RHCE Guide


System Configuration and Management

Route IP traffic and create static routes

For instance:

route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.254
route add -host 192.168.3.3 dev tun0

Persisting to /etc/sysconfig/network-scripts/route-<device>:

192.168.3.0/255.255.255.0 via 192.168.1.254
192.168.3.3 dev tun0

Use iptables to implement packet filtering and configure network address translation (NAT)

-vnL --line-numbers: list all rules, in full, numeric mode.
-A CHAIN <rule> -j <TARGET>: adds a rule to the end of CHAIN
-I CHAIN # <rule> -j <TARGET>: inserts a rule as rule # in CHAIN (first if no # is given).
-D CHAIN #: deletes rule # from CHAIN
-F CHAIN: deletes all rules from CHAIN

Source IP or network: -s 192.0.2.0/24
Destination IP or network: -d 10.0.0.1
UDP/TCP and ports: -p udp --sport 68 --dport 67
ICMP and types: -p icmp --icmp-type echo-reply
Inbound network interface: -i eth0
Outbound network interface: -o eth0

Remember to run service iptables save | restart (review the /etc/sysconfig/iptables file). An example, opening ssh:

iptables -I INPUT 5 -p tcp -m tcp --dport 22 -j ACCEPT

Destination NAT uses the PREROUTING chain. Source NAT uses the POSTROUTING chain. For instance, for a gateway of an internal network (with eth0 for the outside network) use SNAT:

iptables -t nat -I POSTROUTING -o eth0 -s 172.168.1.0/24 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

An example for DNAT (for port forwarding):

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.168.1.230
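The gateway configuration above (MASQUERADE for the LAN, the port-80 DNAT and ip_forward) as one persistent script, added here as an example and not taken from the guide; gateway_rules and persist_ip_forward are the example's own names, and the interface and addresses are the ones used in the commands above.

```shell
#!/bin/bash
# Added example (not from the guide): the NAT gateway above as a persistent
# ruleset in the format `service iptables save` writes to /etc/sysconfig/iptables.
# Assumed: eth0 faces outside, the LAN is 172.168.1.0/24, web host 172.168.1.230.
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-172.168.1.0/24}
WEB_HOST=${WEB_HOST:-172.168.1.230}

# Print the filter and nat tables. INPUT and FORWARD default to DROP, so only
# replies, ssh, LAN-to-outside traffic and the forwarded port 80 get through.
gateway_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -d $WEB_HOST -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp -m tcp --dport 80 -j DNAT --to-destination $WEB_HOST
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Make forwarding survive a reboot: set the key in sysctl.conf (RHEL6 ships it
# as 0) instead of only echoing into /proc. The path is a parameter for testing.
persist_ip_forward() {
  conf=${1:-/etc/sysctl.conf}
  if grep -q '^net\.ipv4\.ip_forward' "$conf" 2>/dev/null; then
    sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' "$conf"
  else
    echo 'net.ipv4.ip_forward = 1' >> "$conf"
  fi
}

# Apply everything (as root): write the file, then load rules and sysctl.
if [ "$1" = install ]; then
  gateway_rules > /etc/sysconfig/iptables
  persist_ip_forward && sysctl -p
  service iptables restart
fi
```

Run it with the argument install to apply; without arguments it only defines the functions, so gateway_rules can be inspected first.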

Use /proc/sys and sysctl to modify and set kernel run-time parameters

sysctl -a shows the current values; sysctl -w changes a parameter on the fly. Run sysctl -p after modifying /etc/sysctl.conf.

Configure system to authenticate using Kerberos

Install krb5-workstation if not installed. Configure using system-config-authentication:

LDAP Server: <host>
LDAP Certificate: <URL>
LDAP Base DN: <DN>
Kerberos REALM: <realm>
Kerberos KDC: <host>
Kerberos Admin Server: <host>

Select LDAP for User Account Database and Kerberos for Authentication Method. Be sure the sssd service is running.

Build a simple RPM that packages a single file

Use a normal user:

mkdir -p rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
cd rpmbuild/SPECS
vi test.spec
rpmbuild [--sign] -ba test.spec

If you need a GPG signing key:


gpg --gen-key (get the <public key ID> from the output)
gpg -a -o <filename> --export <public key ID>
echo "%_gpg_name <public key ID>" > ~/.rpmmacros

You can use the rpmdevtools package (commands rpmdev-setuptree and rpmdev-newspec) for assistance. Remember the createrepo package if you need to build a yum repo.

Configure a system as an iSCSI initiator that persistently mounts an iSCSI target

Install the iscsi-initiator-utils package and start the iscsi and iscsid services. Find targets:

iscsiadm -m discovery -t sendtargets -p <host>

Login to target:

iscsiadm -m node --targetname iqn.2001-05.com.doe:test -p <host>:<port> --login

If you want to log out from an iSCSI target temporarily use the -u option; if you want to disconnect persistently use -o delete. If you want to mount automatically, use the UUID in /etc/fstab and mount with the _netdev option.

Produce and deliver reports on system utilization (processor, memory, disk, and network)

Use sar (sar -A reports all simultaneously; review the man page for specific info), from the sysstat package. Without a range of time it gives stats for the day. Schedule: /etc/cron.d/sysstat.

Use shell scripting to automate system maintenance tasks

Some random examples. Doing something to each file in a directory:

for i in *; do echo "$i"; done

Doing something for each line in a file:

while read i; do echo $i; done < anaconda-ks.cfg

Repeating a task every 10 seconds:

while true; do echo Hello World; sleep 10; done

Create a task that occurs the same time every day

crontab -e
1 22 * * * echo Hello World

Create a task that occurs once at a specific time/day

at 10pm Dec 31 [return]
echo Hello World [return]
[CTRL]+d
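The loop, test-expression and positional-parameter idioms of this section combined into one maintenance script, added here as an example that is not part of the guide; the script name cleanup.sh and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the guide): a maintenance script built from the idioms
# in this section: test expressions, positional parameters and loops. All names
# are the example's own. Usage: cleanup.sh DIRECTORY DAYS, which deletes regular
# files under DIRECTORY last modified more than DAYS days ago.

# Validate the positional parameters; report the problem and return 1 on error.
check_args() {
  if [ $# -ne 2 ]; then
    echo "usage: $0 DIRECTORY DAYS" >&2; return 1
  fi
  if [ ! -d "$1" ] || [ ! -w "$1" ]; then
    echo "$1: not a writable directory" >&2; return 1
  fi
  case $2 in
    ''|*[!0-9]*) echo "$2: DAYS must be a whole number" >&2; return 1 ;;
  esac
}

# List the regular files older than DAYS days. find is used instead of
# parsing ls output, so file names with spaces are handled correctly.
list_old_files() {
  find "$1" -type f -mtime +"$2"
}

# Remove each listed file (a while-read loop over find's output) and print
# how many were removed. The loop runs in the pipeline's subshell, so the
# count is echoed from inside it.
purge_old_files() {
  list_old_files "$1" "$2" | {
    count=0
    while IFS= read -r f; do
      rm -f -- "$f" && count=$((count + 1))
    done
    echo "$count"
  }
}

# Only act when run as a script, so the functions can also be sourced.
case $0 in
  *cleanup.sh)
    check_args "$@" || exit 1
    echo "removed $(purge_old_files "$1" "$2") file(s) from $1"
    ;;
esac
```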

Boolean expressions: test EXPRESSION or [ EXPRESSION ]
test -{ n | z } for non-zero or zero length string
==, !=, <, >, <=, >= for string comparison
-eq, -ne, -lt, -gt, -le, -ge for numerical comparison
test -{ e | f | d | r | w | x | s } FILE for file status
-o, -a, ! are logical operators
Positional parameters: $1, $2, ...
Number of positional parameters: $#
All parameters: $@

Configure a system to log to a remote system

For instance, to send the security logs to a remote host, edit /etc/rsyslog.conf:
authpriv.* @192.168.54.250

Use the @@ notation if you want to use TCP instead of UDP.

Configure a system to accept logging from a remote system

Uncomment the following lines in /etc/rsyslog.conf:

#$ModLoad imudp.so
#$UDPServerRun 514

Restart the rsyslog service:

service rsyslog restart

Create the rule for allowing the port in the firewall:

iptables -I INPUT 5 -p udp -m udp --dport 514 -j ACCEPT
service iptables save
service iptables restart

Network Services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

Install the packages needed to provide the service
Configure SELinux to support the service
Configure the service to start when the system is booted
Configure the service for basic operation
Configure host-based and user-based security for the service

RHCE candidates should also be capable of meeting the following objectives associated with specific services:

HTTP/HTTPS
Configure a virtual host

Edit the configuration file /etc/httpd/conf/httpd.conf:

NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.wonka-chocolates.com
    ServerAlias wonka-chocolates.com
    DocumentRoot /var/www/wonka-chocolates.com/html
</VirtualHost>

Configure private directories

Create the user/password file:

htpasswd -cm /etc/httpd/.htpasswd bob
htpasswd -m /etc/httpd/.htpasswd alice

Edit /etc/httpd/conf/httpd.conf:

<Directory /var/www/virtual1/html>
    AuthType Basic
    AuthName "Secret Stuff"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Directory>

Of course, you can use a .htaccess file, but you need to permit AllowOverride AuthConfig for that directory.

Deploy a basic CGI application

/etc/httpd/conf/httpd.conf:

<Directory /var/www/cgi-bin>
    Options +ExecCGI
    AddHandler cgi-script .pl .cgi
</Directory>

Edit cgi-bin/hello.pl (and make it executable):

#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "hello!";

Configure group-managed content

Configuring one DocumentRoot to be administered by a group (the idea is to use a set-GID directory):

chgrp -R webadmins <document_root>
chmod 2775 <document_root>   (or chmod g+s <document_root>)

Remember the SELinux type on the contents of <document_root> must be either httpd_sys_content_t or public_content_t. For example (the package libsemanage-python must be installed):

semanage fcontext -a -t httpd_sys_content_t '<document_root>(/.*)?'
restorecon -vFR <document_root>

DNS
Configure a caching-only name server

By default, RHEL6 gives you a caching name server.

yum install bind
vim /etc/named.conf
service named start
chkconfig named on

Don't forget to configure the firewall (open 53 TCP/UDP) and review SELinux (getsebool -a | grep named). After that, review the following options directives:

listen-on [port 53] { <IP_interfaces>; };
listen-on-v6 [port 53] { <IP_interfaces>; };
allow-query { <IP_or_network>; };
recursion yes;

The IP can be a list of IP addresses or subnets in CIDR notation, or named ACLs such as any; (all hosts) or none; (no hosts).

Configure a caching-only name server to forward DNS queries

Use the following options directives:

forwarders { <ip_servidor_dns>; };
forward only;

Use dig for troubleshooting: dig (host|domain) [record_type]. Note: candidates are not expected to configure master or slave name servers.

FTP

Configure anonymous-only download

Install the packages needed to provide the service:

yum install vsftpd

Configure anonymous-only download in /etc/vsftpd/vsftpd.conf:

anonymous_enable=YES
anon_upload_enable=NO
local_enable=NO

Configure SELinux to support the service (getsebool -a | grep ftpd). Use the public_content_t file context for the content:

semanage fcontext -a -t public_content_t '<ftp_directory>(/.*)?'
restorecon -vvFR <ftp_directory>

Configure host-based and user-based security for the service

Host: use iptables.
User: in vsftpd.conf, local_enable=YES

NFS
yum install nfs-utils
getsebool -a | grep nfs
chkconfig nfs on

Open the firewall (port 2049 if NFSv4). The services rpcbind and nfslock must be running.

Provide network shares to specific clients

/etc/exports:

/mpoint host(ro) host2(rw) 192.168.2.0/24(ro)

This allows read/write access to host2 and read-only access to host and 192.168.2.0/24.

Provide network shares suitable for group collaboration

Create a sharegroup. Add users to sharegroup. Create the shared directory and set-GID on it.

SMB
yum install samba
getsebool -a | grep samba
chkconfig smb on

Open the firewall: tcp ports 139 and 445, udp ports 137 and 138.

Provide network shares to specific clients

In the global or share-specific section, use the hosts allow (and hosts deny) directive to limit access to a list of hosts (using the trailing-dot notation, for instance 10.0.2. ). Of course, you can also use the valid users (and write list) directives for user-driven security.

Provide network shares suitable for group collaboration

Add the group workers: groupadd -r workers
Create the collaborative directory, set-GID with the group workers: chmod 2770 /shared
Correct the SELinux context:

semanage fcontext -a -t samba_share_t '/shared(/.*)?'
restorecon -vvFR /shared

Add users to the group: useradd user1 ...

In smb.conf create a section like:

[shared]
path = /shared
valid users = @workers
writeable = yes
public = no

If you want other users to be able to read the share, change the permissions at the Linux level:

chmod 2775 /shared

and use the following share definition:

[shared]
path = /shared
writeable = no
write list = @workers
public = no
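The set-GID collaboration directory that the HTTP (group-managed content), NFS and SMB sections all rely on, as a script that creates it and then verifies that new files really inherit the group; this is an added example, not part of the guide, and setup_shared_dir and check_shared_dir are its own names. The SELinux type (httpd_sys_content_t or samba_share_t) is passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the guide): create and verify a group-collaboration
# directory of the kind used for httpd group-managed content and for NFS/SMB
# shares. Function names are the example's own.

# setup_shared_dir DIR GROUP [MODE] [SELINUX_TYPE]
# MODE 2770 = members only (the SMB example), 2775 = others may read.
setup_shared_dir() {
  dir=$1 group=$2 mode=${3:-2770} setype=$4
  getent group "$group" >/dev/null || { echo "no such group: $group" >&2; return 1; }
  mkdir -p "$dir" && chgrp -R "$group" "$dir" && chmod "$mode" "$dir" || return 1
  # Record the label in the SELinux policy and apply it; skipped where the
  # semanage tool (libsemanage-python / policycoreutils-python) is absent.
  if [ -n "$setype" ] && command -v semanage >/dev/null 2>&1; then
    semanage fcontext -a -t "$setype" "$dir(/.*)?" 2>/dev/null ||
      semanage fcontext -m -t "$setype" "$dir(/.*)?"   # already defined: modify it
    restorecon -vFR "$dir"
  fi
}

# check_shared_dir DIR GROUP: confirm the set-GID bit is on, the directory is
# owned by GROUP, and a new file inside inherits GROUP (what set-GID buys us).
check_shared_dir() {
  dir=$1 group=$2
  [ -g "$dir" ] || { echo "$dir: set-GID bit is not set" >&2; return 1; }
  [ "$(stat -c %G "$dir")" = "$group" ] || { echo "$dir: group is not $group" >&2; return 1; }
  probe=$(mktemp "$dir/.probe.XXXXXX") || return 1
  owner=$(stat -c %G "$probe")
  rm -f "$probe"
  [ "$owner" = "$group" ] || { echo "new files get group $owner, not $group" >&2; return 1; }
}
```

For the SMB example above the call is setup_shared_dir /shared workers 2770 samba_share_t followed by check_shared_dir /shared workers.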

SMTP
yum install postfix
chkconfig postfix on

Open 25/TCP in the firewall.

Configure a mail transfer agent (MTA) to accept inbound email from other systems

By default Postfix listens only for local connections; you must enable it with the following directive in /etc/postfix/main.cf and restart the service:

inet_interfaces = all

Configure an MTA to forward (relay) email through a smart host

You must change the following directive:

relayhost = [<host>]   (the brackets turn off the MX lookup for the host)

Note: other directives used are the following:
myorigin: masquerade as ...
mydestination: receive mail for ...
local_transport: local delivery
mynetworks: relay from ...

And some commands:
postfix flush: manually flush the pending mails.
mailq: see the enqueued mails.
postconf -e: change a directive in /etc/postfix/main.cf.
/var/log/maillog is the default log file of the service.

SSH
Configure key-based authentication

Configure /etc/ssh/sshd_config:

PubkeyAuthentication yes

Test:

ssh-keygen
ssh-copy-id user@host
ssh user@host

Configure additional options described in documentation
