Jamie Fargen's Weblog

Tag: rhel

RHCE Exam Objective: Use Firewalld

by on Nov.06, 2016, under Cert, RHCE, Training

This post only covers the basics; for the full reference see the firewall-cmd(1) man page.

Check which zones are currently active (a zone is active when an interface or source is bound to it):

# firewall-cmd --get-active-zones

Check the configuration of a zone (interfaces, services, ports, masquerading, rich rules):

# firewall-cmd --info-zone=public

Open a port for a service in an active zone. Note that this changes only the runtime configuration: a reload of firewalld or a reboot discards it.
# firewall-cmd --zone=public --add-service=http

Close a port for a service in an active zone. This too is a runtime-only change.
# firewall-cmd --zone=public --remove-service=http

To make the change both active and permanent, the command needs to be run twice: once with --permanent, which writes the zone file and takes effect at the next reload, and once without, which changes the running firewall now. Running only the --permanent form leaves the running firewall unchanged until you reload.
# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --zone=public --add-service=http

Now view the zone info again (firewall-cmd --info-zone=public) and notice that http appears in its services line.
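As an added example (not from the original post), here is a small Python script that diffs a zone's runtime service list against its permanent one. The runtime/permanent split is where mistakes hide: a service opened only at runtime vanishes on the next reload or reboot, and one added only with --permanent is not enforced until a reload. The comparison is a pure function so it runs offline on constructed firewall-cmd output; zone_drift() runs the real firewall-cmd and needs root on a firewalld host.

```python
"""Added example (not from the original post): report services that differ
between a firewalld zone's runtime and permanent configuration.

A service added only at runtime disappears at the next reload or reboot; one
added only with --permanent is not enforced until the next reload. Either way
the running firewall and the saved one disagree, which is worth catching.
drift() is a pure comparison so it can run offline on constructed output;
zone_drift() runs the real firewall-cmd and needs root on a firewalld host.
"""
import subprocess


def parse_services(output):
    """Turn 'firewall-cmd --list-services' output (e.g. 'dhcpv6-client ssh')
    into a set of service names."""
    return set(output.split())


def drift(runtime, permanent):
    """Return (runtime_only, permanent_only) as sorted lists of service names."""
    run, perm = parse_services(runtime), parse_services(permanent)
    return sorted(run - perm), sorted(perm - run)


def describe(runtime, permanent):
    """One line per discrepancy; the empty string means the two configs agree."""
    runtime_only, permanent_only = drift(runtime, permanent)
    lines = ["runtime-only (lost on reload): %s" % s for s in runtime_only]
    lines += ["permanent-only (inactive until reload): %s" % s for s in permanent_only]
    return "\n".join(lines)


def zone_drift(zone="public"):
    """Compare the live zone with its saved configuration via firewall-cmd."""
    def list_services(extra):
        cmd = ["firewall-cmd", "--zone=" + zone, "--list-services"] + extra
        return subprocess.check_output(cmd, universal_newlines=True)
    return describe(list_services([]), list_services(["--permanent"]))


if __name__ == "__main__":
    import sys
    report = zone_drift(sys.argv[1] if len(sys.argv) > 1 else "public")
    print(report or "runtime and permanent service lists match")
```

Run it as root after the add-service commands: with only the --permanent form applied it reports http as permanent-only, with only the runtime form as runtime-only, and nothing once both have been run. firewalld 0.4, which RHEL 7.3 rebased to, also offers firewall-cmd --runtime-to-permanent, which saves the current runtime configuration in one step instead of repeating every command.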

Configuring a host to work as a NAT gateway

To enable NAT you first need the kernel to forward IPv4 traffic. Make this persistent by creating /etc/sysctl.d/98-ipv4-forward.conf with the following contents:

# cat /etc/sysctl.d/98-ipv4-forward.conf
net.ipv4.ip_forward = 1

To enable the setting immediately, without waiting for a reboot, run:

# sysctl -w net.ipv4.ip_forward=1
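Drop-ins in sysctl.d are applied in a defined order, and a later file can silently undo an earlier one, so it is worth confirming which value of net.ipv4.ip_forward will actually survive a reboot. As an added example (not from the original post), the Python below resolves a key the way systemd-sysctl does according to sysctl.d(5): a file in /etc/sysctl.d shadows a file of the same name in /run/sysctl.d or /usr/lib/sysctl.d, the surviving files are applied in lexicographic name order, and for a key set in several files the last name wins. The directory names are the real ones; the file contents in the usage are constructed.

```python
"""Added example (not from the original post): work out which value
systemd-sysctl will apply for a key, following the sysctl.d(5) precedence
rules. Use it to confirm that 98-ipv4-forward.conf is not undone by a later
drop-in such as 99-sysctl.conf (the symlink to /etc/sysctl.conf).
"""
import os

# Directories in precedence order: a name found in an earlier directory
# shadows the same name in a later one.
SYSCTL_DIRS = ("/etc/sysctl.d", "/run/sysctl.d", "/usr/lib/sysctl.d")


def parse_sysctl(text):
    """Yield (key, value) pairs from sysctl.conf syntax.

    '#' and ';' start comments, '/' and '.' are interchangeable in keys, and a
    leading '-' on a key only means "ignore errors", so it is stripped.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lstrip("-").replace("/", ".")
        yield key, value.strip()


def shadow(listings):
    """listings: [(dirpath, [basenames]), ...] in precedence order.

    Returns {basename: path}; the first directory to provide a name wins.
    """
    chosen = {}
    for dirpath, names in listings:
        for name in names:
            if name.endswith(".conf") and name not in chosen:
                chosen[name] = os.path.join(dirpath, name)
    return chosen


def winning_value(key, named_texts):
    """named_texts: iterable of (basename, text) after shadowing.

    Files are applied in sorted name order and the last assignment to `key`
    wins. Returns None if no file sets it.
    """
    value = None
    for _name, text in sorted(named_texts):
        for k, v in parse_sysctl(text):
            if k == key:
                value = v
    return value


def effective_sysctl(key, dirs=SYSCTL_DIRS):
    """Read the real drop-in directories and resolve `key`."""
    listings = [(d, os.listdir(d)) for d in dirs if os.path.isdir(d)]
    named_texts = []
    for name, path in shadow(listings).items():
        with open(path) as fh:
            named_texts.append((name, fh.read()))
    return winning_value(key, named_texts)


if __name__ == "__main__":
    print("persisted net.ipv4.ip_forward =", effective_sysctl("net.ipv4.ip_forward"))
```

Compare the persisted value with the live one from sysctl -n net.ipv4.ip_forward: the two differ exactly when someone ran sysctl -w without a drop-in, or added a drop-in without applying it.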


Next add your interfaces to different zones and reload the firewalld config. Here enp0s3 is the internet-facing interface and Team1 the internal (team) interface:

# firewall-cmd --zone=external --add-interface=enp0s3 --permanent
# firewall-cmd --zone=internal --add-interface=Team1 --permanent
# firewall-cmd --complete-reload

Note that --complete-reload also reloads the netfilter kernel modules and drops connection-tracking state, so it will most likely terminate established connections; a plain --reload applies the permanent configuration while keeping state.

Next enable masquerading on the external zone. The built-in external zone already ships with masquerading switched on, so on a stock system this is a no-op, but it is required if you put the upstream interface in any other zone:
# firewall-cmd --zone=external --add-masquerade --permanent

Then add a POSTROUTING rule through firewalld's direct interface. This is a raw iptables passthrough, not a rich rule: firewalld inserts it verbatim ahead of its own chains and it does not appear in --list-all (use --direct --get-all-passthroughs to see it). With the zone-level masquerade above already covering everything that leaves enp0s3 the rule is redundant; it becomes the controlling rule, limited to the internal subnet (10.0.0.0/24 in this setup), only if you leave masquerading off on the zone:
# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o enp0s3 -j MASQUERADE -s 10.0.0.0/24

The masquerade and passthrough changes were made with --permanent only, so they are not active until you reload once more (firewall-cmd --reload) or repeat each command without --permanent.

There used to be an issue where, after a restart, an interface would lose its zone assignment because the assignment was stored only in firewalld's own configuration and not in the ZONE= line of the interface's ifcfg- file, which is what NetworkManager uses to put the interface back into the zone. This seems no longer to be the case in RHEL 7.3, but it is something to watch for on the RHCE exam if it uses an older version: check /etc/sysconfig/network-scripts/ifcfg-enp0s3 for a ZONE=external line.

As a test I pinged an IP address on the internet from the client VM and ran tcpdump on the server VM; the ICMP traffic traversed the server VM as expected.


For more information on configuring RHEL 7 as a NAT gateway, check out this blog.


RHCE 7 Exam Objective: Configure IPv6

by on Nov.06, 2016, under Cert, RHCE, Training

Configure IPv6

This was a little painful; it may be an issue with VBox, teaming, or IPv6. I expect that in the EX300 exam simply adding IPV6ADDR=wxyz:wxyz… and running nmcli con reload will work without any issues. To get this working on my VBox setup took a lot more work and research.

First, here is the configuration of the NAT network.

 

Next, there was an issue with duplicate local IPv6 addresses. First, I disabled IPv6 on enp0s8 and enp0s9, then I disabled DAD (duplicate address detection) on both the server and client VMs.

Here are the relevant sections in /etc/sysconfig/network-scripts/ifcfg-enp0s[8-9]:

IPV6INIT=no
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_PEERDNS=no
IPV6_PEERROUTES=no
IPV6_FAILURE_FATAL=no

 

Then I added this file with the following contents to disable DAD:

# cat /etc/sysctl.d/90-ipv6-disable-dad.conf
net.ipv6.conf.default.optimistic_dad=1
net.ipv6.conf.default.accept_dad=0
net.ipv6.conf.enp0s8.optimistic_dad=1
net.ipv6.conf.enp0s8.accept_dad=0
net.ipv6.conf.enp0s9.optimistic_dad=1
net.ipv6.conf.enp0s9.accept_dad=0
net.ipv6.conf.Team1.optimistic_dad=1
net.ipv6.conf.Team1.accept_dad=0
net.ipv6.conf.all.use_tempaddr=-1

 

Then I went to this site to generate a Unique Local Address (ULA) prefix:

You can just pick the first subnet.

My subnet was fdf8:d910:d680::/64.

I used fdf8:d910:d680::0001/64 as the server VM's IPv6 address and fdf8:d910:d680::0002/64 as the client VM's.
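As an added example (not part of the original post), the following Python 3 code does what a ULA generator site does, following RFC 4193 section 3.2.2: the 40-bit Global ID is the low 40 bits of SHA-1 over the 64-bit NTP timestamp concatenated with the host's EUI-64, and the /48 prefix is fd00::/8 (fc00::/7 with the L bit set) followed by that Global ID; each /64 then carries a 16-bit Subnet ID. The prefix used above has exactly that shape: fd, Global ID f8d910d680, Subnet ID 0000. The MAC address and timestamp in the example are constructed, so the prefix it yields is not the one used in this post.

```python
"""Added example (not from the original post): generate an IPv6 unique local
address prefix with the RFC 4193 section 3.2.2 algorithm.

Global ID = low 40 bits of SHA-1(64-bit NTP timestamp || EUI-64)
Prefix    = fd (fc00::/7 with L=1) || Global ID        -> a /48
Subnet    = Prefix || 16-bit Subnet ID                  -> a /64
"""
import hashlib
import ipaddress
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800


def eui64_from_mac(mac):
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle and flip
    the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def ntp_timestamp(unix_time=None):
    """64-bit NTP timestamp: 32-bit seconds since 1900 || 32-bit fraction."""
    if unix_time is None:
        unix_time = time.time()
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time - int(unix_time)) * (1 << 32))
    return ((seconds & 0xFFFFFFFF) << 32) | (fraction & 0xFFFFFFFF)


def ula_global_id(mac, unix_time=None):
    """Low 40 bits of SHA-1(ntp_time || eui64), as an int."""
    key = ntp_timestamp(unix_time).to_bytes(8, "big") + eui64_from_mac(mac)
    digest = hashlib.sha1(key).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(mac, unix_time=None):
    """The /48 ULA prefix (fdXX:XXXX:XXXX::/48) as an IPv6Network."""
    gid = ula_global_id(mac, unix_time)
    prefix_int = (0xFD << 120) | (gid << 80)  # fd, then the 40-bit Global ID
    return ipaddress.IPv6Network((prefix_int, 48))


def ula_subnet(mac, subnet_id=0, unix_time=None):
    """One /64 out of the /48: the 16-bit Subnet ID follows the Global ID."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    prefix = ula_prefix(mac, unix_time)
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    # Constructed MAC (08:00:27 is the VirtualBox OUI); the time is "now".
    mac = "08:00:27:12:34:56"
    print("ULA /48:", ula_prefix(mac))
    print("first /64:", ula_subnet(mac, 0))
```

The hashing step is the point of the exercise: picking a memorable prefix such as fd00::/48 by hand instead gives every site the same Global ID, so two such networks collide the moment they are joined by a VPN or a merger, which is exactly what the pseudo-random 40 bits are there to prevent.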

Example: Add this line to /etc/sysconfig/network-scripts/ifcfg-Team1 on the server VM

IPV6ADDR=fdf8:d910:d680::0001/64

Then start the VMs once this is completed.

To test, I tried pinging the client VM from itself, which was successful.

Then I attempted to ping the client VM from the server VM which was also successful.

If you want more info on IPv6, there are excellent tutorials at the site TunnelBroker. They also have an interesting service that lets you tunnel IPv6 over IPv4, but the last time I checked they had a feud with Cogent Communications that broke half the IPv6 internet.


RHCE 7 Exam Objectives

by on Nov.06, 2016, under Cert, RHCE, Training

This page contains the RHCE 7 exam objectives for exam EX300 as published on Sunday, November 6, 2016. No warranty or guarantee that these topics will still apply when you begin your review for the exam.

System configuration and management

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service

HTTP/HTTPS

  • Configure a virtual host
  • Configure access restrictions on directories
  • Deploy a basic CGI application
  • Configure group-managed content
  • Configure TLS security

DNS

  • Configure a caching-only name server
  • Troubleshoot DNS client issues

NFS

  • Provide network shares to specific clients
  • Provide network shares suitable for group collaboration
  • Use Kerberos to control access to NFS network shares

SMB

  • Provide network shares to specific clients
  • Provide network shares suitable for group collaboration

SMTP

  • Configure a system to forward all email to a central mail server

SSH

  • Configure key-based authentication
  • Configure additional options described in documentation

NTP

  • Synchronize time using other NTP peers

Database services

  • Install and configure MariaDB
  • Backup and restore a database
  • Create a simple database schema
  • Perform simple SQL queries against a database
