RHCE Studyguide

May 29, 2012

Prerequisite skills for RHCT and RHCE

Candidates should possess the following skills, as they may be necessary in order to fulfill requirements of the RHCT and RHCE exams:

use standard command line tools (e.g., ls, cp, mv, rm, tail, cat, etc.) to create, remove, view, and investigate files and directories

use grep, sed, and awk to process text streams and files

use a terminal-based text editor, such as vim or nano, to modify text files

use input/output redirection

operator description
> redirect STDOUT to a file
2> redirect STDERR to a file
&> redirect all output to a file
2>&1 redirect all output to a pipe
  • use » to append instead of overwrite

understand basic principles of TCP/IP networking, including IP addresses, netmasks, and gateways for IPv4 and IPv6

use su to switch user accounts

su - 

use passwd to set passwords


use tar, gzip, and bzip2

# compress (tar/gzip)
tar cvzf .tgz 

# extract (tar/gzip)
tar xvzf .tgz

# compress (tar/bzip)
tar cvjf .tbz 

# extract (tar/bzip)
tar xvjf .tbz

configure an email client on Red Hat Enterprise Linux

echo "message" | mail  -s "subject"
mail  -s "subject" 

use text and/or graphical browser to access HTTP/HTTPS URLs

  • elinks
  • lynx

use lftp to access FTP URLs

RHCT Skills Required

Troubleshooting and Maintenance

boot systems into different run levels for troubleshooting and system maintenance

Requirements for RHCT skills

Grub Boot loader

grub commands

a = append command
c = command line
b = boot into listed kernel
d = delete the current line
e = edit line
o = create next empty line
O = create empty line above

appending runlevel to grub command

Runlevel Description
0 Halts the system
1 Activates SELinux; runs /etc/rc.sysinit, which checks and mounts filesystems; executes all scripts in the /etc/rc1.d directory
single Single-user mode; activates SELinux; runs /etc/rc.sysinit, which checks and mounts filesystems
emergency Emergency boot mode; activates SELinux; mounts only the root (/) filesystem
init=/bin/sh Emergency boot mode; mounts only the root (/) filesystem
2 Multiuser mode with some networking; does not include some NFS functions, the automounter, or CUPS
3 Multiuser mode with networking; boots into a text login console
4 Generally unused; however, the defaults support near-identical settings to runlevel 3
5 Multiuser mode with the X Window; boots into an X-based login screen
6 Reboots the system

Incase init ramdisk missing of deleted

mkinitrd /boot/initrd-`uname -r`.img `uname -r`

troubleshooting boot problems with grub: to find boot loader file

 find /grub/stage1
(hd0,0): Filesystem type is ext3

diagnose and correct misconfigured networking

  1. check /etc/sysconfig/network
  2. check /etc/sysconfig/network-scripts/ifcfg-eth?
  3. service network restart
  4. chkconfig network on
  5. ifconfig -a
  6. ping
  7. netstat -nr
  8. ping
  9. ping

diagnose and correct hostname resolution problems

  1. check /etc/nsswitch.conf
  2. check /etc/resolv.conf
  3. check /etc/hosts
  4. dig @server google.com

configure the X Window System and a desktop environment

install X:

yum groupinstall "x window system"

install gnome:

yum groupinstall "gnome desktop environment"

To start from console / init 3:


init respawn /etc/X11/prefdm -nodaemon to keep X running in runlevel 5

X configuration:

  • /etc/sysconfig/desktop
  • /etc/X11/xinit/xinitrc
  • /etc/X11/xinit/Xclients
  • ~/.xinitrc
  • ~./Xclients

configuring display:

system-config-display [--reconfig]

configuring display (text mode):

Xorg -configure
Xorg -probeonly

(X Font Server) xfs is required:

service xfs start
chkconfig xfs on

For xfs error messages, check:

~/.xsession-errors or /var/log/messages
make sure /tmp and /home are not full

To change desktop environment:

yum install switchdesk

if switchdesk is not available, edit /etc/sysconfig/desktop:


To stop X without a reboot: Drop out to console

init 3
init 5

problems starting xclients, make sure DISPLAY vairable is correct:

 export DISPLAY=localhost:0.0

add new partitions, filesystems, and swap to existing systems

manage partitions
fdisk -l 
partprobe (for system to reread partition table after fdisk writes)


make filesystems:


label filesystems:

e2label /dev/sda6 /usr/local

find device from label:

findfs LABEL=

check/print filesystem info:


manage filesystem settings:


to print details:


add swap

add swap partition through fdisk (id 82), then

# add partition into /etc/fstab
swapon -va

create swap file:

dd if=/dev/zero of= bs=1024 count=
swapon -va
cat /proc/swaps

use standard command-line tools to analyze problems and configure system

df -hT
du -hs 

Installation and Configuration

RHCTs must be able to:

perform network OS installation

at the installation boot:

linux askmethod
linux ks=::/ks.cfg
linux ks=http://someserver/ks.cfg
linux ks=nfs:server:/ks.cfg
linux ks=ftp://server/ks.cfg

implement a custom partitioning scheme

configure printing

yum groupintall "Printing Support"
service cups start
chkconfig cups on

config: /etc/cups/cupsd.conf

Gui tool:


web config (classes):


command line tools:

# print file
# list job queue
# remove job
# list network printers
lpstat -a
# send job to remote printer
lpr -P  

configure the scheduling of tasks using cron and at



yum install vixie-cron
service crond start
chkconfig crond on
  1. if /etc/cron.allow exists, only these users are allowed (/etc/cron.deny is ignored)
  2. if /etc/cron.allow does not exist, everyone allowed except users in /etc/cron.deny
  3. if neither exists, only root allowed
  4. empty /etc/cron.deny means all users allowed (default)

edit user cron:

crontab -e

cron format:
 System crontab (/etc/crontab) has additional User field before command



yum install at
service atd start
chkconfig atd on
  1. if /etc/at.allow exists, only these users are allowed (/etc/at.deny is ignored)
  2. if /etc/at.allow does not exist, everyone allowed except users in /etc/at.deny
  3. if neither exists, only root allowed
  4. empty /etc/at.deny means all users allowed (default)
# add jobs
at now + 1 hour

at 09:00 2009-07-23


# list jobs

remove jobs

attach system to a network directory service, such as NIS or LDAP

redhat configuration tools:

authconfig-tui (commandline util)



yum install ypbind portmap
service ypbind start
chkconfig ypbind on

selinux – enable ypbind daemon to run with NIS:

setsebool -P allow_ypbind=1

to configure client, add the following to /etc/yp.conf:

domain nisdomain server 

 Remember to add the NISDOMAIN=domain variable into /etc/sysconfig/network

and verify the /etc/nsswitch.conf looks like:

password:    files nis
shadow:   files nis
group:   files nis

manage nis passwords:




yum install nss_ldap openldap openldap-clients

configuration: set the following in:

# /etc/ldap.conf
base dc=example,dc=com
ssl start_tls
nss_init, groups_ignoreusers root, ldap
# /etc/openldap/ldap.conf
BASE dc=example,dc=com
URI ldap://

verify settings in /etc/nsswitch.conf:

password:    files ldap
shadow:   files ldap
group:   files ldap

configure autofs

verify service is running:

service autofs start
chkconfig autofs on

verify the following line exists in /etc/nsswitch.conf:

automount: files nisplus

define an autofs-controlled mountpoint called test by adding the following to /etc/auto.master:

/test /etc/auto.test

create /etc/auto.test:

vi /etc/auto.test

reload autofs:

service autofs restart

try accessing:

ls /test/

# redhat defaults
ls /net/
ls /misc/cd

add and manage users, groups, quotas, and File Access Control Lists

 If the /etc/nologin file exists, regular users are not allowed to log into the local console. Any regular user that tries to log in gets to read the contents of /etc/nologin as a message

redhat user/group configuration tool:


manage users

/etc/passwd file format:


/etc/shadow file format:


command line user management:

userdel -r 
  • default account expiration settings in /etc/login.defs

manage groups

/etc/groups file format:


command line group management:




yum install quota

check quotas enabled in kernel:

grep "QUOTA" /boot/config-`uname -r`

add filesystem options to /etc/fstab:


remounting mount points after editing fstab:

mount -o remount 

initiate quota db:
quotacheck -cugm 

enable/disable quotas:


edit quotas:

edquota -u 
edquota -g 

 Remember quota limit in 1KB blocks

grace times:

edquota -ut
edquota -gt

check / reports:

repquota -aug

enable quotas for all users with copied template from me:

edquota -p spun `awk -F: '$3 > 499 {print $1}' /etc/passwd'

access control lists


yum install acl

check default mount options on block:

dumpe2fs /dev/sda2 | grep acl

apply acl to block:

tune2fs -o acl /dev/sda2

 Partitions created on install automatically mounted with acl

edit fstab to add fs option:


remount device:

mount -o remount 

on home dirs:

chmod 701 /home/
setfacl -m mask: 

manage acls:

# set acls
setfacl -m [d:]u:: 
setfacl -m [d:]g:: 

# get acls

# remove acls
setfacl -x u: 
setfacl -x g: 
setfacl --remove-all 
setfacl --remove-default 

configure filesystem permissions for collaboration

create group:

groupadd -g # 

add users to group:

usermod -g  

chown dir:

chown root: 

chmod dir SGID:


install and update packages using rpm


rpm -ivh 


rpm -Uvh 


rpm -Fvh 


rpm -e 

query by filename:

rpm -qf /path/to/file

verify file:

rpm -Vf /path/to/file

query all installed:

rpm -qa

Find out what files have been modified since package install

rpm -qf /etc/inittab
rpm -V -p init-scripts*.rpm

query all files associated

rpm -ql squid | grep ncsa

 while inside the rescue environment, use the –-root option to specify the real location of your root file system (e.g. –-root=/mnt/sysimage).

properly update the kernel package

install new kernel:

yum install kernel
rpm -ivh 

check grub conf has been updated:

less /boot/grub/grub.conf

configure the system to update/install packages from remote repositories using yum or pup

edit the yum repo conf /etc/yum.repos.d/:

name=the name of your repo

modify the system bootloader

  • Main configuration is in /boot/grub/grub.conf
  • see examples in /usr/share/doc/grub-*/menu.lst
  • /boot/grub/grub.conf = default=0 (references system kernel to boot into)

to create new init ram disk:

mkinitrd /boot/initrd-`uname -r`.img `uname -r`

implement software RAID at install-time and run-time

to use software raid, we need two devices/partitions set to “linux raid autodetect”, use fdisk and set partition type to “fd”

create a raid device:

mdadm --create /dev/md0 -a yes --level= --raid-devices=2 /dev/sda7 /dev/sda8

 Watch the -a yes for udev to create device file on reboot

format raid device:

mkfs.ext3 /dev/md0

remove disk from array:

mdadm /dev/md0 --remove 

add disk to array:

mdadm /dev/md0 --add 

fail a disk:

mdadm /dev/md0 --fail 

stop array:

mdadm --stop /dev/md0

check status:

mdadm --detail /dev/md0
cat /proc/mdstat

 Remember to add raid device into /etc/fstab and check mounting device

use /proc/sys and sysctl to modify and set kernel run-time parameters

config in /etc/sysctl.conf

# search for options
sysctl -a | grep 

use scripting to automate system maintenance tasks

 Need to look into what is reqired here ?

configure NTP for time synchronization with a higher-stratum server

Redhat config tool:


config file locate /etc/ntp.conf

configuration server example:

server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org

apply changes after config change:

service ntpd restart
chkconfig ntpd on

verify changes:

ntpq -p

RHCE Skills Required

Troubleshooting and System Maintenance

use the rescue environment provided by first installation CD

boot into rescue mode:

linux rescue
  • when working in non-chrooted environment:
    • mount /dev/hdc /mnt/cdrom to access install dvd
    • rpm commands require -root=/mnt/sysimage

manually make /dev and /proc available in chrooted mode:

mount -o bind /dev /mnt/sysimage/dev
mount -o bind /proc /mnt/sysimage/proc

diagnose and correct boot failures arising from bootloader, module, and filesystem errors

check the following in order:

  • MBR
  • /boot/grub/grub.conf
  • /etc/fstab
  • /etc/inittab
  • /etc/rc.d/rc.sysinit
  • /etc/rc.d/rc?.d
  • /etc/rc.d/init.d/*
  • /etc/rc.d/rc.local

grub errors

  • in general, use the last line before the error message to see where grub error'd out
  • to find correct value for root option, type find /grub/stage1 at the grub command line ( remember that all file names in grub.conf are relative to the root option)
  • check for missing files in kernel and/or initrd lines

kernel errors

  • missing/corrupt initrd file results in: kernel panic - not syncing: vfs: unable to mount root fs on unknown-block
  • invalid root parameter for kernel results in: setuproot: error mounting /proc: No such file or directory

reinstall grub on MBR:


new initrd:

mkinitrd /boot/initrd-`uname -r`.img `uname -r`

corrupt filesystem:


if fsck is unable to locate a superblock, you can specify an alternative one: :

fsck -b  

diagnose and correct problems with network services (see Installation and Configuration below for a list of these services)

check which process on listening on what port:

netstat -ntaupe | grep LIST

add, remove, and resize logical volumes

redhat lvm tool:


create physical volume partition:

Command (m for help) : t
Partition number (1-4)
Partition ID (L to list options): 8e
Command (m for help) : w

create physical volume:


create volume group:


extend volume group:


create logical volume:

lvcreate --size 10G --name  
mkfs.ext3 /dev//
# add to /etc/fstab

extend logical volume:

lvextend --size 12G /dev//
resize2fs /dev//

shrink logical volume:

resize2fs  M
lvreduce --size M 

remove logical volume:


display volumegroup info:


diagnose and correct networking services problems where SELinux contexts are interfering with proper operation

enable/disable SELinux in /etc/sysconfig/selinux:


install setroubleshoot:

yum install setroubleshoot
service setroubleshoot start
chkconfig setroubleshoot on

install selinux management tool:

yum install policycoreutils-gui

redhat selinux management tool:


change selinux status:


launch setroubleshoot gui browser:

sealert -b

list selinux booleans:

getsebool -a

list selinux errors:

sealert -a /var/log/ | less

set selinux boolean:

setsebool -P  = 

list security contexts:

ls -Z 

change security contexts:

# using reference (copy contexts from existing known-good file)
chcon -R --reference  

# manual
chcon -R -u  
chcon -R -t  

Installation and Configuration



yum install httpd mod_ssl
chkconfig httpd on

start/stop apache:

apachectl start/stop/graceful/restart


chcon -R -u system_u 
chcon -R -t httpd_sys_context_t 
chcon -R --reference /var/www 


cd /etc/pki/tls/certs
make httpd.crt ## include passphrase

#decrypt key
openssl rsa -in httpd.key -out decrypted.key
mv decrypted.key ../private/httpd.key

basic config

  • ~user/ requirements
    • UserDir directive
    • chmod 701 homedir
    • change security context on user homedir
    • chmod 705 /home/user/public_html
  • .htaccess requirements
    • AllowOverride All directive
  • NameBasedVitual Hosts requirements
    • NameVirtualHost *:80 NameVirtualHost *:443 to be specified in /etc/httpd/conf/httpd.conf
    • Each virtual host needs = ServerAdmin / DocumentRoot / ServerName / ErrorLog / CustomLog
    • logs are in logs/
httpd -S
httpd -t

host-based security

Ports: 80/443 TCP

Firewall Edit:


hosts are allowed by default and will need to be explicitly denied:

     Order deny,allow
     Deny from
     Deny from somedomain.com

hosts are denied by default and need to be allowed:

     Order allow,deny
     Allow from
     Allow from somedomain.com

user-based security

Web Password file

htpasswd -c /path/to/file 
htpasswd /path/to/file 

Web group file /path/to/groupfile: testgroup: user1 user2

Access configuration users

     AuthType basic
     AuthName "locked site"
     AuthUserFile /path/to/userfile
     Require user user1

Access configuration groups

     AuthType basic
     AuthName "locked site"
     AuthUserFile /path/to/userfile
     AuthGroupFile /path/to/groupfile
     Require group testgroup

verify service functionality

elinks ://address



yum install samba samba-client
service smb start
chkconfig smb on


Enable shared home dirs:

setsebool -P samba_enable_home_dirs=1

Mark directory sharable with samba:

chcon -R -t samba_share_t 

basic config

Redhat samba configuration tool:

yum install system-config-samba

Set samba workgroup/domain:

workgroup = 

if no wins server available, enable:

wins support = yes

security modes:

# check the local pwdb (default)
security = user

# member server of a domain (uses DC as pwdb)
security = domain
password server = 
workgroup = 

# member of active directory domain
security = ads
password server = kerberos.domain.com

# use pwdb on another server thats not a DC
security = 

share options:

# path for share
path =  

# share is visible 
browseable = 

# rw enabled
writeable = 

# this is a shared printer
printable = 

# all users connecting to this share use  as their primary group
group = 

join domain:

net rpc join -U root

fstab example:

///     cifs    user=,pass=    0 0

mount commands:

# root only
mount -o username= "//server/share" 
# users mount command
/sbin/mount.cifs //server/share  -o username=

 /sbin.mount.cifs & /sbin/umount.cifs require a chmod u+s to allow to be used by non-root users

host-based security


protocol port
tcp 139,445
udp 137,138

hosts allow/deny can be used per-server or per-share:

hosts allow =
hosts deny =

user-based security

account maintenance:

# add account (local linux account must exist first, or be translated via /etc/samba/smbusers):
smbpasswd -a 

# enable/disable account:
smbpasswd -e 
smbpasswd -d 

# remove account:
smbpasswd -x 

 service smb reload may be needed after account changes

verify service functionality

list shares:

smbclient -L  -U 

browse shares:

smbclient /// -U 

test allow/deny statements for a host:

testparm /etc/samba/smb.conf  



yum install portmap nfs-utils
service nfs start
chkconfig portmap on
chkconfig nfs on
chkconfig nfslock on
chkconfig netfs on


Support for read-write access:

setsebool -P nfs_export_all_rw=1

basic config

redhat tool:

yum install system-config-nfs

/etc/exportfs format:

 () [() ...]

activate exports:

service nfs restart

host-based security

  • edit /etc/sysconfig/nfs to set static ports, and restart
  • set host / network restrictions per export in /etc/exports

Add the following to /etc/hosts.allow:


firewall config:

# see ports (include ALL tcp-udp ports)
rpcinfo -p

user-based security

use normal file permissions

verify service functionality

list exports:

showmount -e 



yum install vsftpd
service vsftpd start
chkconfig vsftpd on


allow local users to login to ftp and access local home dir:

setsebool -P ftp_home_dir=1

Configure non-standard directory for ftp ro/rw:

chcon -R -t public_content_t 
chcon -R -t public_content_rw_t 

To enable write access for anonymous users, set directory with the following, and enable the following boolean:

chcon -R -t public_content_rw_t 
setsebool -P allow_ftpd_anon_write=1

host-based security

  • use iptables -s !
    to block hosts
protocol port
tcp 21

 ftp data transfers will not work unless ip_conntrack_ftp is added to IPTABLES_MODULES in /etc/sysconfig/iptables-config


vsftpd : 192.168.1.

user-based security

  • allow/deny controlled via /etc/vsftpd/user_list ( users in /etc/vsftpd/ftpusers are always denied via pam)
  • default allow/deny is configured by userlist_deny statement in vsftpd.conf

verify service functionality


Squid Proxy


yum install squid
chkconfig squid on

basic config

vi /etc/squid/squid.conf


# deny sites
acl baddomains dstdomain .microsoft.com
acl baddomains dstdomain .hotmail.com

acl our_network src

http_access deny baddomains
http_access allow out_networks


Allow squid daemon to connect to the network:

setsebool -P squid_connect_any=1

host-based security

firewall config:

protocol ports
tcp 3128

to configure NAT to listen on port 8080:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j REDIRECT --to-ports 3128

allow access from local networks:

acl our_networks src
http_access allow our_networks

user-based security

The following requires a web browser to test

edit the configuration /etc/squid/squid.conf:

# enable the following auth_param options
auth_param basic program /usr/lib/squid/ncsa_auth /usr/etc/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# change the acl to reflect auth_param
acl  proxy_auth REQUIRED

# finally edit the http_access line
http_access allow 

Allow squid to read htpasswd file:

chmod o+s /usr/etc/passwd

verify service functionality

squid -z
service squid start
HTTP_PROXY=hostname:port elinks



yum install postfix
service sendmail stop
chkconfig sendmail off
alternatives --config mta
service postfix start
chkconfig postfix on

basic config

enable the following in /etc/postfix/main.cf

myhostname = 
mydomain = 
myorigin = $mydomain
inet_interfaces = all
mynetworks =,

mail aliases /etc/aliases:

: ,

 Remember to run newaliases command

vitual aliases hash:/etc/postfix/virtual:

: ,
# enable virtual aliases in main.cf:
virtual_alias_maps = hash:/etc/postfix/virtual

 Remember to postmap hash:/etc/postfix/virtual

outbound address rewriting in hash:/etc/postfix/generic:

@ @
# enable outbound rewriting in main.cf
smtp_generic_maps = hash:/etc/postfix/generic

 Remember to postmap hash:/etc/postfix/generic

host-based security

  • use iptables -s !
    to block hosts
protocol port
tcp 25

user-based security

copy postfix configuration from doc example /usr/share/doc/postfix-*/README_SASL*, and make sure MECH=PAM is configured in /etc/sysconfig/saslauthd

enable saslauthd:

service saslauthd start
chkconfig saslauthd on

restart postfix:

postfix reload

verify service functionality

test smtp:

telnet  25
ehlo me
# check for 250-AUTH ... info



yum install dovecot
service dovecot start
chkconfig dovecot on


enable which protocols are to be used:

protocols = "list of protocols"

create the ssl certificate:

# edit cert settings
vi /etc/pki/dovecot/dovecot-openssl.cnf
service dovecot restart

host-based security

  • use iptables -s !
    to block hosts
protocol port
tcp 143,110,995,993

user-based security

use pam_listfile in /etc/pam.d/dovecot

verify service functionality

test mailbox access:

mutt -f ://@



yum install openssh-server
chkconfig sshd on

host-based security

enable only local network through firewall (iptables):

# first we need to remove last reject rule
cat /etc/sysconfig/iptables
# Copy bottom reject rule to clipboard
iptables -D 
iptables -A  -s -p tcp --dport 22 -j ACCEPT
iptables -A 
service iptables save

firewall config:

protocol ports
tcp 22

tcp_wrappers example:

sshd : 192.168.0.

user-based security

allow/deny user access:

AllowUsers user1 user2 user3@example.com
DenyUsers user4 user5 user6@example.com

verify service functionality

test logging in:

ssh @



yum install bind-chroot caching-nameserver
service named start
chkconfig named on

basic config

copy sample config:

cp -a /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.conf

caching-only nameserver:

  • edit listen-on directives (comment out to listen on all interfaces)
  • edit allow-query directives (comment out allow queries from everyone)
  • edit match-clients and match-destinations directives to allow recursive queries from other hosts

slave nameserver:

  • get slave example from /usr/share/doc/bind-*/sample/etc/named.conf

allow named to write in working directory:

setsebool -P named_write_master_zones=1
-host-based security

firewall config:

protocol ports
tcp 53
udp 53

allow-query example:

allow-query {; localnets; };

user-based security


verify service functionality

test query:

dig @ 

test zone transfer:

dig @  axfr



yum install ntp
service ntpd start
chkconfig ntpd on

basic config

host based security

firewall config:

protocal port
udp 123

allow others to sync with us:

restrict mask nomodify notrap

user-based security


verify service

show peers:

ntpq -p

Additional Study Notes

RHCEs must also be able to:

configure hands-free installation using Kickstart

yum install system-config-kickstart
  1. make installation tree available
  2. create kickstart file (use system-config-kickstart to create ks.cfg) and validate (using ksvalidator)
  3. validate kickstart file
  4. make kickstart file available
    • bootable diskette (place in top level directory)
    • bootable cdrom (place in top level directory)
    • network (http, ftp, nfs)
  5. use bootable media and supply appropriate kernel parameter

implement logical volumes at install-time

use iptables to implement packet filtering and/or NAT

 do not use system-config-securitylevel, as it will overwrite your custom iptables rules. the following method seems to be the best way to go:

  1. make changes in /etc/sysconfig/iptables
  2. run /etc/init.d/iptables restart to apply changes

packet filtering

packet filtering example:

-A  -p  -m  [-s[!] ] --dport  -j ACCEPT


enable ip forwarding in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

to test from another machine:

ip route replace default via 

inbound dnat:

iptables -t nat -A PREROUTING -p  --dport  -j DNAT --to-dest :

outbound dnat:

iptables -t nat -A OUTPUT -p  --dport  -j DNAT --to-dest :


iptables -t nat -A POSTROUTING -o  -j MASQUERADE


iptables -t nat -A POSTROUTING -j SNAT --to-source :

use PAM to implement user-level restrictions

module documentation

  • /usr/share/doc/pam-*/txts

module configuration

  • /etc/pam.d
  • /etc/security
module interface description
auth user authentication (e.g. verifies password, set group membership or kerberos tickets, etc.)
account verifies that access is allowed (e.g. expired account?, check group membership, etc.)
password handles password changes
session manages user sessions (e.g. mount home dir, create mailbox, logging, etc.)
control flag description
required must pass, continue testing on failure
requisite must pass, stop testing on failure
sufficient failure is ignored, but if passing so far, return success at this point
optional pass or failure is irrelevant
include include another file

pam_listfile.so example

allow/deny users if listed in /etc/special:

auth required pam_listfile.so onerr=success item=user sense= file=/etc/special


file format:

 :  [except ] [: 

search order:

  1. /etc/hosts.allow
  2. /etc/hosts.deny
  3. allow by default

 searching stops on first match

 Make sure to append “ALL: ALL” into /etc/hosts.deny

installation consoles

Shortcut Console
CTRL-ALT-F1 Text installation display; if you're running in graphical mode, it includes the basic commands to start graphics drivers
CTRL-ALT-F2 Accesses a bash shell prompt; available after the first few installation steps
CTRL-ALT-F3 Lists the log of installation messages; if network problems occur, you may see related messages here
CTRL-ALT-F4 Displays all kernel messages, including detected hardware and drivers
CTRL-ALT-F5 Installation displays partition formatting; nothing is shown here until Anaconda formats the actual partitions
CTRL-ALT-F6 Graphical installation display; active only if you're running the installation program in graphical mode (was formerly available from
CTRL-ALT-F7 Naturally, if you're installing in text mode, nothing is shown in this console


unable to log in

  • password wrong or expired?
  • account locked?
  • shell set to /sbin/nologin, /bin/false, etc.?
  • user and PermitRootLogin no in /etc/ssh/sshd_config?
  • root user and terminal not listed in /etc/securetty?
  • non-root user and /etc/nologin exists?
  • check pam_listfile restrictions

source: http://wiki.unixjournal.org/doku.php?id=rhce