A) iptables script

#!/bin/bash

ipt=$(which iptables)

#Flush all existing rules  
$ipt -F

#Set default policies  
$ipt -P INPUT DROP  
$ipt -P OUTPUT ACCEPT  
$ipt -P FORWARD DROP

#Allow loopback traffic  
$ipt -A INPUT -i lo -j ACCEPT

#Allow stuff back in that we’ve sent out  
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow inbound SSH to this box  
$ipt -A INPUT -p tcp --dport 22 --source 172.16.0.0/16 -j ACCEPT

#Save the rules  
/sbin/service iptables save

#Show the rules  
$ipt --list -n -v

Test (from desktop machine):
nmap -PN server.example.com

B) Caching Nameserver

Objectives:

  • Configure a caching-only name server.
  • Configure a caching-only name server to forward DNS queries.
  • Note: Candidates are not expected to configure master or slave name servers.

1) Install bind and start it

yum install -y bind  
chkconfig named on

2) Make changes to named.conf - vim /etc/named.conf

listen-on port 53 { any; };  
allow-query { 172.16.0.0/16; };  
forwarders { 172.16.200.1; };  
dnssec-validation no;

3) Create the necessary iptables rules (append to /root/resetfw.sh) - vim /root/resetfw.sh

iptables -A INPUT -p tcp --dport 53 --source 172.16.0.0/16 -j ACCEPT
iptables -A INPUT -p udp --dport 53 --source 172.16.0.0/16 -j ACCEPT

4) Start named
service named start

5) Turn query logging on or off as required (queries are logged to /var/log/messages):
rndc querylog

C) NFS

Objectives:

  • Provide network shares to specific clients.
  • Provide network shares suitable for group collaboration.

1) Install NFS
yum groupinstall -y nfs-file-server

2) Create the shared directories

mkdir -p /exports/read  
mkdir /exports/write
chgrp groupname /exports/write  
chmod 775 /exports/write  
chmod g+s /exports/write (files created in the write dir are group-owned by groupname rather than by the creator's primary group)  
chmod o+t /exports/write (files created in the write dir can only be deleted by the user who created them)

3) Create /etc/exports file

/exports/read  172.16.0.0/16(ro,sync)  
/exports/write 172.16.0.0/16(rw,sync)

4) Create /etc/sysconfig/nfs file and change ports (copy the port lines out, then uncomment them and set the values below)

grep PORT /etc/sysconfig/nfs > /etc/sysconfig/nfs.new  
vim /etc/sysconfig/nfs.new

RQUOTAD_PORT=4000  
LOCKD_TCPPORT=4001  
LOCKD_UDPPORT=4001  
MOUNTD_PORT=4002  
STATD_PORT=4003

mv /etc/sysconfig/nfs.new /etc/sysconfig/nfs

5) Create the necessary iptables rules (append to /root/resetfw.sh)

iptables -A INPUT -p tcp --dport 111 -s 172.16.0.0/16 -j ACCEPT  
iptables -A INPUT -p udp --dport 111 -s 172.16.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 2049 -s 172.16.0.0/16 -j ACCEPT  
iptables -A INPUT -p udp --dport 2049 -s 172.16.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 4000:4003 -s 172.16.0.0/16 -j ACCEPT
iptables -A INPUT -p udp --dport 4000:4003 -s 172.16.0.0/16 -j ACCEPT

6) Restart NFS and load new firewall rules

/root/resetfw.sh  
service nfs restart && service rpcbind restart

7) Use the automounter on the client to test

Test by becoming a user (on the NFS client) who is in the group and attempting to create a file in both the /exports/read and /exports/write directories. Then become another user in the same group and try to delete the file created by the first user in /exports/write (the sticky bit, o+t, should prevent this).

su - user1  
showmount -e server1.example.com  
cd /net/server1.example.com/exports/write  
touch testfile1  
exit  
su - user2  
cd /net/server1.example.com/exports/write  
rm testfile1
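A check for step 6, added here as an example and not part of the original notes: it parses the output of rpcinfo -p (a constructed sample is embedded, since the function takes the text as an argument) and confirms that each RPC service NFS depends on is bound to the port fixed in /etc/sysconfig/nfs, which is the only way the 4000:4003 firewall rules are sufficient. The function name check_rpc_ports and the sample values are this example's own.

```shell
#!/bin/bash
# Added example (not from the original notes): confirm that the RPC services NFS
# relies on actually bound to the fixed ports from /etc/sysconfig/nfs. A daemon that
# was not restarted after the edit keeps its old random port, and the 4000:4003
# firewall rules silently block it. The rpcinfo output below is constructed.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100011    1   udp   4000  rquotad
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100024    1   udp  43421  status
    100024    1   tcp   4003  status'

# Service name -> port we expect, matching the values set in /etc/sysconfig/nfs.
EXPECTED_PORTS='portmapper 111
nfs 2049
rquotad 4000
nlockmgr 4001
mountd 4002
status 4003'

# check_rpc_ports "<rpcinfo -p output>": prints one line per mismatch and returns
# 1 if any expected service is missing or bound to a port other than the fixed one.
check_rpc_ports() {
  rpcinfo_text=$1; rc=0
  while read -r svc want; do
    # rpcinfo -p columns: program vers proto port service; one line per protocol.
    bound=$(printf '%s\n' "$rpcinfo_text" | awk -v s="$svc" '$5 == s { print $4 }' | sort -u)
    if [ -z "$bound" ]; then
      echo "$svc: not registered with rpcbind"
      rc=1
      continue
    fi
    for p in $bound; do
      [ "$p" = "$want" ] || { echo "$svc: bound to port $p, expected $want"; rc=1; }
    done
  done <<EOF
$EXPECTED_PORTS
EOF
  return $rc
}

# Run against the sample: reports the rpc.statd UDP side still on a random port.
check_rpc_ports "$SAMPLE_RPCINFO" || echo "NFS port check FAILED: restart the service and re-check"
```

On a real host feed it live data with check_rpc_ports "$(rpcinfo -p)" after service nfs restart.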

D) RPM

Objectives:

  • Build a simple RPM that packages a single file.

If you intend to sign this package, you’ll need to create a gpg key with “gpg --gen-key” (graphical session required)

1) Install RPM Build
yum install -y rpm-build

2) Create the required directories in the user’s home

su - user  
mkdir ~/rpmbuild  
mkdir ~/rpmbuild/SOURCES  
mkdir ~/rpmbuild/SPECS

3) Create a tarball which contains the required file(s)

cd ~/rpmbuild/SOURCES  
mkdir helloworld-1.1 (put a shell script named helloworld in here; that is the file the spec's %install section copies)  
tar zcvf helloworld-1.1.tar.gz helloworld-1.1  
rm -rf helloworld-1.1

4) Create the spec file
cd ~/rpmbuild/SPECS  
vim helloworld.spec

Name:           helloworld  
Version:        1.1  
Release:        1%{?dist}  
Summary:        helloworld script  
Group:          Applications  
BuildArch:      noarch  
License:        GPL  
Source0:        helloworld-1.1.tar.gz  
BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

BuildRequires:  /bin/bash  
Requires:       /bin/bash

%description

This is a simple rpm containing helloworld

%prep  
%setup -q

%build

%install  
rm -rf $RPM_BUILD_ROOT  
mkdir $RPM_BUILD_ROOT  
mkdir -p $RPM_BUILD_ROOT/usr/bin  
install -m '0755' helloworld $RPM_BUILD_ROOT/usr/bin

%clean  
rm -rf $RPM_BUILD_ROOT

%files  
%defattr(-,root,root,-)  
%doc  
/usr/bin/helloworld

%changelog  
* Tue Sep 28 2004 Joe Orton <[email protected]> 2.0.52-2  
- update to 2.0.52

6) Build the rpm
rpmbuild -ba helloworld.spec

7) Sign the rpm

gpg  --list-keys (note unique identifier)  
vim ~/.rpmmacros  
%_gpg_name A123456  
rpm --resign rpmbuild/RPMS/noarch/helloworld-1.1-1.el6.noarch.rpm 

8) Test that your RPM installs

su -  
cd /home/jane/rpmbuild/RPMS/noarch/  
rpm -Uvh helloworld-1.1-1.el6.noarch.rpm  
rpm -e helloworld

9) To host it in a yum repo, make a directory underneath the webroot

su -   
mkdir /var/www/html/jane  
cd /home/jane/rpmbuild/RPMS/noarch  
mv helloworld-1.1-1.el6.noarch.rpm /var/www/html/jane  
yum install -y createrepo  
createrepo /var/www/html/jane

10) Export the user’s public key and put a copy in the web repo directory:

gpg --export -a -o /home/jane/jane.key 80E0FDD  
su -  
cp /home/jane/jane.key /var/www/html/jane

11) Create the repo file - vim /etc/yum.repos.d/jane.repo

[jane]  
baseurl=http://server1.example.com/jane  
enabled=1  
gpgkey=http://server1.example.com/jane/jane.key  
gpgcheck=1

12) Ensure that SELinux will allow us to download the package (the RPM was moved rather than copied into the webroot, so it kept its home-directory context instead of the httpd_sys_content_t the web server needs)
restorecon -Rv /var/www/html/jane/

13) Test by doing:
yum install helloworld
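An audit for the repo file from step 11, added here as an example and not part of the original notes: it walks every [section] of a yum .repo file and flags enabled repos whose gpgcheck is off, which have no gpgkey, or whose key is fetched over plain http (as jane.repo does), since a key obtained that way should have its fingerprint compared out-of-band before it is trusted. The functions audit_repo_file and make_sample_repo and the constructed repo file are this example's own.

```shell
#!/bin/bash
# Added example (not from the original notes): audit yum .repo files for the settings
# that make gpgcheck meaningful. For a key fetched over plain http, import it and
# compare fingerprints (gpg --fingerprint) before trusting it. Sample file is constructed.
# audit_repo_file <file>: prints "<repo>: <verdict>" for every [section] in the file.
audit_repo_file() {
  awk '
    function report() {
      if (name == "") return
      if (enabled != "1")          verdict = "disabled, skipped"
      else if (gpgcheck != "1")    verdict = "WARN gpgcheck not enabled"
      else if (gpgkey == "")       verdict = "WARN no gpgkey, signatures cannot be verified"
      else if (gpgkey ~ /^http:/)  verdict = "WARN gpgkey fetched over plain http, verify fingerprint"
      else                         verdict = "ok"
      print name ": " verdict
    }
    /^\[.*\][ \t]*$/ {                     # new section: report the previous one first
      report()
      name = $0; sub(/^\[/, "", name); sub(/\].*$/, "", name)
      enabled = "1"; gpgcheck = ""; gpgkey = ""   # yum treats a missing enabled= as 1
      next
    }
    /^[ \t]*[#;]/ { next }                 # comment line
    /=/ {
      key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
      val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "enabled") enabled = val
      else if (key == "gpgcheck") gpgcheck = val
      else if (key == "gpgkey") gpgkey = val
    }
    END { report() }
  ' "$1"
}

# make_sample_repo <file>: constructed repo file with one definition laid out like
# jane.repo in the notes and one with signature checking switched off.
make_sample_repo() {
  cat > "$1" <<'EOF'
[jane]
baseurl=http://server1.example.com/jane
enabled=1
gpgkey=http://server1.example.com/jane/jane.key
gpgcheck=1
[lab-nosig]
baseurl=http://server1.example.com/lab
enabled=1
gpgcheck=0
EOF
}

tmp=$(mktemp) && make_sample_repo "$tmp" && audit_repo_file "$tmp"; rm -f "$tmp"
```

Run it over the live configuration with: for f in /etc/yum.repos.d/*.repo; do audit_repo_file "$f"; done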

E) iSCSI

Objective:

  • Configure a system as an iSCSI initiator that persistently mounts an iSCSI target.

1) Install the software
yum install -y iscsi-initiator-utils

2) Get the targetname (specify an IP, NOT a hostname)
iscsiadm -m discovery -t st -p 172.16.100.100

3) Log into the target (specify an IP, NOT a hostname)
iscsiadm -m node -T iqn.1234.com.test:abc1 -p 172.16.100.100 -l

4) Find out what the new disk has been presented to the OS as:

dmesg  
tail /var/log/messages  
fdisk -cul

5) Use fdisk in the usual way to create a new partition
fdisk /dev/sdc

6) Make a new filesystem on the device
mkfs.ext4 /dev/sdc1

7) Get the block device id of the new partition
blkid /dev/sdc1

8) Include an entry in fstab with the _netdev directive, using the UUID reported by blkid
UUID=1234 /mnt/point ext4 _netdev 1 2