I.1 Gestion du pare feu
1. Vérification
[root@localhost ~]# systemctl status firewalld
* [Link] - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/[Link];
enabled; vendor p>
Active: active (running) since Wed 2019-09-24 [Link]
JST; 18min ago
Docs: man:firewalld(1)
Main PID: 801 (firewalld)
Tasks: 2 (limit: 25025)
Memory: 30.9M
CGroup: /[Link]/[Link]
└─801 /usr/libexec/platform-python -s
/usr/sbin/firewalld --nofork ->
Sep 24 [Link] [Link] systemd[1]: Starting
firewalld - dynamic >
Sep 24 [Link] [Link] systemd[1]: Started
firewalld - dynamic f>
# [Active: active (running)] means firewalld is currently running
2. Arrêt et désactivation
# stop the service (immediate, but it starts again on the next boot)
[root@localhost ~]# systemctl stop firewalld
# disable the service so it does not start at boot; the host is then left without a host firewall
[root@localhost ~]# systemctl disable firewalld
Removed /etc/systemd/system/multi-
[Link]/[Link].
Removed /etc/systemd/system/dbus-
[Link].
I.2. Gestion de SELINUX
[root@localhost ~]# getenforce
Enforcing # SELinux is enabled and enforcing its policy
[root@localhost ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# change the value below
# enforcing ⇒ enabled (policy enforced)
# disabled ⇒ disabled (no policy loaded)
# permissive ⇒ enabled but only logging; denials are recorded, not enforced
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected.
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# reboot to apply the setting
[root@localhost ~]# reboot
I.2. Gestion de paramètres réseau
# if you did not set a hostname during installation, set it as follows
[root@localhost ~]# hostnamectl set-hostname [Link]
# display devices
[root@localhost ~]# nmcli device
DEVICE TYPE STATE CONNECTION
ens2 ethernet connected ens2
lo loopback unmanaged --
# set IPv4 address
[root@localhost ~]# nmcli connection modify ens2
[Link] [Link]/24
# set gateway
[root@localhost ~]# nmcli connection modify ens2 [Link]
[Link]
# set DNS
[root@localhost ~]# nmcli connection modify ens2 [Link]
[Link]
# set [manual] for a static configuration (it is [auto] for DHCP)
[root@localhost ~]# nmcli connection modify ens2 [Link]
manual
# restart the interface to reload the settings
[root@localhost ~]# nmcli connection down ens2; nmcli
connection up ens2
Connection 'ens2' successfully deactivated (D-Bus active
path: /org/freedesktop/NetworkManager/ActiveConnection/1)
Connection successfully activated (D-Bus active path:
/org/freedesktop/NetworkManager/ActiveConnection/2)
# show settings
[root@localhost ~]# nmcli device show ens2
[Link]: ens2
[Link]: ethernet
[Link]: [Link]
[Link]: 1500
[Link]: 100 (connected)
[Link]: ens2
[Link]-PATH:
/org/freedesktop/NetworkManager/ActiveC>
[Link]: on
[Link][1]: [Link]/24
[Link]: [Link]
[Link][1]: dst = [Link]/24, nh
= [Link], mt = 1>
[Link][2]: dst = [Link]/0, nh =
[Link], mt = 100
[Link][1]: [Link]
[Link][1]:
fe80::5054:ff:fed0:8f0b/64
[Link]: --
[Link][1]: dst = fe80::/64, nh =
::, mt = 100
[Link][2]: dst = ff00::/8, nh =
::, mt = 256, tabl>
# show state
[root@localhost ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state
UNKNOWN group default qlen 1000
link/loopback [Link] brd [Link]
inet [Link]/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
fq_codel state UP group default qlen 1000
link/ether [Link] brd [Link]
inet [Link]/24 brd [Link] scope global
noprefixroute ens2
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fed0:8f0b/64 scope link noprefixroute
valid_lft forever preferred_lft forever
I.3. Paramétrer le console de gestion web
[root@dlp ~]# systemctl enable --now [Link]
[root@dlp ~]# ss -napt
State Recv-Q Send-Q Local Address:Port
Peer Address:Port
LISTEN 0 128 [Link]:22
[Link]:* users:(("sshd",pid=831,fd=6))
LISTEN 0 128 [::]:22
[::]:* users:(("sshd",pid=831,fd=8))
LISTEN 0 128 *:9090
*:* users:(("systemd",pid=1,fd=24))
# Cockpit listens on port 9090
# if firewalld is running, confirm the inbound rules (cockpit is generally allowed by default)
[root@dlp ~]# firewall-cmd --list-service
cockpit dhcpv6-client ssh
# if [cockpit] is not listed, allow it
[root@dlp ~]# firewall-cmd --add-service=cockpit --permanent
success
[root@dlp ~]# firewall-cmd --reload
success
I.4. Gestion avec Vim
[root@dlp ~]# dnf -y install vim-enhanced
[root@dlp ~]# vi ~/.bashrc
# add the alias at the end of the file
alias vi='vim'
# apply changes
[root@dlp ~]# source ~/.bashrc
[root@dlp ~]# vi ~/.vimrc
" use extended function of vim (no compatible with vi)
set nocompatible
" specify encoding
set encoding=utf-8
" specify file encoding
set fileencodings=utf-8,iso-2022-jp,sjis,euc-jp
" specify file formats
set fileformats=unix,dos
" take backup
" if not, specify [ set nobackup ]
set backup
" specify backup directory
set backupdir=~/backup
" take 50 search histories
set history=50
" ignore Case
set ignorecase
" distinct Capital if you mix it in search words
set smartcase
" highlights matched words
" if not, specify [ set nohlsearch ]
set hlsearch
" use incremental search
" if not, specify [ set noincsearch ]
set incsearch
" show line number
" if not, specify [ set nonumber ]
set number
" Visualize break ( $ ) or tab ( ^I )
set list
" highlights parentheses
set showmatch
" not insert LF at the end of file
set binary noeol
" set auto indent
" if not, specify [ noautoindent ]
set autoindent
" show color display
" if not, specify [ syntax off ]
syntax on
" change colors for comments if [ syntax on ] is set
highlight Comment ctermfg=LightCyan
" wrap lines
" if not, specify [ set nowrap ]
set wrap
I.5 DNS et DHCP
I.5.1. DNS avec DNSMASK
[root@dlp ~]# dnf -y install dnsmasq
[root@dlp ~]# vi /etc/[Link]
# line 19: uncomment
# never forward plain names (without a dot or domain part)
domain-needed
# line 21: uncomment
# never forward reverse lookups for addresses in the non-routed (private) address spaces
bogus-priv
# line 53: uncomment
# query with each server strictly in the order in [[Link]]
strict-order
# line 67: add if you need it
# forward queries for a specific domain to a specific DNS server
# the example below forwards queries for the [[Link]] domain to the [[Link]] server
server=/[Link]/[Link]
# line 135: uncomment
# append the domain name automatically to plain hostnames
expand-hosts
# add your own domain name
domain=[Link]
[root@dlp ~]# systemctl enable --now dnsmasq
[root@dlp ~]# vi /etc/hosts
[Link] localhost [Link] localhost4
localhost4.localdomain4
::1 localhost [Link] localhost6
localhost6.localdomain6
# add records
[Link] [Link] dlp
[root@dlp ~]# systemctl restart dnsmasq
[root@dlp ~]# firewall-cmd --add-service=dns --permanent
success
[root@dlp ~]# firewall-cmd --reload
success
[root@node01 ~]# dnf -y install bind-utils
# point DNS at the Dnsmasq server (replace [ens2] with the interface name in your own environment)
[root@node01 ~]# nmcli connection modify ens2 [Link] [Link]
[root@node01 ~]# nmcli connection down ens2; nmcli connection up
ens2
[root@node01 ~]# dig [Link].
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-17.P2.el8_0.1 <<>>
[Link].
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43384
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,
ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;[Link]. IN A
;; ANSWER SECTION:
[Link]. 0 IN A [Link]
;; Query time: 1 msec
;; SERVER: [Link]#53([Link])
;; WHEN: Thu Oct 02 [Link] JST 2019
;; MSG SIZE rcvd: 58
[root@node01 ~]# dig -x [Link]
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-17.P2.el8_0.1 <<>> -x
[Link]
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32941
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,
ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;[Link].[Link]. IN PTR
;; ANSWER SECTION:
[Link].[Link]. 0 IN PTR
[Link].
;; Query time: 0 msec
;; SERVER: [Link]#53([Link])
;; WHEN: Thu Oct 03 [Link] JST 2019
;; MSG SIZE rcvd: 78
I.5.2 DHCP avec DMASK
[root@dlp ~]# vi /etc/[Link]
# line 158: add the range of IP addresses to lease and the lease duration
dhcp-range=[Link],[Link],12h
# line 332: add entries for gateway, NTP, DNS and subnet mask
dhcp-option=option:router,[Link]
dhcp-option=option:ntp-server,[Link]
dhcp-option=option:dns-server,[Link]
dhcp-option=option:netmask,[Link]
[root@dlp ~]# systemctl restart dnsmasq
I.5.3. DNS BIND
[root@dlp ~]# dnf -y install bind bind-utils
[root@dlp ~]# vi /etc/[Link]
.....
.....
# add: define an ACL for the local network
acl internal-network {
[Link]/24;
};
options {
# change (listen on all addresses)
listen-on port 53 { any; };
# change if needed (to not listen on IPv6, set [none])
listen-on-v6 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file
"/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/[Link]";
recursing-file "/var/named/data/[Link]";
# add the local network defined in the [acl] section above
# network ranges from which queries are accepted
allow-query { localhost; internal-network; };
# network ranges to which zone transfers are allowed
# add secondary DNS servers here if they exist
allow-transfer { localhost; };
.....
.....
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/[Link]";
session-keyfile "/run/named/[Link]";
/*
[Link] */
include "/etc/crypto-policies/back-ends/[Link]";
};
logging {
channel default_debug {
file "data/[Link]";
severity dynamic;
};
};
zone "." IN {
type hint;
file "[Link]";
};
include "/etc/[Link]";
include "/etc/[Link]";
# add zones for your network and domain name
zone "[Link]" IN {
type master;
file "[Link]";
allow-update { none; };
};
zone "[Link]" IN {
type master;
file "[Link]";
allow-update { none; };
};
# if you do not use IPv6, you can also suppress IPv6-related logs by changing the following
# set BIND to use only IPv4
[root@dlp ~]# vi /etc/sysconfig/named
# add to the end
OPTIONS="-4"
# for the [*.*.*.*.[Link]] section, write your network address reversed, as follows
# case of [Link]/24
# network address ⇒ [Link]
# network range ⇒ [Link] - [Link]
# how to write ⇒ [Link]
# case of [Link]/24
# network address ⇒ [Link]
# network range ⇒ [Link] - [Link]
# how to write ⇒ [Link]
[root@dlp ~]# vi /var/named/[Link]
$TTL 86400
@ IN SOA [Link]. [Link]. (
# any numeric value is acceptable for the serial number, but the
# recommendation is [YYYYMMDDnn] (update date + sequence number)
# note: '#' is not a comment character in zone files; omit these annotations or write them with ';'
2019100301 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
# define Name Server
IN NS [Link].
# define Name Server's IP address
IN A [Link]
# define Mail Exchanger Server
IN MX 10 [Link].
# define each IP address of a hostname
dlp IN A [Link]
www IN A [Link]
[root@dlp ~]# vi /var/named/[Link]
$TTL 86400
@ IN SOA [Link]. [Link]. (
2019100301 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
# define Name Server
IN NS [Link].
# define each hostname of an IP address
30 IN PTR [Link].
31 IN PTR [Link].
[root@dlp ~]# systemctl enable --now named
[root@dlp ~]# firewall-cmd --add-service=dns --permanent
success
[root@dlp ~]# firewall-cmd --reload
success
[root@dlp ~]# nmcli connection modify ens2 [Link] [Link]
[root@dlp ~]# nmcli connection down ens2; nmcli connection up
ens2
[root@dlp ~]# dig [Link].
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-17.P2.el8_0.1 <<>>
[Link].
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4141
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1,
ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0e9ca06c44ffe5e20209ad655d954316681848d8675423ab
(good)
;; QUESTION SECTION:
;[Link]. IN A
;; ANSWER SECTION:
[Link]. 86400 IN A [Link]
;; AUTHORITY SECTION:
[Link]. 86400 IN NS
[Link].
;; Query time: 0 msec
;; SERVER: [Link]#53([Link])
;; WHEN: Thu Oct 02 [Link] JST 2019
;; MSG SIZE rcvd: 100
[root@dlp ~]# dig -x [Link]
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-17.P2.el8_0.1 <<>> -x
[Link]
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61063
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1,
ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: cf5c64acd453263666c674db5d9543400d47bea92e41b7e1
(good)
;; QUESTION SECTION:
;[Link].[Link]. IN PTR
;; ANSWER SECTION:
[Link].[Link]. 86400 IN PTR
[Link].
;; AUTHORITY SECTION:
[Link]. 86400 IN NS
[Link].
;; ADDITIONAL SECTION:
[Link]. 86400 IN A [Link]
;; Query time: 0 msec
;; SERVER: [Link]#53([Link])
;; WHEN: Thu Oct 02 [Link] JST 2019
;; MSG SIZE rcvd: 136
I.5.4. Serveur et Client DHCP
[root@dlp ~]# dnf -y install dhcp-server
[root@dlp ~]# vi /etc/dhcp/[Link]
# create a new file
# specify domain name
option domain-name "[Link]";
# specify DNS server's hostname or IP address
option domain-name-servers [Link];
# default lease time
default-lease-time 600;
# max lease time
max-lease-time 7200;
# declare this DHCP server authoritative for the network
authoritative;
# specify network address and subnetmask
subnet [Link] netmask [Link] {
# specify the range of IP addresses to lease
range dynamic-bootp [Link] [Link];
# specify broadcast address
option broadcast-address [Link];
# specify gateway
option routers [Link];
}
[root@dlp ~]# systemctl enable --now dhcpd
[root@dlp ~]# firewall-cmd --add-service=dhcp --permanent
success
[root@dlp ~]# firewall-cmd --reload
success
[root@dlp ~]# ll /var/lib/dhcpd
total 40
-rw-r--r-- 1 dhcpd dhcpd 0 Apr 24 23:16 [Link]
-rw-r--r-- 1 dhcpd dhcpd 19311 Aug 5 14:49 [Link]
-rw-r--r-- 1 dhcpd dhcpd 18144 Aug 5 14:19 [Link]~
[root@dlp ~]# cat /var/lib/dhcpd/[Link]
# The format of this file is documented in the
[Link](5) manual page.
# This lease file was written by isc-dhcp-4.3.6
# authoring-byte-order entry is generated, DO NOT DELETE
authoring-byte-order little-endian;
lease [Link] {
starts 3 2020/08/05 [Link];
ends 3 2020/08/05 [Link];
cltt 3 2020/08/05 [Link];
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet [Link];
uid
"\377+\2244\301\000\002\000\000\253\021\011\215\353J2\\\322\2
72";
client-hostname "dlp";
}
.....
.....
I.5.5. Client DHCP
# install the DHCP client if it is not installed (generally installed by default)
[root@client ~]# dnf -y install dhcp-client
[root@client ~]# nmcli connection modify ens2 [Link]
auto
[root@client ~]# nmcli connection down ens2; nmcli connection
up ens2
I.6. Installation du serveur de fichier SAMBA
I.6.1. Accès Pleine
[root@smb ~]# dnf -y install samba
[root@smb ~]# mkdir /home/share
[root@smb ~]# chmod 777 /home/share
[root@smb ~]# vi /etc/samba/[Link]
[global]
# line 7 : add (set charset)
unix charset = UTF-8
# change (Windows default)
workgroup = WORKGROUP
security = user
# add (networks allowed to access the server)
hosts allow = 127. 10.0.0.
# add (no authentication: unknown users are mapped to the guest account)
map to guest = Bad User
.....
.....
# add to the end
# any Share name you like
[Share]
# specify shared directory
path = /home/share
# allow writing
writable = yes
# allow guest user (nobody)
guest ok = yes
# treat all connections as the guest user
guest only = yes
# force mode [777] (world-writable) on newly created files
force create mode = 777
# force mode [777] (world-writable) on newly created folders
force directory mode = 777
[root@smb ~]# systemctl enable --now smb
[root@smb ~]# setsebool -P samba_enable_home_dirs on
[root@smb ~]# restorecon -R /home/share
[root@smb ~]# firewall-cmd --add-service=samba --permanent
success
[root@smb ~]# firewall-cmd --reload
success
I.6.2. Accès limité
[root@smb ~]# dnf -y install samba
[root@smb ~]# groupadd smbgroup01
[root@smb ~]# mkdir /home/share01
[root@smb ~]# chgrp smbgroup01 /home/share01
[root@smb ~]# chmod 770 /home/share01
[root@smb ~]# vi /etc/samba/[Link]
[global]
# line 7: add (set charset)
unix charset = UTF-8
# change (Windows default)
workgroup = WORKGROUP
security = user
# add (networks allowed to access the server)
hosts allow = 127. 10.0.0.
.....
.....
# add to the end
# any Share name you like
[Share01]
# specify shared directory
path = /home/share01
# allow writing
writable = yes
# do not allow the guest user (nobody)
guest ok = no
# allow only members of the [smbgroup01] group
valid users = @smbgroup01
# force mode [777] (world-writable) on newly created files
force create mode = 777
# force mode [777] (world-writable) on newly created folders
force directory mode = 777
# inherit permissions from parent folder
inherit permissions = yes
[root@smb ~]# systemctl enable --now smb
# add Samba user
[root@smb ~]# useradd cent
[root@smb ~]# smbpasswd -a cent
New SMB password:
# set password
Retype new SMB password:
Added user cent.
[root@smb ~]# usermod -aG smbgroup01 cent
[root@smb ~]# setsebool -P samba_enable_home_dirs on
[root@smb ~]# restorecon -R /home/share01
[root@smb ~]# firewall-cmd --add-service=samba --permanent
success
[root@smb ~]# firewall-cmd --reload
success
I.6.3. Client linux
[root@node01 ~]# dnf -y install samba-client cifs-utils
# access with the [smbclient] command:
# smbclient (share name) -U (user name)
[root@node01 ~]# smbclient '\\[Link]\Share01' -U cent
Enter SAMBA\cent's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Nov 1
[Link] 2019
.. D 0 Fri Nov 1
[Link] 2019
New Folder D 0 Fri Nov 1
[Link] 2019
New text [Link] A 0 Fri Nov 1
[Link] 2019
27245572 blocks of size 1024. 25679240 blocks
available
# download a file
smb: \> mget "New text [Link]"
Get file New text [Link]? y
getting file \New text [Link] of size 0 as New text
[Link] (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> !ls
[Link] mariadb_backup.[Link]
mariadb_backup 'New text [Link]'
smb: \> exit
# access with the [mount] command
# [vers=] selects the SMB protocol version
[root@node01 ~]# mount -t cifs -o vers=3.0,username=cent
'\\[Link]\Share01' /mnt
Password for cent@\[Link]\Share: ******** #
password
[ 293.807990] CIFS VFS: error -95 on ioctl to get interface
list
# the error above does not affect access (it is not shown with [vers=2.x])
[root@node01 ~]# df -hT
Filesystem Type Size Used Avail Use% Mounted
on
devtmpfs devtmpfs 1.9G 0 1.9G 0% /dev
tmpfs tmpfs 1.9G 0 1.9G 0%
/dev/shm
tmpfs tmpfs 1.9G 8.5M 1.9G 1% /run
tmpfs tmpfs 1.9G 0 1.9G 0%
/sys/fs/cgroup
/dev/mapper/cl-root xfs 26G 1.5G 25G 6% /
/dev/vda1 ext4 976M 126M 783M 14% /boot
tmpfs tmpfs 379M 0 379M 0%
/run/user/0
\\[Link]\Share cifs 26G 1.6G 25G 6% /mnt
# if the share does not require authentication, specify [none] for the username
[root@node01 ~]# mount -t cifs -o
vers=3,username=none,password=none '\\[Link]\Share'
/mnt
Client Windows