an IP address of 192.168.1.254.
• The Linux box used in this example uses interface wlan0 for its Internet connectivity.
There are a number of ways to add this new route.
Exercise-4:- This exercise demonstrates how to add temporary and permanent static routes
The route add command can be used to add new routes to your server that will last till the next reboot. In
our example the reference to the 10.0.0.0 network has to be preceded with a -net switch and the subnet
mask and gateway values also have to be preceded by the netmask and gw switches respectively.
[root@tmp]# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 wlan0
If you wanted to add a route to an individual server, then the "-host" switch would be used with no
netmask value. (The route command automatically knows the mask should be 255.255.255.255). Here is an
example for a route to host 10.0.0.1.
[root@tmp]# route add -host 10.0.0.1 gw 192.168.1.254 wlan0
A universal way of making this change persistent after a reboot would be to place this route add command
in the file /etc/rc.d/rc.local, which is always run at the end of the booting process.
In Fedora Linux, permanent static routes are added on a per interface basis in files located in the
/etc/sysconfig/network-scripts directory. The filename format is route-interface-name, so the filename for
interface wlan0 would be route-wlan0. The format of the file is quite intuitive, with the target network
coming in the first column followed by the word via and then the gateway's IP address. In our routing
example, to set up a route to network 10.0.0.0 with a subnet mask of 255.0.0.0 (a mask with the first 8 bits
set to 1) via the 192.168.1.254 gateway, we would have to configure the file
/etc/sysconfig/network-scripts/route-wlan0 to look like this:
#
# File /etc/sysconfig/network-scripts/route-wlan0
#
10.0.0.0/8 via 192.168.1.254
Exercise-5:- This exercise demonstrates how to delete a route
Here's how to delete the routes added in the previous section.
[root@tmp]# route del -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 wlan0
The file /etc/sysconfig/network-scripts/route-wlan0 will also have to be updated so that when you reboot
the server will not reinsert the route. Delete the line that reads:
10.0.0.0/8 via 192.168.1.254
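An added Python example, not from the lab manual, that models the routing decisions of Exercises 1, 4 and 5 together: it parses the wlan0 netstat -nr listing from Exercise 1, performs the kernel's longest-prefix-match lookup (which is why a 0.0.0.0 destination acts as the default gateway), and mirrors the route add / route del commands. The table text is the lab's own sample embedded as a constructed string; the 10.0.0.0/8 route via 192.168.1.254 is the lab's corporate-network example.

```python
import ipaddress

# Constructed sample: the wlan0 routing table shown in Exercise 1, as printed
# by 'netstat -nr' (DHCP-server host route, local subnet, loopback, default).
NETSTAT_NR = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH    40  0      0    wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     40  0      0    wlan0
127.0.0.0       0.0.0.0         255.0.0.0       U     40  0      0    lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    40  0      0    wlan0
"""


def parse_netstat_nr(text):
    """Turn 'netstat -nr' output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have 8 columns and start with a dotted-quad destination.
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue
        dest, gateway, genmask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[7]
        routes.append({
            "network": ipaddress.IPv4Network((dest, genmask)),
            # Gateway 0.0.0.0 means "directly connected": no next hop needed.
            "gateway": None if gateway == "0.0.0.0" else ipaddress.IPv4Address(gateway),
            "flags": flags,
            "iface": iface,
        })
    return routes


def add_route(routes, dest, genmask, gateway, iface):
    """Model 'route add -net DEST netmask GENMASK gw GATEWAY IFACE'; a /32 mask
    is what 'route add -host' implies. Refuses duplicates, as the kernel does."""
    network = ipaddress.IPv4Network((dest, genmask))
    if any(r["network"] == network and r["iface"] == iface for r in routes):
        raise ValueError(f"route to {network} on {iface} already exists")
    flags = "U" + ("G" if gateway else "") + ("H" if network.prefixlen == 32 else "")
    routes.append({
        "network": network,
        "gateway": ipaddress.IPv4Address(gateway) if gateway else None,
        "flags": flags,
        "iface": iface,
    })


def del_route(routes, dest, genmask, iface):
    """Model 'route del -net DEST netmask GENMASK IFACE'."""
    network = ipaddress.IPv4Network((dest, genmask))
    before = len(routes)
    routes[:] = [r for r in routes if not (r["network"] == network and r["iface"] == iface)]
    if len(routes) == before:
        raise ValueError(f"no route to {network} on {iface}")


def lookup(routes, address):
    """Pick the route the kernel would use for `address`: the matching entry with
    the longest prefix wins, so the 0.0.0.0/0 default only applies when nothing
    more specific matches. Returns (next_hop, iface, network) or None, where
    next_hop is 'direct' for a directly connected network."""
    target = ipaddress.IPv4Address(address)
    best = None
    for route in routes:
        if target in route["network"]:
            if best is None or route["network"].prefixlen > best["network"].prefixlen:
                best = route
    if best is None:
        return None          # the "Destination Network Unreachable" case
    next_hop = "direct" if best["gateway"] is None else str(best["gateway"])
    return next_hop, best["iface"], str(best["network"])


if __name__ == "__main__":
    table = parse_netstat_nr(NETSTAT_NR)
    print(lookup(table, "10.0.0.1"))      # ('192.168.1.1', 'wlan0', '0.0.0.0/0')
    add_route(table, "10.0.0.0", "255.0.0.0", "192.168.1.254", "wlan0")
    print(lookup(table, "10.0.0.1"))      # ('192.168.1.254', 'wlan0', '10.0.0.0/8')
```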
Exercises for lab:
Exercise 1:- View the current routing table of Linux server.
Exercise 2:- Configure default gateway for the router.
Exercise 3:- Add static routes to the router.
Exercise 4:- Delete static routes from the router.
Home Work:
1) Differentiate between a gateway and a router.
2) Why do we need a default gateway?
To understand simple Network Troubleshooting
Lab No. 14: Network troubleshooting
Objective:
To give the students an introduction to the main causes of network related problems.
Scope:
At the end of this lab students will be able to fix a network related problem which takes the form of either
slow response times from the remote server, or a complete lack of connectivity.
Useful Concepts:
Sources of Network Slowness
• NIC duplex and speed incompatibilities
• Network congestion
• Poor routing
• Bad cabling
• Electrical interference
• An overloaded server at the remote end of the connection
• Mis-configured DNS
Sources of a Lack of Connectivity
• Severe sources of slowness
• Power failures
• The remote server, or an application on the remote server, being shut down.
Exercise-1:- This exercise illustrates basic cable and link tests
Your server won't be able to communicate with any other device on your network unless the NIC's "link"
light is on. This indicates that the connection between your server and the switch/router is functioning
correctly.
In most cases a lack of link is due to the wrong cable type being used. There are two types of Ethernet
cables: crossover and straight-through. Always make sure you are using the correct type.
Other sources of link failure include:
The cables are bad.
The switch or router to which the server is connected is powered down.
The cables aren't plugged in properly.
If you have an extensive network, investment in a battery-operated cable tester for basic connectivity
testing is invaluable. More sophisticated models in the market will be able to tell you the approximate
location of a cable break and whether an Ethernet cable is too long to be used.
Exercise-2:- This exercise demonstrates testing your NIC
Your NICs are labeled as eth0, eth1 etc. for Ethernet NICs and wlan0, wlan1 etc. for wireless LAN cards,
where 0 and 1 represent the first and second NIC respectively.
To view your activated interfaces, use the ifconfig command, type:
ifconfig
To view all interfaces, whether they are functional or not, use the ifconfig -a command, type:
ifconfig -a
Shut Down Interface (note the missing IP address and the missing UP flag on the second line):
eth0 Link encap:Ethernet HWaddr 00:06:25:08:6A:1D
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:2924 errors:0 dropped:0 overruns:0 frame:0
TX packets:2287 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:180948 (176.7 Kb) TX bytes:166377 (162.4 Kb)
Interrupt:10 Memory:c88b5000-c88b6000
Active Interface
eth0 Link encap:Ethernet HWaddr 00:06:25:08:6A:1D
inet addr:192.168.0.69 Bcast:192.168.0.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2924 errors:0 dropped:0 overruns:0 frame:0
TX packets:2295 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:180948 (176.7 Kb) TX bytes:166521 (162.6 Kb)
Interrupt:10 Memory:c88b5000-c88b6000
Note that DHCP clients automatically give their NICs an IP address starting with 169.254.x.x until they
can make contact with their DHCP server. When contact is made they reconfigure their IP addresses to
the values provided by the DHCP server. An interface with a 169.254.x.x address signifies a failure to
communicate with the DHCP server.
Check your cabling, routing and DHCP server configuration to rectify such a problem.
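An added Python example (not the manual's code) that applies the checks from this exercise to ifconfig -a output: it reads each interface block, then reports interfaces that are shut down (no UP flag) or that are stuck on a 169.254.x.x address because the DHCP server could not be reached. The sample output is constructed from the two eth0 listings above plus an invented eth1, wlan0 and lo.

```python
import ipaddress
import re

# Constructed 'ifconfig -a' output: the lab's active and shut-down eth0 listings
# (renamed eth0/eth1), a wlan0 that fell back to a 169.254.x.x address, and lo.
IFCONFIG_A = """\
eth0      Link encap:Ethernet  HWaddr 00:06:25:08:6A:1D
          inet addr:192.168.0.69  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2924 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2295 errors:0 dropped:0 overruns:0 carrier:0

eth1      Link encap:Ethernet  HWaddr 00:06:25:08:6A:1E
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:2924 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2287 errors:0 dropped:0 overruns:0 carrier:0

wlan0     Link encap:Ethernet  HWaddr 00:06:25:09:6A:D7
          inet addr:169.254.37.12  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# The range DHCP clients fall back to when no server answers.
LINK_LOCAL = ipaddress.IPv4Network("169.254.0.0/16")


def parse_ifconfig(text):
    """Split 'ifconfig -a' output into {name: (is_up, ipv4_or_None, mask_or_None)}.
    Interface blocks start in column 0; their detail lines are indented."""
    interfaces = {}
    for block in re.split(r"\n(?=\S)", text.strip()):
        name = block.split()[0]
        addr = re.search(r"inet addr:(\S+)", block)
        mask = re.search(r"Mask:(\S+)", block)
        # The flag line is a run of upper-case words ending at "MTU:",
        # e.g. "UP BROADCAST RUNNING MULTICAST  MTU:1500".
        flag_line = re.search(r"^\s*((?:[A-Z]+\s+)+)MTU:", block, re.M)
        flags = flag_line.group(1).split() if flag_line else []
        interfaces[name] = ("UP" in flags,
                            addr.group(1) if addr else None,
                            mask.group(1) if mask else None)
    return interfaces


def classify(interfaces):
    """Map each interface to a troubleshooting verdict, following the lab's rules:
    no UP flag -> the interface is shut down; a 169.254.x.x address -> the DHCP
    client never reached its server; UP with no address -> not configured yet."""
    verdicts = {}
    for name, (is_up, addr, _mask) in interfaces.items():
        if not is_up:
            verdicts[name] = "down"
        elif addr is None:
            verdicts[name] = "no address"
        elif ipaddress.IPv4Address(addr) in LINK_LOCAL:
            verdicts[name] = "dhcp failed"
        else:
            verdicts[name] = "ok"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify(parse_ifconfig(IFCONFIG_A)).items():
        print(f"{name}: {verdict}")
```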
Exercise-3:- This exercise demonstrates how to test link status from the command line
Both the mii-tool and ethtool commands will provide reports on the link status and duplex settings
for supported NICs.
When used without any switches, mii-tool gives a very brief report. Use it with the -v switch because
it provides more information on the supported auto-negotiation speeds of the NIC, and this can be useful
in troubleshooting speed and duplex issues.
The ethtool command provides much more information than mii-tool and should be your command of
choice, especially because mii-tool will be soon deprecated in Linux. In both of the following examples
the NICs are operating at 100Mbps, full duplex and the link is ok.
Link Status Output from mii-tool
[root@bigboy tmp]# mii-tool -v
eth0: 100 Mbit, full duplex, link ok
product info: Intel 82555 rev 4
basic mode: 100 Mbit, full duplex
basic status: link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-HD
[root@bigboy tmp]#
Link Status Output from ethtool
[root@bigboy tmp]# ethtool eth0
Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: No
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: off
Supports Wake-on: g
Wake-on: g
Current message level: 0x00000007 (7)
Link detected: yes
[root@bigboy tmp]#
Viewing NIC Errors
Errors are a common symptom of slow connectivity due to poor configuration or excessive bandwidth
utilization. They should always be corrected whenever possible.
Error rates in excess of 0.5% can result in noticeable sluggishness.
Ifconfig Error Output
The ifconfig command also shows the number of overrun, carrier, dropped packet and frame errors.
wlan0 Link encap:Ethernet HWaddr 00:06:25:09:6A:D7
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:2924 errors:0 dropped:0 overruns:0 frame:0
TX packets:2287 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:180948 (176.7 Kb) TX bytes:166377 (162.4 Kb)
Interrupt:10 Memory:c88b5000-c88b6000
ethtool Error Output
The ethtool command can provide a much more detailed report when used with the -S switch.
[root@probe-001 root]# ethtool -S eth0
NIC statistics:
rx_packets: 1669993
tx_packets: 627631
rx_bytes: 361714034
tx_bytes: 88228145
rx_errors: 0
tx_errors: 0
rx_dropped: 0
tx_dropped: 0
multicast: 0
collisions: 0
rx_length_errors: 0
rx_over_errors: 0
rx_crc_errors: 0
rx_frame_errors: 0
rx_fifo_errors: 0
rx_missed_errors: 0
tx_aborted_errors: 0
tx_carrier_errors: 0
tx_fifo_errors: 0
tx_heartbeat_errors: 0
tx_window_errors: 0
tx_deferred: 0
tx_single_collisions: 0
tx_multi_collisions: 0
tx_flow_control_pause: 0
rx_flow_control_pause: 0
rx_flow_control_unsupported: 0
tx_tco_packets: 0
rx_tco_packets: 0
[root@probe-001 root]#
netstat Error Output
The netstat command is very versatile and can provide a limited report when used with the -i switch. This
is useful for systems where mii-tool or ethtool are not available.
[root@bigboy tmp]# netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 18976655 2 0 0 21343152 142 0 3 BMRU
eth1 1500 0 855154 0 0 0 15196620 0 0 0 BMRU
lo 16436 0 1784272 0 0 0 1784272 0 0 0 LRU
[root@bigboy tmp]#
Possible Causes of Ethernet Errors
Collisions: Signifies when the NIC card detects itself and another server on the LAN attempting data
transmissions at the same time. Collisions can be expected as a normal part of Ethernet operation and are
typically below 0.1% of all frames sent. Higher error rates are likely to be caused by faulty NIC cards or
poorly terminated cables.
Single Collisions: The Ethernet frame went through after only one collision
Multiple Collisions: The NIC had to attempt multiple times before successfully sending the frame due to
collisions.
CRC Errors: Frames were sent but were corrupted in transit. The presence of CRC errors, but not many
collisions, usually is an indication of electrical noise. Make sure that you are using the correct type of
cable, that the cabling is undamaged and that the connectors are securely fastened.
Frame Errors: An incorrect CRC and a non-integer number of bytes are received. This is usually the result
of collisions or a bad Ethernet device.
FIFO and Overrun Errors: The number of times that the NIC was unable to hand data to its memory
buffers because the data rate exceeded the capabilities of the hardware. This is usually a sign of excessive
traffic.
Length Errors: The received frame length was less than or exceeded the Ethernet standard. This is most
frequently due to incompatible duplex settings.
Carrier Errors: Errors are caused by the NIC card losing its link connection to the hub or switch. Check
for faulty cabling or faulty interfaces on the NIC and networking equipment.
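An added Python example, not from the lab manual, that turns the error counters above into the percentages the text talks about: it parses netstat -i output and flags any interface whose receive or transmit error plus overrun rate exceeds 0.5%, and parses ethtool -S output to compute the collision rate against the 0.1% rule of thumb. Both samples are constructed from the listings above, with an invented eth2 row and an invented collision count added so that something trips the thresholds.

```python
# Constructed 'netstat -i' output: the three rows from this lab plus an eth2
# row with a clearly unhealthy receive error count.
NETSTAT_I = """\
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 18976655      2      0      0 21343152    142      0      3 BMRU
eth1   1500   0   855154      0      0      0 15196620      0      0      0 BMRU
eth2   1500   0   120000    900     10      0   100000      0      0      0 BMRU
lo    16436   0  1784272      0      0      0  1784272      0      0      0 LRU
"""

# Constructed 'ethtool -S' excerpt: the lab's packet counts with an invented
# collision count high enough to matter.
ETHTOOL_S = """\
NIC statistics:
     rx_packets: 1669993
     tx_packets: 627631
     rx_errors: 0
     tx_errors: 0
     collisions: 1000
     rx_crc_errors: 0
     rx_frame_errors: 0
     tx_single_collisions: 700
     tx_multi_collisions: 300
"""

ERROR_THRESHOLD = 0.5        # percent; above this the lab expects noticeable sluggishness
COLLISION_THRESHOLD = 0.1    # percent; normal Ethernet operation stays below this

COLUMNS = ["MTU", "Met", "RX-OK", "RX-ERR", "RX-DRP", "RX-OVR",
           "TX-OK", "TX-ERR", "TX-DRP", "TX-OVR"]


def parse_netstat_i(text):
    """Return {iface: {column: int, ...}} from 'netstat -i' output."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 12 or not fields[1].isdigit():
            continue      # title line, header line, or something unexpected
        table[fields[0]] = dict(zip(COLUMNS, map(int, fields[1:11])))
    return table


def percent(bad, good):
    """Error percentage over all frames handled; 0.0 when nothing was sent or received."""
    total = bad + good
    return 100.0 * bad / total if total else 0.0


def noisy_interfaces(text, threshold=ERROR_THRESHOLD):
    """List (iface, direction, percent) for every direction whose error+overrun
    rate is above `threshold`, worst first."""
    findings = []
    for iface, counters in parse_netstat_i(text).items():
        for direction in ("RX", "TX"):
            bad = counters[direction + "-ERR"] + counters[direction + "-OVR"]
            rate = percent(bad, counters[direction + "-OK"])
            if rate > threshold:
                findings.append((iface, direction, round(rate, 3)))
    return sorted(findings, key=lambda f: -f[2])


def parse_ethtool_stats(text):
    """Return {counter: int} from 'ethtool -S' output."""
    stats = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("NIC"):
            key, value = line.split(":", 1)
            stats[key.strip()] = int(value)
    return stats


def collision_rate(stats):
    """Collisions as a percentage of frames transmitted (the lab's 0.1% rule of thumb)."""
    sent = stats.get("tx_packets", 0)
    return round(100.0 * stats.get("collisions", 0) / sent, 3) if sent else 0.0


if __name__ == "__main__":
    print(noisy_interfaces(NETSTAT_I))                       # [('eth2', 'RX', 0.744)]
    rate = collision_rate(parse_ethtool_stats(ETHTOOL_S))
    print(rate, "percent collisions,", "high" if rate > COLLISION_THRESHOLD else "normal")
```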
Exercise-4:- This exercise demonstrates how to view ARP table entries.
The arp -a command will show you the MAC addresses in your server's ARP table and all the other
servers on the directly connected network. Here we see we have some form of connectivity with the router at
address 192.168.0.1
arp -a
bigboypix (192.168.0.1) at 00:09:E8:9C:FD:AB [ether] on etho0
? (192.168.1.101) at 00:06:25:09:6A:D7 [ether] on wlan0
Note: Make sure the IP addresses listed in the ARP table match those of servers expected to be on your
network. If they don't, your server might be plugged into the wrong switch or router port.
You should also check the ARP table of the remote server to see whether it is populated with acceptable
values.
Exercise-5:- This exercise demonstrates how to use ping to test network connectivity
One of the most common methods used to test connectivity across multiple networks is the ping
command. ping sends ICMP echo packets that request a corresponding ICMP echo-reply response from the
device at the target address. Because most servers will respond to a ping query it becomes a very handy
tool. A lack of response could be due to:
1. A server with that IP address doesn't exist
2. The server has been configured not to respond to pings
3. A firewall or router along the network path is blocking ICMP traffic
4. You have incorrect routing. Check the routes and subnet masks on both the local and remote
servers and all routers in between. A classic symptom of bad routes on a server is the ability to
ping servers only on your local network and nowhere else.
Use traceroute to ensure you're taking the correct path.
5. Either the source or destination device having an incorrect IP address or subnet mask.
The Linux ping command will send continuous pings, once a second, until stopped with a Ctrl-C. Here is
an example of a successful ping to the server bigboy at 192.168.1.100
[root@smallfry tmp]# ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101) from 192.168.1.100 : 56(84) bytes of data.
64 bytes from 192.168.1.101: icmp_seq=1 ttl=128 time=3.95 ms
64 bytes from 192.168.1.101: icmp_seq=2 ttl=128 time=7.07 ms
64 bytes from 192.168.1.101: icmp_seq=3 ttl=128 time=4.46 ms
64 bytes from 192.168.1.101: icmp_seq=4 ttl=128 time=4.31 ms
--- 192.168.1.101 ping statistics ---
4 packets transmitted, 4 received, 0% loss, time 3026ms
rtt min/avg/max/mdev = 3.950/4.948/7.072/1.242 ms
[root@smallfry tmp]#
You may get a "Destination Host Unreachable" message. This message is caused by your router or
server knowing that the target IP address is part of a valid network, but getting no response from the target
server. There are a number of reasons for this:
If you are trying to ping a host on a directly connected network:
1. The client or server might be down, or disconnected from the network.
2. Your NIC might not have the correct duplex settings; you may verify this with the mii-tool
command.
3. You might have the incorrect type of cable connecting your Linux box to the network. There
are two basic types, straight through and crossover.
4. In the case of a wireless network, your SSID or encryption keys might be incorrect.
If you are trying to ping a host on a remote network:
The network device doesn't have a route in its routing table to the destination network and sends an ICMP
reply type 3 which triggers the message. The resulting message might be Destination Host Unreachable or
Destination Network Unreachable.
[root@smallfry tmp]# ping 192.168.1.105
PING 192.168.1.105 (192.168.1.105) from 192.168.1.100 : 56(84) bytes of data.
From 192.168.1.100 icmp_seq=1 Destination Host Unreachable
From 192.168.1.100 icmp_seq=2 Destination Host Unreachable
From 192.168.1.100 icmp_seq=3 Destination Host Unreachable
From 192.168.1.100 icmp_seq=4 Destination Host Unreachable
From 192.168.1.100 icmp_seq=5 Destination Host Unreachable
From 192.168.1.100 icmp_seq=6 Destination Host Unreachable
--- 192.168.1.105 ping statistics ---
8 packets transmitted, 0 received, +6 errors, 100% loss, time 7021ms, pipe 3
[root@smallfry tmp]#
Exercise-6:- This exercise demonstrates how to use telnet to test network connectivity
An easy way to tell if a remote server is listening on a specific TCP port is to use the telnet command. By
default, telnet will try to connect on TCP port 23, but you can specify other TCP ports by typing them in
after the target IP address. HTTP uses TCP port 80, HTTPS uses port 443.
Here is an example of testing server 192.168.1.102 on the TCP port 22 reserved for SSH:
[root@bigboy tmp]# telnet 192.168.1.102 22
When using telnet for troubleshooting, here are some useful guidelines to follow that will help to isolate the
source of the problem:
• Test connectivity from the remote PC or server.
• Test connectivity on the server itself. Try making the connection to the loopback address as well as the
NIC IP address. If the server is running a firewall package such as the Linux iptables software, all
loopback connectivity is allowed, but connectivity to desired TCP ports on the NIC interface might be
blocked sometimes.
Further discussion of the Linux iptables package is covered in a later section.
• Test connectivity from another server on the same network as the target server. This helps to eliminate the
influence of any firewalls protecting the entire network from outside.
Linux telnet Troubleshooting
The following sections cover the use of telnet for troubleshooting from a Linux box.
Note: Always remember that many Linux servers have the iptables firewall package installed by default.
This is often the cause of many connectivity problems and the firewall rules should be correctly updated.
In some cases where the network is already protected by a firewall, iptables might be safely turned off.
You can use the /etc/init.d/iptables status command on the target server to determine whether iptables is
running.
Successful Connection
With Linux a successful telnet connection is always greeted by a Connected to message like the one seen
below when trying to test connectivity to server 192.168.1.102 on the SSH port (TCP 22).
[root@bigboy tmp]# telnet 192.168.1.102 22
Trying 192.168.1.102...
Connected to 192.168.1.102.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.4p1
^]
telnet> quit
Connection closed.
[root@bigboy tmp]#
To break out of the connection you have to press the Ctrl and ] keys simultaneously, not the usual Ctrl-C.
Note: In many cases you can successfully connect on the remote server on the desired TCP port, yet the
application doesn't appear to work. This is usually caused by there being correct network connectivity but
a poorly configured application.
Connection Refused Messages
You will get a connection refused message for one of the following reasons:
• The application you are trying to test hasn't been started on the remote server.
• There is a firewall blocking and rejecting the connection attempt.
Here is some sample output:
[root@bigboy tmp]# telnet 192.168.1.100 22
Trying 192.168.1.100...
telnet: connect to address 192.168.1.100: Connection refused
[root@bigboy tmp]#
telnet Timeout or Hanging
The telnet command will abort the attempted connection after waiting a predetermined time for a
response. This is called a timeout. In some cases, telnet won't abort, but will just wait indefinitely. This is
also known as hanging. These symptoms can be caused by one of the following reasons:
• The remote server doesn't exist on the destination network. It could be turned off.
• A firewall could be blocking and not rejecting the connection attempt, causing it to timeout instead of
being quickly refused.
[root@bigboy tmp]# telnet 216.10.100.12 22
Trying 216.10.100.12...
telnet: connect to address 216.10.100.12: Connection timed out
[root@bigboy tmp]#
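An added Python example (not the manual's code) that automates the telnet port check and maps the three outcomes discussed above, Connected, Connection refused and timeout, to a status value, grabbing the service banner when there is one. The local listener it starts is a constructed stand-in for the remote SSH server, so the whole thing runs on the loopback interface without any real remote host or firewall.

```python
import errno
import socket
import threading


def probe_tcp(host, port, timeout=3.0, banner_wait=1.0):
    """Do what 'telnet HOST PORT' does and classify the result.

    Returns (status, banner). status is one of:
      'connected'   - handshake completed: the "Connected to ..." case
      'refused'     - RST came back: nothing listening, or a firewall REJECT rule
      'timed out'   - silence for `timeout` seconds: host off, or a firewall DROP rule
      'unreachable' - no route from here (ICMP host/network unreachable)
    banner is whatever the service said first (e.g. "SSH-1.99-OpenSSH_3.4p1"),
    or "" if it stayed quiet for `banner_wait` seconds.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        try:
            sock.connect((host, port))
        except socket.timeout:
            return "timed out", ""
        except ConnectionRefusedError:
            return "refused", ""
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable", ""
            raise
        sock.settimeout(banner_wait)
        try:
            banner = sock.recv(256).decode("ascii", "replace").strip()
        except OSError:           # includes the recv timeout: the service is silent
            banner = ""
        return "connected", banner
    finally:
        sock.close()


def start_banner_listener(banner=b"SSH-2.0-constructed_demo\r\n"):
    """Constructed stand-in for the remote sshd: listen on a free loopback port,
    greet the first client with `banner`, then go away so the port is closed
    again (the 'Connection refused' case). Returns the port number."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]

    def serve_once():
        conn, _ = server.accept()
        server.close()            # stop listening before answering, so that the
        conn.sendall(banner)      # next probe of this port is refused, not accepted
        conn.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_banner_listener()
    print(probe_tcp("127.0.0.1", port))   # ('connected', 'SSH-2.0-constructed_demo')
    print(probe_tcp("127.0.0.1", port))   # ('refused', '')
```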
Exercise-7:- This exercise demonstrates how to use traceroute to test network connectivity
Another tool for network troubleshooting is the traceroute command. It gives a listing of all the router
hops between your server and the target server. This helps you verify that routing over the networks in
between is correct.
The traceroute command works by sending a UDP packet destined to the target with a TTL of 0. The first
router on the route recognizes that the TTL has already been exceeded and discards or drops the packet,
but also sends an ICMP time exceeded message back to the source. The traceroute program records the IP
address of the router that sent the message and knows that that is the first hop on the path to the final
destination. The traceroute program tries again, with a TTL of 1. The first hop sees nothing wrong with the
packet, decrements the TTL to 0 as expected, and forwards the packet to the second hop on the path.
Router 2 sees the TTL of 0, drops the packet and replies with an ICMP time exceeded message. traceroute
now knows the IP address of the second router. This continues around and around until the final
destination is reached.
Note: In Linux the traceroute command is traceroute. In Windows it is tracert.
Note: You will receive traceroute responses only from functioning devices. If a device responds it is less
likely to be the source of your problems.
Sample traceroute Output
Here is a sample output for a query to 144.232.20.158. Notice that all the hop times are
under 50 milliseconds (ms) which is acceptable.
[root@bigboy tmp]# traceroute -I 144.232.20.158
traceroute to 144.232.20.158 (144.232.20.158), 30 hops max, 38 byte packets
1 adsl-67-120-221-110.dsl.sntc01.pacbell.net (67.120.221.110) 14.408 ms 14.064 ms 13.111 ms
2 dist3-vlan50.sntc01.pbi.net (63.203.35.67) 13.018 ms 12.887 ms 13.146 ms
3 bb1-g1-0.sntc01.pbi.net (63.203.35.17) 12.854 ms 13.035 ms 13.745 ms
4 bb2-p11-0.snfc21.pbi.net (64.161.124.246) 16.260 ms 15.618 ms 15.663 ms
5 bb1-p14-0.snfc21.pbi.net (64.161.124.53) 15.897 ms 15.785 ms 17.164 ms
6 sl-gw11-sj-3-0.sprintlink.net (144.228.44.49) 14.443 ms 16.279 ms 15.189 ms
7 sl-bb25-sj-6-1.sprintlink.net (144.232.3.133) 16.185 ms 15.857 ms 15.423 ms
8 sl-bb23-ana-6-0.sprintlink.net (144.232.20.158) 27.482 ms 26.306 ms 26.487 ms
[root@bigboy tmp]#
Possible traceroute Messages
There are a number of possible message codes traceroute can give; these are listed in the table below.
Traceroute Symbol  Description
***                Expected 5 second response time exceeded. Could be caused by:
                   • A router on the path not sending back the ICMP "time exceeded" messages
                   • A router or firewall in the path blocking the ICMP "time exceeded" messages
                   • The target IP address not responding
!H, !N, or !P      Host, network or protocol unreachable
!X or !A           Communication administratively prohibited. A router Access Control List (ACL)
                   or firewall is in the way
!S                 Source route failed. Source routing attempts to force traceroute to use a certain
                   path. Failure might be due to a router security setting
Exercise-8:- This exercise illustrates how to use MTR to detect network congestion
Matt's Traceroute is an application you can use to do a repeated traceroute in real time; it dynamically
shows the round-trip time to reach each hop along the traceroute path. The constant updates enable you
not only to visually determine which hops are slow, but also to determine when they appear to be slow. It
is a good tool to use whenever you suspect there is some intermittent network congestion.
You type in the word mtr followed by the target IP address to get output similar to the following:
[root@bigboy tmp]# mtr 192.168.25.26
Matt's traceroute [v0.52]
Bigboy                                          Fri Feb 20 17:19:17 2004
Keys: D - Display mode R - Restart statistics Q - Quit
                                  Packets               Pings
Hostname                         %Loss  Rcv  Snt  Last Best  Avg  Worst
 1. 192.168.1.1                    0%    17   17    32   10   15    32
 2. 192.168.2.254                  0%    17   17    12   11   18    41
 3. 192.168.3.15                   0%    17   17    23   14   18    25
 4. 192.168.18.35                  0%    16   16    24   23   29    42
 5. 192.168.25.26                  0%    16   16    23   21   26    37
^C
[root@bigboy tmp]#
One of the nice features of MTR is that it gives you the best, worst and average round-trip times in milliseconds for the probe packets between each hop along the way to the final destination. The advantage of this is that you can let MTR run for an extended period of time, acting as a constant monitor of communication path quality. The constant refreshing of the screen also enables you to instantaneously spot transient changes in quality fairly easily, making it much more convenient than a regular traceroute.
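As an added illustration (not part of the original manual), the following Python script parses a constructed mtr report in the layout shown above and flags hops whose loss or latency point to congestion. It also separates real loss from the common false alarm where a middle hop rate-limits its ICMP replies; the thresholds are assumptions you would tune for your own path.

```python
import re

# Constructed mtr report in the layout shown above; hops 4 and 5 have been
# given the loss and latency of a congested link (constructed sample).
SAMPLE_MTR = """\
                                  Packets               Pings
Hostname                         %Loss  Rcv  Snt  Last Best  Avg  Worst
 1. 192.168.1.1                    0%    17   17    32   10   15    32
 2. 192.168.2.254                  0%    17   17    12   11   18    41
 3. 192.168.3.15                   0%    17   17    23   14   18    25
 4. 192.168.18.35                  6%    16   17   240  120  180   310
 5. 192.168.25.26                  6%    16   17   245  125  185   320
"""

HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\.\s+(?P<host>\S+)\s+(?P<loss>\d+)%\s+(?P<rcv>\d+)\s+(?P<snt>\d+)"
    r"\s+(?P<last>\d+)\s+(?P<best>\d+)\s+(?P<avg>\d+)\s+(?P<worst>\d+)\s*$"
)


def parse_mtr(report):
    """Turn the hop lines of an mtr screen into dicts; banner and header lines are skipped."""
    hops = []
    for line in report.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({k: (v if k == "host" else int(v)) for k, v in m.groupdict().items()})
    return hops


def find_congestion(hops, jump_ms=50, jitter_ratio=4.0, loss_pct=1):
    """Flag hops whose numbers look like congestion rather than normal variation.

    Loss that shows up at one hop but not at the final hop is usually that
    router rate-limiting its ICMP replies, not packets being lost on the path,
    so it is reported with a different wording. Thresholds are assumptions.
    """
    findings = []
    final_loss = hops[-1]["loss"] if hops else 0
    prev_avg = 0
    for h in hops:
        reasons = []
        if h["loss"] >= loss_pct:
            if final_loss >= loss_pct:
                reasons.append(f"{h['loss']}% loss, also seen at the destination")
            else:
                reasons.append(f"{h['loss']}% loss not seen at the destination (ICMP rate limiting?)")
        jump = h["avg"] - prev_avg
        if jump >= jump_ms:
            reasons.append(f"average latency jumps by {jump} ms at this hop")
        if h["best"] and h["worst"] / h["best"] >= jitter_ratio:
            reasons.append(f"worst/best ratio {h['worst'] / h['best']:.1f} (jitter)")
        if reasons:
            findings.append((h["hop"], h["host"], reasons))
        prev_avg = h["avg"]
    return findings


if __name__ == "__main__":
    for hop, host, reasons in find_congestion(parse_mtr(SAMPLE_MTR)):
        print(f"hop {hop} {host}: " + "; ".join(reasons))
```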
Exercise-9:- This exercise demonstrates how to view packet flows with tcpdump
The tcpdump command is one of the most popular packages for viewing the flow of packets through your Linux box's NIC. It is installed by default on RedHat/Fedora Linux and has very simple syntax, especially if you are doing simpler types of troubleshooting.
One of the most common uses of tcpdump is to determine whether you are getting basic two-way communication. Lack of communication could be due to the following:
Bad routing
Faulty cables, interfaces or devices in the packet flow
The server not listening on the port because the software isn't installed or started
A network device in the packet path is blocking traffic; common culprits are firewalls, routers with access control lists and even your Linux box running iptables.
Analyzing tcpdump in much greater detail is beyond the scope of this section.
Like most Linux commands, tcpdump uses command-line switches to modify the output. Some of the more useful command-line switches are listed in the table below.
tcpdump command switch   Description
-c                       Stop after viewing count packets.
-i                       Listen on interface. If this is not specified, then the command will use the lowest numbered interface that is UP
-w                       Dump the output to a specially formatted tcpdump dump file
-C                       Specifies the size the dump file must reach before a new one with a numeric extension is created.
-t                       Don't print a timestamp at the beginning of each line
You can also add expressions after all the command-line switches. These act as filters to limit the volume of data presented on the screen. You can also use keywords such as and, or between expressions to further fine-tune your selection criteria. Some useful expressions are listed in the table below.
tcpdump command expression   Description
host host-address            View packets from the IP address host-address
icmp                         View ICMP packets
tcp port port-number         View TCP packets with either a source or destination TCP port of port-number
udp port port-number         View UDP packets with either a source or destination UDP port of port-number
The following is an example of tcpdump being used to view ICMP ping packets going through interface
wlan0:
[root@bigboy tmp]# tcpdump -i wlan0 icmp
tcpdump: listening on wlan0
21:48:58.927091 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.927510 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.928257 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.928365 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.943926 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.944034 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.962244 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.963966 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.968556 bigboy.my-site.com > smallfry: icmp: echo reply
9 packets received by filter
0 packets dropped by kernel
[root@bigboy tmp]#
In this example:
The first column of data is a packet timestamp.
The second column of data shows the packet source and then the destination IP address or server name
of the packet.
The third column shows the packet type.
Two-way communication is occurring as each echo gets an echo reply.
The following example shows tcpdump being used to view packets on interface wlan0 to/from host
192.168.1.102 on TCP port 22 with no timestamps in the output (-t switch).
[root@bigboy tmp]# tcpdump -i wlan0 -t host 192.168.1.102 and tcp port 22
tcpdump: listening on wlan0
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 2013297021 win 0 (DF) [tos 0x10]
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp 7
7 packets received by filter
0 packets dropped by kernel
[root@bigboy tmp]#
In this example:
The first column of data shows the packet source and then the destination IP address or server name of the packet.
The second column shows the TCP flags within the packet.
The client named bigboy is using port 32938 to communicate with the server named smallfry on the TCP SSH port 22.
Two-way communication is occurring.
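As an added example that is not part of the original manual, this Python script reads constructed captures in the two tcpdump formats shown above and turns them into a diagnosis: for ICMP it counts echo requests that never got a reply, and for TCP it classifies the server's answer to each SYN, since an R (RST) reply like the one in the listing above means the host was reached but nothing accepted the port, while no answer at all points to routing, cabling or a silently dropping firewall.

```python
import re

# Constructed captures in the classic tcpdump output format used in this
# exercise: a timestamped ICMP capture and a TCP capture taken with -t.
# The ICMP sample has two pings that never got a reply; the TCP sample shows
# the SYN / RST pattern from the second listing above.
ICMP_CAPTURE = """\
21:48:58.927091 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.927510 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.928257 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:59.943926 smallfry > bigboy.my-site.com: icmp: echo request (DF)
3 packets received by filter
"""

TCP_CAPTURE = """\
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK>
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 2013297021 win 0 (DF) [tos 0x10]
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK>
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
"""

TIMESTAMP = r"(?:\d\d:\d\d:\d\d\.\d+\s+)?"      # missing when tcpdump runs with -t
ICMP_RE = re.compile(TIMESTAMP + r"(?P<src>\S+) > (?P<dst>\S+): icmp: echo (?P<kind>request|reply)")
TCP_RE = re.compile(TIMESTAMP + r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRPFW.]+) (?P<rest>.*)$")


def analyze_icmp(capture):
    """Count echo requests and replies per (pinger, target) pair.

    Every request should be matched by a reply flowing the other way; a
    non-zero 'unanswered' count is the one-way-communication symptom the
    exercise describes (blocked, routed away, or the target is down).
    """
    flows = {}
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue                      # summary lines, other protocols
        if m["kind"] == "request":
            key = (m["src"], m["dst"])
            flows.setdefault(key, [0, 0])[0] += 1
        else:
            key = (m["dst"], m["src"])    # a reply travels target -> pinger
            flows.setdefault(key, [0, 0])[1] += 1
    return {k: {"requests": req, "replies": rep, "unanswered": req - rep}
            for k, (req, rep) in flows.items()}


def analyze_tcp(capture):
    """Classify how the server side treated the client's connection attempts."""
    syn = syn_ack = rst = 0
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue
        flags, rest = m["flags"], m["rest"]
        if "S" in flags and " ack " in rest:
            syn_ack += 1                  # SYN-ACK: the handshake is proceeding
        elif "S" in flags:
            syn += 1                      # client SYN
        elif "R" in flags:
            rst += 1                      # RST: reached the host, refused
    if syn_ack:
        verdict = "handshake answered: the service is listening"
    elif rst:
        verdict = "RST received: host reachable but nothing accepting the port (not started, or rejected)"
    elif syn:
        verdict = "SYNs unanswered: routing, cabling or a silently dropping firewall"
    else:
        verdict = "no connection attempts seen"
    return {"syn": syn, "syn_ack": syn_ack, "rst": rst, "verdict": verdict}


if __name__ == "__main__":
    print(analyze_icmp(ICMP_CAPTURE))
    print(analyze_tcp(TCP_CAPTURE)["verdict"])
```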
Analyzing tcpdump files
By using the -w filename option you can send the entire Ethernet frame, not just the brief IP information that normally goes to the screen, to a file. This can then be analyzed by graphical analysis tools such as Wireshark, which is available for both Windows and Linux, with customized filters, colorization of packet records based on criteria deemed interesting, and the capability of automatically highlighting certain error conditions such as data retransmissions:
tcpdump -i eth1 -w /tmp/packets.dump tcp port 22
Covering Wireshark is beyond the scope of this book but that shouldn't discourage you from using it. The
application is part of the Fedora RPM suite, and a Windows version is also available.
Common Problems with tcpdump
By default tcpdump will attempt to determine the DNS names of all the IP addresses it sees while logging
data. This can slow down tcpdump so much that it appears not to be working at all. The -n switch stops
DNS name lookups and will make tcpdump work more reliably.
The following are examples of how the -n switch affects the output:
Without the -n switch
[root@bigboy tmp]# tcpdump -i eth1 tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
02:24:34.818398 IP 192-168-1-242.my-site.com.1753 > bigboy-100.my-site.com.ssh: . ack 318574223 win 65471
02:24:34.818478 IP bigboy-100.my-site.com.ssh > 192-168-1-242.my-site.com.1753: P 1:165(164) ack 0 win 64
02:24:35.019042 IP 192-168-1-242.my-site.com.1753 > bigboy-100.my-site.com.ssh: . ack 165 win 65307
02:24:35.019118 IP bigboy-100.my-site.com.ssh > 192-168-1-242.my-site.com.1753: P 165:401(236) ack 0 win
02:24:35.176299 IP 192-168-1-242.my-site.com.1753 > bigboy-100.my-site.com.ssh: P 0:20(20) ack 401 win 65
02:24:35.176337 IP bigboy-100.my-site.com.ssh > 192-168-1-242.my-site.com.1753: P 401:629(228) ack 20 win
6 packets captured
7 packets received by filter
0 packets dropped by kernel
[root@bigboy tmp]#
With the -n switch
[root@bigboy tmp]# tcpdump -i eth1 -n tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
02:25:53.068511 IP 192.168.1.242.1753 > 192.168.1.100.ssh: . ack 318576011 win 65163
02:25:53.068606 IP 192.168.1.100.ssh > 192.168.1.242.1753: P 1:165(164) ack 0 win 6432
02:25:53.269152 IP 192.168.1.242.1753 > 192.168.1.100.ssh: . ack 165 win 64999
02:25:53.269205 IP 192.168.1.100.ssh > 192.168.1.242.1753: P 165:353(188) ack 0 win 6432
02:25:53.408556 IP 192.168.1.242.1753 > 192.168.1.100.ssh: P 0:20(20) ack 353 win 64811
02:25:53.408589 IP 192.168.1.100.ssh > 192.168.1.242.1753: P 353:541(188) ack 20 win 6432
6 packets captured
7 packets received by filter
0 packets dropped by kernel
[root@bigboy tmp]#
Exercises for lab:
Exercise 1:- Display the routing table maintained on your system and list the networks that are connected to your system and their corresponding gateways. What is the IP address of the default gateway that is set on your system?
Home Work:
1) Configure a network containing two PCs and troubleshoot the network for any problem in the network. Follow the procedure step-by-step as given in the manual.
Lab No. 15: Installing Linux Software
Objective:
To familiarize students with how a Linux server could be used as a router
Scope:
The students would be able to do the following at the end of this lab:
• list installed and available packages
• Install a package locally
• Install a package from the internet.
Useful Concepts:
Automated Package Download
The disadvantage of manual downloads is that the packages often won't install unless certain prerequisite packages have been installed beforehand. This can lead to the download and installation of several packages, which can become tedious.
All the major Linux distributions have automated download and update utilities. For example, Fedora
uses yum and Ubuntu and Debian use apt.
Exercise-1:- This exercise illustrates how to get RPMs using command-line anonymous FTP
Anonymous FTP allows you to log in and download files from an FTP server using the username anonymous or the shorter username ftp and a password that matches your email address. This way anyone can access the data. Let's illustrate this with an example of using anonymous FTP to download the SSH package from download.fedora.redhat.com:
1) First we issue the FTP command targeting download.fedora.redhat.com at the command line.
[root@bigboy tmp]# ftp download.fedora.redhat.com
Trying 66.187.232.35...
Connected to download.fedora.redhat.com (66.187.232.35).
220 Fedora FTP server ready. All transfers are logged.
Name (download.fedora.redhat.com:root): anonymous
331 Please specify the password.
Password:
230 Login successful. Have fun.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> ls
227 Entering Passive Mode (66,187,232,35,57,155)
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Oct 29 15:59 pub
226 Directory send OK.
ftp>:
2) After we've logged in, we can use the help command to see what options we have at our disposal.
ftp> help
Commands may be abbreviated. Commands are:
! cr mdir proxy send
------
ftp>
3) By using the Web browsing feature on the Web site ahead of time, I know that the Fedora Core 2 RPMs are located in the pub/fedora/linux/core/2/i386/os/Fedora/RPMS/ directory and will use the cd command to change my directory to there. We can use the ls command to get a listing of files in this directory.
ftp> cd pub/fedora/linux/core/2/i386/os/Fedora/RPMS/
250 Directory successfully changed.
ftp> ls open*
227 Entering Passive Mode (66,187,232,35,58,3)
150 Here comes the directory listing.
...
...
-rw-r--r-- ... ... 184281 Oct 28 23:29 openssh-3.6.1p2-34.i386.rpm
...
...
226 Directory send OK.
ftp>
4) Next we get the file we need and place it in the local directory /usr/rpm. The hash command will print
"#" hash signs on the screen during the download.
ftp> hash
Hash mark printing on (1024 bytes/hash mark).
ftp> lcd /usr/rpm
Local directory now /usr/rpm
ftp> get openssh-3.6.1p2-34.i386.rpm
local: openssh-3.6.1p2-34.i386.rpm remote: openssh-3.6.1p2-34.i386.rpm
227 Entering Passive Mode (66,187,232,35,58,25)
150 Opening BINARY mode data connection for openssh-3.6.1p2-34.i386.rpm (184281 bytes).
################################################226 File send OK.
184281 bytes received in 3.41 secs (53 Kbytes/sec)
ftp>
Note: You can also use wildcards to download the RPMs you need using the mget command. You'll be prompted for each of the matching RPM files. In the next example, we just aborted this download by typing n.
ftp> mget openssh-3.6*
mget openssh-3.6.1p2-34.i386.rpm? n
ftp>
5) Finally we use the exit command to leave FTP.
ftp> exit
221 Goodbye.
[root@bigboy tmp]#
Exercise-2:- This exercise illustrates how to download software using the wget utility.
The wget command can be used to download files quickly when you already know the URL at which the
RPM is located. Here is an example downloading a DHCP update from Fedora.
[root@tmp]# wget <URL>
--17:38:36-- ftp://linux.stanford.edu/pub/mirrors/fedora/linux/core/2/i386/os/Fedora/RPMS/dhcp-3.0pl2-
6.
=> `dhcp-3.0pl2-6.16.i386.rpm.5'
Resolving linux.stanford.edu... done.
Connecting to linux.stanford.edu[171.66.2.18]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD /pub/mirrors/fedora/linux/core/2/i386/os/Fedora/RPMS ... done.
==> PASV ... done. ==> RETR dhcp-3.0pl2-6.16.i386.rpm ... done.
Length: 529,890 (unauthoritative)
100%[===============================>] 529,890 889.12K/s ETA 00:00
17:38:36 (889.12 KB/s) - `dhcp-3.0pl2-6.16.i386.rpm.5' saved [529890]
[root@tmp]#
Exercise-3:- This exercise illustrates How to Install RPMs Manually
Download / copy RPMs (which usually have a file extension ending with .rpm) into a temporary directory, such as /tmp. The next step is to issue the rpm -Uvh command to install the package.
The -U qualifier is used for updating an RPM to the latest version, the -h qualifier gives a list of hash # characters during the installation and the -v qualifier prints verbose status messages while the command is run. Here is an example of a typical RPM installation command to install the MySQL server package:
[root@bigboy tmp]# rpm -Uvh mysql-server-3.23.58-9.i386.rpm
Preparing... ####################### [100%]
1:mysql-server ####################### [100%]
[root@bigboy tmp]#
How to Install Source RPMs
Sometimes the packages you want to install need to be compiled in order to match your kernel version.
This requires you to use source RPM files:
Download the source RPMs or locate them on your CD collection. They usually have a file extension ending with .src.rpm.
Run the following command as root. Compiling and installing source RPMs with Fedora can be done simply with the rpmbuild command:
[root@tmp]# rpmbuild --rebuild filename.src.rpm
Here is an example in which we install the tacacs plus package.
[root@bigboy rpm]# rpmbuild --rebuild tac_plus-4.0.3-2.src.rpm
Installing tac_plus-4.0.3-2.src.rpm
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.61594
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd /usr/src/redhat/BUILD
+ rm -rf tac_plus-4.0.3
+ /usr/bin/gzip -dc /usr/src/redhat/SOURCES/tac_plus-4.0.3.tgz
+ tar -xvvf -
...
...
...
+ umask 022
+ cd /usr/src/redhat/BUILD
+ rm -rf tac_plus-4.0.3
+ exit 0
[root@rpm]#
Exercise-4:- This exercise illustrates How to List Installed RPMs
The rpm -qa command will list all the packages installed on your system:
[root@tmp]# rpm -qa
perl-Storable-1.0.14-15
smpeg-gtv-0.4.4-9
audiofile-0.2.3-3
...
...
[root@tmp]#
Exercise-5:- This exercise illustrates Uninstalling RPMs
The rpm -e command will erase an installed package. The package name given must match that listed in
the rpm -qa command because the version of the package is important:
[root@tmp]# rpm -e package-name
Exercises for lab:
Exercise 1:- Download RPMs using anonymous FTP.
Exercise 2:- Download RPMs using wget.
Exercise 3:- Install MySQL database using RPM.
Exercise 4:- Install java using source RPM.
Home Work
1) Compare the strengths of apt and yum utility.
Lab No. 16: Linux Boot Process
Objective:
To familiarize students with the Linux boot process and how to customize various boot options.
Scope:
The students would be able to do the following at the end of this lab:
• Change the default boot order of the operating systems installed
• Perform root password recovery
• Starting and stopping daemons when needed
• Start/Stop daemons at the startup
Useful Concepts:
Sample grub.conf file
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Fedora Core (2.6.8-1.521)
root (hd0,0)
kernel /vmlinuz-2.6.8-1.521 ro root=LABEL=/
initrd /initrd-2.6.8-1.521.img
title Windows 2000
rootnoverify (hd0,1)
chainloader +1
Exercise-1:- This exercise demonstrates the procedure of Determining the Default Boot
runlevel
The default boot runlevel is set in the file /etc/inittab with the initdefault variable. When
set to 3, the system boots up with the text interface on the VGA console; when set to 5,
you get the GUI. Here is a snippet of the file (delete the initdefault line you don't need):
# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
id:3:initdefault: # Console Text Mode
id:5:initdefault: # Console GUI Mode
Exercise-2:- This exercise demonstrates Root Password Recovery
Sometimes you might forget the root password, or the previous systems administrator may move on to a new job without giving it to you. To reset it, follow these steps:
1. Go to the VGA console and press Ctrl-Alt-Del. The system will then shut down in
an orderly fashion.
2. Reboot the system and enter single-user mode.
3. Once at the command prompt, change your password. Single user mode assumes the
person at the console is the systems administrator root, so you don't have to specify
a root username.
4. Return to your default runlevel by using the exit command.
Exercise-3:- This exercise demonstrates how to start and stop a server daemon
If a startup script exists in the /etc/init.d directory, then its daemon can be started by specifying its filename followed by the keyword "start" as seen below:
Starting a Daemon
root@localhost# /etc/init.d/apache start
* Starting apache 1.3 web server...
...done.
root@localhost#
Stopping a Daemon
root@localhost# /etc/init.d/apache stop
* Stopping apache 1.3 web server...
...done.
root@localhost#
Exercise-4:- Using chkconfig to start daemons at each runlevel
As stated earlier, the chkconfig command can be used to adjust which applications start at each runlevel.
You can use this command with the --list switch to get a full listing of packages listed in /etc/init.d and
the runlevels at which they will be on or off:
[root@root]# chkconfig --list
keytable 0:off 1:on 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
wlan 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:off 3:on 4:off 5:on 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:off 2:on 3:on 4:on 5:on 6:off
...
...
Switch Off sendmail Starting Up in Levels 3 and 5
[root@root]# chkconfig --level 35 sendmail off
Switch On sendmail
[root@root]# chkconfig sendmail on
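The two listings above (the initdefault line in /etc/inittab and the chkconfig --list table) together tell you which daemons will actually be running after a reboot, which is what an attack-surface review needs. As an added example that is not part of the original manual, this Python script reads constructed copies of both, lists the daemons enabled at the default runlevel, and prints the chkconfig commands that would switch off any daemon not on an assumed allow-list.

```python
import re

# Constructed /etc/inittab fragment and chkconfig --list output, modelled on
# the listings in this lab (not captured from a real host).
INITTAB = """\
# Default runlevel. The runlevels used by RHS are:
# 3 - Full multiuser mode
# 5 - X11
id:3:initdefault:
"""

CHKCONFIG_LIST = """\
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:off   3:on    4:off   5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
"""

INITDEFAULT_RE = re.compile(r"^id:(\d):initdefault:")


def default_runlevel(inittab_text):
    """Return the runlevel init boots into, from the id:N:initdefault: line."""
    for line in inittab_text.splitlines():
        m = INITDEFAULT_RE.match(line.strip())
        if m:
            return int(m.group(1))
    raise ValueError("no initdefault line in inittab")


def parse_chkconfig(text):
    """Map service name -> {runlevel: enabled} from 'chkconfig --list' output."""
    services = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:          # skip headers, xinetd lines and blanks
            continue
        levels = {}
        for entry in parts[1:]:
            level, state = entry.split(":")
            levels[int(level)] = (state == "on")
        services[parts[0]] = levels
    return services


def services_at_boot(inittab_text, chkconfig_text):
    """Daemons that will actually start: those 'on' at the default runlevel."""
    level = default_runlevel(inittab_text)
    enabled = parse_chkconfig(chkconfig_text)
    return sorted(name for name, levels in enabled.items() if levels.get(level))


def remediation_commands(inittab_text, chkconfig_text, allowed):
    """chkconfig commands that turn off every boot-time daemon not on the allow-list."""
    level = default_runlevel(inittab_text)
    extra = [s for s in services_at_boot(inittab_text, chkconfig_text) if s not in allowed]
    return [f"chkconfig --level {level} {svc} off" for svc in extra]


if __name__ == "__main__":
    baseline = {"keytable", "syslog", "network", "atd"}   # assumed allow-list
    print("starts at boot:", services_at_boot(INITTAB, CHKCONFIG_LIST))
    for cmd in remediation_commands(INITTAB, CHKCONFIG_LIST, baseline):
        print(cmd)
```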
Exercises for lab:
Exercise 1:- Using the grub.conf file, change the default boot operating system from Linux to Windows.
Exercise 2:- Perform the root password recovery process given in Exercise 2.
Exercise 3:- Switch off network startup using chkconfig and then turn it back on.
Home Work:
1) If it is possible to recover the root password as shown in Exercise 2, then why is it said that Linux has better security? How can you secure the system by preventing this process from being carried out by anonymous users?
Lab No. 17: Configuring Linux DHCP Server
Objective:
To familiarize students with the configuration of DHCP server along with installing DHCP server on a
Linux machine
Scope:
The students would be able to do the following at the end of this lab:
• To download and install DHCP Server
• Configure and customize various DHCP server options
Exercise-1:- This exercise demonstrates how to Download and Install the DHCP Package
For systems using RPMs: When searching for the file, remember that the DHCP server RPM's filename
usually starts with the word dhcp followed by a version number like this: dhcp-3.0.1rc14-1.i386.rpm.
For Debian Linux systems: With Debian / Ubuntu the package name may include a version number. Use
the dpkg --list | grep dhcp command to get a list of all your dhcp packages and use the output to infer
what the DHCP server package name would be. In this case we can guess that the package name should
be dhcp3-server.
root@root# dpkg --list | grep dhcp
dhcp3-client 3.0.3-6ubuntu7 DHCP Client
dhcp3-common 3.0.3-6ubuntu7 Files used by all the dhcp3* packages.
Exercise-2:- This exercise describes the /etc/dhcpd.conf file
configure your network. The standard DHCP RPM package doesn't automatically install
a /etc/dhcpd.conf file, but you can find a sample copy of dhcpd.conf in the following
directory which you can always use as a guide.
/usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample
You have to copy the sample dhcpd.conf file to the /etc directory and then you'll have to
edit it. Here is the command to do the copying for the version 3.0p11 RPM file:
[root@root]# cp /usr/share/doc/dhcp-3.0pl1/dhcpd.conf.sample /etc/dhcpd.conf
Exercise-3:- This exercise demonstrates how to configure the DHCP server
Here is a quick explanation of the dhcpd.conf file: Most importantly, there must be a subnet section for
each interface on your Linux box.
ddns-update-style interim;
ignore client-updates;
subnet 192.168.1.0 netmask 255.255.255.0 {
# The range of IP addresses the server
# will issue to DHCP enabled PC clients
# booting up on the network
range 192.168.1.201 192.168.1.220;
# Set the amount of time in seconds that
# a client may keep the IP address
default-lease-time 86400;
max-lease-time 86400;
# Set the default gateway to be used by
# the PC clients
option routers 192.168.1.1;
# Don't forward DHCP requests from this
# NIC interface to any other NIC
# interfaces
option ip-forwarding off;
# Set the broadcast address and subnet mask
# to be used by the DHCP clients
option broadcast-address 192.168.1.255;
option subnet-mask 255.255.255.0;
# Set the NTP server to be used by the
# DHCP clients
option ntp-servers 192.168.1.100;
# Set the DNS server to be used by the
# DHCP clients
option domain-name-servers 192.168.1.100;
# If you specify a WINS server for your Windows clients,
# you need to include the following option in the dhcpd.conf file:
option netbios-name-servers 192.168.1.100;
# You can also assign specific IP addresses based on the clients'
# ethernet MAC address as follows (host's name is "laser-printer"):
host laser-printer {
hardware ethernet 08:00:2b:4c:59:23;
fixed-address 192.168.1.222;
}
}
#
# List an unused interface here
#
subnet 192.168.2.0 netmask 255.255.255.0 {
}
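A dhcpd.conf like the one above fails quietly when its parts disagree: a fixed-address inside the dynamic range will collide with leased clients, and a gateway or broadcast option outside the subnet it sits in is simply handed to every client. As an added example that is not part of the original manual, this Python checker parses the subset of dhcpd.conf syntax used in this lab and reports such inconsistencies on a constructed file that contains two planted mistakes.

```python
import ipaddress
import re

# Constructed dhcpd.conf modelled on the one in this exercise. Two mistakes are
# planted for the checker to find: the printer's fixed-address sits inside the
# dynamic range, and the second subnet's default gateway is in the wrong subnet.
SAMPLE_CONF = """\
ddns-update-style interim;
ignore client-updates;
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.201 192.168.1.220;          # dynamic pool
  default-lease-time 86400;
  max-lease-time 86400;
  option routers 192.168.1.1;
  option broadcast-address 192.168.1.255;
  option subnet-mask 255.255.255.0;
  option domain-name-servers 192.168.1.100;
  host laser-printer {
    hardware ethernet 08:00:2b:4c:59:23;
    fixed-address 192.168.1.210;
  }
}
subnet 192.168.2.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;
}
"""

SUBNET_RE = re.compile(r"^subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
RANGE_RE = re.compile(r"^range\s+(\S+)\s+(\S+);")
OPTION_RE = re.compile(r"^option\s+([\w-]+)\s+(.+?);")
HOST_RE = re.compile(r"^host\s+(\S+)\s*\{")
HW_RE = re.compile(r"^hardware\s+ethernet\s+(\S+);")
FIXED_RE = re.compile(r"^fixed-address\s+(\S+);")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def parse_dhcpd(text):
    """Parse the subset of dhcpd.conf syntax used in this lab into a list of subnets."""
    subnets, cur, host = [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        if m := SUBNET_RE.match(line):
            cur = {"network": ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                   "range": None, "options": {}, "hosts": []}
            subnets.append(cur)
        elif cur is not None and (m := HOST_RE.match(line)):
            host = {"name": m[1], "mac": None, "fixed": None}
            cur["hosts"].append(host)
        elif host is not None and (m := HW_RE.match(line)):
            host["mac"] = m[1]
        elif host is not None and (m := FIXED_RE.match(line)):
            host["fixed"] = ipaddress.ip_address(m[1])
        elif cur is not None and (m := RANGE_RE.match(line)):
            cur["range"] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif cur is not None and (m := OPTION_RE.match(line)):
            cur["options"][m[1]] = m[2]
        elif line == "}":                         # close the innermost open block
            if host is not None:
                host = None
            else:
                cur = None
    return subnets


def check_dhcpd(text):
    """Return human-readable problems; an empty list means the file is consistent."""
    problems = []
    for s in parse_dhcpd(text):
        net, rng, opts = s["network"], s["range"], s["options"]
        tag = f"subnet {net}"
        if rng:
            lo, hi = rng
            if lo not in net or hi not in net:
                problems.append(f"{tag}: range {lo}-{hi} is outside the subnet")
            elif lo > hi:
                problems.append(f"{tag}: range start {lo} is above its end {hi}")
        gw = opts.get("routers")
        if gw and ipaddress.ip_address(gw) not in net:
            problems.append(f"{tag}: option routers {gw} is not inside the subnet")
        bc = opts.get("broadcast-address")
        if bc and ipaddress.ip_address(bc) != net.broadcast_address:
            problems.append(f"{tag}: broadcast-address {bc} should be {net.broadcast_address}")
        sm = opts.get("subnet-mask")
        if sm and sm != str(net.netmask):
            problems.append(f"{tag}: option subnet-mask {sm} does not match netmask {net.netmask}")
        for h in s["hosts"]:
            if not h["mac"] or not MAC_RE.match(h["mac"]):
                problems.append(f"{tag}: host {h['name']} has a malformed hardware ethernet address")
            fx = h["fixed"]
            if fx is None:
                continue
            if fx not in net:
                problems.append(f"{tag}: host {h['name']} fixed-address {fx} is outside the subnet")
            elif rng and rng[0] <= fx <= rng[1]:
                problems.append(f"{tag}: host {h['name']} fixed-address {fx} lies inside the dynamic range")
    return problems


if __name__ == "__main__":
    for p in check_dhcpd(SAMPLE_CONF):
        print("WARN", p)
```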
Exercises for lab:
Exercise 1:- Download and install DHCP server.
Exercise 2:- Configure DHCP server to lease a range of class B IP addresses.
Home Work:
1) Specify Default Gateway and DNS server IPs in DHCP configuration.
2) Using chkconfig configure DHCP to start during boot process.
Lab No. 18: Managing Linux Users and sudo
Objective:
To familiarize students with the Linux user management
Scope:
The students would be able to do the following at the end of this lab:
• Create user groups.
• Create user accounts and assign them appropriate groups
• Running commands with privileged access
Exercise-1:- This exercise illustrates How to Add Users to the system
Adding users takes some planning; read through these steps below before starting:
1) Arrange your list of users into groups by function. In this example there are two groups "parents",
"children".
Parents Children
Asif Sami
Fatima Owais
2) Add the Linux groups to your server:
[root@tmp]# groupadd parents
[root@tmp]# groupadd children
3) Add the Linux users and assign them to their respective groups
[root@tmp]# useradd -g parents asif
[root@tmp]# useradd -g parents fatima
[root@tmp]# useradd -g children sami
[root@tmp]# useradd -g children owais
If you don't specify the group with the -g, RedHat/Fedora Linux creates a group with the same name as
the user you just created; this is also known as the User Private Group Scheme. When each new user first
logs in, they are prompted for their new permanent password.
4) Each user's personal directory is placed in the /home directory. The directory name will be the same as
their user name.
Exercise-2:- This exercise illustrates How to Change Passwords
You need to create passwords for each account. This is done with the passwd command.
You are prompted once for your old password and twice for the new one.
User root changing the password for user asif.
[root@root]# passwd asif
Changing password for user asif.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@root]#
Users might wish to change their passwords in future. Here is how unprivileged user asif would change
his own password.
[asif@asif]$ passwd
Changing password for asif
Old password: your current password
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
New password: your new password
Re-enter new password: your new password
Password changed.
[asif@asif]$
Exercise-3:- This exercise illustrates How to Delete Users
The userdel command removes the user's record from the /etc/passwd and /etc/shadow files used in the login process. The command has a single argument, the username.
[root@tmp]# userdel sami
There is also an optional -r switch that additionally removes all the contents of the user's home directory.
Use this option with care. The data in a user's directory can often be important.
Exercise-4:- This exercise illustrates how to get privileges using sudo
If a server needs to be administered by a number of people it is normally not a good idea for them all to use the root account. This is because it becomes difficult to determine exactly who did what, when and where if everyone logs in with the same credentials. The sudo utility was designed to overcome this difficulty.
The sudo utility allows users defined in the /etc/sudoers configuration file to have temporary access to run
commands they would not normally be able to due to file permission restrictions. The commands can be
run as user "root" or as any other user defined in the /etc/sudoers configuration file.
Simple Sudo Examples:
Using sudo is relatively simple as we can see from these examples.
Temporarily gaining root Privileges
In this example, user asif attempts to view the contents of the /etc/sudoers file, which is an action that
normally requires privileged access. Without sudo, the command fails:
[asif@asif]$ more /etc/sudoers
/etc/sudoers: Permission denied
[asif@asif]$
asif tries again using sudo and his regular user password and is successful:
[asif@asif]$ sudo more /etc/sudoers
Password:
...
...
[asif@asif]$
Becoming root for a Complete Login Session
The su command allows a regular user to become the system's root user if they know the root password.
A user with sudo rights to use the su command can become root, but they only need to know their own
password, not that of root as seen here.
someuser@tmp:~$ sudo su -
Password:
root@tmp:~#
Exercises for lab:
Exercise 1:- Add a group with the name of relatives.
Exercise 2:- Add a user with the name of Asim and assign it to the relatives group.
Exercise 3:- Try to edit the file /etc/profile without sudo and then with sudo.
Home Work:
1) Read the /etc/sudoers file thoroughly and modify it to add a user Asim to the /etc/sudoers file.
Lab No. 19: Configuring Samba
Objective:
To familiarize students with the working and configuration of samba server
Scope:
The students would be able to do the following at the end of this lab:
• Install Samba server.
• Managing the services related to samba server
• Preparing SWAT to be used for samba configuration
• Using SWAT for samba configuration
Useful Concepts
Download and Install Packages
Samba is composed of a suite of RPM files named:
samba
samba-common
samba-client
samba-swat
Exercise-1:- This exercise illustrates How to Get Samba Started
You can configure Samba to start at boot time using the chkconfig command:
[root@tmp]# chkconfig smb on
You can start/stop/restart Samba after boot time using the smb initialization script as in the examples below:
[root@tmp]# service smb start
[root@tmp]# service smb stop
[root@tmp]# service smb restart
Sometimes Samba may have an ancillary nmb daemon that also needs to be started. The syntax is the
same as that for the smb daemon.
[root@tmp]# service nmb start
[root@tmp]# service nmb stop
[root@tmp]# service nmb restart
Note: Unlike many Linux packages, Samba does not need to be restarted after changes have been made to its configuration file, as it is read after the receipt of every client request.
Exercise-2:- This exercise explains The Samba Configuration File
The /etc/samba/smb.conf file is the main configuration file you'll need to edit. It is split into five major
sections, outlined in the following table:
Exercise-3:- This exercise illustrates the SWAT utility
SWAT, Samba's web-based configuration tool, enables you to configure your smb.conf file without needing to remember all the formatting. Each SWAT screen is actually a form that covers a separate section of the smb.conf file into which you fill in the desired parameters. For ease of use, each parameter box has its own online help. The figure below shows the main SWAT login screen.
Basic SWAT Setup
The enabling and disabling, starting and stopping of SWAT is controlled by xinetd, via a configuration file named /etc/xinetd.d/swat. Here is a sample:
service swat
{
        port            = 901
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/swat
        log_on_failure  += USERID
        disable         = no
        only_from       = localhost
}
The file's formatting is fairly easy to understand, especially as there are only two entries of interest.
The disable parameter must be set to no to accept connections. This can automatically be switched between yes and no as we will see later.
The default configuration only allows SWAT web access from the VGA console as user root on port 901 with the Linux root password. This means you'll have to enter "http://127.0.0.1:901" in your browser to get the login screen.
Controlling SWAT
As with all xinetd-controlled applications, the chkconfig command automatically modifies the disable
field accordingly in the configuration file and activates the change. Before SWAT can be used, the xinetd
program which controls it must be activated in advance.
You can start/stop/restart xinetd after boot time using the xinetd initialization script as in the examples below:
[root@bigboy tmp]# service xinetd start
[root@bigboy tmp]# service xinetd stop
[root@bigboy tmp]# service xinetd restart
Just like most Linux systems applications, you can configure xinetd to start at boot time using the chkconfig command:
[root@bigboy tmp]# chkconfig xinetd on
To activate SWAT use:
[root@bigboy tmp]# chkconfig swat on
To deactivate SWAT use:
[root@bigboy tmp]# chkconfig swat off
Exercise-4:- This exercise illustrates how to Create a Starter Configuration
We will now illustrate how to configure a Samba server to be the PDC for a small network by using
SWAT. You'll need to edit the various sections of the smb.conf file, so I'll walk you through what you'll
find in each.
The [Global] Section
The [global] section governs the general Samba settings.
Here's how to set the values using SWAT.
1. Log into SWAT and click on the [global] section.
2. Click the Advanced button to see all the options.
3. Make your changes and click on the Commit Changes button when finished.
4. Your smb.conf file should resemble the example below when you're finished. You can view the contents of the configuration file by logging in to the Samba server via a command prompt and using cat /etc/samba/smb.conf to verify your changes as you do them.
[global]
        workgroup = HOMENET
        time server = Yes
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        smb passwd file = /etc/samba/smbpasswd
        private dir = /etc/samba
Note: security = user and WINS support = yes are default settings for Samba and they may not show up in
your smb.conf file, even though you may see them in SWAT.
The [homes] Section
Here's how to set the values using SWAT:
1. Click on the SWAT shares button to proceed to where shared directories are configured.
2. Click the Advanced button to see all the options.
3. Choose the Homes share.
4. Make your changes and click on the Commit Changes button when finished.
5. Your smb.conf file should resemble this when finished. You can view the contents of the configuration file by logging in to the Samba server via a command prompt and using cat /etc/samba/smb.conf to verify your changes as you do them.
[homes]
        read only = No
        browseable = No
        create mask = 0644
        directory mask = 0755
The [netlogon] and [profiles] Share Sections
The [netlogon] share section contains scripts that the Windows clients may use when they log into the domain. The [profiles] share section stores settings related to the look and feel of Windows so that the user has the same settings no matter which Windows PC they log into. The [profiles] share section stores things such as favourites and desktop icons.
Your smb.conf file should look like this when you're finished:
[netlogon]
        path = /home/samba/netlogon
        guest ok = Yes

[profiles]
        path = /home/samba/profiles
        read only = No
        create mask = 0600
        directory mask = 0700
Here's how to do it.
1. Click the Shares button.
2. Create a [netlogon] share section.
3. Modify the path and guest ok settings.
4. Click on the Commit Changes button.
5. Create a [profiles] share section.
6. Modify the path, mask and read only settings. The mask settings allow only the owner of the netlogon subdirectory to be able to modify its contents.
7. Click on the Commit Changes button.
Remember to create these share directories from the command line afterwards.
[root@tmp]# mkdir -p /home/samba/netlogon
[root@tmp]# mkdir -p /home/samba/profiles
[root@tmp]# chmod -R 0755 /home/samba
Exercises for lab:
Exercise 1:- Install samba server.
Exercise 2:- Prepare SWAT for samba configuration.
Exercise 3:- Configure samba as a Primary Domain Controller.
Home Work:
1) What is the difference between smbpasswd and shadowpasswd?
2) Write a comprehensive note on the primary domain controller (PDC).
Lab No. 20: Sharing Resources using samba
Objective:
To familiarize students with the file/printer sharing features of samba.
Scope:
The students would be able to do the following at the end of this lab:
• Share a printer on the network using samba.
• Create group shares on the samba server.
• Share CD-ROM drive and folders on the samba server
• Automate the mounting process using SMB clients
Exercise-1:- This exercise illustrates Adding a Printer to a Samba PDC
The easiest way to let Samba know the printer is available is via the Samba SWAT Web interface. Once
you are in SWAT:
1. Click the "Printers" button
2. Find your printer in the pull-down menu. If the printer name has an asterisk (*) beside it, it has
been auto-configured by Samba. It might not be visible on your network, however, if Samba
hasn't been restarted since creating the printer. If this is the case, restart Samba.
3. If Samba did not auto-configure your printer, you need to edit or create it yourself. Click on the
"Commit Changes" button to create an updated /etc/samba/smb.conf file.
4. Click on the "Status" tab at the top of the screen and restart smbd and nmbd to restart Samba.
Your printer will now be available for use by all Windows workstations.
Exercise-2:- This exercise illustrates Creating Group Shares in SAMBA
On occasion, subgroups of a family need a share that is fully accessible by all members of the group. For example, parents working in a home office environment may need a place where they can share, distribute, or collaboratively work on documents. Here's how it's done.
Create The Directory And User Group
As with any group activity, the first step is to get organized.
1. Create a new Linux group parents:
[root@tmp]# /usr/sbin/groupadd parents
2. Create a new directory for the group's files. If one user is designated as the leader, you might want to add a chown statement to make them the owner.
[root@tmp]# mkdir /home/parent-files
[root@tmp]# chgrp parents /home/parent-files
[root@tmp]# chmod 0770 /home/parent-files
3. Add the group members to the new group. For instance, the command to add a user named father to the group is (the -a flag appends to the user's existing supplementary groups instead of replacing them):
[root@tmp]# /usr/sbin/usermod -a -G parents father
All your members are in the group; now they need to share.
Configure the Share In SWAT
Next, you need to create the share in Samba using SWAT.
1. Click on the shares button then enter the name of the share you want to create, such as only-parents.
2. Click on the "Create Share" button. Make sure the path maps to /home/parent-files and make
the valid users be @parents, where parents is the name of the Linux user group.
3. Click on the "Commit Changes" button to create a new /etc/samba/smb.conf file.
4. Click on the "Status" tab at the top of the screen and restart smbd and nmbd to restart Samba.
Your /etc/samba/smb.conf file should have an entry like this at the end:
# Parents Shared Area
[only-parents]
        path = /home/parent-files
        valid users = @parents
If it does, all is well and you can move on. If not, double check your work in the last steps.
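The "double check your work" step above can be made mechanical. The following is an added example, not the manual's own commands, that creates the group directory with the ownership and 0770 mode used in the steps, emits the share stanza SWAT writes, and verifies that the directory really has the mode and group the stanza relies on; share name, path and group are parameters whose defaults are the manual's own (only-parents, /home/parent-files, parents). The verification accepts a group name or numeric GID so it also works where the group has no /etc/group entry.

```shell
# Added example (not from the lab manual): group share directory set-up and check.
# Run setup_group_share_dir as root on the real path; the verify function only reads.

# Create the directory, hand it to the group and restrict it to owner+group (0770),
# exactly as the mkdir/chgrp/chmod steps above do.
setup_group_share_dir() {
    dir="$1"; group="$2"
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 0770 "$dir"
}

# Emit the smb.conf stanza for the share. "valid users = @group" limits the
# share to group members at the Samba layer, matching the Unix mode below it.
share_stanza() {
    name="$1"; path="$2"; group="$3"
    printf '# %s shared area\n[%s]\n        path = %s\n        valid users = @%s\n' \
        "$group" "$name" "$path" "$group"
}

# Print "ok" and return 0 when the directory exists, belongs to the group (name
# or numeric GID) and has mode 0770; otherwise print the reason and return 1.
verify_group_share_dir() {
    dir="$1"; group="$2"
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    mode=$(stat -c %a "$dir")
    grp_name=$(stat -c %G "$dir")
    grp_id=$(stat -c %g "$dir")
    [ "$mode" = "770" ] || { echo "bad mode $mode on $dir (want 770)"; return 1; }
    if [ "$grp_name" != "$group" ] && [ "$grp_id" != "$group" ]; then
        echo "bad group $grp_name on $dir (want $group)"
        return 1
    fi
    echo "ok"
}
```

Keep both layers in agreement: if the Unix mode is loosened (for example to 0775), every local account can read the parents' files regardless of what valid users says in smb.conf, which is what the verify function catches.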
Map the Directory Using "My Computer"
Finally, let the user log into the domain from a remote PC:
1. Right click on the "My Computer" icon on the desktop
2. Click on "Map Network Drive"
3. Select a drive letter.
4. Browse to the HOMENET domain, then the Samba server, then the share named only-parents.
5. Click on the check box "Reconnect at Logon", to make the change permanent.
Now the files located in the Linux /home/parent-files directory will be accessible to the parents only and
your job is complete!
Create a CD-ROM Drive Mount Point on Your Samba Server
You'll now need to create the mount point on the Linux server to mount and access the CD-ROM drive.
In this case, I've named it /mnt/winclient-cdrom, and you'll use the mount command to get access to this
device from the Linux server.
Password Prompt Method
The Linux mount command will try to access the CD-ROM device as user "username" by using the
"username=" option. You will be prompted for a password.
[root@tmp]# mkdir /mnt/winclient-cdrom
[root@tmp]# mount -t smbfs -o username=username \
//winclient/cdrom /mnt/winclient-cdrom
No Prompt Method
Linux won't prompt you for a password if you embed the access password into the mount command string
along with username as in the example below.
[root@tmp]# mkdir /mnt/winclient-cdrom
[root@tmp]# mount -t smbfs -o \
username=username,password=password \
//winclient/cdrom /mnt/winclient-cdrom
Using the smbmount Command Method
Some versions of Linux support the smbmount command to mount the remote drive.
Incompatible versions will give errors like this:
[root@tmp]# smbmount //winclient/cdrom \
/mnt/winclient-cdrom -o username=username
Password:
27875: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
SMB connection failed
To be safe, stick with using the Linux mount command.
Automating Mounting with Linux SAMBA Clients
You can also automate the mounting of shares by placing entries in your /etc/fstab file. In the example
below the home directory of user peter on server 192.168.1.100 will be mounted on the /mnt/smb mount
point as a samba filesystem (smbfs) using the login information in the file named /etc/cred.
#
# File: /etc/fstab
#
//192.168.1.100/peter /mnt/smb smbfs credentials=/etc/cred 0 0
The contents of the /etc/cred file need to have the username and password for the account in this format:
#
# File: /etc/cred
#
username = peter
password = peterspassword
Once finished you can use the mount -a to mount the new /etc/fstab entry, and the /mnt/smb directory will
now contain the contents of the share.
[root@smallfry tmp]# mount -a
[root@smallfry tmp]# ls /mnt/smb
backups profile docs data music
[root@smallfry tmp]#
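The credentials file is the safer of the two non-interactive methods above: a password given on the mount command line is visible to every local user in the process list and ends up in shell history, whereas /etc/cred can be made readable by root only. The following is an added example, not part of the lab manual, that writes such a file with a 0600 mode from the outset, checks it before it is referenced from /etc/fstab, and builds the fstab line shown above; the file path and account are parameters and nothing here touches /etc unless you pass those paths.

```shell
# Added example (not from the lab manual): credentials file for SMB mounts.

# Write "username = / password =" lines. umask 077 inside a subshell makes the
# file 0600 at creation, so it is never momentarily world-readable.
write_smb_credentials() {
    file="$1"; user="$2"; pass="$3"
    ( umask 077; printf 'username = %s\npassword = %s\n' "$user" "$pass" > "$file" )
}

# Print "ok" and return 0 if the file exists, is mode 0600 and holds both keys;
# otherwise print the problem and return 1.
check_smb_credentials() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    mode=$(stat -c %a "$file")
    [ "$mode" = "600" ] || { echo "mode $mode (want 600): $file"; return 1; }
    grep -q '^username[[:space:]]*=' "$file" || { echo "no username in $file"; return 1; }
    grep -q '^password[[:space:]]*=' "$file" || { echo "no password in $file"; return 1; }
    echo "ok"
}

# Build the /etc/fstab line for a credentials-based mount. smbfs is the type
# used in the manual; current kernels provide the same mount as type cifs.
smb_fstab_line() {
    share="$1"; mountpoint="$2"; credfile="$3"; fstype="${4:-smbfs}"
    printf '%s %s %s credentials=%s 0 0\n' "$share" "$mountpoint" "$fstype" "$credfile"
}
```

Typical use as root: `write_smb_credentials /etc/cred peter peterspassword`, then `check_smb_credentials /etc/cred` before adding `smb_fstab_line //192.168.1.100/peter /mnt/smb /etc/cred` to /etc/fstab and running mount -a. Re-run the check whenever the file is edited, since an editor may recreate it with the default umask.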
Exercises for lab:
Exercise 1:- Share a printer on the network using samba shares.
Exercise 2:- Create group shares on the samba server.
Exercise 3:- Share CD-ROM drive and folders on the samba server.
Exercise 4:- Automate the mounting process using /etc/fstab.
Home Work:
1) Write a note on access permission settings for shared resources on Samba.
Lab No. 21 Linux firewalls using iptables
Objective:
To make the students understand the use of iptables, the popular Linux firewall, for securing systems and websites.
Scope:
On completion of this lab the student will be able to:
• understand what iptables is
• Download and Install the Iptables Package
• Start iptables
• Determine the Status of iptables
• understand Packet Processing In iptables
• understand Targets and Jumps
• use Important Iptables Command Switch Operations
• Use User Defined Chains.
Useful Concepts
Firewall
• Utility software that provides protection to the system by monitoring all incoming traffic
ipchains
• The predecessor of iptables; formerly the most popular firewall/NAT package running on Linux.
• Had a number of shortcomings.
iptables
• An improved package from the Netfilter project that rectifies the shortcomings of ipchains.
Exercise-1:- This exercise is about Downloading and Installing the Iptables
Before you begin, you need to make sure that the iptables package is installed. When searching for the RPMs or DEBs, remember that the filename usually starts with the software package name followed by a version number, as in iptables-1.2.9-1.0.i386.rpm.
To install the package online on Red Hat distributions, use the yum utility:
yum install iptables
To install the package from hard disk, move to the directory containing the package and use the rpm command:
rpm -ivh iptables-1.2.9-1.0.i386.rpm
To install the package online on Debian distributions, use the apt-get utility:
apt-get install iptables
To install the package from hard disk, move to the directory containing the package and use the dpkg command:
dpkg --install iptables-1.2.9-1.0.i386.deb
Exercise -2:- This exercise is about Starting, stopping, restarting and checking the status of
iptables
You can start, stop, and restart iptables after booting by using the commands:
javidali@JLaptop$ service iptables start
javidali@JLaptop$ service iptables stop
javidali@JLaptop$ service iptables restart
To get iptables configured to start at boot, use the chkconfig command:
javidali@JLaptop$ chkconfig iptables on
You can determine whether iptables is running or not via the service iptables status command. Fedora Core will give a simple status message. For example:
javidali@JLaptop$ service iptables status
Firewall is stopped.
javidali@JLaptop$
Exercise -3:- This exercise is about Packet processing in iptables
All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.
There are three tables in total. The first is the mangle table which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment.
The second table is the filter queue which is responsible for packet filtering. It has three built-in chains in
which you can place your firewall policy rules. These are the:
• Forward chain: Filters packets to servers protected by the firewall.
• Input chain: Filters packets destined for the firewall.
• Output chain: Filters packets originating from the firewall.
The third table is the nat queue which is responsible for network address translation. It has two built-in
chains; these are:
• Pre-routing chain: NATs packets when the destination address of the packet needs to be
changed.
• Post-routing chain: NATs packets when the source address of the packet needs to be
changed
Table: Processing for packets routed by the firewall

Queue type | Queue function | Packet transformation chain in queue | Chain function
Filter | Packet filtering | FORWARD | Filters packets to servers accessible by another NIC on the firewall.
Filter | Packet filtering | INPUT | Filters packets destined to the firewall.
Filter | Packet filtering | OUTPUT | Filters packets originating from the firewall.
Nat | Network address translation | PREROUTING | Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
Nat | Network address translation | POSTROUTING | Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
Nat | Network address translation | OUTPUT | Network address translation for packets generated by the firewall. (Rarely used in SOHO environments)
Mangle | TCP header modification | PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD | Modification of the TCP packet quality of service bits before routing occurs. (Rarely used in SOHO environments)
You need to specify the table and the chain for each firewall rule you create. There is an exception: Most
rules are related to filtering, so iptables assumes that any chain that's defined without an associated table
will be a part of the filter table. The filter table is therefore the default.
To help make this clearer, take a look at the way packets are handled by iptables. In the Figure a TCP
packet from the Internet arrives at the firewall's interface on Network A to create a data connection.
The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then
inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It
is then routed.
If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT in the POSTROUTING chain before arriving at Network B. When the destination server decides to reply, the packet undergoes the same sequence of steps. Both the FORWARD and POSTROUTING chains may be configured to implement quality of service (QoS) features in their mangle tables, but this is not usually done in SOHO environments.
If the packet is destined for the firewall itself, then it passes through the INPUT chain of the mangle table, if configured, before being filtered by the rules in the INPUT chain of the filter table. If it successfully passes these tests then it is processed by the intended application on the firewall.
At some point, the firewall needs to reply. This reply is routed and inspected by the rules in the OUTPUT chain of the mangle table, if any. Next, the rules in the OUTPUT chain of the nat table determine whether DNAT is required, and the rules in the OUTPUT chain of the filter table are then inspected to help restrict unauthorized packets. Finally, before the packet is sent back to the Internet, SNAT and QoS mangling are done by the POSTROUTING chain.
Iptables Packet Flow Diagram
It is now time to discuss the ways in which you add rules to these chains.
Exercise-4:- This exercise is about Targets And Jumps
Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing. The following table lists the built-in targets that iptables uses.
Table: Descriptions of the most commonly used targets

Target | Description | Most common options
ACCEPT | iptables stops further processing. The packet is handed over to the end application or the operating system for processing. | N/A
DROP | iptables stops further processing. The packet is blocked. | N/A
LOG | The packet information is sent to the syslog daemon for logging; iptables continues processing with the next rule in the table. As you can't log and drop at the same time, it is common to have two similar rules in sequence: the first will log the packet, the second will drop it. | --log-prefix "string": tells iptables to prefix all log messages with a user-defined string. Frequently used to tell why the logged packet was dropped.
REJECT | Works like the DROP target, but will also return an error message to the host sending the packet that the packet was blocked. | --reject-with qualifier: the qualifier tells what type of reject message is returned. Qualifiers include icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, tcp-reset, echo-reply, icmp-port-unreachable (default), icmp-net-unreachable.
DNAT | Used to do destination network address translation, i.e. rewriting the destination IP address of the packet. | --to-destination ipaddress: tells iptables what the destination IP address should be.
SNAT | Used to do source network address translation, rewriting the source IP address of the packet. The source IP address is user defined. | --to-source <address>[-<address>][:<port>-<port>]: specifies the source IP address and ports to be used by SNAT.
MASQUERADE | Used to do source network address translation. By default the source IP address is the same as that used by the firewall's interface. | [--to-ports <port>[-<port>]]: specifies the range of source ports to which the original source port can be mapped.
Important Iptables Command Switch Operations
Each line of an iptables script not only has a jump, but also has a number of command line options that are used to append rules to chains that match your defined packet characteristics, such as the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again. The following tables list the most common options.
Table: General iptables match criteria

Switch | Description
-t <table> | If you don't specify a table, then the filter table is assumed. As discussed before, the possible built-in tables include: filter, nat, mangle.
-j <target> | Jump to the specified target chain when the packet matches the current rule.
-A | Append rule to end of a chain.
-F | Flush. Deletes all the rules in the selected table.
-p <protocoltype> | Match protocol. Types include icmp, tcp, udp, and all.
-s <ip-address> | Match source IP address.
-d <ip-address> | Match destination IP address.
-i <interfacename> | Match "input" interface on which the packet enters.
-o <interfacename> | Match "output" interface on which the packet exits.
In this command switches example
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT
iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192.168.1.1. The 0/0 representation of an IP address means any.
Table: Common TCP and UDP match criteria

Switch | Description
-p tcp --sport <port> | TCP source port. Can be a single value or a range in the format: start-port-number:end-port-number
-p tcp --dport <port> | TCP destination port. Can be a single value or a range in the format: starting-port:ending-port
-p tcp --syn | Used to identify a new TCP connection request. ! --syn means not a new connection request.
-p udp --sport <port> | UDP source port. Can be a single value or a range in the format: starting-port:ending-port
-p udp --dport <port> | UDP destination port. Can be a single value or a range in the format: starting-port:ending-port
In this example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
--sport 1024:65535 --dport 80 -j ACCEPT
iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on
interface eth0 from any IP address and are destined for an IP address of 192.168.1.58 that is reachable via
interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80
(www/http).
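The switches and targets above combine into a rule set that is best written out and reviewed before it is loaded. The following is an added example, not the lab manual's script, that assembles a small filter-table rule set from the two commands discussed above plus a default-deny policy, the LOG-then-DROP pairing from the targets table, and connection-state matching; interface names and addresses are the manual's own (eth0, eth1, 192.168.1.1, 192.168.1.58), and the INPUT example is narrowed to TCP port 22 rather than all TCP as in the text. The `-m state --state` match and the `-P` policy switch are standard iptables options not listed in the tables above.

```shell
# Added example (not from the lab manual): a reviewable iptables rule set.

# Print the rule set, one iptables command per line, in the order it must be
# loaded: flush, default-deny policies, loopback and established traffic,
# the explicit allows, then LOG followed by DROP for everything else.
firewall_rules() {
    cat <<'EOF'
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "INPUT-DROP: "
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
iptables -A FORWARD -j DROP
EOF
}

# Check the ordering the targets table describes: in the given chain the LOG
# rule must come before the DROP rule, or nothing is ever logged. Prints ok/bad.
log_before_drop() {
    chain="$1"
    log_line=$(firewall_rules | grep -n -- "-A $chain .*-j LOG" | head -n 1 | cut -d: -f1)
    drop_line=$(firewall_rules | grep -n -- "-A $chain .*-j DROP" | head -n 1 | cut -d: -f1)
    if [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ]; then
        echo ok
    else
        echo bad
    fi
}

# Load the rules (root only). Without root the rules are printed for review
# and the function returns 1 so a caller can tell nothing was applied.
apply_firewall_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: printing rules instead of applying them" >&2
        firewall_rules
        return 1
    fi
    firewall_rules | sh -e
}
```

Because the policies are DROP, the explicit ACCEPT for lo and for ESTABLISHED,RELATED must precede the catch-all LOG/DROP pair or replies to the firewall's own connections are discarded; the log prefix lets you grep the syslog for the chain that dropped a packet. On Red Hat style systems `service iptables save` makes the loaded rules survive a reboot.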
Exercise-5:- This exercise demonstrates a Sample iptables Script for Basic Operating System Defense
You can do several things before employing your firewall script to improve the resilience of your firewall
to attack. For example, the Linux operating system has a number of builtin protection mechanisms that
you should activate by modifying the system kernel parameters in the /proc filesystem via the
/etc/sysctl.conf file.
Here is a sample configuration:
# File: /etc/sysctl.conf
#---------------------------------------------------------------
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
#---------------------------------------------------------------
net/ipv4/conf/all/rp_filter = 1
#---------------------------------------------------------------
# Enable logging of packets with malformed IP addresses
#---------------------------------------------------------------
net/ipv4/conf/all/log_martians = 1
#---------------------------------------------------------------
# Disable redirects
#---------------------------------------------------------------
net/ipv4/conf/all/send_redirects = 0
#---------------------------------------------------------------
# Disable source routed packets
#---------------------------------------------------------------
net/ipv4/conf/all/accept_source_route = 0
#---------------------------------------------------------------
# Disable acceptance of ICMP redirects
#---------------------------------------------------------------
net/ipv4/conf/all/accept_redirects = 0
#---------------------------------------------------------------
# Turn on protection from Denial of Service (DOS) attacks
#---------------------------------------------------------------
net/ipv4/tcp_syncookies = 1
#---------------------------------------------------------------
# Disable responding to ping broadcasts
#---------------------------------------------------------------
net/ipv4/icmp_echo_ignore_broadcasts = 1
#---------------------------------------------------------------
# Enable IP routing. Required if your firewall is protecting a
# network, NAT included
#---------------------------------------------------------------
net/ipv4/ip_forward = 1
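The settings above only protect the host if they are all present with the intended values, and a later edit or a distribution default can silently change one. The following is an added example, not from the lab manual, that audits a sysctl.conf against the eight values listed in the sample; keys are normalised so the "net/ipv4/..." spelling used above and the "net.ipv4...." spelling compare equal (sysctl accepts both), the last occurrence of a key wins as it does for sysctl itself, and the file path is a parameter.

```shell
# Added example (not from the lab manual): audit sysctl.conf hardening values.

# Expected key=value pairs, taken from the sample configuration in the text.
sysctl_expected() {
    cat <<'EOF'
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.ip_forward=1
EOF
}

# Normalise a sysctl.conf: strip comments and blank lines, turn '/' into '.',
# remove whitespace around '=' and at line ends. Output is key=value per line.
sysctl_normalise() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's#/#.#g' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1"
}

# Print one line per deviation: "key=found (want X)" for a wrong value and
# "key=MISSING (want X)" for an absent key. Prints nothing when all match.
sysctl_audit() {
    norm=$(sysctl_normalise "$1")
    sysctl_expected | while IFS='=' read -r key want; do
        found=$(printf '%s\n' "$norm" | sed -n "s/^$key=//p" | tail -n 1)
        if [ -z "$found" ]; then
            echo "$key=MISSING (want $want)"
        elif [ "$found" != "$want" ]; then
            echo "$key=$found (want $want)"
        fi
    done
}
```

Run `sysctl_audit /etc/sysctl.conf` after editing, then `sysctl -p /etc/sysctl.conf` to apply; `sysctl -n net.ipv4.ip_forward` (and the other keys) shows what the running kernel actually holds, which is the value that matters if some other boot script changes it afterwards. Note that ip_forward=1 is only wanted on a firewall that routes for a protected network; on a stand-alone host audit it against 0 instead.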
Exercises for lab
Exercise 1:- Check the iptables package and install the package using the online installation utilities available (apt-get or yum).
Exercise 2:- Check the status of the iptables process. Start, stop and restart the process.
Exercise 3:- Configure the firewall to allow local networks.
Home Work
1) What were the limitations of ipchains that were overcome in iptables?
2) Which level of security is provided by a firewall?
Lab No. 22: Configuring Linux FTP Server
Objective:
To familiarize students with the working of FTP Server and configuration of FTP server.
Scope:
The students would be able to do the following at the end of this lab:
• Install/manage FTP services on a linux machine.
• Configure FTP for anonymous access
• Configure FTP for restricted access
Useful Concepts
FTP Overview
FTP relies on a pair of TCP ports to get the job done. It operates in two connection channels:
FTP Control Channel, TCP Port 21: All commands you send and the FTP server's responses to those commands will go over the control connection, but any data sent back (such as "ls" directory lists or actual file data in either direction) will go over the data connection.
FTP Data Channel, TCP Port 20: This port is used for all subsequent data transfers between the client and server.
Regular FTP
By default, the VSFTPD package allows regular Linux users to copy files to and from their home directories with an FTP client using their Linux usernames and passwords as their login credentials.
VSFTPD also has the option of allowing this type of access to only a group of Linux users, enabling you
to restrict the addition of new files to your system to authorized personnel.
The disadvantage of regular FTP is that it isn't suitable for general download distribution of software as
everyone either has to get a unique Linux user account or has to use a shared username and password.
Anonymous FTP allows you to avoid this difficulty.
Anonymous FTP
Anonymous FTP is the choice of Web sites that need to exchange files with numerous unknown remote users. Common uses include downloading software updates and MP3s and uploading diagnostic information for a technical support engineer's attention. Unlike regular FTP where you log in with a preconfigured Linux username and password, anonymous FTP requires only a username of anonymous and your email address for the password. Once logged in to a VSFTPD server, you automatically have access to only the default anonymous FTP directory (/var/ftp in the case of VSFTPD) and all its subdirectories.
Exercise-1:- This exercise illustrates How to Get VSFTPD Started
With Fedora, Red Hat, Ubuntu and Debian you can start, stop, or restart VSFTPD after booting by using these commands:
[root@tmp]# /etc/init.d/vsftpd start
[root@tmp]# /etc/init.d/vsftpd stop
[root@tmp]# /etc/init.d/vsftpd restart
With Red Hat / Fedora you can configure VSFTPD to start at boot using the chkconfig command.
[root@tmp]# chkconfig vsftpd on
With Ubuntu / Debian the sysv-rc-conf command can be used like this:
root@u-bigboy:/tmp# sysv-rc-conf vsftpd on
Note: In RedHat Linux version 8.0 and earlier, VSFTPD operation is controlled by the xinetd process.
Exercise-2:- This exercise is about Testing the Status of VSFTPD
You can always test whether the VSFTPD process is running by using the netstat -a command, which lists all the TCP and UDP ports on which the server is listening for traffic. This example shows the expected output.
[root@root]# netstat -a | grep ftp
tcp 0 0 *:ftp *:* LISTEN
[root@root]#
If VSFTPD wasn't running, there would be no output at all.
Exercise-3:- This exercise describes important configuration files related to FTP server
VSFTPD reads the contents of its vsftpd.conf configuration file only when it starts, so you'll have to restart VSFTPD each time you edit the file in order for the changes to take effect. The file may be located in either the /etc or the /etc/vsftpd directory depending on your Linux distribution.
This file uses a number of default settings you need to know about.
VSFTPD runs as an anonymous FTP server. Unless you want any remote user to log in to your default FTP directory using a username of anonymous and a password that's the same as their email address, I would suggest turning this off. The configuration file's anonymous_enable directive can be set to no to disable this feature. You'll also need to simultaneously enable local users to be able to log in by removing the comment symbol (#) before the local_enable instruction.
If you enable anonymous FTP with VSFTPD, remember to define the root directory that visitors will visit. This is done with the anon_root directive.
anon_root=/data/directory
anon_root=/data/directory
VSFTPD allows only anonymous FTP downloads to remote users, not uploads from them. This can be
changed by modifying the anon_upload_enable directive shown later.
VSFTPD doesn't allow anonymous users to create directories on your FTP server. You can change this by
modifying the anon_mkdir_write_enable directive.
VSFTPD logs FTP access to the /var/log/vsftpd.log log file. You can change this by modifying the xferlog_file directive.
By default VSFTPD expects files for anonymous FTP to be placed in the /var/ftp directory. You can
change this by modifying the anon_root directive. There is always the risk with anonymous FTP that us-
ers will discover a way to write files to your anonymous FTP directory. You run the risk of filling up your
/var partition if you use the default setting. It is best to make the anonymous FTP directory reside in its
own dedicated partition.
The configuration file is fairly straightforward, as you can see in the snippet below where we enable anonymous FTP and individual accounts simultaneously.
# Allow anonymous FTP?
anonymous_enable=YES
...
# The directory which vsftpd will try to change
# into after an anonymous login. (Default = /var/ftp)
anon_root=/data/directory
...
# Uncomment this to allow local users to log in.
local_enable=YES
...
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
...
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
...
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
...
# Activate logging of uploads/downloads.
xferlog_enable=YES
...
# You may override where the log file goes if you like.
# The default is shown below.
xferlog_file=/var/log/vsftpd.log
...
To activate or deactivate a feature, remove or add the # at the beginning of the appropriate line.
Other vsftpd.conf Options
There are many other options you can add to this file:
Limiting the maximum number of client connections (max_clients)
Limiting the number of connections by source IP address (max_per_ip)
The maximum rate of data transfer per anonymous login. (anon_max_rate)
The maximum rate of data transfer per non-anonymous login. (local_max_rate).
FTP Security Issues
FTP has a number of security drawbacks, but you can overcome them in some cases. You can restrict an individual Linux user's access to non-anonymous FTP, and you can change the configuration to not display the FTP server's software version information, but unfortunately, though very convenient, FTP logins and data transfers are not encrypted.
The /etc/vsftpd.ftpusers File
For added security, you may restrict FTP access to certain users by adding them to the list of users in the
/etc/vsftpd.ftpusers file. The VSFTPD package creates this file with a number of entries for privileged
users that normally shouldn't have FTP access. As FTP doesn't encrypt passwords, thereby increasing the
risk of data or passwords being compromised, it is a good idea to let these entries remain and add new
entries for additional security.
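The defaults described in Exercise-3 and the drawbacks listed above come down to a handful of vsftpd.conf directives, and it is easy to leave one of them in a state you did not intend (for example write_enable=YES together with an uncommented anon_upload_enable). The following is an added example, not from the lab manual, that reads a vsftpd.conf and prints the risky conditions it finds; it relies on two facts about vsftpd: its compiled-in default for anonymous_enable is YES (so an absent directive still means anonymous logins are accepted), and directives are strict key=value lines with no whitespace around the "=" (vsftpd refuses to start on "write_enable = NO"). The file path is a parameter and the sample configurations are constructed.

```shell
# Added example (not from the lab manual): vsftpd.conf risk check.

# Value of one directive, or empty if absent or commented out. The last
# occurrence wins, as it does for vsftpd.
vsftpd_get() {
    # $1 = config file, $2 = directive name
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one finding per line; print "ok" when there are none.
vsftpd_audit() {
    f="$1"
    anon=$(vsftpd_get "$f" anonymous_enable)
    local_en=$(vsftpd_get "$f" local_enable)
    write=$(vsftpd_get "$f" write_enable)
    anon_up=$(vsftpd_get "$f" anon_upload_enable)
    anon_mk=$(vsftpd_get "$f" anon_mkdir_write_enable)
    banner=$(vsftpd_get "$f" ftpd_banner)
    findings=0
    # Compiled-in default is anonymous_enable=YES.
    if [ "${anon:-YES}" = "YES" ]; then
        echo "anonymous access enabled"
        findings=$((findings + 1))
        # Anonymous writes need both the global write switch and the anon one.
        if [ "$write" = "YES" ] && [ "$anon_up" = "YES" ]; then
            echo "anonymous uploads enabled"
            findings=$((findings + 1))
        fi
        if [ "$write" = "YES" ] && [ "$anon_mk" = "YES" ]; then
            echo "anonymous mkdir enabled"
            findings=$((findings + 1))
        fi
    elif [ "$local_en" != "YES" ]; then
        echo "no login method enabled (anonymous off, local_enable not YES)"
        findings=$((findings + 1))
    fi
    if [ -z "$banner" ]; then
        echo "default banner reveals server software"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "ok"
    return 0
}
```

For the read-only-group scenario in Exercise-5 the expected result is a single line, "ok", once ftpd_banner is set; "anonymous access enabled" is a finding, not an error, when anonymous downloads are what you want, but "anonymous uploads enabled" should only ever appear with a dedicated upload directory on its own partition, as the text recommends.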
Exercise-4:- This exercise illustrates Anonymous Uploads on ftp and banner setting
If you want remote users to write data to your FTP server, then you should create a write-only directory within /var/ftp/pub. This will allow your users to upload but not access other files uploaded by other users. The commands you need are:
[root@tmp]# mkdir /var/ftp/pub/upload
[root@tmp]# chmod 722 /var/ftp/pub/upload
FTP Greeting Banner
Change the default greeting banner in the vsftpd.conf file to make it harder for malicious users to determine the type of system you have. The directive in this file is:
ftpd_banner=New Banner Here
Exercise-5:- This exercise illustrates privileged user setting
In this example, anonymous FTP is not desired, but a group of trusted users need to have read only access
to a directory for downloading files. Here are the steps:
1) Disable anonymous FTP. Comment out the anonymous_enable line in the vsftpd.conf file like this:
# Allow anonymous FTP?
anonymous_enable=NO
2) Enable individual logins by making sure you have the local_enable line uncommented in the
vsftpd.conf file like this:
# Uncomment this to allow local users to log in.
local_enable=YES
3) Start VSFTP.
[root@tmp]# service vsftpd start
4) Create a user group and shared directory. In this case, use /home/ftp-docs for the shared directory and a group name of ftp-users for the remote users:
[root@tmp]# groupadd ftp-users
[root@tmp]# mkdir /home/ftp-docs
5) Make the directory accessible to the ftp-users group.
[root@tmp]# chmod 750 /home/ftp-docs
[root@tmp]# chown root:ftp-users /home/ftp-docs
6) Add users, and make their default directory /home/ftp-docs
[root@tmp]# useradd -g ftp-users -d /home/ftp-docs user1
[root@tmp]# useradd -g ftp-users -d /home/ftp-docs user2
[root@tmp]# useradd -g ftp-users -d /home/ftp-docs user3
[root@tmp]# useradd -g ftp-users -d /home/ftp-docs user4
[root@tmp]# passwd user1
[root@tmp]# passwd user2
[root@tmp]# passwd user3
[root@tmp]# passwd user4
7) Copy files to be downloaded by your users into the /home/ftp-docs directory
8) Change the permissions of the files in the /home/ftp-docs directory for read only access by the group
[root@tmp]# chown root:ftp-users /home/ftp-docs/*
[root@tmp]# chmod 740 /home/ftp-docs/*
Users should now be able to log in via FTP to the server using their new usernames and passwords. If you don't want any FTP user to be able to write to any directory, set the write_enable line in vsftpd.conf to NO (vsftpd does not accept spaces around the equals sign):
write_enable=NO
Also note that, by default, vsftpd does not confine local users to their home directory: a logged-in user can change into any directory its Unix permissions allow. Set chroot_local_user=YES to confine them.
Remember, you must restart VSFTPD for the configuration file changes to take effect.
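As an added example (not part of the lab manual), the following POSIX shell script audits a vsftpd.conf for the settings this lab has discussed: anonymous access, anonymous uploads, local users without a chroot, the version-revealing default banner, cleartext transport, and the "spaces around =" slip that makes vsftpd refuse to start. It runs against two constructed configuration files written to temporary paths; the compiled-in defaults it assumes for unset keys are those documented in vsftpd.conf(5), and ssl_enable is vsftpd's FTPS switch, which this lab does not cover.

```shell
#!/bin/sh
# Added example, not part of the lab manual: audit a vsftpd.conf for the
# settings this lab discusses. vsftpd reads only "key=value" lines, rejects
# spaces around "=", takes the last occurrence of a key, and falls back to a
# compiled-in default for anything unset (defaults as in vsftpd.conf(5)).

# vsftpd_get FILE KEY DEFAULT: print the effective value of KEY in FILE.
vsftpd_get() {
    val=$(awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }        # comment line
        $1 == key        { v = $2 }      # last assignment wins
        END              { print v }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# vsftpd_audit FILE: print one line per weak or broken setting; exit 0 if clean.
vsftpd_audit() {
    conf=$1; n=0
    anon=$(vsftpd_get "$conf" anonymous_enable YES)
    locl=$(vsftpd_get "$conf" local_enable NO)
    writ=$(vsftpd_get "$conf" write_enable NO)
    anup=$(vsftpd_get "$conf" anon_upload_enable NO)
    chrt=$(vsftpd_get "$conf" chroot_local_user NO)
    ssl=$(vsftpd_get "$conf" ssl_enable NO)
    bann=$(vsftpd_get "$conf" ftpd_banner "")
    # Lines that are neither blank, comment nor key=value make vsftpd refuse to start.
    bad=$(grep -c -v -E '^[[:space:]]*(#|$)|^[a-z0-9_]+=' "$conf" || true)
    if [ "$anon" = YES ]; then
        echo "anonymous logins allowed (anonymous_enable defaults to YES when unset)"; n=$((n + 1))
    fi
    if [ "$anon" = YES ] && [ "$writ" = YES ] && [ "$anup" = YES ]; then
        echo "anonymous uploads enabled: the upload directory must be root-owned, mode 733"; n=$((n + 1))
    fi
    if [ "$locl" = YES ] && [ "$chrt" != YES ]; then
        echo "local users are not chrooted: they can browse the whole filesystem"; n=$((n + 1))
    fi
    if [ -z "$bann" ]; then
        echo "ftpd_banner unset: the greeting reveals the vsftpd version"; n=$((n + 1))
    fi
    if [ "$ssl" != YES ]; then
        echo "ssl_enable is not YES: passwords and data travel in cleartext"; n=$((n + 1))
    fi
    if [ "$bad" -gt 0 ]; then
        echo "$bad malformed line(s), e.g. spaces around '=': vsftpd will refuse to start"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample configurations (no real server behind them).
write_hardened_sample() {
    cat >"$1" <<'EOF'
# Exercise-5 style: trusted local users, read-only, chrooted, neutral banner
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
ftpd_banner=Welcome to the NOS lab FTP service.
EOF
}
write_careless_sample() {
    cat >"$1" <<'EOF'
# anonymous_enable is not set, so the compiled-in default (YES) applies
anon_upload_enable=YES
write_enable=YES
local_enable=YES
chroot_local_user = YES
EOF
}

for sample in hardened careless; do
    f=$(mktemp) || exit 1
    "write_${sample}_sample" "$f"
    echo "== $sample sample =="
    if vsftpd_audit "$f"; then echo "no findings"; fi
    rm -f "$f"
done
```

Point vsftpd_audit at /etc/vsftpd/vsftpd.conf (or /etc/vsftpd.conf) to check a real server. The hardened sample still produces one finding, because nothing else in vsftpd protects the credentials on the wire; the careless sample shows how an unset key silently inherits a dangerous default and how one stray space disables a setting the administrator believes is in force.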
Exercises for lab
Exercise 1:- Install FTP server.
Exercise 2:- Configure FTP to start at system boot.
Exercise 3:- Allow anonymous users to only read from a shared directory.
Home Work
1) Configure FTP server to allow only a certain group of user to write to the shared directory.
Lab No. 23: Telnet and TFTP and XINETD
Objective:
To familiarize students with the working and configuration of Telnet Server and TFTP Server
Scope:
The students would be able to do the following at the end of this lab:
• understand and configure xinetd service
• Install and configure Telnet Server
• Implement security for Telnet access
• Install and configure TFTP server software
Useful Concepts:
Telnet
Telnet is a program that allows users to log into your server and get a command prompt just as if they were logged into the VGA console. Everything in the session, including the username and password, crosses the network in cleartext, which is why SSH has replaced it for administrative access; treat the configuration below as a lab exercise, not as something to expose to an untrusted network. On Fedora Linux the Telnet server package is not installed by default, and once installed it stays disabled in xinetd until you enable it.
Exercise-1:- This exercise illustrates how to Control xinetd
The starting and stopping of the xinetd daemon is controlled by scripts in the /etc/init.d directory, and its behavior at boot time is controlled by chkconfig.
You can start/stop/restart xinetd after booting by using the following commands:
[root@root]# service xinetd start
[root@root]# service xinetd stop
[root@root]# service xinetd restart
To get xinetd configured to start at boot you can use the chkconfig command.
[root@root]# chkconfig xinetd on
Installing The Telnet Server Software
Older versions of RedHat had the Telnet server installed by default. Fedora Linux doesn't do this and you
will have to install it yourself.
When searching for the file, remember that the Telnet server RPM's filename usually starts with the word
"telnet-server" followed by a version number as in telnet-server-0.17-28.i386.rpm.
With Debian / Ubuntu, the Telnet server package would have a "telnetd" prefix like this: telnetd_0.17-32_i386.deb.
Basic Telnet Security
There are a number of things you can do to reduce the risk of running telnet. Above all, confine telnet sessions to trusted internal networks or VPNs, because anything typed into a session, the password included, crosses the network in the clear. The options below narrow the exposure but do not change that.
Let Telnet Listen On Another TCP Port
Letting telnet run on an alternate TCP port doesn't encrypt the traffic, but it makes it less likely to be found by a scan that only probes the standard port 23. Remember that this isn't a foolproof strategy: port scanners that fingerprint services identify telnet on any port.
1) Edit your /etc/services file and add an entry for a new service. Call it stelnet.
# Local services
stelnet 7777/tcp # "secure" telnet
2) Copy the telnet configuration file called /etc/xinetd.d/telnet and call it /etc/xinetd.d/stelnet:
[root@tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet
3) Edit the new /etc/xinetd.d/stelnet file. Make the new service stelnet and add a port statement for TCP
port 7777.
# default: on
# description: The telnet server serves telnet sessions
# unencrypted username/password pairs for authentication.
service stelnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
port = 7777
}
4) Use chkconfig to activate stelnet.
[root@tmp]# chkconfig stelnet on
5) Check to make sure your server is now listening on port 7777 with the netstat command.
[root@tmp]# netstat -an | grep 777
tcp 0 0 0.0.0.0:7777 0.0.0.0:* LISTEN
[root@tmp]#
You should now be able to log in to the new stelnet server on port 7777. This is done using the
telnet command with the TCP port as the second argument.
[root@tmp]# telnet 192.168.1.100 7777
Trying 192.168.1.100...
Connected to 192.168.1.100.
Escape character is '^]'.
Fedora Core release 2 (Tettnang)
Kernel 2.6.8-1.521 on an i686
login:
Let Telnet Allow Connections From Trusted Addresses
You can restrict telnet logins to a list of trusted remote hosts by using the only_from attribute in the telnet configuration file; it accepts individual addresses and networks in a.b.c.d/n form. Here's how.
1) Add a list of trusted hosts to the /etc/xinetd.d/telnet file, separated by spaces:
# default: on
# description: The telnet server serves telnet sessions
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
only_from = 192.168.1.100 127.0.0.1 192.168.1.200
}
2) Reload the configuration. Disabling and re-enabling the service with chkconfig makes xinetd re-read its configuration:
[root@tmp]# chkconfig telnet off
[root@tmp]# chkconfig telnet on
3) Test the telnet session. Hosts that are not on the trusted list get the message Connection closed by foreign host.
[root@tmp]# telnet 192.168.1.100
Trying 192.168.1.100...
Connected to 192.168.1.100.
Escape character is '^]'.
Connection closed by foreign host.
[root@tmp]#
Configuring The TFTP Server
The procedure to set up a TFTP Server is straightforward, but it is different between the Redhat and Debian distributions as we will soon see.
Redhat / Fedora
By default, the TFTP application expects files to be located in the /tftpboot directory. You can change this setting in the /etc/xinetd.d/tftp file via the server_args option; the -s flag there makes in.tftpd chroot into the given directory so that clients cannot request paths outside it. Bear in mind that TFTP has no authentication at all: every file in that directory is readable by any host that can reach UDP port 69, so never store credentials or private configuration there. It is usually best to place the TFTP files in a partition other than the root partition. TFTP files of increasing size could eventually fill the partition, affecting your ability to install new software or even the overall performance of your system. Creating a symbolic link for /tftpboot to another directory will not work with all versions of Fedora.
This example creates a new tftpboot directory in the /var partition, and then configures TFTP to be enabled while using the new directory.
[root@tmp]# mv /tftpboot /var
[root@tmp]# vi /etc/xinetd.d/tftp
#
# File /etc/xinetd.d/tftp
#
service tftp
{
...
...
server_args = -s /var/tftpboot
disable = no
}
Debian / Ubuntu
With the Debian / Ubuntu distributions, the TFTP server configuration file is /etc/default/tftpd-hpa and by
default it instructs the TFTP daemon to use the /var/lib/tftpboot directory to store its files. Also by default,
the daemon is disabled. Another thing to remember is that the tftpd-hpa server daemon runs independently of xinetd and has its own startup script in the /etc/init.d directory. By default, the daemon is started at
boot time, but the configuration file's default configuration setting disables it by forcing the daemon to
exit prematurely.
This example enables the daemon in the configuration file and then starts the TFTP
server:
root@/tmp# vi /etc/default/tftpd-hpa
...
...
#
# File: /etc/default/tftpd-hpa
#
#Defaults for tftpd-hpa
RUN_DAEMON="yes"
OPTIONS="-l -s /var/lib/tftpboot"
...
...
root@/tmp# /etc/init.d/tftpd-hpa start
Starting HPA's tftpd: in.tftpd.
root@/tmp#
Note: With both Redhat and Debian distributions, you can test whether the TFTP process is running with the netstat command, which lists the TCP/UDP ports on which your server is listening. If it isn't running, the command prints nothing.
[root@tmp]# netstat -a | grep tftp
udp 0 0 *:tftp *:*
[root@tmp]#
Exercises for lab:
Exercise 1:- Configure xinetd to start at system boot.
Exercise 2:- Download / install Telnet and TFTP server.
Exercise 3:- Configure Telnet server and implement security for telnet access.
Exercise 4:- Configure TFTP server.
Home Work:
1) Compare FTP and TFTP protocol
2) Describe the purpose of xinetd program.
3) What is the main difference between TELNET and SSH servers
Lab No. 24: Web Hosting With the Apache Web Server
Objective:
To familiarize students with the configuration of Apache Web Server.
Scope:
The students would be able to do the following at the end of this lab:
• To configure basic functions of Apache web server
• configure named virtual hosts
• configure IP-based virtual hosts
Useful Concepts:
General Configuration
The configuration file used by Apache is /etc/httpd/conf/httpd.conf in Redhat / Fedora distributions and /etc/apache*/httpd.conf in Debian / Ubuntu distributions (recent Debian and Ubuntu releases use /etc/apache2/apache2.conf and keep each site in its own file under /etc/apache2/sites-available). As for most Linux applications, you must restart Apache before changes to this configuration file take effect.
Where To Put Your Web Pages
All the statements that define the features of each web site are grouped together inside their own <VirtualHost> section, or container, in the httpd.conf file. The most commonly used statements, or directives, inside a <VirtualHost> container are:
servername: Defines the name of the website managed by the <VirtualHost> container. This is needed in
named virtual hosting only.
DocumentRoot: Defines the directory in which the web pages for the site can be found.
By default, Apache searches the DocumentRoot directory for an index, or home, page named index.html.
So for example, if you have a servername of www.my-site.com with a DocumentRoot directory of
/home/www/site1/, Apache displays the contents of the file /home/www/site1/index.html when you enter
http://www.my-site.com in your browser.
Named Virtual Hosting
You can make your Web server host more than one site per IP address by using Apache's named virtual hosting feature. In Apache 2.2 you use the NameVirtualHost directive in the /etc/httpd/conf/httpd.conf file to tell Apache which IP addresses will participate in this feature (Apache 2.4 dropped the directive: any IP address with more than one <VirtualHost> is name-based automatically).
The <VirtualHost> containers in the file then tell Apache where it should look for the Web pages used on each Web site. You must specify the IP address for which each <VirtualHost> container applies. The first container listed for an address is the default: a request whose Host header matches no ServerName is served by it, so put the site you want as the catch-all first.
Named Virtual Hosting Example
Consider an example in which the server is configured to provide content on 97.158.253.26. In the code
that follows, notice that within each <VirtualHost> container you specify the primary Web site domain
name for that IP address with the ServerName directive. The DocumentRoot directive defines the directory that contains the index page for that site.
NameVirtualHost 97.158.253.26
<VirtualHost *>
Default Directives. (In other words, not site #1 or site #2)
</VirtualHost>
<VirtualHost 97.158.253.26>
servername www.my-site.com
Directives for site #1
</VirtualHost>
<VirtualHost 97.158.253.26>
servername www.another-site.com
Directives for site #2
</VirtualHost>
IP-Based Virtual Hosting
The other virtual hosting option is to have one IP address per Web site, which is also known as IP-based
virtual hosting. In this case, you will not have a NameVirtualHost directive for the IP address, and you
must only have a single <VirtualHost> container per IP address.
Also, because there is only one Web site per IP address, the ServerName directive isn't needed in each
<VirtualHost> container, unlike in named virtual hosting.
IP Virtual Hosting Example: Wild Card and IP addresses
In this example, Apache listens on all interfaces, but gives different content for addresses 97.158.253.26 and 97.158.253.27. Web surfers get the site1 content if they try to access the web server on any of its other IP addresses.
<VirtualHost *>
DocumentRoot /home/www/site1
</VirtualHost>
<VirtualHost 97.158.253.26>
DocumentRoot /home/www/site2
</VirtualHost>
<VirtualHost 97.158.253.27>
DocumentRoot /home/www/site3
</VirtualHost>
Exercises for lab:
Exercise 1:- Configure Apache server to load at system startup.
Exercise 2:- Configure multiple websites on a single IP address.
Exercise 3:- Configure different websites on different IP addresses.
Home Work:
1) Write the configuration lines required to set up a web server with IP address 25.15.12.14 for two websites with the web addresses course.nos.com and nos.operatingsystem.com respectively.
Lab No. 25: Monitoring Server Performance
Objective:
To familiarize students with the use of graphical Linux tools, including MRTG and Webalizer, to monitor server performance.
Scope:
On the completion of this lab, students will be able to:
• Use MRTG
• Download and Install MRTG
• Configuring MRTG
• Getting MRTG To Poll Multiple Devices
• Configuring Apache To Work With MRTG
• Webalizer
• View Your Webalizer Statistics
• Understand The Webalizer Configuration File
Useful Concepts:
SNMP
• Simple Network Management Protocol, a protocol for network management
MIB
• Management Information Base
• The tree-structured database of management objects a device exposes over SNMP, described by MIB files that define the meaning of each OID
OID
• Object identifier
• The dotted-number name (for example .1.3.6.1.2.1.2.2.1.6 for ifPhysAddress) of one object in the MIB
MRTG
• Multi-Router Traffic Grapher
• Based on SNMP and monitors raw network traffic
• A free (GPL) package for producing graphs of various router statistics via a Web page
Webalizer
• A utility that tracks Web site hits, to monitor your system's Web performance
Exercise-1:- This exercise illustrates SNMP Queries
Configuring SNMP on a server isn't hard, but it does require a number of detailed steps.
Installing SNMP Utilities on a Linux Server
If you intend to use your Linux box to query your network devices, other servers or even itself using MRTG or any other tool, you need to have the SNMP utility tools package net-snmp-utils installed. This package may also require prerequisite packages, so it is best to use an automated package updater such as yum or apt to do this.
When searching for these packages the filenames will start with the package name followed by a version
number, as in net-snmp-utils-5.1.1-2.i386.rpm
SNMP Utilities Command Syntax
The SNMP utility tools package installs a number of new commands on your system for doing SNMP queries, most notably snmpget for individual OIDs and snmpwalk for obtaining the contents of an entire MIB subtree. Both commands require you to specify the community string with the -c option. They also require you to specify the version of the SNMP query to be used with a -v 1, -v 2c, or -v 3 option for versions 1, 2c, and 3, respectively. The first argument is the name or IP address of the target device and all other arguments list the MIBs or OIDs to be queried.
This example gets all the values in the interface MIB of the local server using SNMP version 1 and the
community string of craz33guy.
[root@bigboy tmp]# snmpwalk -v 1 -c craz33guy localhost interface
...
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: eth0
IF-MIB::ifDescr.3 = STRING: eth1
...
IF-MIB::ifPhysAddress.1 = STRING:
IF-MIB::ifPhysAddress.2 = STRING: 0:9:5b:2f:9e:d5
IF-MIB::ifPhysAddress.3 = STRING: 0:b0:d0:46:32:71
...
[root@bigboy tmp]#
Upon inspecting the output of the snmpwalk command, you can see that the second interface has the name eth0 and the MAC address 0:9:5b:2f:9e:d5. You can now retrieve the individual MAC address using the snmpget command with the same community string:
[root@bigboy tmp]# snmpget -v 1 -c craz33guy localhost ifPhysAddress.2
IF-MIB::ifPhysAddress.2 = STRING: 0:9:5b:2f:9e:d5
[root@bigboy tmp]#
You can confirm this information using the ifconfig command for interface eth0; the very first line shows
a matching MAC address.
[root@bigboy tmp]# ifconfig -a eth0
eth0 Link encap:Ethernet HWaddr 00:09:5B:2F:9E:D5
inet addr:216.10.119.244 Bcast:216.10.119.255 Mask:255.255.255.240
...
...
[root@bigboy tmp]#
You'll now see how you can configure SNMP on your Linux server to achieve these results.
Configuring Simple SNMP on a Linux Server
By default, Fedora installs the net-snmp package as its SNMP server product. This package uses a configuration file named /etc/snmp/snmpd.conf in which the community strings and other parameters may be set. The version of the configuration file that comes with net-snmp is quite complicated. I suggest archiving it and starting with a much simpler version containing a single line: the keyword rocommunity followed by the community string. Pick a string that is not guessable; "public" is the default on many devices and the first thing a scanner tries. Here is an example.
1) Save the old configuration file
[root@bigboy tmp]# cd /etc/snmp/
[root@bigboy snmp]# mv snmpd.conf snmpd.conf.old
[root@bigboy snmp]# vi snmpd.conf
2) Enter the following line in the new configuration file to set the Read Only community string to
craz33guy.
rocommunity craz33guy
3) Configure Linux to start SNMP services on each reboot with the chkconfig command:
[root@bigboy root]# chkconfig snmpd on
[root@bigboy root]#
4) Start SNMP to load the current configuration file.
[root@bigboy root]# service snmpd start
Starting snmpd: [ OK ]
[root@bigboy root]#
5) Test whether SNMP can read the system and interface MIBs using the snmpwalk command.
[root@bigboy snmp]# snmpwalk -v 1 -c craz33guy localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux bigboy 2.4.18-14 #1 Wed Sep 4
11:57:57 EDT 2002 i586
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
SNMPv2-MIB::sysUpTime.0 = Timeticks: (425) 0:00:04.25
SNMPv2-MIB::sysContact.0 = STRING: root@localhost
SNMPv2-MIB::sysName.0 = STRING: bigboy
...
...
...
[root@bigboy snmp]# snmpwalk -v 1 -c craz33guy localhost interface
IF-MIB::ifNumber.0 = INTEGER: 3
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: wlan0
IF-MIB::ifDescr.3 = STRING: eth0
...
...
...
[root@bigboy snmp]#
Now that you know SNMP is working correctly on your Linux server, you can configure SNMP statistics
gathering software, such as MRTG, to create online graphs of your traffic flows.
SNMP on Other Devices
In the example, you were polling localhost. You can poll any SNMP-aware network device that has
SNMP enabled. All you need is the IP address and SNMP Read Only string and you'll be able to get simi-
lar results. Here is an example of a query of a device with an IP address of 192.168.1.1.
[root@bigboy snmp]# snmpwalk -v 1 -c chir1qui 192.168.1.1 interface
Note: When issuing snmpwalk and snmpget commands, remember to use the proper version switch (-v 1,
-v 2c, or -v 3) for the version of SNMP you're using.
Basic SNMP Security
The security precautions that need to be taken with SNMP vary depending on the version you are using. This section outlines the basic steps for protecting your MIB data.
SNMP Versions 1 and 2
The most commonly supported versions of SNMP send the community string, which is the only credential, in cleartext, so anyone who can sniff the traffic learns it. Don't run queries over insecure networks such as the Internet, and make sure that you allow queries only from trusted IP addresses, either with a firewall or with the access-control features available in the snmpd.conf file.
The snmpd.conf file can limit MIB access to trusted hosts and networks. The file shipped with net-snmp has two security sections; a very restrictive section sits at the top of the file and is immediately followed by a less restrictive one. The example that follows is a modification of the less restrictive section. You will have to comment out the more restrictive statements at the top of the file for it to work correctly.
## sec.name source community
## ======== ====== =========
com2sec local localhost craz33guy
com2sec network_1 172.16.1.0/24 craz33guy
com2sec network_2 192.168.2.0/24 craz33guy
## Access.group.name sec.model sec.name
## ================= ========= ========
group MyROGroup_1 v1 local
group MyROGroup_1 v1 network_1
group MyROGroup_2 v2c network_2
## MIB.view.name incl/excl MIB.subtree mask
## ============== ========= =========== ====
view all-mibs included .1 80
## MIB
## group.name context sec.model sec.level prefix read write notif
## ========== ======= ========= ========= ====== ==== ===== =====
access MyROGroup_1 "" v1 noauth exact all-mibs none none
access MyROGroup_2 "" v2c noauth exact all-mibs none none
In our example:
Only three sources (localhost, 172.16.1.0/24, and 192.168.2.0/24) are allowed to access the server with the craz33guy community string.
Each source is mapped to either a group called MyROGroup_1 using SNMP version 1, or a group called MyROGroup_2 using SNMP version 2c.
All the MIBs on the server are defined by the view named all-mibs.
An access statement ensures that only the defined groups have read-only access to all the MIBs. MyROGroup_1 only has version 1 access and MyROGroup_2 only has version 2c access.
Modification of the MIBs via SNMP is denied because the word "none" is in the write column of the access statement.
Behind a home NAT firewall the exposure is limited to devices on the local network, but the restrictions cost nothing, and without them any compromised or untrusted device on that network can read the whole MIB.
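Both the xinetd only_from attribute in Lab 23 and the com2sec source column above come down to the same test: does the client's address fall inside any listed address or network? The script below, an added example rather than part of the manual or of either daemon, implements that check in POSIX shell for single addresses, CIDR networks, localhost and snmpd's default keyword, and runs it against the two lists used in this manual. It deliberately leaves out hostnames and xinetd's bare-network shorthand (192.168.1.0 meaning a /24) so the matching logic stays visible; the daemons' own parsers remain the reference.

```shell
#!/bin/sh
# Added example, not from the lab manual: an address-list matcher that mimics
# how xinetd's only_from and snmpd's com2sec "source" decide whether a client
# may connect. Handles single addresses, CIDR networks, "localhost" and
# snmpd's "default" (match anything). Hostnames and xinetd's bare network
# numbers are deliberately not handled.

# ip_to_int A.B.C.D: print the address as a 32-bit integer; exit 1 if malformed.
ip_to_int() {
    saved_ifs=$IFS; IFS=.; set -- $1; IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    echo "$n"
}

# prefix_mask N: netmask for a /N prefix as an integer (0 <= N <= 32).
prefix_mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# source_allows CLIENT ENTRY...: exit 0 if CLIENT matches any ENTRY, 1 if not,
# 2 if CLIENT itself is not a valid IPv4 address.
source_allows() {
    client=$(ip_to_int "$1") || return 2
    shift
    for entry in "$@"; do
        case $entry in
            default)   return 0 ;;            # snmpd: any source at all
            localhost) entry=127.0.0.1 ;;
        esac
        case $entry in
            */*) net=${entry%/*}; plen=${entry#*/} ;;
            *)   net=$entry;      plen=32 ;;
        esac
        case $plen in 0|[1-9]|[1-2][0-9]|3[0-2]) ;; *) continue ;; esac  # unparsable entry
        netint=$(ip_to_int "$net") || continue
        mask=$(prefix_mask "$plen")
        [ $(( client & mask )) -eq $(( netint & mask )) ] && return 0
    done
    return 1
}

# Demo: the telnet only_from list from Lab 23 and the com2sec sources above.
telnet_only_from="192.168.1.100 127.0.0.1 192.168.1.200"
snmp_sources="localhost 172.16.1.0/24 192.168.2.0/24"
for c in 192.168.1.100 192.168.1.50; do
    if source_allows "$c" $telnet_only_from; then echo "telnet: $c allowed"
    else echo "telnet: $c refused (Connection closed by foreign host)"; fi
done
for c in 172.16.1.77 192.168.1.1; do
    if source_allows "$c" $snmp_sources; then echo "snmpd: $c may use the community"
    else echo "snmpd: $c gets no answer"; fi
done
```

The list is passed unquoted so the shell splits it into entries exactly as it appears in the configuration file. Note that neither daemon's check does anything about a client that spoofs or shares an allowed address; it narrows who can try, nothing more.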
SNMP Version 3
SNMP Version 3 (SNMPv3) is a much more secure alternative to earlier versions: each user authenticates with a keyed hash over the message, and optionally the payload is encrypted, depending on the security level (noAuthNoPriv, authNoPriv or authPriv) chosen for the query. The username is listed in the /etc/snmp/snmpd.conf file, and the corresponding key material, generated from the password, is kept in the /var/net-snmp/snmpd.conf file. Here is how it's done.
1. Install the net-snmp-devel package as it contains the utility that will allow you to generate the pass-
word.
2. Stop the snmpd process.
[root@bigboy tmp]# service snmpd stop
Stopping snmpd: [ OK ]
[root@bigboy tmp]#
3. Automatically create the /etc/snmp/snmpd.conf and /var/net-snmp/snmpd.conf username and password entries using the net-snmp-config command. In this example the authentication password "rootsrockreggae" for the read-only (-ro) username "username4snmpv3" is used with the MD5 authentication protocol (HMAC-MD5). No privacy password is given, so the data returned will not be encrypted. MD5 and DES are the legacy choices; the same command accepts -a SHA and -x AES, which should be preferred wherever both agent and manager support them.
[root@bigboy tmp]# net-snmp-config --create-snmpv3-user -ro \
-a MD5 -A rootsrockreggae username4snmpv3
adding the following line to /var/net-snmp/snmpd.conf:
createUser username4snmpv3 MD5 "rootsrockreggae" DES
adding the following line to /etc/snmp/snmpd.conf:
rouser username4snmpv3
[root@bigboy tmp]# service snmpd start
Starting snmpd: [ OK ]
[root@bigboy tmp]#
4. To encrypt the data received we use the net-snmp-config command again to create a username just for
this purpose. A new read only username "securev3user" and authentication password "mandeville" are
used, but this time the data will be encrypted using the DES algorithm with the privacy password of "savlamar".
[root@bigboy tmp]# net-snmp-config --create-snmpv3-user -ro \
-a MD5 -A mandeville -x DES -X savlamar securev3user
adding the following line to /var/net-snmp/snmpd.conf:
createUser securev3user MD5 "mandeville" DES savlamar
adding the following line to /etc/snmp/snmpd.conf:
rouser securev3user
[root@bigboy tmp]#
5. Start the snmpd process.
[root@bigboy tmp]# service snmpd start
Starting snmpd: [ OK ]
[root@bigboy tmp]#
6. First we'll do a query from remote host smallfry. We specify the authentication password and authentication method, and we also use the -l flag to indicate that authentication will be used, but that data privacy will be disabled (the authNoPriv option).
[root@smallfry ~]# snmpget -v 3 -u username4snmpv3 -l authNoPriv \
-a MD5 -A rootsrockreggae 192.168.1.100 SNMPv2-MIB::sysORDescr.8
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Securit
[root@smallfry ~]#
The query returns an easy to read string, "The management information definitions for the SNMP User-based Security Model". This unencrypted string can also be seen in the tshark packet capture of the server's interface.
[root@bigboy tmp]# tshark -n -i eth1 -x port 161
Capturing on eth1
...
...
...
0.005889 192.168.1.100 -> 192.168.1.50 SNMP get-response
0000 00 c0 4f 46 0c 2e 00 b0 d0 46 32 71 08 00 45 00 ..OF.....F2q..E.
0010 00 f0 00 00 40 00 40 11 b3 b2 c0 a8 02 c8 c0 a8 ....@.@.........
0020 02 32 00 a1 80 0a 00 dc 87 38 30 81 d1 02 01 03 .2.......80.....
0030 30 11 02 04 45 a2 23 54 02 03 00 ff e3 04 01 01 0...E.#T........
0040 02 01 03 04 38 30 36 04 0d 80 00 1f 88 80 71 11 ....806.......q.
0050 68 72 0e b1 e7 45 02 01 12 02 01 39 04 0f 75 73 hr...E.....9..us
0060 65 72 6e 61 6d 65 34 73 6e 6d 70 76 33 04 0c 46 ername4snmpv3..F
0070 6c 74 26 51 4d aa 65 61 59 06 1a 04 00 30 7f 04 lt&QM.eaY....0..
0080 0d 80 00 1f 88 80 71 11 68 72 0e b1 e7 45 04 00 ......q.hr...E..
0090 a2 6c 02 04 43 4e da d7 02 01 00 02 01 00 30 5e .l..CN........0^
00a0 30 5c 06 0a 2b 06 01 02 01 01 09 01 03 08 04 4e 0\..+..........N
00b0 54 68 65 20 6d 61 6e 61 67 65 6d 65 6e 74 20 69 The management i
00c0 6e 66 6f 72 6d 61 74 69 6f 6e 20 64 65 66 69 6e nformation defin
00d0 69 74 69 6f 6e 73 20 66 6f 72 20 74 68 65 20 53 itions for the S
00e0 4e 4d 50 20 55 73 65 72 2d 62 61 73 65 64 20 53 NMP User-based S
00f0 65 63 75 72 69 74 79 20 4d 6f 64 65 6c 2e ecurity Model.
4 packets captured
[root@bigboy tmp]#
7. Next we'll do a query that will return a response over an encrypted data channel while crossing the
network (the authPriv option).
[root@smallfry ~]# snmpget -v 3 -u securev3user -l authPriv \
-a MD5 -A mandeville -x DES -X savlamar 192.168.1.100 SNMPv2-MIB::sysORDescr.8
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Securit
[root@smallfry ~]#
The query returns the same string, but the tshark packet capture only sees encrypted data, with only the
username being visible.
[root@bigboy tmp] # tshark -n -i eth1 -x port 161
Capturing on eth1
...
...
...
0.003675 192.168.1.200 -> 192.168.1.50 SNMP Source port: 161 Destination port: 32778 [UDP CHECKSUM INC
0000 00 c0 4f 46 0c 2e 00 b0 d0 46 32 71 08 00 45 00 ..OF.....F2q..E.
0010 01 00 00 00 40 00 40 11 b3 a2 c0 a8 02 c8 c0 a8 ....@.@.........
0020 02 32 00 a1 80 0a 00 ec 87 48 30 81 e1 02 01 03 .2.......H0.....
0030 30 11 02 04 17 52 82 96 02 03 00 ff e3 04 01 03 0....R..........
0040 02 01 03 04 3e 30 3c 04 0d 80 00 1f 88 80 71 11 ....>0<.......q.
0050 68 72 0e b1 e7 45 02 01 11 02 02 00 8e 04 0c 73 hr...E.........s
0060 65 63 75 72 65 76 33 75 73 65 72 04 0c 01 b2 00 ecurev3user.....
0070 6e 23 07 83 dc a2 b6 d6 3d 04 08 00 00 00 11 4e n#......=......N
0080 df 19 a3 04 81 88 36 dd e0 ce e0 52 19 ff 58 7e ......6....R..X~
0090 be fa d1 96 20 2b 28 65 59 30 e8 d4 cb 18 9f 8f .... +(eY0......
00a0 1e 5b a3 d6 ae f7 4a 86 bd ed 2a 4b a8 df 52 fb .[....J...*K..R.
00b0 00 b4 a8 37 3d 74 9e 6d 1d 56 9a ba f2 13 fa 72 ...7=t.m.V.....r
00c0 4d 47 fb 88 7b d3 54 e1 9d b3 66 f0 29 ab 8a 55 MG..{.T...f.)..U
00d0 6f 77 65 40 87 ab 0c 51 d9 0e bf 33 7f 9a cb ea owe@...Q...3....
00e0 37 50 3c 8e 65 dd 8f 3c 49 71 96 59 f9 d3 a8 23 7P<.e..<Iq.Y...#
00f0 81 c6 1b b2 c2 d0 57 9b 98 1b 89 1e ca 77 3d 84 ......W......w=.
0100 6f af b6 9b 86 3a 2f 66 44 1a 41 51 03 bc o....:/fD.AQ..
4 packets captured
[root@bigboy tmp] #
8. Your password and privilege information are stored in /var/net-snmp/snmpd.conf using the format displayed when you used the net-snmp-config command. Here is an example.
# File: /var/net-snmp/snmpd.conf before SNMP starts
createUser securev3user MD5 "mandeville" DES savlamar
createUser username4snmpv3 MD5 "rootsrockreggae" DES
When snmpd starts, it rewrites each createUser line as a usmUser entry in which the cleartext passwords are replaced by the keys derived from them, so the passwords themselves no longer sit in the file. Those keys are still secrets that grant the same access, so the file must remain readable by root only. We can see an example of this configuration here.
# File: /var/net-snmp/snmpd.conf after SNMP starts
usmUser 1 3 0x80001f88780711168720eb1e745
0x73656375626576337573657200
0x73656375726576337573657200
NULL .1.3.6.1.6.3.10.1.1.2 0xd951
ac1d95033f4afgf31243eb6907df .1.3.6.1.6.3.10.1.2.2
0xf1f4bb00452211d27b50c273c09031ac 0x00
usmUser 1 3 0x80001f8880711168720eb1e745
0x757365726e61657534736e6d70763300
0x757365726e616d6534736e6d70763300
NULL .1.3.6.1.6.3.10.
1.1.2 0x5e35c9f5352519aa4f53eded09bbdddd
.1.3.6.1.6.3.10.1.2.2 0x5e35c9f5122519aa4f53eded09bbdddd ""
setserialno 1464593474
Practice using the net-snmp-config command so that you can become familiar with the syntax it uses to
edit the SNMP configuration files. When in doubt, you can get a full syntax listing of the command if you
use it without any arguments like this:
[root@bigboy tmp]# net-snmp-config
...
...
SNMP Setup commands:
--create-snmpv3-user [-ro] [-A authpass] [-X privpass]
[-a MD5|SHA] [-x DES|AES] [username]
...
...
[root@bigboy tmp]#
With experience, you should become confident enough to edit the configuration files by yourself.
As you can see, SNMPv3 is more secure than previous versions and should be your first SNMP choice whenever possible; use the authPriv level so that the responses, not just the authentication, are protected.
Simple SNMP Troubleshooting
If your SNMP queries fail, then verify that:
You restarted snmpd after editing snmpd.conf so the configuration settings became active.
Remember, the snmpd.conf file is only read by the snmpd daemon when it starts up.
You are using the correct community string.
Firewalls aren't preventing SNMP queries from the SNMP client to the SNMP target.
Your SNMP security policy allows the query from your network.
Any TCP wrappers configuration on your SNMP target machine allows SNMP queries from your SNMP
client. Generally speaking in a home environment protected by NAT your TCP wrappers files
(/etc/hosts.allow) and (/etc/hosts.deny) should be blank.
Network routing between the client and target devices is correct. A simple ping or
traceroute test should be sufficient.
The snmpd daemon is running on the SNMP target (the device being queried).
You are querying using the correct SNMP version.
Your /var/log/messages file does not contain errors that may have occurred while starting snmpd.
Troubleshooting to get functioning SNMP queries is important as many other supporting applications,
such as MRTG which I'll discuss next, rely on them in order to work correctly.
MRTG
The MRTG product is available from the MRTG Web site (www.mrtg.org) and also on your distribution
CDs.
Figure shows a sample MRTG graph
MRTG Download and Installation
You need to install MRTG before proceeding. Most RedHat and Fedora Linux software products are
available in the RPM format. When searching for the file, remember that the MRTG RPM's filename
usually starts with mrtg and a version number, as in mrtg-2.10.5- 3.i386.rpm.
In addition to MRTG, you need to install the SNMP utility tools as explained earlier and you need to have
a Web server package installed for MRTG to work. RedHat Linux usually comes with the Apache Web
server software preinstalled. The easiest way to tell if Apache is installed is to run the rpm -q httpd com-
mand. If you don't get a positive response, you can refer to Chapter 20, "The Apache Web Server", for
installation details.
By default Apache expects the HTML files for your Web site to be located in /var/www/html. MRTG
places its HTML files in /var/www/mrtg.
Configuring MRTG
By default, MRTG maps the inbound and outbound data throughput rates on the device it is polling. Methods for specifying other OIDs, such as CPU and memory usage, are discussed in Chapter 23, "Advanced MRTG for Linux". For now, I'll stick with the default configuration.
When the MRTG RPM is installed, it creates a directory called /etc/mrtg in which all future configuration
files are stored. To create a replacement default /etc/mrtg/mrtg.cfg configuration file for the server, follow
these steps.
1) Use MRTG's cfgmaker command to create a configuration file named mrtg.cfg for the server (bigboy) using a Read Only community string of craz33guy. Place all data files in the directory /var/www/mrtg. The community string is written in clear text into the Target lines of mrtg.cfg, so keep that file readable by root only.
[root@bigboy tmp]# cfgmaker --output=/etc/mrtg/mrtg.cfg \
--global "workdir: /var/www/mrtg" -ifref=ip \
--global 'options[_]: growright,bits' \
craz33guy@localhost
--base: Get Device Info on craz33guy@localhost:
--base: Vendor Id:
--base: Populating confcache
--snpo: confcache craz33guy@localhost: Descr lo --> 1
--snpo: confcache craz33guy@localhost: Descr wlan0 --> 2
...
...
...
--base: Walking ifAdminStatus
--base: Walking ifOperStatus
--base: Writing /etc/mrtg/mrtg.cfg
[root@bigboy tmp]#
SNMPv2: As explained in the SNMP section, there are different versions of SNMP. If your query doesn't
work, check to make sure you are using the required version and then check other SNMP configuration
parameters on the target device. You can specify MRTG's SNMP query version with the --snmp-options
cfgmaker option. Here is an example of cfgmaker using an SNMP version 2 query of a router with an IP
address of 192.168.1.3. The --snmp-options option's five colons before the 2 are important.
[root@bigboy tmp]# cfgmaker --output=/etc/mrtg/192.168.1.3.cfg \
-ifref=ip --global "workdir: /var/www/mrtg" \
--snmp-options=:::::2 craz33guy@192.168.1.3
SNMPv3: The cfgmaker command can also be used to poll SNMPv3 enabled devices, but you have to first install the Net::SNMP Perl module.
[root@bigboy tmp]# yum -y install perl-Net-SNMP
or
[root@bigboy tmp]# perl -MCPAN -e "install Net::SNMP"
If you fail to install the module, you will get an error looking like this:
Undefined subroutine &main::snmpmapOID called at ./cfgmaker line 1480.
Next you need to know the SNMPv3 engine ID of the host you intend to poll. In Fedora, this value is stored in the /var/net-snmp/snmpd.conf file. You can use the grep command to obtain it.
[root@bigboy tmp]# grep oldEngineID /var/net-snmp/snmpd.conf
oldEngineID 0x80001f8880711168720eb1e745
[root@bigboy tmp]#
You can then repeat the cfgmaker command with options specific to the privacy and authentication schemes configured on the SNMP target device. Using the configurations of our previous SNMPv3 example, our configuration for authentication without encryption (authNoPriv) would look like this:
[root@bigboy tmp]# cfgmaker --global 'WorkDir: /var/www/mrtg' \
--global 'Options[_]: growright, bits' \
--output=/etc/mrtg/192.168.1.100.cfg \
--enablesnmpv3 --username=username4snmpv3 \
--authpassword=rootsrockreggae --authproto=md5 \
--snmp-options=:::::3 \
--contextengineid=0x80001f8880711168720eb1e745 \
192.168.1.100
Our configuration for authentication plus data privacy (authPriv) would look like this. MD5 and DES are the weakest choices net-snmp offers; prefer SHA for authentication and AES for privacy when the target device supports them.
[root@bigboy tmp]# cfgmaker --global 'WorkDir: /var/www/mrtg' \
--global 'Options[_]: growright, bits' \
--output=/etc/mrtg/192.168.1.100-secure.cfg \
--enablesnmpv3 --username=securev3user --authpassword=mandeville \
--authproto=md5 --privpassword=savlamar --privprotocol=des \
--snmp-options=:::::3 \
--contextengineid=0x80001f8880711168720eb1e745 \
192.168.1.100
Note: The MRTG cfgmaker command reliably supports SNMPv3 as of MRTG version 2.15. Prior to this version you would commonly see this error when attempting to do SNMPv3 queries:
SNMP V3 requires a --username parameter as part of the User Security
Model for router <community>@<router-ip>
2) Edit /etc/mrtg/mrtg.cfg, and remove the sections related to interfaces you don't need to monitor. A certain candidate would be the virtual loopback interface lo (with the IP address of 127.0.0.1), which doesn't pass any network traffic at all.
3) Run MRTG using /etc/mrtg/mrtg.cfg as its argument three times. You'll get warnings the first two times as MRTG tries to rotate log files that do not exist yet; by the third run the data files are in place and the output is clean.
[root@bigboy tmp]# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
Rateup WARNING: /usr/bin/rateup could not read the primary log file for
localhost_192.168.1.100
Rateup WARNING: /usr/bin/rateup The backup log file for local-
host_192.168.1.100 was invalid as well
Rateup WARNING: /usr/bin/rateup Can't remove local-
host_192.168.1.100.old updating log file
Rateup WARNING: /usr/bin/rateup Can't rename local-
host_192.168.1.100.log to localhost_192.168.1.100.old u
[root@bigboy tmp]# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
Rateup WARNING: /usr/bin/rateup Can't remove local-
host_192.168.1.100.old updating log file
[root@bigboy tmp]# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
[root@bigboy tmp]#
4) Use MRTG's indexmaker command to create a Web index page using your new
mrtg.cfg file as a guide. The MRTG Web GUI expects to find the index file in the default MRTG Web
directory of /var/www/mrtg/, so the format of the command would be.
[root@bigboy tmp]# indexmaker --output=/var/www/mrtg/index.html \
/etc/mrtg/mrtg.cfg
5) MRTG is run every five minutes by default, and the file that governs this is /etc/cron.d/mrtg. For MRTG to work correctly, edit this file, replacing all occurrences of /usr/bin/mrtg with env LANG=C /usr/bin/mrtg. The explanation for changing the language character set for MRTG is given in the "Troubleshooting MRTG" section.
This isn't all; you need to view the graphs too. This will be covered later, but first I'll show you how to
poll multiple devices.
Getting MRTG to Poll Multiple Devices
The Fedora Core MRTG installation process creates a cron file named /etc/cron.d/mrtg.
This file tells the cron daemon to run MRTG using the /etc/mrtg/mrtg.cfg file every five minutes to poll
your network devices. You can configure MRTG to poll multiple devices, each with a separate configura-
tion file. Here's how:
1) Create a new configuration file using the steps from the previous section; choose a filename that is not
mrtg.cfg.
2) Add a new MRTG line in /etc/cron.d/mrtg for each new configuration file you create.
0-59/5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
0-59/5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/device1.cfg
0-59/5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/device2.cfg
3) Run the indexmaker command, and include all of your /etc/mrtg configuration files, to regenerate your
Web index page.
[root@bigboy tmp]# indexmaker --output=/var/www/mrtg/index.html \
/etc/mrtg/mrtg.cfg /etc/mrtg/device1.cfg /etc/mrtg/device2.cfg
4) Other versions of Linux keep their MRTG cron entries inside the /etc/crontab file. Edit this file using the same syntax as the Fedora /etc/cron.d/mrtg file, and then restart the cron daemon to re-read the configuration:
[root@bigboy tmp]# service crond restart
You could also create a script with the /usr/bin/mrtg /etc/mrtg/device.cfg entries in it and make cron run it
every five minutes. This way you can just edit the script each time you add a device without having to
restart cron.
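As an added example (not part of the lab manual), the shell script below automates two of the manual steps above: pruning an interface block out of a cfgmaker-generated configuration (step 2 of the single-device procedure) and writing the /etc/cron.d/mrtg lines for every configuration file (step 5 and the multi-device section). The sample mrtg.cfg it works on is constructed here, modelled on what cfgmaker writes with -ifref=ip; the community string craz33guy and the target keys follow the manual's example. Everything is written to a temporary directory, so the script runs without touching /etc.

```shell
#!/bin/sh
# Added example: prune an interface from an MRTG config and generate the
# matching cron entries.  Constructed input; nothing under /etc is modified.
set -eu

# Remove every setting that belongs to target KEY (for example
# localhost_127.0.0.1).  cfgmaker writes one "Keyword[key]: value" line per
# setting; PageTop values continue on indented lines, and each target is
# preceded by "### ..." comment lines, so those are dropped as well.
mrtg_drop_target() {   # usage: mrtg_drop_target FILE KEY   (result on stdout)
    awk -v key="$2" '
        function flush() { printf "%s", held; held = "" }
        /^#/ { held = held $0 "\n"; next }          # hold comments until we know
        /^[A-Za-z]+\[[^]]*\]:/ {                     # a Keyword[key]: line
            skip = (index($0, "[" key "]:") > 0)
            if (skip) { held = "" } else { flush(); print }
            next
        }
        /^[ \t]/ { if (!skip) print; next }         # continuation of last keyword
        { skip = 0; flush(); print }                 # blank line or global setting
        END { flush() }
    ' "$1"
}

# One /etc/cron.d/mrtg line per config file, every five minutes, with LANG=C
# as the manual requires (rateup misbehaves under other locales).
mrtg_cron_lines() {    # usage: mrtg_cron_lines CFG...
    for cfg in "$@"; do
        printf '0-59/5 * * * * root env LANG=C /usr/bin/mrtg %s\n' "$cfg"
    done
}

count_targets() { grep -c '^Target\[' "$1" || true; }

# Constructed sample in the layout cfgmaker produces with -ifref=ip.
write_sample_cfg() {
    cat > "$1" <<'EOF'
WorkDir: /var/www/mrtg
Options[_]: growright,bits

### Interface 1 >> Descr: lo | Ip: 127.0.0.1 ###
Target[localhost_127.0.0.1]: /127.0.0.1:craz33guy@localhost:
SetEnv[localhost_127.0.0.1]: MRTG_INT_IP="127.0.0.1" MRTG_INT_DESCR="lo"
MaxBytes[localhost_127.0.0.1]: 1250000
Title[localhost_127.0.0.1]: Traffic Analysis for lo -- bigboy
PageTop[localhost_127.0.0.1]: <h1>Traffic Analysis for lo -- bigboy</h1>
    <div id="sysdetails">
    </div>

### Interface 2 >> Descr: wlan0 | Ip: 192.168.1.100 ###
Target[localhost_192.168.1.100]: /192.168.1.100:craz33guy@localhost:
SetEnv[localhost_192.168.1.100]: MRTG_INT_IP="192.168.1.100" MRTG_INT_DESCR="wlan0"
MaxBytes[localhost_192.168.1.100]: 1250000
Title[localhost_192.168.1.100]: Traffic Analysis for wlan0 -- bigboy
PageTop[localhost_192.168.1.100]: <h1>Traffic Analysis for wlan0 -- bigboy</h1>
    <div id="sysdetails">
    </div>
EOF
}

WORK=$(mktemp -d)
write_sample_cfg "$WORK/mrtg.cfg"
mrtg_drop_target "$WORK/mrtg.cfg" localhost_127.0.0.1 > "$WORK/mrtg.pruned.cfg"
chmod 600 "$WORK/mrtg.pruned.cfg"   # Target lines carry the community string in clear text
mrtg_cron_lines /etc/mrtg/mrtg.cfg /etc/mrtg/device1.cfg > "$WORK/cron.mrtg"
echo "targets left after pruning: $(count_targets "$WORK/mrtg.pruned.cfg")"
cat "$WORK/cron.mrtg"
```

Recent cfgmaker releases already comment the loopback interface out themselves, but the same pruning applies to any interface you do not want graphed. On the real system the pruned file replaces /etc/mrtg/mrtg.cfg and the generated lines replace the contents of /etc/cron.d/mrtg; the chmod is there because every Target line repeats the read-only community string.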
Configuring Apache to Work With MRTG
MRTG is useful because it can provide a graphical representation of your server's performance statistics
via a Web browser.
With Fedora Core, MRTG creates an add-on configuration file named /etc/httpd/conf.d/mrtg.conf that
includes all the necessary Apache commands for MRTG to work.
Some configuration may need to be done, because by default MRTG accepts Web requests from the Linux console only. You can add your home network to the file by inserting the network on the Allow from line, or you can allow universal access by commenting out that line along with the Deny from line. This example adds access from the 192.168.1.0/24 network.
<Location /mrtg>
Order deny,allow
Deny from all
Allow from localhost 192.168.1.0/24
</Location>
If you want to access MRTG from the Internet, then you'll have to comment out the Deny statement and allow from all IP addresses. Combine this with the password protection described under "Basic Security" below: the graphs reveal your interface names, addresses and traffic patterns to anyone who can load the page.
<Location /mrtg>
Order deny,allow
Allow from all
</Location>
Remember to restart Apache once you have made these modifications in order for these changes to take
effect.
Note: With newer versions of Fedora, Apache automatically reads the add-on files in the /etc/httpd/conf.d/
directory. With Fedora Core 1, you have to specifically configure the Apache configuration file
/etc/httpd/conf/httpd.conf to find it. You can do this yourself by inserting this line at the very bottom of
the main Apache configuration file before restarting Apache for the change to take effect.
include "/etc/httpd/conf.d/mrtg.conf"
Basic Security
If you are accessing MRTG graphs from the Internet, you should add password protection to the directory. You can do this with a .htaccess file in /var/www/mrtg (Apache must have AllowOverride AuthConfig enabled for that directory), or by adding the same AuthType, AuthName, AuthUserFile and Require directives inside the <Location /mrtg> block of /etc/httpd/conf.d/mrtg.conf; the user file itself is created with the htpasswd command.
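As an added example (not from the manual), the shell functions below write the hardened version of the mrtg.conf Location block, combining the network restriction shown above with HTTP basic authentication, and audit an Apache configuration for Location blocks that allow every host without requiring a login. The password file path /etc/httpd/mrtg.htpasswd and the user name mrtgview are assumptions made for the illustration; the htpasswd command in the comment is the one that creates such a file. The audit runs on two constructed files, the manual's open block and the hardened one.

```shell
#!/bin/sh
# Added example: hardened <Location /mrtg> block plus an audit that flags
# Location blocks open to the world without authentication.
set -eu

# Write an Apache 2.2 style block that allows only NETWORK (and localhost)
# and additionally requires a valid user from HTPASSWD.  With both Allow and
# Require present and the default "Satisfy All", a client must pass both.
# Create the password file once with:  htpasswd -c /etc/httpd/mrtg.htpasswd mrtgview
mrtg_location_conf() {   # usage: mrtg_location_conf NETWORK HTPASSWD
    cat <<EOF
<Location /mrtg>
    Order deny,allow
    Deny from all
    Allow from localhost $1
    AuthType Basic
    AuthName "MRTG graphs"
    AuthUserFile $2
    Require valid-user
</Location>
EOF
}

# Print the path of every <Location> in FILE that has "Allow from all" but
# no "Require valid-user".  Apache directives are case-insensitive, so each
# line is compared in lower case.
apache_open_locations() {   # usage: apache_open_locations FILE
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<location[ \t]/ {
            path = $2; sub(/>.*$/, "", path); allow_all = 0; auth = 0
        }
        line ~ /^[ \t]*allow[ \t]+from[ \t]+all/ { allow_all = 1 }
        line ~ /^[ \t]*require[ \t]+valid-user/  { auth = 1 }
        line ~ /^[ \t]*<\/location>/ { if (allow_all && !auth) print path }
    ' "$1"
}

WORK=$(mktemp -d)

# The manual's Internet-facing block: reachable by anyone, no login required.
cat > "$WORK/open.conf" <<'EOF'
<Location /mrtg>
Order deny,allow
Allow from all
</Location>
EOF

# Hardened replacement: home network only, and a password on top of that.
mrtg_location_conf 192.168.1.0/24 /etc/httpd/mrtg.htpasswd > "$WORK/hardened.conf"

echo "open locations in open.conf:     $(apache_open_locations "$WORK/open.conf")"
echo "open locations in hardened.conf: $(apache_open_locations "$WORK/hardened.conf")"
```

Running the audit against every file in /etc/httpd/conf.d is a quick way to notice when a Location that was opened up "temporarily" is still open; a block that allows all hosts but requires a valid user is not reported, because basic authentication is the control the manual asks for on an Internet-facing MRTG.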
How To View The MRTG Graphs In Your Web Browser
You can now access your MRTG graphs by pointing your browser to the URL:
http://server-ip-address/mrtg/
Exercise-2:- This exercise gives an introduction to the use of the Webalizer utility
Webalizer is a Web server log file analysis tool that comes installed by default on
RedHat/Fedora Linux. Each night, Webalizer reads your Apache log files and creates a set of Web pages
that enable you to view Web surfer statistics for your site. The information provided includes a list of
your Web site's most popular pages sorted by hits along with traffic graphs showing the times of day
when your site is most popular.
How to View Your Webalizer Statistics
Fedora creates an add-on configuration file named /etc/httpd/conf.d/webalizer.conf that includes all the necessary Apache commands for Webalizer to work. As in the case of the MRTG add-on file mentioned above, you have to edit it to allow access to the Webalizer pages from locations other than the Linux console. You also have to restart Apache to make the changes take effect.
By default, Webalizer places its index page in the directory /var/www/html/usage and allows you to view
your data by visiting the URL http://server-ip-address/usage.
The Webalizer Configuration File
Webalizer stores its configuration in the file /etc/webalizer.conf. The default settings should be sufficient for your Web server, but you may want to adjust the directory in which Webalizer places your graph statistics. This can be adjusted with the OutputDir directive in the file. The Quiet and ReallyQuiet directives suppress warnings and informational messages; leave them off while you are setting Webalizer up, because a silent run can hide problems such as an unreadable log file.
The vmstat Command
You can determine memory and swap usage with the vmstat command, which provides a summary of what top produces. The memory columns are in kilobytes: in the example 57,452 KB is free, 101,584 KB is used for buffers and 130,780 KB for the page cache (both of which the kernel can reclaim when applications need memory), and the swpd column of 0 shows that swap isn't being used at all.
[root@bigboy tmp]# vmstat
procs memory swap io system cpu
r b w swpd free buff cache si so bi bo in cs us sy id
0 0 0 0 57452 101584 130780 0 0 0 4 18 1 3 1 1
[root@bigboy tmp]#
As your memory fills up, your system will temporarily store programs and data on your hard disk's
"swap" partition. Excess swapping of programs and data between disk and memory can cause your sys-
tem to slow down significantly and memory usage should be monitored to allow you to plan ways to ei-
ther increase RAM or tune the way your system operates. System tuning is beyond the scope of this book,
but there are many reference guides which can show you how to do this.
The free Utility
The free utility can determine the amount of free RAM on your system. The output is easier to understand
than vmstat's. Here's a sample.
[root@bigboy tmp]# free
total used free shared buffers cached
Mem: 126060 119096 6964 0 58972 40028
-/+ buffers/cache: 20096 105964
Swap: 522072 15496 506576
[root@bigboy tmp]#
You should generally try to make your system run with at least 20% free memory on average, which should allow it to handle moderate spikes in usage caused by running memory-intensive cron batch jobs or tape backups. If you cannot achieve this, consider running more efficient versions of programs, offloading some applications to servers with less load, and, of course, upgrading the capacity of your RAM.
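As an added example (not from the manual), the shell functions below turn the 20% guideline into a check that can run from cron: they parse the output of free, compute the percentage of RAM that is really available to applications (the -/+ buffers/cache line on older free, or the available column on procps-ng 3.3.10 and later, where that line was dropped), and report swap usage. The first sample is the manual's free output above, embedded here as text; the second is a constructed sample in the newer format.

```shell
#!/bin/sh
# Added example: memory headroom check built on the output of free(1).
set -eu

FREE_PCT_MIN=20   # the manual's guideline: keep at least 20% of RAM free on average

# Percentage of RAM still available to applications, read from "free" output
# on stdin.  Old free: use the "-/+ buffers/cache" line (or free+buffers+cached);
# procps-ng 3.3.10+: use the "available" column, which the kernel estimates.
mem_free_pct() {
    awk '
        NR == 1 { new = ($0 ~ /available/) }
        $1 == "Mem:" { total = $2; avail = new ? $7 : $4 + $6 + $7 }
        $1 == "-/+"  { avail = $4 }              # "-/+ buffers/cache: used free"
        END { if (total > 0) printf "%d\n", avail * 100 / total; else exit 1 }
    '
}

# Percentage of swap in use; 0 when no swap is configured.
swap_used_pct() {
    awk '$1 == "Swap:" { if ($2 > 0) printf "%d\n", $3 * 100 / $2; else print 0 }'
}

# Exit 0 when headroom is fine, 1 when it is below the threshold.
mem_headroom_ok() {   # usage: mem_headroom_ok < free-output
    pct=$(mem_free_pct)
    [ "$pct" -ge "$FREE_PCT_MIN" ]
}

# The manual's sample output (old format), embedded as text.
OLD_FREE='             total       used       free     shared    buffers     cached
Mem:        126060     119096       6964          0      58972      40028
-/+ buffers/cache:      20096     105964
Swap:       522072      15496     506576'

# Constructed sample in the newer format (no -/+ line, "available" column),
# describing a box that is short of memory and leaning on swap.
NEW_FREE='              total        used        free      shared  buff/cache   available
Mem:        2045844     1734912       62332       80432      248600      110180
Swap:       1048572      655360      393212'

for sample in "$OLD_FREE" "$NEW_FREE"; do
    echo "RAM available: $(printf '%s\n' "$sample" | mem_free_pct)%  swap used: $(printf '%s\n' "$sample" | swap_used_pct)%"
    if printf '%s\n' "$sample" | mem_headroom_ok; then
        echo "headroom ok"
    else
        echo "below ${FREE_PCT_MIN}% free: plan for more RAM or less load"
    fi
done
```

On a live system the same check is simply free | mem_headroom_ok; note that the raw free column alone would have reported the manual's box as 5% free, because it ignores the buffers and cache the kernel can give back, which is exactly the misreading the -/+ buffers/cache line exists to prevent.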
Exercises for lab:
Exercise 1:- Write an SNMP query that retrieves all the values in the interface MIB (IF-MIB) of 10.0.0.3 (a node in your local network) using SNMP version 1 and that node's read-only community string.
Home Work:
To understand Linux installation over the network.
Lab No. 26: Network Based Linux Installation
Objective:
You will be introduced to the Linux installation over the network using an FTP, NFS or HTTP server.
Scope:
On the completion of this lab, you will be able to:
• Set Up The Installation Server
• Create a Kickstart Boot CD
• Automating Installation With Kickstart
Useful Concepts:
Network installation
• Installation of the OS from a remote installation server, as opposed to local installation from CD or local hard disk.
Kickstart Server
Server that holds the OS installation image; it provides a much faster installation than CDs, and the process can be automated.
Procedure at a glance
The procedure is fairly simple:
• Connect the new server (installation client) to the same network as the server with the
pre-loaded installation files (installation server).
• Boot the installation client from a specially created boot CD
• Enter your preferred installation method (FTP, HTTP, NFS) and the needed network pa-
rameters to do this
• The installation procedure will then continue with the more familiar Fedora Linux instal-
lation screens. Enter your selections and then complete the installation.
This manual will set up a single installation server (bigboy) with an IP address of 192.168.1.100.
Exercise-1:- This exercise demonstrates how to Set Up the Installation Server
Kickstart can be configured on an FTP, NFS or Apache server. Each method is explained below, but my
experience has been that the Apache server has a number of advantages over the other two.
Using a web server for kickstart is generally easier because:
• A kickstart server sometimes has to be located on a remote network, often behind a firewall, and strict firewall rules for HTTP are generally easier to configure than those for FTP or NFS.
• The http:// nomenclature used by kickstart for accessing files is more familiar to users than that used for NFS and FTP. This may be important for you when configuring files for automated kickstart installation.
Basic Preparation
In this example we are going to set up a kickstart server that will be used in Fedora Core installations. All
the necessary files will be placed in the /data/network-install directory.
Create The Installation Directories
We'll first create the directories /data/network-install/RPM and /data/network-install/ISO into which we will copy the necessary files.
[root@bigboy tmp]# mkdir -p /data/network-install/RPM
[root@bigboy tmp]# mkdir -p /data/network-install/ISO
You now need to place the network installation driver files into the base directory.
Copying The Files
The HTTP, NFS and FTP kickstart methods all require the base set of Fedora files to be installed on the
kickstart server. Here's how to do it:
1) Create a mount point for your CD ROM drive.
[root@bigboy tmp]# mkdir /mnt/cdrom
2) Mount your first Fedora CD ROM.
[root@bigboy tmp]# mount /dev/cdrom /mnt/cdrom
3) Copy the files from the CD ROM base directory to the hard disk
[root@bigboy tmp]# cp -r /mnt/cdrom/* /data/network-install/RPM
4) Unmount your CD ROM and use the eject command to retrieve it from the drive bay.
[root@bigboy tmp]# umount /dev/cdrom
[root@bigboy tmp]# eject cdrom
5) Repeat steps 2 to 4 with all your CDROMs. Overwrite files when prompted.
Note: You also have the option to download all the files of the desired version of Fedora from the Fedora website (or a mirror) into the /data/network-install/RPM directory; verify the download against the mirror's published checksums before using it.
HTTP & FTP Preparation
Copy all the contents of each installation CD to the /data/network-install/RPM directory. This will require
about 3-5 GB of space. When this is completed, your /data/network-install/RPM directory should look
like this:
[root@bigboy tmp]# ls -1 /data/network-install/RPM
eula.txt
Fedora
fedora.css
GPL
images
index.html
isolinux
README-Accessibility
RELEASE-NOTES-en_US.html
repodata
RPM-GPG-KEY
RPM-GPG-KEY-beta
RPM-GPG-KEY-fedora
RPM-GPG-KEY-fedora-extras
RPM-GPG-KEY-fedora-legacy
RPM-GPG-KEY-fedora-rawhide
RPM-GPG-KEY-fedora-test
RPM-GPG-KEY-rawhide
stylesheet-images
[root@bigboy tmp]#
NFS Preparation
Create ISO images of the installation CDs and place them in the /data/network-install/ISO directory. This will require about 3-5 GB of space as well. You can download the ISO images from the Fedora website or create them from the Fedora CDs as shown below. If you create the ISO files from CDs, make sure they have the same file names as the ones you can download from the Fedora Web site.
Follow these steps for each CD, substituting the filename where necessary:
[root@bigboy tmp]# cd /data/network-install/ISO
[root@bigboy ISO]# dd if=/dev/cdrom of=filename.iso bs=32k
...
...
[root@bigboy ISO]# eject cdrom
Note: Here is a sample procedure to make ISO files with the older mkisofs command.
You may have to install the mkisofs RPM on newer Fedora versions. The command requires a mounted
CDROM drive, so don't forget the mount command.
[root@bigboy ISO]# mount /mnt/cdrom
[root@bigboy ISO]# mkisofs -J -r -T -o filename.iso /mnt/cdrom
[root@bigboy ISO]# eject cdrom
Setup Your Webserver
You will now have to set up Apache to serve file listings of your /data/network-install/RPM and /data/network-install/ISO directories, so that pointing your browser at http://192.168.1.100/network-install/RPM/ or http://192.168.1.100/network-install/ISO/ shows their contents. A sample /etc/httpd/conf.d/kickstart.conf configuration is below. Remember to restart Apache to make these settings take effect.
NameVirtualHost 192.168.1.100
#
# For HTTP Installations
#
<VirtualHost 192.168.1.100>
ServerName 192.168.1.100
DocumentRoot /data/
</VirtualHost>
<Directory /data/network-install>
Options +Indexes
AllowOverride AuthConfig
order allow,deny
allow from all
</Directory>
Setup Your FTP Server
You'll also have to set up your VSFTPD server to make incoming anonymous FTP connections log in to the /data/network-install/RPM directory by default (anonymous_enable=YES must be set; leave anonymous uploads disabled, since the tree only needs to be readable). You will also want to enable the correct logging. Here is a sample snippet of the vsftpd.conf file. Remember to restart VSFTPD to make these settings take effect.
#
# File: vsftpd.conf
#
#
# Anonymous FTP Root Directory
#
anon_root=/data/network-install/RPM
#
# Log file definition
#
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
Create A Special FTP User
You can also create a special user for non-anonymous FTP installations with its home directory set to "/". You must also make sure that the user has read access to the /data/network-install directory. Because this account can log in over FTP with a real password, give it a strong one and remove the account once the installations are finished. An example is below.
[root@bigboy tmp]# useradd -g users ftpinstall
[root@bigboy tmp]# passwd ftpinstall
Changing password for user ftpinstall.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@bigboy tmp]#
[root@bigboy tmp]# usermod -d / ftpinstall
[root@bigboy tmp]#
Setup Your NFS Server
The steps for setting up an NFS server are more complicated.
1) Create a /etc/exports file with the following entry in it. Write the options directly after the client specification with no space in between: *(ro,sync) exports read-only to everyone, whereas * (ro,sync) is parsed as two separate entries. A bare * also makes the tree mountable by any host that can reach the server; restrict it to the installation subnet, for example 192.168.1.0/24(ro,sync), unless the server sits on an isolated network.
/data/network-install *(ro,sync)
2) Make sure that the rpcbind (portmap on older versions of Linux) , nfs, nfslock and netfs daemons are
all running to create an NFS server. The startup scripts for these are found in the /etc/init.d directory.
3) Run the exportfs command to add this directory to the NFS database of network available directories.
[root@bigboy tmp]# exportfs -ra
4) The installation client must have a matching pair of forward and reverse DNS entries on your DNS
server. In other words, a DNS lookup on the IP address of the installation client must return a server name
that will map back to the original IP address when a DNS lookup is done on that same server name.
[root@bigboy tmp]# host 192.168.1.96
96.1.168.192.in-addr.arpa domain name pointer 192-168-1-96.my-site.com.
[root@bigboy tmp]#
[root@bigboy tmp]# host 192-168-1-96.my-site.com
192-168-1-96.my-site.com has address 192.168.1.96
[root@bigboy tmp]#
This may mean that you will have to create entries for all your DHCP IP addresses if you choose to use a
DHCP method of assigning IP addresses during installation.
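As an added example (not from the manual), the shell function below audits an /etc/exports file for the mistakes discussed in step 1 above: a client of * (every host may mount the tree), a stray space between the client and its option list (which hands those options to every host), and the rw or no_root_squash options on an install tree that only needs to be read. The manual's entry, a subnet-restricted version of it, and a deliberately bad constructed entry are written to temporary files so the audit can run without touching the real /etc/exports.

```shell
#!/bin/sh
# Added example: audit /etc/exports entries for overly permissive settings.
set -eu

# Print one finding per problem found in FILE; print nothing when it is clean.
# Entry format: PATH CLIENT(options) [CLIENT(options) ...]
exports_audit() {   # usage: exports_audit FILE
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                spec = $i
                if (spec ~ /^\(/) {                   # "host (opts)" instead of "host(opts)"
                    print path ": options " spec " are separated from the client by a space and therefore apply to every host"
                    continue
                }
                host = spec; opts = ""
                if (match(spec, /\(.*\)$/)) {
                    host = substr(spec, 1, RSTART - 1)
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                }
                if (host == "*") {
                    print path ": mountable from any host (" spec "); restrict the client to the installation subnet"
                }
                if (opts ~ /(^|,)rw(,|$)/) {
                    print path ": exported read-write to " host " although an install tree only needs ro"
                }
                if (opts ~ /(^|,)no_root_squash(,|$)/) {
                    print path ": root on " host " keeps root privileges on the server"
                }
            }
        }
    ' "$1"
}

WORK=$(mktemp -d)

# The manual's entry: read-only, but mountable from anywhere.
printf '/data/network-install *(ro,sync)\n' > "$WORK/exports.manual"

# Corrected entry: same export, limited to the installation subnet.
printf '/data/network-install 192.168.1.0/24(ro,sync)\n' > "$WORK/exports.fixed"

# Constructed worst case: the space bug, with write access and no root squashing.
printf '/data/network-install 192.168.1.0/24 (rw,no_root_squash)\n' > "$WORK/exports.bad"

for f in manual fixed bad; do
    echo "== exports.$f =="
    exports_audit "$WORK/exports.$f"
done
```

Run it as exports_audit /etc/exports before exportfs -ra; an empty result means every client is named explicitly, nothing is writable and root is squashed, which is all an installation tree needs.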
Configure Your DHCP Server
During the installation procedure, the installation client will prompt you for the IP address it should use
for the installation process. I recommend selecting the option that makes the Installation Client get its ad-
dress via DHCP. This will automate the installation more and will therefore make it faster. It will also
reduce the possibility of human error.
Exercise-2:- This exercise demonstrates how to Create A Kickstart Boot CD
Creating a kickstart boot CD is easy to do. Here are the steps:
1. Your RPM directory should have a subdirectory named images in it. There will be a file there named boot.iso which is used in booting your system when installing Linux from DVD or CD. Fedora mirror sites that have directory structures similar to that of the DVD also have a boot.iso file located in the <fedora-version>/Fedora/i386/os/images/ directory. This file is different in both size and function from the one on your DVD. It is usually larger than 10 MB in size and it is the boot file you need for kickstart. Download the boot.iso file from your favorite mirror site using a utility like wget, and compare it against the checksum the mirror publishes before burning it.
[root@bigboy tmp]# wget http://website.org/8/Fedora/i386/os/images/boot.iso
2. You will now need the device name of your CDROM device. This can be obtained using the wodim
command. In this case it is called /dev/scd0.
[root@bigboy tmp]# wodim --devices
wodim: Overview of accessible drives (1 found) :
-------------------------------------------------------------
0 dev='/dev/scd0' rwr--- : 'LITE-ON' 'DVDRW LH-20A1P'
-------------------------------------------------------------
[root@bigboy tmp]#
3. Insert a blank CD. The wodim command can now be used again to burn the boot.iso ISO image file to
the CD.
[root@bigboy tmp]# wodim dev=/dev/scd0 driveropts=burnfree,noforcespeed \
fs=14M -dao -eject -overburn -v boot.iso
...
...
...
BURN-Free was never needed.
wodim: fifo had 6 puts and 6 gets.
wodim: fifo was 0 times empty and 0 times full, min fill was 100%.
[root@bigboy tmp]#
Keep the CD. You will soon need it for your kickstart client machine.
Exercise-3:- This exercise demonstrates The Network Installation
From here on, the installation procedure mimics the regular Linux installation, except for the first couple
steps.
Connect your client Linux box to the DHCP network.
Boot your system using the kickstart boot CD. This is the only CD you'll need for future network instal-
lations.
A menu will appear. Select “Install or upgrade an existing system”.
Go through the usual steps until the process prompts for the "Installation Method".
You will see a number of choices
Local CDROM
Hard Drive
NFS Image
FTP
HTTP
Select the network option of your choice (NFS, FTP, HTTP)
Select the Ethernet device that connects the installation client to the installation server's network. This would most likely be interface "eth0".
Select "DHCP" in the following "Configure TCP/IP" screen. This will make the
Installation client use DHCP during the installation.
If You Selected The NFS Method
You will now reach the "NFS setup" menu. Enter the IP address of the installation server as the "NFS
Server Name". The "Red Hat directory" will be "/data/network-install/ISO".
The following menus will be the usual Fedora GUI installation screens.
If You Selected The HTTP Method
You will now reach the "HTTP Setup" menu. Enter the IP address of the installation server when prompted for a "Web site name". The "Red Hat directory" will be /network-install/RPM. The following menus will be text based versions of the usual Fedora installation screens.
During the installation, issue the following command on the server to check the Apache logs. It will help to verify whether the kickstart client is accessing the files correctly. You should get a status code of 200 after each GET statement. Retrace your steps if you do not.
[root@bigboy tmp]# tail -f /var/log/httpd/access_log
192.168.1.247 - - [12/Nov/2006:12:01:04 -0800] "GET /network-
install/RPM/repodata/repomd.xml HTTP/1.1" 20
192.168.1.247 - - [12/Nov/2006:12:01:05 -0800] "GET /network-
install/RPM/repodata/primary.xml.gz HTTP/1.1
192.168.1.247 - - [12/Nov/2006:12:01:19 -0800] "GET /network-
install/RPM/repodata/comps.xml HTTP/1.1" 200
If You Selected The FTP Method
You will now reach the "FTP Setup" menu. Enter the IP address of the installation server as the "FTP Site
Name".
"Not Selecting" The Non-Anonymous FTP Box
The "Red Hat directory" will be "/". The following menus will be text based versions of the usual Fedora
installation screens.
"Selecting" The Non-Anonymous FTP Box
The "Red Hat directory" will be "/data/network-install/RPM".
Enter the username and password of your special FTP user account.
The following menus will be text based versions of the usual
RedHat installation screens.
Note: During the installation, issue the following command on the server to check the FTP logs. It will
help to verify whether the kickstart client is accessing the files correctly.
[root@bigboy ~]# tail -f /var/log/vsftpd.log
Sun Nov 12 20:53:12 2006 1 192.168.1.231 1140 /data/network-
install/RPM/repodata/repomd.xml b _ o r ftp-i
Sun Nov 12 20:53:21 2006 2 192.168.1.231 844228 /data/network-
install/RPM/repodata/primary.xml.gz b _ o r
Sun Nov 12 20:53:40 2006 2 192.168.1.231 853899 /data/network-
install/RPM/repodata/comps.xml b _ o r ftp-
Troubleshooting The Network Installation
You can do some basic troubleshooting by accessing the various installation status screens available.
The installation logs can always be viewed by pressing <CTRL-ALT-F3>.
Kernel messages can be seen by pressing <CTRL-ALT-F4>.
Access to a limited bash shell can be gained by pressing <CTRL-ALT-F2>.
You can return to the main installation screen at any time by pressing <CTRL-ALT-F1> for text based installations and <CTRL-ALT-F7> when the GUI is used.
Examine your server's /var/log/httpd/access_log and /var/log/httpd/error_log files for the HTTP method; the /var/log/vsftpd.log file for the FTP method; and your /var/log/messages file for the NFS method.
Exercise-4:- This exercise demonstrates Automating Installation With Kickstart
Both Fedora and RedHat Linux save all the parameters you used during installation in the /root/anaconda-ks.cfg kickstart configuration file. You can use this file to create an automated installation of a duplicate system, which can be useful if you have a large number of servers to install.
This section shows you how to automate network installations using the kickstart application and NFS.
You can use HTTP and FTP but they have been omitted to keep the discussion brief.
How To Create New Kickstart Configuration Files
You can create a customized kickstart configuration file with the system-config-kickstart graphical tool (called ksconfig on older Red Hat releases) from a GUI console. It brings up a menu from which you can select all your installation options. When finished, save the configuration with the filename of your choice.
You may want to then edit the configuration file and comment out certain parameters that may change
from system to system with a "#". These could include things like the system's name and IP address. Dur-
ing the kickstart process you will be prompted for these unspecified values.
Note: Do not change the order of the entries in the kickstart configuration file.
Note: The IP address you assign must be on the same subnet as that of the DHCP server for kickstart to
work. If the server is going to reside on a different network after the installation, then you'll have to run a
separate script to change the IP addressing information after the installation is complete.
Adding Post Installation Commands
You may want to run some commands on the newly created Linux installation after
kickstart is complete. Some processes that are activated by default by Fedora may not be suitable for your
server and may need to be disabled.
This can be done by placing a %post section at the end of the kickstart file with all the post installation commands you wish to run. Here is an example:
%post
chkconfig isdn off
chkconfig pcmcia off
chkconfig portmap off
chkconfig apmd off
chkconfig nfslock off
chkconfig nfs off
A Note About Using anaconda-ks.cfg
It is possible to use the /root/anaconda-ks.cfg file as a template for future installations.
RedHat comments out the partitioning information in this file, so you will either have to uncomment it and make your partitioning modifications, or be prepared to be prompted for your partitioning information.
How To Run A Kickstart Installation
It is best to place your kickstart files in a subdirectory under the /data/network-install directory. The examples below assume the subdirectory is called /data/network-install/kickstart.
Remember that you may want to remove the "#" comments from the partition section of the file. If not, you will be prompted for this information.
Using a NFS Server
Verify that the first two lines of the file look like this, or else you may be prompted for the NFS ISO file location information.
install
nfs --server=192.168.1.100 --dir=/data/network-install/ISO
Using a Web Server
Verify that the first two lines of the file look like this or else you may be prompted for RPM base file lo-
cation information.
install
url --url http://192.168.1.100/network-install/RPM
Booting With Your Kickstart Files
There are two ways to specify the name of the kickstart file to use. The first is to enter it manually at the boot: prompt (isolinux) when you boot from the boot CD. The second is to have your DHCP server automatically tell the kickstart client the name of the kickstart file to use when it assigns the IP address.
Both methods are listed below:
Manually Specifying the Kickstart Filename
Once you have booted from your boot CDROM, you'll need to use the following command at the boot: prompt to continue with the installation. The ks.cfg file is the kickstart configuration file we want to use; the NFS form takes the server's full exported path.
NFS Method
boot: linux ks=nfs:192.168.1.100:/data/network-install/kickstart/ks.cfg
HTTP Method
boot: linux ks=http://192.168.1.100/network-install/kickstart/ks.cfg
Configuring The Filename Automatically
Whenever you have to create lots of cloned Linux servers, then you may want to configure your DHCP
server to specify the single kickstart configuration file you wish to use. Here is how it's done:
1) Place your kickstart file in the /data/network-install/kickstart directory.
2) Edit your dhcpd.conf file and add the following lines to the section for the interface that will be serving
DHCP IP addresses. The next-server value is the IP address of the kickstart server.
filename "/data/network-install/kickstart/ks.cfg";
next-server 192.168.1.100;
3) Insert the boot CD into the kickstart client Linux box and connect it to the DHCP network. At the boot:
prompt type in the following command:
boot: linux ks
Kickstart first searches the boot CD for a configuration file named ks.cfg. It then automatically requests a DHCP address and checks whether the DHCP server specifies a configuration file. Kickstart then uses NFS to fetch both the configuration file and the installation ISOs.
The rest should be automatic.
Exercises for lab:
Exercise 1:- create an image of fedora installation CDs on your systems and configure FTP, NFS and
apache server to access that image.
Home Work:
1) Configure a kick start file for automatic installation over NFS.
To understand remote file sharing among Linux systems.
Lab No. 27: Remote Disk Access with NFS
Objective:
To equip students with the practical knowledge to configure Linux boxes for file sharing using Network
File System Protocol
Scope:
The student will be able to know the following at the end of this lab:
• Installing NFS
• Configuring NFS on The Client
• Configuring NFS on The Server
• Accessing NFS Server Directories from the Client
• Activating Modifications To The /etc/exports File
• Troubleshooting NFS
Useful Concepts:
The virtual filesystem (VFS)
Mechanism used by NFS to transparently and automatically redirect all access to NFS-mounted files to
the remote server.
Stateless Operation
Programs that read and write to files on a local filesystem rely on the operating system to track their access location within the file with a pointer. As NFS is a network-based file system, and networks can be unreliable, it was decided that the NFS client daemon would act as a failsafe intermediary between regular programs running on the NFS client and the NFS server.
Normally, when a server fails, file accesses timeout and the file pointers are reset to zero.
With NFS, the NFS server doesn't maintain the file pointer information, the NFS client does. This means
that if an NFS server suddenly fails, the NFS client can precisely restart the file access once more after
patiently waiting until the server returns online.
Caching
NFS clients typically request more data than they need and cache the results in memory locally so that
further sequential access of the data can be done locally versus over the network. This is also known as a
read ahead cache. Data that's to be written to the NFS server is cached with the data being written to the
server when the cache becomes full.
Caching therefore helps to reduce the amount of network traffic while simultaneously improving the
speed of some types of data access.
The NFS server caches information too, such as the directory information for the most recently accessed
files and a read ahead cache for recently read files.
NFS and Symbolic Links
You have to be careful with the use of symbolic links on exported NFS directories. If an absolute link points to a directory on the NFS server that hasn't been exported, then the NFS client won't be able to access it. Unlike absolute links, relative symbolic links are interpreted relative to the client's filesystem. Consider an example where the /data1 directory on the server is mounted on the client's /data1 directory. If there is a link to the ../data2 directory on the NFS server and a directory corresponding to ../data2 doesn't exist on the NFS client, then an error will occur.
Also, mounting a filesystem on a symbolic link actually mounts the filesystem on the target of the symbolic link. You'll have to be careful not to obscure the contents of this original directory in the process. Plan carefully before doing this.
NFS Background Mounting
NFS clients use the remote procedure call (RPC) suite of network application helper programs to mount remote filesystems. If the mount cannot occur during the default RPC timeout period, then the client retries the mount process until the NFS number of retries has been exceeded. The default is 10,000 minutes, which is approximately a week. The difficulty here is that if the NFS server is unavailable, the mount command will hang for a week until it returns online. It is possible to use the bg option to spawn the retries off as a subprocess so that the main mount command can continue to process other requests.
Hard and Soft Mounts
The process of continuous retrying, whether in the background or foreground, is called a hard mount. NFS attempts to guarantee the consistency of your data with these constant retries. With soft mounts, repeated RPC failures cause the NFS operation to fail rather than hang, and data consistency is therefore not guaranteed. The advantage is that the operation completes quickly, whether it fails or not. The disadvantage is that the use of the soft option implies that you are using an unreliable NFS server; if this is the case it is best not to place critical data that needs to be updated regularly, or executable programs, in such a location.
Exercise-1:- This exercise illustrates NFS Installation
RedHat Linux installs nfs by default, and by default nfs is activated when the system boots. You can determine whether you have nfs installed using the rpm command in conjunction with the grep command to search for all installed nfs packages.
[root@bigboy tmp]# rpm -qa | grep nfs
redhat-config-nfs-1.1.3-1
nfs-utils-1.0.1-3.9
[root@bigboy tmp]#
A blank list means that you'll have to install the required packages.
You also need to have the RPC rpcbind package installed, and the rpm command can tell you whether it's on your system already. Querying the package by name lists the rpcbind package if it is installed:
[root@bigboy tmp]# rpm -q rpcbind
rpcbind-4.0-57
[root@bigboy tmp]#
A blank list means that you'll have to install the required packages.
If nfs and rpcbind are not installed, they can be added fairly easily once you find the nfs-utils and rpcbind RPMs. (Remember that RPM filenames usually start with the software's name and a version number, as in nfs-utils-1.1.3-1.i386.rpm.)
Using yum or apt-get is a suitable option.
Exercise-2:- This exercise illustrates Scenario Based NFS configuration
Scenario
A small office has an old Linux server that is running out of disk space. The office cannot tolerate any
down time, even after hours, because the server is accessed by overseas programmers and clients at nights
and local ones by day.
Budgets are tight and the company needs a quick solution until it can get a purchase order approved for a
hardware upgrade. Another Linux server on the network has additional disk capacity in its /data partition
and the office would like to expand into it as an interim expansion NFS server.
Configuring NFS on the Server
Both the NFS server and NFS client have to have parts of the NFS package installed and running. The
server needs rpcbind, nfs, and nfslock operational, as well as a correctly configured /etc/exports file.
Here's how to do it.
The /etc/exports File
The /etc/exports file is the main NFS configuration file, and it consists of two columns.
The first column lists the directories you want to make available to the network. The second column has
two parts. The first part lists the networks or DNS domains that can get access to the directory, and the
second part lists NFS options in brackets.
For the scenario you need:
• Read-only access to the /data/files directory to all networks
• Read/write access to the /home directory from all servers on the 192.168.1.0 /24 network,
which is all addresses from 192.168.1.0 to 192.168.1.255
• Read/write access to the /data/test directory from servers in the my-site.com DNS domain
• Read/write access to the /data/database directory from a single server 192.168.1.203.
In all cases, use the sync option to ensure that file data cached in memory is automatically written to the
disk after the completion of any disk data copying operation.
#/etc/exports
/data/files      *(ro,sync)
/home            192.168.1.0/24(rw,sync)
/data/test       *.my-site.com(rw,sync)
/data/database   192.168.1.203/32(rw,sync)
After configuring your /etc/exports file, you need to activate the settings, but first make sure that NFS is
running correctly.
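Added example, not part of the manual: a Python audit of an /etc/exports file in the two-column format just described. The sample file is constructed; it repeats the scenario's four lines and adds three risky entries of the kind such a check should catch.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the four lines from the scenario above, plus three
# lines with the kinds of mistakes an exports audit should catch.
SAMPLE_EXPORTS = """\
#/etc/exports
/data/files     *(ro,sync)
/home           192.168.1.0/24(rw,sync)
/data/test      *.my-site.com(rw,sync)
/data/database  192.168.1.203/32(rw,sync)
/srv/backup     *(rw,no_root_squash)
/srv/build      192.168.1.0/24(rw,async,insecure)
/srv/oops       192.168.1.5 (rw)
"""

# Effective defaults when an option is not given (nfs-utils 1.0.1 and later).
DEFAULTS = {"ro": True, "sync": True, "root_squash": True, "secure": True}

# A client spec is "host", "host(opts)" or, for the classic typo, "(opts)".
CLIENT_RE = re.compile(r"^(?P<client>[^\s(]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text: str) -> List[Tuple[str, str, Dict[str, bool]]]:
    """Return (directory, client, effective options) for every export entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        directory, specs = fields[0], fields[1:] or ["*"]
        for spec in specs:
            m = CLIENT_RE.match(spec)
            if not m:
                raise ValueError(f"cannot parse export client {spec!r}")
            # A space before "(opts)" leaves an empty client name, which the
            # NFS server treats as "every host": the options no longer belong
            # to the host written in front of them.
            client = m.group("client") or "*"
            opts = dict(DEFAULTS)
            for opt in (m.group("opts") or "").split(","):
                opt = opt.strip()
                if opt == "rw":
                    opts["ro"] = False
                elif opt == "async":
                    opts["sync"] = False
                elif opt == "no_root_squash":
                    opts["root_squash"] = False
                elif opt == "insecure":
                    opts["secure"] = False
            entries.append((directory, client, opts))
    return entries


def audit_exports(text: str) -> List[str]:
    """Return one finding per export entry that weakens the scenario's intent."""
    findings = []
    for directory, client, opts in parse_exports(text):
        if not opts["ro"]:
            if client == "*":
                findings.append(f"{directory}: read/write export to every host")
            elif client.startswith("*"):
                findings.append(f"{directory}: read/write access for DNS wildcard "
                                f"{client!r} depends on correct forward and reverse DNS")
        if not opts["root_squash"]:
            findings.append(f"{directory}: no_root_squash lets a client's root act as root on the server")
        if not opts["sync"]:
            findings.append(f"{directory}: async can lose acknowledged writes if the server crashes")
        if not opts["secure"]:
            findings.append(f"{directory}: insecure accepts requests from unprivileged source ports")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```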
Starting NFS on the Server
Configuring an NFS server is straightforward:
1) Use the chkconfig command to configure the required nfs and RPC rpcbind daemons to start at boot.
You also should activate NFS file locking to reduce the risk of corrupted data.
[root@bigboy tmp]# chkconfig --level 35 nfs on
[root@bigboy tmp]# chkconfig --level 35 nfslock on
[root@bigboy tmp]# chkconfig --level 35 rpcbind on
2) Use the init scripts in the /etc/init.d directory to start the nfs and RPC rpcbind daemons. The examples
use the start option, but when needed, you can also stop and restart the processes with the stop and restart
options.
[root@bigboy tmp]# service rpcbind start
[root@bigboy tmp]# service nfs start
[root@bigboy tmp]# service nfslock start
3) Test whether NFS is running correctly with the rpcinfo command. You should get a listing of running
RPC programs that must include mountd, portmapper, nfs, and nlockmgr.
[root@bigboy tmp]# rpcinfo -p localhost
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 1024 nlockmgr
100021 3 udp 1024 nlockmgr
100021 4 udp 1024 nlockmgr
100005 1 udp 1042 mountd
100005 1 tcp 2342 mountd
100005 2 udp 1042 mountd
100005 2 tcp 2342 mountd
100005 3 udp 1042 mountd
100005 3 tcp 2342 mountd
[root@bigboy tmp]#
Configuring NFS on the Client
NFS configuration on the client requires you to start the NFS application; create a directory on which to
mount the NFS server's directories that you exported via the /etc/exports file, and finally to mount the
NFS server's directory on your local directory, or mount point. Here's how to do it all.
Starting NFS on the Client
Three more steps easily configure NFS on the client.
1) Use the chkconfig command to configure the netfs service (which mounts the network filesystems listed in /etc/fstab) and the RPC rpcbind daemon to start at boot. Activate nfslock to lock the files and reduce the risk of corrupted data.
[root@smallfry tmp]# chkconfig --level 35 netfs on
[root@smallfry tmp]# chkconfig --level 35 nfslock on
[root@smallfry tmp]# chkconfig --level 35 rpcbind on
2) Use the init scripts in the /etc/init.d directory to start the netfs service and the RPC rpcbind daemon. As on the server, the examples use the start option, but you can also stop and restart the processes with the stop and restart options.
[root@smallfry tmp]# service rpcbind start
[root@smallfry tmp]# service netfs start
[root@smallfry tmp]# service nfslock start
3) Test whether NFS is running correctly with the rpcinfo command. The listing of running RPC programs you get must include status, portmapper, and nlockmgr.
[root@smallfry root]# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 32768 status
100024 1 tcp 32768 status
100021 1 udp 32769 nlockmgr
100021 3 udp 32769 nlockmgr
100021 4 udp 32769 nlockmgr
100021 1 tcp 32769 nlockmgr
100021 3 tcp 32769 nlockmgr
100021 4 tcp 32769 nlockmgr
391002 2 tcp 32770 sgi_fam
[root@smallfry root]#
NFS and DNS
The NFS client must have a matching pair of forward and reverse DNS entries on the DNS server used by
the NFS server. In other words, a DNS lookup on the NFS server for the IP address of the NFS client
must return a server name that will map back to the original IP address when a DNS lookup is done on
that same server name.
[root@bigboy tmp]# host 192.168.1.102
201.1.168.192.in-addr.arpa domain name pointer 192-168-1-102.my-site.com.
[root@bigboy tmp]# host 192-168-1-102.my-site.com
192-168-1-102.my-site.com has address 192.168.1.102
[root@bigboy tmp]#
This is a security precaution built into the nfs package that lessens the likelihood of unauthorized servers gaining access to files on the NFS server. Failure to correctly register your server IPs in DNS can result in "fake hostname" errors:
Nov 7 19:14:40 bigboy rpc.mountd: Fake hostname smallfry.my-site.com for 192.168.1.1 - forward lookup do
Accessing NFS Server Directories from the Client
In most cases, users want their NFS directories to be permanently mounted. This requires an entry in the
/etc/fstab file in addition to the creation of the mount point directory.
The /etc/fstab File
The /etc/fstab file lists all the partitions that need to be auto-mounted when the system boots. Therefore, you need to edit the /etc/fstab file if you need the NFS directory to be made permanently available to users on the NFS client. For the example, mount the /data/files directory on server bigboy (IP address 192.168.1.100) as an NFS-type filesystem using the local /mnt/nfs mount point directory.
#/etc/fstab
#Directory                  Mount Point   Type   Options          Dump   FSCK
192.168.1.100:/data/files   /mnt/nfs      nfs    soft,nfsvers=2   0      0
This example used the soft and nfsvers options; Table 29.1 outlines these and other useful NFS mounting
options you may want to use. See the NFS man pages for more details.
Possible NFS Mount Options
Option      Description
bg          Retry mounting in the background if mounting initially fails
fg          Mount in the foreground
soft        Use soft mounting
hard        Use hard mounting
rsize=n     The amount of data NFS will attempt to access per read operation. The default is dependent on the kernel. For NFS version 2, set it to 8192 to assure maximum throughput.
wsize=n     The amount of data NFS will attempt to access per write operation. The default is dependent on the kernel. For NFS version 2, set it to 8192 to assure maximum throughput.
nfsvers=n   The version of NFS the mount command should attempt to use
tcp         Attempt to mount the filesystem using TCP packets: the default is UDP.
intr        If the filesystem is hard mounted and the mount times out, allow the process to be aborted using the usual methods such as CTRL-C and the kill command.
The steps to mount the directory are fairly simple, as you'll see.
Permanently Mounting the NFS Directory
You'll now create a mount point directory, /mnt/nfs, on which to mount the remote NFS directory and then use the mount -a command to activate the mount. Notice how before mounting there were no files visible in the /mnt/nfs directory; this changes after the mounting is completed:
[root@smallfry tmp]# mkdir /mnt/nfs
[root@smallfry tmp]# ls /mnt/nfs
[root@smallfry tmp]# mount -a
[root@smallfry tmp]# ls /mnt/nfs
ISO ISO-RedHat kickstart RedHat
[root@smallfry tmp]#
Each time your system boots, it reads the /etc/fstab file and executes the mount -a command, thereby making this a permanent NFS mount.
Note: There are multiple versions of NFS, the most popular of which is version 2, which most NFS
clients use. Newer NFS servers may also be able to handle NFS version 4. To be safe, it is best to force
the NFS server to export directories as version 2 using the nfsvers=2 option in the /etc/fstab file as shown
in the example. Failure to do so may result in an error message.
[root@probe-001 tmp]# mount -a
mount to NFS server '192.168.1.100' failed: server is down.
[root@probe-001 tmp]#
Exercise-3:- This exercise illustrates NFS Troubleshooting
A basic NFS configuration usually works without problems when the client and server are on the same network. The most common problems are caused by forgetting to start NFS, to edit the /etc/fstab file, or to export the directories listed in the /etc/exports file. Another common cause of failure is the iptables firewall daemon running on either the server or client without the administrator realizing it.
When the client and server are on different networks, these checks still apply, but you'll also have to make
sure basic connectivity has been taken care of. Sometimes a firewall being present on the path between
the client and server can cause difficulties.
As always, no troubleshooting plan would be complete without frequent reference to the /var/log/messages file when searching for additional clues. The following table shows some common NFS errors you'll encounter.
Some Common NFS Error Messages
Error                               Description
Too many levels of remote in path   Attempting to mount a filesystem that has already been mounted.
Permission denied                   User is denied access. This could be the client's root user, who has unprivileged status on the server due to the root_squash option. It could also be because the user on the client doesn't exist on the server.
No such host                        Typographical or DNS configuration error in the name of the server.
No such file or directory           Typographical error in the name of the file or directory: they don't exist.
NFS server is not responding        The server could be overloaded or down.
Stale file handle                   A file that was previously accessed by the client was deleted on the server before the client closed it.
Fake hostname                       Forward and reverse DNS entries don't exist for the NFS client.
The showmount Command
When run on the server, the showmount -a command lists all the currently exported directories. It also shows a list of NFS clients accessing the server; in this case one client has an IP address of 192.168.1.102.
[root@bigboy tmp]# showmount -a
All mount points on bigboy:
*:/home
192.168.1.102:*
[root@bigboy tmp]#
The "df" Command
The df command lists the disk usage of a mounted filesystem. Run it on the NFS client to verify that NFS
mounting has occurred. In many cases, the root_squash mount option will prevent the root user from
doing this, so it's best to try it as an unprivileged user.
[nfsuser@smallfry nfsuser]$ df -F nfs
Filesystem 1K-blocks Used Available Use% Mounted on
192.168.1.100:/home/nfsuser
1032056 346552 633068 36% /home/nfsuser
[nfsuser@smallfry nfsuser]$
The nfsstat Command
The nfsstat command provides useful error statistics. The -s option provides NFS server stats, while the -c option provides them for clients. Threshold guidelines are provided in the table below.
[root@bigboy tmp]# nfsstat -s
Server rpc stats:
calls badcalls badauth badclnt xdrcall
1547 0 0 0 0
Server nfs v2:
null getattr setattr root lookup readlink
244 100% 0 0% 0 0% 0 0% 0 0% 0 0%
read wrcache write create remove rename
0 0% 0 0% 0 0% 0 0% 0 0% 0 0%
link symlink mkdir rmdir readdir fsstat
0 0% 0 0% 0 0% 0 0% 0 0% 0 0%
Server nfs v3:
null getattr setattr lookup access readlink
251 19% 332 25% 0 0% 265 20% 320 24% 0 0%
read write create mkdir symlink mknod
39 2% 14 1% 1 0% 1 0% 0 0% 0 0%
remove rmdir rename link readdir readdirplus
0 0% 0 0% 0 0% 0 0% 0 0% 31 2%
fsstat fsinfo pathconf commit
1 0% 34 2% 0 0% 14 1%
[root@bigboy tmp]#
Error Thresholds For The "nfsstat" Command
Value      Threshold   Description
readlink   > 10%       Excessive numbers of symbolic links slowing performance. Try to replace them with a directory and mount the filesystem directly on this new mount point.
getattr    > 50%       File attributes, like file data, are cached in NFS. This value tracks the percentage of file attribute reads that are not from cache refresh requests. Usually caused by the NFS "noac" mount option, which prevents file attribute caching.
badcalls   > 0         Bad RPC requests. Could be due to poorly configured authentication, the root user attempting to access data governed by the "root_squash" directive, or having a user in too many groups.
retrans    > 5%        Percentage of requests for service that the client had to retransmit to the servers. Could be due to slow NFS servers or poor network conditions.
writes     > 10%       Writes are slow due to poor caching values. Check the "noac" and "wsize" mount options.
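Added example, not from the manual: a Python parser for the nfsstat -s layout shown above that applies the table's server-side thresholds (badcalls, readlink, getattr, write). The first sample is the lab's own listing; the second is constructed so that the alerts fire.

```python
from typing import Dict, List

# Sample output copied from the lab's nfsstat -s listing above (a quiet server).
LAB_SAMPLE = """\
Server rpc stats:
calls badcalls badauth badclnt xdrcall
1547 0 0 0 0
Server nfs v2:
null getattr setattr root lookup readlink
244 100% 0 0% 0 0% 0 0% 0 0% 0 0%
read wrcache write create remove rename
0 0% 0 0% 0 0% 0 0% 0 0% 0 0%
link symlink mkdir rmdir readdir fsstat
0 0% 0 0% 0 0% 0 0% 0 0% 0 0%
Server nfs v3:
null getattr setattr lookup access readlink
251 19% 332 25% 0 0% 265 20% 320 24% 0 0%
read write create mkdir symlink mknod
39 2% 14 1% 1 0% 1 0% 0 0% 0 0%
remove rmdir rename link readdir readdirplus
0 0% 0 0% 0 0% 0 0% 0 0% 31 2%
fsstat fsinfo pathconf commit
1 0% 34 2% 0 0% 14 1%
"""

# Constructed output for a busier server: clients mounting with "noac" drive
# getattr up, a symlink-heavy tree drives readlink up, and some RPCs fail auth.
NOISY_SAMPLE = """\
Server rpc stats:
calls badcalls badauth badclnt xdrcall
5000 12 12 0 0
Server nfs v3:
null getattr setattr lookup access readlink
10 0% 3200 64% 0 0% 600 12% 400 8% 600 12%
read write create mkdir symlink mknod
100 2% 90 2% 0 0% 0 0% 0 0% 0 0%
"""

# Server-side thresholds from the table, as percent of all NFS calls
# (the table's "writes" row corresponds to the "write" counter).
THRESHOLDS = {"readlink": 10.0, "getattr": 50.0, "write": 10.0}


def parse_nfsstat(text: str) -> Dict[str, Dict[str, int]]:
    """Return {"rpc": {...}, "v2": {...}, "v3": {...}} holding raw call counts."""
    stats: Dict[str, Dict[str, int]] = {}
    section, names = "", []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):          # "Server rpc stats:" or "Server nfs v3:"
            head = line[:-1].split()
            section = "rpc" if head[1] == "rpc" else head[-1]
            stats[section], names = {}, []
        elif line[0].isalpha():         # a row of counter names
            names = line.split()
        else:                           # the matching row of counts (and percents)
            counts = [t for t in line.split() if not t.endswith("%")]
            for name, value in zip(names, counts):
                stats[section][name] = int(value)
    return stats


def evaluate(stats: Dict[str, Dict[str, int]]) -> List[str]:
    """Apply the table's thresholds and return one alert per breach."""
    alerts: List[str] = []
    badcalls = stats.get("rpc", {}).get("badcalls", 0)
    if badcalls > 0:
        alerts.append(f"badcalls={badcalls}: bad RPC requests (check auth, root_squash, group count)")
    # Merge all NFS protocol versions so percentages are over every NFS call.
    totals: Dict[str, int] = {}
    for section, counters in stats.items():
        if section != "rpc":
            for name, count in counters.items():
                totals[name] = totals.get(name, 0) + count
    all_calls = sum(totals.values())
    for op, limit in THRESHOLDS.items():
        pct = 100.0 * totals.get(op, 0) / all_calls if all_calls else 0.0
        if pct > limit:
            alerts.append(f"{op}={pct:.1f}% of NFS calls exceeds the {limit:.0f}% threshold")
    return alerts
```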
Exercises for lab
Exercise 1:- This exercise illustrates NFS Installation
Exercise 2:- Create a directory named 'shared' and configure the NFS server to share the newly created directory 'shared' with other systems.
Home Work
Configure an NFS server for the scenario given below:
A home user has a Linux server with low disk space. S(he) has another Linux system in the house with some extra space in the /home filesystem. Keeping the budget aspect in mind, the user wants to share the free space of the /home filesystem on the other system. Help him/her configure an NFS server that provides:
1) Read-only access to the /data/files directory to all networks
2) Read/write access to the /home directory from all servers on the 192.168.1.0/24 network, which is all addresses from 192.168.1.0 to 192.168.1.255
3) Read/write access to the /data/test directory from servers in the my-site.com DNS domain
4) Read/write access to the /data/database directory from a single server 192.168.1.203.
To understand controlling Web usage with Squid
Lab No. 28: Controlling Web Usage with Squid
Objective:
To familiarize students with how to limit Web access to only authorized users.
Scope:
The students would be able to do the following at the end of this lab:
• Configure squid proxy server to provide restricted access to the internet using access list.
• Provide transparent proxy services to the users.
Useful Concepts
Squid Configuration File
The main Squid configuration file is squid.conf, and, like most Linux applications, Squid needs to be restarted before changes to the configuration file take effect. In the next sections we will illustrate the various useful sections of the squid.conf file.
The Visible Host Name
Squid will fail to start if you don't give your server a hostname. You can set this with the visible_hostname parameter. Here, the hostname is set to the real name of the server, ciit.
visible_hostname ciit
Access Control Lists
You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or source network. The ACLs are then linked to an http_access statement that tells Squid whether to deny or allow traffic that matches the ACL.
Squid matches each Web access request it receives by checking the http_access list from top to bottom. If
it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful
not to place a deny statement in the list that blocks a similar allow statement below it. The final
http_access statement denies everything, so it is best to place new http_access statements above it.
Note: The very last http_access statement in the squid.conf file denies all access. You therefore have to
add your specific permit statements above this line.
Exercise-1:- This exercise illustrates Restricting Web Access By Time
You can create access control lists with time parameters. For example, you can allow only business hour
access from the home network, while always restricting access to host 192.168.1.23.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours
Or, you can allow morning access only:
#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:00-12:00
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings
Exercise-2:- This exercise illustrates Restricting Access to specific Web sites
Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. In this example we create two lists in files named /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.
# File: /usr/local/etc/allowed-sites.squid
www.openfree.org
www.google.com
# File: /usr/local/etc/restricted-sites.squid
www.restricted-site.com
www.illegal.com
These can then be used to always block the restricted sites and permit the allowed sites during working
hours. This can be illustrated by expanding our previous example slightly.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites
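To see how Squid's top-to-bottom, first-match evaluation treats the rules from Exercises 1 and 2, here is an added Python simulation (not part of the manual or of Squid). The list-file contents and the requests are constructed, the closing "deny all" stands for the catch-all last rule described in the note above, and a second, misordered configuration shows a deny becoming unreachable.

```python
import ipaddress
from datetime import datetime
from typing import Dict, List, Tuple, Union

# Squid's day letters for "time" ACLs; "D" expands to the weekdays M T W H F.
DAY_LETTERS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}

# Constructed stand-ins for the two list files of Exercise 2.
LIST_FILES = {
    "/usr/local/etc/allowed-sites.squid": "www.openfree.org\nwww.google.com\n",
    "/usr/local/etc/restricted-sites.squid": "www.restricted-site.com\nwww.illegal.com\n",
}

# Exercises 1 and 2 combined, lines placed in the order the lab prescribes;
# the closing "deny all" stands for squid.conf's catch-all last rule.
SQUID_CONF = """
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
http_access deny RestrictedHost
http_access deny BadSites
http_access allow home_network business_hours GoodSites
http_access deny all
"""

# The ordering mistake in its other direction: a broad allow (Exercise 3
# style) above the deny makes the deny unreachable for the home network.
MISORDERED_CONF = """
acl home_network src 192.168.1.0/255.255.255.0
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
http_access allow home_network
http_access deny BadSites
http_access deny all
"""

Acl = Tuple[str, List[str]]   # (acl type, values)
Rule = Tuple[str, List[str]]  # (allow|deny, acl names)


def parse_conf(text: str) -> Tuple[Dict[str, Acl], List[Rule]]:
    """Collect acl definitions and http_access lines in file order."""
    acls: Dict[str, Acl] = {"all": ("all", [])}
    rules: List[Rule] = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "acl":
            name, kind, values = fields[1], fields[2], fields[3:]
            if kind == "dstdomain" and values and values[0].startswith('"'):
                values = LIST_FILES[values[0].strip('"')].split()  # "file" form
            acls[name] = (kind, values)
        elif fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return acls, rules


def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def acl_matches(acl: Acl, src: str, host: str, when: datetime) -> bool:
    """Match one ACL against a request using Squid's src/dstdomain/time rules."""
    kind, values = acl
    if kind == "all":
        return True
    if kind == "src":  # CIDR or address/netmask; both forms appear in the lab
        return any(ipaddress.ip_address(src) in ipaddress.ip_network(v, strict=False)
                   for v in values)
    if kind == "dstdomain":  # ".x.com" also matches subdomains; "x.com" is exact
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if kind == "time":
        days = {DAY_LETTERS[c] for v in values if v.isalpha()
                for c in v.replace("D", "MTWHF")}
        spans = [v.split("-") for v in values if "-" in v]
        now = when.hour * 60 + when.minute
        day_ok = not days or when.weekday() in days
        span_ok = not spans or any(_minutes(lo) <= now <= _minutes(hi) for lo, hi in spans)
        return day_ok and span_ok
    raise ValueError(f"unsupported ACL type {kind!r}")


def decide(conf: str, src: str, host: str, when: Union[datetime, str]) -> str:
    """Walk http_access top to bottom; the first line whose ACLs all match wins."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)  # e.g. "2014-11-17T10:30"
    acls, rules = parse_conf(conf)
    for action, names in rules:
        if all(acl_matches(acls[name], src, host, when) for name in names):
            return action
    return "deny"  # unreachable with a trailing "deny all"; kept as a safe default
```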
Exercise-3:- This exercise illustrates Restricting Web Access By IP Address
You can create an access control list that restricts Web access to users on certain networks. In this case,
it's an ACL that defines a home network of 192.168.1.0.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/255.255.255.0
You also have to add a corresponding http_access statement that allows traffic that
matches the ACL:
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow home_network
Exercise-4:- This exercise illustrates Configuring Web Browsers to Use Your Squid Server
If you don't have a firewall that supports redirection, then you need to configure your firewall to only accept HTTP Internet access from the Squid server, as well as configure your PC browser's proxy server settings manually to use the Squid server. The method you use depends on your browser.
For example, to make these changes using Internet Explorer
1. Click on the "Tools" item on the menu bar of the browser.
2. Click on "Internet Options"
3. Click on "Connections"
4. Click on "LAN Settings"
5. Configure with the address and TCP port (3128 default) used by your Squid server.
Here's how to make the same changes using Mozilla or Firefox.
1. Click on the "Edit" item on the browser's menu bar.
2. Click on "Preferences"
3. Click on "Advanced"
4. Click on "Proxies"
5. Configure with the address and TCP port (3128 default) used by your Squid server under "Manual Proxy Configuration".
Exercises for lab
Exercise 1:- Install Squid proxy server.
Exercise 2:- Using squid proxy server restrict user from visiting illegal sites.
Exercise 3:- Allow users to only visit legal/allowed sites from trusted IP addresses only.
Home Work
1) Make your squid server transparent to users using transparent proxy configuration.
To understand the DNS bind process and DNS client settings
Lab No. 29: DNS Configuration 1
Objective:
To familiarize students with the bind process and DNS client settings
Scope:
The students would be able to do the following at the end of this lab:
• To manage BIND process
• Client side DNS configuration options
• Test the DNS server working
Exercise-1:- This exercise illustrates How to Get BIND Started
Setting up your DNS server is easy to do, but the procedure differs between Linux distributions.
Redhat / Fedora
You can use the chkconfig command to get BIND configured to start at boot
[root@root]# chkconfig named on
To start, stop, and restart BIND after booting, use:
[root@root]# /etc/init.d/named start
[root@root]# /etc/init.d/named stop
[root@root]# /etc/init.d/named restart
Remember to restart the BIND process every time you make a change to the configuration file for the
changes to take effect on the running process.
Debian / Ubuntu
You can use the sysv-rc-conf command to get BIND configured to start at boot
[root@root]# sysv-rc-conf bind on
To start, stop, and restart BIND after booting, use:
[root@root]# /etc/init.d/bind start
[root@root]# /etc/init.d/bind stop
[root@root]# /etc/init.d/bind restart
Exercise-2:- This exercise describes the /etc/resolv.conf File
DNS clients (servers not running BIND) use the /etc/resolv.conf file to determine both the location of their DNS server and the domains to which they belong. The file generally has two columns; the first contains a keyword, and the second contains the desired values separated by commas. See the Table below for a list of keywords:
Take a look at a sample configuration in which the client server's main domain is mysite.com, but it also
is a member of domains my-site.net and my-site.org, which should be searched for shorthand references
to other servers. Two name servers, 192.168.1.100 and 192.168.1.102, provide DNS name resolution:
search my-site.com my-site.net my-site.org
nameserver 192.168.1.100
nameserver 192.168.1.102
The first domain listed after the search directive must be the home domain of your network, in this case
my-site.com. Placing a domain and search entry in the /etc/resolv.conf is redundant, therefore.
Exercise-3:- This exercise illustrates Basic DNS Testing of DNS Resolution
There are a number of commands you can use to do these lookups. Linux uses the host command, for example, but Windows uses nslookup.
The Host Command
The host command accepts arguments that are either the fully qualified domain name or the IP address of
the server when providing results. To perform a forward lookup, use the syntax:
[root@root]# host www.google.com
www.google.com has address 65.115.71.34
[root@root]#
The nslookup Command
The nslookup command provides the same results on Windows PCs. To perform forward lookup, use:
C:\> nslookup www.google.com
Server: 192-168-1-200.my-site.com
Address: 192.168.1.200
Non-authoritative answer:
Name: www.google.com
Address: 65.115.71.34
C:\>
Exercises for lab:
Exercise 1:- Configure bind process to load at system startup.
Exercise 2:- Configure resolv.conf file for client side configuration to use proper DNS name server.
Exercise 3:- Test whether the DNS server is working or not.
Home Work:
1) Explain the use of forward lookup zones and reverse lookup zones in DNS
To understand DNS zone files and schema configuration
Lab No. 30: DNS Configuration 2
Objective:
To familiarize the students with the configuring of DNS Zone files and Schema.
Scope:
The students would be able to do the following at the end of this lab:
• Configure basic DNS settings
• Setup forward and reverse zone files for name resolution
Exercise-1:- This exercise illustrates how to configure your own Nameserver
For the purposes of this tutorial, assume your ISP assigned you the subnet 97.158.253.24 with a subnet
mask of 255.255.255.248 (/29).
Configuring resolv.conf
You'll have to make your DNS server refer to itself for all DNS queries by configuring the
/etc/resolv.conf file to reference localhost only.
nameserver 127.0.0.1
Creating a named.conf Base Configuration
The /etc/named.conf file contains the main DNS configuration and tells BIND where to find the configuration, or zone, files for each domain you own. This file usually has two zone areas:
Forward zone file definitions list files to map domains to IP addresses.
Reverse zone file definitions list files to map IP addresses to domains.
The first task is to make sure your DNS server will listen for requests on all the required network interfaces. The options section of named.conf may be configured to listen exclusively on its internal hidden localhost interface with an IP address of 127.0.0.1, as we see in this example:
# File: /etc/named.conf
options {
listen-on port 53 { 127.0.0.1; };
};
If other devices are going to rely on your server for queries, then you’ll need to either change this or add a
selected number of IP addresses on your server. In this example, we allow queries on any interface.
listen-on port 53 { any; };
In this example, we allow queries on localhost and address 192.168.1.100.
listen-on port 53 { 127.0.0.1; 192.168.1.100; };
Note: Always make sure localhost, 127.0.0.1 is included.
Forward Zone File References in named.conf
Let’s describe how we point to forward zone files in a typical named.conf file.
In this example the zone file is named my-site.zone, and, although not explicitly stated, the file my-site.zone should be located in the default directory of /var/named/chroot/var/named in a chroot configuration or in /var/named in a regular one. With Debian / Ubuntu, references to the full file path will have to be used. Use the code:
zone "my-web-site.org" {
    type master;
    notify no;
    allow-query { any; };
    file "my-site.zone";
};
In addition, you can insert more entries in the named.conf file to reference other Web domains you host.
Here is an example for another-site.com using a zone file named another-site.zone.
zone "another-site.com" {
    type master;
    notify no;
    allow-query { any; };
    file "another-site.zone";
};
Note: The allow-query directive defines the networks that are allowed to query your DNS server for in-
formation on any zone. For example, to limit queries to only your 192.168.1.0 network, you could modify
the directive to:
allow-query { 192.168.1.0/24; };
Reverse Zone File References in named.conf
Here’s how to format entries that refer to zone files used for reverse lookups for your IP addresses.
zone "1.168.192.in-addr.arpa" {
    type master;
    notify no;
    allow-query { any; };
    file "192-168-1.zone";
};
Sample Forward Zone File
Now that you know the key elements of a zone file, it's time to examine a working example for the domain my-site.com.
;
; Zone file for my-site.com
;
; The full zone file
;
$TTL 3D
@               IN SOA ns1.my-site.com. hostmaster.my-site.com. (
                        200211152       ; serial#
                        3600            ; refresh, seconds
                        3600            ; retry, seconds
                        3600            ; expire, seconds
                        3600 )          ; minimum, seconds
                NS      www             ; Inet Address of nameserver
my-site.com.    MX      10 mail         ; Primary Mail Exchanger
localhost       A       127.0.0.1
bigboy          A       97.158.253.26
mail            A       97.158.253.27
ns1             CNAME   bigboy
www             CNAME   bigboy
Sample Reverse Zone File
;
; Filename: 192-168-1.zone
;
; Zone file for 192.168.1.x
;
$TTL 3D
@               IN SOA www.my-site.com. hostmaster.my-site.com. (
                        200303301       ; serial number
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
                NS      www             ; Nameserver Address
100             PTR     bigboy.my-site.com.
103             PTR     smallfry.my-site.com.
102             PTR     ochorios.my-site.com.
105             PTR     reggae.my-site.com.
32              PTR     dhcp-192-168-1-32.my-site.com.
33              PTR     dhcp-192-168-1-33.my-site.com.
34              PTR     dhcp-192-168-1-34.my-site.com.
35              PTR     dhcp-192-168-1-35.my-site.com.
36              PTR     dhcp-192-168-1-36.my-site.com.
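The two sample zone files above contain mistakes that are easy to miss by eye. What follows is an added example, not part of the manual and not BIND's own tooling: a small Python lint that re-types both samples (with the leading whitespace that tells named a record inherits the previous owner) and reports three classes of problem: an NS or MX record whose target is a CNAME (RFC 2181 section 10.3 forbids this; the forward zone's NS www is one), an NS target written as a relative name that therefore expands under the zone's own origin without being defined there (the reverse zone's NS www becomes www.1.168.192.in-addr.arpa.), and an SOA expire value that does not exceed refresh plus retry. Record and timer values are copied from the samples; the parser handles only the directives those samples use, and the function names are this example's own.

```python
"""Added example: lint the forward and reverse zone files shown above."""
import re

_UNITS = {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

# Re-typed copies of the manual's samples. A line that starts with whitespace
# has no owner field and inherits the owner of the previous record.
FORWARD_ZONE = """\
$TTL 3D
@   IN SOA ns1.my-site.com. hostmaster.my-site.com. (
        200211152   ; serial
        3600        ; refresh
        3600        ; retry
        3600        ; expire
        3600 )      ; minimum
    NS    www            ; inherits owner '@'; www is a CNAME (flagged)
my-site.com. MX 10 mail
localhost   A     127.0.0.1
bigboy      A     97.158.253.26
mail        A     97.158.253.27
ns1         CNAME bigboy
www         CNAME bigboy
"""

REVERSE_ZONE = """\
$TTL 3D
@   IN SOA www.my-site.com. hostmaster.my-site.com. (
        200303301   ; serial
        8H          ; refresh
        2H          ; retry
        4W          ; expire
        1D )        ; minimum
    NS    www            ; relative: becomes www.1.168.192.in-addr.arpa. (flagged)
100 PTR bigboy.my-site.com.
103 PTR smallfry.my-site.com.
32  PTR dhcp-192-168-1-32.my-site.com.
"""


def parse_ttl(tok):
    """'3600' -> 3600, '3D' -> 259200; None when tok is not a TTL."""
    m = re.fullmatch(r"(\d+)([SMHDW]?)", tok.upper())
    return int(m.group(1)) * _UNITS[m.group(2)] if m else None


def fqdn(name, origin):
    """Expand a name the way named does: '@' is the origin and a name
    without a trailing dot is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text):
    """Strip ';' comments, join '(' ... ')' continuations, yield (tokens, inherits_owner)."""
    buf, depth, inherits = [], 0, False
    for raw in text.splitlines():
        if not buf:
            inherits = raw[:1].isspace()
        body = raw.split(";", 1)[0]
        depth += body.count("(") - body.count(")")
        buf.append(body.replace("(", " ").replace(")", " "))
        if depth == 0:
            toks, buf = " ".join(buf).split(), []
            if toks:
                yield toks, inherits


def parse_zone(text, origin):
    """Return [(owner_fqdn, TYPE, [rdata tokens]), ...]."""
    records, owner = [], origin
    for toks, inherits in _logical_lines(text):
        if toks[0].startswith("$"):
            continue                      # $TTL/$ORIGIN are not needed for these checks
        if not inherits:
            owner = toks.pop(0)
        if parse_ttl(toks[0]) is not None:
            toks.pop(0)                   # optional per-record TTL
        if toks[0].upper() == "IN":
            toks.pop(0)                   # optional class
        records.append((fqdn(owner, origin), toks[0].upper(), toks[1:]))
    return records


def lint(text, origin):
    """Return a list of human-readable problems; an empty list means clean."""
    recs = parse_zone(text, origin)
    owners = {o for o, _, _ in recs}
    cnames = {o for o, t, _ in recs if t == "CNAME"}
    problems = []
    for owner, rtype, rdata in recs:
        if rtype in ("NS", "MX"):
            target = fqdn(rdata[-1], origin)
            if target in cnames:
                problems.append(f"{rtype} {owner} -> {target} is a CNAME (RFC 2181 forbids this)")
            elif target.endswith(origin) and target not in owners:
                problems.append(f"{rtype} {owner} -> {target} is not defined in this zone")
        elif rtype == "SOA":
            refresh, retry, expire = (parse_ttl(t) for t in rdata[3:6])
            if expire <= refresh + retry:
                problems.append(f"SOA expire {expire}s does not exceed refresh+retry ({refresh}+{retry}s): "
                                "secondaries would drop the zone after a single failed refresh")
        elif rtype == "PTR" and not rdata[0].endswith("."):
            problems.append(f"PTR {owner} -> {rdata[0]} is relative and expands under {origin}")
    return problems


if __name__ == "__main__":
    for name, text, origin in (("forward", FORWARD_ZONE, "my-site.com."),
                               ("reverse", REVERSE_ZONE, "1.168.192.in-addr.arpa.")):
        print(name, lint(text, origin) or ["clean"])
```

For real zones, named-checkzone remains the check to run before reloading; this script only makes the three error classes visible in a few lines of code.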
Exercises for lab:
Exercise 1:- Configure the DNS server for name resolution.
Home Work:
1) Elucidate the purpose of the schema file used in configuring a DNS server.
2) Explain the use of the forward lookup zone and the reverse lookup zone in DNS.
Lab No. 31: DNS Configuration 3
Objective:
To familiarize students with the use of cache Nameserver.
Scope:
The students would be able to do the following at the end of this lab:
• Understand the cache nameserver
• Configure a linux box as a cache nameserver
Useful Concepts:
Authoritative servers
• Authoritative servers provide the definitive information for your DNS domain, such as
the names of servers and Web sites in it. They are the last word in information related to
your domain.
Caching DNS server
• These servers, through a process called recursion, query the authoritative servers at the root, main-domain and sub-domain levels in turn until they obtain the specific information requested.
When to Use A DNS Caching Name Server
• Most servers don't query authoritative DNS servers directly; they usually ask a caching DNS server to do it on their behalf. The most frequently requested information is then stored (cached) to reduce the lookup overhead of subsequent queries.
Exercise-1:- This exercise illustrates how to configure your nameserver as a caching nameserver.
If your DNS server is also acting as a caching DNS server, then you'll also need a view for localhost to
use. We'll use a view called localhost_resolver for this.
The Caching Nameserver localhost_resolver View
The localhost_resolver view is used for your caching DNS server configuration and should look like this:
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver
* ( caching only nameserver ). If all you want is a
* caching-only nameserver, then you need only define this view:
*/
match-clients { localhost; };
match-destinations { localhost; };
// As your caching name server clients will be using this server
// for DNS lookups to get to sites all over the Web you’ll need to
// turn on recursion
recursion yes;
// All views used by caching nameserver clients must
// contain the root hints zone. Recursive lookups to DNS domains
// you don't own (non-authoritative) start here.
zone "." IN {
type hint;
file "named.ca";
};
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* ONLY be served to localhost clients:
*/
include "/etc/named.rfc1912.zones";
/*
* Include zonefiles for internal zones
*/
include "/var/named/zones/internal/internal_zones.conf";
};
There are some quick facts you should be aware of with your caching name server configuration:
1. If you want your server to be only a caching DNS server, then delete all other views in named.conf and
restart the named daemon.
[root@bigboy tmp]# /etc/init.d/named restart
2. Make all the other machines on your network point to the caching DNS server as their primary DNS
server.
3. Remember that all DNS queries done on your DNS server appear to come from localhost. If your server is also an authoritative server for your domain, you will have to include a reference to your domain's zone files in this section for the server's own DNS lookups to work. If not, queries from clients defined by the internal and external ACLs will work correctly, but queries for the domain from the server itself will fail. In this example we have included a reference to the internal_zones.conf zone file, which we'll visit again soon. This line can be deleted if your server isn't an authoritative server for your domain.
Note: If you have a localhost only view like this, make sure you don't reference localhost in any of your
other views as one view will take precedence over the other for queries from your server. This could lead
to unpredictable results.
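As an added example (not from the manual and not a BIND tool), here is a Python audit that reads a named.conf and reports the three pitfalls this lab and the previous one warn about: a listen-on list without 127.0.0.1, localhost matched by more than one view, and a view that recurses for match-clients { any; } without an allow-recursion ACL that restricts it, which turns the server into an open resolver that anyone on the Internet can use. The configuration it checks is a constructed sample whose names and addresses come from the examples above; the parser covers only the named.conf syntax those examples use, and the function names are this example's own.

```python
"""Added example: audit a named.conf for listen-on, view-overlap and open-resolver mistakes."""
import re

# Constructed sample: the same views as the lab, with three deliberate mistakes.
SAMPLE_CONF = """\
options {
    listen-on port 53 { 192.168.1.100; };      // 127.0.0.1 missing
    directory "/var/named";
};
view "localhost_resolver" {
    match-clients { localhost; };
    match-destinations { localhost; };
    recursion yes;
    zone "." IN { type hint; file "named.ca"; };
};
view "internal" {
    match-clients { localhost; 192.168.1.0/24; };   // localhost matched a second time
    recursion yes;
    allow-recursion { 192.168.1.0/24; };
};
view "external" {
    match-clients { any; };
    recursion yes;                                  // anyone may recurse: open resolver
    allow-recursion { any; };
    zone "my-site.com" { type master; file "my-site.zone"; };
};
"""

# keyword, optional "name", anything up to the opening brace (e.g. `IN` or `port 53`)
_STMT = re.compile(r'(\w[\w-]*)\s*(?:"([^"]*)")?[^{;]*\{')


def strip_comments(conf):
    """named.conf allows /* */, // and # comments."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def _matching_brace(text, open_idx):
    depth = 0
    for j in range(open_idx, len(text)):
        depth += text[j] == "{"
        depth -= text[j] == "}"
        if depth == 0:
            return j
    raise ValueError("unbalanced braces in named.conf")


def top_level_blocks(conf):
    """Yield (keyword, name, body) for each top-level block, e.g. ('view', 'internal', ...)."""
    text, pos = strip_comments(conf), 0
    while (m := _STMT.search(text, pos)):
        close = _matching_brace(text, m.end() - 1)
        yield m.group(1), m.group(2), text[m.end():close]
        pos = close + 1


def acl(body, name):
    """Address list of `name [...] { a; b; }` inside body, or None if the statement is absent."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])[^{;]*\{([^}]*)\}", body)
    return None if not m else [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit(conf):
    """Return a list of findings; an empty list means none of the three pitfalls was seen."""
    findings, localhost_views = [], []
    for kw, name, body in top_level_blocks(conf):
        if kw == "options":
            listen = acl(body, "listen-on")
            if listen is not None and not {"127.0.0.1", "localhost", "any"} & set(listen):
                findings.append("options: listen-on omits 127.0.0.1, so the host cannot query itself")
        elif kw == "view":
            clients = acl(body, "match-clients") or ["any"]   # absent match-clients means any
            if "localhost" in clients:
                localhost_views.append(name)
            m = re.search(r"(?<![\w-])recursion\s+(yes|no)", body)
            recursive = m is None or m.group(1) == "yes"      # named defaults to recursion yes
            allow = acl(body, "allow-recursion")
            if recursive and "any" in clients and (allow is None or "any" in allow):
                how = ("allow-recursion { any; }" if allow
                       else "no allow-recursion ACL (check your BIND version's default)")
                findings.append(f'view "{name}": recursion on for match-clients {{ any; }} '
                                f"with {how}: open resolver")
    if len(localhost_views) > 1:
        findings.append("localhost is matched by views " + ", ".join(localhost_views)
                        + "; only the first one in the file ever serves the server's own queries")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

named-checkconf validates syntax only and will accept every one of the three mistakes, which is why a policy check of this kind is worth keeping next to it.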
Exercises for lab:
Exercise 1:- Configure the DNS server as a caching nameserver in addition to its role as an authoritative nameserver.
Home Work:
1) Describe the difference between an authoritative nameserver and a cache nameserver.
Lab No. 32: Dynamic DNS
Objective:
To familiarize students with the working of Dynamic DNS and its configuration.
Scope:
The students would be able to do the following at the end of this lab:
• Understand the working of Dynamic DNS
• Install Dynamic DNS Client
• Configure Dynamic DNS client
• Configure DDNS authentication
Useful Concepts:
Dynamic DNS (DDNS)
Used when you get a changing, dynamic Internet IP address via DHCP from your ISP. You will have to use the services of a third-party DNS provider to provide DNS information for your my-site.com domain.
Exercise-1:- This exercise illustrates Registering DDNS
Once you have decided to go ahead with DDNS you'll need to choose between the broad categories of
Dynamic DNS service.
Free Dynamic DNS: Your website name will be a sub domain of the DDNS provider's domain. For example, if the DDNS provider's domain is isp.net, then your site will become my-site.my-isp.net. You can perform all the necessary steps on your DDNS service provider's Web site. Remember that this type of service may be undesirable for a company that wants to establish its own corporate identity.
Another disadvantage is that you must rely on your DDNS provider staying in business or else you may lose your domain. When you own your own domain this worry largely goes away, as you are fully in control of the DNS registration and renewal process.
Paid Customized DNS: You can register the domain name of your choice and still host your website on a DHCP line.
If you choose to create your own domain and use a paid DDNS service then you'll need to follow these
steps:
1. Register your domains (such as my-site.com) with such companies as Verisign and RegisterFree.
2. Create an account with the DDNS provider and register your websites (sometimes called hosts) as part
of your domain (as in www.my-site.com and mail.my-site.com) with them. Your DDNS registration
process will provide you with a username and password which you'll need to use when configuring your
DDNS client.
3. Update your domain information with your main DNS registrar (Verisign and RegisterFree) to tell
them to direct queries to *.my-site.com to the DNS name servers of the DDNS provider.
4. Install a DDNS client on your web servers that continuously runs, only updating the DDNS provider's
DNS servers with the most current DHCP IP address of the site whenever it detects a change.
Note: You should also be prepared for slower response times for your home-based site than if you were
using a static IP and a regular DNS service
Exercise-2:- This exercise illustrates how to install a DDNS Client On Your Server
All DDNS service providers require that you use a DDNS client on your web server that will periodically update the IP address information in your provider's DDNS record. One very popular client, DDclient, now comes in RPM format.
DDNS Client Software - Linux DDclient
One of the most commonly used clients is DDclient, which can overcome the NAT limitations of DDNS
by actually logging into your SOHO firewall to determine the latest IP address information. Like most
RedHat and Fedora Linux software products, DDclient is available in the RPM format. You can usually
download the software from your DDNS provider, or you can find it at rpmfind.net. The RPM name
usually starts with ddclient followed by a version number, as in ddclient-3.6.3-1.noarch.rpm.
The /etc/ddclient.conf file
The ddclient.conf file is usually installed completely commented out, but provides many configuration
examples for the most popular DDNS providers. The most important general parameters to configure are:
Username: Your DDNS account's login name
Password: Your DDNS account's password
Use: The method used to determine the IP address to advertise to the DDNS server.
Some important DDNS provider parameters are:
Server: The name of the DDNS provider's main DNS server
Protocol: The methodology the DDNS client should use to communicate with the DDNS server
Your domain: The domain to which your web server will belong
You can use the ddclient command to determine the best use parameter to use in the ddclient.conf file. In
this example, only the use=web option gives a valid Internet IP address and should be considered as a first
option:
[root@root]# ddclient -daemon=0 -query
use=if, if=lo address is 127.0.0.1
use=if, if=wlan0 address is 192.168.1.100
use=web, web=dyndns address is 97.158.253.26
[root@root]#
Take a look at a sample configuration. This example specifies a username of my-account-login-name and a password of my-account-password, using the dyndns DDNS service provider's settings to track the Web site named mysite-example.dnsalias.com.
# General Parameter Section
login=my-account-login-name
password=my-account-password
# DDNS Provider Parameters Section
server=members.dyndns.org, \
protocol=dyndns2 \
mysite-example.dnsalias.com
You can add one of the following use lines to the General Parameter Section near the top of the file to
define the method that will be used to determine the correct IP address:
Query A Well Known Internet Server: The web method queries two well known servers run by
DynDNS.org and DNSpark to determine the public Internet IP address of the web server running the
DDclient software. This method is the simplest as it requires no further information and handles NAT
correctly.
use=web
Use The IP Address Of A Specific Server NIC: You can also use this option, which will query the IP address of the DDclient web server's NIC interface of your choice. This is probably most valuable for servers connected directly to the Internet, and not via NAT.
use=if, if=eth0
Login To Your SOHO Firewall For Information: The ddclient.conf file has a list of use statements for
various vendor's firewalls. If your model isn't listed, you can create your own parameters as outlined in
the ddclient README file. This option is good for NAT environments where the "use=web" option isn't
considered a good alternative.
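As an added example (not part of the manual and not ddclient's own code), the following Python shows what a DDNS client does between the use= detection and the provider: it refuses to advertise a loopback or private address such as the use=if results in the ddclient -query output above, sends an update only when the detected address differs from the last one sent, and speaks the dyndns2 protocol named in the sample configuration (an HTTPS GET of /nic/update?hostname=...&myip=... with the login and password carried in an HTTP Basic Authorization header, answered by a status word such as good, nochg or badauth). The provider is a constructed in-memory stand-in so that the example runs offline; the account name, password and host name are the placeholder values from the sample ddclient.conf above, and all function and class names are this example's own.

```python
"""Added example: the update half of a DDNS client modelled on the dyndns2 protocol."""
import base64
import ipaddress
import urllib.parse

DYNDNS2_SUCCESS = {"good", "nochg"}   # any other status word means stop and fix something


def is_advertisable(addr):
    """The sanity check behind 'ddclient -query': a loopback or RFC 1918 address
    (use=if on a NATed interface) must never be published to the provider."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def build_update_request(server, login, password, hostname, ip):
    """dyndns2 update: credentials travel in the Authorization header, never in the URL."""
    query = urllib.parse.urlencode({"hostname": hostname, "myip": ip})
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "User-Agent": "lab-ddns-example/0.1"}
    return f"https://{server}/nic/update?{query}", headers


def parse_dyndns2_response(body):
    """'good 97.158.253.26' -> ('good', '97.158.253.26'); 'badauth' -> ('badauth', None)."""
    parts = body.strip().split()
    return (parts[0], parts[1] if len(parts) > 1 else None) if parts else ("", None)


class DdnsUpdater:
    def __init__(self, server, login, password, hostname, http_get, last_ip=None):
        self.server, self.login, self.password = server, login, password
        self.hostname, self.http_get = hostname, http_get
        self.last_ip = last_ip        # ddclient keeps this in its cache file across restarts

    def run_once(self, detected_ip):
        """One pass of the daemon loop; returns the outcome as a short string."""
        if not is_advertisable(detected_ip):
            return "skipped-private"
        if detected_ip == self.last_ip:
            return "unchanged"         # resending an unchanged address is what earns an 'abuse' reply
        url, headers = build_update_request(self.server, self.login, self.password,
                                            self.hostname, detected_ip)
        code, ip = parse_dyndns2_response(self.http_get(url, headers))
        if code in DYNDNS2_SUCCESS:
            self.last_ip = ip or detected_ip
            return code
        return "error:" + code


def fake_provider(login, password):
    """Constructed stand-in for members.dyndns.org so the example runs offline."""
    expected = "Basic " + base64.b64encode(f"{login}:{password}".encode()).decode()
    state = {"ip": None, "calls": 0}

    def http_get(url, headers):
        state["calls"] += 1
        if headers.get("Authorization") != expected:
            return "badauth"
        myip = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["myip"][0]
        if myip == state["ip"]:
            return "nochg " + myip
        state["ip"] = myip
        return "good " + myip

    http_get.state = state
    return http_get


def demo():
    """Replay the addresses from the 'ddclient -query' output above, plus one address change."""
    provider = fake_provider("my-account-login-name", "my-account-password")
    client = DdnsUpdater("members.dyndns.org", "my-account-login-name", "my-account-password",
                         "mysite-example.dnsalias.com", provider)
    seen = ["97.158.253.26", "97.158.253.26", "192.168.1.100", "97.158.253.27"]
    return [client.run_once(ip) for ip in seen], provider.state["calls"]


if __name__ == "__main__":
    print(demo())   # (['good', 'unchanged', 'skipped-private', 'good'], 2)
```

Two points carry over to the real client: because ddclient.conf holds the account password in clear text it should be readable by root only, and the cache of the last published address is what keeps a daemon that wakes every few minutes from hammering the provider.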
After editing your configuration file you'll have to start ddclient as shown in the next section.
Exercise-3:- This exercise illustrates How to Get DDclient Started
You can configure DDclient to start at boot time using the chkconfig command:
[root@root]# chkconfig ddclient on
You can start, stop, and restart DDclient after boot time using the DDclient initialization script as in:
[root@root]# service ddclient start
[root@root]# service ddclient stop
[root@root]# service ddclient restart
Remember to restart the ddclient process every time you make a change to the ddclient.conf file for the
changes to take effect on the running process.
You can test whether the ddclient process is running with the pgrep command; you should get a response of plain old process ID numbers:
[root@root]# pgrep ddclient
Exercises for lab:
• Exercise 1:- Install Dynamic DNS client software.
• Exercise 2:- Configure DDNS client authentication.
Home Work:
1) What are the advantages of a dynamic DNS server?
References:
www.linuxhomenetworking.com.