RHEL 7 and CentOS 7


My notes on using RHEL 7 and CentOS 7

firewalld

If iptables isn't in your PATH, you can still run it by its full path /sbin/iptables. However, RHEL/CentOS wants you to use firewalld and its user-friendly firewall-cmd frontend instead, so you may want to start using this to earn some hipster points 😉. Interestingly enough, firewalld uses iptables behind the scenes to manipulate netfilter in the Linux kernel (newer firewalld releases, from RHEL 8 on, default to an nftables backend instead). Be aware that rules you add by hand with iptables are not tracked by firewalld and don't survive a firewalld restart; if you really need raw rules, add them through firewalld's direct interface (firewall-cmd --direct) so it knows about them.

List all firewall rules (for the default zone; add --zone=ZONE for another zone, or use --list-all-zones to see every zone)

# firewall-cmd --list-all

Open up port 80 (http)

First make sure public is the right zone by running --get-active-zones, then add port 80. Note that --permanent only writes the saved configuration: the running firewall doesn't change until you run firewall-cmd --reload, or repeat the command without --permanent. (For a well-known service, --add-service=http is equivalent to opening 80/tcp.)

# firewall-cmd --get-active-zones
public
  interfaces: enp0s3
# firewall-cmd --permanent --zone=public --add-port=80/tcp

Add a network interface to an existing zone

If firewalld is running and an interface isn't assigned to any zone, its traffic isn't blocked; it is handled by the default zone (firewall-cmd --get-default-zone, normally public). To put the interface in a specific zone, for instance a more restrictive one, add it explicitly. As with ports, --permanent doesn't touch the running firewall until --reload, or until you run the command once more without --permanent:

# firewall-cmd --permanent --zone=public --add-interface=enp0s8
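The two steps above (look up which zone an interface is in, then open a port in that zone, at runtime and permanently) are tied together in this added shell example. It is not from the original notes: it parses a constructed --get-active-zones output and only prints the firewall-cmd commands, so it can be run on a machine without firewalld; interface names and zones are hypothetical.

```shell
#!/usr/bin/env bash
# Added example for these notes (not from the original page): resolve which
# zone an interface belongs to from `firewall-cmd --get-active-zones` output,
# then print the commands that open a port in that zone both at runtime and
# permanently. Interface names, zones and the sample output are constructed.

# Constructed sample of `firewall-cmd --get-active-zones` output (hypothetical
# layout with two active zones).
SAMPLE_ACTIVE_ZONES='public
  interfaces: enp0s3
internal
  interfaces: enp0s8 enp0s9'

# zone_for_interface IFACE  (reads --get-active-zones output on stdin)
# Prints the zone whose "interfaces:" line lists IFACE; exit 1 if none does,
# which means IFACE is handled by the default zone (firewall-cmd --get-default-zone).
zone_for_interface() {
    awk -v iface="$1" '
        /^[^ \t]/ { zone = $1; next }          # unindented line: a zone name
        /^[ \t]+interfaces:/ {
            for (i = 2; i <= NF; i++)
                if ($i == iface) { print zone; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# open_port_cmds ZONE PORT/PROTO
# --permanent alone only updates the saved configuration; the running
# firewall is unchanged until --reload, so the rule is issued twice: once for
# the runtime and once for the permanent config.
open_port_cmds() {
    printf 'firewall-cmd --zone=%s --add-port=%s\n' "$1" "$2"
    printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$1" "$2"
}

# plan_open_port IFACE PORT/PROTO [ACTIVE_ZONES_OUTPUT]
# Prints the commands for IFACE's zone. Without the third argument it queries
# the live firewalld. Exit 2: IFACE is in no active zone; pick the zone yourself.
plan_open_port() {
    local iface=$1 port=$2 zones zone
    zones=${3:-$(firewall-cmd --get-active-zones)} || return 1
    zone=$(printf '%s\n' "$zones" | zone_for_interface "$iface") || return 2
    open_port_cmds "$zone" "$port"
}

# Demo on the constructed sample; nothing here touches a real firewall.
# Pipe the output to `sh` as root to apply it.
plan_open_port enp0s8 80/tcp "$SAMPLE_ACTIVE_ZONES"
```

On a real box, drop the third argument so plan_open_port reads the live zones; the exit status 2 case is the one to watch, because an interface in no active zone silently falls under the default zone rather than being blocked.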


SELinux

Get SELinux status

# sestatus

Create a SELinux policy module for a service that's currently blocked

On RHEL/CentOS the audit daemon logs what processes try to do, including every SELinux denial (the AVC messages), in /var/log/audit/audit.log. If a process doesn't work properly and sestatus says enforcing, look in that log for denials naming it. audit2allow (from the policycoreutils-python package on RHEL 7) can turn those denials into a policy module: a .te source file plus a compiled .pp that you install with semodule -i. The log is only readable by root, and the module will allow every denial found for that name, so read the generated .te file before installing it; a denial caused by a mislabeled file or port is better fixed by relabeling (restorecon, semanage fcontext or semanage port) than by a blanket allow rule.

Here I'm using mybinary as an example:

# grep mybinary /var/log/audit/audit.log | audit2allow -M mybinary

This creates mybinary.te (the readable source) and mybinary.pp, which can be applied using:

# semodule -i mybinary.pp
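Before generating a module it pays to see exactly which denials audit2allow would turn into allow rules. The following shell example is added here and is not from the original notes: it summarises the AVC lines for one process from constructed audit.log lines (process names, contexts, pids and inodes are hypothetical), and wraps the real audit2allow step behind a check that only runs on a box where the tool exists.

```shell
#!/usr/bin/env bash
# Added example for these notes (not from the original page): summarise the
# AVC denials recorded for one process before turning them into a policy
# module, so you can see exactly what audit2allow would permit. The log
# lines below are constructed; process names, contexts, inodes and pids
# are hypothetical.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1420070400.101:201): avc:  denied  { read } for  pid=1234 comm="mybinary" name="app.conf" dev="dm-0" ino=9001 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1420070400.101:201): arch=c000003e syscall=2 success=no exit=-13 a0=7f1 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1234 comm="mybinary" exe="/usr/local/bin/mybinary" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1420070400.102:202): avc:  denied  { name_bind } for  pid=1234 comm="mybinary" src=8080 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1420070400.103:203): avc:  denied  { write } for  pid=4321 comm="otherd" name="shadow" dev="dm-0" ino=77 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# avc_summary COMM  (reads audit.log lines on stdin)
# Prints one line per AVC denial whose comm= is COMM:
#   <permissions> <tclass> <source context> -> <target context>
# Exit 1 if there is no denial for COMM.
avc_summary() {
    awk -v comm="$1" '
        $1 == "type=AVC" {
            perms = ""; inset = 0; split("", kv)
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { inset = 1; continue }      # start of { perm ... }
                if ($i == "}") { inset = 0; continue }
                if (inset) { perms = perms (perms == "" ? "" : ",") $i; continue }
                n = index($i, "=")
                if (n) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
            }
            gsub(/"/, "", kv["comm"])
            if (kv["comm"] != comm) next
            printf "%s %s %s -> %s\n", perms, kv["tclass"], kv["scontext"], kv["tcontext"]
            found++
        }
        END { exit found ? 0 : 1 }'
}

# build_module COMM
# Only once the summary looks right: generate COMM.te/COMM.pp from the real
# audit log. Review COMM.te before `semodule -i COMM.pp`; a denial on a
# mislabeled file or port is usually better fixed with restorecon or
# semanage than with a new allow rule.
build_module() {
    command -v audit2allow >/dev/null 2>&1 || { echo "audit2allow missing (policycoreutils-python)" >&2; return 1; }
    ausearch -m avc -c "$1" --raw | audit2allow -M "$1"
}

# Demo on the constructed log; build_module is not run here.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary mybinary
```

In the constructed sample the two denials for mybinary tell different stories: the read on a user_home_t file points at a config file that should live under /etc (or be relabeled), and the name_bind on port 8080 is what semanage port is for. Neither needs a custom allow rule, which is exactly the kind of thing a blind grep | audit2allow -M would paper over. build_module uses ausearch rather than grep so that only AVC records for that comm reach audit2allow.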

Turn off SELinux

setenforce 0 switches to permissive mode right away: denials are still logged but no longer enforced, which is usually all you need for debugging, and it doesn't persist across a reboot. Setting SELINUX=disabled in /etc/selinux/config only takes effect at the next boot, and if you disable SELinux and later turn it back on the filesystem has to be relabeled (touch /.autorelabel, then reboot), so prefer SELINUX=permissive over disabled when you just want it out of the way:

# setenforce 0
# sed -i 's#^SELINUX=enforcing#SELINUX=disabled#' /etc/selinux/config


Networking

View routing table

route comes from the net-tools package, which isn't installed by default, so there's no /sbin/route. Instead:

$ ip route list

View interfaces and IP addresses

ifconfig is net-tools as well, so there's no /sbin/ifconfig either. Instead:

$ ip addr

View network interfaces

$ ip link

View which ports are open/listening

netstat is also part of net-tools, so it isn't there, but ss is. ss takes similar flags (-n numeric, -u UDP, -t TCP, -l listening sockets, -p owning process), so to list everything listening on a port I do:

# ss -nutlp

Run it as root: with -p, ss only shows the process for sockets owned by your own user.
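What you usually want from that listing is not every socket but the ones reachable from outside, i.e. bound to a wildcard address rather than loopback. This added shell example (not from the original notes) reads ss -nutlp output and reports exactly those; the sample output is constructed, with hypothetical pids and processes, and it accepts both the "*" / ":::22" wildcard spelling printed by RHEL 7's iproute2 and the "0.0.0.0" / "[::]" spelling of newer releases.

```shell
#!/usr/bin/env bash
# Added example for these notes (not from the original page): read `ss -nutlp`
# output and report the listeners bound to a wildcard address, i.e. the ones
# reachable from every interface, as opposed to loopback-only services.
# The sample output is constructed; pids and processes are hypothetical.
# RHEL 7's iproute2 prints wildcards as * and :::PORT, newer releases as
# 0.0.0.0:PORT and [::]:PORT; both spellings are handled.

SAMPLE_SS='Netid State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
udp   UNCONN     0      0         *:68                    *:*                   users:(("dhclient",pid=1234,fd=6))
tcp   LISTEN     0      128       *:22                    *:*                   users:(("sshd",pid=987,fd=3))
tcp   LISTEN     0      100    127.0.0.1:25                    *:*                   users:(("master",pid=1111,fd=13))
tcp   LISTEN     0      128      :::22                   :::*                   users:(("sshd",pid=987,fd=4))
tcp   LISTEN     0      128      ::1:25                  :::*                   users:(("master",pid=1111,fd=14))
tcp   LISTEN     0      128    0.0.0.0:9090                0.0.0.0:*                 users:(("prometheus",pid=2222,fd=7))'

# exposed_listeners  (reads ss -nutlp output on stdin)
# Prints "<proto> <port> <process> <bind address>" for every listening
# socket bound to all addresses. The process column is "-" when ss could
# not show it, which happens for other users' sockets unless you run as root.
exposed_listeners() {
    awk '
        $2 == "LISTEN" || $2 == "UNCONN" {
            # The last colon separates address from port (IPv6 has its own colons).
            if (!match($5, /:[^:]*$/)) next
            addr = substr($5, 1, RSTART - 1); port = substr($5, RSTART + 1)
            if (addr != "*" && addr != "0.0.0.0" && addr != "::" && addr != "[::]") next
            proc = "-"
            if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
            printf "%s %s %s %s\n", $1, port, proc, addr
        }'
}

# Demo on the constructed sample. On a real host: ss -nutlp | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

In the sample, postfix on 127.0.0.1:25 and ::1:25 is dropped while sshd and the hypothetical prometheus exporter on 0.0.0.0:9090 are reported; each reported line is something that needs either a firewalld rule or a bind address change.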

Bring up a network interface without using network-scripts

To persist network interface configuration, you create a file matching your interface, e.g. /etc/sysconfig/network-scripts/ifcfg-enp0s3. If you want to restart neither the network subsystem (systemctl restart network) nor the computer, you can bring the interface up manually with ip and dhclient like this:

# ip link set dev enp0s3 up
# dhclient -v enp0s3

A dhclient started by hand keeps running in the background and isn't tracked by NetworkManager or the network service, so stop it before you restart either of those once the ifcfg file is in place.

Licensed under CC BY Creative Commons License ~ ✉ torstein.k.johansen @ gmail ~ 🐘 @skybert@hachyderm.io ~ 🐦 @torsteinkrause