Cloud Network


Tuesday, September 2, 2014

What is Iptables & How to Implement on Linux

Iptables

How To Start iptables
You can start, stop, and restart iptables after booting by using the commands:
[root@bigboy tmp]# service iptables start
[root@bigboy tmp]# service iptables stop
[root@bigboy tmp]# service iptables restart
To get iptables configured to start at boot, use the chkconfig command:
[root@bigboy tmp]# chkconfig iptables on

Determining The Status of iptables
You can determine whether iptables is running or not via the service iptables status command. Fedora Core will give a simple status message. For example:
[root@bigboy tmp]# service iptables status
Firewall is stopped.
[root@bigboy tmp]#

Table 14-1 Processing For Packets Routed By The Firewall

Queue type: filter (packet filtering)
  FORWARD      Filters packets to servers accessible by another NIC on the firewall.
  INPUT        Filters packets destined to the firewall.
  OUTPUT       Filters packets originating from the firewall.

Queue type: nat (network address translation)
  PREROUTING   Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
  POSTROUTING  Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
  OUTPUT       Network address translation for packets generated by the firewall. (Rarely used in SOHO environments)

Queue type: mangle (packet header modification)
  PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD
               Modification of packet header fields, typically the type-of-service / quality-of-service bits, before routing occurs. (Rarely used in SOHO environments)

A packet from the Internet therefore passes through nat PREROUTING first, then the routing decision, then filter INPUT (if addressed to the firewall) or filter FORWARD (if routed through it), and finally nat POSTROUTING on the way out.

Targets And Jumps

target: ACCEPT
  • iptables stops further processing of the packet in this chain.
  • The packet is handed over to the end application or the operating system for processing.
  Most common options: N/A

target: DROP
  • iptables stops further processing.
  • The packet is silently discarded; the sender receives no reply.
  Most common options: N/A

target: LOG
  • The packet information is sent to the syslog daemon for logging.
  • iptables continues processing with the next rule in the chain (LOG is a non-terminating target).
  • Because a single rule cannot both log and drop, it is common to have two similar rules in sequence: the first logs the packet, the second drops it.
  --log-prefix "string"
    Tells iptables to prefix all log messages with a user-defined string. Frequently used to record why the logged packet was dropped.

target: REJECT
  • Works like the DROP target, but also returns an error message to the sending host saying that the packet was blocked.
  --reject-with qualifier
    The qualifier selects the type of reject message returned:
    icmp-port-unreachable (default)
    icmp-net-unreachable
    icmp-host-unreachable
    icmp-proto-unreachable
    icmp-net-prohibited
    icmp-host-prohibited
    tcp-reset (valid only in rules that match -p tcp)

target: DNAT
  • Destination network address translation, i.e. rewriting the destination IP address of the packet. Valid in the nat table's PREROUTING and OUTPUT chains.
  --to-destination ipaddress
    Tells iptables what the destination IP address should be.

target: SNAT
  • Source network address translation, rewriting the source IP address of the packet to a user-defined address. Valid in the nat table's POSTROUTING chain.
  --to-source <address>[-<address>][:<port>-<port>]
    Specifies the source IP address(es) and ports to be used by SNAT.

target: MASQUERADE
  • Source network address translation for interfaces whose address may change (DHCP, dial-up): the source IP address is replaced with whatever address the outgoing interface currently has, so no address needs to be specified.
  [--to-ports <port>[-<port>]]
    Specifies the range of source ports to which the original source port can be mapped.

Table 14-2 General Iptables Match Criteria
Switch                Description
-t <table>            If you don't specify a table, the filter table is assumed. As discussed before, the built-in tables are filter, nat and mangle.
-j <target>           Jump to the specified target (or user-defined chain) when the packet matches the current rule.
-A <chain>            Append rule to the end of a chain.
-F [<chain>]          Flush. Deletes all the rules in the selected chain, or in every chain of the table if no chain is given.
-p <protocol-type>    Match protocol. Types include icmp, tcp, udp, and all.
-s <ip-address>       Match source IP address (a host, or a network in CIDR notation).
-d <ip-address>       Match destination IP address.
-i <interface-name>   Match the "input" interface on which the packet enters.
-o <interface-name>   Match the "output" interface on which the packet exits.

In this command switches example:
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT
iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192.168.1.1. The 0/0 representation of an IP address means any.

In this example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
         --sport 1024:65535 --dport 80 -j ACCEPT
iptables is being configured to forward TCP packets that arrive on eth0 from any address, with a source port in the unprivileged range 1024 to 65535, out of eth1 to the web server 192.168.1.58 on port 80.

In this example:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables is being configured to allow the firewall to send ICMP echo-requests (pings) and in turn, accept the expected ICMP echo-replies.

Consider another example:
iptables -A INPUT -p icmp --icmp-type echo-request \
         -m limit --limit 1/s -i eth0 -j ACCEPT
The limit match accepts at most one inbound ping per second on eth0; packets above that rate do not match and fall through to the rules that follow (normally a DROP), which blunts ping floods. The same idea applied to TCP connection attempts:
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
accepts at most five new TCP connections (SYN packets) per second on eth0.

This is an expansion on the previous FORWARD example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
         --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP \
         -m state --state ESTABLISHED -j ACCEPT
The multiport match allows both HTTP (80) and HTTPS (443) to be forwarded to the server, and the second rule allows the server's replies back out of eth0 only for connections that connection tracking already knows about (ESTABLISHED), so the server cannot open new connections to the Internet through this rule.
Using User Defined Chains
User-defined chains let you group related rules and jump to them from the built-in chains. Each chain must be created with -N before any rule refers to it:
iptables -N fast-input-queue
iptables -N fast-output-queue
iptables -N icmp-queue-in
iptables -N icmp-queue-out

iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue
iptables -A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue

iptables -A fast-input-queue -p icmp -j icmp-queue-in
iptables -A fast-output-queue -p icmp -j icmp-queue-out

iptables -A icmp-queue-out -p icmp --icmp-type echo-request \
         -m state --state NEW -j ACCEPT
iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT

A packet that reaches the end of a user-defined chain without matching a terminating rule returns to the chain that jumped to it and continues with the next rule there.

Custom Queues Example Listing
Chain               Description
INPUT               The regular built-in INPUT chain in iptables
OUTPUT              The regular built-in OUTPUT chain in iptables
fast-input-queue    Input chain dedicated to identifying specific protocols and shunting the packets to protocol-specific chains.
fast-output-queue   Output chain dedicated to identifying specific protocols and shunting the packets to protocol-specific chains.
icmp-queue-out      Output queue dedicated to ICMP
icmp-queue-in       Input queue dedicated to ICMP

Saving Your iptables Scripts

[root@bigboy tmp]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004
This example exports the iptables-save output to a text file named firewall-config and then loads it back with iptables-restore, which replaces the running ruleset with the contents of the file in one operation:
[root@bigboy tmp]# iptables-save > firewall-config
[root@bigboy tmp]# cat firewall-config
(the same ruleset as the /etc/sysconfig/iptables listing above)
[root@bigboy tmp]# iptables-restore < firewall-config
Finally, you should permanently save the active configuration so that it will be loaded automatically when the system reboots:
[root@bigboy tmp]# service iptables save
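The iptables-save format above is simple enough to audit mechanically, and the listing illustrates the point worth checking: INPUT and FORWARD have policy ACCEPT, yet they are safe only because the unconditional jump into RH-Firewall-1-INPUT ends in an unconditional REJECT, while OUTPUT has no rules at all and falls through to ACCEPT. The following Python script is an added example, not part of the page or of the iptables project: it parses an iptables-save dump into tables, chains and rules, then reports for each built-in filter chain what happens to a packet that matches no earlier rule, following unconditional jumps into user-defined chains. The sample ruleset is the one listed above, embedded as input.

```python
import shlex

# The ruleset from the /etc/sysconfig/iptables listing above, embedded here as
# the sample input for this example.
SAMPLE_RULES = """\
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004
"""

TERMINAL = {"DROP", "REJECT"}


def parse_iptables_save(text):
    """Parse iptables-save output into {table: {chain: {"policy", "rules"}}}.

    Each rule keeps its match tokens (everything between the chain name and -j)
    and its target, so a caller can tell an unconditional rule from a filtered one.
    """
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # *filter, *nat, ...
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":") and table is not None:
            name, policy, _counters = line[1:].split()  # :CHAIN POLICY [pkts:bytes]
            table[name] = {"policy": None if policy == "-" else policy, "rules": []}
        elif line.startswith("-A ") and table is not None:
            tok = shlex.split(line)
            chain = tok[1]
            j = tok.index("-j") if "-j" in tok else len(tok)
            target = tok[j + 1] if j + 1 < len(tok) else None
            table.setdefault(chain, {"policy": None, "rules": []})
            table[chain]["rules"].append(
                {"matches": tok[2:j], "target": target, "text": line})
        elif line == "COMMIT":
            table = None
    return tables


def chain_outcome(chains, name, depth=0):
    """Fate of a packet that matches nothing earlier in chain `name`.

    Returns "DROP"/"REJECT"/"ACCEPT" when the chain ends in an unconditional
    rule with that target (following unconditional jumps into user chains),
    "policy:<P>" when a built-in chain falls through to its policy, and
    "RETURN" when a user chain hands the packet back to its caller.
    """
    chain = chains[name]
    rules = chain["rules"]
    if rules and not rules[-1]["matches"] and depth < 16:
        target = rules[-1]["target"]
        if target in TERMINAL or target == "ACCEPT":
            return target
        if target in chains:                 # unconditional jump into a user chain
            inner = chain_outcome(chains, target, depth + 1)
            if inner != "RETURN":
                return inner
    return "policy:%s" % chain["policy"] if chain["policy"] else "RETURN"


def audit(text):
    """Map each built-in filter chain to its fall-through outcome."""
    chains = parse_iptables_save(text).get("filter", {})
    return {name: chain_outcome(chains, name)
            for name in ("INPUT", "FORWARD", "OUTPUT") if name in chains}


if __name__ == "__main__":
    for chain, outcome in audit(SAMPLE_RULES).items():
        flag = "" if outcome in TERMINAL else "   <-- unmatched traffic is accepted"
        print("%-8s %s%s" % (chain, outcome, flag))
```

Run against the listing above it reports INPUT and FORWARD as REJECT and OUTPUT as policy:ACCEPT, which is the line to look at when deciding whether outbound traffic from the firewall should be restricted as the later sections do. The audit only follows unconditional rules; a chain whose last rule carries a match is reported as falling through to its policy, which is the conservative answer.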

Loading Kernel Modules Needed By iptables
# File: /etc/rc.local

# Module to track the state of connections
modprobe ip_conntrack

# Load the iptables active FTP module, requires ip_conntrack
modprobe ip_conntrack_ftp

# Load iptables NAT module when required
modprobe iptable_nat

# Module required for an FTP server behind NAT (rewrites the
# addresses carried inside FTP control messages)
modprobe ip_nat_ftp

On kernels from 2.6.20 onwards these modules are named nf_conntrack, nf_conntrack_ftp and nf_nat_ftp; the -m state match also loads connection tracking on demand, so explicit modprobe lines are mostly needed for the FTP helpers.

Allowing DNS Access To Your Firewall
You'll almost certainly want your firewall to make DNS queries to the Internet. This is not because it is required for the basic functionality of the firewall, but because Fedora Linux's yum RPM updater, which keeps the server up to date with the latest security patches, needs to resolve host names. The following statements apply not only to firewalls acting as DNS clients but also to firewalls working in a caching or regular DNS server role.
#---------------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface eth0 is the internet interface
#
# Zone transfers use TCP and not UDP, and resolvers retry over
# TCP when a UDP answer is truncated. Most home networks
# / websites using a single DNS server won't require TCP statements
#
#---------------------------------------------------------------
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 \
         -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 \
         -j ACCEPT
Note that the INPUT rule accepts any UDP packet whose source port is 53, whether or not the firewall sent a query, so anyone can reach a UDP service listening on an unprivileged port of the firewall simply by sending from port 53. On a kernel with connection tracking, the safer form accepts only replies to queries the firewall itself sent (-m state --state ESTABLISHED on the INPUT side), as the web-server and browsing examples that follow do for TCP.

Allowing WWW And SSH Access To Your Firewall
This sample snippet is for a firewall that doubles as a web server that is managed remotely by its system administrator via secure shell (SSH) sessions. Inbound packets destined for ports 80 and 22 are allowed thereby making the first steps in establishing a connection. It isn't necessary to specify these ports for the return leg as outbound packets for all established connections are allowed. Connections initiated by persons logged into the Web server will be denied as outbound NEW connection packets aren't allowed.
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
         -j ACCEPT
#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \
         -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \
         -m state --state NEW -j ACCEPT
Allowing Your Firewall To Access The Internet
This iptables script enables a user on the firewall to use a Web browser to surf the Internet. HTTP traffic uses TCP port 80, and HTTPS uses port 443.
Note: HTTPS (secure HTTP) is used for credit card transactions frequently, as well as by RedHat Linux servers running up2date. FTP and HTTP are frequently used with yum.
#---------------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#---------------------------------------------------------------
iptables -A OUTPUT -j ACCEPT -m state \
         --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
         -m multiport --dports 80,443 --sport 1024:65535
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED \
         -i eth0 -p tcp
If you want all TCP traffic originating from the firewall to be accepted, then remove the line:
-m multiport --dports 80,443 --sport 1024:65535
Allow Your Home Network To Access The Firewall
In this example, eth1 is directly connected to a home network using IP addresses from the 192.168.1.0 network. All traffic between this network and the firewall is simplistically assumed to be trusted and allowed.
Further rules will be needed for the interface connected to the Internet to allow only specific ports, types of connections and possibly even remote servers to have access to your firewall and home network.
#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the
# protected network
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth1
iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth1
Checking The Firewall Logs

These catch-all rules must be the last ones in each chain: anything not accepted by an earlier rule is logged and then dropped. LOG is non-terminating, so each LOG rule is paired with a DROP rule. On an Internet-facing host, consider rate-limiting the LOG rules with -m limit (for example --limit 5/min) so that a packet flood cannot fill /var/log/messages.
#---------------------------------------------------------------
# Log and drop all other packets to file /var/log/messages
# Without this we could be crawling around in the dark
#---------------------------------------------------------------
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

iptables Won't Start

If /etc/sysconfig/iptables does not exist, service iptables start returns silently without applying any rules:

[root@bigboy tmp]# service iptables start
[root@bigboy tmp]#

Create the file (an empty one is enough), make it readable by root only since it will hold your complete ruleset, and start the service again:

[root@bigboy tmp]# touch /etc/sysconfig/iptables
[root@bigboy tmp]# chmod 600 /etc/sysconfig/iptables

[root@bigboy tmp]# service iptables start
Applying iptables firewall rules: [ OK ]
[root@bigboy tmp]#

Here are some examples of the entries the LOG rules write to /var/log/messages:
  • Firewall denies replies to DNS queries (UDP port 53) destined to server 192.168.1.102 on the home network.
Feb 23 20:33:50 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=192.42.93.30 DST=192.168.1.102 LEN=220 TOS=0x00 PREC=0x00 TTL=54 ID=30485 PROTO=UDP SPT=53 DPT=32820 LEN=200
  • Firewall denies Windows NetBIOS traffic (UDP port 138)
Feb 23 20:43:08 bigboy kernel: IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:09:6a:b5:08:00 SRC=192.168.1.100 DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
  • Firewall denies Network Time Protocol (NTP UDP port 123)
Feb 23 20:58:48 bigboy kernel: IN= OUT=wlan0 SRC=192.168.1.102 DST=207.200.81.113 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
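Reading these entries by eye works for three lines but not for a day's worth. The following Python script is an added example (not from the page or from the netfilter project): it parses iptables LOG entries from the syslog format shown above, keeping the interface, addresses, ports, the two LEN fields (IP total length, then UDP/TCP length) and bare flag tokens such as DF or SYN, and then counts blocked packets per direction, protocol and destination port. The sample input is the three lines above plus one constructed TCP line carrying a --log-prefix string; the FW-DROP: prefix and its addresses are invented for the example.

```python
import re
from collections import Counter

# The three log entries shown above, plus one constructed TCP line with a
# --log-prefix string, embedded as the sample input for this example.
SAMPLE_LOG = """\
Feb 23 20:33:50 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=192.42.93.30 DST=192.168.1.102 LEN=220 TOS=0x00 PREC=0x00 TTL=54 ID=30485 PROTO=UDP SPT=53 DPT=32820 LEN=200
Feb 23 20:43:08 bigboy kernel: IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:09:6a:b5:08:00 SRC=192.168.1.100 DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Feb 23 20:58:48 bigboy kernel: IN= OUT=wlan0 SRC=192.168.1.102 DST=207.200.81.113 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Feb 23 21:02:11 bigboy kernel: FW-DROP: IN=eth0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=10.0.0.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Traditional syslog prefix, an optional "[seconds]" kernel timestamp, an
# optional --log-prefix string, then the key=value body starting at IN=.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<prefix>.*?)(?P<body>IN=.*)$"
)
INT_FIELDS = {"TTL", "ID", "SPT", "DPT", "TYPE", "CODE"}


def parse_log_line(line):
    """Return a dict of fields for one iptables LOG entry, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix").strip(), "flags": []}
    len_seen = 0
    for tok in m.group("body").split():
        if "=" not in tok:
            rec["flags"].append(tok)          # bare tokens: DF, SYN, ACK, ...
            continue
        key, _, val = tok.partition("=")
        if key == "LEN":
            # LEN appears twice: IP total length first, then the UDP/TCP length
            rec["ip_len" if len_seen == 0 else "l4_len"] = int(val)
            len_seen += 1
        elif key in INT_FIELDS:
            rec[key.lower()] = int(val)
        else:
            rec[key.lower()] = val            # IN= and OUT= may be empty strings
    rec["direction"] = "inbound" if rec.get("in") else "outbound"
    return rec


def summarize(text):
    """Count logged packets per (direction, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec:
            counts[(rec["direction"], rec.get("proto"), rec.get("dpt"))] += 1
    return counts


def describe(rec):
    """One-line human summary of a parsed entry."""
    iface = rec["in"] if rec["direction"] == "inbound" else rec["out"]
    if "spt" in rec:
        ends = "%s:%d -> %s:%d" % (rec["src"], rec["spt"], rec["dst"], rec["dpt"])
    else:
        ends = "%s -> %s" % (rec["src"], rec["dst"])   # ICMP and others
    return "%s %s %s on %s %s" % (rec["ts"], rec["direction"], rec.get("proto"),
                                  iface, ends)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_log_line(line)
        if rec:
            print(describe(rec))
    for key, n in summarize(SAMPLE_LOG).most_common():
        print("%-8s %-4s dport=%-5s %d" % (key[0], key[1], key[2], n))
```

Feeding it the real file (for line in open("/var/log/messages")) gives a quick view of which ports the catch-all DROP is hitting most, which is how the three diagnoses listed above (blocked DNS replies, NetBIOS broadcasts, outbound NTP) are reached in practice. Giving each LOG rule its own --log-prefix makes the prefix field a reliable key for telling the INPUT, OUTPUT and FORWARD drops apart.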



###IPTables###
Features:
 1. Firewall for Linux
 2. Interface to Netfilter, which is loaded by the kernel
 3. Operates primarily @ layers 3 & 4 of the OSI model
 4. Modular
 5. Provides Network Address Translation (NAT)
 6. IPTables can also access other layers (2, 5-7), with modules

1. Check that the running kernel was built with Netfilter support: grep -i config_netfilter /boot/config*

Note: Save rules in: /etc/sysconfig/iptables so that when IPTables is restarted, the rules will be applied OR, update /etc/sysconfig/iptables-config to save the rules automatically

/sbin/iptables - primary ACL modifier utility
/sbin/iptables-restore - restores rules to current IPTables instance
/sbin/iptables-save - saves rules to STDOUT, by default, or to a file


IPTables includes 3 default tables, which you cannot remove (newer kernels add the raw and security tables as well):
 1. NAT - address translation
 2. Mangle - packet header modification
 3. Filter (Default) - filters inbound/outbound traffic

Note: Each table, includes chains, which include Access Control Entries (ACEs)

Usage:
 1. iptables -L

Note: The Filter table includes 3 chains:
 1. INPUT - applies to traffic destined to a service that our system is bound to

 2. FORWARD - applies to traffic being routed through the system

 3. OUTPUT - applies to traffic sourced from our system, heading outbound


Tasks:
 1. Filter inbound traffic to the remote RH5 system so that only SSH is accepted
  a. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  b. iptables -A INPUT -j DROP
  Note: order matters (first match wins), and because (b) drops everything else, replies to connections the system itself opens (DNS lookups, yum) are dropped too unless a -m state --state ESTABLISHED,RELATED -j ACCEPT rule precedes it.

 2. Filter outbound traffic to ANY remote SSH port
  a. iptables -A OUTPUT -p tcp --dport 22 -j DROP

 3. Flush ALL rules from OUTPUT chain of the Filter table 
  a. iptables -F OUTPUT

 4. Save rules to file, then flush rules
  a. iptables-save > iptables.rules.1
  b. iptables -F

 5. Reinstate flushed rules
  a. iptables-restore iptables.rules.1


###IPv6 IPTables###
Features:
 1. Firewall for IPv6

/etc/rc.d/init.d/ip6tables - run-script
/etc/sysconfig/ip6tables-config - system-wide config file

/sbin/ip6tables - primary tool for administering IP6Tables
/sbin/ip6tables-restore
/sbin/ip6tables-save

 2. Maintains 3 default tables:
  a. Filter - matches IPTables(IPv4)
  b. Mangle - matches IPTables(IPv4)
  c. Raw
  (IPv6 NAT, and with it a nat table in ip6tables, arrived later, with kernel 3.7.)

 
Usage:
 1. ip6tables -L

Note: IPv6 firewall rules are administered independently of IPv4 rules

Tasks:
 1. Filter inbound traffic to the remote RH5 system so that only SSH is accepted
  a. ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
  b. ip6tables -A INPUT -j DROP

 2. Filter outbound traffic to ANY remote SSH port
  a. ip6tables -A OUTPUT -p tcp --dport 22 -j DROP

 3. Flush ALL rules from OUTPUT chain of the Filter table 
  a. ip6tables -F OUTPUT

 4. Save rules to file, then flush rules
  a. ip6tables-save > ip6tables.rules.1

 5. Reinstate flushed rules
  a. ip6tables-restore ip6tables.rules.1

Thanking you
Hope U Like it.......


How to Use the vi Editor and What is vi Editior?

vi - text Editor

The vi editor is available on almost all Unix systems. vi can be used from any type of terminal because it does not depend on arrow keys and function keys--it uses the standard alphabetic keys for commands.
vi (pronounced "vee-eye") is short for "vi"sual editor. It displays a window into the file being edited that shows 24 lines of text. vi is a text editor, not a "what you see is what you get" word processor. vi lets you add, change, and delete text, but does not provide such formatting capabilities as centring lines or indenting paragraphs.
This help note explains the basics of vi:
  • opening and closing a file
  • moving around in a file
  • elementary editing
vi has many other commands and options not described here. The following resources can help you get started using the vi editor, and are available at the UW University Book Store:
  • "vi Tutorial." Specialized Systems Consultants (SSC).
  • "vi Reference." Specialized Systems Consultants (SSC).
  • "Learning the vi Editor." Linda Lamb, 1990.

Starting vi

You may use vi to open an already existing file by typing
vi filename
where "filename" is the name of the existing file. If the file is not in your current directory, you must use the full pathname.
Or you may create a new file by typing
vi newname
where "newname" is the name you wish to give the new file.
To open a new file called "testvi," enter
vi testvi
On-screen, you will see blank lines, each with a tilde (~) at the left, and a line at the bottom giving the name and status of the new file:
~
"testvi" [New file]

vi Modes

vi has two modes:
  • command mode
  • insert mode
In command mode, the letters of the keyboard perform editing functions (like moving the cursor, deleting text, etc.). To enter command mode, press the escape <Esc> key.
In insert mode, the letters you type form words and sentences. Unlike many word processors, vi starts up in command mode.

Entering Text

In order to begin entering text in this empty file, you must change from command mode to insert mode. To do this, type
i
Nothing appears to change, but you are now in insert mode and can begin typing text. In general, vi's commands do not display on the screen and do not require the Return key to be pressed.
Type a few short lines and press <Return> at the end of each line. If you type a long line, you will notice the vi does not word wrap, it merely breaks the line unceremoniously at the edge of the screen.
If you make a mistake, pressing <Backspace> or <Delete> may remove the error, depending on your terminal type.

Moving the Cursor

To move the cursor to another position, you must be in command mode. If you have just finished typing text, you are still in insert mode. Go back to command mode by pressing <Esc>. If you are not sure which mode you are in, press <Esc> once or twice until you hear a beep. When you hear the beep, you are in command mode.
The cursor is controlled with four keys: h, j, k, l.
Key Cursor Movement
--- ---------------
h left one space
j down one line
k up one line
l right one space
When you have gone as far as possible in one direction, the cursor stops moving and you hear a beep. For example, you cannot use l to move right and wrap around to the next line, you must use j to move down a line. See the section entitled "Moving Around in a File" for ways to move more quickly through a file.

Basic Editing

Editing commands require that you be in command mode. Many of the editing commands have a different function depending on whether they are typed as upper- or lowercase. Often, editing commands can be preceded by a number to indicate a repetition of the command.

Deleting Characters

To delete a character from a file, move the cursor until it is on the incorrect letter, then type
x
The character under the cursor disappears. To remove four characters (the one under the cursor and the next three) type
4x
To delete the character before the cursor, type
X (uppercase)

Deleting Words

To delete a word, move the cursor to the first letter of the word, and type
dw
This command deletes the word and the space following it.
To delete three words type
3dw

Deleting Lines

To delete a whole line, type
dd
The cursor does not have to be at the beginning of the line. Typing dd deletes the entire line containing the cursor and places the cursor at the start of the next line. To delete two lines, type
2dd
To delete from the cursor position to the end of the line, type
D (uppercase)

Replacing Characters

To replace one character with another:
  1. Move the cursor to the character to be replaced.
  2. Type r
  3. Type the replacement character.
The new character will appear, and you will still be in command mode.

Replacing Words

To replace one word with another, move to the start of the incorrect word and type
cw
The last letter of the word to be replaced will turn into a $. You are now in insert mode and may type the replacement. The new text does not need to be the same length as the original. Press <Esc> to get back to command mode. To replace three words, type
3cw

Replacing Lines

To change text from the cursor position to the end of the line:
  1. Type C (uppercase).
  2. Type the replacement text.
  3. Press <Esc>.

Inserting Text

To insert text in a line:
  1. Position the cursor where the new text should go.
  2. Type i
  3. Enter the new text.
     The text is inserted BEFORE the cursor.
  4. Press <Esc> to get back to command mode.

Appending Text

To add text to the end of a line:
  1. Position the cursor on the last letter of the line.
  2. Type a
  3. Enter the new text.
     This adds text AFTER the cursor.
  4. Press <Esc> to get back to command mode.

Opening a Blank Line

To insert a blank line below the current line, type o (lowercase)
To insert a blank line above the current line, type O (uppercase)

Joining Lines

To join two lines together:
  1. Put the cursor on the first line to be joined.
  2. Type J
To join three lines together:
  1. Put the cursor on the first line to be joined.
  2. Type 3J

Undoing

To undo your most recent edit, type u (lowercase)
To undo all the edits on a single line, type U (uppercase)
Undoing all edits on a single line only works as long as the cursor stays on that line. Once you move the cursor off a line, you cannot use U to restore the line.

Moving Around in a File

There are shortcuts to move more quickly though a file. All these work in command mode.
Key Movement
--- --------
w forward word by word
b backward word by word
$ to end of line
0 (zero) to beginning of line
H to top line of screen
M to middle line of screen
L to last line of screen
G to last line of file
1G to first line of file
<Control>f scroll forward one screen
<Control>b scroll backward one screen
<Control>d scroll down one-half screen
<Control>u scroll up one-half screen

Moving by Searching

To move quickly by searching for text, while in command mode:
  1. Type / (slash).
  2. Enter the text to search for.
  3. Press <Return>.
The cursor moves to the first occurrence of that text.
To repeat the search in a forward direction, type n (lowercase)
To repeat the search in a backward direction, type N (uppercase)

Closing and Saving a File

With vi, you edit a copy of the file, rather than the original file. Changes are made to the original only when you save your edits.
To save the file and quit vi, type  ZZ
The vi editor is built on an earlier Unix text editor called ex. ex commands can be used within vi. ex commands begin with a : (colon) and end with a <Return>. The command is displayed on the status line as you type. Some ex commands are useful when saving and closing files.
To save the edits you have made, but leave vi running and your file open:
  1. Press <Esc>.
  2. Type :w
  3. Press <Return>.
To quit vi, and discard any changes you have made since last saving:
  1. Press <Esc>.
  2. Type :q!
  3. Press <Return>.

Command Summary

STARTING vi
vi filename edit a file named "filename"
vi newfile create a new file named "newfile"
ENTERING TEXT
i insert text left of cursor
a append text right of cursor
MOVING THE CURSOR
h left one space
j down one line
k up one line
l right one space
BASIC EDITING
x delete character
nx delete n characters
X delete character before cursor
dw delete word
ndw delete n words
dd delete line
ndd delete n lines
D delete characters from cursor to end of line
r replace character under cursor
cw replace a word
ncw replace n words
C change text from cursor to end of line
o insert blank line below cursor
(ready for insertion)
O insert blank line above cursor
(ready for insertion)
J join succeeding line to current cursor line
nJ join n succeeding lines to current cursor line
u undo last change
U restore current line
MOVING AROUND IN A FILE
w forward word by word
b backward word by word
$ to end of line
0 (zero) to beginning of line
H to top line of screen
M to middle line of screen
L to last line of screen
G to last line of file
1G to first line of file
<Control>f scroll forward one screen
<Control>b scroll backward one screen
<Control>d scroll down one-half screen
<Control>u scroll up one-half screen
n repeat last search in same direction
N repeat last search in opposite direction
CLOSING AND SAVING A FILE
ZZ save file and then quit
:w save file
:q! discard changes and quit file


Thanking You
Hope U Like it.....



Install LAMP Server in Linux Step by Step Process

How to install a LAMP (Apache, MySQL and PHP) server in Red Hat Linux, step by step, from the terminal.

A note on versions: the releases named below (MySQL 5.0.20, Apache 2.0.55, PHP 4.4.1) are long past end-of-life and receive no security fixes. On a current system install the distribution packages (httpd, mysql-server or mariadb-server, php) with yum so that updates arrive through the package manager; the steps that follow describe the original source build.

  1. Uninstall previous versions of Apache and MySQL:
     rpm -e httpd mysql
  2. Download and install the MySQL server, client and dynamic shared library RPMs from mysql.com. Do not opt to change the password on the MySQL database during installation unless you know what you're doing. If the first installation attempt asks for it, download the appropriate version of perl-DBI from rpmfind.net.
     rpm -ivh MySQL-client-5.0.20-0.glibc23.i386.rpm MySQL-server-5.0.20-0.glibc23.i386.rpm MySQL-shared-5.0.20-0.glibc23.i386.rpm
  3. Initialize the MySQL database after installation:
     mysql_install_db
     A fresh installation has no root password; set one before exposing the server (mysqladmin -u root password 'newpassword').
  4. Make sure /etc/ld.so.conf contains the line
     /usr/lib
     then run ldconfig:
     /sbin/ldconfig
  5. Download, unpack, and install Apache 2.0 from source (apache.org):
     mv httpd-2.0.55.tar.gz /usr/local/; cd /usr/local/
     tar -xzvf httpd-2.0.55.tar.gz
     cd httpd-2.0.55
     ./configure --enable-so
     make
     make install
  6. Ensure Apache functions properly by starting, testing, and stopping it:
     /usr/local/apache2/bin/apachectl start
     /usr/local/apache2/bin/apachectl stop
  7. Download, unpack, and install the newest 4.4.x version of PHP from php.net:
     mv php-4.4.1.tar.gz /usr/local/; cd /usr/local/
     tar -xzvf php-4.4.1.tar.gz; cd php-4.4.1/
     ./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql
     make
     make install
  8. Add the following to your httpd.conf file:
     LoadModule php4_module modules/libphp4.so
     AddType application/x-httpd-php .php .phtml
     AddType application/x-httpd-php-source .phps
  9. Modify httpd.conf again so that index.php is served as a directory index, then restart httpd (/usr/local/apache2/bin/apachectl restart):
     DirectoryIndex index.html index.php
 10. To test your accomplishments, drop the following text into an index.php file within your DocumentRoot directory:
     <?php
     phpinfo();
     ?>
     Remove this file once the test succeeds: phpinfo() shows the exact versions, build options, loaded modules and file-system paths to anyone who can reach the server.


Thanking You
Hope U Like it......


How to install FTP Server in Linux

FTP Server Configurations
How to install an FTP server in Linux, followed by interview questions on the File Transfer Protocol (FTP).
1) Install the FTP server, vsftpd:
          # yum install vsftpd
   or install from a downloaded RPM:
          # rpm -ivh vsftpd*.rpm
2) Add a rule to /etc/sysconfig/iptables to open port 21, the FTP control port, in the firewall. Restrict it to the clients that need it; here only 192.168.1.102 is allowed:
        -A INPUT -s 192.168.1.102 -p tcp --dport 21 -j ACCEPT
   (The equivalent command-line form is iptables -A INPUT -s 192.168.1.102 -p tcp --dport 21 -j ACCEPT.) FTP data connections use separate ports, so either load the ip_conntrack_ftp module or open the passive port range set with pasv_min_port/pasv_max_port in /etc/vsftpd/vsftpd.conf.
3) Open /etc/vsftpd/ftpusers and /etc/vsftpd/user_list and remove any user who should be allowed to log in from a remote host. Both files are deny lists in the default configuration (user_list because userlist_deny=YES is the default).
4) Restart the iptables service:
          # service iptables restart
5) Set the SELinux booleans:
        # setsebool -P ftp_home_dir on
        # setsebool -P allow_ftpd_full_access on
   ftp_home_dir is enough for users confined to their home directories; allow_ftpd_full_access lets vsftpd read and write every file the Unix permissions allow, so set it only if the server really must serve files outside users' home directories.
6) Restart the vsftpd service:
       # service vsftpd restart
Remember that plain FTP sends user names, passwords and data in clear text. Enable TLS in vsftpd (ssl_enable=YES) or use SFTP over SSH for anything other than public, anonymous downloads.
 
Interview Questions on File Transfer Protocol(FTP).......
###Very Secure File Transfer Protocol Daemon (VSFTPD)###
Features:
 1. FTPD
 2. Chroot jail
 3. anonymous and local-user auth
 4. Rate-limiting

Tasks:
 1. Install 'vsftpd'
  a. yum -y install vsftpd

 2. Start the server
  a. service vsftpd start
  b. netstat -ntlp | grep 21

 3. Configure service to start when system boots into multi-user runlevel
  a. chkconfig vsftpd on
  b. chkconfig --list vsftpd

 4. Connect to the FTPD service:
  a. Use web browser, which defaults to anonymous
  b. Use standard FTP client, as anonymous
  c. setsebool -P ftp_home_dir=1 - permits users access to their home directory
  d. service vsftpd restart - for changes to take effect

 5. Chroot jail local users & disable 'anonymous' access
  a. chroot_local_user=YES - jails local users in their home directories; anonymous_enable=NO disables anonymous logins
     Note: vsftpd 3.x refuses the login if the chroot directory itself is writable unless allow_writeable_chroot=YES is set; the safer layout is a non-writable home with a writable subdirectory for uploads.
  b. service vsftpd restart - for changes to take effect
  c. test connectivity as 'anonymous' and 'non-anonymous' users

 6. Enable IPv6 listener:
  a. listen_ipv6=YES - DO NOT USE WITH 'listen=YES' (IPv4); the IPv6 listening socket also accepts IPv4 clients

 7. Restrict 'non-anonymous' user's transfer rate
  a. local_max_rate=1000 - caps each local-user session at 1000 bytes per second (about 1 KB/s); 0 means unlimited

Thanking You
Hope U like it...


What is Files and Directory Permission.

Files and Directory Permission

What is Files and Directory Permission & How to Understand it in Ubuntu 12.04/14.04 and Red hat Linux 6 ...?

The ll command (an alias for ls -l on most distributions) displays information about files and directories, including date, time, owner, group, size, name and permission.
Four symbols are used when displaying permission, each with a numeric weight:
R    :    Read 4
W    :    Write 2
X    :    Execute 1
-    :    no permission

File and directory permissions are shown as ten characters: the first is the type (- for a regular file, d for a directory), followed by three rwx triplets for the user (owner), the group and others:
-rwxrwxrwx :     file
drwxrwxrwx :    directory

If we want to change permissions, there are two methods:
1.    Symbolic
2.    Numeric

1.    Symbolic Method:
Syntax:
chmod mode directory/filename
Mode options:
1.    u,g,o (user, group, others; a means all three)
2.    r,w,x
3.    +,-
4.    =

1.    # chmod u+rwx file_or_directory : user (owner) only
2.    # chmod ug+rwx file_or_directory : user and group
3.    # chmod u+w,g+r,o+x directory/file
4.    # chmod u+rw,g+rw directory/file
5.    # chmod u-r,g-w,o-rw directory/file (no spaces after the commas, or chmod treats the rest of the line as file names)
6.    # chmod ugo+rwx file/directory
7.    # chmod ugo-rwx file/directory

•    + is used to add permission
•    - is used to remove permission
chmod ugo=rw directory/file
this command will assign read/write permission to u,g,o
suppose we have one file as
test.txt
permission : -r--r--r--
chmod u=w,g=wx,o=w test.txt
this command assigns write to user, write/execute to group and write to other, removing the previous permissions (the result is --w--wx-w-).
The main difference between + and = is that + adds the new permissions to the existing ones, while = assigns exactly the listed permissions and clears the rest for that class (the new permissions overwrite the old).

2.    Numeric Method:
In this method, calculations are based on the following numbers, added up separately for user, group and other
r=4    w=2    x=1    0= no permission

Example:
#chmod 777 file/directory
in this case user gets 7, meaning read/write/execute, group gets 7, meaning read/write/execute, and the same for other (every account on the system can modify the file, which is rarely what you want)

# chmod 531 file/directory
in this case user gets 5, meaning read/execute, group gets 3, meaning write/execute, and other gets 1, meaning execute only.

#chmod 742 file/directory
7 : User : rwx
4 : Group : r
2 : Other : w

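The symbolic and numeric methods above, implemented and checked against a real file. This is an added example, not code from the original post: it converts an ls -l permission string to its octal value, applies a chmod-style symbolic specification (u=w,g=wx,o=w, ug+rwx, u-r,g-w,o-rw and so on) to a mode, and reproduces the test.txt example on a temporary file, with a world-writable check of the kind a reviewer runs on a deployed system. The function names are my own; one simplification is labelled in the comments (a clause with no u/g/o/a prefix is treated as a, whereas real chmod also applies the umask in that case).

```python
import os
import stat
import tempfile

# Bit masks per class and per permission, matching the r=4 w=2 x=1 table above.
_WHO = {"u": 0o700, "g": 0o070, "o": 0o007}
_PERM = {"r": 0o444, "w": 0o222, "x": 0o111}


def symbolic_to_mode(text):
    """'-rwxr-x--x' (or the 9-char 'rwxr-x--x') -> 0o751; setuid/setgid/sticky ignored."""
    s = text[-9:]
    if len(s) != 9:
        raise ValueError("need 9 permission characters, got %r" % text)
    mode = 0
    for i, ch in enumerate(s):
        # lowercase s/t in an x slot mean the x bit is set as well; '-' and S/T set nothing
        if ch in "rwxst":
            mode |= 1 << (8 - i)
    return mode


def apply_symbolic(mode, spec):
    """Apply a chmod symbolic spec such as 'u=w,g=wx,o=w' or 'ug+rwx' to a mode value."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = clause[:i] or "a"          # simplification: no prefix means 'a' (chmod also applies umask)
        if "a" in who:
            who = "ugo"
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError("bad operator in clause %r" % clause)
        op, perms = clause[i], clause[i + 1:]
        if any(p not in _PERM for p in perms):
            raise ValueError("bad permission letters in clause %r" % clause)
        who_mask = sum(_WHO[w] for w in set(who))
        perm_mask = 0
        for p in perms:
            perm_mask |= _PERM[p]
        bits = who_mask & perm_mask
        if op == "+":
            mode |= bits                              # add to what is there
        elif op == "-":
            mode &= ~bits                             # take away only these
        else:
            mode = (mode & ~who_mask) | bits          # '=' replaces the whole class
    return mode & 0o777


def mode_string(mode):
    """0o640 -> '-rw-r-----', exactly as ls -l shows a regular file."""
    return stat.filemode(stat.S_IFREG | (mode & 0o777))


def world_writable(path):
    """True if 'other' has write access: the first thing to check on a shared system."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def demo():
    """Reproduce the page's test.txt example on a real temporary file (constructed, then removed)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o444)                                   # -r--r--r--
        before = os.stat(path).st_mode & 0o777
        after = apply_symbolic(before, "u=w,g=wx,o=w")
        os.chmod(path, after)
        return mode_string(before), mode_string(after), after, world_writable(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Running demo() prints the before and after strings for the test.txt example; the world-writable result is True, which is exactly why o=w is almost never the right choice outside a classroom exercise.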

Thanking You
Hope U like it...

What is Domain Name System(DNS) & How DNS Works.

September 02, 2014
DNS - Domain Name System, implemented on Linux by BIND (Berkeley Internet Name Domain)

RHEL 5 includes BIND version 9.3

Listens on UDP and TCP port 53 (UDP for ordinary queries; TCP for zone transfers and for answers too large for one UDP datagram)

system-config-bind (graphical configuration tool)

/etc/hosts
/etc/resolv.conf

Provides resolution of names to IP addresses
and resolution of IP addresses to names.

Defines a hierarchical namespace where each level of
the namespace is separated by a "."

How DNS works?
-----------------
When we ask our DNS server to resolve www.cloudnetwork.in, it first asks a root (.) server, which refers it to the servers for the top-level domain (.in here; .com, .net, etc. for other names); those refer it to the authoritative servers for cloudnetwork.in, which finally return the IP address of
www.cloudnetwork.in. The answer is cached for the record's TTL, so the next query for the same name is answered locally.

/etc/hosts

Host File provides resolution of hostnames
to IP addresses.

types of DNS servers
---------------------
A master DNS server for your domain(s), which stores authoritative records for your domain.

A slave DNS server, which relies on a master DNS server for data.

A caching-only DNS server, which stores recent requests like a proxy server. It otherwise refers to other DNS servers.

If the DNS server is outside your network, this request can take time. If you have a caching-only name server, these queries are stored locally, which can save significant time while you or others on your network are browsing the same sites on the Internet.

A forwarding-only DNS server, which refers all requests to other DNS servers.


Common host name services :
---------------------------
files /etc/hosts ; /etc/networks
DNS and NIS

/etc/nsswitch.conf determine the order in which to query name service

default is

hosts: files dns

NIS domain and DNS domain names should usually be different to simplify troubleshooting and
avoid name collisions

Client-side resolvers:
----------------------
dig, host and nslookup never look at /etc/nsswitch.conf: they send queries straight to the nameservers listed in /etc/resolv.conf (or to the server given as @server). To see what applications actually resolve, use getent hosts <name>, which does go through nsswitch and therefore also consults /etc/hosts.

dig +trace redhat.com ( walks the delegation chain itself: root servers, then .com, then redhat.com; only the initial list of root servers is fetched from the /etc/resolv.conf nameserver)
host
nslookup


/etc/hosts
----------
It can only resolve the names provided in the local hosts
file.

It cannot be used as a central database.

You can add a name and IP address to /etc/hosts, one host per line (address, canonical name, then any aliases):


192.168.0.2      server1.learnadmin.com Server1

Using nslookup to Test DNS
--------------------------
nslookup www.learnadmin.com

Name:   www.learnadmin.com
Address: 192.168.0.2

Using the host Command to Test DNS
-----------------------------------
 host 192.168.0.2

ZONE
-----
Zone is a storage database which contains
all zone Records

 Forward Lookup Zone
--------------------
 Used for Resolving Host Names to IP-Address
 It maintains Host to IP Address Mapping Information

 Reverse Lookup Zone
--------------------
 Used for Resolving IP-Address to Host Names
 It maintains IP Address to Host Mapping Information


SOA is the Start Of Authority record, the first record in every zone. It names the zone's primary name server and the responsible mailbox, and carries the serial number (which slaves compare with their copy to decide whether to transfer the zone) plus the refresh, retry and expire intervals and the negative-caching TTL (minimum). Whenever the zone file changes, the serial must be increased, otherwise slaves will never pick up the change.

###BIND DNS###
Features:
 1. Name-to-IP address mapping
 2. Name resolution for DNS clients
 3. Caching-only server (Default)
 4. Primary DNS server
 5. Slave server
 6. Replication of DNS database information between servers
 7. Dynamic DNS updates
 8. Provides numerous client tools: nslookup, dig, host

Tasks:
 1. Installation of BIND on the remote system: linuxcbtserv4
  a. yum -y install bind

 2. Setup service to auto-start at boot
  a. chkconfig --level 35 named on - enables the service in runlevels: 3,5

 3. Configure a default, caching-only, named.conf file
  a. rpm -ql bind - to see samples
  b. cp the samples: /usr/share/doc/bind*/sample/etc/* to /etc/ and /usr/share/doc/bind*/sample/var/named/* to /var/named/
  c. Modify /etc/named.conf - disable DDNS_KeyGen sections
  d. Start the server - service named start
 
 4. Query the server
  a. dig @localhost www.cloudnetwork.in
   a1. Returns: question, answer, authoritative DNS servers, query time
  b. nslookup www.cloudnetwork.in OR nslookup www.cloudnetwork.in 127.0.0.1 (the second argument is the server to ask)

Note: The server has cached: www.cloudnetwork.in, evidenced by the decrementing TTL values for the various records associated with the zone

  c. host www.cloudnetwork.in - also performs a lookup

Note: /etc/resolv.conf controls the DNS servers that are consulted by lookup tools such as: Web browser, GFTP, LFTP, nslookup, dig, host, etc.

  d. dig cloudnetwork.in MX - queries the domain for mail exchangers

Note: DNS is organized into an inverted tree, with '.' representing the root of the DNS tree. e.g.

dig mail1.cloudnetwork.in.
 - . = root
  - in = top level
   - cloudnetwork = second level
      - mail1 = third level
Note: A trailing '.' in a DNS query is implied, and may optionally be indicated if desired in any standard Internet application (web browser, FTP client, wget, nslookup, dig, host, etc.)


Primary & Secondary Zones:
 Features:
  1. Ability to service zones
  2. Authoritative support for a zone

Tasks:
 1. Create internal zone named 'linuxcbt.internal'
  a. modify /etc/named.conf to include the new zone

zone "linuxcbt.internal" {
        type master;
        #allow-update { key ddns_key; };
        file "linuxcbt.internal.db";
};

  b. create the corresponding zone file
  c. restart named
  d. test resolution of DNS primary zone

Note: Install 'caching-nameserver*' for Caching-only DNS server

 2. Create a slave (Secondary) server
  a. yum -y install bind
  b. copy sample files from primary server to secondary server
  c. modify /etc/named.conf and set the 'linuxcbt.internal' zone to 'type slave;', with a 'masters { <primary server IP>; };' statement so it knows where to transfer the zone from
  d. start named service - 'service named start'
  e. chkconfig --level 35 named on
  f. Update: /var/named/linuxcbt.internal.db on the primary to add an NS record for the new name server, and increase the SOA serial so the slave transfers the change

 3. Create a primary zone on the "secondary" server
  a. create a zone for: linuxcbt.external - in /etc/named.conf
  b. copy/create 'linuxcbt.external.db' zone file
  c. setup 'linuxcbtserv4' to be a slave for the zone: linuxcbt.external
 
 4. Start 'named' as a caching-only DNS server (Default)
  a. service named start
  b. 'dig @192.168.75.199 www.cloudnetwork.in' - sends the query to the caching-only server directly; it recurses on our behalf and caches the answer

Forward IPv6 Records:
Implemented primarily as AAAA records:

linuxcbtserv1    IN    AAAA    2002:4687:db25:3:202:b3ff:fe98:4108
linuxcbtserv4    IN    AAAA    2002:4687:db25:3:20c:29ff:feb5:1692
linuxcbtmedia1    IN    AAAA    2002:4687:db25:3:20a:5eff:fe1b:4aad
linuxcbtrouter1    IN    AAAA    2002:4687:DB25:3:21A:2FFF:FEE3:F240

Test IPv6 resolution using:
 1. ping6 linuxcbtrouter1.linuxcbt.internal
 2. dig @192.168.75.10 linuxcbtrouter1.linuxcbt.internal


Reverse Zones:
 Features:
  1. The ability to resolve a name, given an IPv4 or IPv6 address


Tasks:
 1. Define an IPv4 reverse zone for the local subnet:
  a. Define zone name: '75.168.192.in-addr.arpa' - /etc/named.conf
  b. Update: /etc/named.conf
  c. Create zone file in: /var/named
  d. Update configuration
  e. Restart named
  f. test using 'dig -x 192.168.75.1'

Note: Reverse zone names are built from the network prefix of the IPv4 subnet, written with the octets in reverse order (192.168.75.0/24 -> 75.168.192.in-addr.arpa)


IPv6 Reverse Zone:
 Requirements:
  1. /etc/named.conf entry
zone "3.0.0.0.5.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa" {
        type master;
        file "3.0.0.0.5.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa.reverse";
};

Note: IPv6 reverse zone names are in nibble format, with ALL zeros expanded for the network prefix portion of the address, which is usually 64-bits in length


  2. /var/named/zone_file
   a. Include entries using the last 64-bits or IPv6 host part

d.a.a.4.b.1.e.f.f.f.e.5.a.0.2.0 IN PTR linuxcbtmedia1.linuxcbt.internal.

Note: When creating reverse IPv6 entries for hosts, do the following:
 a. reverse the 64-bit portion of the address that corresponds to the host, expanding all zeros
 b. Create PTR record based on the reverse, nibble-format of the address

Test using dig:
 a. dig -x 2002:4687:db25:3:20a:5eff:fe1b:4aad
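The reverse-zone naming rules from both the IPv4 and the IPv6 reverse zone tasks above, as an added Python example that is not part of the original post: it derives the in-addr.arpa or ip6.arpa zone name from a network prefix, the full reversed name for an address (every IPv6 zero expanded, nibbles least-significant first), and the owner name relative to the zone that goes in the first column of the zone file. The function names are my own; the addresses and zone names it is checked against are the ones on this page, and the result is cross-checked with the standard library's own reverse_pointer.

```python
import ipaddress


def reverse_name(addr):
    """Full PTR owner name for an IPv4 or IPv6 address, with the trailing root dot.

    IPv4: octets reversed under in-addr.arpa.  IPv6: all 32 nibbles of the
    expanded address reversed under ip6.arpa, which is why zeros must be expanded.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")      # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(network):
    """Zone name for a prefix: /8, /16 or /24 for IPv4; any multiple of 4 bits for IPv6."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need /8, /16 or /24 (classless delegation not covered here)")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a prefix length that is a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_owner(addr, network):
    """Owner name relative to the zone: the host part, reversed, as written in the zone file."""
    net = ipaddress.ip_network(network, strict=True)
    if ipaddress.ip_address(addr) not in net:
        raise ValueError("%s is not inside %s" % (addr, network))
    full, zone = reverse_name(addr), reverse_zone(network)
    return full[: -len(zone) - 1]               # strip '.' + zone from the end


def ptr_record(addr, network, hostname):
    """One zone-file line; hostname must be fully qualified with its trailing dot."""
    if not hostname.endswith("."):
        raise ValueError("PTR target must end with '.' or BIND appends the zone name to it")
    return "%s IN PTR %s" % (ptr_owner(addr, network), hostname)


if __name__ == "__main__":
    print(reverse_zone("2002:4687:db25:3::/64"))
    print(ptr_record("2002:4687:db25:3:20a:5eff:fe1b:4aad", "2002:4687:db25:3::/64",
                     "linuxcbtmedia1.linuxcbt.internal."))
    print(ptr_record("192.168.75.1", "192.168.75.0/24", "linuxcbtrouter1.linuxcbt.internal."))
```

The check on the trailing dot in ptr_record is the mistake that bites most often in hand-written reverse zones: without it BIND silently turns the target into linuxcbtmedia1.linuxcbt.internal.3.0.0.0.5.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa, and dig -x returns that nonsense instead of failing loudly.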


Thanking You
Hope U like it.....
