User:Tom/RHCE EX300-2: Difference between revisions

From RoggeWiki
Revision as of 14:47, 25 June 2017

25 Configuring Kerberos

KDC     Key Distribution Center. A central key server. Issues tickets.
Realm   All hosts that use the same KDC to get tickets.
TGT     Ticket Granting Ticket
Principal name nfs/server.example.com@EXAMPLE.COM
User name      tom@EXAMPLE.COM
Using nslcd or sssd as Authentication Backend Service

Verify that the sssd packages are installed before using the authconfig utilities. When the GUI is used, sssd is the default backend. Use yum group install "Directory Client" to install sssd and related packages. Start sssd before using the authconfig utilities.

/etc/sysconfig/authconfig
FORCELEGACY=no                Switch off nslcd.
USESSSD=yes
USESSSDAUTH=yes

Commands
authconfig                Configure LDAP authentication with Kerberos authorization.
authconfig --test         Get an overview of the current configuration and see what services are used.
authconfig-tui
authconfig-gtk
kinit                      Obtain and cache kerberos ticket-granting ticket.
klist                      Lists cached Kerberos tickets.
Files
/etc/krb5.keytab             Needed by a server hosting Kerberized services. Contains names of all service principals on that server.
/etc/nslcd.conf              Alternative for sssd.
/etc/nsswitch.conf 
/etc/openldap/cacerts        Stores root certificate authorities
/etc/openldap/ldap.conf      LDAP client configuration
/etc/pam.d/
/etc/sssd/sssd.conf          Daemon used for retrieving and caching user and authentication information.
                             Install the sssd service before using the authconfig utilities (yum group install "Directory Client").
/etc/sysconfig/authconfig    

Packages
pam_krb5
krb5-workstation

26 iSCSI

Commands
targetcli
firewall-cmd --add-service iscsi-target --permanent
firewall-cmd --reload
systemctl start target
systemctl enable target
iscsiadm
Files
Packages
targetcli                 Target
iscsi-initiator-utils     Initiator
lsscsi

30 Routing and Networking

Commands
IPv6 Addresses / Networks
::1/128                        Local host.
::                             All addresses.
::/0                           The default route
2000::/3                       Global unicast address.
fc00::/7                       Unique local address.
fe80::/64                      Link-local address.
ff00::/8                       Multicast
2001:db8::/32                  Addresses reserved for use in documentation.
man 7 nmcli-examples           Examples of how to create a team interface
man -k team                    

nmcli con add type team con-name team0 ifname team0 config '{"runner": {"name": "loadbalance"}}'
nmcli con mod team0 ipv4.addresses 192.168.122.131/24
nmcli con add type team-slave ifname eth1 master team0
nmcli con add type team-slave ifname eth2 master team0
nmcli con show et01                 Shows detailed IP configuration (for example: ipv4.addresses)
nmcli con add con-name eth1 type ethernet ifname eth1 ip6 2001:db8:0:1::100/64 gw6 2001:db8:0:1::1 ip4 192.168.122.131/24 gw4 192.168.122.1
nmcli con mod eth1 ipv6.addresses "2001:db8:0:1::1"
nmcli con mod eth1 +ipv6.addresses "2001:db8:0:2::1"

nmcli con up team0
nmcli con show
teamdctl team0 state 
teamdctl team0 state view
teamnl team0 options             
ip link show
ip route show
Files
/etc/sysconfig/network-scripts/ifcfg-team0
/etc/sysconfig/network-scripts/ifcfg-team-slave-eth[12]
/etc/sysctl.d/forwarding.conf (net.ipv4.ip_forward = 1)            Enable forwarding to configure the server as a router.

32 Advanced Firewall Configuration

Basic ordering rules within zones:

  • Direct rules
  • Port forwarding and masquerading
  • Logging rules
  • Allow rules
  • Deny rules

For NAT the server needs to be configured as a router: /proc/sys/net/ipv4/ip_forward=1

Two types of NAT:

  • Masquerading: The IP address of a node is replaced with the IP address of the NAT router.
  • Port forwarding: The NAT router redirects all traffic arriving at a public port on the NAT router to another port, and possibly another host, on the private network. Masquerading needs to be activated for port forwarding to another host.
Commands
firewall-cmd --reload                        
firewall-cmd --get-services                  Shows all services which are stored in /usr/lib/firewalld/services and /etc/firewalld/services
firewall-cmd --add-rich-rule=' rule '
firewall-cmd --remove-rich-rule=' rule '
firewall-cmd --query-rich-rule=' rule '
firewall-cmd --list-rich-rules
firewall-cmd --add-forward-port
firewall-cmd --timeout='xx'                  Lifetime (seconds) of a rule added in the same command, e.g. a rich rule
man firewalld.richlanguage                   Shows rich language examples
Files
/etc/firewalld/services
/usr/lib/firewalld/services
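Added example (not from the original notes): a small shell script that applies the port-forwarding plus masquerading combination described above, with a pre-check that ip_forward is enabled. Zone "public", port 8080/tcp and target 192.168.122.10:80 are constructed values.

```shell
#!/bin/bash
# Added example, not part of the original wiki page.
# Assumed (constructed) values: zone public, forward 8080/tcp to 192.168.122.10:80.

# Return 0 when kernel IPv4 forwarding is on, 1 otherwise.
# The sysctl file path is an optional argument so the check can be run
# against a copy of the flag; the default is the real kernel file.
forwarding_enabled() {
    local f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Build the firewalld rich rule for forwarding a port to another host.
# Usage: forward_rule <port> <proto> <to-addr> <to-port>
forward_rule() {
    printf 'rule family="ipv4" forward-port port="%s" protocol="%s" to-port="%s" to-addr="%s"' \
        "$1" "$2" "$4" "$3"
}

# Apply the configuration permanently and reload, then verify.
# Masquerading is enabled first because forwarding to another host
# needs it (see the notes above); the router must also have ip_forward=1.
# Usage: apply_port_forward <zone> <port> <proto> <to-addr> <to-port>
apply_port_forward() {
    local zone="$1" port="$2" proto="$3" to_addr="$4" to_port="$5"
    if ! forwarding_enabled; then
        echo "net.ipv4.ip_forward is 0: enable it in /etc/sysctl.d/ first" >&2
        return 1
    fi
    firewall-cmd --permanent --zone="$zone" --add-masquerade
    firewall-cmd --permanent --zone="$zone" \
        --add-rich-rule="$(forward_rule "$port" "$proto" "$to_addr" "$to_port")"
    firewall-cmd --reload
    # Verification: both the masquerade flag and the rich rule must be active.
    firewall-cmd --zone="$zone" --query-masquerade
    firewall-cmd --zone="$zone" --list-rich-rules
}

# Example invocation with the constructed values:
# apply_port_forward public 8080 tcp 192.168.122.10 80
```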

...

34 DNS

Unbound is the preferred package.

Install, enable and start unbound.

/etc/unbound/unbound.conf

35 MariaDB

yum install mariadb mariadb-server mariadb-test
systemctl start mariadb
systemctl enable mariadb


firewall-cmd --add-service mysql --permanent
mysql_secure_installation
/usr/libexec/mysqld --help --verbose          Information about all the settings

show databases;
use dbname;
create database dbname;
create table tablename (name varchar(40), place varchar(40));
describe tablename;

delete from tablename where field = ' value ';
update tablename set field = value where field2 = ' value ';
insert into tablename (field1,field2) values(' value1 ',' value2 ');

where clause operators: = <> > >= < <= BETWEEN LIKE IN
create user username@'localhost' identified by 'password';
drop user 'username'@'localhost';
grant select,update,delete,insert on *.* to username@'localhost';  
grant all privileges on ...
mysqldump -u root -p --databases database > dumpfile
drop database databasename;
create database databasename;
mysql -u root -p databasename < dumpfile

36 NFS

37 Samba

man mount.cifs credentials= option

38 SMTP Server

39 Configure SSH

semanage port, man sshd_config, ssh-agent, ssh-add, ssh tunnel.

40 Time synchronisation

chronyd daemon, chronyc command. NTP port 123. Start and enable the service; open the port with firewall-cmd --add-service.


List commands
getsebool -a                      List all selinux booleans
seinfo                            SELinux policy query tool
         --all
         -r                       List all roles
         -t                       List all types (*-t)
         -u                       List all users
semanage boolean --list           List SELinux booleans with comments
semanage fcontext -l              List all current rules