{"id":13519,"date":"2019-04-03T06:12:27","date_gmt":"2019-04-03T06:12:27","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=13519"},"modified":"2019-04-03T06:12:27","modified_gmt":"2019-04-03T06:12:27","slug":"lfce-linux-foundation-certified-engineer","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/04\/03\/lfce-linux-foundation-certified-engineer\/","title":{"rendered":"LFCE (Linux Foundation Certified Engineer)"},"content":{"rendered":"<h1 class=\"post-title\">LFCE: Installing Network Services and Configuring Automatic Startup at Boot \u2013 Part 1<\/h1>\n<p>A\u00a0<strong>Linux Foundation Certified Engineer<\/strong>\u00a0(<strong>LFCE<\/strong>) is prepared to install, configure, manage, and troubleshoot network services in Linux systems, and is responsible for the design and implementation of system architecture.<\/p>\n<div id=\"attachment_9766\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/lfce1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9766\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/lfce1.png\" alt=\"Configure Services at System Startup\" width=\"600\" height=\"400\" aria-describedby=\"caption-attachment-9766\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9766\" class=\"wp-caption-text\">Linux Foundation Certified Engineer \u2013 Part 1<\/p>\n<\/div>\n<p>Introducing The Linux Foundation Certification Program.<\/p>\n<div class=\"post-format\">\n<div class=\"video-container\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/Y29qZ71Kicg\" width=\"640\" height=\"405\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" data-mce-fragment=\"1\"><\/iframe><\/div>\n<\/div>\n<p>In this 12-article series, titled Preparation for the\u00a0<strong>LFCE<\/strong>\u00a0(<strong>Linux Foundation Certified Engineer<\/strong>) exam, we will cover the required 
domains and competencies in Ubuntu, CentOS, and openSUSE:<\/p>\n<div id=\"exam_announcement\"><b>Part 1<\/b>:\u00a0<b>Installing Network Services and Configuring Automatic Startup at Boot<\/b><\/div>\n<div id=\"exam_announcement\"><b>Part 2<\/b>:\u00a0<a href=\"https:\/\/www.tecmint.com\/configure-nfs-server\/\" target=\"_blank\" rel=\"noopener\">Setting Up Standard Linux File Systems and Configuring NFSv4 Server<\/a><\/div>\n<div id=\"exam_announcement\"><b>Part 3<\/b>:\u00a0<a href=\"https:\/\/www.tecmint.com\/disk-encryption-in-linux\/\" target=\"_blank\" rel=\"noopener\">How to Setup Encrypted Filesystems and Swap Space Using \u2018Cryptsetup\u2019 Tool<\/a><\/div>\n<div id=\"exam_announcement\"><b>Part 4<\/b>:\u00a0<a href=\"https:\/\/www.tecmint.com\/setup-apache-with-name-based-virtual-hosting-with-ssl-certificate\/\" target=\"_blank\" rel=\"noopener\">Setup Standalone Apache Server with Name-Based Virtual Hosting with SSL<\/a><\/div>\n<div id=\"exam_announcement\"><b>Part 5<\/b>:\u00a0<a href=\"https:\/\/www.tecmint.com\/configure-squid-server-in-linux\/\" target=\"_blank\" rel=\"noopener\">Configuring Squid Proxy Server with Restricted Access and Setting Up Clients to Use Proxy<\/a><\/div>\n<div id=\"exam_announcement\"><b>Part 6<\/b>:\u00a0<a href=\"https:\/\/www.tecmint.com\/configure-squidguard-for-squid-proxy\/\" target=\"_blank\" rel=\"noopener\">Configuring SquidGuard, Enabling Content Rules and Analyzing Squid Logs<\/a><\/div>\n<div id=\"exam_announcement\"><b>Part 7<\/b>:\u00a0<a href=\"https:\/\/www.tecmint.com\/setting-up-email-services-smtp-and-restricting-access-to-smtp\/\" target=\"_blank\" rel=\"noopener\">Setting Up Email Services (SMTP, Imap and Imaps) and Restricting Access to SMTP<\/a><\/div>\n<div id=\"exam_announcement\"><b>Part 8<\/b>:\u00a0<a href=\"https:\/\/www.tecmint.com\/configure-iptables-firewall\/\" target=\"_blank\" rel=\"noopener\">How To Setup an Iptables Firewall to Enable Remote Access to Services in 
Linux<\/a><\/div>\n<div id=\"exam_announcement\"><b>Part 9<\/b>:\u00a0<a href=\"https:\/\/www.tecmint.com\/linux-system-monitoring-troubleshooting-tools\/\" target=\"_blank\" rel=\"noopener\">How to Monitor System Usage, Outages and Troubleshoot Linux Servers<\/a><\/div>\n<div id=\"exam_announcement\"><b>Part 10<\/b>:\u00a0<a href=\"https:\/\/www.tecmint.com\/setup-linux-as-router\/\" target=\"_blank\" rel=\"noopener\">How To Setup an Iptables Firewall to Enable Remote Access to Services in Linux<\/a><\/div>\n<div id=\"exam_announcement\"><b>Part 11<\/b>:\u00a0<a href=\"https:\/\/www.tecmint.com\/setup-yum-repository-in-centos-7\/\" target=\"_blank\" rel=\"noopener\">Setting Up A Local\/Network Repository to Install\/Update Packages<\/a><\/div>\n<div id=\"exam_announcement\"><b>Part 12<\/b>:\u00a0<a href=\"https:\/\/www.tecmint.com\/audit-network-performance-security-and-troubleshooting-in-linux\/\" target=\"_blank\" rel=\"noopener\">How to Audit Network Performance, Security, and Troubleshooting in Linux<\/a><\/div>\n<h3>Installing Network Services<\/h3>\n<p>When it comes to setting up and using any kind of network services, it is hard to imagine a scenario that Linux cannot be a part of. In this article we will show how to install the following network services in Linux (each configuration will be covered in upcoming separate articles):<\/p>\n<ol>\n<li>NFS (Network File System) Server<\/li>\n<li>Apache Web Server<\/li>\n<li>Squid Proxy Server + SquidGuard<\/li>\n<li>Email Server (Postfix + Dovecot), and<\/li>\n<li>Iptables<\/li>\n<\/ol>\n<p>In addition, we will want to make sure all of those services are automatically started on boot or on-demand.<\/p>\n<p>We must note that even when you can run all of these network services in the same physical machine or virtual private server, one of the first so-called \u201c<b>rules<\/b>\u201d of network security tells system administrators to avoid doing so to the extent possible. 
What is the reasoning behind that rule? It\u2019s rather simple: if a network service is compromised on a machine that runs several of them, the attacker already has a foothold on the host that runs the rest, and moving from one service to the next (same kernel, same local accounts, readable configuration files and credentials) is usually far easier than the initial break-in. Keeping each service on its own machine limits the blast radius of a single compromise.<\/p>\n<p>Now, if you really need to install multiple network services on the same machine (in a test lab, for example), make sure you enable only those that you need at a given moment, and disable them again afterwards. A service that is installed but neither running nor enabled is not listening on the network and cannot be attacked remotely.<\/p>\n<p>Before we begin, we need to clarify that the current article (along with the rest in the\u00a0<b>LFCS<\/b>\u00a0and\u00a0<b>LFCE<\/b>\u00a0series) is focused on a performance-based perspective, and thus cannot examine every theoretical detail about the covered topics. We will, however, introduce each topic with the necessary information as a starting point.<\/p>\n<p>In order to use the following network services, you will need to disable the firewall for the time being, until we learn (in Part 8) how to allow the corresponding traffic through it.<\/p>\n<p>Please note that this is\u00a0<strong>NOT<\/strong>\u00a0recommended for a production setup, and even in a lab the better habit is to keep the firewall running and open only the ports each service needs; we disable it here for learning purposes only.<\/p>\n<p>In a default Ubuntu installation, the firewall should not be active. In openSUSE and CentOS, you will need to explicitly disable it:<\/p>\n<pre># systemctl stop firewalld\r\n# systemctl disable firewalld\r\nor\r\n# systemctl mask firewalld\r\n<\/pre>\n<p>Masking goes one step further than disabling: it links the unit to \/dev\/null, so the service cannot be started at all (not even as a dependency of another unit) until it is unmasked again.<\/p>\n<p>That being said, let\u2019s get started!<\/p>\n<h4>Installing A NFSv4 Server<\/h4>\n<p><b>NFS<\/b>\u00a0is a network protocol; its current major version is\u00a0<b>NFSv4<\/b>. 
This is the version that we will use throughout this series.<\/p>\n<p>An NFS server is the traditional solution that lets remote Linux clients mount its shares over the network and use those file systems as though they were mounted locally, which centralizes the storage resources of the network.<\/p>\n<h5>On CentOS<\/h5>\n<pre># yum update &amp;&amp; yum install nfs-utils\r\n<\/pre>\n<h5>On Ubuntu<\/h5>\n<pre># aptitude update &amp;&amp; aptitude install nfs-kernel-server\r\n<\/pre>\n<h5>On OpenSUSE<\/h5>\n<pre># zypper refresh &amp;&amp; zypper install nfsserver\r\n<\/pre>\n<p>For more detailed instructions, read our article on\u00a0<a href=\"https:\/\/www.tecmint.com\/how-to-setup-nfs-server-in-linux\/\" target=\"_blank\" rel=\"noopener\">Configuring NFS Server and Client<\/a>\u00a0on Linux systems.<\/p>\n<h4>Installing Apache Web Server<\/h4>\n<p>The\u00a0<b>Apache<\/b>\u00a0web server is a robust and reliable FOSS implementation of an HTTP server. As of the end of October 2014, Apache powered 385 million sites, giving it a\u00a0<b>37.45%<\/b>\u00a0share of the market. 
You can use Apache to serve a standalone website or multiple virtual hosts on one machine.<\/p>\n<pre># yum update &amp;&amp; yum install httpd\t\t[On CentOS]\r\n# aptitude update &amp;&amp; aptitude install apache2 \t\t[On Ubuntu]\r\n# zypper refresh &amp;&amp; zypper install apache2\t\t[On openSUSE]\r\n<\/pre>\n<p>For more detailed instructions, read the following articles, which show how to create IP-based and name-based Apache virtual hosts and how to secure the Apache web server.<\/p>\n<ol>\n<li><a href=\"https:\/\/www.tecmint.com\/apache-ip-based-and-name-based-virtual-hosting\/\" target=\"_blank\" rel=\"noopener\">Apache IP Based and Name Based Virtual Hosting<\/a><\/li>\n<li><a href=\"https:\/\/www.tecmint.com\/apache-security-tips\/\" target=\"_blank\" rel=\"noopener\">Apache Web Server Hardening and Security Tips<\/a><\/li>\n<\/ol>\n<h4>Installing Squid and SquidGuard<\/h4>\n<p><b>Squid<\/b>\u00a0is a proxy server and web cache daemon and, as such, acts as an intermediary between several client computers and the Internet (or a router connected to the Internet), speeding up frequent requests by caching web content and DNS lookups. It can also be used to deny (or grant) access to certain URLs by network segment or based on forbidden keywords, and it keeps a log of all connections made to the outside world on a per-user basis.<\/p>\n<p><b>SquidGuard<\/b>\u00a0is a URL redirector that adds blacklist-based filtering to Squid and integrates seamlessly with it.<\/p>\n<pre># yum update &amp;&amp; yum install squid squidGuard\t\t\t[On CentOS] \r\n# aptitude update &amp;&amp; aptitude install squid3 squidguard\t\t[On Ubuntu]\r\n# zypper refresh &amp;&amp; zypper install squid squidGuard \t\t[On openSUSE]\r\n<\/pre>\n<h4>Installing Postfix and Dovecot<\/h4>\n<p><b>Postfix<\/b>\u00a0is a Mail Transport Agent (MTA). 
It is the application responsible for routing and delivering email messages from the sending mail server to the destination mail server, whereas\u00a0<b>Dovecot<\/b>\u00a0is a widely used IMAP and POP3 server that takes the messages the MTA has delivered to a user\u2019s mailbox and serves them to that user\u2019s mail client.<\/p>\n<p>Dovecot plugins for several relational database management systems (used, for example, to look up users and passwords) are also available.<\/p>\n<pre># yum update &amp;&amp; yum install postfix dovecot \t\t\t\t[On CentOS] \r\n# aptitude update &amp;&amp; aptitude install postfix dovecot-imapd dovecot-pop3d \t[On Ubuntu]\r\n# zypper refresh &amp;&amp; zypper install postfix dovecot\t\t\t\t[On openSUSE]\t\r\n<\/pre>\n<h4>About Iptables<\/h4>\n<p>In a few words, a\u00a0<b>firewall<\/b>\u00a0is a network resource used to control access to or from a private network, and to filter or redirect incoming and outgoing traffic based on a set of rules.<\/p>\n<p><b>Iptables<\/b>\u00a0is a user-space tool installed by default on most Linux distributions and serves as a frontend to the netfilter framework in the kernel, which is ultimately responsible for packet filtering, redirection and network address translation.<\/p>\n<p>Since iptables is installed by default, you only have to make sure that the kernel side is actually available. To do that, check that the ip_tables module is loaded:<\/p>\n<pre># lsmod | grep ip_tables\r\n<\/pre>\n<p>If the above command does not return anything, it usually means the\u00a0<b>ip_tables<\/b>\u00a0module has not been loaded (the exception is a kernel with ip_tables built in rather than compiled as a module, which lsmod does not list). 
In that case, run the following command to load the module.<\/p>\n<pre># modprobe -a ip_tables\r\n<\/pre>\n<p><b>Read Also<\/b>:\u00a0<a href=\"https:\/\/www.tecmint.com\/basic-guide-on-iptables-linux-firewall-tips-commands\/\" target=\"_blank\" rel=\"noopener\">Basic Guide to Linux Iptables Firewall<\/a><\/p>\n<h3>Configuring Services to Start Automatically on Boot<\/h3>\n<p>As discussed in\u00a0<a href=\"https:\/\/www.tecmint.com\/linux-boot-process-and-manage-services\/\" target=\"_blank\" rel=\"noopener\">Managing System Startup Process and Services \u2013 Part 7<\/a>\u00a0of the 10-article series about the\u00a0<b>LFCS<\/b>\u00a0certification, there are several system and service managers available in Linux. Whatever your choice, you need to know how to start, stop, and restart network services on demand, and how to enable them to start automatically on boot.<\/p>\n<p>You can check which system and service manager your system uses by looking at process 1:<\/p>\n<pre># ps --pid 1\r\n<\/pre>\n<div id=\"attachment_9765\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Check-Linux-Service-Manager.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9765\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Check-Linux-Service-Manager.png\" alt=\"Check Linux Service Manager\" width=\"476\" height=\"220\" aria-describedby=\"caption-attachment-9765\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9765\" class=\"wp-caption-text\">Check Linux Service Manager<\/p>\n<\/div>\n<p>Depending on the output of the above command, you will use one of the following commands to configure whether each service should start automatically on boot or not:<\/p>\n<h5>On systemd-based<\/h5>\n<pre>----------- Enable Service to Start at Boot -----------\r\n# systemctl enable [service]\r\n<\/pre>\n<pre>----------- Prevent Service from Starting at Boot -----------\r\n# systemctl disable [service]\r\n<\/pre>\n<h5>On sysvinit-based<\/h5>\n<pre>----------- Start Service at Boot in Runlevels A and B -----------\r\n# chkconfig --level AB [service] on\r\n<\/pre>\n<pre>----------- Don\u2019t Start Service at Boot in Runlevels C and D -----------\r\n# chkconfig --level CD [service] off\r\n<\/pre>\n<p>chkconfig is the Red Hat-style tool (CentOS, openSUSE); Debian-derived systems running sysvinit manage the same runlevel links with update-rc.d instead.<\/p>\n<h5>On upstart-based<\/h5>\n<p>Make sure the\u00a0<b>\/etc\/init\/[service].conf<\/b>\u00a0job file exists and contains the minimal configuration, such as:<\/p>\n<pre># When to start the service\r\nstart on runlevel [2345]\r\n# When to stop the service\r\nstop on runlevel [016]\r\n# Automatically restart process in case of crash\r\nrespawn\r\n# Specify the process\/command (add arguments if needed) to run\r\nexec \/absolute\/path\/to\/network\/service\/binary arg1 arg2\r\n<\/pre>\n<p>Note that an upstart job runs its exec command as root unless the setuid and setgid stanzas are used, so a network service started this way must either drop privileges on its own or be told which account to run as.<\/p>\n<p>You may also want to check\u00a0<b>Part 7<\/b>\u00a0of the LFCS series (which we referred to at the beginning of this section) for other useful commands to manage network services on demand.<\/p>\n<h3>Summary<\/h3>\n<p>By now you should have all the network services described in this article installed, and possibly running with the default configuration. In later articles we will explore how to configure them according to our needs, so make sure to stay tuned! 
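The three cases above (systemd, sysvinit and upstart) behind one small script, as an added example that is not part of the original article. It detects the init system the same way the `ps --pid 1` check does, prints the matching enable/disable command as a dry run, and applies it only on request. Assumptions: PID 1 is named `systemd` or `init` in `/proc/1/comm`; an upstart init answers `/sbin/init --version` with the word "upstart"; chkconfig is the sysvinit tool (CentOS, openSUSE); upstart jobs are disabled by a `manual` line in `/etc/init/<job>.override`. Function names and the `luks`-style naming are this example's own, not part of any distribution.

```shell
#!/bin/sh
# Added example (not from the original article): enable or disable a network
# service at boot across systemd, sysvinit and upstart, with detection done the
# way "ps --pid 1" does it. See the lead-in for the assumptions.

# classify_init COMM BANNER: map the name of PID 1 plus the init version banner
# to one of systemd, upstart, sysvinit or unknown. Pure, so it is testable offline.
classify_init() {
    case "$1" in
        systemd) printf '%s\n' systemd ;;
        init)
            case "$2" in
                *upstart*) printf '%s\n' upstart ;;
                *)         printf '%s\n' sysvinit ;;
            esac ;;
        *) printf '%s\n' unknown ;;
    esac
}

# detect_init: classify the init system of the running host.
detect_init() {
    comm=$(cat /proc/1/comm 2>/dev/null || ps -p 1 -o comm= 2>/dev/null)
    banner=$(/sbin/init --version 2>/dev/null || true)
    classify_init "$comm" "$banner"
}

# boot_cmd enable|disable SERVICE INIT: print the command that configures SERVICE
# to start (or not) at boot under INIT. Runlevels 2-5 match the upstart stanza
# "start on runlevel [2345]". The service name is validated because it ends up
# in a command line that the caller may execute.
boot_cmd() {
    action=$1 service=$2 init=$3
    case "$service" in
        ''|*[!A-Za-z0-9_.@-]*) printf 'invalid service name: %s\n' "$service" >&2; return 1 ;;
    esac
    case "$init:$action" in
        systemd:enable)   printf 'systemctl enable %s\n' "$service" ;;
        systemd:disable)  printf 'systemctl disable %s\n' "$service" ;;
        sysvinit:enable)  printf 'chkconfig --level 2345 %s on\n' "$service" ;;
        sysvinit:disable) printf 'chkconfig --level 2345 %s off\n' "$service" ;;
        upstart:enable)   printf 'rm -f /etc/init/%s.override\n' "$service" ;;
        upstart:disable)  printf 'echo manual > /etc/init/%s.override\n' "$service" ;;
        *) printf 'unsupported init/action: %s/%s\n' "$init" "$action" >&2; return 1 ;;
    esac
}

# check_cmd SERVICE INIT: print the command that reports the resulting boot state,
# so that an --apply run verifies what it just changed.
check_cmd() {
    case "$2" in
        systemd)  printf 'systemctl is-enabled %s\n' "$1" ;;
        sysvinit) printf 'chkconfig --list %s\n' "$1" ;;
        upstart)  printf 'initctl show-config %s; cat /etc/init/%s.override 2>/dev/null\n' "$1" "$1" ;;
        *) return 1 ;;
    esac
}

# Usage: sh boot-service.sh enable|disable SERVICE [--apply]
# Without --apply the command is only printed (dry run).
case "${1:-}" in
    enable|disable)
        init=$(detect_init)
        cmd=$(boot_cmd "$1" "$2" "$init") || exit 1
        if [ "${3:-}" = "--apply" ]; then
            sh -c "$cmd" && sh -c "$(check_cmd "$2" "$init")"
        else
            printf '[%s] would run: %s\n' "$init" "$cmd"
        fi ;;
esac
```

The dry run is the default on purpose: on a host with several of the services from this article installed, run it once per service to see what would change, then re-run with `--apply` only for the ones you actually need enabled.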
And please feel free to share your comments (or post questions, if you have any) on this article using the form below.<\/p>\n<h5>Reference Links<\/h5>\n<ol>\n<li><a href=\"https:\/\/training.linuxfoundation.org\/certification\/LFCE\" target=\"_blank\" rel=\"noopener\">About the LFCE<\/a><\/li>\n<li><a href=\"https:\/\/training.linuxfoundation.org\/certification\/why-certify-with-us\" target=\"_blank\" rel=\"noopener\">Why get a Linux Foundation Certification?<\/a><\/li>\n<li><a href=\"https:\/\/www.shareasale.com\/r.cfm?b=768109&amp;u=1260899&amp;m=59485&amp;urllink=&amp;afftrack=\" target=\"_blank\" rel=\"noopener\">Register for the LFCE exam<\/a><\/li>\n<\/ol>\n<h1 class=\"post-title\">Setting Up Standard Linux File Systems and Configuring NFSv4 Server \u2013 Part 2<\/h1>\n<p>A Linux Foundation Certified Engineer\u200b (<strong>LFCE<\/strong>)\u200b is trained to set up, configure, manage, and troubleshoot network services in Linux systems, and is answerable for the design and implementation of system architecture and solving everyday related issues.\u200b<\/p>\n<div id=\"attachment_9870\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/lfce2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9870\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/lfce2.png\" alt=\"Configuring NFS Server\" width=\"600\" height=\"400\" aria-describedby=\"caption-attachment-9870\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9870\" class=\"wp-caption-text\">Linux Foundation Certified Engineer \u2013 Part 2<\/p>\n<\/div>\n<p>Introducing The Linux Foundation Certification Program (LFCE).<\/p>\n<div class=\"post-format\">\n<div class=\"video-container\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/Y29qZ71Kicg\" width=\"720\" height=\"405\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" 
data-mce-fragment=\"1\"><\/iframe><\/div>\n<\/div>\n<p>In Part 1 of this series we explained how to install an NFS (Network File System) server, and set the service to start automatically on boot. If you haven\u2019t already done so, please refer to that article and follow the outlined steps before proceeding.<\/p>\n<ol>\n<li><a href=\"https:\/\/www.tecmint.com\/installing-network-services-and-configuring-services-at-system-boot\/\" target=\"_blank\" rel=\"noopener\">Installing Network Services and Configuring Automatic Startup at Boot \u2013 Part 1<\/a><\/li>\n<\/ol>\n<p>I will now show you how to properly configure your\u00a0<b>NFSv4<\/b>\u00a0server so that you can set up network shares to use in Linux clients as if those file systems were installed locally. We will use the default security flavour (AUTH_SYS), in which the server simply trusts the user and group IDs that a client reports; in other words, any host allowed in the export list is trusted completely, so export only to hosts you control and never to the whole network. Note that you can use Kerberos (the sec=krb5 export option) for real authentication of users, and LDAP or NIS to keep user IDs consistent across hosts, but those options are out of the scope of the LFCE certification.<\/p>\n<h3>Configuring a NFSv4 server<\/h3>\n<p>Once the NFS server is up and running, we will focus our attention on:<\/p>\n<ol>\n<li>specifying and configuring the local directories that we want to share over the network, and<\/li>\n<li>mounting those network shares on clients automatically, either through the\u00a0<b>\/etc\/fstab<\/b>\u00a0file or the kernel-based automounter (autofs).<\/li>\n<\/ol>\n<p>We will explain later when to choose one method or the other.<\/p>\n<p>Before we begin, we need to make sure that the\u00a0<b>idmapd<\/b>\u00a0daemon is running and configured. 
This service maps\u00a0<b>NFSv4<\/b>\u00a0names (<b>user@mydomain<\/b>) to numeric user and group IDs and is required by an NFSv4 server. The domain must be configured identically on the server and on every client, otherwise files will appear to be owned by nobody.<\/p>\n<p>Edit\u00a0<b>\/etc\/default\/nfs-common<\/b>\u00a0(on Debian and Ubuntu) to enable idmapd.<\/p>\n<pre>NEED_IDMAPD=YES\r\n<\/pre>\n<p>And edit\u00a0<b>\/etc\/idmapd.conf<\/b>\u00a0with your local domain name (the default is derived from the DNS domain name of the host).<\/p>\n<pre>Domain = yourdomain.com\r\n<\/pre>\n<p>Then start idmapd.<\/p>\n<pre># service nfs-common start \t[sysvinit \/ upstart based systems]\r\n# systemctl start nfs-common \t[systemd based systems]\r\n<\/pre>\n<h4>Exporting Network Shares<\/h4>\n<p>The\u00a0<b>\/etc\/exports<\/b>\u00a0file contains the main configuration directives for our NFS server: it defines the file systems that will be exported to remote hosts and specifies the options for each. In this file, each network share is described on a separate line with the following structure:<\/p>\n<pre>\/filesystem\/to\/export client1([options]) clientN([options])\r\n<\/pre>\n<p>Where\u00a0<b>\/filesystem\/to\/export<\/b>\u00a0is the absolute path to the exported file system, whereas\u00a0<b>client1<\/b>\u00a0(up to clientN) represents the specific client (hostname or IP address) or network (wildcards are allowed) to which the share is being exported. Finally, options is a comma-separated list of export options that applies to the client it is attached to. 
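An audit of an /etc/exports file for the mistakes that silently widen access, as an added example that is not part of the original article. The one that bites most often is a space between the client and its "(options)": exportfs reads `host (rw)` as two entries, `host` with the default options and `(rw)` with no client, which it exports to every host (`*`) after printing nothing more than a warning. The script also flags `no_root_squash`, read-write wildcard exports and the `insecure` option. Assumptions: POSIX sh and awk; the sample exports content in `sample_exports` is constructed for this example (the two entries from this article plus three deliberately risky ones) and is not a real server's configuration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): audit /etc/exports for options
# that are not attached to a client, no_root_squash, world-writable exports and
# the insecure option. Sample content below is constructed.

# audit_exports FILE: print "LEVEL: path: message" lines; exit 1 if any HIGH finding.
audit_exports() {
    awk '
    { sub(/#.*/, "") }                  # drop comments
    $0 ~ /^[ \t]*$/ { next }            # skip blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            tok = $i
            p = index(tok, "(")
            if (p == 1) {
                # "(options)" with no client in front of it: exportfs turns this
                # into "*(options)" and only warns, so every host gets these options
                printf "HIGH: %s: options %s are not attached to a client and apply to ALL hosts\n", path, tok
                high++
                client = "*"; opts = tok
            } else if (p > 0) {
                client = substr(tok, 1, p - 1); opts = substr(tok, p)
            } else {
                client = tok; opts = ""   # no options: exportfs defaults (ro, root_squash)
            }
            gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            rw = 0; nrs = 0; insecure = 0
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash") nrs = 1
                if (o[j] == "insecure") insecure = 1
            }
            if (nrs) { printf "HIGH: %s: no_root_squash for %s (remote root keeps uid 0)\n", path, client; high++ }
            if (client == "*" && rw) { printf "HIGH: %s: read-write export to every host\n", path; high++ }
            else if (client == "*") printf "WARN: %s: read-only export to every host\n", path
            if (insecure) printf "WARN: %s: insecure allows requests from unprivileged ports on %s\n", path, client
        }
    }
    END { exit (high > 0) }' "$1"
}

# sample_exports: constructed test input. The first two lines are the exports used
# in this article; the remaining three each contain one of the mistakes above.
sample_exports() {
    cat <<'EOF'
# constructed sample, not a real server configuration
/NFS-SHARE        192.168.0.17(fsid=0,no_subtree_check,rw,root_squash,sync,anonuid=1000,anongid=1000)
/NFS-SHARE/mydir  192.168.0.17(ro,sync,no_subtree_check)
/srv/backup       192.168.0.0/24(rw,no_root_squash)
/srv/pub          *(ro,all_squash)
/srv/oops         192.168.0.17 (rw,sync)
EOF
}

# Usage: sh audit-exports.sh /etc/exports      (audit a real file)
#        sh audit-exports.sh --demo            (audit the constructed sample)
case "${1:-}" in
    --demo) tmp=$(mktemp) && sample_exports > "$tmp" && audit_exports "$tmp"; rm -f "$tmp" ;;
    ?*)     audit_exports "$1" ;;
esac
```

On the sample, the two entries from this article produce no findings; `/srv/oops` produces two HIGH lines (the detached options, and the resulting read-write export to every host), `/srv/backup` one, and `/srv/pub` a warning. The non-zero exit status makes the check usable in a pre-deployment hook.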
Please note that there must be no space between each client and the parentheses that follow it. This is not a cosmetic detail: exportfs parses \u201cclient (options)\u201d as two separate entries, client with the default options and \u201c(options)\u201d with no client at all, which it treats as the wildcard * (it prints a warning but still exports), so a single stray space exports the share to every host with the options you meant for one.<\/p>\n<p>Here is a list of the most-frequent options and their respective description:<\/p>\n<ol>\n<li><b>ro<\/b>\u00a0(short for read-only): Remote clients can mount the exported file systems with read permissions only. This is the default.<\/li>\n<li><b>rw<\/b>\u00a0(short for read-write): Allows remote hosts to make write changes in the exported file systems.<\/li>\n<li><b>wdelay<\/b>\u00a0(short for write delay): The NFS server delays committing changes to disk if it suspects another related write request is imminent. However, if the NFS server receives multiple small unrelated requests, this option will reduce performance, so the\u00a0<b>no_wdelay<\/b>\u00a0option can be used to turn it off.<\/li>\n<li><b>sync<\/b>: The NFS server replies to requests only after changes have been committed to permanent storage (i.e., the hard disk). Its opposite, the\u00a0<b>async<\/b>\u00a0option, may increase performance but at the cost of data loss or corruption after an unclean server restart.<\/li>\n<li><b>root_squash<\/b>: Prevents remote root users from having superuser privileges on the server by mapping their requests to the anonymous user (nobody by default, or the IDs set with anonuid\/anongid). This is the default and should stay on: its opposite,\u00a0<b>no_root_squash<\/b>, lets root on any allowed client read or overwr
ite every file in the share and plant setuid binaries in it. If you want to \u201c<b>squash<\/b>\u201d all users (and not just root), you can use the\u00a0<b>all_squash<\/b>\u00a0option.<\/li>\n<li><b>anonuid<\/b>\u00a0\/\u00a0<b>anongid<\/b>: Explicitly sets the UID and GID of the anonymous account (nobody).<\/li>\n<li><b>subtree_check<\/b>: If only a subdirectory of a file system is exported, this option verifies that a requested file is located in that exported subdirectory. On the other hand, if the entire file system is exported, disabling this option with\u00a0<b>no_subtree_check<\/b>\u00a0will speed up transfers. 
The default option nowadays is\u00a0<b>no_subtree_check<\/b>\u00a0as subtree checking tends to cause more problems than it is worth, according to man 5 exports.<\/li>\n<li><b>fsid=0<\/b>\u00a0|\u00a0<b>root<\/b>\u00a0(zero or root): Marks the directory as the root of the NFSv4 pseudo-file system; clients mount it as \/ and the other exports appear beneath it (only applies to NFSv4).<\/li>\n<\/ol>\n<p>In this article we will use the directories\u00a0<b>\/NFS-SHARE<\/b>\u00a0and\u00a0<b>\/NFS-SHARE\/mydir<\/b>\u00a0on\u00a0<b>192.168.0.10<\/b>\u00a0(NFS server) as our test file systems.<\/p>\n<p>We can always list the available network shares of an NFS server using the following command:<\/p>\n<pre># showmount -e [IP or hostname]\r\n<\/pre>\n<div id=\"attachment_9866\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Check-NFS-Shares.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9866\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Check-NFS-Shares.png\" alt=\"Check NFS Shares\" width=\"363\" height=\"97\" aria-describedby=\"caption-attachment-9866\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9866\" class=\"wp-caption-text\">Check NFS Shares<\/p>\n<\/div>\n<p>In the output above, we can see that the\u00a0<b>\/NFS-SHARE<\/b>\u00a0and\u00a0<b>\/NFS-SHARE\/mydir<\/b>\u00a0shares on\u00a0<b>192.168.0.10<\/b>\u00a0have been exported to the client with IP address\u00a0<b>192.168.0.17<\/b>. Note that this list is visible to anyone who can reach the server: it is exactly what an attacker runs to enumerate NFS shares, so it is no substitute for a tight client list in \/etc\/exports.<\/p>\n<p>Our initial configuration (refer to the\u00a0<b>\/etc\/exports<\/b>\u00a0file on your NFS server) for the exported directories is as follows:<\/p>\n<pre>\/NFS-SHARE  \t192.168.0.17(fsid=0,no_subtree_check,rw,root_squash,sync,anonuid=1000,anongid=1000)\r\n\/NFS-SHARE\/mydir    \t192.168.0.17(ro,sync,no_subtree_check)\r\n<\/pre>\n<p>After editing the configuration file, we must re-export the shares, either with exportfs -ra (which applies the new table without disturbing clients that already have the shares mounted) or by restarting the NFS service:<\/p>\n<pre># service nfs-kernel-server restart \t\t[sysvinit \/ upstart based system]\r\n# 
systemctl restart nfs-server\t\t\t[systemd based systems]\r\n<\/pre>\n<h6>Mounting exported network shares using autofs<\/h6>\n<p>You may want to refer to\u00a0<b>Part 5<\/b>\u00a0of the LFCS series (\u201c<a href=\"https:\/\/www.tecmint.com\/mount-filesystem-in-linux\/\" target=\"_blank\" rel=\"noopener\">How to Mount\/Unmount Local and Network (Samba &amp; NFS) Filesystems in Linux<\/a>\u201d) for details on mounting remote NFS shares on-demand using the\u00a0<b>mount<\/b>\u00a0command or permanently through the\u00a0<b>\/etc\/fstab<\/b>\u00a0file.<\/p>\n<p>The downside of mounting a network file system using these methods is that the system must allocate the necessary resources to keep the share mounted at all times, or at least until we decide to unmount them manually. An alternative is to mount the desired file system on-demand automatically (without using the\u00a0<b>mount<\/b>command) through\u00a0<b>autofs<\/b>, which can mount file systems when they are used and unmount them after a period of inactivity.<\/p>\n<p>Autofs reads\u00a0<b>\/etc\/auto.master<\/b>, which has the following format:<\/p>\n<pre>[mount point]\t[map file]\r\n<\/pre>\n<p>Where\u00a0<b>[map file]<\/b>\u00a0is used to indicate multiple mount points within\u00a0<b>[mount point]<\/b>.<\/p>\n<p>This master map file (<b>\/etc\/auto.master<\/b>) is then used to determine which mount points are defined, and then starts an automount process with the specified parameters for each mount point.<\/p>\n<h6>Mounting exported NFS shares using autofs<\/h6>\n<p>Edit your\u00a0<b>\/etc\/auto.master<\/b>\u00a0as follows:<\/p>\n<pre>\/media\/nfs\t\/etc\/auto.nfs-share\t--timeout=60\r\n<\/pre>\n<p>and create a map file named\u00a0<b>\/etc\/auto.nfs-share<\/b>\u00a0with the following contents:<\/p>\n<pre>writeable_share  -fstype=nfs4 192.168.0.10:\/\r\nnon_writeable_share  -fstype=nfs4 192.168.0.10:\/mydir\r\n<\/pre>\n<p>Note that the first field in\u00a0<b>\/etc\/auto.nfs-share<\/b>\u00a0is the name of a 
subdirectory inside\u00a0<b>\/media\/nfs<\/b>. Each subdirectory is created dynamically by autofs.<\/p>\n<p>Now, restart the autofs service:<\/p>\n<pre># service autofs restart \t\t\t[sysvinit \/ upstart based systems]\r\n# systemctl restart autofs \t\t\t[systemd based systems]\r\n<\/pre>\n<p>and finally, to enable\u00a0<b>autofs<\/b>\u00a0to start on boot, run the following command:<\/p>\n<pre># chkconfig --level 345 autofs on\r\n# systemctl enable autofs \t\t\t[systemd based systems]\r\n<\/pre>\n<h6>Examining mounted file systems after starting the autofs daemon<\/h6>\n<p>When we restart\u00a0<b>autofs<\/b>, the\u00a0<b>mount<\/b>\u00a0command shows us that the map file (<b>\/etc\/auto.nfs-share<\/b>) is mounted on the specified directory in\u00a0<b>\/etc\/auto.master<\/b>:<\/p>\n<div id=\"attachment_9867\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/NFS-Share-Mounted.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-9867\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/NFS-Share-Mounted-620x164.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/NFS-Share-Mounted-620x164.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/NFS-Share-Mounted.png 694w\" alt=\"NFS Share Mounted\" width=\"620\" height=\"164\" aria-describedby=\"caption-attachment-9867\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9867\" class=\"wp-caption-text\">NFS Share Mounted<\/p>\n<\/div>\n<p>Please note that no directories have actually been mounted yet, but will be automatically when we try to access the shares specified in\u00a0<b>\/etc\/auto.nfs-share<\/b>:<\/p>\n<div id=\"attachment_9868\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Automount-NFS-Shares.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium 
wp-image-9868\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Automount-NFS-Shares-620x196.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Automount-NFS-Shares-620x196.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Automount-NFS-Shares-1024x323.png 1024w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Automount-NFS-Shares.png 1135w\" alt=\"Automount NFS Shares\" width=\"620\" height=\"196\" aria-describedby=\"caption-attachment-9868\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9868\" class=\"wp-caption-text\">Automount NFS Shares<\/p>\n<\/div>\n<p>As we can see, the autofs service \u201c<b>mounts<\/b>\u201d the map file, so to speak, but waits until a request is made to the file systems to actually mount them.<\/p>\n<h6>Performing write tests in exported file systems<\/h6>\n<p>The\u00a0<b>anonuid<\/b>\u00a0and\u00a0<b>anongid<\/b>\u00a0options, along with the\u00a0<b>root_squash<\/b>\u00a0as set in the first share, allow us to map requests performed by the root user in the client to a local account in the server.<\/p>\n<p>In other words, when root in the client creates a file in that exported directory, its ownership will be automatically mapped to the user account with UID and GID = 1000, provided that such account exists on the server:<\/p>\n<div id=\"attachment_9869\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Perform-NFS-Write-Tests.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9869\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Perform-NFS-Write-Tests.png\" alt=\"Perform NFS Write Tests\" width=\"619\" height=\"184\" aria-describedby=\"caption-attachment-9869\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9869\" class=\"wp-caption-text\">Perform NFS Write 
Tests<\/p>\n<\/div>\n<h3>Conclusion<\/h3>\n<p>I hope you were able to successfully setup and configure a NFS server fit for your environment using this article as a guide. You may also want to refer to the relevant man pages for further help (<b>man exports<\/b>\u00a0and\u00a0<b>man idmapd.conf<\/b>, for example).<\/p>\n<p>Feel free to experiment with other options and test cases as outlined earlier and do not hesitate to use the form below to send your comments, suggestions, or questions. We will be glad to hear from you.<\/p>\n<h1 class=\"post-title\">How to Setup Encrypted Filesystems and Swap Space Using \u2018Cryptsetup\u2019 Tool in Linux \u2013 Part 3<\/h1>\n<p>A\u00a0<b>LFCE<\/b>\u00a0(short for\u00a0<b>Linux Foundation Certified Engineer<\/b>\u200b) is trained and has the expertise to install, manage, and troubleshoot network services in Linux systems, and is in charge of the design, implementation and ongoing maintenance of the system architecture.<\/p>\n<div id=\"attachment_9948\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/lfce3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9948\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/lfce3.png\" alt=\"Linux Hard Disk Encryption\" width=\"600\" height=\"400\" aria-describedby=\"caption-attachment-9948\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9948\" class=\"wp-caption-text\">Linux Filesystem Encryption<\/p>\n<\/div>\n<p>Introducing The Linux Foundation Certification Program (LFCE).<\/p>\n<div class=\"post-format\">\n<div class=\"video-container\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/Y29qZ71Kicg\" width=\"720\" height=\"405\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" data-mce-fragment=\"1\"><\/iframe><\/div>\n<\/div>\n<p>The idea behind encryption is to allow only trusted persons to access your sensitive data and to protect it from falling 
into the wrong hands in case of loss or theft of your machine \/ hard disk.<\/p>\n<p>In simple terms, a key is used to \u201c<b>lock<\/b>\u201d access to your information, so that it becomes available only when the system is running and an authorized user has unlocked it. This implies that if a person tries to examine the disk contents (by plugging it into his own system or by booting the machine with a LiveCD\/DVD\/USB), he will only find unreadable data instead of the actual files. Keep in mind what this does and does not protect against: encryption at rest defends the data while the device is locked (powered off, lost or stolen); once it has been unlocked on a running system, anyone who gains access to that system sees the plaintext.<\/p>\n<p>In this article we will discuss how to set up encrypted file systems with\u00a0<b>dm-crypt<\/b>\u00a0(the device-mapper crypt target), the standard kernel-level encryption facility. Please note that since\u00a0<b>dm-crypt<\/b>\u00a0is a block-level tool, it can only be used to encrypt full devices, partitions, or loop devices; it will not work directly on regular files or directories (a regular file can, however, be attached to a loop device and encrypted that way).<\/p>\n<h3>Preparing A Drive \/ Partition \/ Loop Device for Encryption<\/h3>\n<p>Since we will wipe all data present on our chosen drive (<b>\/dev\/sdb<\/b>), first of all, we need to back up any important files contained on that drive\u00a0<b>BEFORE<\/b>\u00a0proceeding further.<\/p>\n<p>Wipe all data from\u00a0<b>\/dev\/sdb<\/b>. We are going to use the\u00a0<b>dd<\/b>\u00a0command here, but you could also do it with other tools such as\u00a0<b>shred<\/b>. Filling the drive with random data rather than zeros has a second purpose: after encryption, used and unused space are indistinguishable from the outside. 
Next, we will create a partition on this device,\u00a0<b>\/dev\/sdb1<\/b>, following the explanation in\u00a0<a href=\"https:\/\/www.tecmint.com\/create-partitions-and-filesystems-in-linux\/\">Part 4 \u2013 Create Partitions and Filesystems in Linux<\/a>\u00a0of the LFCS series.<\/p>\n<pre># dd if=\/dev\/urandom of=\/dev\/sdb bs=4096 \r\n<\/pre>\n<h5>Testing for Encryption Support<\/h5>\n<p>Before we proceed further, we need to make sure that our kernel has been compiled with encryption support:<\/p>\n<pre># grep -i config_dm_crypt \/boot\/config-$(uname -r)\r\n<\/pre>\n<div id=\"attachment_9941\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Check-Encryption-Support.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9941\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Check-Encryption-Support.png\" alt=\"Check Encryption Support in Linux\" width=\"559\" height=\"213\" aria-describedby=\"caption-attachment-9941\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9941\" class=\"wp-caption-text\">Check Encryption Support<\/p>\n<\/div>\n<p>As outlined in the image above, the\u00a0<b>dm-crypt<\/b>\u00a0kernel module needs to be loaded in order to set up encryption.<\/p>\n<h5>Installing Cryptsetup<\/h5>\n<p><b>Cryptsetup<\/b>\u00a0is a frontend interface for creating, configuring, accessing, and managing encrypted file systems using\u00a0<b>dm-crypt<\/b>.<\/p>\n<pre># aptitude update &amp;&amp; aptitude install cryptsetup \t\t[On Ubuntu]\r\n# yum update &amp;&amp; yum install cryptsetup \t\t\t\t[On CentOS] \r\n# zypper refresh &amp;&amp; zypper install cryptsetup \t\t\t[On openSUSE]\r\n<\/pre>\n<h4>Setting Up an Encrypted Partition<\/h4>\n<p>The default operating mode for\u00a0<b>cryptsetup<\/b>\u00a0is\u00a0<b>LUKS<\/b>\u00a0(<b>Linux Unified Key Setup<\/b>) so we\u2019ll stick with it. 
We will begin by setting up the LUKS partition and the passphrase:<\/p>\n<pre># cryptsetup -y luksFormat \/dev\/sdb1\r\n<\/pre>\n<div id=\"attachment_9942\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Creating-Encryption-Partition.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9942\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Creating-Encryption-Partition.png\" alt=\"Creating an Encrypted Partition\" width=\"421\" height=\"182\" aria-describedby=\"caption-attachment-9942\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9942\" class=\"wp-caption-text\">Creating an Encrypted Partition<\/p>\n<\/div>\n<p>The command above runs\u00a0<b>cryptsetup<\/b>\u00a0with default parameters, which can be listed with,<\/p>\n<pre># cryptsetup --version\r\n<\/pre>\n<div id=\"attachment_9943\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Cryptsetup-Parameters.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-9943\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Cryptsetup-Parameters-620x116.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Cryptsetup-Parameters-620x116.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Cryptsetup-Parameters.png 775w\" alt=\"Cryptsetup Parameters\" width=\"620\" height=\"116\" aria-describedby=\"caption-attachment-9943\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9943\" class=\"wp-caption-text\">Cryptsetup Parameters<\/p>\n<\/div>\n<p>Should you want to change the\u00a0<b>cipher<\/b>,\u00a0<b>hash<\/b>, or\u00a0<b>key<\/b>\u00a0parameters, you can use the\u00a0<b>--cipher<\/b>,\u00a0<b>--hash<\/b>, and\u00a0<b>--key-size<\/b>\u00a0flags, respectively, with the values taken 
from\u00a0<b>\/proc\/crypto<\/b>.<\/p>\n<p>Next, we need to open the LUKS partition (we will be prompted for the passphrase that we entered earlier). If the authentication succeeds, our encrypted partition will be available inside\u00a0<b>\/dev\/mapper<\/b>\u00a0with the specified name:<\/p>\n<pre># cryptsetup luksOpen \/dev\/sdb1 my_encrypted_partition\r\n<\/pre>\n<div id=\"attachment_9944\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Encrypted-Partition.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-9944\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Encrypted-Partition-620x90.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Encrypted-Partition-620x90.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Encrypted-Partition.png 645w\" alt=\"Encrypted Partition\" width=\"620\" height=\"90\" aria-describedby=\"caption-attachment-9944\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9944\" class=\"wp-caption-text\">Encrypted Partition<\/p>\n<\/div>\n<p>Now, we\u2019ll format our partition as\u00a0<b>ext4<\/b>.<\/p>\n<pre># mkfs.ext4 \/dev\/mapper\/my_encrypted_partition\r\n<\/pre>\n<p>and create a mount point to mount the encrypted partition. 
Finally, we may want to confirm whether the mount operation succeeded.<\/p>\n<pre># mkdir \/mnt\/enc\r\n# mount \/dev\/mapper\/my_encrypted_partition \/mnt\/enc\r\n# mount | grep partition\r\n<\/pre>\n<div id=\"attachment_9945\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Mount-Encrypted-Partition.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-9945\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Mount-Encrypted-Partition-620x69.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Mount-Encrypted-Partition-620x69.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Mount-Encrypted-Partition.png 844w\" alt=\"Mount Encrypted Partition in Linux\" width=\"620\" height=\"69\" aria-describedby=\"caption-attachment-9945\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9945\" class=\"wp-caption-text\">Mount Encrypted Partition<\/p>\n<\/div>\n<p>When you are done writing to or reading from your encrypted file system, simply unmount it<\/p>\n<pre># umount \/mnt\/enc\r\n<\/pre>\n<p>and close the LUKS partition using,<\/p>\n<pre># cryptsetup luksClose my_encrypted_partition\r\n<\/pre>\n<h5>Testing Encryption<\/h5>\n<p>Finally, we will check whether our encrypted partition is safe:<\/p>\n<p>1. Open the LUKS partition<\/p>\n<pre># cryptsetup luksOpen \/dev\/sdb1 my_encrypted_partition\r\n<\/pre>\n<p>2. Enter your passphrase<\/p>\n<p>3. Mount the partition<\/p>\n<pre># mount \/dev\/mapper\/my_encrypted_partition \/mnt\/enc\r\n<\/pre>\n<p>4. Create a dummy file inside the mount point.<\/p>\n<pre># echo \"This is Part 3 of a 12-article series about the LFCE certification\" &gt; \/mnt\/enc\/testfile.txt\r\n<\/pre>\n<p>5. Verify that you can access the file that you just created.<\/p>\n<pre># cat \/mnt\/enc\/testfile.txt\r\n<\/pre>\n<p>6. 
Unmount the file system.<\/p>\n<pre># umount \/mnt\/enc\r\n<\/pre>\n<p>7. Close the LUKS partition.<\/p>\n<pre># cryptsetup luksClose my_encrypted_partition\r\n<\/pre>\n<p>8. Try to mount the partition as a regular file system. It should indicate an error.<\/p>\n<pre># mount \/dev\/sdb1 \/mnt\/enc\r\n<\/pre>\n<div id=\"attachment_9946\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Test-Encryption-on-Partition.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-9946\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Test-Encryption-on-Partition-620x127.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Test-Encryption-on-Partition-620x127.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Test-Encryption-on-Partition.png 947w\" alt=\"Test Encryption on Partition\" width=\"620\" height=\"127\" aria-describedby=\"caption-attachment-9946\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9946\" class=\"wp-caption-text\">Test Encryption on Partition<\/p>\n<\/div>\n<h3>Encrypting the Swap Space for Further Security<\/h3>\n<p>The\u00a0<b>passphrase<\/b>\u00a0you entered earlier to use the encrypted partition is stored in\u00a0<b>RAM<\/b>\u00a0memory while it\u2019s open. If someone can get his hands on this key, he will be able to decrypt the data. This is especially easy to do in the case of a laptop, since while hibernating the contents of RAM are kept on the swap partition.<\/p>\n<p>To avoid leaving a copy of your key accessible to a thief, encrypt the swap partition following these steps:<\/p>\n<p>1. Create a partition to be used as swap with the appropriate size (<b>\/dev\/sdd1<\/b>\u00a0in our case) and encrypt it as explained earlier. 
Name it just \u201c<b>swap<\/b>\u201d for convenience.<\/p>\n<p>2. Set it as swap and activate it.<\/p>\n<pre># mkswap \/dev\/mapper\/swap\r\n# swapon \/dev\/mapper\/swap\r\n<\/pre>\n<p>3. Next, change the corresponding entry in\u00a0<b>\/etc\/fstab<\/b>.<\/p>\n<pre>\/dev\/mapper\/swap none        \tswap\tsw          \t0   \t0\r\n<\/pre>\n<p>4. Finally, edit\u00a0<b>\/etc\/crypttab<\/b>\u00a0and reboot.<\/p>\n<pre>swap               \/dev\/sdd1         \/dev\/urandom swap\r\n<\/pre>\n<p>Once the system has finished booting, you can verify the status of the swap space:<\/p>\n<pre># cryptsetup status swap\r\n<\/pre>\n<div id=\"attachment_9947\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Check-Swap-Encryption-Status.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-9947\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/11\/Check-Swap-Encryption-Status.png\" alt=\"Check Swap Encryption Status\" width=\"358\" height=\"174\" aria-describedby=\"caption-attachment-9947\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-9947\" class=\"wp-caption-text\">Check Swap Encryption Status<\/p>\n<\/div>\n<h3>Summary<\/h3>\n<p>In this article we have explored how to encrypt a partition and swap space. With this setup, your data should be considerably safer. Feel free to experiment and do not hesitate to get back to us if you have questions or comments. 
Just use the form below \u2013 we\u2019ll be more than glad to hear from you!<\/p>\n<h1 class=\"post-title\">How to Setup Standalone Apache Server with Name-Based Virtual Hosting with SSL Certificate \u2013 Part 4<\/h1>\n<p>An\u00a0<b>LFCE<\/b>\u00a0(short for\u00a0<b>Linux Foundation Certified Engineer<\/b>) is a trained professional who has the expertise to install, manage, and troubleshoot network services in Linux systems, and is in charge of the design, implementation and ongoing maintenance of the system architecture.<\/p>\n<p>In this article we will show you how to configure Apache to serve web content, and how to set up name-based virtual hosts and SSL, including a self-signed certificate.<\/p>\n<div id=\"attachment_10063\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/lfce-4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10063\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/lfce-4.png\" alt=\"Setup Apache Virtual Hosts with SSL\" width=\"600\" height=\"400\" aria-describedby=\"caption-attachment-10063\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10063\" class=\"wp-caption-text\">Linux Foundation Certified Engineer \u2013 Part 4<\/p>\n<\/div>\n<p>Introducing The Linux Foundation Certification Program (LFCE).<\/p>\n<div class=\"post-format\">\n<div class=\"video-container\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/Y29qZ71Kicg\" width=\"720\" height=\"405\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" data-mce-fragment=\"1\"><\/iframe><\/div>\n<\/div>\n<p><strong>Note<\/strong>: This article is not intended to be a comprehensive guide on Apache, but rather a starting point for self-study about this topic for the\u00a0<b>LFCE<\/b>\u00a0exam. 
For that reason we are not covering load balancing with Apache in this tutorial either.<\/p>\n<p>You may already know other ways to perform the same tasks, which is\u00a0<b>OK<\/b>\u00a0considering that the Linux Foundation Certifications are strictly performance-based. Thus, as long as you \u2018<b>get the job done<\/b>\u2019, you stand a good chance of passing the exam.<\/p>\n<h4>Requirements<\/h4>\n<p>Please refer to\u00a0<b>Part 1<\/b>\u00a0of the current series (\u201c<a href=\"https:\/\/www.tecmint.com\/installing-network-services-and-configuring-services-at-system-boot\/\" target=\"_blank\" rel=\"noopener\">Installing Network Services and Configuring Automatic Startup at Boot<\/a>\u201d) for instructions on installing and starting Apache.<\/p>\n<p>By now, you should have the Apache web server installed and running. You can verify this with the following command.<\/p>\n<pre># ps -ef | grep -Ei '(apache|httpd)' | grep -v grep\r\n<\/pre>\n<p><strong>Note<\/strong>: The above command checks for the presence of either\u00a0<b>apache<\/b>\u00a0or\u00a0<b>httpd<\/b>\u00a0(the most common names for the web daemon) among the list of running processes. 
If Apache is running, you will get output similar to the following.<\/p>\n<div id=\"attachment_10046\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-Processes.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10046\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-Processes-620x193.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-Processes-620x193.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-Processes.png 726w\" alt=\"Check Apache Processes\" width=\"620\" height=\"193\" aria-describedby=\"caption-attachment-10046\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10046\" class=\"wp-caption-text\">Check Apache Processes<\/p>\n<\/div>\n<p>The ultimate method of testing the Apache installation and checking whether it\u2019s running is to launch a web browser and point it to the IP of the server. 
We should be presented with the following screen or at least a message confirming that Apache is working.<\/p>\n<div id=\"attachment_10048\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-Webpage.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10048\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-Webpage-620x231.jpeg\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-Webpage-620x231.jpeg 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-Webpage.jpeg 725w\" alt=\"Check Apache Webpage\" width=\"620\" height=\"231\" aria-describedby=\"caption-attachment-10048\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10048\" class=\"wp-caption-text\">Check Apache Webpage<\/p>\n<\/div>\n<h3>Configuring Apache<\/h3>\n<p>The main configuration file for Apache can be located in different directories depending on your distribution.<\/p>\n<pre>\/etc\/apache2\/apache2.conf \t\t[For Ubuntu]\r\n\/etc\/httpd\/conf\/httpd.conf\t\t[For CentOS]\r\n\/etc\/apache2\/httpd.conf \t\t[For openSUSE]\r\n<\/pre>\n<p>Fortunately for us, the configuration directives are extremely well documented in the\u00a0<a href=\"https:\/\/httpd.apache.org\/docs\/current\/mod\/directives.html\" target=\"_blank\" rel=\"noopener\">Apache project web site<\/a>. We will refer to some of them throughout this article.<\/p>\n<h6>Serving Pages in a Standalone Server with Apache<\/h6>\n<p>The most basic usage of Apache is to serve web pages in a standalone server where no virtual hosts have been configured yet. 
The\u00a0<b>DocumentRoot<\/b>\u00a0directive specifies the directory out of which Apache will serve web page documents.<\/p>\n<p>Note that by default, all requests are taken from this directory, but symbolic links and \/ or aliases may also be used to point to other locations.<\/p>\n<p>Unless matched by the\u00a0<b>Alias<\/b>\u00a0directive (which allows documents to be stored in the local filesystem instead of under the directory specified by\u00a0<b>DocumentRoot<\/b>), the server appends the path from the requested URL to the document root to make the path to the document.<\/p>\n<p>For example, given the following\u00a0<b>DocumentRoot<\/b>:<\/p>\n<div id=\"attachment_10049\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-DocumentRoot.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10049\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-DocumentRoot.png\" alt=\"Apache DocumentRoot\" width=\"268\" height=\"42\" aria-describedby=\"caption-attachment-10049\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10049\" class=\"wp-caption-text\">Apache DocumentRoot<\/p>\n<\/div>\n<p>When the web browser points to [<b>Server IP<\/b>\u00a0or\u00a0<b>hostname<\/b>]<b>\/lfce\/tecmint.html<\/b>, the server will open\u00a0<b>\/var\/www\/html\/lfce\/tecmint.html<\/b>\u00a0(assuming that such a file exists) and save the event to its access log with a\u00a0<b>200<\/b>\u00a0(<b>OK<\/b>) response.<\/p>\n<p>The access log is typically found inside\u00a0<b>\/var\/log<\/b>\u00a0under a representative name, such as\u00a0<b>access.log<\/b>\u00a0or\u00a0<b>access_log<\/b>. You may even find this log (and the error log as well) inside a subdirectory (for example,\u00a0<b>\/var\/log\/httpd<\/b>\u00a0in CentOS). 
Otherwise, the failed event will still be logged to the access log but with a\u00a0<b>404<\/b>\u00a0(Not Found) response.<\/p>\n<div id=\"attachment_10050\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-Access-Log.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10050\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-Access-Log-620x102.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-Access-Log-620x102.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-Access-Log.png 723w\" alt=\"Apache Access Log\" width=\"620\" height=\"102\" aria-describedby=\"caption-attachment-10050\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10050\" class=\"wp-caption-text\">Apache Access Log<\/p>\n<\/div>\n<p>In addition, the failed events will be recorded in the\u00a0<b>error log<\/b>:<\/p>\n<div id=\"attachment_10051\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-Error-Log.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10051\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-Error-Log-620x68.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-Error-Log-620x68.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-Error-Log.png 722w\" alt=\"Apache Error Log\" width=\"620\" height=\"68\" aria-describedby=\"caption-attachment-10051\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10051\" class=\"wp-caption-text\">Apache Error Log<\/p>\n<\/div>\n<p>The format of the\u00a0<b>access log<\/b>\u00a0can be customized according to your needs using the\u00a0<b>LogFormat<\/b>\u00a0directive in the main configuration file, 
whereas you cannot do the same with the\u00a0<b>error log<\/b>.<\/p>\n<p>The default format of the\u00a0<b>access log<\/b>\u00a0is as follows:<\/p>\n<pre>LogFormat \"%h %l %u %t \\\"%r\\\" %&gt;s %b\" [nickname]\r\n<\/pre>\n<p>where each letter preceded by a percent sign instructs the server to log a certain piece of information:<\/p>\n<table border=\"0\" cellspacing=\"0\">\n<tbody>\n<tr>\n<td align=\"center\" bgcolor=\"#666666\" height=\"18\"><b>String<\/b><\/td>\n<td align=\"center\" bgcolor=\"#666666\"><b>Description<\/b><\/td>\n<\/tr>\n<tr class=\"alt\">\n<td align=\"left\" height=\"18\">\u00a0%h<\/td>\n<td align=\"left\">\u00a0Remote hostname or IP address<\/td>\n<\/tr>\n<tr>\n<td align=\"left\" height=\"18\">\u00a0%l<\/td>\n<td align=\"left\">\u00a0Remote log name<\/td>\n<\/tr>\n<tr class=\"alt\">\n<td align=\"left\" height=\"18\">\u00a0%u<\/td>\n<td align=\"left\">\u00a0Remote user if the request is authenticated<\/td>\n<\/tr>\n<tr>\n<td align=\"left\" height=\"18\">\u00a0%t<\/td>\n<td align=\"left\">\u00a0Date and time when the request was received<\/td>\n<\/tr>\n<tr class=\"alt\">\n<td align=\"left\" height=\"18\">\u00a0%r<\/td>\n<td align=\"left\">\u00a0First line of request to the server<\/td>\n<\/tr>\n<tr>\n<td align=\"left\" height=\"18\">\u00a0%&gt;s<\/td>\n<td align=\"left\">\u00a0Final status of the request<\/td>\n<\/tr>\n<tr class=\"alt\">\n<td align=\"left\" height=\"18\">\u00a0%b<\/td>\n<td align=\"left\">\u00a0Size of the response [bytes]<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>and\u00a0<b>nickname<\/b>\u00a0is an optional alias that can be used to customize other logs without having to enter the whole configuration string again.<\/p>\n<p>You may refer to the\u00a0<b>LogFormat<\/b>\u00a0directive [<a href=\"https:\/\/httpd.apache.org\/docs\/2.4\/mod\/mod_log_config.html#formats\" target=\"_blank\" rel=\"noopener\">Custom log formats section<\/a>] in the Apache docs for further options.<\/p>\n<p>Both log files 
(<b>access<\/b>\u00a0and\u00a0<b>error<\/b>) represent a great resource to quickly analyze at a glance what\u2019s happening on the Apache server. Needless to say, they are the first tool a system administrator uses to troubleshoot issues.<\/p>\n<p>Finally, another important directive is\u00a0<b>Listen<\/b>, which tells the server to accept incoming requests on the specified port or address\/port combination:<\/p>\n<p>If only a port number is defined, Apache will listen on the given port on all network interfaces (the wildcard sign\u00a0<strong>*<\/strong>\u00a0is used to indicate \u2018all network interfaces\u2019).<\/p>\n<p>If both an IP address and a port are specified, Apache will listen only on that combination of network interface and port.<\/p>\n<p>Please note (as you will see in the examples below) that multiple Listen directives can be used at the same time to specify multiple addresses and ports to listen to. This option instructs the server to respond to requests from any of the listed addresses and ports.<\/p>\n<h3>Setting Up Name-Based Virtual Hosts<\/h3>\n<p>The concept of a virtual host defines an individual site (or domain) that is served by the same physical machine. Actually, multiple sites \/ domains can be served off a single \u201c<b>real<\/b>\u201d server as virtual hosts. This process is transparent to the end user, to whom it appears that the different sites are being served by distinct web servers.<\/p>\n<p>Name-based virtual hosting allows the server to rely on the client to report the hostname as part of the HTTP headers. Thus, using this technique, many different hosts can share the same IP address.<\/p>\n<p>Each virtual host is configured in a directory within\u00a0<b>DocumentRoot<\/b>. 
For our case, we will use the following dummy domains for the testing setup, each located in the corresponding directory:<\/p>\n<ol>\n<li><b>ilovelinux.com<\/b>\u00a0\u2013 \/var\/www\/html\/ilovelinux.com\/public_html<\/li>\n<li><b>linuxrocks.org<\/b>\u00a0\u2013 \/var\/www\/html\/linuxrocks.org\/public_html<\/li>\n<\/ol>\n<p>In order for pages to be displayed correctly, we will\u00a0<b>chmod<\/b>\u00a0each VirtualHost\u2019s directory to\u00a0<b>755<\/b>:<\/p>\n<pre># chmod -R 755 \/var\/www\/html\/ilovelinux.com\/public_html\r\n# chmod -R 755 \/var\/www\/html\/linuxrocks.org\/public_html\r\n<\/pre>\n<p>Next, create a sample\u00a0<b>index.html<\/b>\u00a0file inside each\u00a0<b>public_html<\/b>\u00a0directory:<\/p>\n<pre>&lt;html&gt;\r\n  &lt;head&gt;\r\n    &lt;title&gt;www.ilovelinux.com&lt;\/title&gt;\r\n  &lt;\/head&gt;\r\n  &lt;body&gt;\r\n    &lt;h1&gt;This is the main page of www.ilovelinux.com&lt;\/h1&gt;\r\n  &lt;\/body&gt;\r\n&lt;\/html&gt;\r\n<\/pre>\n<p>Finally, in\u00a0<b>CentOS<\/b>\u00a0and\u00a0<b>openSUSE<\/b>\u00a0add the following section at the bottom of\u00a0<b>\/etc\/httpd\/conf\/httpd.conf<\/b>\u00a0or\u00a0<b>\/etc\/apache2\/httpd.conf<\/b>, respectively, or just modify it if it\u2019s already there.<\/p>\n<pre>&lt;VirtualHost *:80&gt;\r\n     ServerAdmin admin@ilovelinux.com \r\n     DocumentRoot \/var\/www\/html\/ilovelinux.com\/public_html\r\n     ServerName www.ilovelinux.com\r\n     ServerAlias www.ilovelinux.com ilovelinux.com\r\n     ErrorLog \/var\/www\/html\/ilovelinux.com\/error.log\r\n     LogFormat \"%v %l %u %t \\\"%r\\\" %&gt;s %b\" myvhost\r\n     CustomLog \/var\/www\/html\/ilovelinux.com\/access.log\tmyvhost\r\n&lt;\/VirtualHost&gt;\r\n&lt;VirtualHost *:80&gt;\r\n     ServerAdmin admin@linuxrocks.org \r\n     DocumentRoot \/var\/www\/html\/linuxrocks.org\/public_html\r\n     ServerName www.linuxrocks.org\r\n     ServerAlias www.linuxrocks.org linuxrocks.org\r\n     ErrorLog \/var\/www\/html\/linuxrocks.org\/error.log\r\n   
  LogFormat \"%v %l %u %t \\\"%r\\\" %&gt;s %b\" myvhost\r\n     CustomLog \/var\/www\/html\/linuxrocks.org\/access.log\tmyvhost\r\n&lt;\/VirtualHost&gt;\r\n<\/pre>\n<p>Please note that you can also add each virtual host definition in separate files inside the\u00a0<b>\/etc\/httpd\/conf.d<\/b>\u00a0directory. If you choose to do so, each configuration file must be named as follows:<\/p>\n<pre>\/etc\/httpd\/conf.d\/ilovelinux.com.conf\r\n\/etc\/httpd\/conf.d\/linuxrocks.org.conf\r\n<\/pre>\n<p>In other words, you need to add\u00a0<b>.conf<\/b>\u00a0to the site or domain name.<\/p>\n<p>In\u00a0<b>Ubuntu<\/b>, each individual configuration file is named\u00a0<b>\/etc\/apache2\/sites-available\/[site name].conf<\/b>. Each site is then enabled or disabled with the\u00a0<b>a2ensite<\/b>\u00a0or\u00a0<b>a2dissite<\/b>\u00a0commands, respectively, as follows.<\/p>\n<pre># a2ensite \/etc\/apache2\/sites-available\/ilovelinux.com.conf\r\n# a2dissite \/etc\/apache2\/sites-available\/ilovelinux.com.conf\r\n# a2ensite \/etc\/apache2\/sites-available\/linuxrocks.org.conf\r\n# a2dissite \/etc\/apache2\/sites-available\/linuxrocks.org.conf\r\n<\/pre>\n<p>The\u00a0<b>a2ensite<\/b>\u00a0and\u00a0<b>a2dissite<\/b>\u00a0commands create links to the virtual host configuration file and place (or remove) them in the\u00a0<b>\/etc\/apache2\/sites-enabled<\/b>\u00a0directory.<\/p>\n<p>To be able to browse to both sites from another Linux box, you will need to add the following lines to the\u00a0<b>\/etc\/hosts<\/b>\u00a0file on that machine in order to resolve those domain names to a specific IP address.<\/p>\n<pre>[IP address of your web server]\twww.ilovelinux.com\r\n[IP address of your web server]\twww.linuxrocks.org \r\n<\/pre>\n<p>As a security measure,\u00a0<strong>SELinux<\/strong>\u00a0will not allow\u00a0<strong>Apache<\/strong>\u00a0to write logs to a directory other than the default\u00a0<strong>\/var\/log\/httpd<\/strong>.<\/p>\n<p>You can either disable SELinux, or set the 
right security context:<\/p>\n<pre># chcon system_u:object_r:httpd_log_t:s0 \/var\/www\/html\/xxxxxx\/error.log\r\n<\/pre>\n<p>where\u00a0<strong>xxxxxx<\/strong>\u00a0is the directory inside\u00a0<strong>\/var\/www\/html<\/strong>\u00a0where you have defined your Virtual Hosts.<\/p>\n<p>After restarting Apache, you should see the following page at the above addresses:<\/p>\n<div id=\"attachment_10052\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-VirtualHosts.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10052\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-VirtualHosts-620x269.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-VirtualHosts-620x269.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-VirtualHosts.png 768w\" alt=\"Check Apache VirtualHosts\" width=\"620\" height=\"269\" aria-describedby=\"caption-attachment-10052\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10052\" class=\"wp-caption-text\">Check Apache VirtualHosts<\/p>\n<\/div>\n<h3>Installing and Configuring SSL with Apache<\/h3>\n<p>Finally, we will create and install a\u00a0<b>self-signed<\/b>\u00a0certificate to use with Apache. This kind of setup is acceptable in small environments, such as a private LAN.<\/p>\n<p>However, if your server will expose content to the outside world over the Internet, you will want to install a certificate signed by a 3rd party to corroborate its authenticity. 
Either way, a certificate will allow you to encrypt the information that is transmitted to, from, or within your site.<\/p>\n<p>In\u00a0<b>CentOS<\/b>\u00a0and\u00a0<b>openSUSE<\/b>, you need to install the\u00a0<b>mod_ssl<\/b>\u00a0package.<\/p>\n<pre># yum update &amp;&amp; yum install mod_ssl \t\t[On CentOS]\r\n# zypper refresh &amp;&amp; zypper install mod_ssl\t[On openSUSE]\r\n<\/pre>\n<p>Whereas in\u00a0<b>Ubuntu<\/b>\u00a0you\u2019ll have to enable the ssl module for Apache.<\/p>\n<pre># a2enmod ssl\r\n<\/pre>\n<p>The following steps are explained using a\u00a0<b>CentOS<\/b>\u00a0test server, but your setup should be almost identical in the other distributions (if you run into any kind of issues, don\u2019t hesitate to leave your questions using the comments form).<\/p>\n<p><b>Step 1 [Optional]<\/b>: Create a directory to store your certificates.<\/p>\n<pre># mkdir \/etc\/httpd\/ssl-certs\r\n<\/pre>\n<p><b>Step 2<\/b>: Generate your self-signed certificate and the private key that will protect it.<\/p>\n<pre># openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \/etc\/httpd\/ssl-certs\/apache.key -out \/etc\/httpd\/ssl-certs\/apache.crt\r\n<\/pre>\n<p>A brief explanation of the options listed above:<\/p>\n<ol>\n<li><b>req -x509<\/b>\u00a0indicates we are creating an x509 certificate.<\/li>\n<li><b>-nodes<\/b>\u00a0(NO DES) means \u201cdon\u2019t encrypt the key\u201d.<\/li>\n<li><b>-days 365<\/b>\u00a0is the number of days the certificate will be valid for.<\/li>\n<li><b>-newkey rsa:2048<\/b>\u00a0creates a 2048-bit RSA key.<\/li>\n<li><b>-keyout \/etc\/httpd\/ssl-certs\/apache.key<\/b>\u00a0is the absolute path of the RSA key.<\/li>\n<li><b>-out \/etc\/httpd\/ssl-certs\/apache.crt<\/b>\u00a0is the absolute path of the certificate.<\/li>\n<\/ol>\n<div id=\"attachment_10054\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Create-Apache-SSL-Certificate.jpeg\"><img loading=\"lazy\" decoding=\"async\" 
class=\"size-medium wp-image-10054\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Create-Apache-SSL-Certificate-620x357.jpeg\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Create-Apache-SSL-Certificate-620x357.jpeg 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Create-Apache-SSL-Certificate.jpeg 724w\" alt=\"Create Apache SSL Certificate\" width=\"620\" height=\"357\" aria-describedby=\"caption-attachment-10054\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10054\" class=\"wp-caption-text\">Create Apache SSL Certificate<\/p>\n<\/div>\n<p><b>Step 3<\/b>: Open your chosen virtual host configuration file (or its corresponding section in\u00a0<b>\/etc\/httpd\/conf\/httpd.conf<\/b>\u00a0as explained earlier) and add the following lines to a virtual host declaration listening on port\u00a0<b>443<\/b>.<\/p>\n<pre>SSLEngine on\r\nSSLCertificateFile \/etc\/httpd\/ssl-certs\/apache.crt\r\nSSLCertificateKeyFile \/etc\/httpd\/ssl-certs\/apache.key\r\n<\/pre>\n<p>Please note that you need to add.<\/p>\n<pre>NameVirtualHost *:443\r\n<\/pre>\n<p>at the top, right below<\/p>\n<pre>NameVirtualHost *:80\r\n<\/pre>\n<p>Both directives instruct apache to listen on ports\u00a0<b>443<\/b>\u00a0and\u00a0<b>80<\/b>\u00a0of all network interfaces.<\/p>\n<p>The following example is taken from\u00a0<b>\/etc\/httpd\/conf\/httpd.conf<\/b>:<\/p>\n<div id=\"attachment_10055\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-VirtualHost-Directives.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10055\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-VirtualHost-Directives.png\" alt=\"Apache VirtualHost Directives\" width=\"588\" height=\"447\" aria-describedby=\"caption-attachment-10055\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p 
id=\"caption-attachment-10055\" class=\"wp-caption-text\">Apache VirtualHost Directives<\/p>\n<\/div>\n<p>Then restart Apache,<\/p>\n<pre># service apache2 restart \t\t\t[sysvinit and upstart based systems; the service is called httpd on CentOS 6]\r\n# systemctl restart httpd.service \t\t[systemd-based systems]\r\n<\/pre>\n<p>And point your browser to\u00a0<b>https:\/\/www.ilovelinux.com<\/b>. You will be presented with the following screen.<\/p>\n<div id=\"attachment_10056\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-SSl-Certificate.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10056\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-SSl-Certificate-620x354.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-SSl-Certificate-620x354.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Apache-SSl-Certificate.png 897w\" alt=\"Check Apache SSL Certificate\" width=\"620\" height=\"354\" aria-describedby=\"caption-attachment-10056\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10056\" class=\"wp-caption-text\">Check Apache SSL Certificate<\/p>\n<\/div>\n<p>Go ahead and click on \u201c<b>I understand the risks<\/b>\u201d and \u201c<b>Add exception<\/b>\u201d. This warning is expected for a self-signed certificate. Before you accept it, compare the certificate fingerprint the browser shows with the one openssl reports for\u00a0<b>apache.crt<\/b>\u00a0on the server, so that the exception you store is for your certificate and not for one injected somewhere on the path.<\/p>\n<div id=\"attachment_10057\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-Ceritficate-Warning.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10057\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-Ceritficate-Warning.png\" alt=\"Apache Certificate Warning\" width=\"619\" height=\"192\" aria-describedby=\"caption-attachment-10057\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10057\" class=\"wp-caption-text\">Apache Certificate Warning<\/p>\n<\/div>\n<p>Finally, check \u201c<b>Permanently store this exception<\/b>\u201d and click \u201c<b>Confirm Security Exception<\/b>\u201d.<\/p>\n<div id=\"attachment_10058\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Add-SSl-Ceritficate.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10058\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Add-SSl-Ceritficate.png\" alt=\"Add SSL Certificate\" width=\"356\" height=\"88\" aria-describedby=\"caption-attachment-10058\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10058\" class=\"wp-caption-text\">Add SSL Certificate<\/p>\n<\/div>\n<p>And you will be redirected to your home page using\u00a0<b>https<\/b>.<\/p>\n<div id=\"attachment_10059\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-HTTPS-Enabled.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10059\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-HTTPS-Enabled-620x91.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-HTTPS-Enabled-620x91.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Apache-HTTPS-Enabled.png 759w\" alt=\"Apache HTTPS Enabled\" width=\"620\" height=\"91\" aria-describedby=\"caption-attachment-10059\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10059\" class=\"wp-caption-text\">Apache HTTPS Enabled<\/p>\n<\/div>\n<h3>Summary<\/h3>\n<p>In this post we have shown how to configure\u00a0<b>Apache<\/b>\u00a0and\u00a0<b>name-based<\/b>\u00a0virtual hosting with\u00a0<b>SSL<\/b>\u00a0to secure data transmission. If for some reason you ran into any issues, feel free to let us know using the comment form below. 
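As an added example (not part of the original post), the following Python script reproduces the key and certificate generation from Step 2 without interactive prompts and then runs the checks worth doing before pointing Apache at the files: that the private key is readable by its owner only, that the key and the certificate actually belong together (same RSA modulus), and that the certificate is self-signed and currently valid. It assumes the openssl command-line tool is installed and on PATH; the common name www.ilovelinux.com is the host name used in this article, and the temporary directory is only there so the script can run anywhere.

```python
"""Create the article's self-signed pair non-interactively and verify it before Apache uses it.
Added example (not the article's commands); assumes the `openssl` binary is on PATH."""
import os
import subprocess
import tempfile


def openssl(*args):
    """Run one openssl subcommand and return its stdout; raises CalledProcessError on failure."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True).stdout


def generate_self_signed(directory, common_name, days=365):
    """Same as the article's `openssl req -x509 -nodes ...`, plus -subj so it never prompts.
    Because -nodes leaves the key unencrypted, it is created with mode 0600 from the start."""
    key = os.path.join(directory, "apache.key")
    crt = os.path.join(directory, "apache.crt")
    old_umask = os.umask(0o077)              # nothing else may read the key, not even briefly
    try:
        openssl("req", "-x509", "-nodes", "-days", str(days), "-newkey", "rsa:2048",
                "-keyout", key, "-out", crt, "-subj", f"/CN={common_name}")
    finally:
        os.umask(old_umask)
    os.chmod(crt, 0o644)                     # the certificate itself is public
    return key, crt


def key_matches_cert(key, crt):
    """True if the private key and the certificate carry the same RSA modulus."""
    return openssl("rsa", "-noout", "-modulus", "-in", key) == openssl("x509", "-noout", "-modulus", "-in", crt)


def key_is_private(key):
    """True if no group/other permission bit is set on the key file."""
    return os.stat(key).st_mode & 0o077 == 0


def cert_summary(crt):
    """Subject, issuer, whether it is self-signed (subject == issuer) and whether it is valid now."""
    subject = openssl("x509", "-noout", "-subject", "-in", crt).strip().split("=", 1)[1].strip()
    issuer = openssl("x509", "-noout", "-issuer", "-in", crt).strip().split("=", 1)[1].strip()
    # -checkend 0 exits 0 only if the certificate is not expired at this moment
    valid = subprocess.run(["openssl", "x509", "-checkend", "0", "-in", crt],
                           capture_output=True).returncode == 0
    return {"subject": subject, "issuer": issuer, "self_signed": subject == issuer, "valid_now": valid}


def check_pair(directory=None, common_name="www.ilovelinux.com"):
    """Generate a pair in `directory` (a fresh temp dir by default) and return every check."""
    directory = directory or tempfile.mkdtemp(prefix="ssl-certs-")
    key, crt = generate_self_signed(directory, common_name)
    return {"key": key, "crt": crt, "match": key_matches_cert(key, crt),
            "private": key_is_private(key), **cert_summary(crt)}


if __name__ == "__main__":
    # On the real server you would run this as root with /etc/httpd/ssl-certs as the directory
    for name, value in check_pair().items():
        print(f"{name:>11}: {value}")
```

The fingerprint you compare against the browser warning can be printed from the same file with `openssl x509 -noout -fingerprint -sha256 -in apache.crt`.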
We will be more than glad to help you perform a successful set up.<\/p>\n<p><b>Read Also<\/b><\/p>\n<ol>\n<li><a href=\"https:\/\/www.tecmint.com\/apache-ip-based-and-name-based-virtual-hosting\/\" target=\"_blank\" rel=\"noopener\">Apache IP Based and Name Based Virtual Hosting<\/a><\/li>\n<li><a href=\"https:\/\/www.tecmint.com\/apache-virtual-hosting-in-centos\/\" target=\"_blank\" rel=\"noopener\">Creating Apache Virtual Hosts with Enable\/Disable Vhosts Options<\/a><\/li>\n<li><a href=\"https:\/\/www.tecmint.com\/apache-web-administration-tool\/\" target=\"_blank\" rel=\"noopener\">Monitor \u201cApache Web Server\u201d Using \u201cApache GUI\u201d Tool<\/a><\/li>\n<\/ol>\n<h1 class=\"post-title\">Configuring Squid Proxy Server with Restricted Access and Setting Up Clients to Use Proxy \u2013 Part 5<\/h1>\n<p>A\u00a0<b>Linux Foundation Certified Engineer<\/b>\u200b is a skilled professional who has the expertise to install, manage, and troubleshoot network services in Linux systems, and is in charge of the design, implementation and ongoing maintenance of the system-wide architecture.<\/p>\n<div id=\"attachment_10195\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/lfce5.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10195\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/lfce5.jpeg\" alt=\"Configuring Squid Proxy Server\" width=\"600\" height=\"400\" aria-describedby=\"caption-attachment-10195\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10195\" class=\"wp-caption-text\">Linux Foundation Certified Engineer \u2013 Part 5<\/p>\n<\/div>\n<p>Introducing The Linux Foundation Certification Program.<\/p>\n<div class=\"post-format\">\n<div class=\"video-container\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/Y29qZ71Kicg\" width=\"720\" height=\"405\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" 
data-mce-fragment=\"1\"><\/iframe><\/div>\n<\/div>\n<p>In\u00a0<b>Part 1<\/b>\u00a0of this series, we showed how to install squid, a proxy caching server for web clients. Please refer to that post (link given below) before proceeding if you haven\u2019t installed squid on your system yet.<\/p>\n<ol>\n<li><a href=\"https:\/\/www.tecmint.com\/installing-network-services-and-configuring-services-at-system-boot\/\" target=\"_blank\" rel=\"noopener\">Part 1 \u2013 Install Network Services and Configuring Auto Startup at Boot<\/a><\/li>\n<\/ol>\n<p>In this article, we will show you how to configure the Squid proxy server in order to grant or restrict Internet access, and how to configure an http client, or web browser, to use that proxy server.<\/p>\n<h4>My Testing Environment Setup<\/h4>\n<h5>Squid Server<\/h5>\n<pre>Operating System :\tDebian Wheezy 7.5\r\nIP Address \t :\t192.168.0.15\r\nHostname\t :\tdev2.gabrielcanepa.com.ar\r\n<\/pre>\n<h5>Client Machine 1<\/h5>\n<pre>Operating System :\tUbuntu 12.04\r\nIP Address \t :\t192.168.0.104 \r\nHostname\t :\tubuntuOS.gabrielcanepa.com.ar\r\n<\/pre>\n<h5>Client Machine 2<\/h5>\n<pre>Operating System :\tCentOS-7.0-1406\r\nIP Address \t :\t192.168.0.17 \r\nHostname\t :\tdev1.gabrielcanepa.com.ar\r\n<\/pre>\n<p>Let us remember that, in simple terms, a web proxy server is an intermediary between one (or more) client computers and a certain network resource, the most common being access to the Internet. In other words, the proxy server is connected on one side directly to the Internet (or to a router that is connected to the Internet) and on the other side to a network of client computers that will access the World Wide Web through it.<\/p>\n<p>You may be wondering, why would I want to add yet another piece of software to my network infrastructure?<\/p>\n<h6>Here are the top 3 reasons:<\/h6>\n<p>1.\u00a0<b>Squid stores files from previous requests to speed up future transfers<\/b>. 
For example, suppose\u00a0<b>client1<\/b>\u00a0downloads\u00a0<b>CentOS-7.0-1406-x86_64-DVD.iso<\/b>\u00a0from the Internet. When\u00a0<b>client2<\/b>\u00a0requests access to the same file, squid can transfer the file from its cache instead of downloading it again from the Internet. As you can guess, you can use this feature to speed up data transfers in a network of computers that require frequent updates of some kind.<\/p>\n<p>2.\u00a0<b>ACLs<\/b>\u00a0(<b>Access Control Lists<\/b>) allow us to restrict the access to websites, and \/ or monitor the access on a per user basis. You can restrict access based on day of week or time of day, or domain, for example.<\/p>\n<p>3.\u00a0<b>Bypassing web filters<\/b>\u00a0is made possible through the use of a web proxy to which requests are made and which returns requested content to a client, instead of having the client request it directly to the Internet.<\/p>\n<p>For example, suppose you are logged on in\u00a0<b>client1<\/b>\u00a0and want to access\u00a0<b>www.facebook.com<\/b>\u00a0through your company\u2019s router. Since the site may be blocked by your company\u2019s policies, you can instead connect to a web proxy server and have it request access to\u00a0<b>www.facebook.com<\/b>. Remote content is then returned to you through the web proxy server again, bypassing your company\u2019s router\u2019s blocking policies. The same mechanism cuts both ways: a proxy that anybody can reach is a ready-made bypass of your own policies, since whoever can talk to it inherits its network access. That is why restricting who may use the proxy, the subject of the rest of this article, is not optional.<\/p>\n<h3>Configuring Squid \u2013 The Basics<\/h3>\n<p>The access control scheme of the Squid web proxy server consists of two different components:<\/p>\n<ol>\n<li>The\u00a0<b>ACL elements<\/b>\u00a0are directive lines that begin with the word \u201c<b>acl<\/b>\u201d and represent types of tests that are performed against any request transaction.<\/li>\n<li>The\u00a0<b>access list rules<\/b>\u00a0consist of an\u00a0<i>allow<\/i>\u00a0or\u00a0<i>deny<\/i>\u00a0action followed by a number of ACL elements, and are used to indicate what action or limitation has to be enforced for a given request. 
They are checked in order, and list searching terminates as soon as one of the rules is a match. If a rule has multiple ACL elements, it is implemented as a boolean AND operation (all ACL elements of the rule must be a match in order for the rule to be a match).<\/li>\n<\/ol>\n<p>Squid\u2019s main configuration file is\u00a0<b>\/etc\/squid\/squid.conf<\/b>, which is\u00a0<b>~5000<\/b>\u00a0lines long since it includes both configuration directives and documentation. For that reason, we will create a new\u00a0<b>squid.conf<\/b>\u00a0file with only the lines that include configuration directives for our convenience, leaving out empty or commented lines. To do so, we will use the following commands.<\/p>\n<pre># mv \/etc\/squid\/squid.conf \/etc\/squid\/squid.conf.bkp\r\n<\/pre>\n<p>And then,<\/p>\n<pre># grep -Eiv '(^#|^$)' \/etc\/squid\/squid.conf.bkp &gt; \/etc\/squid\/squid.conf\r\n\r\nOR\r\n\r\n# grep -ve ^# -ve ^$ \/etc\/squid\/squid.conf.bkp &gt; \/etc\/squid\/squid.conf\r\n<\/pre>\n<div id=\"attachment_10183\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Backup-Squid-Configuration-File.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10183\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Backup-Squid-Configuration-File-620x137.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Backup-Squid-Configuration-File-620x137.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Backup-Squid-Configuration-File.png 696w\" alt=\"Backup Squid Configuration File\" width=\"620\" height=\"137\" aria-describedby=\"caption-attachment-10183\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10183\" class=\"wp-caption-text\">Backup Squid Configuration File<\/p>\n<\/div>\n<p>Now, open the newly created\u00a0<b>squid.conf<\/b>\u00a0file, and look for (or add) the following\u00a0<b>ACL<\/b>\u00a0elements and 
access lists.<\/p>\n<pre>acl localhost src 127.0.0.1\/32\r\nacl localnet src 192.168.0.0\/24\r\n<\/pre>\n<p>The two lines above represent a basic example of the usage of\u00a0<b>ACL<\/b>\u00a0elements.<\/p>\n<ol>\n<li>The first word,\u00a0<b>acl<\/b>, indicates that this is an ACL element directive line.<\/li>\n<li>The second word,\u00a0<b>localhost<\/b>\u00a0or\u00a0<b>localnet<\/b>, specifies a name for the directive.<\/li>\n<li>The third word,\u00a0<b>src<\/b>\u00a0in this case, is the ACL element type;\u00a0<b>src<\/b>\u00a0tests the client\u2019s source IP address. You can specify a single host by IP (or hostname, if you have some sort of DNS resolution implemented) or a whole range by network address in CIDR notation.<\/li>\n<li>The fourth parameter is a filtering argument that is \u201c<b>fed<\/b>\u201d to the directive.<\/li>\n<\/ol>\n<p>The two lines below are\u00a0<b>access list<\/b>\u00a0rules and represent an explicit implementation of the\u00a0<b>ACL<\/b>\u00a0directives mentioned earlier. In a few words, they indicate that\u00a0<b>http access<\/b>\u00a0should be granted if the request comes from the local network (<b>localnet<\/b>), or from\u00a0<b>localhost<\/b>. Which addresses count as the local network or the local host? 
The answer is: those specified in the localhost and localnet directives.<\/p>\n<pre>http_access allow localnet\r\nhttp_access allow localhost\r\n<\/pre>\n<p>Two things to keep in mind about these rules: they are tried in order and the first match wins, and a request that matches none of them gets the opposite of the\u00a0<b>last<\/b>\u00a0rule\u2019s action. With an\u00a0<b>allow<\/b>\u00a0rule last that default is\u00a0<b>deny<\/b>, but as soon as you append a\u00a0<b>deny<\/b>\u00a0rule it silently becomes\u00a0<b>allow<\/b>, which turns the proxy into an open one for anybody who can reach its port. Always finish the list with an explicit\u00a0<b>http_access deny all<\/b>.<\/p>\n<div id=\"attachment_10184\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-ACL-List.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10184\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-ACL-List-620x235.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-ACL-List-620x235.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-ACL-List.png 655w\" alt=\"Squid ACL Allow Access\" width=\"620\" height=\"235\" aria-describedby=\"caption-attachment-10184\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10184\" class=\"wp-caption-text\">Squid ACL Allow Access List<\/p>\n<\/div>\n<p>At this point you can restart\u00a0<b>Squid<\/b>\u00a0in order to apply any pending changes (running\u00a0<b>squid -k parse<\/b>\u00a0first reports configuration errors without touching the running service).<\/p>\n<pre># service squid restart \t\t[Upstart \/ sysvinit-based distributions]\r\n# systemctl restart squid.service \t[systemd-based distributions]\r\n<\/pre>\n<p>and then configure a client browser in the local network (<b>192.168.0.104<\/b>\u00a0in our case) to access the Internet through your proxy as follows.<\/p>\n<h5>In Firefox<\/h5>\n<p><strong>1.<\/strong>\u00a0Go to the\u00a0<b>Edit<\/b>\u00a0menu and choose the\u00a0<b>Preferences<\/b>\u00a0option.<\/p>\n<p><strong>2.<\/strong>\u00a0Click on\u00a0<b>Advanced<\/b>, then on the\u00a0<b>Network<\/b>\u00a0tab, and finally on\u00a0<b>Settings<\/b>\u2026<\/p>\n<p><strong>3.<\/strong>\u00a0Check\u00a0<b>Manual proxy configuration<\/b>\u00a0and enter the\u00a0<b>IP address<\/b>\u00a0of the proxy server and the\u00a0<b>port<\/b>\u00a0where it is listening for connections.<\/p>\n<div id=\"attachment_10185\" class=\"wp-caption aligncenter\">\n<p><a 
href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Proxy-in-Firefox.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10185\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Proxy-in-Firefox.png\" alt=\"Configure Proxy in Firefox\" width=\"566\" height=\"397\" aria-describedby=\"caption-attachment-10185\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10185\" class=\"wp-caption-text\">Configure Proxy in Firefox<\/p>\n<\/div>\n<p><strong>Note<\/strong>: by default, Squid listens on port\u00a0<b>3128<\/b>\u00a0on all interfaces, but you can change this with the\u00a0<b>http_port<\/b>\u00a0directive (by default it reads\u00a0<b>http_port 3128<\/b>). If the proxy is meant for the local network only, bind it to the internal address, as in\u00a0<b>http_port 192.168.0.15:3128<\/b>, so that it is not reachable on any other interface at all.<\/p>\n<p><strong>4.<\/strong>\u00a0Click\u00a0<b>OK<\/b>\u00a0to apply the changes and you\u2019re good to go.<\/p>\n<h6>Verifying that a Client is Accessing the Internet<\/h6>\n<p>You can now verify that your local network client is accessing the Internet through your proxy as follows.<\/p>\n<p><strong>1.\u00a0<\/strong>In your client, open up a\u00a0<b>terminal<\/b>\u00a0and type,<\/p>\n<pre># ip address show eth0 | grep -Ei '(inet.*eth0)'\r\n<\/pre>\n<p>That command will display the current\u00a0<b>IP address<\/b>\u00a0of your client (<b>192.168.0.104<\/b>\u00a0in the following image).<\/p>\n<p><strong>2.<\/strong>\u00a0In your client, use a web browser to open any given web site (<b>www.tecmint.com<\/b>\u00a0in this case).<\/p>\n<p><strong>3.<\/strong>\u00a0On the server, run<\/p>\n<pre># tail -f \/var\/log\/squid\/access.log\r\n<\/pre>\n<p>and you\u2019ll get a live view of requests being served through\u00a0<b>Squid<\/b>.<\/p>\n<div id=\"attachment_10186\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Proxy-Browsing.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10186\" 
src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Proxy-Browsing-620x332.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Proxy-Browsing-620x332.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Proxy-Browsing.png 910w\" alt=\"Check Squid Proxy Browsing\" width=\"620\" height=\"332\" aria-describedby=\"caption-attachment-10186\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10186\" class=\"wp-caption-text\">Check Proxy Browsing<\/p>\n<\/div>\n<h3>Restricting Access By Client<\/h3>\n<p>Now suppose you want to explicitly deny access to that particular client IP address, while yet maintaining access for the rest of the local network.<\/p>\n<p><strong>1.<\/strong>\u00a0Define a new\u00a0<b>ACL<\/b>\u00a0directive as follows (I\u2019ve named it\u00a0<b>ubuntuOS<\/b>\u00a0but you can name it whatever you want).<\/p>\n<pre>acl ubuntuOS src 192.168.0.104\r\n<\/pre>\n<p><strong>2.<\/strong>\u00a0Add the\u00a0<b>ACL<\/b>\u00a0directive to the\u00a0<b>localnet access<\/b>\u00a0list that is already in place, but prefacing it with an exclamation sign. This means, \u201c<b>Allow Internet access to clients matching the localnet ACL directive except to the one that matches the ubuntuOS directive<\/b>\u201d.<\/p>\n<pre>http_access allow localnet !ubuntuOS\r\n<\/pre>\n<p><strong>3.<\/strong>\u00a0Now we need to restart Squid in order to apply changes. 
Then if we try to browse to any site we will find that access is denied now.<\/p>\n<div id=\"attachment_10187\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Block-Internet-Access.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10187\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Block-Internet-Access-620x297.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Block-Internet-Access-620x297.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Block-Internet-Access.png 919w\" alt=\"Block Internet Access\" width=\"620\" height=\"297\" aria-describedby=\"caption-attachment-10187\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10187\" class=\"wp-caption-text\">Block Internet Access<\/p>\n<\/div>\n<h3>Configuring Squid \u2013 Fine Tuning<\/h3>\n<h6>Restricting access by domain and \/ or by time of day \/ day of week<\/h6>\n<p>To restrict access to Squid by domain we will use the\u00a0<b>dstdomain<\/b>\u00a0keyword in a\u00a0<b>ACL<\/b>\u00a0directive, as follows.<\/p>\n<pre>acl forbidden dstdomain \"\/etc\/squid\/forbidden_domains\"\r\n<\/pre>\n<p>Where\u00a0<b>forbidden_domains<\/b>\u00a0is a plain text file that contains the domains that we desire to deny access to.<\/p>\n<div id=\"attachment_10188\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Block-Domains-in-Squid.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10188\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Block-Domains-in-Squid.png\" alt=\"Block Domains in Squid\" width=\"366\" height=\"90\" aria-describedby=\"caption-attachment-10188\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10188\" class=\"wp-caption-text\">Block Access to Domains<\/p>\n<\/div>\n<p>Finally, we must 
grant access to Squid for requests not matching the directive above.<\/p>\n<pre>http_access allow localnet !forbidden\r\n<\/pre>\n<p>Or maybe we will only want to allow access to those sites during a certain time of the day (<b>10:00 until 11:00 am<\/b>) only on\u00a0<b>Monday (M)<\/b>,\u00a0<b>Wednesday (W)<\/b>, and\u00a0<b>Friday (F)<\/b>. Note the\u00a0<b>localnet<\/b>\u00a0element in the allow rule: without it, the rule would open those domains to any client that can reach the proxy during that window, not just to your local network.<\/p>\n<pre>acl someDays time MWF 10:00-11:00\r\nhttp_access allow localnet forbidden someDays\r\nhttp_access deny forbidden\r\n<\/pre>\n<p>Otherwise, access to those domains will be blocked.<\/p>\n<h6>Restricting access by user authentication<\/h6>\n<p>Squid supports several authentication schemes (Basic, Digest, NTLM and Negotiate\/SPNEGO) and helpers (SQL database, LDAP, NIS, NCSA, to name a few). In this tutorial we will use Basic authentication with\u00a0<b>NCSA<\/b>. Bear in mind that Basic authentication sends the username and password to the proxy merely base64-encoded with every request, so it is acceptable on a trusted LAN but not across a network you do not control.<\/p>\n<p>Add the following lines to your\u00a0<b>\/etc\/squid\/squid.conf<\/b>\u00a0file. The\u00a0<b>http_access allow ncsa<\/b>\u00a0rule has to appear\u00a0<b>before<\/b>\u00a0the\u00a0<b>http_access allow localnet<\/b>\u00a0rule: rules are matched in order, so if the localnet rule comes first every local client is allowed by it and nobody is ever asked for credentials. Better still, require both in one rule (<b>http_access allow localnet ncsa<\/b>), so that a valid password alone does not admit clients from outside the local network.<\/p>\n<pre>auth_param basic program \/usr\/lib\/squid\/ncsa_auth \/etc\/squid\/passwd\r\nauth_param basic credentialsttl 30 minutes\r\nauth_param basic casesensitive on\r\nauth_param basic realm Squid proxy-caching web server for Tecmint's LFCE series\r\nacl ncsa proxy_auth REQUIRED\r\nhttp_access allow ncsa\r\n<\/pre>\n<p><strong>Note<\/strong>: In\u00a0<strong>CentOS 7<\/strong>, the NCSA helper for Squid is\u00a0<strong>\/usr\/lib64\/squid\/basic_ncsa_auth<\/strong>, so change the path in the first line accordingly.<\/p>\n<div id=\"attachment_10189\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-NCSA-Authentication.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10189\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-NCSA-Authentication-620x97.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-NCSA-Authentication-620x97.png 620w, 
https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-NCSA-Authentication.png 671w\" alt=\"Squid NCSA Authentication\" width=\"620\" height=\"97\" aria-describedby=\"caption-attachment-10189\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10189\" class=\"wp-caption-text\">Enable NCSA Authentication<\/p>\n<\/div>\n<p>A few clarifications:<\/p>\n<ol>\n<li>We need to tell Squid which authentication helper program to use with the\u00a0<b>auth_param<\/b>\u00a0directive by specifying the name of the program (most likely,\u00a0<b>\/usr\/lib\/squid\/ncsa_auth<\/b>\u00a0or\u00a0<strong>\/usr\/lib64\/squid\/basic_ncsa_auth<\/strong>), plus any command line options (<b>\/etc\/squid\/passwd<\/b>\u00a0in this case) if necessary.<\/li>\n<li>The\u00a0<b>\/etc\/squid\/passwd<\/b>\u00a0file is created through\u00a0<b>htpasswd<\/b>, a tool to manage basic authentication through files. It will allow us to add a list of usernames (and their corresponding password hashes) that will be allowed to use Squid.<\/li>\n<li><b>credentialsttl 30 minutes<\/b>\u00a0is how long Squid caches a successful check before it asks the helper again (you can specify this interval in hours as well). Browsers resend the credentials with every request, so users are not prompted again; the practical effect is that a changed or removed password keeps working for up to 30 minutes.<\/li>\n<li><b>casesensitive on<\/b>\u00a0indicates that usernames are case sensitive.<\/li>\n<li><b>realm<\/b>\u00a0represents the text of the authentication dialog that will be used to authenticate to squid.<\/li>\n<li>Finally, access is granted only when proxy authentication (<b>proxy_auth REQUIRED<\/b>) succeeds.<\/li>\n<\/ol>\n<p>Run the following command to create the file and to add credentials for user\u00a0<b>gacanepa<\/b>\u00a0(omit the\u00a0<b>-c<\/b>\u00a0flag if the file already exists, since\u00a0<b>-c<\/b>\u00a0recreates it and drops every user already in it). The file holds password hashes, so make it readable only by root and the account Squid runs as (<b>squid<\/b>\u00a0on CentOS,\u00a0<b>proxy<\/b>\u00a0on Debian and Ubuntu), for example with mode 640.<\/p>\n<pre># htpasswd -c \/etc\/squid\/passwd gacanepa\r\n<\/pre>\n<div id=\"attachment_10190\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Restrict-Squid-Access-by-User-Login.png\"><img loading=\"lazy\" 
decoding=\"async\" class=\"size-full wp-image-10190\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Restrict-Squid-Access-by-User-Login.png\" alt=\"Squid Restrict Users\" width=\"474\" height=\"161\" aria-describedby=\"caption-attachment-10190\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10190\" class=\"wp-caption-text\">Restrict Squid Access to Users<\/p>\n<\/div>\n<p>Open a web browser in the client machine and try to browse to any given site.<\/p>\n<div id=\"attachment_10191\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-Authentiction.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10191\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-Authentiction-620x207.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-Authentiction-620x207.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-Authentiction.png 767w\" alt=\"Squid Authentication Configuration\" width=\"620\" height=\"207\" aria-describedby=\"caption-attachment-10191\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10191\" class=\"wp-caption-text\">Enable Squid Authentication<\/p>\n<\/div>\n<p>If authentication succeeds, access is granted to the requested resource. 
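Rule order is the part of all this that bites in practice: Squid evaluates http_access lines top to bottom, the first rule whose elements all match decides, and a request that matches nothing gets the opposite of the last rule's action. The Python model below is an added example, not Squid's own code; it implements only the ACL types this article uses (src, dstdomain, time and proxy_auth) with the same first-match and AND semantics, so a policy can be tested before it is loaded. The two configurations inside it are constructed, not copied from the article's file: the first combines the snippets above in the order they were added, the second restates the same policy with deny rules first, credentials required for the LAN and an explicit deny all. The ACL names, the 192.168.0.0/24 network and the blocked client 192.168.0.104 come from this article; 10.0.0.5 is a made-up address outside the LAN. Running both for the same requests shows that in the first configuration a LAN client is allowed by the localnet rule and never asked for a password, that the blocked client gets in as soon as it authenticates, and that an allow forbidden someDays rule without a localnet element opens the blocked domains to any client that can reach the proxy during the window.

```python
"""Model of Squid's http_access evaluation (added example; not Squid's own code)."""
import ipaddress
from datetime import datetime

# Squid's day letters for 'time' ACLs, mapped to datetime.weekday() (Monday == 0)
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}


def parse_config(text):
    """Return ({acl_name: [(type, args), ...]}, [(action, [elements]), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":             # repeated lines with the same name are OR-ed
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """True if ACL `name` matches req = {src, dsthost, when, user}."""
    if name == "all":                     # Squid 3.x built-in catch-all
        return True
    for typ, args in acls[name]:
        if typ == "src":
            ip = ipaddress.ip_address(req["src"])
            if any(ip in ipaddress.ip_network(a, strict=False) for a in args):
                return True
        elif typ == "dstdomain":
            host = req["dsthost"].lower()
            for d in (a.lower() for a in args):
                # ".example.com" also matches subdomains; "example.com" is exact
                if host == d.lstrip(".") or (d.startswith(".") and host.endswith(d)):
                    return True
        elif typ == "time":               # e.g. "MWF 10:00-11:00" or just "10:00-11:00"
            days, rng = (args[0], args[1]) if len(args) == 2 else ("SMTWHFA", args[0])
            start, end = (int(t[:-3]) * 60 + int(t[-2:]) for t in rng.split("-"))
            now = req["when"]
            if (now.weekday() in {DAY_CODES[c] for c in days.replace("D", "MTWHF")}
                    and start <= now.hour * 60 + now.minute < end):
                return True
        elif typ == "proxy_auth":
            # Matches only once valid credentials were sent; real Squid sends a 407 challenge here
            if req.get("user"):
                return True
        else:
            raise ValueError(f"acl type {typ!r} is not modelled in this example")
    return False


def evaluate(acls, rules, req):
    """Return (action, reason): the first rule whose elements ALL match decides."""
    for i, (action, elems) in enumerate(rules):
        for e in elems:
            negated = e.startswith("!")
            if acl_matches(acls, e.lstrip("!"), req) == negated:    # this element fails
                break
        else:                                                        # every element matched
            return action, f"rule {i + 1}: http_access {action} {' '.join(elems)}"
    last_action = rules[-1][0]                                       # Squid's documented default
    return ("deny" if last_action == "allow" else "allow"), "no rule matched: opposite of last rule"


def request(src, dsthost, when, user=None):
    """Build a request; `when` is a datetime or a 'YYYY-MM-DD HH:MM' string."""
    if isinstance(when, str):
        when = datetime.strptime(when, "%Y-%m-%d %H:%M")
    return {"src": src, "dsthost": dsthost, "when": when, "user": user}


ARTICLE_ORDER = """# constructed: the article's snippets, in the order they were added
acl localnet src 192.168.0.0/24
acl ubuntuOS src 192.168.0.104
acl forbidden dstdomain .facebook.com
acl someDays time MWF 10:00-11:00
acl ncsa proxy_auth REQUIRED
http_access allow localnet !ubuntuOS !forbidden
http_access allow forbidden someDays
http_access deny forbidden
http_access allow ncsa
"""

HARDENED = """# constructed: same policy, deny rules first, password required on the LAN, explicit deny all
acl localnet src 192.168.0.0/24
acl ubuntuOS src 192.168.0.104
acl forbidden dstdomain .facebook.com
acl someDays time MWF 10:00-11:00
acl ncsa proxy_auth REQUIRED
http_access deny !localnet
http_access deny ubuntuOS
http_access deny forbidden !someDays
http_access allow localnet ncsa
http_access deny all
"""

if __name__ == "__main__":
    for cfg in (ARTICLE_ORDER, HARDENED):
        acls, rules = parse_config(cfg)
        print(evaluate(acls, rules, request("192.168.0.17", "www.tecmint.com", "2019-04-03 10:30")))
        print(evaluate(acls, rules, request("10.0.0.5", "www.facebook.com", "2019-04-03 10:30")))
```

The model stops at what the article covers: a real Squid also answers an unauthenticated request that reaches a proxy_auth ACL with a 407 challenge instead of simply failing the element, and supports many more ACL types.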
Otherwise, access will be denied.<\/p>\n<h3>Using Cache to Speed Up Data Transfer<\/h3>\n<p>One of Squid\u2019s distinguishing features is the possibility of caching resources requested from the web to disk in order to speed up future requests of those objects either by the same client or others.<\/p>\n<p>Add the following directives in your\u00a0<b>squid.conf<\/b>\u00a0file.<\/p>\n<pre>cache_dir ufs \/var\/cache\/squid 1000 16 256\r\nmaximum_object_size 100 MB\r\nrefresh_pattern .*\\.(mp4|iso) 2880 0% 2880\r\n<\/pre>\n<p>A few clarifications of the above directives.<\/p>\n<ol>\n<li><b>ufs<\/b>\u00a0is the Squid storage format.<\/li>\n<li><b>\/var\/cache\/squid<\/b>\u00a0is a top-level directory where cache files will be stored. This directory must exist and be writeable by Squid (Squid will NOT create this directory for you). Once it exists, run\u00a0<b>squid -z<\/b>\u00a0once to build the subdirectory tree below it before restarting Squid.<\/li>\n<li><b>1000<\/b>\u00a0is the amount (in MB) to use under this directory.<\/li>\n<li><b>16<\/b>\u00a0is the number of 1st-level subdirectories, whereas\u00a0<b>256<\/b>\u00a0is the number of 2nd-level subdirectories within\u00a0<b>\/var\/cache\/squid<\/b>.<\/li>\n<li>The\u00a0<b>maximum_object_size<\/b>\u00a0directive specifies the maximum size of allowed objects in the cache.<\/li>\n<li><b>refresh_pattern<\/b>\u00a0tells Squid how to deal with specific file types (<b>.mp4<\/b>\u00a0and\u00a0<b>.iso<\/b>\u00a0in this case) and for how long it should store the requested objects in cache (2880 minutes = 2 days). Refresh patterns are matched in order, so this line must come before the generic\u00a0<b>refresh_pattern .<\/b>\u00a0catch-all that is already in the file.<\/li>\n<\/ol>\n<p>The first and second\u00a0<b>2880<\/b>\u00a0are lower and upper limits, respectively, on how long objects without an explicit expiry time will be considered recent, and thus will be served by the cache, whereas\u00a0<b>0%<\/b>\u00a0is the percentage of the objects\u2019 age (time since last modification) that each object without explicit expiry time will be considered recent.<\/p>\n<h6>Case study: downloading a .mp4 file from 2 different clients and testing the cache<\/h6>\n<p>First client (<b>IP 192.168.0.104<\/b>) 
downloads a\u00a0<b>71 MB .mp4<\/b>\u00a0file in 2 minutes and 52 seconds.<\/p>\n<div id=\"attachment_10192\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Enable-Caching-on-Squid.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10192\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Enable-Caching-on-Squid-620x180.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Enable-Caching-on-Squid-620x180.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Enable-Caching-on-Squid.png 956w\" alt=\"Setup Squid Caching in Linux\" width=\"620\" height=\"180\" aria-describedby=\"caption-attachment-10192\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10192\" class=\"wp-caption-text\">Enable Caching on Squid<\/p>\n<\/div>\n<p>Second client (<b>IP 192.168.0.17<\/b>) downloads the same file in 1.4 seconds!<\/p>\n<div id=\"attachment_10193\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Verify-Squid-Caching.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10193\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Verify-Squid-Caching-620x185.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Verify-Squid-Caching-620x185.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Verify-Squid-Caching.png 862w\" alt=\"Verify Squid Caching\" width=\"620\" height=\"185\" aria-describedby=\"caption-attachment-10193\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10193\" class=\"wp-caption-text\">Verify Squid Caching<\/p>\n<\/div>\n<p>That is because the file was served from the\u00a0<b>Squid cache<\/b>\u00a0(indicated by\u00a0<b>TCP_HIT\/200<\/b>) in the second case, as opposed to the 
first instance, when it was downloaded directly from the Internet (represented by\u00a0<b>TCP_MISS\/200<\/b>).<\/p>\n<p>The\u00a0<b>HIT<\/b>\u00a0and\u00a0<b>MISS<\/b>\u00a0keywords, along with the\u00a0<b>200 http<\/b>\u00a0response code, indicate that the file was served successfully both times, but the cache was HIT and Missed respectively. When a request cannot be served by the cache for some reason, then Squid attempts to serve it from the Internet.<\/p>\n<div id=\"attachment_10194\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-HTTP-Codes.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10194\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-HTTP-Codes-620x84.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-HTTP-Codes-620x84.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-HTTP-Codes.png 857w\" alt=\"Squid HTTP Codes\" width=\"620\" height=\"84\" aria-describedby=\"caption-attachment-10194\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10194\" class=\"wp-caption-text\">Squid HTTP Codes<\/p>\n<\/div>\n<h3>Conclusion<\/h3>\n<p>In this article we have discussed how to set up a\u00a0<b>Squid web caching proxy<\/b>. 
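As an added example (not from the article), here is a small Python parser for the native access.log format shown in the screenshots above, so that the tail -f check and the HIT/MISS comparison can be turned into numbers: per client, the count of cache hits, misses, 407 authentication challenges and 403 policy denials, plus the overall hit ratio and a list of clients that keep running into the ACLs. The log lines inside it are constructed to mirror this article's test (two clients, a 71 MB download served once from the Internet and once from cache, the blocked client, one authenticated user); they are not real log data, and the upstream addresses in them are made up.

```python
"""Summarise Squid's native access.log: cache hits, misses and denials per client.
Added example; the log lines below are constructed to mirror the article's test, not copied from it."""
import re
from collections import defaultdict

# Native format: time elapsed_ms client code/status bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

SAMPLE_LOG = """\
1418500000.123 172000 192.168.0.104 TCP_MISS/200 74448896 GET http://mirror.example.org/demo.mp4 - DIRECT/93.184.216.34 video/mp4
1418500200.456   1400 192.168.0.17 TCP_HIT/200 74448896 GET http://mirror.example.org/demo.mp4 - NONE/- video/mp4
1418500300.000      0 192.168.0.17 TCP_DENIED/407 3790 GET http://www.tecmint.com/ - NONE/- text/html
1418500301.000    210 192.168.0.17 TCP_MISS/200 51234 GET http://www.tecmint.com/ gacanepa DIRECT/104.18.1.1 text/html
1418500400.000      0 192.168.0.104 TCP_DENIED/403 3868 GET http://www.tecmint.com/ - NONE/- text/html
1418500401.000      0 192.168.0.104 TCP_DENIED/403 3868 GET http://www.facebook.com/ - NONE/- text/html
1418500402.000      0 192.168.0.104 TCP_DENIED/403 3868 GET http://www.tecmint.com/ - NONE/- text/html
"""


def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["ms"], rec["bytes"], rec["status"] = (
        float(rec["ts"]), int(rec["ms"]), int(rec["bytes"]), int(rec["status"]))
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def summarise(lines):
    """Per-client counters: requests, hits, misses, challenges (407), denied (403), cache bytes, users."""
    stats = defaultdict(lambda: {"requests": 0, "hits": 0, "misses": 0, "challenges": 0,
                                 "denied": 0, "cache_bytes": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["requests"] += 1
        code = rec["code"]
        if code == "TCP_DENIED":
            # 407 is the normal authentication challenge; any other status is a policy denial
            s["challenges" if rec["status"] == 407 else "denied"] += 1
        elif "HIT" in code:            # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
            s["hits"] += 1
            s["cache_bytes"] += rec["bytes"]
        elif "MISS" in code:           # TCP_MISS, TCP_REFRESH_MISS, TCP_CLIENT_REFRESH_MISS, ...
            s["misses"] += 1
        # other codes (TCP_TUNNEL for CONNECT, TCP_REFRESH_UNMODIFIED, ...) are counted as requests only
        if rec["user"]:
            s["users"].add(rec["user"])
    return dict(stats)


def hit_ratio(stats):
    """Fraction of served (non-denied) requests answered from the cache."""
    hits = sum(s["hits"] for s in stats.values())
    served = hits + sum(s["misses"] for s in stats.values())
    return hits / served if served else 0.0


def blocked_clients(stats, threshold=3):
    """Clients with at least `threshold` policy denials: misconfigured, or probing the ACLs."""
    return sorted(c for c, s in stats.items() if s["denied"] >= threshold)


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG.splitlines())
    for client, s in sorted(stats.items()):
        print(client, {k: (sorted(v) if isinstance(v, set) else v) for k, v in s.items()})
    print(f"cache hit ratio: {hit_ratio(stats):.0%}; blocked clients: {blocked_clients(stats)}")
```

To run it against a live proxy, replace SAMPLE_LOG.splitlines() with the lines of /var/log/squid/access.log; if you have switched logformat away from the native format, the regular expression has to follow.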
You can use the proxy server to filter contents using a chosen criteria, and also to reduce latency (since identical incoming requests are served from the cache, which is closer to the client than the web server that is actually serving the content, resulting in faster data transfers) and network traffic as well (reducing the amount of used bandwidth, which saves you money if you\u2019re paying for traffic).<\/p>\n<p>You may want to refer to the\u00a0<a href=\"http:\/\/www.squid-cache.org\/\" target=\"_blank\" rel=\"noopener\">Squid web site<\/a>\u00a0for further documentation (make sure to also check the wiki), but do not hesitate to contact us if you have any questions or comments. We will be more than glad to hear from you!<\/p>\n<h1 class=\"post-title\">Configuring SquidGuard, Enabling Content Rules and Analyzing Squid Logs \u2013 Part 6<\/h1>\n<p>A\u00a0<b>LFCE<\/b>\u00a0(<b>Linux Foundation Certified Engineer<\/b>)\u200b is a professional who has the necessary skills to install, manage, and troubleshoot network services in Linux systems, and is in charge of the design, implementation and ongoing maintenance of the system architecture in its entirety.<\/p>\n<div id=\"attachment_10255\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-SquidGuard-to-Use-Squid.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10255\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-SquidGuard-to-Use-Squid.png\" alt=\"Configure SquidGuard for Squid \" width=\"600\" height=\"400\" aria-describedby=\"caption-attachment-10255\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10255\" class=\"wp-caption-text\">Linux Foundation Certified Engineer \u2013 Part 6<\/p>\n<\/div>\n<p>Introducing The Linux Foundation Certification Program.<\/p>\n<div class=\"post-format\">\n<div class=\"video-container\"><iframe loading=\"lazy\" 
src=\"https:\/\/www.youtube.com\/embed\/Y29qZ71Kicg\" width=\"720\" height=\"405\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" data-mce-fragment=\"1\"><\/iframe><\/div>\n<\/div>\n<p>In previous posts we discussed how to install\u00a0<b>Squid<\/b>\u00a0+\u00a0<strong>squidGuard<\/strong>\u00a0and how to configure Squid to properly handle or restrict access requests. Please make sure you go over those two tutorials and install both Squid and squidGuard before proceeding, as they set the background and the context for what we will cover in this post: integrating squidGuard into a working Squid environment to implement blacklist rules and content control on the proxy server.<\/p>\n<h4>Requirements<\/h4>\n<ol>\n<li><a href=\"https:\/\/www.tecmint.com\/installing-network-services-and-configuring-services-at-system-boot\/\" target=\"_blank\" rel=\"noopener\">Install Squid and SquidGuard \u2013 Part 1<\/a><\/li>\n<li><a href=\"https:\/\/www.tecmint.com\/configure-squid-server-in-linux\/\" target=\"_blank\" rel=\"noopener\">Configuring Squid Proxy Server with Restricted Access \u2013 Part 5<\/a><\/li>\n<\/ol>\n<h3>What Can and Cannot SquidGuard Be Used For?<\/h3>\n<p>Though squidGuard will certainly boost and enhance Squid\u2019s features, it is important to highlight what it can and what it cannot do.<\/p>\n<p>squidGuard can be used to:<\/p>\n<ol>\n<li>limit the allowed web access for some users to a list of accepted\/well-known web servers and\/or URLs only, while denying access to other blacklisted web servers and\/or URLs.<\/li>\n<li>block access to sites (by IP address or domain name) matching a list of regular expressions or words for some users.<\/li>\n<li>require the use of domain names\/prohibit the use of IP addresses in URLs.<\/li>\n<li>redirect blocked URLs to error or info pages.<\/li>\n<li>use distinct access rules based on time of day, day of the week, date, etc.<\/li>\n<li>implement different rules for distinct user groups.<\/li>\n<\/ol>\n<p>However, 
neither squidGuard nor Squid can be used to:<\/p>\n<ol>\n<li>analyze text inside documents and act on the result.<\/li>\n<li>detect or block embedded scripting languages like JavaScript, Python, or VBScript inside HTML code.<\/li>\n<\/ol>\n<h4>Blacklists \u2013 The Basics<\/h4>\n<p><b>Blacklists<\/b>\u00a0are an essential part of squidGuard. Basically, they are plain text files that allow you to implement content filters based on specific keywords. There are both freely available and commercial blacklists, and you can find the download links on the\u00a0<a href=\"http:\/\/www.squidguard.org\/blacklists.html\" target=\"_blank\" rel=\"noopener\">squidguard blacklists<\/a>\u00a0project\u2019s website.<\/p>\n<p>In this tutorial I will show you how to integrate the blacklists provided by\u00a0<a href=\"http:\/\/www.shallalist.de\/\" target=\"_blank\" rel=\"nofollow noopener\">Shalla Secure Services<\/a>\u00a0into your squidGuard installation. These blacklists are free for personal \/ non-commercial use and are updated on a daily basis. 
They include, as of today, over\u00a0<b>1,700,000<\/b>\u00a0entries.<\/p>\n<p>For our convenience, let\u2019s create a directory to download the blacklist package.<\/p>\n<pre># mkdir \/opt\/3rdparty\r\n# cd \/opt\/3rdparty \r\n# wget http:\/\/www.shallalist.de\/Downloads\/shallalist.tar.gz\r\n<\/pre>\n<p>The latest download link is always available as highlighted below.<\/p>\n<div id=\"attachment_10248\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Download-Squidguard-Blacklist.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10248\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Download-Squidguard-Blacklist-620x264.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Download-Squidguard-Blacklist-620x264.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Download-Squidguard-Blacklist.png 723w\" alt=\"Download Squidguard Blacklist for Squid\" width=\"620\" height=\"264\" aria-describedby=\"caption-attachment-10248\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10248\" class=\"wp-caption-text\">Download Squidguard Blacklist<\/p>\n<\/div>\n<p>After untarring the newly downloaded file, we will browse to the blacklist (<b>BL<\/b>) folder.<\/p>\n<pre># tar xzf shallalist.tar.gz \r\n# cd BL\r\n# ls\r\n<\/pre>\n<div id=\"attachment_10249\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squidguard-Blacklist-Domains.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10249\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squidguard-Blacklist-Domains.png\" alt=\"Squidguard Blacklist Domains for Squid\" width=\"543\" height=\"284\" aria-describedby=\"caption-attachment-10249\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10249\" 
class=\"wp-caption-text\">Squidguard Blacklist Domains<\/p>\n<\/div>\n<p>You can think of the directories shown in the output of\u00a0<b>ls<\/b>\u00a0as blacklist categories, and their corresponding (optional) subdirectories as subcategories, descending all the way down to specific URLs and domains, which are listed in the files\u00a0<b>urls<\/b>\u00a0and\u00a0<b>domains<\/b>, respectively. Refer to the image below for further details.<\/p>\n<div id=\"attachment_10250\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Blacklist-Urls-Domains.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10250\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Blacklist-Urls-Domains.png\" alt=\"Squid Blacklist Urls Domains\" width=\"576\" height=\"415\" aria-describedby=\"caption-attachment-10250\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10250\" class=\"wp-caption-text\">SquidGuard Blacklist Urls Domains<\/p>\n<\/div>\n<h4>Installing Blacklists<\/h4>\n<p>Installation of the whole\u00a0<b>blacklist<\/b>\u00a0package, or of individual categories, is performed by copying the\u00a0<b>BL<\/b>\u00a0directory, or one of its subdirectories, respectively, to the\u00a0<b>\/var\/lib\/squidguard\/db<\/b>\u00a0directory.<\/p>\n<p>Of course you could have downloaded the\u00a0<b>blacklist<\/b>\u00a0tarball to this directory in the first place, but the approach explained earlier gives you more control over which categories should be blocked (or not) at a specific time.<\/p>\n<p>Next, I will show you how to install the\u00a0<b>anonvpn<\/b>,\u00a0<b>hacking<\/b>, and\u00a0<b>chat<\/b>\u00a0blacklists and how to configure squidGuard to use them.<\/p>\n<p><b>Step 1<\/b>: Recursively copy the\u00a0<b>anonvpn<\/b>,\u00a0<b>hacking<\/b>, and\u00a0<b>chat<\/b>\u00a0directories from\u00a0<b>\/opt\/3rdparty\/BL<\/b>\u00a0to\u00a0<b>\/var\/lib\/squidguard\/db<\/b>.<\/p>\n<pre># cp -a 
\/opt\/3rdparty\/BL\/anonvpn \/var\/lib\/squidguard\/db\r\n# cp -a \/opt\/3rdparty\/BL\/hacking \/var\/lib\/squidguard\/db\r\n# cp -a \/opt\/3rdparty\/BL\/chat \/var\/lib\/squidguard\/db\r\n<\/pre>\n<p><b>Step 2<\/b>: Use the domains and urls files to create squidguard\u2019s database files. Please note that the following command will work for creating\u00a0<b>.db<\/b>\u00a0files for all the installed blacklists \u2013 even when a certain category has 2 or more subcategories.<\/p>\n<pre># squidGuard -C all\r\n<\/pre>\n<p><b>Step 3<\/b>: Change the ownership of the\u00a0<b>\/var\/lib\/squidguard\/db\/<\/b>\u00a0directory and its contents to the proxy user so that Squid can read the database files.<\/p>\n<pre># chown -R proxy:proxy \/var\/lib\/squidguard\/db\/\r\n<\/pre>\n<p><b>Step 4<\/b>: Configure Squid to use squidGuard. We will use Squid\u2019s\u00a0<b>url_rewrite_program<\/b>\u00a0directive in\u00a0<b>\/etc\/squid\/squid.conf<\/b>\u00a0to tell Squid to use squidGuard as a URL rewriter \/ redirector.<\/p>\n<p>Add the following line to\u00a0<b>squid.conf<\/b>, making sure that\u00a0<b>\/usr\/bin\/squidGuard<\/b>\u00a0is the right absolute path in your case.<\/p>\n<pre># which squidGuard\r\n# echo \"url_rewrite_program $(which squidGuard)\" &gt;&gt; \/etc\/squid\/squid.conf\r\n# tail -n 1 \/etc\/squid\/squid.conf\r\n<\/pre>\n<div id=\"attachment_10251\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Squid-use-Squidguard.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10251\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Squid-use-Squidguard-620x129.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Squid-use-Squidguard-620x129.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Squid-use-Squidguard.png 689w\" alt=\"Configure SquidGuard 
for Squid\" width=\"620\" height=\"129\" aria-describedby=\"caption-attachment-10251\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10251\" class=\"wp-caption-text\">Configure Squid to use SquidGuard<\/p>\n<\/div>\n<p><b>Step 5<\/b>: Add the necessary directives to squidGuard\u2019s configuration file (located in\u00a0<b>\/etc\/squidguard\/squidGuard.conf<\/b>).<\/p>\n<p>Please refer to the screenshot above, and to the following configuration, for further clarification.<\/p>\n<pre>src localnet {\r\n        ip      192.168.0.0\/24\r\n}\r\n\r\ndest anonvpn {\r\n        domainlist      anonvpn\/domains\r\n        urllist         anonvpn\/urls\r\n}\r\ndest hacking {\r\n        domainlist      hacking\/domains\r\n        urllist         hacking\/urls\r\n}\r\ndest chat {\r\n        domainlist      chat\/domains\r\n        urllist         chat\/urls\r\n}\r\n\r\nacl {\r\n        localnet {\r\n                        pass     !anonvpn !hacking !chat !in-addr all\r\n                        redirect http:\/\/www.lds.org\r\n                }\r\n        default {\r\n                        pass     local none\r\n        }\r\n}\r\n<\/pre>\n<p><b>Step 6<\/b>: Restart Squid and test.<\/p>\n<pre># service squid restart \t\t[sysvinit \/ Upstart-based systems]\r\n# systemctl restart squid.service \t[systemctl-based systems]\r\n<\/pre>\n<p>Open a web browser on a client within the local network and browse to a site found in any of the blacklist files (domains or urls \u2013 we will use\u00a0<b>http:\/\/spin.de\/<\/b>, listed under chat, in the following example) and you will be redirected to another URL,\u00a0<b>www.lds.org<\/b>\u00a0in this case.<\/p>\n<p>You can verify that the request was made to the proxy server but was denied (301 HTTP response \u2013\u00a0<b>Moved permanently<\/b>) and was redirected to\u00a0<b>www.lds.org<\/b>\u00a0instead.<\/p>\n<div id=\"attachment_10252\" class=\"wp-caption aligncenter\">\n<p><a 
href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-Logs.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10252\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-Logs-620x61.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-Logs-620x61.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Squid-Logs.png 924w\" alt=\"Analyze Squid Logs\" width=\"620\" height=\"61\" aria-describedby=\"caption-attachment-10252\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10252\" class=\"wp-caption-text\">Analyze Squid Logs<\/p>\n<\/div>\n<h4>Removing Restrictions<\/h4>\n<p>If for some reason you need to enable a category that has been blocked in the past, remove the corresponding directory from\u00a0<b>\/var\/lib\/squidguard\/db<\/b>\u00a0and comment (or delete) the related\u00a0<b>acl<\/b>\u00a0in the\u00a0<b>squidguard.conf<\/b>\u00a0file.<\/p>\n<p>For example, if you want to enable the domains and urls blacklisted by the\u00a0<b>anonvpn<\/b>\u00a0category, you would need to perform the following steps.<\/p>\n<pre># rm -rf \/var\/lib\/squidguard\/db\/anonvpn\r\n<\/pre>\n<p>And edit the\u00a0<b>squidguard.conf<\/b>\u00a0file as follows.<\/p>\n<div id=\"attachment_10253\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Remove-Squid-Blacklist.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10253\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Remove-Squid-Blacklist-620x246.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Remove-Squid-Blacklist-620x246.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Remove-Squid-Blacklist.png 977w\" alt=\"Remove Domains from Squid Blacklist\" width=\"620\" height=\"246\" 
aria-describedby=\"caption-attachment-10253\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10253\" class=\"wp-caption-text\">Remove Squid Blacklist<\/p>\n<\/div>\n<p>Please note that the parts highlighted in yellow under\u00a0<b>BEFORE<\/b>\u00a0have been deleted in\u00a0<b>AFTER<\/b>.<\/p>\n<h4>Whitelisting Specific Domains and URLs<\/h4>\n<p>On occasion you may want to allow certain\u00a0<b>URLs<\/b>\u00a0or\u00a0<b>domains<\/b>, but not an entire blacklisted directory. In that case, you should create a directory named\u00a0<b>myWhiteLists<\/b>\u00a0(or whatever name you choose) and insert the desired\u00a0<b>URLs<\/b>\u00a0and\u00a0<b>domains<\/b>\u00a0under\u00a0<b>\/var\/lib\/squidguard\/db\/myWhiteLists<\/b>\u00a0in files named urls and domains, respectively.<\/p>\n<p>Then, initialize the new content rules as before,<\/p>\n<pre># squidGuard -C all\r\n<\/pre>\n<p>and modify the\u00a0<b>squidguard.conf<\/b>\u00a0as follows.<\/p>\n<div id=\"attachment_10254\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Remove-Domains-Urls-in-Squid-Blacklist.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10254\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Remove-Domains-Urls-in-Squid-Blacklist-620x279.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Remove-Domains-Urls-in-Squid-Blacklist-620x279.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Remove-Domains-Urls-in-Squid-Blacklist-1024x461.png 1024w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Remove-Domains-Urls-in-Squid-Blacklist.png 1039w\" alt=\"Remove Domains Urls in Squid Blacklist\" width=\"620\" height=\"279\" aria-describedby=\"caption-attachment-10254\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10254\" class=\"wp-caption-text\">Remove Domains Urls in Squid 
Blacklist<\/p>\n<\/div>\n<p>As before, the parts highlighted in yellow indicate the lines that need to be added. Note that the\u00a0<b>myWhiteLists<\/b>\u00a0string needs to come first in the row that starts with pass.<\/p>\n<p>Finally, remember to restart Squid to apply the changes.<\/p>\n<h3>Conclusion<\/h3>\n<p>After following the steps outlined in this tutorial you should have a powerful content filter and URL redirector working hand in hand with your Squid proxy. If you experience any issues during your installation \/ configuration process or have any questions or comments, you may want to refer to\u00a0<a href=\"http:\/\/www.squidguard.org\/Doc\/\" target=\"_blank\" rel=\"noopener\">squidGuard\u2019s web documentation<\/a>, but always feel free to drop us a line using the form below and we will get back to you as soon as possible.<\/p>\n<h1 class=\"post-title\">Setting Up Email Services (SMTP, Imap and Imaps) and Restricting Access to SMTP \u2013 Part 7<\/h1>\n<p>An\u00a0<b>LFCE<\/b>\u00a0(<b>Linux Foundation Certified Engineer<\/b>) is a trained professional who has the skills to install, manage, and troubleshoot network services in Linux systems, and is in charge of the design, implementation and ongoing maintenance of the system architecture and user administration.<\/p>\n<div id=\"attachment_10358\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/lfce-7.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10358\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/lfce-7.jpg\" alt=\"Setting Up Postfix Mail Server\" width=\"600\" height=\"400\" aria-describedby=\"caption-attachment-10358\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10358\" class=\"wp-caption-text\">Linux Foundation Certified Engineer \u2013 Part 7<\/p>\n<\/div>\n<p>Introducing The Linux Foundation Certification Program.<\/p>\n<div class=\"post-format\">\n<div 
class=\"video-container\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/Y29qZ71Kicg\" width=\"720\" height=\"405\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" data-mce-fragment=\"1\"><\/iframe><\/div>\n<\/div>\n<p>In a previous tutorial we discussed how to install the necessary components of a mail service. If you haven\u2019t installed\u00a0<b>Postfix<\/b>\u00a0and\u00a0<b>Dovecot<\/b>\u00a0yet, please refer to Part 1 of this series for instructions on doing so before proceeding.<\/p>\n<h4>Requirement<\/h4>\n<ol>\n<li><a href=\"https:\/\/www.tecmint.com\/installing-network-services-and-configuring-services-at-system-boot\/\">Install Postfix Mail Server and Dovecot \u2013 Part 1<\/a><\/li>\n<\/ol>\n<p>In this post, I will show you how to configure your mail server and how to perform the following tasks:<\/p>\n<ol>\n<li>Configure email aliases<\/li>\n<li>Configure an IMAP and IMAPS service<\/li>\n<li>Configure an SMTP service<\/li>\n<li>Restrict access to an SMTP server<\/li>\n<\/ol>\n<p><strong>Note<\/strong>: Our setup will only cover a mail server for a local area network where the machines belong to the same domain. 
Sending email messages to other domains requires a more complex setup, including domain name resolution capabilities, which is outside the scope of the LFCE certification.<\/p>\n<p>But first off, let\u2019s start with a few definitions.<\/p>\n<h3>Components Of a Mail Sending, Transport and Delivery Process<\/h3>\n<p>The following image illustrates the process of email transport, starting with the sender and ending when the message reaches the recipient\u2019s inbox:<\/p>\n<div id=\"attachment_21303\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Process-of-Email-Transport.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-21303\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Process-of-Email-Transport.png\" alt=\"Process of Email Transport\" width=\"591\" height=\"273\" aria-describedby=\"caption-attachment-21303\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-21303\" class=\"wp-caption-text\">Process of Email Transport<\/p>\n<\/div>\n<p>To make this possible, several things happen behind the scenes. In order for an email message to be delivered from a client application (such as Thunderbird, Outlook, or webmail services such as Gmail or Yahoo! Mail) to the sender\u2019s mail server, from there to the destination server, and finally to its intended recipient, an SMTP (Simple Mail Transfer Protocol) service must be in place on each server.<\/p>\n<p>When talking about email services, you will find the following terms mentioned very often:<\/p>\n<h5>Message Transport Agent \u2013 MTA<\/h5>\n<p><b>MTA<\/b>\u00a0(short for\u00a0<b>Mail<\/b>\u00a0or\u00a0<b>Message Transport Agent<\/b>), aka mail relay, is software that is in charge of transferring email messages from a server to a client (and the other way around as well). 
In this series, Postfix acts as our MTA.<\/p>\n<h5>Mail User Agent \u2013 MUA<\/h5>\n<p><b>MUA<\/b>, or\u00a0<b>Mail User Agent<\/b>, is a computer program used to access and manage the user\u2019s email inboxes. Examples of MUAs include Thunderbird, Outlook, and webmail interfaces such as Gmail and Outlook.com, to name a few. In this series, we will use Thunderbird in our examples.<\/p>\n<h5>Mail Delivery Agent \u2013 MDA<\/h5>\n<p><b>MDA<\/b>\u00a0(short for\u00a0<b>Message<\/b>\u00a0or\u00a0<b>Mail Delivery Agent<\/b>) is the software component that actually delivers email messages to users\u2019 inboxes. In this tutorial, we will use Dovecot as our MDA. Dovecot will also handle user authentication.<\/p>\n<h5>Simple Mail Transfer Protocol \u2013 SMTP<\/h5>\n<p>In order for these components to be able to \u201c<b>talk<\/b>\u201d to each other, they must \u201c<b>speak<\/b>\u201d the same \u201c<b>language<\/b>\u201d (or protocol), namely\u00a0<b>SMTP<\/b>\u00a0(<b>Simple Mail Transfer Protocol<\/b>) as defined in\u00a0<a href=\"https:\/\/www.ietf.org\/rfc\/rfc2821.txt\" target=\"_blank\" rel=\"nofollow noopener\">RFC 2821<\/a>. 
Most likely, you will have to refer to that RFC while setting up your mail server environment.<\/p>\n<p>Other protocols that we need to take into account are\u00a0<b>IMAP4<\/b>\u00a0(<b>Internet Message Access Protocol<\/b>), which allows you to manage email messages directly on the server without downloading them to the client\u2019s hard drive, and\u00a0<b>POP3<\/b>\u00a0(<b>Post Office Protocol<\/b>), which allows you to download the messages and folders to the user\u2019s computer.<\/p>\n<h4>Our Testing Environment<\/h4>\n<p>Our testing environment is as follows:<\/p>\n<h5>Mail Server Setup<\/h5>\n<pre>Mail Server OS\t: \tDebian Wheezy 7.5 \r\nIP Address\t:\t192.168.0.15\r\nLocal Domain\t:\texample.com.ar\r\nUser Aliases\t:\tsysadmin@example.com.ar is aliased to gacanepa@example.com.ar and jdoe@example.com.ar\r\n<\/pre>\n<h5>Client Machine Setup<\/h5>\n<pre>Mail Client OS\t: \tUbuntu 12.04\r\nIP Address\t:\t192.168.0.103\r\n<\/pre>\n<p>On our\u00a0<b>client<\/b>, we have set up elementary name resolution by adding the following line to the\u00a0<b>\/etc\/hosts<\/b>\u00a0file.<\/p>\n<pre>192.168.0.15 example.com.ar mailserver\r\n<\/pre>\n<h3>Adding Email Aliases<\/h3>\n<p>By default, a message sent to a specific user should be delivered to that user only. However, if you also want to deliver it to a group of users, or to a different user, you can create a mail alias or use one of the existing ones in\u00a0<b>\/etc\/postfix\/aliases<\/b>, following this syntax:<\/p>\n<pre>user1: user1, user2\r\n<\/pre>\n<p>Thus, emails sent to\u00a0<b>user1<\/b>\u00a0will also be delivered to\u00a0<b>user2<\/b>. Note that if you omit the word\u00a0<b>user1<\/b>\u00a0after the colon, as in<\/p>\n<pre>user1: user2\r\n<\/pre>\n<p>the messages sent to\u00a0<b>user1<\/b>\u00a0will only be sent to\u00a0<b>user2<\/b>, and not to\u00a0<b>user1<\/b>.<\/p>\n<p>In the above example,\u00a0<b>user1<\/b>\u00a0and\u00a0<b>user2<\/b>\u00a0should already exist on the system. 
You may want to refer to\u00a0<b>Part 8<\/b>\u00a0of the LFCS series if you need to refresh your memory before adding new users.<\/p>\n<ol>\n<li><a target=\"_blank\">How to Add and Manage Users\/Groups in Linux<\/a><\/li>\n<li><a target=\"_blank\">15 Commands to Add Users in Linux<\/a><\/li>\n<\/ol>\n<p>In our specific case, we will use the following alias as explained before (add the following line in\u00a0<b>\/etc\/aliases<\/b>).<\/p>\n<pre>sysadmin: gacanepa, jdoe\r\n<\/pre>\n<p>And run the following command to create or refresh the aliases lookup table.<\/p>\n<pre>postalias \/etc\/postfix\/aliases\r\n<\/pre>\n<p>Messages sent to\u00a0<b>sysadmin@example.com.ar<\/b>\u00a0will then be delivered to the inboxes of the users listed above.<\/p>\n<h3>Configuring Postfix \u2013 The SMTP Service<\/h3>\n<p>The main configuration file for\u00a0<b>Postfix<\/b>\u00a0is\u00a0<b>\/etc\/postfix\/main.cf<\/b>. You only need to set up a few parameters before being able to use the mail service. However, you should become acquainted with the full list of configuration parameters (which can be listed with\u00a0<b>man 5 postconf<\/b>) in order to set up a secure and fully customized mail server.<\/p>\n<p><strong>Note<\/strong>: This tutorial is only supposed to get you started in that process and does not represent a comprehensive guide on email services with Linux.<\/p>\n<p>Open the\u00a0<b>\/etc\/postfix\/main.cf<\/b>\u00a0file with your editor of choice and make the following changes as explained below.<\/p>\n<pre># vi \/etc\/postfix\/main.cf\r\n<\/pre>\n<p><b>1<\/b>.\u00a0<b>myorigin<\/b>\u00a0specifies the domain that appears in messages sent from the server. You may see the\u00a0<b>\/etc\/mailname<\/b>\u00a0file used with this parameter. 
Feel free to edit it if needed.<\/p>\n<pre>myorigin = \/etc\/mailname\r\n<\/pre>\n<div id=\"attachment_10341\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Myorigin.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10341\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Myorigin.png\" alt=\"Configure Myorigin in Postfix\" width=\"372\" height=\"108\" aria-describedby=\"caption-attachment-10341\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10341\" class=\"wp-caption-text\">Configure Myorigin<\/p>\n<\/div>\n<p>If the value above is used, mail will be sent as\u00a0<b>user@example.com.ar<\/b>, where user is the account sending the message.<\/p>\n<p><b>2<\/b>.\u00a0<b>mydestination<\/b>\u00a0lists the domains for which this machine delivers email messages locally, instead of forwarding them to another machine (acting as a relay system). The default settings will suffice in our case (make sure to edit the file to suit your environment).<\/p>\n<div id=\"attachment_10342\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Mydestination.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10342\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Mydestination-620x53.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Mydestination-620x53.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Mydestination.png 928w\" alt=\"Configure Mydestination\" width=\"620\" height=\"53\" aria-describedby=\"caption-attachment-10342\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10342\" class=\"wp-caption-text\">Configure Mydestination<\/p>\n<\/div>\n<p>The\u00a0<b>\/etc\/postfix\/transport<\/b>\u00a0file defines the 
relationship between domains and the next server to which mail messages should be forwarded. In our case, since we will be delivering messages to our local area network only (thus bypassing any external DNS resolution), the following configuration will suffice.<\/p>\n<pre>example.com.ar    local:\r\n.example.com.ar    local:\r\n<\/pre>\n<p>Next, we need to convert this plain text file to the\u00a0<b>.db<\/b>\u00a0format, which creates the lookup table that Postfix will actually use to decide what to do with incoming and outgoing mail.<\/p>\n<pre># postmap \/etc\/postfix\/transport\r\n<\/pre>\n<p>Remember to recreate this table whenever you add more entries to the corresponding text file.<\/p>\n<p><b>3<\/b>.\u00a0<b>mynetworks<\/b>\u00a0defines the authorized networks from which Postfix will forward messages. The default value, subnet, tells Postfix to forward mail only from SMTP clients in the same IP subnetworks as the local machine.<\/p>\n<pre>mynetworks = subnet\r\n<\/pre>\n<div id=\"attachment_10345\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Mynetworks.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10345\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Mynetworks.png\" alt=\"Configure Mynetworks in Postfix\" width=\"384\" height=\"57\" aria-describedby=\"caption-attachment-10345\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10345\" class=\"wp-caption-text\">Configure Mynetworks<\/p>\n<\/div>\n<p><b>4<\/b>.\u00a0<b>relay_domains<\/b>\u00a0specifies the destinations to which emails should be relayed. We will leave the default value untouched, which points to mydestination. 
Remember that we are setting up a mail server for our LAN.<\/p>\n<pre>relay_domains = $mydestination\r\n<\/pre>\n<p>Note that you can use\u00a0<b>$mydestination<\/b>\u00a0instead of listing the actual contents.<\/p>\n<div id=\"attachment_10344\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Relay-Domains.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10344\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Relay-Domains.png\" alt=\"Configure Relay Domains in Postfix\" width=\"413\" height=\"57\" aria-describedby=\"caption-attachment-10344\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10344\" class=\"wp-caption-text\">Configure Relay Domains<\/p>\n<\/div>\n<p><b>5<\/b>.\u00a0<b>inet_interfaces<\/b>\u00a0defines which network interfaces the mail service should listen on. The default, all, tells Postfix to use all network interfaces.<\/p>\n<pre>inet_interfaces = all\r\n<\/pre>\n<div id=\"attachment_10343\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Network-Interfaces.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10343\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Network-Interfaces.png\" alt=\"Configure Network Interfaces in Postfix\" width=\"343\" height=\"58\" aria-describedby=\"caption-attachment-10343\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10343\" class=\"wp-caption-text\">Configure Network Interfaces<\/p>\n<\/div>\n<p><b>6<\/b>. 
Finally,\u00a0<b>mailbox_size_limit<\/b>\u00a0and\u00a0<b>message_size_limit<\/b>\u00a0will be used to set the size of each user\u2019s mailbox and the maximum allowed size of individual messages, respectively, in bytes.<\/p>\n<pre>mailbox_size_limit = 51200000\r\nmessage_size_limit = 5120000\r\n<\/pre>\n<h3>Restricting Access to the SMTP Server<\/h3>\n<p>The\u00a0<b>Postfix SMTP<\/b>\u00a0server can apply certain restrictions to each client connection request. Not all clients should be allowed to identify themselves to the mail server using the smtp\u00a0<b>HELO<\/b>\u00a0command, and certainly not all of them should be granted access to send or receive messages.<\/p>\n<p>To implement these restrictions, we will use the following directives in the\u00a0<b>main.cf<\/b>\u00a0file. Though they are self-explanatory, comments have been added for clarification purposes.<\/p>\n<pre># Require that a remote SMTP client introduces itself with the HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation.\r\n<b>smtpd_helo_required = yes<\/b>\r\n\r\n# Permit the request when the client IP address matches any network or network address listed in $mynetworks\r\n# Reject the request when the client HELO and EHLO command has a bad hostname syntax\r\n<b>smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname<\/b>\r\n\r\n# Reject the request when Postfix does not represent the final destination for the sender address\r\n<b>smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain<\/b>\r\n\r\n# Reject the request unless 1) Postfix is acting as mail forwarder or 2) is the final destination\r\n<b>smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination<\/b>\r\n<\/pre>\n<p>The Postfix configuration parameters\u00a0<a href=\"http:\/\/www.postfix.org\/postconf.5.html\" target=\"_blank\" rel=\"noopener\">postconf page<\/a>\u00a0may come in handy in order to further explore the available 
options.<\/p>\n<h3>Configuring Dovecot<\/h3>\n<p>Right after installation, Dovecot supports the\u00a0<b>POP3<\/b>\u00a0and\u00a0<b>IMAP<\/b>\u00a0protocols out of the box, along with their secure versions,\u00a0<b>POP3S<\/b>\u00a0and\u00a0<b>IMAPS<\/b>, respectively.<\/p>\n<p>Add the following lines to the\u00a0<b>\/etc\/dovecot\/conf.d\/10-mail.conf<\/b>\u00a0file.<\/p>\n<pre># %u represents the user account that logs in\r\n# Mailboxes are in mbox format\r\n<b>mail_location = mbox:~\/mail:INBOX=\/var\/mail\/%u<\/b>\r\n# Directory owned by the mail group and the directory set to group-writable (mode=0770, group=mail)\r\n# You may need to change this setting if postfix is running as a different user \/ group on your system\r\n<b>mail_privileged_group = mail<\/b>\r\n<\/pre>\n<p>If you check your home directory, you will notice there is a mail subdirectory with the following contents.<\/p>\n<div id=\"attachment_10346\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Dovecot.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10346\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Dovecot.png\" alt=\"Configure Dovecot for Postfix\" width=\"454\" height=\"110\" aria-describedby=\"caption-attachment-10346\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10346\" class=\"wp-caption-text\">Configure Dovecot<\/p>\n<\/div>\n<p>Also, please note that the\u00a0<b>\/var\/mail\/%u<\/b>\u00a0file is where the user\u2019s mail is stored on most systems.<\/p>\n<p>Add the following directive to\u00a0<b>\/etc\/dovecot\/dovecot.conf<\/b>\u00a0(note that imap and pop3 imply imaps and pop3s as well).<\/p>\n<pre>protocols = imap pop3\r\n<\/pre>\n<p>And make sure\u00a0<b>\/etc\/dovecot\/conf.d\/10-ssl.conf<\/b>\u00a0includes the following lines (otherwise, add them).<\/p>\n<pre>ssl_cert = &lt;\/etc\/dovecot\/dovecot.pem\r\nssl_key = 
&lt;\/etc\/dovecot\/private\/dovecot.pem\r\n<\/pre>\n<p>Now let\u2019s restart\u00a0<b>Dovecot<\/b>\u00a0and verify that it listens on the ports related to imap, imaps, pop3, and pop3s.<\/p>\n<pre># netstat -npltu | grep dovecot\r\n<\/pre>\n<div id=\"attachment_10347\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Listening-Ports.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10347\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Listening-Ports-620x147.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Listening-Ports-620x147.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Listening-Ports.png 749w\" alt=\"Check Listening Ports\" width=\"620\" height=\"147\" aria-describedby=\"caption-attachment-10347\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10347\" class=\"wp-caption-text\">Check Listening Ports<\/p>\n<\/div>\n<h3>Setting Up a Mail Client and Sending\/Receiving Mails<\/h3>\n<p>On our client computer, we will open\u00a0<b>Thunderbird<\/b>\u00a0and click on\u00a0<b>File<\/b>\u00a0\u2192\u00a0<b>New<\/b>\u00a0\u2192\u00a0<b>Existing mail account<\/b>. We will be prompted to enter the name of the account and the associated email address, along with its password. 
When we click\u00a0<b>Continue<\/b>, Thunderbird will then try to connect to the mail server in order to verify settings.<\/p>\n<div id=\"attachment_10348\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Mail-Client.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10348\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Mail-Client-620x382.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Mail-Client-620x382.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Configure-Mail-Client.png 634w\" alt=\"Configure Mail Client\" width=\"620\" height=\"382\" aria-describedby=\"caption-attachment-10348\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10348\" class=\"wp-caption-text\">Configure Mail Client<\/p>\n<\/div>\n<p>Repeat the process above for the next account (<b>gacanepa@example.com.ar<\/b>) and the following two inboxes should appear in Thunderbird\u2019s left pane.<\/p>\n<div id=\"attachment_10349\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/User-Mail-Inbox.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10349\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/User-Mail-Inbox.png\" alt=\"User Mail Inbox\" width=\"206\" height=\"88\" aria-describedby=\"caption-attachment-10349\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10349\" class=\"wp-caption-text\">User Mail Inbox<\/p>\n<\/div>\n<p>On our server, we will write an email message to\u00a0<b>sysadmin<\/b>, which is aliased to\u00a0<b>jdoe<\/b>\u00a0and\u00a0<b>gacanepa<\/b>.<\/p>\n<div id=\"attachment_10350\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Send-Mail-from-Commandline.png\"><img 
loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10350\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Send-Mail-from-Commandline.png\" alt=\"Send Mail from Commandline\" width=\"401\" height=\"109\" aria-describedby=\"caption-attachment-10350\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10350\" class=\"wp-caption-text\">Send Mail from Commandline<\/p>\n<\/div>\n<p>The mail log (<b>\/var\/log\/mail.log<\/b>) seems to indicate that the email that was sent to\u00a0<b>sysadmin<\/b>\u00a0was relayed to\u00a0<b>jdoe@example.com.ar<\/b>\u00a0and\u00a0<b>gacanepa@example.com.ar<\/b>, as can be seen in the following image.<\/p>\n<div id=\"attachment_10351\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Mail-Status-Delivery.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10351\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Mail-Status-Delivery-620x91.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Mail-Status-Delivery-620x91.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Check-Mail-Status-Delivery.png 939w\" alt=\"Check Mail Status Delivery\" width=\"620\" height=\"91\" aria-describedby=\"caption-attachment-10351\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10351\" class=\"wp-caption-text\">Check Mail Status Delivery<\/p>\n<\/div>\n<p>We can verify if the mail was actually delivered to our client, where the IMAP accounts were configured in Thunderbird.<\/p>\n<div id=\"attachment_10352\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Verify-Email-Messages.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10352\" 
src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Verify-Email-Messages-620x293.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Verify-Email-Messages-620x293.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Verify-Email-Messages.png 764w\" alt=\"Verify Email Messages\" width=\"620\" height=\"293\" aria-describedby=\"caption-attachment-10352\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10352\" class=\"wp-caption-text\">Verify Email Messages<\/p>\n<\/div>\n<p>Finally, let\u2019s try to send a message from\u00a0<b>jdoe@example.com.ar<\/b>\u00a0to\u00a0<b>gacanepa@example.com.ar<\/b>.<\/p>\n<div id=\"attachment_10353\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Send-Message-to-User.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10353\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2014\/12\/Send-Message-to-User.png\" alt=\"Send Message to User\" width=\"546\" height=\"410\" aria-describedby=\"caption-attachment-10353\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10353\" class=\"wp-caption-text\">Send Message to User<\/p>\n<\/div>\n<p>In the exam you will be asked to work exclusively with command-line utilities. This means you will not be able to install a desktop client application such as\u00a0<strong>Thunderbird<\/strong>, but will be required to use mail instead. We have used Thunderbird in this chapter for illustrative purposes only.<\/p>\n<h3>Conclusion<\/h3>\n<p>In this post we have explained how to set up an\u00a0<b>IMAP<\/b>\u00a0mail server for your local area network and how to restrict access to the\u00a0<b>SMTP<\/b>\u00a0server. 
If you happen to run into an issue while implementing a similar setup in your testing environment, you will want to check the online documentation of\u00a0<a href=\"http:\/\/www.postfix.org\/documentation.html\" target=\"_blank\" rel=\"nofollow noopener\">Postfix<\/a>\u00a0and\u00a0<a href=\"https:\/\/wiki2.dovecot.org\/\" target=\"_blank\" rel=\"nofollow noopener\">Dovecot<\/a>\u00a0(especially the pages about the main configuration files,\u00a0<a href=\"http:\/\/www.postfix.org\/BASIC_CONFIGURATION_README.html\" target=\"_blank\" rel=\"nofollow noopener\">\/etc\/postfix\/main.cf<\/a>\u00a0and\u00a0<a href=\"https:\/\/wiki2.dovecot.org\/#Dovecot_configuration\" target=\"_blank\" rel=\"nofollow noopener\">\/etc\/dovecot\/dovecot.conf<\/a>, respectively), but in any case do not hesitate to contact me using the comment form below. I will be more than glad to help you.<\/p>\n<h1 class=\"post-title\">How To Setup an Iptables Firewall to Enable Remote Access to Services in Linux \u2013 Part 8<\/h1>\n<div id=\"attachment_10462\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Configure-Iptables-Firewall.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10462\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Configure-Iptables-Firewall-620x292.jpg\" alt=\"Configure Linux Iptables Firewall\" width=\"620\" height=\"292\" aria-describedby=\"caption-attachment-10462\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10462\" class=\"wp-caption-text\">Linux Foundation Certified Engineer \u2013 Part 8<\/p>\n<\/div>\n<p>Introducing The Linux Foundation Certification Program<\/p>\n<div class=\"video-container\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/Y29qZ71Kicg\" width=\"640\" height=\"400\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" data-mce-fragment=\"1\"><\/iframe><\/div>\n<p>You will recall from\u00a0<a 
href=\"https:\/\/www.tecmint.com\/installing-network-services-and-configuring-services-at-system-boot\/\" target=\"_blank\" rel=\"noopener\">Part 1 \u2013 About Iptables<\/a>\u00a0of this\u00a0<b>LFCE<\/b>\u00a0(<b>Linux Foundation Certified Engineer\u200b<\/b>) series that we gave a basic description of what a firewall is: a mechanism to manage packets coming into and leaving the network. By \u201cmanage\u201d we actually mean:<\/p>\n<ol>\n<li>To allow or prevent certain packets to enter or leave our network.<\/li>\n<li>To forward other packets from one point of the network to another.<\/li>\n<\/ol>\n<p>based on predetermined criteria.<\/p>\n<p>In this article we will discuss how to implement basic packet filtering and how to configure the firewall with iptables, a frontend to netfilter, which is a native kernel module used for firewalling.<\/p>\n<p>Please note that firewalling is a vast subject and this article is not intended to be a comprehensive guide to understanding all that there is to know about it, but rather as a starting point for a deeper study of this topic. However, we will revisit the subject in\u00a0<b>Part 10<\/b>\u00a0of this series when we explore a few specific use cases of a firewall in Linux.<\/p>\n<p>You can think of a firewall as an international airport where passenger planes come and go almost 24\/7. Based on a number of conditions, such as the validity of a person\u2019s passport, or his \/ her country of origin (to name a few examples) he or she may, or may not, be allowed to enter or leave a certain country.<\/p>\n<p>At the same time, airport officers can instruct people to move from one place of the airport to another if necessary, for example when they need to go through Customs Services.<\/p>\n<p>We may find the airport analogy useful during the rest of this tutorial. 
Just keep in mind the following relations as we proceed:<\/p>\n<ol>\n<li>Persons = Packets<\/li>\n<li>Firewall = Airport<\/li>\n<li>Country #1 = Network #1<\/li>\n<li>Country #2 = Network #2<\/li>\n<li>Airport regulations enforced by officers = firewall rules<\/li>\n<\/ol>\n<h3>Iptables \u2013 The Basics<\/h3>\n<p>At the low level, it is the kernel itself which \u201c<b>decides<\/b>\u201d what to do with packets based on rules grouped in\u00a0<b>chains<\/b>. These chains define what actions should be taken when a packet matches the criteria specified by them.<\/p>\n<p>The first action taken by iptables will consist in deciding what to do with a packet:<\/p>\n<ol>\n<li>Accept it (let it go through into our network)?<\/li>\n<li>Reject it (prevent it from accessing our network)?<\/li>\n<li>Forward it (to another chain)?<\/li>\n<\/ol>\n<p>Just in case you were wondering why this tool is called\u00a0<b>iptables<\/b>, it\u2019s because these chains are organized in tables, with the\u00a0<b>filter table<\/b>\u00a0being the most well known and the one that is used to implement packet filtering with its three default chains:<\/p>\n<p><b>1.<\/b>\u00a0The\u00a0<b>INPUT<\/b>\u00a0chain handles packets coming into the network, which are destined for local programs.<\/p>\n<p><b>2.<\/b>\u00a0The\u00a0<b>OUTPUT<\/b>\u00a0chain is used to analyze packets originated in the local network, which are to be sent to the outside.<\/p>\n<p><b>3.<\/b>\u00a0The\u00a0<b>FORWARD<\/b>\u00a0chain processes the packets which should be forwarded to another destination (as in the case of a router).<\/p>\n<p>For each of these chains there is a default policy, which dictates what should be done by default when packets do not match any of the rules in the chain. 
You can view the rules created for each chain and the default policy by running the following command:<\/p>\n<pre># iptables -L\r\n<\/pre>\n<p>The available policies are as follows:<\/p>\n<ol>\n<li><b>ACCEPT<\/b>\u00a0\u2192 lets the packet through. Any packet that does not match any rules in the chain is allowed into the network.<\/li>\n<li><b>DROP<\/b>\u00a0\u2192 drops the packet quietly. Any packet that does not match any rules in the chain is prevented from entering the network.<\/li>\n<li><b>REJECT<\/b>\u00a0\u2192 rejects the packet and returns an informative message. This one in particular does not work as a default policy. Instead, it is meant to complement packet filtering rules.<\/li>\n<\/ol>\n<div id=\"attachment_10452\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Iptables-Policies.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10452\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Iptables-Policies-620x340.png\" alt=\"Linux Firewall Policies\" width=\"620\" height=\"340\" aria-describedby=\"caption-attachment-10452\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10452\" class=\"wp-caption-text\">Linux Iptables Policies<\/p>\n<\/div>\n<p>When it comes to deciding which policy you will implement, you need to consider the\u00a0<b>pros<\/b>\u00a0and\u00a0<b>cons<\/b>\u00a0of each approach as explained above \u2013 note that there is no one-size-fits-all solution.<\/p>\n<h4>Adding Rules<\/h4>\n<p>To add a rule to the firewall, invoke the iptables command as follows:<\/p>\n<pre># iptables -A chain_name criteria -j target\r\n<\/pre>\n<p>where,<\/p>\n<ol>\n<li><b>-A<\/b>\u00a0stands for Append (append the current rule to the end of the chain).<\/li>\n<li><b>chain_name<\/b>\u00a0is either INPUT, OUTPUT, or FORWARD.<\/li>\n<li><b>target<\/b>\u00a0is the action, or policy, to apply in this case (ACCEPT, REJECT, or 
DROP).<\/li>\n<li><b>criteria<\/b>\u00a0is the set of conditions against which the packets are to be examined. It is composed of at least one (most likely more) of the following flags. Options inside brackets, separated by a vertical bar, are equivalent to each other. The rest represents optional switches:<\/li>\n<\/ol>\n<pre><b>[--protocol | -p] protocol<\/b>: specifies the protocol involved in a rule.\r\n<b>[--source-port | --sport] port:[port]<\/b>: defines the port (or range of ports) where the packet originated.\r\n<b>[--destination-port | --dport] port:[port]<\/b>: defines the port (or range of ports) to which the packet is destined.\r\n<b>[--source | -s] address[\/mask]<\/b>: represents the source address or network\/mask.\r\n<b>[--destination | -d] address[\/mask]<\/b>: represents the destination address or network\/mask.\r\n<b>[--state] state<\/b> (preceded by <b>-m<\/b> state): manage packets depending on their connection state, where state can be NEW, ESTABLISHED, RELATED, or INVALID.\r\n<b>[--in-interface | -i] interface<\/b>: specifies the input interface of the packet.\r\n<b>[--out-interface | -o] interface<\/b>: the output interface.\r\n<b>[--jump | -j] target<\/b>: what to do when the packet matches the rule.\r\n<\/pre>\n<h4>Our Testing Environment<\/h4>\n<p>Let\u2019s put all that together in 3 classic examples, using the following test environment for the first two:<\/p>\n<pre>Firewall: Debian Wheezy 7.5 \r\nHostname: dev2.gabrielcanepa.com\r\nIP Address: 192.168.0.15\r\n<\/pre>\n<pre>Source: CentOS 7 \r\nHostname: dev1.gabrielcanepa.com\r\nIP Address: 192.168.0.17\r\n<\/pre>\n<p>And this one for the last example:<\/p>\n<pre>NFSv4 server and firewall: Debian Wheezy 7.5 \r\nHostname: debian\r\nIP Address: 192.168.0.10\r\n<\/pre>\n<pre>Source: Debian Wheezy 7.5 \r\nHostname: dev2.gabrielcanepa.com\r\nIP Address: 192.168.0.15\r\n<\/pre>\n<h6>EXAMPLE 1: Analyzing the difference between the DROP and REJECT policies<\/h6>\n<p>We will define 
a\u00a0<b>DROP<\/b>\u00a0policy first for input pings to our firewall. That is, icmp packets will be dropped quietly.<\/p>\n<pre># ping -c 3 192.168.0.15\r\n<\/pre>\n<pre># iptables -A INPUT --protocol icmp --in-interface eth0 -j DROP\r\n<\/pre>\n<div id=\"attachment_10453\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Drop-Icmp-in-Firewall.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10453\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Drop-Icmp-in-Firewall-620x172.png\" alt=\"Linux Iptables Block ICMP Ping\" width=\"620\" height=\"172\" aria-describedby=\"caption-attachment-10453\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10453\" class=\"wp-caption-text\">Drop ICMP Ping Request<\/p>\n<\/div>\n<p>Before proceeding with the\u00a0<b>REJECT<\/b>\u00a0part, we will flush all rules from the INPUT chain to make sure our packets will be tested by this new rule:<\/p>\n<pre># iptables -F INPUT\r\n# iptables -A INPUT --protocol icmp --in-interface eth0 -j REJECT\r\n<\/pre>\n<pre># ping -c 3 192.168.0.15\r\n<\/pre>\n<div id=\"attachment_10454\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Reject-Icmp-in-Firewall.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10454\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Reject-Icmp-in-Firewall-620x295.png\" alt=\"Reject ICMP Ping Request in Linux\" width=\"620\" height=\"295\" aria-describedby=\"caption-attachment-10454\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10454\" class=\"wp-caption-text\">Reject ICMP Ping Request in Firewall<\/p>\n<\/div>\n<h6>EXAMPLE 2: Disabling \/ re-enabling ssh logins from dev2 to dev1<\/h6>\n<p>We will be dealing with the\u00a0<b>OUTPUT<\/b>\u00a0chain as we\u2019re handling outgoing traffic:<\/p>\n<pre># iptables -A OUTPUT --protocol 
tcp --destination-port 22 --out-interface eth0 --jump REJECT\r\n<\/pre>\n<div id=\"attachment_10455\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Disable-SSH-Login-in-Firewall.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10455\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Disable-SSH-Login-in-Firewall-620x116.png\" alt=\"Block SSH Login in Linux Firewall\" width=\"620\" height=\"116\" aria-describedby=\"caption-attachment-10455\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10455\" class=\"wp-caption-text\">Block SSH Login in Firewall<\/p>\n<\/div>\n<h6>EXAMPLE 3: Allowing \/ preventing NFS clients (from 192.168.0.0\/24) to mount NFS4 shares<\/h6>\n<p>Run the following commands in the NFSv4 server \/ firewall to close ports 2049 and 111 for all kind of traffic:<\/p>\n<pre># iptables -F\r\n# iptables -A INPUT -i eth0 -s 0\/0 -p tcp --dport 2049 -j REJECT\r\n# iptables -A INPUT -i eth0 -s 0\/0 -p tcp --dport 111 -j REJECT\r\n<\/pre>\n<div id=\"attachment_10456\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Reject-NFS-Ports-in-Firewall.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10456\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Reject-NFS-Ports-in-Firewall-620x202.png\" alt=\"Block NFS Port in Linux Firewall\" width=\"620\" height=\"202\" aria-describedby=\"caption-attachment-10456\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10456\" class=\"wp-caption-text\">Block NFS Ports in Firewall<\/p>\n<\/div>\n<p>Now let\u2019s open those ports and see what happens.<\/p>\n<pre># iptables -A INPUT -i eth0 -s 0\/0 -p tcp --dport 111 -j ACCEPT\r\n# iptables -A INPUT -i eth0 -s 0\/0 -p tcp --dport 2049 -j ACCEPT\r\n<\/pre>\n<div id=\"attachment_10457\" class=\"wp-caption aligncenter\">\n<p><a 
href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Open-NFS-Ports-in-Firewall.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10457\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Open-NFS-Ports-in-Firewall-620x106.png\" alt=\"Open NFS Ports in Firewall\" width=\"620\" height=\"106\" aria-describedby=\"caption-attachment-10457\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10457\" class=\"wp-caption-text\">Open NFS Ports in Firewall<\/p>\n<\/div>\n<p>As you can see, we were able to mount the NFSv4 share after opening the traffic.<\/p>\n<h4>Inserting, Appending and Deleting Rules<\/h4>\n<p>In the previous examples we showed how to append rules to the\u00a0<b>INPUT<\/b>\u00a0and\u00a0<b>OUTPUT<\/b>\u00a0chains. Should we want to insert them instead at a predefined position, we should use the\u00a0<b>-I<\/b>\u00a0(uppercase i) switch instead.<\/p>\n<p>You need to remember that rules will be evaluated one after another, and that the evaluation stops (or jumps) when a\u00a0<b>DROP<\/b>\u00a0or\u00a0<b>ACCEPT<\/b>\u00a0policy is matched. 
For that reason, you may find that you need to move rules up or down in the chain list.<\/p>\n<p>We will use a trivial example to demonstrate this:<\/p>\n<div id=\"attachment_10458\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/List-Iptables-Rules.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10458\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/List-Iptables-Rules-620x137.png\" alt=\"Check Linux Iptables Rules\" width=\"620\" height=\"137\" aria-describedby=\"caption-attachment-10458\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10458\" class=\"wp-caption-text\">Check Rules of Iptables Firewall<\/p>\n<\/div>\n<p>Let\u2019s place the following rule,<\/p>\n<pre># iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT\r\n<\/pre>\n<p>at position 2 in the INPUT chain (thus moving the previous rule #2 to #3):<\/p>\n<div id=\"attachment_10459\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Iptables-Accept-Rule.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10459\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Iptables-Accept-Rule-620x149.png\" alt=\"Linux Iptables Accept Rule\" width=\"620\" height=\"149\" aria-describedby=\"caption-attachment-10459\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10459\" class=\"wp-caption-text\">Iptables Accept Rule<\/p>\n<\/div>\n<p>Using the setup above, traffic will be checked to see whether it\u2019s directed to port\u00a0<b>80<\/b>\u00a0before checking for port\u00a0<b>2049<\/b>.<\/p>\n<p>Alternatively, you can delete a rule and change the target of the remaining rules to\u00a0<b>REJECT<\/b>\u00a0(using the\u00a0<b>-R<\/b>\u00a0switch):<\/p>\n<pre># iptables -D INPUT 1\r\n# iptables -nL -v --line-numbers\r\n# iptables -R INPUT 2 -i eth0 -s 0\/0 -p tcp --dport 2049 -j 
REJECT\r\n# iptables -R INPUT 1 -p tcp --dport 80 -j REJECT\r\n<\/pre>\n<div id=\"attachment_10460\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Iptables-Drop-Rule.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10460\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Iptables-Drop-Rule-620x427.png\" alt=\"Linux Iptables Drop Rule\" width=\"620\" height=\"427\" aria-describedby=\"caption-attachment-10460\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10460\" class=\"wp-caption-text\">Iptables Drop Rule<\/p>\n<\/div>\n<p>Last, but not least, you will need to remember that in order for the firewall rules to be persistent, you will need to save them to a file and then restore them automatically upon boot (using the preferred method of your choice or the one that is available for your distribution).<\/p>\n<p>Saving firewall rules:<\/p>\n<pre># iptables-save &gt; \/etc\/iptables\/rules.v4\t\t[On Ubuntu]\r\n# iptables-save &gt; \/etc\/sysconfig\/iptables\t\t[On CentOS \/ OpenSUSE]\r\n<\/pre>\n<p>Restoring rules:<\/p>\n<pre># iptables-restore &lt; \/etc\/iptables\/rules.v4\t\t[On Ubuntu]\r\n# iptables-restore &lt; \/etc\/sysconfig\/iptables\t\t[On CentOS \/ OpenSUSE]\r\n<\/pre>\n<p>Here we can see a similar procedure (saving and restoring firewall rules by hand) using a dummy file called\u00a0<b>iptables.dump<\/b>\u00a0instead of the default one as shown above.<\/p>\n<pre># iptables-save &gt; iptables.dump\r\n<\/pre>\n<div id=\"attachment_10461\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Dump-Iptables-Rules.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10461\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Dump-Iptables-Rules-620x297.png\" alt=\"Save Iptables Rules in Linux\" width=\"620\" height=\"297\" 
aria-describedby=\"caption-attachment-10461\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10461\" class=\"wp-caption-text\">Dump Linux Iptables<\/p>\n<\/div>\n<p>To make these changes persistent across boots:<\/p>\n<p><b>Ubuntu<\/b>: Install the\u00a0<b>iptables-persistent<\/b>\u00a0package, which will load the rules saved in the\u00a0<b>\/etc\/iptables\/rules.v4<\/b>\u00a0file.<\/p>\n<pre># apt-get install iptables-persistent\r\n<\/pre>\n<p><b>CentOS<\/b>: Add the following 2 lines to\u00a0<b>\/etc\/sysconfig\/iptables-config<\/b>\u00a0file.<\/p>\n<pre>IPTABLES_SAVE_ON_STOP=\"yes\"\r\nIPTABLES_SAVE_ON_RESTART=\"yes\"\r\n<\/pre>\n<p><b>OpenSUSE<\/b>: List allowed ports, protocols, addresses, and so forth (separated by commas) in\u00a0<b>\/etc\/sysconfig\/SuSEfirewall2<\/b>.<\/p>\n<p>For more information refer to the file itself, which is heavily commented.<\/p>\n<h3>Conclusion<\/h3>\n<p>The examples provided in this article, while not covering all the bells and whistles of iptables, serve the purpose of illustrating how to enable and disable traffic incoming or outgoing traffic.<\/p>\n<p>For those of you who are firewall fans, keep in mind that we will revisit this topic with more specific applications in\u00a0<b>Part 10<\/b>\u00a0of this\u00a0<b>LFCE<\/b>\u00a0series.<\/p>\n<p>Feel free to let me know if you have any questions or comments.<\/p>\n<h1 class=\"post-title\">How to Monitor System Usage, Outages and Troubleshoot Linux Servers \u2013 Part 9<\/h1>\n<p>Although Linux is very reliable, wise system administrators should find a way to keep an eye on the system\u2019s behaviour and utilization at all times. Ensuring an uptime as close to\u00a0<b>100%<\/b>\u00a0as possible and the availability of resources are critical needs in many environments. 
Examining the past and current status of the system will allow us to foresee and most likely prevent possible issues.<\/p>\n<div id=\"attachment_10484\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Monitor-Linux-Servers.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10484\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Monitor-Linux-Servers-620x292.jpg\" alt=\"Monitor Linux Servers\" width=\"620\" height=\"292\" aria-describedby=\"caption-attachment-10484\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10484\" class=\"wp-caption-text\">Linux Foundation Certified Engineer \u2013 Part 9<\/p>\n<\/div>\n<p>Introducing The Linux Foundation Certification Program<\/p>\n<div class=\"post-format\">\n<div class=\"video-container\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/Y29qZ71Kicg\" width=\"640\" height=\"405\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" data-mce-fragment=\"1\"><\/iframe><\/div>\n<\/div>\n<p>In this article we will present a list of a few tools that are available in most upstream distributions to check on the system status, analyze outages, and troubleshoot ongoing issues. Specifically, of the myriad of available data, we will focus on CPU, storage space and memory utilization, basic process management, and log analysis.<\/p>\n<h3>Storage Space Utilization<\/h3>\n<p>There are 2 well-known commands in Linux that are used to inspect storage space usage:\u00a0<b>df<\/b>\u00a0and\u00a0<b>du<\/b>.<\/p>\n<p>The first one,\u00a0<b>df<\/b>\u00a0(which stands for disk free), is typically used to report overall disk space usage by file system.<\/p>\n<h6>Example 1: Reporting disk space usage in bytes and human-readable format<\/h6>\n<p>Without options,\u00a0<b>df<\/b>\u00a0reports disk space usage in bytes. With the\u00a0<b>-h<\/b>\u00a0flag it will display the same information using MB or GB instead. 
Note that this report also includes the total size of each file system (in 1-K blocks), the free and available spaces, and the mount point of each storage device.<\/p>\n<pre># df\r\n# df -h\r\n<\/pre>\n<div id=\"attachment_10468\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Disk-Space-Utilization.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10468\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Disk-Space-Utilization-620x146.png\" alt=\"Monitor Linux Disk Space Utilization\" width=\"620\" height=\"146\" aria-describedby=\"caption-attachment-10468\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10468\" class=\"wp-caption-text\">Disk Space Utilization<\/p>\n<\/div>\n<p>That\u2019s certainly nice \u2013 but there\u2019s another limitation that can render a file system unusable, and that is running out of inodes. All files in a file system are mapped to an inode that contains its metadata.<\/p>\n<h6>Example 2: Inspecting inode usage by file system in human-readable format with<\/h6>\n<pre># df -hTi\r\n<\/pre>\n<p>you can see the amount of used and available inodes:<\/p>\n<div id=\"attachment_10470\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Linux-Inode-Disk-Usage.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10470\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Linux-Inode-Disk-Usage.png\" alt=\"Monitor Linux Inode Disk Usage\" width=\"572\" height=\"237\" aria-describedby=\"caption-attachment-10470\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10470\" class=\"wp-caption-text\">Inode Disk Usage<\/p>\n<\/div>\n<p>According to the above image, there are\u00a0<b>146<\/b>\u00a0used inodes (<b>1%<\/b>) in \/home, which means that you can still create 226K files in that file system.<\/p>\n<h6>Example 3: Finding 
and \/ or deleting empty files and directories<\/h6>\n<p>Note that you can run out of storage space long before running out of inodes, and vice-versa. For that reason, you need to monitor not only the storage space utilization but also the number of inodes used per file system.<\/p>\n<p>Use the following commands to find empty files or directories (which occupy 0B) that are using inodes without a reason:<\/p>\n<pre># find  \/home -type f -empty\r\n# find  \/home -type d -empty\r\n<\/pre>\n<p>Also, you can add the\u00a0<b>-delete<\/b>\u00a0flag at the end of each command if you also want to delete those empty files and directories:<\/p>\n<pre># find  \/home -type f -empty -delete\r\n# find  \/home -type d -empty -delete\r\n<\/pre>\n<div id=\"attachment_10471\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Find-Delete-Empty-Files-in-Linux.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10471\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Find-Delete-Empty-Files-in-Linux.png\" alt=\"Find all Empty Files in Linux\" width=\"447\" height=\"145\" aria-describedby=\"caption-attachment-10471\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10471\" class=\"wp-caption-text\">Find and Delete Empty Files in Linux<\/p>\n<\/div>\n<p>The previous procedure deleted 4 files. 
Let\u2019s check the number of used \/ available inodes in \/home again:<\/p>\n<pre># df -hTi | grep home\r\n<\/pre>\n<div id=\"attachment_10472\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Inode-Usage.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10472\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Inode-Usage.png\" alt=\"Check Linux Inode Usage\" width=\"530\" height=\"66\" aria-describedby=\"caption-attachment-10472\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10472\" class=\"wp-caption-text\">Check Linux Inode Usage<\/p>\n<\/div>\n<p>As you can see, there are\u00a0<b>142<\/b>\u00a0used inodes now (4 fewer than before).<\/p>\n<h6>Example 4: Examining disk usage by directory<\/h6>\n<p>If the use of a certain file system is above a predefined percentage, you can use\u00a0<b>du<\/b>\u00a0(short for disk usage) to find out which files are occupying the most space.<\/p>\n<p>The example is given for\u00a0<b>\/var<\/b>, which, as you can see in the first image above, is at 67% usage.<\/p>\n<pre># du -sch \/var\/*\r\n<\/pre>\n<div id=\"attachment_10473\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Disk-Usage-by-Directory.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10473\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Disk-Usage-by-Directory.png\" alt=\"Find Size of all Directories in Linux\" width=\"222\" height=\"292\" aria-describedby=\"caption-attachment-10473\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10473\" class=\"wp-caption-text\">Check Disk Space Usage by Directory<\/p>\n<\/div>\n<p><strong>Note<\/strong>: You can switch to any of the above subdirectories to find out exactly what\u2019s in them and how much each item occupies. 
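<\/p>\n<p>Added example (not code from the article): the check the text recommends, watching block usage and inode usage side by side, in a form a cron job can run. The check_df function and the sample output it is fed are constructed for this example; the input format is the POSIX output of df -P and df -Pi, the same figures the screenshots above show.<\/p>\n
```bash
#!/bin/sh
# Added example, not from the article: alert on file systems whose block
# or inode usage crosses a threshold. The text's point is that either
# one can run out first, so the same function is run over "df -P" and
# over "df -Pi" (POSIX format: one record per line, usage in column 5).

# usage: check_df THRESHOLD_PERCENT LABEL < df-output
#   LABEL ("space" or "inodes") only names the figure in the report.
# Prints one ALERT line per file system at or above the threshold and
# returns 1 if any was printed, 0 otherwise (cron-friendly).
check_df() {
    awk -v thr="$1" -v label="$2" '
        NR == 1 { next }                    # header line
        {
            pct = $5
            sub(/%$/, "", pct)              # "67%" -> 67
            if (pct == "-") next            # e.g. tmpfs shows no inode usage
            if (pct + 0 >= thr + 0) {
                printf "ALERT %s %s at %d%% (%s of %s used) on %s\n",
                       label, $1, pct, $3, $2, $6
                hit = 1
            }
        }
        END { exit (hit ? 1 : 0) }'
}

# Constructed sample in "df -P" format (1K blocks); /var is at 67%,
# as in the article's first screenshot.
SAMPLE_SPACE='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1          8123288  5201448   2502528      67% /var
/dev/sda2         20511356  2311236  17135336      12% /home
tmpfs               506208        0    506208       0% /dev/shm'

# Constructed sample in "df -Pi" format: /home has plenty of free
# blocks but is almost out of inodes, the case df -h alone would miss.
SAMPLE_INODES='Filesystem      Inodes   IUsed   IFree IUse% Mounted on
/dev/sda1       524288   38211  486077    7% /var
/dev/sda2      1310720 1291008   19712   99% /home
tmpfs           126552       1  126551    1% /dev/shm'

# Run both checks on the constructed samples when executed directly.
# On a live system replace the printf with: df -P | check_df 80 space
printf '%s\n' "$SAMPLE_SPACE"  | check_df 60 space  || :
printf '%s\n' "$SAMPLE_INODES" | check_df 90 inodes || :
```
\n<p>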
You can then use that information to either delete some files if they are not needed or extend the size of the logical volume if necessary.<\/p>\n<p><b>Read Also<\/b><\/p>\n<ol>\n<li><a href=\"https:\/\/www.tecmint.com\/how-to-check-disk-space-in-linux\/\" target=\"_blank\" rel=\"noopener\">12 Useful \u201cdf\u201d Commands to Check Disk Space<\/a><\/li>\n<li><a href=\"https:\/\/www.tecmint.com\/check-linux-disk-usage-of-files-and-directories\/\" target=\"_blank\" rel=\"noopener\">10 Useful \u201cdu\u201d Commands to Find Disk Usage of Files and Directories<\/a><\/li>\n<\/ol>\n<h3>Memory and CPU Utilization<\/h3>\n<p>The classic tool in Linux that is used to perform an overall check of CPU \/ memory utilization and process management is the\u00a0<a href=\"https:\/\/www.tecmint.com\/12-top-command-examples-in-linux\/\" target=\"_blank\" rel=\"noopener\">top command<\/a>. In addition, top displays a real-time view of a running system. There are other tools that could be used for the same purpose, such as\u00a0<a href=\"https:\/\/www.tecmint.com\/install-htop-linux-process-monitoring-for-rhel-centos-fedora\/\" target=\"_blank\" rel=\"noopener\">htop<\/a>, but I have settled on top because it is installed out-of-the-box in any Linux distribution.<\/p>\n<h6>Example 5: Displaying a live status of your system with top<\/h6>\n<p>To start top, simply type the following command in your command line, and hit Enter.<\/p>\n<pre># top\r\n<\/pre>\n<p>Let\u2019s examine a typical top output:<\/p>\n<div id=\"attachment_10474\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/List-of-Running-Linux-Processes.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10474\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/List-of-Running-Linux-Processes-620x206.png\" alt=\"Show All Running Processes in Linux \" width=\"620\" height=\"206\" aria-describedby=\"caption-attachment-10474\" 
data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10474\" class=\"wp-caption-text\">List All Running Processes in Linux<\/p>\n<\/div>\n<p>In rows 1 through 5 the following information is displayed:<\/p>\n<p><b>1.<\/b>\u00a0The current time (8:41:32 pm) and uptime (7 hours and 41 minutes). Only one user is logged on to the system, and the load average during the last 1, 5, and 15 minutes, respectively. 0.00, 0.01, and 0.05 indicate that over those time intervals, the system was idle for 0% of the time (0.00: no processes were waiting for the CPU), it then was overloaded by 1% (0.01: an average of 0.01 processes were waiting for the CPU) and 5% (0.05). If less than 0 and the smaller the number (0.65, for example), the system was idle for 35% during the last 1, 5, or 15 minutes, depending where 0.65 appears.<\/p>\n<p><b>2.<\/b>\u00a0Currently there are 121 processes running (you can see the complete listing in 6). Only 1 of them is running (top in this case, as you can see in the %CPU column) and the remaining 120 are waiting in the background but are \u201csleeping\u201d and will remain in that state until we call them. How? You can verify this by opening a mysql prompt and execute a couple of queries. You will notice how the number of running processes increases.<\/p>\n<p>Alternatively, you can open a web browser and navigate to any given page that is being served by Apache and you will get the same result. 
Of course, these examples assume that both services are installed on your server.<\/p>\n<p><b>3.<\/b>\u00a0us (time running user processes with unmodified priority), sy (time running kernel processes), ni (time running user processes with modified priority), wa (time waiting for I\/O completion), hi (time spent servicing hardware interrupts), si (time spent servicing software interrupts), st (time stolen from the current VM by the hypervisor \u2013 only in virtualized environments).<\/p>\n<p><b>4.<\/b>\u00a0Physical memory usage.<\/p>\n<p><b>5.<\/b>\u00a0Swap space usage.<\/p>\n<h6>Example 6: Inspecting physical memory usage<\/h6>\n<p>To inspect RAM and swap usage you can also use the\u00a0<b>free<\/b>\u00a0command.<\/p>\n<pre># free\r\n<\/pre>\n<div id=\"attachment_10475\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Memory-Usage.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10475\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Memory-Usage.png\" alt=\"Linux Check Memory Usage\" width=\"601\" height=\"107\" aria-describedby=\"caption-attachment-10475\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10475\" class=\"wp-caption-text\">Check Linux Memory Usage<\/p>\n<\/div>\n<p>Of course you can also use the\u00a0<b>-m<\/b>\u00a0(MB) or\u00a0<b>-g<\/b>\u00a0(GB) switches to display the same information in human-readable form:<\/p>\n<pre># free -m\r\n<\/pre>\n<div id=\"attachment_10476\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/View-Linux-Memory-Usage.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10476\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/View-Linux-Memory-Usage.png\" alt=\"View Linux Memory Usage\" width=\"604\" height=\"108\" aria-describedby=\"caption-attachment-10476\" data-lazy-loaded=\"true\" 
\/><\/a><\/p>\n<p id=\"caption-attachment-10476\" class=\"wp-caption-text\">View Linux Memory Usage<\/p>\n<\/div>\n<p>Either way, you need to be aware of the fact that the kernel reserves as much memory as possible and makes it available to processes when they request it. Particularly, the \u201c<b>-\/+ buffers\/cache<\/b>\u201d line shows the actual values after this I\/O cache is taken into account.<\/p>\n<p>In other words, the amount of memory used by processes and the amount available to other processes (in this case,\u00a0<b>232 MB<\/b>\u00a0used and\u00a0<b>270 MB<\/b>\u00a0available, respectively). When processes need this memory, the kernel will automatically decrease the size of the I\/O cache.<\/p>\n<p><b>Read Also<\/b>:\u00a0<a href=\"https:\/\/www.tecmint.com\/check-memory-usage-in-linux\/\" target=\"_blank\" rel=\"noopener\">10 Useful \u201cfree\u201d Command to Check Linux Memory Usage<\/a><\/p>\n<h3>Taking a Closer Look at Processes<\/h3>\n<p>At any given time, there are many processes running on our Linux system. There are two tools that we will use to monitor processes closely:\u00a0<b>ps<\/b>\u00a0and\u00a0<b>pstree<\/b>.<\/p>\n<h6>Example 7: Displaying the whole process list in your system with ps (full standard format)<\/h6>\n<p>Using the\u00a0<b>-e<\/b>\u00a0and\u00a0<b>-f<\/b>\u00a0options combined into one (<b>-ef<\/b>) you can list all the processes that are currently running on your system. 
You can pipe this output to other tools, such as\u00a0<b>grep<\/b>\u00a0(as explained in\u00a0<a href=\"https:\/\/www.tecmint.com\/sed-command-to-create-edit-and-manipulate-files-in-linux\/\" target=\"_blank\" rel=\"noopener\">Part 1 of the LFCS series<\/a>) to narrow down the output to your desired process(es):<\/p>\n<pre># ps -ef | grep -i squid | grep -v grep\r\n<\/pre>\n<div id=\"attachment_10477\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Monitor-Linux-Processes.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10477\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Monitor-Linux-Processes.png\" alt=\"Monitoring Processes in Linux\" width=\"576\" height=\"159\" aria-describedby=\"caption-attachment-10477\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10477\" class=\"wp-caption-text\">Monitoring Processes in Linux<\/p>\n<\/div>\n<p>The process listing above shows the following information:<\/p>\n<p>owner of the process, PID, Parent PID (the parent process), processor utilization, time when command started, tty (the ? 
indicates it\u2019s a daemon), the cumulated CPU time, and the command associated with the process.<\/p>\n<h6>Example 8: Customizing and sorting the output of ps<\/h6>\n<p>However, perhaps you don\u2019t need all that information, and would like to show the owner of the process, the command that started it, its PID and PPID, and the percentage of memory it\u2019s currently using \u2013 in that order, sorted by memory use in descending order (note that ps by default is sorted by PID).<\/p>\n<pre># ps -eo user,comm,pid,ppid,%mem --sort -%mem\r\n<\/pre>\n<p>Where the minus sign in front of %mem indicates sorting in descending order.<\/p>\n<div id=\"attachment_10478\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Monitor-Linux-Processes-by-Memory-Utilization.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10478\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Monitor-Linux-Processes-by-Memory-Utilization.png\" alt=\"Monitor Linux Processes by Memory Usage\" width=\"489\" height=\"321\" aria-describedby=\"caption-attachment-10478\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10478\" class=\"wp-caption-text\">Monitor Linux Process Memory Usage<\/p>\n<\/div>\n<p>If for some reason a process starts taking too many system resources and is likely to jeopardize the overall functionality of the system, you will want to stop or pause its execution by sending it one of the following signals with the\u00a0<a href=\"https:\/\/www.tecmint.com\/how-to-kill-a-process-in-linux\/\" target=\"_blank\" rel=\"noopener\">kill<\/a>\u00a0program. 
Another reason to do this is when you have started a process in the foreground but want to pause it and resume it in the background.<\/p>\n<table border=\"0\" cellspacing=\"0\">\n<tbody>\n<tr>\n<td align=\"center\" bgcolor=\"#999999\" height=\"18\"><b>Signal name<\/b><\/td>\n<td align=\"center\" bgcolor=\"#999999\"><b>Signal number<\/b><\/td>\n<td align=\"center\" bgcolor=\"#999999\"><b>Description<\/b><\/td>\n<\/tr>\n<tr class=\"alt\">\n<td align=\"left\" height=\"18\">\u00a0SIGTERM<\/td>\n<td>15<\/td>\n<td align=\"left\">\u00a0Kill the process gracefully.<\/td>\n<\/tr>\n<tr>\n<td align=\"left\" height=\"18\">\u00a0SIGINT<\/td>\n<td>2<\/td>\n<td align=\"left\">\u00a0This is the signal that is sent when we press Ctrl + C. It aims to interrupt the process, but the process may ignore it.<\/td>\n<\/tr>\n<tr class=\"alt\">\n<td align=\"left\" height=\"18\">\u00a0SIGKILL<\/td>\n<td>9<\/td>\n<td align=\"left\">\u00a0This signal also interrupts the process but it does so unconditionally (use with care!) since a process cannot ignore it.<\/td>\n<\/tr>\n<tr>\n<td align=\"left\" height=\"20\">\u00a0SIGHUP<\/td>\n<td>1<\/td>\n<td align=\"left\">\u00a0Short for \u201cHang UP\u201d, this signal instructs daemons to reread their configuration file without actually stopping the process.<\/td>\n<\/tr>\n<tr class=\"alt\">\n<td align=\"left\" height=\"18\">\u00a0SIGTSTP<\/td>\n<td>20<\/td>\n<td align=\"left\">\u00a0Pause execution and wait, ready to continue. 
This is the signal that is sent when we type the Ctrl + Z key combination.<\/td>\n<\/tr>\n<tr>\n<td align=\"left\" height=\"18\">\u00a0SIGSTOP<\/td>\n<td>19<\/td>\n<td align=\"left\">\u00a0The process is paused and doesn\u2019t get any more attention from the CPU cycles until it is restarted.<\/td>\n<\/tr>\n<tr class=\"alt\">\n<td align=\"left\" height=\"20\">\u00a0SIGCONT<\/td>\n<td>18<\/td>\n<td align=\"left\">\u00a0This signal tells the process to resume execution after having received either SIGTSTP or SIGSTOP. This is the signal that is sent by the shell when we use the fg or bg commands.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h6>Example 9: Pausing the execution of a running process and resuming it in the background<\/h6>\n<p>When the normal execution of a certain process implies that no output will be sent to the screen while it\u2019s running, you may want to either start it in the background (appending an ampersand at the end of the command).<\/p>\n<pre>process_name &amp;\r\n<\/pre>\n<p>or,<br \/>\nOnce it has started running in the foreground, pause it and send it to the background with<\/p>\n<pre>Ctrl + Z\r\n<\/pre>\n<pre># kill -18 PID\r\n<\/pre>\n<div id=\"attachment_10479\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Kill-Running-Linux-Process.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10479\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Kill-Running-Linux-Process-620x164.png\" alt=\"Terminate Process in Linux\" width=\"620\" height=\"164\" aria-describedby=\"caption-attachment-10479\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10479\" class=\"wp-caption-text\">Kill Process in Linux<\/p>\n<\/div>\n<h6>Example 10: Killing by force a process \u201cgone wild\u201d<\/h6>\n<p>Please note that each distribution provides tools to gracefully stop \/ start \/ restart \/ reload common services, such 
as\u00a0<b>service<\/b>\u00a0in SysV-based systems or\u00a0<b>systemctl<\/b>\u00a0in systemd-based systems.<\/p>\n<p>If a process does not respond to those utilities, you can kill it by force by sending it the SIGKILL signal.<\/p>\n<pre># ps -ef | grep apache\r\n# kill -9 3821\r\n<\/pre>\n<div id=\"attachment_10480\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Kill-Linux-Process-Forcefully.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10480\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Kill-Linux-Process-Forcefully-620x197.png\" alt=\"Forcefully Kill Linux Process\" width=\"620\" height=\"197\" aria-describedby=\"caption-attachment-10480\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10480\" class=\"wp-caption-text\">Forcefully Kill Linux Process<\/p>\n<\/div>\n<h3>So.. What Happened \/ Is Happening?<\/h3>\n<p>When there has been any kind of outage in the system (be it a power outage, a hardware failure, a planned or unplanned interruption of a process, or any abnormality at all), the logs in\u00a0<b>\/var\/log<\/b>\u00a0are your best friends to determine what happened or what could be causing the issues you\u2019re facing.<\/p>\n<pre># cd \/var\/log\r\n<\/pre>\n<div id=\"attachment_10481\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/View-Linux-Logs.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10481\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/View-Linux-Logs-620x64.png\" alt=\"Monitor Linux Log Files\" width=\"620\" height=\"64\" aria-describedby=\"caption-attachment-10481\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10481\" class=\"wp-caption-text\">View Linux Logs<\/p>\n<\/div>\n<p>Some of the items in\u00a0<b>\/var\/log<\/b>\u00a0are regular text files, others are directories, and yet 
others are compressed files of rotated (historical) logs. You will want to check those with the word error in their name, but inspecting the rest can come in handy as well.<\/p>\n<h6>Example 11: Examining logs for errors in processes<\/h6>\n<p>Picture this scenario. Your LAN clients are unable to print to network printers. The first step to troubleshoot this situation is to go to the\u00a0<b>\/var\/log\/cups<\/b>\u00a0directory and see what\u2019s in there.<\/p>\n<p>You can use the\u00a0<b>tail<\/b>\u00a0command to display the last 10 lines of the error_log file, or\u00a0<b>tail -f error_log<\/b>\u00a0for a real-time view of the log.<\/p>\n<pre># cd \/var\/log\/cups\r\n# ls\r\n# tail error_log\r\n<\/pre>\n<div id=\"attachment_10482\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Monitor-Linux-Logs-in-Real-Time.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10482\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Monitor-Linux-Logs-in-Real-Time-620x245.jpg\" alt=\"Linux View Logfile In Real Time\" width=\"620\" height=\"245\" aria-describedby=\"caption-attachment-10482\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10482\" class=\"wp-caption-text\">Monitor Log Files in Real Time<\/p>\n<\/div>\n<p>The above screenshot provides some helpful information to understand what could be causing your issue. 
Note that following the steps or correcting the malfunctioning of the process still may not solve the overall problem, but if you get used, right from the start, to checking the logs every time a problem arises (be it a local or a network one) you\u2019ll definitely be on the right track.<\/p>\n<h6>Example 12: Examining the logs for hardware failures<\/h6>\n<p>Although hardware failures can be tricky to troubleshoot, you should check the\u00a0<b>dmesg<\/b>\u00a0and messages logs and grep for words related to the hardware part presumed faulty.<\/p>\n<p>The image below is taken from\u00a0<b>\/var\/log\/messages<\/b>\u00a0after looking for the word error using the following command:<\/p>\n<pre># less \/var\/log\/messages | grep -i error\r\n<\/pre>\n<p>We can see that we\u2019re having a problem with two storage devices:\u00a0<b>\/dev\/sdb<\/b>\u00a0and\u00a0<b>\/dev\/sdc<\/b>, which in turn cause an issue with the RAID array.<\/p>\n<div id=\"attachment_10483\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Troubleshooting-Problems-in-Linux.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10483\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Troubleshooting-Problems-in-Linux-620x112.png\" alt=\"Troubleshoot Linux Server\" width=\"620\" height=\"112\" aria-describedby=\"caption-attachment-10483\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10483\" class=\"wp-caption-text\">Troubleshooting Linux Problems<\/p>\n<\/div>\n<h3>Conclusion<\/h3>\n<p>In this article we have explored some of the tools that can help you to always be aware of your system\u2019s overall status. In addition, you need to make sure that your operating system and installed packages are updated to their latest stable versions. And never, ever, forget to check the logs! 
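<\/p>\n<p>Added example (not code from the article): the grep -i error pass over \/var\/log\/messages from Example 12, extended into a summary of which block devices the kernel complained about plus a yes\/no check for a degraded RAID array, so the \/dev\/sdb and \/dev\/sdc situation above shows up as two lines instead of a screenful. The function names and the log excerpt are constructed for this example; the excerpt is not a real log.<\/p>\n
```bash
#!/bin/sh
# Added example, not from the article: the "grep -i error" pass over
# /var/log/messages (Example 12) turned into a per-disk error summary and
# a RAID degradation check. Both functions read syslog-style lines on
# stdin, so they work on a real file (disk_error_summary < /var/log/messages)
# as well as on the constructed sample below.

# Prints "DEVICE COUNT" for every disk named in an error line, most
# errors first, so the failing member(s) of an array stand out.
disk_error_summary() {
    awk '
        tolower($0) !~ /error/ { next }      # same filter as grep -i error
        {
            # kernel disk messages name the device as "[sdb]", "dev sdb"
            # or "device sdb"; an error line without one is not a disk error
            if (!match($0, /(\[|dev |device )sd[a-z]+\]?/)) next
            dev = substr($0, RSTART, RLENGTH)
            gsub(/^(\[|dev |device )|\]$/, "", dev)
            count[dev]++
        }
        END { for (d in count) print d, count[d] }' |
    sort -k2,2nr -k1,1
}

# Returns 0 (true) if md reported a disk failure or a degraded array.
raid_degraded() {
    grep -qiE 'md/raid[0-9]+:.*(disk failure|degraded)'
}

# Constructed /var/log/messages excerpt (not a real log): two failing
# disks that, as in the article, take the RAID array down with them.
SAMPLE_MESSAGES='Jan 10 08:41:02 lfce kernel: sd 2:0:0:0: [sdb] Unhandled error code
Jan 10 08:41:02 lfce kernel: sd 2:0:0:0: [sdb] Result: hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK
Jan 10 08:41:02 lfce kernel: end_request: I/O error, dev sdb, sector 2048
Jan 10 08:41:02 lfce kernel: Buffer I/O error on device sdb, logical block 256
Jan 10 08:41:03 lfce kernel: sd 3:0:0:0: [sdc] Unhandled error code
Jan 10 08:41:03 lfce kernel: end_request: I/O error, dev sdc, sector 4096
Jan 10 08:41:03 lfce kernel: md/raid1:md0: Disk failure on sdc, disabling device.
Jan 10 08:41:05 lfce sshd[1203]: Accepted publickey for admin from 192.168.0.17 port 50122
Jan 10 08:41:09 lfce cupsd[882]: Unable to open listen socket for address [v1.::1]:631 - Address family not supported.'

# Demo on the constructed sample when run directly.
printf '%s\n' "$SAMPLE_MESSAGES" | disk_error_summary
if printf '%s\n' "$SAMPLE_MESSAGES" | raid_degraded; then
    echo "RAID array reported degraded: check the disks listed above"
fi
```
\n<p>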
Then you will be headed in the right direction to find the definitive solution to any issues.<\/p>\n<p>Feel free to leave your comments, suggestions, or questions -if you have any- using the form below.<\/p>\n<h1 class=\"post-title\">How to Turn a Linux Server into a Router to Handle Traffic Statically and Dynamically \u2013 Part 10<\/h1>\n<p>As we have anticipated in previous tutorials of this\u00a0<b>LFCE<\/b>\u00a0(<b>Linux Foundation Certified Engineer<\/b>) series, in this article we will discuss the routing of IP traffic statically and dynamically with specific applications.<\/p>\n<div id=\"attachment_10887\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Configure-Linux-as-Router.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10887\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Configure-Linux-as-Router-620x293.jpg\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Configure-Linux-as-Router-620x293.jpg 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Configure-Linux-as-Router-520x245.jpg 520w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Configure-Linux-as-Router.jpg 720w\" alt=\"Configure Linux as Router\" width=\"620\" height=\"293\" aria-describedby=\"caption-attachment-10887\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10887\" class=\"wp-caption-text\">Linux Foundation Certified Engineer \u2013 Part 10<\/p>\n<\/div>\n<h5>Introducing The Linux Foundation Certification Program<\/h5>\n<div class=\"post-format\">\n<div class=\"video-container\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/Y29qZ71Kicg\" width=\"640\" height=\"405\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" data-mce-fragment=\"1\"><\/iframe><\/div>\n<\/div>\n<p>First things first, let\u2019s get some definitions straight:<\/p>\n<ol>\n<li>In 
simple words, a\u00a0<b>packet<\/b>\u00a0is the basic unit that is used to transmit information within a network. Networks that use TCP\/IP as network protocol follow the same rules for transmission of data: the actual information is split into packets that are made of both data and the address where it should be sent to.<\/li>\n<li><b>Routing<\/b>\u00a0is the process of \u201c<b>guiding<\/b>\u201d the data from source to destination inside a network.<\/li>\n<li><b>Static routing<\/b>\u00a0requires a manually-configured set of rules defined in a routing table. These rules are fixed and are used to define the way a packet must go through as it travels from one machine to another.<\/li>\n<li><b>Dynamic routing<\/b>, or\u00a0<b>smart routing<\/b>\u00a0(if you wish), means that the system can alter automatically, as needed, the route that a packet follows.<\/li>\n<\/ol>\n<h3>Advanced IP and Network Device Configuration<\/h3>\n<p>The\u00a0<b>iproute<\/b>\u00a0package provides a set of tools to manage networking and traffic control that we will use throughout this article as they represent the replacement of legacy tools such as\u00a0<a href=\"https:\/\/www.tecmint.com\/ifconfig-command-examples\/\" target=\"_blank\" rel=\"noopener\">ifconfig<\/a>\u00a0and\u00a0<b>route<\/b>.<\/p>\n<p>The central utility in the\u00a0<b>iproute<\/b>\u00a0suite is called simply ip. Its basic syntax is as follows:<\/p>\n<pre># ip object command\r\n<\/pre>\n<p>Where\u00a0<b>object<\/b>\u00a0can be only one of the following (only the most frequent objects are shown \u2013 you can refer to man\u00a0<b>ip<\/b>\u00a0for a complete list):<\/p>\n<ol>\n<li><b>link<\/b>: network device.<\/li>\n<li><b>addr<\/b>: protocol (IP or IPv6) address on a device.<\/li>\n<li><b>route<\/b>: routing table entry.<\/li>\n<li><b>rule<\/b>: rule in routing policy database.<\/li>\n<\/ol>\n<p>Whereas\u00a0<b>command<\/b>\u00a0represents a specific action that can be performed on object. 
You can run the following command to display the complete list of commands that can be applied to a particular object:<\/p>\n<pre># ip object help\r\n<\/pre>\n<p>For example,<\/p>\n<pre># ip link help\r\n<\/pre>\n<div id=\"attachment_10874\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/ip-command.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10874\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/ip-command.png\" alt=\"IP Command Help\" width=\"557\" height=\"307\" aria-describedby=\"caption-attachment-10874\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10874\" class=\"wp-caption-text\">IP Command Help<\/p>\n<\/div>\n<p>The above image shows, for example, that you can change the status of a network interface with the following command:<\/p>\n<pre># ip link set interface {up | down}\r\n<\/pre>\n<p>For more examples of the \u2018<b>ip<\/b>\u2019 command, read\u00a0<a href=\"https:\/\/www.tecmint.com\/ip-command-examples\/\" target=\"_blank\" rel=\"noopener\">10 Useful \u2018ip\u2019 Commands to Configure IP Address<\/a><\/p>\n<h6>Example 1: Disabling and enabling a network interface<\/h6>\n<p>In this example, we will disable and enable\u00a0<b>eth1<\/b>:<\/p>\n<pre># ip link show\r\n# ip link set eth1 down\r\n# ip link show\r\n<\/pre>\n<div id=\"attachment_10875\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Disable-eth0-Interface.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10875\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Disable-eth0-Interface-620x361.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Disable-eth0-Interface-620x361.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Disable-eth0-Interface.png 644w\" alt=\"Disable eth0 
Interface in Linux\" width=\"620\" height=\"361\" aria-describedby=\"caption-attachment-10875\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10875\" class=\"wp-caption-text\">Disable eth0 Interface<\/p>\n<\/div>\n<p>If you want to re-enable eth1,<\/p>\n<pre># ip link set eth1 up\r\n<\/pre>\n<p>Instead of displaying all the network interfaces, we can specify one of them:<\/p>\n<pre># ip link show eth1\r\n<\/pre>\n<p>Which will return all the information for eth1.<\/p>\n<h6>Example 2: Displaying the main routing table<\/h6>\n<p>You can view your current main routing table with either of the following 3 commands:<\/p>\n<pre># ip route show\r\n# route -n\r\n# netstat -rn\r\n<\/pre>\n<div id=\"attachment_10876\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Linux-Route-Table.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10876\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Linux-Route-Table-620x237.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Linux-Route-Table-620x237.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Linux-Route-Table.png 635w\" alt=\"Check route in Linux\" width=\"620\" height=\"237\" aria-describedby=\"caption-attachment-10876\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10876\" class=\"wp-caption-text\">Check Linux Route Table<\/p>\n<\/div>\n<p>The first column in the output of the three commands indicates the target network. 
The output of\u00a0<b>ip route<\/b>\u00a0show (following the keyword\u00a0<b>dev<\/b>) also presents the network devices that serve as physical gateway to those networks.<\/p>\n<p>Although nowadays the\u00a0<b>ip command<\/b>\u00a0is preferred over route, you can still refer to man\u00a0<b>ip-route<\/b>\u00a0and\u00a0<b>man route<\/b>\u00a0for a detailed explanation of the rest of the columns.<\/p>\n<h6>Example 3: Using a Linux server to route packets between two private networks<\/h6>\n<p>We want to route\u00a0<b>icmp<\/b>\u00a0(ping) packets from dev2 to dev4 and the other way around as well (note that both client machines are on different networks). The name of each NIC, along with its corresponding IPv4 address, is given inside square brackets.<\/p>\n<p>Our test environment is as follows:<\/p>\n<pre><b>Client 1<\/b>: CentOS 7 [enp0s3: 192.168.0.17\/24] - dev1\r\n<b>Router<\/b>: Debian Wheezy 7.7 [eth0: 192.168.0.15\/24, eth1: 10.0.0.15\/24] - dev2\r\n<b>Client 2<\/b>: openSUSE 13.2 [enp0s3: 10.0.0.18\/24] - dev4\r\n<\/pre>\n<p>Let\u2019s view the routing table in dev1 (CentOS box):<\/p>\n<pre># ip route show\r\n<\/pre>\n<p>and then modify it in order to use its\u00a0<b>enp0s3<\/b>\u00a0NIC and the connection to 192.168.0.15 to access hosts in the 10.0.0.0\/24 network:<\/p>\n<pre># ip route add 10.0.0.0\/24 via 192.168.0.15 dev enp0s3\r\n<\/pre>\n<p>Which essentially reads, \u201cAdd a route to the 10.0.0.0\/24 network through the enp0s3 network interface using 192.168.0.15 as gateway\u201d.<\/p>\n<div id=\"attachment_10877\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Route-Network-in-Linux.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10877\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Route-Network-in-Linux-620x319.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" 
srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Route-Network-in-Linux-620x319.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Route-Network-in-Linux.png 644w\" alt=\"Route Network in Linux\" width=\"620\" height=\"319\" aria-describedby=\"caption-attachment-10877\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10877\" class=\"wp-caption-text\">Route Network in Linux<\/p>\n<\/div>\n<p>Likewise in dev4 (openSUSE box) to ping hosts in the 192.168.0.0\/24 network:<\/p>\n<pre># ip route add 192.168.0.0\/24 via 10.0.0.15 dev enp0s3\r\n<\/pre>\n<div id=\"attachment_10878\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Network-Routing-in-Linux.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10878\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Network-Routing-in-Linux-620x234.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Network-Routing-in-Linux-620x234.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Network-Routing-in-Linux.png 641w\" alt=\"Network Routing in Linux\" width=\"620\" height=\"234\" aria-describedby=\"caption-attachment-10878\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10878\" class=\"wp-caption-text\">Network Routing in Linux<\/p>\n<\/div>\n<p>Finally, we need to enable forwarding in our Debian router:<\/p>\n<pre># echo 1 &gt; \/proc\/sys\/net\/ipv4\/ip_forward\r\n<\/pre>\n<p>Now let\u2019s ping:<\/p>\n<div id=\"attachment_10879\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Network-Routing.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10879\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Network-Routing.png\" alt=\"Check Network Routing\" width=\"581\" 
height=\"154\" aria-describedby=\"caption-attachment-10879\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10879\" class=\"wp-caption-text\">Check Network Routing<\/p>\n<\/div>\n<p>and,<\/p>\n<div id=\"attachment_10880\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Confirm-Network-Routing.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10880\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Confirm-Network-Routing.png\" alt=\"Route Ping Status\" width=\"513\" height=\"152\" aria-describedby=\"caption-attachment-10880\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10880\" class=\"wp-caption-text\">Route Ping Status<\/p>\n<\/div>\n<p>To make these settings persistent across boots, edit\u00a0<b>\/etc\/sysctl.conf<\/b>\u00a0on the router and make sure the\u00a0<b>net.ipv4.ip_forward<\/b>\u00a0variable is set to 1 as follows (run\u00a0<b>sysctl -p<\/b>\u00a0afterwards to apply the file without rebooting):<\/p>\n<pre>net.ipv4.ip_forward = 1\r\n<\/pre>\n<p>In addition, configure the NICs on both clients (look for the configuration file within\u00a0<b>\/etc\/sysconfig\/network<\/b>\u00a0on openSUSE and\u00a0<b>\/etc\/sysconfig\/network-scripts<\/b>\u00a0on CentOS \u2013 in both cases it\u2019s called\u00a0<b>ifcfg-enp0s3<\/b>).<\/p>\n<p>Here\u2019s the configuration file from the openSUSE box:<\/p>\n<pre>BOOTPROTO=static\r\nBROADCAST=10.0.0.255\r\nIPADDR=10.0.0.18\r\nNETMASK=255.255.255.0\r\nGATEWAY=10.0.0.15\r\nNAME=enp0s3\r\nNETWORK=10.0.0.0\r\nONBOOT=yes\r\n<\/pre>\n<p>Note that openSUSE reads static routes, including the default gateway, from\u00a0<b>\/etc\/sysconfig\/network\/routes<\/b>\u00a0(or from a per-interface\u00a0<b>ifroute-enp0s3<\/b>\u00a0file) rather than from a\u00a0<b>GATEWAY<\/b>\u00a0line, which is the CentOS syntax; after a reboot, check with\u00a0<b>ip route show<\/b>\u00a0that the gateway is actually in place.<\/p>\n<h6>Example 4: Using a Linux server to route packets between a private network and the Internet<\/h6>\n<p>Another scenario where a Linux machine can be used as a router is when you need to share your Internet connection with a private LAN.<\/p>\n<pre><b>Router<\/b>: Debian Wheezy 7.7 [eth0: Public IP, eth1: 10.0.0.15\/24] - dev2\r\n<b>Client<\/b>: openSUSE 13.2 [enp0s3: 10.0.0.18\/24] - dev4\r\n<\/pre>\n<p>In addition to setting up packet 
forwarding and the static routing table in the client as in the previous example, we need to add a few iptables rules in the router:<\/p>\n<pre># iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\r\n# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT\r\n# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT\r\n<\/pre>\n<p>The first command adds a rule to the\u00a0<b>POSTROUTING<\/b>\u00a0chain in the nat (Network Address Translation) table that applies to every packet leaving through the eth0 NIC.<\/p>\n<p><b>MASQUERADE<\/b>\u00a0is source NAT for an interface whose address may change (a dynamic public IP): before the packet is sent out to the \u201c<b>wild wild world<\/b>\u201d of the Internet, its private source address is replaced with whatever public IP eth0 currently has. If the public address is static, the SNAT target with a fixed source address does the same job.<\/p>\n<p>In a LAN with many hosts, the router keeps track of established connections in\u00a0<b>\/proc\/net\/ip_conntrack<\/b>\u00a0(on newer kernels\u00a0<b>\/proc\/net\/nf_conntrack<\/b>, or the output of\u00a0<b>conntrack -L<\/b>\u00a0from conntrack-tools) so it knows which internal host a response from the Internet belongs to.<\/p>\n<p>Only part of the output of:<\/p>\n<pre># cat \/proc\/net\/ip_conntrack\r\n<\/pre>\n<p>is shown in the following screenshot.<\/p>\n<div id=\"attachment_10881\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Route-Packages-in-Linux.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10881\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Route-Packages-in-Linux.png\" alt=\"Route Packages in Linux\" width=\"507\" height=\"23\" aria-describedby=\"caption-attachment-10881\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10881\" class=\"wp-caption-text\">Route Packages in Linux<\/p>\n<\/div>\n<p>The highlighted entry shows the origin (private IP of the openSUSE box) and destination (Google DNS) of the tracked connection. 
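The conntrack entry is what lets MASQUERADE deliver a reply to the right private host, but the more important question for a router exposed to the Internet is what the FORWARD chain does with a packet that none of the three rules above matches. The following Python, added here as an example and not taken from the original article or from iptables, models the Debian router of Examples 3 and 4: a longest-prefix route lookup over its routing table, the ip_forward switch, the two FORWARD rules followed by the chain policy, and the conntrack mapping that MASQUERADE records. The public address 203.0.113.15, the upstream gateway 192.168.0.1 and the source-port range handed out by MASQUERADE are assumptions of the model.

```python
import ipaddress

# Added example (not from the original article): a small model of the Debian router
# in Examples 3 and 4: kernel route lookup, the ip_forward switch, the three iptables
# rules shown above and the conntrack mapping MASQUERADE relies on.
# Addresses from the article: eth1 10.0.0.15/24 facing the LAN, client 10.0.0.18.
# Assumptions of the model: eth0 holds the public address 203.0.113.15, the upstream
# gateway is 192.168.0.1, and MASQUERADE hands out source ports from 40000 upwards.
PUBLIC_IP = "203.0.113.15"

# Router's kernel routing table: (prefix, outgoing device, gateway or None for on-link).
ROUTES = [
    ("10.0.0.0/24", "eth1", None),
    ("192.168.0.0/24", "eth0", None),
    ("0.0.0.0/0", "eth0", "192.168.0.1"),
]


def lookup_route(dst):
    """Longest-prefix match over ROUTES, the way the kernel chooses a route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return None if best is None else (best[1], best[2])


def flow(p):
    return (p["src"], p["sport"], p["dst"], p["dport"])


class Router:
    def __init__(self, ip_forward=1, forward_policy="ACCEPT"):
        self.ip_forward = ip_forward      # /proc/sys/net/ipv4/ip_forward
        self.policy = forward_policy      # iptables -P FORWARD ...; the kernel default is ACCEPT
        self.nat = {}      # original flow -> (PUBLIC_IP, nat_port) for masqueraded flows
        self.reply = {}    # flow as seen in the reply -> (private src, private sport)
        self.next_port = 40000

    def _established(self, p):
        src, sport, dst, dport = flow(p)
        return flow(p) in self.nat or (dst, dport, src, sport) in self.nat

    def _forward_chain(self, p, out_dev):
        """The two FORWARD rules from the article, then the chain policy."""
        in_dev = p["in_dev"]
        # iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
        if in_dev == "eth0" and out_dev == "eth1" and self._established(p):
            return "ACCEPT"
        # iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
        if in_dev == "eth1" and out_dev == "eth0":
            return "ACCEPT"
        return self.policy   # no rule matched: the chain policy decides

    def handle(self, pkt):
        """Push one packet through the router; return (verdict, packet as it leaves)."""
        p = dict(pkt)
        # nat PREROUTING: a reply to a masqueraded flow gets its private destination
        # restored from the conntrack table before the routing decision.
        private = self.reply.get(flow(p))
        if private:
            p["dst"], p["dport"] = private
        if not self.ip_forward:
            return "NOT_FORWARDED", p   # with ip_forward=0 transit packets are silently dropped
        route = lookup_route(p["dst"])
        if route is None:
            return "NO_ROUTE", p
        out_dev, _gateway = route
        verdict = self._forward_chain(p, out_dev)
        if verdict != "ACCEPT":
            return verdict, p
        # nat POSTROUTING: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        if out_dev == "eth0":
            key = flow(p)
            if key not in self.nat:
                self.nat[key] = (PUBLIC_IP, self.next_port)
                self.reply[(p["dst"], p["dport"], PUBLIC_IP, self.next_port)] = (p["src"], p["sport"])
                self.next_port += 1
            p["src"], p["sport"] = self.nat[key]
        return "ACCEPT", p


def scenario(forward_policy):
    """LAN host -> Internet, the reply to it, and an unsolicited probe from the Internet."""
    r = Router(ip_forward=1, forward_policy=forward_policy)
    out = {"src": "10.0.0.18", "sport": 34567, "dst": "8.8.8.8", "dport": 53, "in_dev": "eth1"}
    v_out, sent = r.handle(out)
    back = {"src": "8.8.8.8", "sport": 53, "dst": sent["src"], "dport": sent["sport"], "in_dev": "eth0"}
    v_back, _ = r.handle(back)
    probe = {"src": "198.51.100.7", "sport": 4444, "dst": "10.0.0.18", "dport": 22, "in_dev": "eth0"}
    v_probe, _ = r.handle(probe)
    return {"out": v_out, "nat_src": sent["src"], "reply": v_back, "probe": v_probe}


if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        print(f"FORWARD policy {policy}: {scenario(policy)}")
```

Running it prints the verdicts for both chain policies: with the kernel default ACCEPT, the unsolicited probe from 198.51.100.7 to port 22 of the openSUSE box is forwarded just like the legitimate reply, and only with the policy set to DROP does the established-only rule actually restrict inbound traffic.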
The entry in the screenshot was produced by running:<\/p>\n<pre># curl www.tecmint.com\r\n<\/pre>\n<p>on the openSUSE box.<\/p>\n<p>As you can probably guess, the openSUSE box resolves names through Google\u2019s 8.8.8.8 nameserver, which explains why the destination of that outgoing packet is that address: the name lookup for www.tecmint.com went out before the HTTP request did.<\/p>\n<p><strong>Note<\/strong>: Incoming packets from the Internet are accepted by rule #2 only if they belong to an already established connection, while outgoing packets are allowed \u201c<b>free exit<\/b>\u201d by rule #3. Be aware, though, that these two rules only restrict anything if nothing else accepts the remaining traffic: the kernel\u2019s default policy for the FORWARD chain is ACCEPT, so unless you set the chain policy to DROP (<b>iptables -P FORWARD DROP<\/b>) or append a final DROP rule, an unsolicited packet that reaches eth0 addressed to a host on the 10.0.0.0\/24 network is forwarded just the same. Check with\u00a0<b>iptables -L FORWARD -v<\/b>\u00a0that the policy line reads DROP before relying on this setup.<\/p>\n<p>Don\u2019t forget to make your iptables rules persistent following the steps outlined in\u00a0<a href=\"https:\/\/www.tecmint.com\/configure-iptables-firewall\/\" target=\"_blank\" rel=\"noopener\">Part 8 \u2013 Configure Iptables Firewall<\/a>\u00a0of this series.<\/p>\n<h3>Dynamic Routing with Quagga<\/h3>\n<p>At the time of writing, the tool most used for dynamic routing in Linux is\u00a0<b>quagga<\/b>\u00a0(its actively maintained fork, FRRouting, keeps the same configuration syntax). It allows system administrators to implement, with a relatively low-cost Linux server, the same functionality that is provided by powerful (and costly) Cisco routers.<\/p>\n<p>The tool itself does not forward packets; it modifies the kernel routing table as it learns new best routes, and the kernel does the forwarding.<\/p>\n<p>Since it\u2019s a fork of zebra, a program whose development ceased a while ago, it maintains for historical reasons the same commands and structure as zebra. 
That is why you will see a lot of references to zebra from this point on.<\/p>\n<p>Please note that it is not possible to cover dynamic routing and all the related protocols in a single article, but I am confident that the content presented here will serve as a starting point for you to build on.<\/p>\n<h5>Installing Quagga in Linux<\/h5>\n<p>To install quagga on your chosen distribution:<\/p>\n<pre># aptitude update &amp;&amp; aptitude install quagga \t\t\t\t[On Ubuntu]\r\n# yum update &amp;&amp; yum install quagga \t\t\t\t\t[CentOS\/RHEL]\r\n# zypper refresh &amp;&amp; zypper install quagga \t\t\t\t[openSUSE]\r\n<\/pre>\n<p>We will use the same environment as with Example #3, with the only difference that eth0 is connected to a main gateway router with IP 192.168.0.1.<\/p>\n<p>Next, edit\u00a0<b>\/etc\/quagga\/daemons<\/b>\u00a0(Debian and Ubuntu keep the list of daemons to start there) with,<\/p>\n<pre>zebra=1\r\nripd=1\r\n<\/pre>\n<p>Now create the following configuration files.<\/p>\n<pre># \/etc\/quagga\/zebra.conf\r\n# \/etc\/quagga\/ripd.conf\r\n<\/pre>\n<p>and add these lines to each of them (replace them with a hostname and password of your choice):<\/p>\n<pre>hostname    \tdev2\r\npassword    \tquagga\r\n<\/pre>\n<p>Then restart the service:<\/p>\n<pre># service quagga restart\r\n<\/pre>\n<div id=\"attachment_10882\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Start-Guagga-Service.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10882\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Start-Guagga-Service-620x111.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Start-Guagga-Service-620x111.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Start-Guagga-Service.png 805w\" alt=\"Install Quagga in Linux\" width=\"620\" height=\"111\" aria-describedby=\"caption-attachment-10882\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10882\" 
class=\"wp-caption-text\">Start Quagga Service<\/p>\n<\/div>\n<p><strong>Note<\/strong>: <b>ripd.conf<\/b>\u00a0is the configuration file for the Routing Information Protocol, which provides the router with the information of which networks can be reached and how far away (in number of hops) they are.<\/p>\n<p>Note that this is only one of the protocols that can be used along with quagga, and I chose it for this tutorial due to its ease of use and because most network devices support it. It does have a security cost: the vty password is stored in clear text in these files and travels in clear text over the telnet session used below, and RIP itself offers no authentication at all in version 1 and only a clear-text string or MD5 in version 2. For that reason, restrict the permissions of the configuration files:<\/p>\n<pre># chown quagga:quaggavty \/etc\/quagga\/*.conf\r\n# chmod 640 \/etc\/quagga\/*.conf \r\n<\/pre>\n<p>Also confirm with\u00a0<b>ss -tln<\/b>\u00a0that the vty ports 2601 and 2602 are bound to 127.0.0.1 only: anyone who can reach them and knows the password can rewrite the routing table of the box.<\/p>\n<h6>Example 5: Setting up quagga to route IP traffic dynamically<\/h6>\n<p>In this example we will use the following setup with two routers (make sure to create the configuration files for\u00a0<b>router #2<\/b>\u00a0as explained previously):<\/p>\n<div id=\"attachment_10883\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Configure-Guagga.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10883\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Configure-Guagga.png\" alt=\"Configure Quagga in Linux\" width=\"513\" height=\"191\" aria-describedby=\"caption-attachment-10883\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10883\" class=\"wp-caption-text\">Configure Quagga<\/p>\n<\/div>\n<p><strong>Important<\/strong>: Don\u2019t forget to repeat the following setup for both routers.<\/p>\n<p>Connect to zebra (listening on port\u00a0<b>2601<\/b>), which is the logical intermediary between the router and the kernel:<\/p>\n<pre># telnet localhost 2601\r\n<\/pre>\n<p>Enter the password that was set in the\u00a0<b>\/etc\/quagga\/zebra.conf<\/b>\u00a0file, and then enable 
configuration:<\/p>\n<pre>enable\r\nconfigure terminal\r\n<\/pre>\n<p>Enter the IP address and network mask of each NIC (zebra expects the address in prefix notation):<\/p>\n<pre>inter eth0\r\nip address 192.168.0.15\/24\r\ninter eth1\r\nip address 10.0.0.15\/24\r\nexit\r\nexit\r\nwrite\r\n<\/pre>\n<div id=\"attachment_10884\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Configure-Router.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10884\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Configure-Router.png\" alt=\"Configure Router in Linux\" width=\"451\" height=\"412\" aria-describedby=\"caption-attachment-10884\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10884\" class=\"wp-caption-text\">Configure Router<\/p>\n<\/div>\n<p>Now we need to connect to the\u00a0<b>RIP<\/b>\u00a0daemon terminal (port 2602):<\/p>\n<pre># telnet localhost 2602\r\n<\/pre>\n<p>Enter the password as configured in the\u00a0<b>\/etc\/quagga\/ripd.conf<\/b>\u00a0file, and then type the following commands in bold (comments are added for the sake of clarification):<\/p>\n<pre><b>enable<\/b> turns on privileged mode.\r\n<b>configure terminal<\/b> changes to configuration mode. This command is the first step to configuration\r\n<b>router rip<\/b> enables RIP.\r\n<b>network 10.0.0.0\/24<\/b> enables RIP on the interface attached to the 10.0.0.0\/24 network. 
\r\n<b>exit<\/b>\r\n<b>exit<\/b>\r\n<b>write<\/b> writes the current configuration to the configuration file.\r\n<\/pre>\n<div id=\"attachment_10885\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Enable-Router.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10885\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Enable-Router.png\" alt=\"Enable Router in Linux\" width=\"435\" height=\"192\" aria-describedby=\"caption-attachment-10885\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10885\" class=\"wp-caption-text\">Enable Router<\/p>\n<\/div>\n<p><strong>Note<\/strong>: In both cases the configuration is appended to the lines that we added previously (<b>\/etc\/quagga\/zebra.conf<\/b>\u00a0and\u00a0<b>\/etc\/quagga\/ripd.conf<\/b>).<\/p>\n<p>Finally, connect again to the zebra service on both routers and note how each one of them has \u201c<b>learned<\/b>\u201d the route to the network that is behind the other, and which is the next hop to get to that network, by running the command\u00a0<b>show ip route<\/b>\u00a0at the zebra prompt:<\/p>\n<pre># show ip route\r\n<\/pre>\n<div id=\"attachment_10886\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-IP-Routing-Table.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10886\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-IP-Routing-Table-620x232.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-IP-Routing-Table-620x232.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-IP-Routing-Table.png 952w\" alt=\"Check IP Routing Table in Linux\" width=\"620\" height=\"232\" aria-describedby=\"caption-attachment-10886\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10886\" class=\"wp-caption-text\">Check 
IP Routing<\/p>\n<\/div>\n<p>If you want to try different protocols or setups, you may want to refer to the\u00a0<a href=\"http:\/\/www.nongnu.org\/quagga\/\" target=\"_blank\" rel=\"nofollow noopener\">Quagga project site<\/a>\u00a0for further documentation.<\/p>\n<h3>Conclusion<\/h3>\n<p>In this article we have explained how to set up static and dynamic routing using one or more Linux boxes as routers. Feel free to add as many routers as you wish, and to experiment as much as you want. Do not hesitate to get back to us using the contact form below if you have any comments or questions.<\/p>\n<h1 class=\"post-title\">How to Setup a Network Repository to Install or Update Packages \u2013 Part 11<\/h1>\n<p>Installing, updating, and removing (when needed) installed programs are key responsibilities in a system administrator\u2019s daily life. When a machine is connected to the Internet, these tasks can be easily performed using a package management system such as\u00a0<b>aptitude<\/b>\u00a0(or\u00a0<b>apt-get<\/b>),\u00a0<b>yum<\/b>, or\u00a0<b>zypper<\/b>, depending on your chosen distribution, as explained in\u00a0<a href=\"https:\/\/www.tecmint.com\/linux-package-management\/\" target=\"_blank\" rel=\"noopener\">Part 9 \u2013 Linux Package Management<\/a>\u00a0of the\u00a0<strong>LFCE<\/strong>\u00a0(<b>Linux Foundation Certified Engineer<\/b>) series. 
You can also download standalone\u00a0<b>.deb<\/b>\u00a0or\u00a0<b>.rpm<\/b>\u00a0files and install them with\u00a0<b>dpkg<\/b>\u00a0or\u00a0<b>rpm<\/b>, respectively.<\/p>\n<div id=\"attachment_10911\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Network-Repository-in-Linux.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10911\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Network-Repository-in-Linux-620x293.jpg\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Network-Repository-in-Linux-620x293.jpg 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Network-Repository-in-Linux-520x245.jpg 520w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Network-Repository-in-Linux.jpg 720w\" alt=\"Setup Yum Local Repository in CentOS 7\" width=\"620\" height=\"293\" aria-describedby=\"caption-attachment-10911\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10911\" class=\"wp-caption-text\">Linux Foundation Certified Engineer \u2013 Part 11<\/p>\n<\/div>\n<p>However, when a machine does not have access to the world wide web, other methods are necessary. Why would anyone want to do that? 
The reasons range from saving Internet bandwidth (thus avoiding several concurrent connections to the outside) to keeping packages compiled locally from source under your own control, and include the possibility of providing packages that for legal reasons (for example, software that is restricted in some countries) cannot be included in official repositories.<\/p>\n<p>That is precisely where network repositories come into play, which is the central topic of this article.<\/p>\n<h5>Our Testing Environment<\/h5>\n<pre><strong>Network Repository Server<\/strong>:\tCentOS 7 [enp0s3: 192.168.0.17] - dev1\r\n<strong>Client Machine<\/strong>:\t\t\tCentOS 6.6 [eth0: 192.168.0.18] - dev2\r\n<\/pre>\n<h3>Setting Up a Network Repository Server on CentOS 7<\/h3>\n<p>As a first step, we will handle the installation and configuration of a\u00a0<strong>CentOS 7<\/strong>\u00a0box as a repository server [IP address\u00a0<b>192.168.0.17<\/b>] and a\u00a0<strong>CentOS<\/strong>\u00a06.6 machine as client. The setup for openSUSE is almost identical.<\/p>\n<p>For CentOS 7, follow the articles below, which explain step by step how to install CentOS 7 and how to set up a static IP address.<\/p>\n<ol>\n<li><a href=\"https:\/\/www.tecmint.com\/centos-7-installation\/\" target=\"_blank\" rel=\"noopener\">Installation of CentOS 7.0 with Screenshots<\/a><\/li>\n<li><a href=\"https:\/\/www.tecmint.com\/configure-network-interface-in-rhel-centos-7-0\/\" target=\"_blank\" rel=\"noopener\">How to Configure Network Static IP Address on CentOS 7<\/a><\/li>\n<\/ol>\n<p>As for Ubuntu, there is a great article on this site that explains, step by step, how to set up your own, private repository.<\/p>\n<ol>\n<li><a href=\"https:\/\/www.tecmint.com\/setup-local-repositories-in-ubuntu\/\" target=\"_blank\" rel=\"noopener\">Setup Local Repositories with \u2018apt-mirror\u2019 in Ubuntu<\/a><\/li>\n<\/ol>\n<p>Our first choice will be the way in which clients will access the repository server 
\u2013\u00a0<b>FTP<\/b>\u00a0and\u00a0<b>HTTP<\/b>\u00a0are the most widely used. We will choose the latter as the\u00a0<b>Apache<\/b>\u00a0installation was covered in\u00a0<a href=\"https:\/\/www.tecmint.com\/installing-network-services-and-configuring-services-at-system-boot\/\" target=\"_blank\" rel=\"noopener\">Part 1 \u2013 Installing Apache<\/a>\u00a0of this LFCE series. This will also allow us to display the package listing using a web browser. Plain HTTP is acceptable here only because every package is GPG-signed and the clients will be configured to verify those signatures; the transport itself authenticates nothing.<\/p>\n<p>Next, we need to create directories to store the\u00a0<b>.rpm<\/b>\u00a0packages. We will create subdirectories within\u00a0<b>\/var\/www\/html\/repos<\/b>\u00a0accordingly. For our convenience, we may also want to create other subdirectories to host packages for different versions of each distribution (of course we can still add as many directories as needed later) and even different architectures.<\/p>\n<h4>Setting Up the Repository<\/h4>\n<p>An important thing to take into consideration when setting up your own repository is that you will need a considerable amount of available disk space (<b>~20 GB<\/b>). 
If you don\u2019t, resize the filesystem where you\u2019re planning on storing the repository\u2019s contents, or even better add an extra dedicated storage device to host the repository.<\/p>\n<p>That being said, we will begin by creating the directories that we will need to host the repository:<\/p>\n<pre># mkdir -p \/var\/www\/html\/repos\/centos\/6\/6\r\n<\/pre>\n<p>After we have created the directory structure for our repository server, we will initialize in\u00a0<b>\/var\/www\/html\/repos\/centos\/6\/6<\/b>\u00a0the database that keeps track of packages and their corresponding dependencies using\u00a0<strong>createrepo<\/strong>.<\/p>\n<p>Install\u00a0<b>createrepo<\/b>\u00a0if you haven\u2019t already done so:<\/p>\n<pre># yum update &amp;&amp; yum install createrepo\r\n<\/pre>\n<p>Then initialize the database,<\/p>\n<pre># createrepo \/var\/www\/html\/repos\/centos\/6\/6\r\n<\/pre>\n<div id=\"attachment_10912\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Createrepo-Repository-Initialize.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10912\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Createrepo-Repository-Initialize-620x232.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Createrepo-Repository-Initialize-620x232.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Createrepo-Repository-Initialize-1024x383.png 1024w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Createrepo-Repository-Initialize.png 1032w\" alt=\"Createrepo Repository Initialization\" width=\"620\" height=\"232\" aria-describedby=\"caption-attachment-10912\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10912\" class=\"wp-caption-text\">Createrepo Repository Initialization<\/p>\n<\/div>\n<h4>Updating the Repository<\/h4>\n<p>Assuming that the repository server has 
access to the Internet, we will pull an online repository to get the latest updates of packages. If that is not the case, you can still copy the entire contents of the Packages directory from a\u00a0<b>CentOS 6.6<\/b>\u00a0installation DVD.<\/p>\n<p>In this tutorial we will assume the first case. In order to optimize our download speed, we will choose a\u00a0<b>CentOS 6.6<\/b>\u00a0mirror from a location near us. Go to the\u00a0<a href=\"https:\/\/centos.org\/download\/mirrors\/\" target=\"_blank\" rel=\"nofollow noopener\">CentOS download mirror<\/a>\u00a0list and pick the one that is closest to your location (Argentina in my case):<\/p>\n<div id=\"attachment_10913\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Select-CentOS-Download-Mirror.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10913\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Select-CentOS-Download-Mirror.png\" alt=\"Select CentOS Download Mirror\" width=\"574\" height=\"413\" aria-describedby=\"caption-attachment-10913\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10913\" class=\"wp-caption-text\">Select CentOS Download Mirror<\/p>\n<\/div>\n<p>Then, navigate to the\u00a0<b>os<\/b>\u00a0directory inside the highlighted link and then choose the appropriate architecture. 
Once there, copy the link in the address bar and download the contents to the dedicated directory in the repository server:<\/p>\n<div id=\"attachment_10914\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Download-CentOS-Mirror.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10914\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Download-CentOS-Mirror.png\" alt=\"Download CentOS Mirror\" width=\"534\" height=\"228\" aria-describedby=\"caption-attachment-10914\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10914\" class=\"wp-caption-text\">Download CentOS Mirror<\/p>\n<\/div>\n<pre># rsync -avz rsync:\/\/centos.ar.host-engine.com\/6.6\/os\/x86_64\/ \/var\/www\/html\/repos\/centos\/6\/6\/ \r\n<\/pre>\n<p>In case that the chosen repository turns out to be offline for some reason, go back and choose a different one. No big deal.<\/p>\n<p>Now is the time when you may want to relax and maybe watch an episode of your favourite TV show, because mirroring the online repository may take quite a while.<\/p>\n<p>Once the download has completed, you can verify the usage of disk space with:<\/p>\n<pre># du -sch \/var\/www\/html\/repos\/centos\/6\/6\/*\r\n<\/pre>\n<div id=\"attachment_10915\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-CentOS-Mirror-Size.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10915\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-CentOS-Mirror-Size.png\" alt=\"Check CentOS Mirror Size\" width=\"555\" height=\"277\" aria-describedby=\"caption-attachment-10915\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10915\" class=\"wp-caption-text\">Check CentOS Mirror Size<\/p>\n<\/div>\n<p>Finally, update the repository\u2019s database.<\/p>\n<pre># createrepo --update 
\/var\/www\/html\/repos\/centos\/6\/6\r\n<\/pre>\n<p>You may also want to launch your web browser and navigate to the\u00a0<b>repos\/centos\/6\/6<\/b>\u00a0directory so as to verify that you can see the contents:<\/p>\n<div id=\"attachment_10916\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Verify-CentOS-Packages.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10916\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Verify-CentOS-Packages-439x450.png\" sizes=\"auto, (max-width: 439px) 100vw, 439px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Verify-CentOS-Packages-439x450.png 439w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Verify-CentOS-Packages.png 529w\" alt=\"Verify CentOS Packages\" width=\"439\" height=\"450\" aria-describedby=\"caption-attachment-10916\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10916\" class=\"wp-caption-text\">Verify CentOS Packages<\/p>\n<\/div>\n<p>And you\u2019re ready to go \u2013 now it\u2019s time to configure the client.<\/p>\n<h3>Configuring the Client Machine<\/h3>\n<p>You can add the configuration files for custom repositories in the\u00a0<b>\/etc\/yum.repos.d<\/b>\u00a0directory. Configuration files need to end in\u00a0<b>.repo<\/b>\u00a0and follow the same basic structure.<\/p>\n<pre>[repository_name]\r\nDescription\r\nURL\r\n<\/pre>\n<p>Most likely, there will be already other\u00a0<b>.repo<\/b>\u00a0files in\u00a0<b>\/etc\/yum.repos.d<\/b>. 
To properly test your repository, you can either delete those configuration files (not really recommended, since you may need them later) or rename them, as I did, by appending\u00a0<b>.orig<\/b>\u00a0to each file name:<\/p>\n<pre># cd \/etc\/yum.repos.d\r\n# for i in *.repo; do mv \"$i\" \"$i.orig\"; done\r\n<\/pre>\n<div id=\"attachment_10917\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Backup-Yum-Repositories.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10917\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Backup-Yum-Repositories-620x95.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Backup-Yum-Repositories-620x95.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Backup-Yum-Repositories-1024x157.png 1024w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Backup-Yum-Repositories.png 1194w\" alt=\"Backup Yum Repositories\" width=\"620\" height=\"95\" aria-describedby=\"caption-attachment-10917\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10917\" class=\"wp-caption-text\">Backup Yum Repositories<\/p>\n<\/div>\n<p>In our case, we will name our configuration file\u00a0<b>tecmint.repo<\/b>\u00a0and insert the following lines:<\/p>\n<pre>[tecmint]\r\nname=Example repo for Part 11 of the LFCE series on Tecmint.com\r\nbaseurl=http:\/\/192.168.0.17\/repos\/centos\/6\/6\/\r\ngpgcheck=1\r\ngpgkey=http:\/\/mirror.centos.org\/centos\/RPM-GPG-KEY-CentOS-6\r\n<\/pre>\n<p>In addition, we have enabled GPG signature-checking for all packages in our repository. Note that the\u00a0<b>gpgkey<\/b>\u00a0line above fetches the trust anchor over plain HTTP from the Internet, which a client without Internet access (the very case this article addresses) cannot reach, and which anyone in the path could replace with a key of their own. Prefer the copy that CentOS already installs locally, that is\u00a0<b>gpgkey=file:\/\/\/etc\/pki\/rpm-gpg\/RPM-GPG-KEY-CentOS-6<\/b>, and compare the fingerprint of that key with the one published by the CentOS project before importing it.<\/p>\n<h4>Using the Repository<\/h4>\n<p>Once the client has been properly configured, you can issue the usual\u00a0<b>yum<\/b>\u00a0commands to query the repository. 
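Before trusting a .repo file, it is worth checking it for the settings that decide whether a tampered package would be noticed at all. The following Python, an added example that is not part of the original article or of yum, lints every repository section of a .repo file and reports gpgcheck turned off or unset, a missing key, a key fetched over plain HTTP and a plain-HTTP baseurl. Both inputs are constructed: the first is the tecmint.repo shown above, the second points gpgkey at the key that a CentOS 6 installation carries locally (the /etc/pki/rpm-gpg path is assumed).

```python
import configparser
from urllib.parse import urlparse

# Added example (not part of the original article or of yum): lint the repository
# definitions in a .repo file for settings that weaken package authentication.
# Both inputs are constructed: the first is the article's tecmint.repo, the second
# points gpgkey at the key CentOS ships locally (the /etc/pki/rpm-gpg path is assumed).
ARTICLE_REPO = """\
[tecmint]
name=Example repo for Part 11 of the LFCE series on Tecmint.com
baseurl=http://192.168.0.17/repos/centos/6/6/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
"""

HARDENED_REPO = """\
[tecmint]
name=Example repo for Part 11 of the LFCE series on Tecmint.com
baseurl=http://192.168.0.17/repos/centos/6/6/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
"""


def lint_repo(text):
    """Return {repo id: [(severity, message), ...]} for every enabled repository in a .repo file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for repo_id in cp.sections():
        sec = cp[repo_id]
        if sec.get("enabled", "1").strip() != "1":
            continue                                   # a disabled repo cannot install anything
        findings = []
        gpgcheck = (sec.get("gpgcheck") or "").strip()
        keys = sec.get("gpgkey", "").split()           # yum accepts several whitespace-separated URLs
        if gpgcheck == "":
            findings.append(("MEDIUM", "gpgcheck not set: it inherits [main] from yum.conf, state it explicitly"))
        elif gpgcheck != "1":
            findings.append(("HIGH", "gpgcheck is off: unsigned or tampered packages install silently"))
        elif not keys:
            findings.append(("HIGH", "gpgcheck=1 but no gpgkey: nothing anchors the signature check"))
        for key in keys:
            scheme = urlparse(key).scheme
            if scheme == "http":
                findings.append(("HIGH", f"gpgkey {key} is fetched over cleartext HTTP: "
                                         "an attacker in the path can substitute their own key"))
            elif scheme not in ("file", "https"):
                findings.append(("MEDIUM", f"gpgkey {key} uses unexpected scheme {scheme!r}"))
        for url in sec.get("baseurl", "").split():
            if urlparse(url).scheme == "http":
                findings.append(("INFO", f"baseurl {url} is plain HTTP: package signatures still "
                                         "protect the packages, but the metadata is not signed, so a "
                                         "stale package list can be served to hide updates"))
        report[repo_id] = findings
    return report


def worst(findings):
    """Highest severity in a findings list: 3 = HIGH, 2 = MEDIUM, 1 = INFO, 0 = clean."""
    order = {"HIGH": 3, "MEDIUM": 2, "INFO": 1}
    return max((order[s] for s, _ in findings), default=0)


if __name__ == "__main__":
    for label, text in (("article", ARTICLE_REPO), ("hardened", HARDENED_REPO)):
        for repo_id, findings in lint_repo(text).items():
            print(f"{label}/{repo_id}:")
            for severity, message in findings:
                print(f"  [{severity}] {message}")
```

Run against the files in /etc/yum.repos.d after the rename step above, the linter reports the plain-HTTP gpgkey of the article's version as HIGH and leaves only the informational note about the HTTP baseurl for the hardened one.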
Note how\u00a0<strong>yum info subversion<\/strong>\u00a0indicates that the information about the package is coming from our newly created repository:<\/p>\n<pre># yum info subversion\r\n<\/pre>\n<div id=\"attachment_10918\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Yum-Repository-Info.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-10918\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Yum-Repository-Info-468x450.png\" sizes=\"auto, (max-width: 468px) 100vw, 468px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Yum-Repository-Info-468x450.png 468w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Yum-Repository-Info.png 659w\" alt=\"Check Yum Repository Info\" width=\"468\" height=\"450\" aria-describedby=\"caption-attachment-10918\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10918\" class=\"wp-caption-text\">Check Yum Repository Info<\/p>\n<\/div>\n<p>Or you can install or update an already installed package:<\/p>\n<pre># yum { install | update } package\r\n<\/pre>\n<p>For example,<\/p>\n<pre># yum update &amp;&amp; yum install subversion\r\n<\/pre>\n<div id=\"attachment_10919\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Yum-Install-Package.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10919\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Yum-Install-Package.png\" alt=\"Yum Install Package\" width=\"536\" height=\"390\" aria-describedby=\"caption-attachment-10919\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-10919\" class=\"wp-caption-text\">Yum Install Package<\/p>\n<\/div>\n<h4>Keeping the Repository Up-to-date<\/h4>\n<p>To make sure our repository is always current, we need to synchronize it with the online repositories on a periodic basis. 
We can use\u00a0<b>rsync<\/b>\u00a0for this task as well (as explained in\u00a0<a href=\"https:\/\/www.tecmint.com\/creating-and-managing-raid-backups-in-linux\/\" target=\"_blank\" rel=\"noopener\">Part 6<\/a>\u00a0of the LFCS series,\u00a0<b>rsync<\/b>\u00a0allows us to synchronize two directories, one local and one remote). Run the\u00a0<b>rsync<\/b>\u00a0command that was used to initially download the repository through a cron job and you\u2019re good to go. Remember to set the cron job to a time of the day when the update will not cause a negative impact in the available bandwidth.<\/p>\n<p>For example, if you want to update your repository every day beginning at\u00a0<b>2:30 AM<\/b>:<\/p>\n<pre>30 2 * * * rsync -avz rsync:\/\/centos.ar.host-engine.com\/6.6\/os\/x86_64\/ \/var\/www\/html\/repos\/centos\/6\/6\/ \r\n<\/pre>\n<p><strong>Important<\/strong>: This cron job belongs on the CentOS 7 repository server, not on the client. Run it as a dedicated unprivileged user that owns the repository tree rather than as root, and remember that the mirror is an unauthenticated rsync source: the clients\u2019 GPG checks, not this transfer, are what protect you from a tampered package.<\/p>\n<p>Of course, you can put that line inside a script to do more complex and customized tasks before or after performing the update. Feel free to experiment and tell me about the results.<\/p>\n<h3>Conclusion<\/h3>\n<p>You should never underestimate the importance of a local or network repository given the many benefits it brings as I explained in this article. If you can afford the disk space, this is definitely the way to go. 
I look forward to hearing from you and don\u2019t hesitate to let me know if you have any questions.<\/p>\n<h1 class=\"post-title\">How to Audit Network Performance, Security, and Troubleshooting in Linux \u2013 Part 12<\/h1>\n<p>A sound analysis of a computer network begins by understanding what are the available tools to perform the task, how to pick the right one(s) for each step of the way, and last but not least, where to begin.<\/p>\n<p>This is the last part of the\u00a0<b>LFCE<\/b>\u00a0(<b>Linux Foundation Certified Engineer<\/b>) series, here we will review some well-known tools to examine the performance and increase the security of a network, and what to do when things aren\u2019t going as expected.<\/p>\n<div id=\"attachment_11024\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Audit-Linux-Systems.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-11024\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Audit-Linux-Systems-620x293.jpg\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Audit-Linux-Systems-620x293.jpg 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Audit-Linux-Systems-520x245.jpg 520w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Audit-Linux-Systems.jpg 720w\" alt=\"Audit Linux Systems\" width=\"620\" height=\"293\" aria-describedby=\"caption-attachment-11024\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-11024\" class=\"wp-caption-text\">Linux Foundation Certified Engineer \u2013 Part 12<\/p>\n<\/div>\n<h5>Introducing The Linux Foundation Certification Program<\/h5>\n<div class=\"post-format\">\n<div class=\"video-container\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/Y29qZ71Kicg\" width=\"640\" height=\"405\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" 
data-mce-fragment=\"1\"><\/iframe><\/div>\n<\/div>\n<p>Please note that this list does not claim to be comprehensive, so feel free to comment on this post using the form at the bottom if you would like to add another useful utility that we could be missing.<\/p>\n<h4>What Services are Running and Why?<\/h4>\n<p>One of the first things that a system administrator needs to know about each system is what services are running and why. With that information in hand, it is a wise decision to disable all those that are not strictly necessary and to avoid hosting too many servers on the same physical machine.<\/p>\n<p>For example, you need to disable your\u00a0<b>FTP<\/b>\u00a0server if your network does not require one (there are more secure methods to share files over a network, by the way). In addition, you should avoid having a web server and a database server on the same system. If one component becomes compromised, the rest run the risk of getting compromised as well.<\/p>\n<h4>Investigating Socket Connections with ss<\/h4>\n<p><b>ss<\/b>\u00a0is used to dump socket statistics and shows information similar to\u00a0<a href=\"https:\/\/www.tecmint.com\/20-netstat-commands-for-linux-network-management\/\" target=\"_blank\" rel=\"noopener\">netstat<\/a>, though it can display more TCP and state information than other tools. In addition, it is listed in\u00a0<b>man netstat<\/b>\u00a0as a replacement for netstat, which is obsolete.<\/p>\n<p>However, in this article we will focus on the information related to network security only.<\/p>\n<h6>Example 1: Showing ALL TCP ports (sockets) that are open on our server<\/h6>\n<p>All services running on their default ports (e.g. http on 80, mysql on 3306) are indicated by their respective names. 
Others (obscured here for privacy reasons) are shown in their numeric form.<\/p>\n<pre># ss -t -a\r\n<\/pre>\n<div id=\"attachment_11016\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/ss-Command.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-11016\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/ss-Command-620x110.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/ss-Command-620x110.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/ss-Command-1024x181.png 1024w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/ss-Command.png 1202w\" alt=\"Linux ss Command\" width=\"620\" height=\"110\" aria-describedby=\"caption-attachment-11016\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-11016\" class=\"wp-caption-text\">Check All Open TCP Ports<\/p>\n<\/div>\n<p>The first column shows the\u00a0<b>TCP<\/b>\u00a0state, while the second and third columns display the amount of data that is currently queued for reception and transmission. 
The fourth and fifth columns show the source and destination sockets of each connection.<br \/>\nOn a side note, you may want to check\u00a0<a href=\"https:\/\/tools.ietf.org\/html\/rfc793\" target=\"_blank\" rel=\"nofollow noopener\">RFC 793<\/a>\u00a0to refresh your memory about the possible TCP states, since you also need to check the number and the state of open TCP connections in order to become aware of (D)DoS attacks.<\/p>\n<h6>Example 2: Displaying ALL active TCP connections with their timers<\/h6>\n<pre># ss -t -o\r\n<\/pre>\n<div id=\"attachment_11017\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Display-all-Active-Connections.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-11017\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Display-all-Active-Connections-620x74.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Display-all-Active-Connections-620x74.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Display-all-Active-Connections-1024x123.png 1024w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Display-all-Active-Connections.png 1203w\" alt=\"Display all Active Connections\" width=\"620\" height=\"74\" aria-describedby=\"caption-attachment-11017\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-11017\" class=\"wp-caption-text\">Check all Active Connections<\/p>\n<\/div>\n<p>In the output above, you can see that there are 2 established SSH connections. If you look at the second field of\u00a0<b>timer<\/b>:, you will notice a value of\u00a0<b>36<\/b>\u00a0minutes in the first connection. 
That is the amount of time until the next keepalive probe will be sent.<\/p>\n<p>Since it\u2019s a connection that is being kept alive, you can safely assume that it is an inactive connection and thus kill the process after finding out its\u00a0<b>PID<\/b>.<\/p>\n<div id=\"attachment_11018\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Kill-Active-Process.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-11018\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Kill-Active-Process-620x249.jpeg\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Kill-Active-Process-620x249.jpeg 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Kill-Active-Process-1024x411.jpeg 1024w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Kill-Active-Process.jpeg 1198w\" alt=\"Linux Kill Active Process\" width=\"620\" height=\"249\" aria-describedby=\"caption-attachment-11018\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-11018\" class=\"wp-caption-text\">Kill Active Process<\/p>\n<\/div>\n<p>As for the second connection, you can see that it\u2019s currently being used (as indicated by\u00a0<b>on<\/b>\u00a0in the timer field).<\/p>\n<h6>Example 3: Filtering connections by socket<\/h6>\n<p>Suppose you want to filter TCP connections by socket. 
From the server\u2019s point of view, you need to check for connections where the source port is 80.<\/p>\n<pre># ss -tn sport = :80\r\n<\/pre>\n<p>Resulting in:<\/p>\n<div id=\"attachment_11019\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Filter-Connections-by-Socket.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-11019\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Filter-Connections-by-Socket-620x51.png\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Filter-Connections-by-Socket-620x51.png 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Filter-Connections-by-Socket-1024x84.png 1024w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Filter-Connections-by-Socket.png 1210w\" alt=\"Filter Connections by Socket\" width=\"620\" height=\"51\" aria-describedby=\"caption-attachment-11019\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-11019\" class=\"wp-caption-text\">Filter Connections by Socket<\/p>\n<\/div>\n<h4>Protecting Against Port Scanning with NMAP<\/h4>\n<p>Port scanning is a common technique used by attackers to identify active hosts and open ports on a network. Once a vulnerability is discovered, it is exploited in order to gain access to the system.<\/p>\n<p>A wise sysadmin needs to check how his or her systems are seen by outsiders, and make sure nothing is left to chance by auditing them frequently. 
That is called \u201c<b>defensive port scanning<\/b>\u201d.<\/p>\n<h6>Example 4: Displaying information about open ports<\/h6>\n<p>You can use the following command to scan which ports are open on your system or on a remote host:<\/p>\n<pre># nmap -A -sS [IP address or hostname]\r\n<\/pre>\n<p>The above command will scan the host for\u00a0<b>OS<\/b>\u00a0and\u00a0<b>version<\/b>\u00a0detection, port information, and traceroute (<b>-A<\/b>). Finally,\u00a0<b>-sS<\/b>\u00a0performs a\u00a0<b>TCP SYN<\/b>\u00a0scan, which prevents nmap from completing the 3-way TCP handshake and thus typically leaves no logs on the target machine.<\/p>\n<p>Before proceeding with the next example, please keep in mind that\u00a0<a href=\"https:\/\/nmap.org\/book\/legal-issues.html\" target=\"_blank\" rel=\"nofollow noopener\">port scanning is not an illegal activity<\/a>. What IS illegal is using the results for a malicious purpose.<\/p>\n<p>For example, the output of the above command run against the main server of a local university returns the following (only part of the result is shown for the sake of brevity):<\/p>\n<div id=\"attachment_11020\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Open-Ports.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-11020\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Open-Ports-620x292.jpeg\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Open-Ports-620x292.jpeg 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Open-Ports-1024x483.jpeg 1024w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Open-Ports-520x245.jpeg 520w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Open-Ports-720x340.jpeg 720w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Check-Open-Ports.jpeg 1107w\" alt=\"Check Open Ports in Linux\" 
width=\"620\" height=\"292\" aria-describedby=\"caption-attachment-11020\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-11020\" class=\"wp-caption-text\">Check Open Ports<\/p>\n<\/div>\n<p>As you can see, we discovered several anomalies that we would do well to report to the system administrators at this local university.<\/p>\n<p>This specific port scan operation provides all the information that can also be obtained by other commands, such as:<\/p>\n<h6>Example 5: Displaying information about a specific port in a local or remote system<\/h6>\n<pre># nmap -p [port] [hostname or address]\r\n<\/pre>\n<h6>Example 6: Showing the traceroute to a host, and finding out its hostname, OS type, and the versions of its services<\/h6>\n<pre># nmap -A [hostname or address]\r\n<\/pre>\n<h6>Example 7: Scanning several ports or hosts simultaneously<\/h6>\n<p>You can also scan several ports (or a port range) or whole subnets, as follows:<\/p>\n<pre># nmap -p 21,22,80 192.168.0.0\/24 \r\n<\/pre>\n<p><strong>Note<\/strong>: The above command scans ports 21, 22, and 80 on all hosts in that network segment.<\/p>\n<p>You can check the\u00a0<b>man page<\/b>\u00a0for further details on how to perform other types of port scanning.\u00a0<a href=\"https:\/\/www.tecmint.com\/nmap-command-examples\/\" target=\"_blank\" rel=\"noopener\">Nmap<\/a>\u00a0is indeed a very powerful and versatile network mapper utility, and you should be very well acquainted with it in order to defend the systems you\u2019re responsible for against attacks that follow a malicious port scan by outsiders.<\/p>\n<h4>Reporting Usage and Performance on Your Network<\/h4>\n<p>Although there are several available tools to analyze and troubleshoot network performance, two of them are very easy to learn and user friendly.<\/p>\n<p>To install both of them on\u00a0<b>CentOS<\/b>, you will need to\u00a0<a href=\"https:\/\/www.tecmint.com\/how-to-enable-epel-repository-for-rhel-centos-6-5\/\" target=\"_blank\" rel=\"noopener\">enable 
the EPEL repository<\/a>\u00a0first.<\/p>\n<h5>1. nmon utility<\/h5>\n<p><a href=\"https:\/\/www.tecmint.com\/nmon-analyze-and-monitor-linux-system-performance\/\" target=\"_blank\" rel=\"noopener\">nmon<\/a>\u00a0is a system tuner and benchmark tool. As such, it can display CPU, memory, network, disk, file system, NFS, and top-process statistics, as well as resource information (Linux version &amp; processors). Of course, we\u2019re mainly interested in the network performance feature.<\/p>\n<p>To install nmon, run the following command on your chosen distribution:<\/p>\n<pre># yum update &amp;&amp; yum install nmon \t\t\t\t[On CentOS]\r\n# aptitude update &amp;&amp; aptitude install nmon \t\t[On Ubuntu]\r\n# zypper refresh &amp;&amp; zypper install nmon \t\t[On openSUSE]\r\n<\/pre>\n<div id=\"attachment_11021\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Install-Nmon-Tool.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-11021\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Install-Nmon-Tool-620x210.jpeg\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Install-Nmon-Tool-620x210.jpeg 620w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Install-Nmon-Tool-1024x347.jpeg 1024w, https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Install-Nmon-Tool.jpeg 1217w\" alt=\"Install Nmon Tool\" width=\"620\" height=\"210\" aria-describedby=\"caption-attachment-11021\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-11021\" class=\"wp-caption-text\">Network Reporting Usage and Performance<\/p>\n<\/div>\n<p>Make it a habit to look at the network traffic in real time to ensure that your system is capable of supporting normal loads and to watch out for unnecessary traffic or suspicious activity.<\/p>\n<h5>2. vnstat utility<\/h5>\n<p><a 
href=\"https:\/\/www.tecmint.com\/vnstat-php-frontend-for-monitoring-network-bandwidth\/\" target=\"_blank\" rel=\"noopener\">vnstat<\/a>\u00a0is a console-based network traffic monitor that keeps a log of hourly (as well as daily and monthly) network traffic for the selected interface(s).<\/p>\n<pre># yum update &amp;&amp; yum install vnstat\t\t\t\t[On CentOS]\r\n# aptitude update &amp;&amp; aptitude install vnstat\t\t[On Ubuntu]\r\n# zypper refresh &amp;&amp; zypper install vnstat\t\t[On openSUSE]\r\n<\/pre>\n<p>After installing the package, you need to start the monitoring daemon as follows:<\/p>\n<pre># service vnstat start \t\t\t\t\t[On SysV-based systems (Ubuntu)]\r\n# systemctl start vnstat \t\t\t\t[On systemd-based systems (CentOS \/ openSUSE)]\r\n<\/pre>\n<p>Once you have installed and started\u00a0<b>vnstat<\/b>, you can initialize the database to record traffic for\u00a0<b>eth0<\/b>\u00a0(or another NIC) as follows:<\/p>\n<pre># vnstat -u -i eth0\r\n<\/pre>\n<p>As I have just installed vnstat on the machine that I\u2019m using to write this article, I still haven\u2019t gathered enough data to display usage statistics:<\/p>\n<div id=\"attachment_11022\" class=\"wp-caption aligncenter\">\n<p><a href=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Vnstat-Tool.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-11022\" src=\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/01\/Vnstat-Tool.png\" alt=\"Linux Network Traffic Monitor\" width=\"357\" height=\"84\" aria-describedby=\"caption-attachment-11022\" data-lazy-loaded=\"true\" \/><\/a><\/p>\n<p id=\"caption-attachment-11022\" class=\"wp-caption-text\">Network Traffic Monitor<\/p>\n<\/div>\n<p>The\u00a0<b>vnstatd<\/b>\u00a0daemon will continue running in the background and collecting traffic data. 
Until it collects enough data to produce output, you can refer to\u00a0<a href=\"http:\/\/humdi.net\/vnstat\/\" target=\"_blank\" rel=\"nofollow noopener\">the project\u2019s web site<\/a>\u00a0to see what the traffic analysis looks like.<\/p>\n<h4>Transferring Files Securely Over the Network<\/h4>\n<p>If you need to ensure security while transferring or receiving files over a network, and especially if you need to perform that operation over the Internet, you will want to resort to one of two secure methods for file transfers (don\u2019t even think about doing it over plain FTP!).<\/p>\n<h6>Example 8: Transferring files with scp (secure copy)<\/h6>\n<p>Use the\u00a0<b>-P<\/b>\u00a0flag if SSH on the remote host is listening on a port other than the default 22. The\u00a0<b>-p<\/b>\u00a0switch will preserve the permissions of\u00a0<b>local_file<\/b>\u00a0after the transfer, which will be made with the credentials of\u00a0<b>remote_user<\/b>\u00a0on\u00a0<b>remote_host<\/b>. You will need to make sure that\u00a0<b>\/absolute\/path\/to\/remote\/directory<\/b>\u00a0is writable by this user.<\/p>\n<pre># scp -P XXXX -p local_file remote_user@remote_host:\/absolute\/path\/to\/remote\/directory\r\n<\/pre>\n<h6>Example 9: Receiving files with scp (secure copy)<\/h6>\n<p>You can also download files with\u00a0<b>scp<\/b>\u00a0from a remote host:<\/p>\n<pre># scp remote_user@remote_host:myFile.txt \/absolute\/path\/to\/local\/directory\r\n<\/pre>\n<p>Or even between two remote hosts (in this case, copy the file\u00a0<b>myFile.txt<\/b>\u00a0from\u00a0<b>remote_host1<\/b>\u00a0to\u00a0<b>remote_host2<\/b>):<\/p>\n<pre># scp remote_user1@remote_host1:\/absolute\/path\/to\/remote\/directory1\/myFile.txt remote_user1@remote_host2:\/absolute\/path\/to\/remote\/directory2\/\r\n<\/pre>\n<p>Don\u2019t forget to use the\u00a0<b>-P<\/b>\u00a0switch if SSH is listening on a port other than the default 22.<\/p>\n<p>You can read more about\u00a0<a 
href=\"https:\/\/www.tecmint.com\/scp-commands-examples\/\" target=\"_blank\" rel=\"noopener\">SCP commands<\/a>.<\/p>\n<h6>Example 10: Sending and receiving files with SFTP<\/h6>\n<p>Unlike SCP, SFTP does not require you to know beforehand the location of the file that we want to download or send.<\/p>\n<p>This is the basic syntax to connect to a remote host using\u00a0<b>SFTP<\/b>:<\/p>\n<pre># sftp -oPort=XXXX username@host\r\n<\/pre>\n<p>Where\u00a0<b>XXXX<\/b>\u00a0represents the port where SSH is listening on\u00a0<b>host<\/b>, which can be either a hostname or its corresponding IP address. You can disregard the\u00a0<b>-oPort<\/b>\u00a0flag if SSH is listening on its default port (22).<\/p>\n<p>Once the connection is successful, you can issue the following commands to send or receive files:<\/p>\n<pre>get -Pr [remote file or directory] # Receive files\r\nput -r [local file or directory] # Send files\r\n<\/pre>\n<p>In both cases, the\u00a0<b>-r<\/b>\u00a0switch recursively receives or sends files, respectively. In the first case, the\u00a0<b>-P<\/b>\u00a0option will also preserve the original file permissions.<\/p>\n<p>To close the connection, simply type \u201c<b>exit<\/b>\u201d or \u201c<b>bye<\/b>\u201d. You can read more about the\u00a0<a href=\"https:\/\/www.tecmint.com\/sftp-command-examples\/\" target=\"_blank\" rel=\"noopener\">sftp command<\/a>.<\/p>\n<h3>Summing Up<\/h3>\n<p>You may want to complement what we have covered in this article with what we\u2019ve already learned in other tutorials of this series, for example\u00a0<a href=\"https:\/\/www.tecmint.com\/configure-iptables-firewall\/\" target=\"_blank\" rel=\"noopener\">Part 8: How To Setup an Iptables Firewall<\/a>.<\/p>\n<p>If you know your systems well, you will be able to easily detect malicious or suspicious activity when the numbers show unusual activity without an apparent reason. 
You will also be able to plan ahead for network resources if you\u2019re expecting a sudden increase in their use.<\/p>\n<p>As a final note, remember to shut down the ports that are not strictly needed, or change their default port to a higher number (~20000) so that common port scans do not detect them.<\/p>\n<p>As always, don\u2019t hesitate to let us know if you have any questions or concerns about this article.<\/p>\n<p><a href=\"https:\/\/www.tecmint.com\/installing-network-services-and-configuring-services-at-system-boot\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>LFCE: Installing Network Services and Configuring Automatic Startup at Boot \u2013 Part 1 A\u00a0Linux Foundation Certified Engineer\u00a0(LFCE) is prepared to install, configure, manage, and troubleshoot network services in Linux systems, and is responsible for the design and implementation of system architecture. Linux Foundation Certified Engineer \u2013 Part 1 Introducing The Linux Foundation Certification Program. 
In &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/04\/03\/lfce-linux-foundation-certified-engineer\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;LFCE (Linux Foundation Certified Engineer)&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-13519","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13519","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=13519"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13519\/revisions"}],"predecessor-version":[{"id":13521,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13519\/revisions\/13521"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=13519"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=13519"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=13519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}