For my setup, I also added the Red Hat VM to the Windows 2008 r2 Active Directory Domain.  You may choose not to do this, but your steps may be different that what I outline here.  I have NOT setup any UNIX schema in Active Directory or installed any 3rd party software on the Domain Controllers.  The AD schema is how it comes out of the box (for the purposes of this article)

Please note, this tutorial assumes you have root privileges and that SELinux is NOT in enforcing mode.

Packages

Here are the packages that I installed during this process.  I am not 100% sure they are all required, but I’m pretty sure they are  Feel free to test.  This setup is currently in testing, and if I move it to production, I will definitely outline which packages are actually required.

• httpd-2.2.15-15.el6_2.1.x86_64
• mod_auth_kerb-5.4-9.el6.x86_64
• mod_authz_ldap-0.26-15.el6.x86_64
• openldap-clients-2.4.23-26.el6_3.2.x86_64
• openldap-2.4.23-26.el6_3.2.x86_64

• samba-winbind-clients-3.5.10-125.el6.x86_64
• samba-client-3.5.10-125.el6.x86_64
• samba-common-3.5.10-125.el6.x86_64
• samba-winbind-3.5.10-125.el6.x86_64
• samba-3.5.10-125.el6.x86_64

Step 1

After we have all of our packages install, we need to update the [global] section of /etc/samba/smb.conf

client ntlmv2 auth = yes
client use spnego principal = no
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab

The first two lines are for Network Level Authentication, which is the more secure / modern way of connection to Windows 2008 server systems.  This is required for adding the webserver to the domain.  If your domain does not implement ntlvm2 authentication, then you should probably leave this line out.

The second two lines are for designating a keytab file for kerberos.  I’m not 100% sure this step is required, or is the best setup, but seems to work.

Also, we want to add the following to /etc/openldap/ldap.conf

REFERRALS off

This is required to ignore referral results from our ldap searches, which is how Apache will determine if a user is authorized or not.

Step 2

Next, let’s add our system to Active Directory using the authconfig-tui command.  Be mindful of the choices and how they may affect your setup.  Naturally, you must have an account on the domain that has permissions to add hosts.  Also, DNS must be setup properly on your CentOS / RHEL 6 machine.

Options:

1. User Information
   1. Use Winbind
2. Authentication
   1. Use Shadow Passwords
   2. Use Winbind Authentication
   3. Local Authorization is sufficient
3. Security Model: ads
4. Domain: EXAMPLE
5. Domain Controllers: DC1.EXAMPLE.COM
6. ADS Realm: EXAMPLE.COM
7. Template Shell: /sbin/nologin
8. Select Join Domain
   1. Enter just username, no domain
   2. Enter Password
   3. Save
   4. Select OK

You can and should enter more than one domain controller if available.  Unlike a Windows machine, Linux will only use whichever Domain Controller(s) you specify.  Please note the ALL CAPS for steps 4-6.

After the machine has been added to the domain, you should run the following command to tell winbind to use our default domain for identify / authenticating AD users:

authconfig –update –enablewinbindusedefaultdomain

Step 3

Setup Kerberos keytab for Apache’s user.

Here’s the deal:  Apache will need an AD user that has read access to directory structure in order to use the LDAP search function to limit users by id or group (or whatever else).  So, we must setup a new (or use an existing) user in AD.  I’m going to leave that part up to you to figure out, as I write Linux tutorials, not Windows .  Anyway, note the new username and password.

Now, we need get a kerberos ticket for our AD user:

kinit mydomainuser

Next, create the keytab entry:

net ads keytab add HTTP -U mydomainuser

And finally, let’s give our apache user read privileges to our keytab file:

chmod g+r /etc/krb5.keytab && chgrp apache /etc/krb5.keytab

Step 4

Finally, it’s time to setup our Apache config.  This is the trickiest part, and may take some patience to get nailed down correctly.

Add the following to a VirtualHost or your default config for Apache:

LogLevel debug
 <Directory />
 AuthType Kerberos
 KrbMethodNegotiate On
 AuthName "EXAMPLE.COM Domain Login"
 KrbMethodK5Passwd On
 KrbAuthRealms EXAMPLE.COM
 Krb5KeyTab /etc/krb5.keytab
 KrbLocalUserMapping on
 require valid-user

 AuthLDAPURL "ldap://dc1.example.com/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"
 AuthLDAPBindDN mydomainuser@example.com
 AuthLDAPBindPassword myPassW0rd
 require ldap-group CN=Domain Users,CN=Users,DC=example,DC=com
 </Directory>

Okay, a little about this section.  The first line LogLevel debug is an apache directive that will give us more useful information in our error log for troubleshooting.  I recommend using this as it will tell you where the problem may be during this ironing-out process.

Next, the Directory / line in html brackets tells us which directory our authentication statements apply to.  ”/” is equal to the document root of the webserver, default /var/www/html or of the virtual host.

The next section is our Kerberos section.  This are the settings for EXAMPLE.COM (note the CAPS).  Of special note, the KrbLocalUserMapping on line tells apache that we’re going to trim the @EXAMPLE.COM portion of the name Kerberos gives us, which is important for the next section.

Finally, we have our LDAP section.  This is where things get sticky.  The first line is our ldap search string.  Here, we’re connecting to our domain controller, and searching for sAMAccountName in the specified location.  To the best of my knowledge, sAMAccountName is what our Kerberos section above gives us.

The next two lines should be self explanatory.

The last line tells Apache that we need to require a group from the ldap search output.  In our example, we want only users that are part of the “Domain Users” group to be able to access the webpage.  This can be any group, but it must be the exact dn from AD.  Note, spaces don’t seem to affect this line.  How do you get this line?  We’ll, that’s the tricky part.

I recommond using the following command

ldapsearch -H ldap://dc1.example.com -b “dc=example,dc=com” -W “domain users” > /root/ldapsearch.out

The console will appear to just sit there after entering that command, but it’s actually waiting for the password of the domain user we requested the ticket for earlier.  After you enter your password, press return.  The search should return all objects that have a reference of domain users.  Then, you should be able to search the output results (using vi  or less) for Domain Users, using the ‘/’ key

Want to have Apache use LDAP over TLS?  Check here:  http://people.adams.edu/~cdmiller/posts/Apache2-mod-authnz-ldap-TLS/

Sources:

Big thank you to the following pages that I used to sort through this madness:

http://blogs.freebsdish.org/tmclaugh/2010/07/15/mod_auth_kerb-ad-and-ldap-authorization/

http://www.tuxevara.de/2012/06/apache-authnz_ldap-and-active-directory/

http://www.microhowto.info/howto/configure_apache_to_use_kerberos_authentication.html

http://acksyn.org/?p=460

http://sl.mvps.org/docs/LinuxApacheKerberosAD.htm

Resources:

http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-install/The-Keytab-File.html

http://kb.iu.edu/data/aumh.html

After registering and downloading the appropriate file from VMWare, you’re left with a file that ends in .gz.  No, this is not an executable, this is a gzipped tar file, named outside of the regular conventions.  This should have been my first indication I was headed for a mild amount of hair pulling.

Step 1

Untar the archive:  tar zxvf <filename>

Now, cd into the directory that was just created.

Step 2 (optional)

I was installing this software in a test environment, and while I had internet connection, ping was disabled on my network.  This is the case for many production networks, so it baffles my mind why VMware would include a provision to test network connectivity with ping inside their install script.  If you environment does not have ICMP ping enabled, but your CentOS machine does indeed have internet access, you should modify the vmware-install.pl as follows:

# Determine if internet connection is available.
  if ( ( ! $install_rhel55_local ) && ( scalar(@install) > 0 ) ) {
      my $internetConnect = `ping -c 10 -W 4 www.vmware.com | grep -c "64 bytes"`;
      if ( $internetConnect ne '') {
        $internet_available = 1;
      }
  }

Step 3

Here’s where I’m going to deviate from what I actually do in hopes to save you some time.  The install script attempts to download a bunch of packages from cpan, which is some sort of perl repository.  The install script will most likely download the needed sources from cpan to meet it’s own dependencies, but cpan has no ability to resolve it’s own dependencies.  Trying to make and install these sources in cpan itself also won’t tell you why they won’t compile and install.  Also, even though VMware released an x86_64 file for vSphere CLI, it actually requires quite a few .i686 packages to run the applications.

I submit to you my list of dependencies to both build the cpan source files, and actually run the compiled vSphere CLI binaries:

yum install openssl-devel gcc libxml2-dev libxml2-devel perl-UUID e2fsprogs make uuid-dev uuid libuuid e2fsprogs-devel libuuid-devel glibc.i686 zlib.i686 zlib-devel.i686 ncurses-libs.i686 libstdc++.i686 libxml2.i686

Please note, not all of these may be required, as I more or less haphazardly picked a couple of them.  In-fact, I’m not sure they’re all actually packages, just some stuff I typed in

Step 4

Run the install script.  This may or may not actually complete for you, as I described above, this is a little out of order from what I did.  Since all of the dependencies have been met at this point, it should proceed without issue.

Step 5 (optional)

Okay, let’s say that the install still didn’t complete because cpan still decided it couldn’t build those sources into libraries / binaries.  If that is the case, go into each directory in /root/.cpan/build/ and run the following command

perl Makefile.PL && make && make install

Please note, if you have used cpan before, there may be other libraries that you don’t need to do this for.  Just like at the date stamp for each, and it should tell you which ones you need.  I only had to do this for like 6 or 7 libraries, so it shouldn’t take that long.  Also, if you run the install script multiple times, you’ll have multiple instances of each library source with a bunch of random characters at the end of the directory name.  You only need to run the command for each library once.

Also, make sure each library actually installs.  If you hit one that gives you an error, skip along to the next and come back to it.  I believe some of the libraries are dependent upon some others that you will have also downloaded.

Step 6 (optional)

If you had to perform step 5, then you just need to re-run VMware’s install script.

Okay, that should be it.  Let me know if there are any issues or questions, and I’ll try to help you out.  Thanks for reading.

nmap

This is a very robust yet lightweight network tool.  I typically use this tool for port and subnet scanning, but it packs a ton of features and is worth looking into if you’ve never heard of it.  I use it on a weekly basis.  Please note, this tool may not be appropriate for environments that have very tight security policies as it has the potential to be used maliciously.

telnet

This tool is fairly common, but is not installed by default on many distros, especially if you work from minimal installs like I do.  It’s great for testing TCP connectivity to certain ports on remote hosts.  My favorite usage is telnet google.com 80

This will tell you if you’re able to connect to webpages on the internet.  Typing GET at the blank prompt will confirm a valid connection by downloading the html response from the page.  Very useful for checking port connectivity inside your firewall as well.

ethtool

Use this to mine information from your network interfaces.  Most common usage is ethtool eth0 which will show you the physical link-state of the adapter and various other settings.  This tool can also be used to perform operations such as flashing a device’s firmware or having an interface blink so a technician in the data center can positively ID it.

logwatch

This is a great utility that will parse your log files for you, aggregate information, and display the information in an easy to read format.

mlocate

mlocate is the name of the package which installs locate and updatedb.  The updatedb command indexes the filenames and paths of all files on your system.  The locate command lets you quickly search that index for a file string.  Much faster than using find, and much less complicated syntax for beginners.

mutt

This is a simple command line mail client.  It can be used to compose email much like a desktop mail client, however I mainly use it to email attachments to remote systems as the mail command does not allow for such an operation.

Common usage: echo “this is the body of the email” | mutt -s “Subject goes here” -a myfile.txt — user@example.com

This should work as long as you have a MTA running, such as postfix or sendmail.

vim

vim is an enhanced version of the vi editor.  It allows for color highlighting as well as using your arrow keys in insert mode.  I recommend using vi / vim because it’s available on nearly any *nix system by default.  That Solaris box you have to log into once a year might not have NANO when you need to edit some configuration file.  Do yourself a favor and learn the use vi / vim.

system-config-network (RHEL/CentOS/Fedora)

This is a handy tool for configuring networking on the above mentioned distros.  It’s a little more beginner friendly than editing the network config files manually.

system-config-firewall-tui (RHEL/CentOS/Fedora)

Same idea as the system-config-network command above, but in this case is used for configuring your system’s firewall.  Can make complicated firewall rules much easier to implement for beginners.

policycoreutils-python (RHEL/CentOS/Fedora)

I frankly don’t know why this software isn’t installed by default, even on standard spins of these distributions.  It’s essential for managing basic SELinux contexts and policies.  If you’re running a system with SELinux enabled in enforcing mode, you need this tool to make permanent changes to SELinux contexts.  The chcon command, which works will in a pinch, will not enable your filesystem’s contexts to survive a filesystem relabel.  This can occur after booting a system into rescue mode or disabling / reenabling SELinux.  The time to find out your SELinux contexts weren’t permanent isn’t after rescuing a broken production system.

Eventually, this code is going to be included in a backup client I am developing that will interface with glusterfs and Amazon S3 storage.

Currently, this code is tested to run on Python v2.7.4 on a Fedora 18 machine. With all three python files, and any number of properly defined job xml files in the jobs.d/ directory, these scripts are currently functional.

seed_files.py

This is the controller file for taking the first backup.

#!/usr/bin/python

# Create first full backup

import os, stat, time, seed_functions

def printHello():
  print "hello";

#--- This part of the script does the heavy lifting.
def seedMain(myFindPath,myJobId,myFullTempPath,myTargetMetaPath,myTargetTarFilePath,myExcludeFiles):
  #---execute the first backup for the job.
  seed_functions.findFiles(myFullTempPath,myFindPath,myExcludeFiles);
  seed_functions.storeMetaData(myFullTempPath,myTargetMetaPath);
  seed_functions.mkTarFile(myFullTempPath,myTargetTarFilePath);
  print "Job completed successfully";

#--- If this is being run as a script, set temporary variables
if __name__ == '__main__':
  myFindPath = '/home/myuser/findfiles';
  myJobId = str('106');
  myTempPath = '/tmp/';
  myTempFileList = 'files.tmp';
  myFullTempPath = os.path.join(myTempPath,myTempFileList); 
  myTargetPath = '/home/target1/';
  myTargetMeta = 'job'+myJobId+'.meta';
  myTargetTarFile = 'job'+myJobId+'.tar';
  myTargetMetaPath = myTargetPath+myTargetMeta;
  myTargetTarFilePath = myTargetPath+myTargetTarFile;

  #---Path names below should be absolute path names (start with / ) and should not end with '/'
  myExlcudeFiles = list();
  myExlcudeFiles.append('/home/myuser/findfiles/dontbackup');
  myExlcudeFiles.append('/home/myuser/findfiles/somebigfiles');
  myExlcudeFiles.append('*.adf');
  myExlcudeFiles.append('badfilez*');
  
  seedMain(myFindPath,myJobId,myFullTempPath,myTargetMetaPath,myTargetTarFilePath,myExcludeFiles);

#myJdate = seed_functions.getJulianDate();

seed_functions.py
This is the file that does the actual real work

#!/usr/bin/python

#Shared Functions and Classes
import os, sys, stat, time, glob
from datetime import datetime

def getJulianDate():
#--- This function returns an interger value of today's Julian Date 
#--- preceded by two digit year.  IE: 01JAN2013 -> 13001
  nowtime =  str(datetime.now());
  (year, month, day) = nowtime.split('-');
  day = int(day[:2]);
  month = int(month);
  year = int(year);
  t = time.mktime((year, month, day, 0, 0, 0, 0, 0, 0));
  jdate = (year % 2000) * 1000;
  jdate = jdate + time.gmtime(t)[7];
  return jdate;


import re
def findFiles(filepath,myFindPath,excludeFiles):
#--- Variables: fileListPath = string, myFindPath = string, excludeFiles = list() of strings)
#--- This function writes/overwrites the file @ 'fileListPath' which should be absolute path.
#--- The file @ fileListPath is a list of files found within myFindPath.
#--- myFindPath is desgined to be an absolute directory path.
#--- excludeFiles is a list() of absolute paths which should be excluded during the finding operation.
  with open(filepath, 'w') as ftemp:
    #--- Generate list of files that shouldn't be added
    #removeExcludedFiles();
    for dirname, dirnames, filenames in os.walk(myFindPath):
      #--- Remove exlcuded directories
      for badfile in dirnames:
        if os.path.join(myFindPath,dirname,badfile) in excludeFiles:
          dirnames.remove(badfile);

      #--- Gather the other directories
      for subdirname in dirnames:
	  #--- we just want to add empty directories
	  if os.path.islink(os.path.join(dirname, subdirname)) or not os.listdir(os.path.join(dirname, subdirname)):
	    ftemp.write(os.path.join(dirname, subdirname)+'\n');

      #--- Add files to the list.
      for filename in filenames:
	  #--- check to see if the file is a regular file or a link:
	  if os.path.islink(os.path.join(dirname, filename)) or os.path.isfile(os.path.join(dirname, filename)):
            #if not filename in myWildList:
	      ftemp.write(os.path.join(dirname, filename)+'\n');

  ftemp.closed;	

def storeMetaData(fileListPath, fileMetaPath):
#---This function creates an output file with
#---Filename and absolute path of fileMetaPath
#---File format is:
#---  /path/to/file ::: modified datetime ::: seconds since 1970 ::: md5 hash
  with open(fileMetaPath, 'w') as fmeta:
    myFileList = open(fileListPath, 'r');
    for filez in myFileList:
      #--- create an array to append information.
      myFileMeta = list();
      #--- Append absolute path and file name as first item
      myFileMeta.append(os.path.abspath(filez.strip()));
      #--- Get file meta information from os.stat()
      myStat = os.stat(filez.strip());
      #---Append human readable date/time stamp.
      myFileMeta.append(time.ctime(myStat.st_mtime));
      #---Append unix timestamp for easy comparison in the future.
      myFileMeta.append(myStat.st_mtime);
      if not os.path.isdir(filez.strip()):
        myHash = md5(filez.strip());
      else:
        myHash = "---None: directory";
      myFileMeta.append(myHash);
      metaDataString = str(myFileMeta[0]+":::"+myFileMeta[1]+":::"+str(myFileMeta[2])+":::"+str(myFileMeta[3]));
      fmeta.write(metaDataString+'\n');
    myFileList.closed;
  fmeta.closed;

import hashlib,os
def md5(filename):
    ''' function to get md5 of file '''
    d = hashlib.md5();
    try:
        d.update(open(filename).read());
    except Exception,e:
        print e;
    else:
        return d.hexdigest();

import tarfile
def mkTarFile(fileList, tarOutPath):
    thisTarOut = tarOutPath+".lzo"
    thisFileList = "-T "+fileList
    os.system("tar {options} {tarfile} {filex} &> /dev/null".format(options="cpvfa", tarfile=thisTarOut, filex=thisFileList));

#--------
#--- Not yet impemented functions below:
#--------

def findFiles2(fileListPath,myFindPath,excludeFiles):
#--- This function is for testing purposes only
  with open(fileListPath, 'w') as ftemp:
   for dirname, dirnames, filenames in os.walk(myFindPath):
    for subdirname in dirnames:
	#--- we just want to add empty directories
	if not os.listdir(os.path.join(dirname, subdirname)):
		ftemp.write(os.path.join(dirname, subdirname)+'\n');
    for filename in filenames:
	#--- check to see if the file is a regular file or a link:
	if os.path.islink(os.path.join(dirname, filename)) or os.path.isfile(os.path.join(dirname, filename)):
		ftemp.write(os.path.join(dirname, filename)+'\n');
  ftemp.closed;

def removeExcludedFiles():
    #--- Not implemented yet.
    myWildList = list();
    wildMatch = re.compile("^\*");
    wildMatch2 = re.compile(".*\*");
    print "Excluding the following"
    for badfile in excludeFiles:
      print badfile;
      result = wildMatch.match(badfile);
      if not result:
        result2 = wildMatch2.match(badfile);
        print result2;
      if result or result2:
        myWildList.append(badfile);
    print myWildList;

start_seeds.py
This is near completion; it parses the jobs in jobs.d/, verifies them, and runs them.

#!/usr/bin/python
import os, re
import xml.etree.ElementTree as ET
import seed_files



def readConfFile():
  #--- Future feature to read a specified jobs.d from config file.
  jobdir = 'jobs.d';
  return jobdir;

def findJobs(jobdir):
  myJobList = list();
  confMatch = re.compile(".*\.xml$");
  for dirname, dirnames, filenames in os.walk(jobdir):
    for jobid in filenames:
      result = confMatch.match(jobid);
      if result:
        myJobList.append(os.path.join(jobdir,jobid));
  return myJobList;

def checkPath(pathText):
  confMatch = re.compile("^\/");
  result = confMatch.match(pathText);
  confMatch2 = re.compile("^\/$");
  result2 = confMatch2.match(pathText);
  if result2:
    exit('Path cannot be / ');
  if not result:
    exit('Directory path must be absolute path: '+pathText);
  if os.path.isdir(pathText) or os.path.ismount(pathText):
    print 'Path seems valid: ',pathText;
  else:
    exit('Invalid path: '+pathText);

def parseJobs(myFoundJobs):
  print "Found the following config files: ",myFoundJobs;
  print "------------------------------------------------";
  myJobList = list();
  for myJob in myFoundJobs:
    mySubList = list();
    print "Parsing and testing: ",myJob;
    tree = ET.parse(myJob);
    root = tree.getroot();

    for child in root:
      #--- Validate backup path is valide.
      #----future feature: master excludes in config file
      if child.tag == 'backupdir':
        print "Checking Backup Directory";
        checkPath(child.text);
      if child.tag == 'backuptarget':
        print "Checking Backup Target"
        checkPath(child.text);

      #--- Create another sublist for excluded directories.
      if child.tag == 'exclude':
        myExcludeList = list();
        for subchild in child:
	  myExcludeList.append(subchild.text);
        mySubList.append(myExcludeList);

      #--- Since it's not a sublist, we append directly
      elif not child.tag == 'exclude':
        mySubList.append(child.text);
    print "------------------------------------------------";
    myJobList.append(mySubList);

  #--- Ensure some jobs were actually found.
  if myJobList.__len__() == 0:
    exit('Exit on Error: No Jobs Found!');
  #--- If we didn't exit above, we returned the parsed job list
  return myJobList;

def performBackup(myJobList):
  for job in myJobList:
    #--- job[0]:  JobID
    #--- job[1];  Backup Path
    #--- job[2]:  Backup Target
    #--- job[3]:  temp directory
    #--- job[4]:  Excluded directories
    myJobId = job[0];
    myFindPath = job[1];
    myTarget = job[2];
    myTempPath = job[3];
    myExcludes = job[4];
    myTargetPath = os.path.join(myTarget,str('job'+myJobId),'master');
    myTempFileList = 'backup_job'+myJobId+'.tmp';
    myFullTempPath = os.path.join(myTargetPath,myTempFileList); 
    myTargetMeta = 'job'+myJobId+'_master.meta';
    myTargetTarFile = 'job'+myJobId+'_master_seed.tar';
    myTargetMetaPath = os.path.join(myTargetPath,myTargetMeta);
    myTargetTarFilePath = os.path.join(myTargetPath,myTargetTarFile);

    if os.path.exists(os.path.join(myTarget,str('job'+myJobId))):
      print os.path.join(myFindPath,str('job'+myJobId));
      exit('Critical Error on JobID: '+myJobId+'\n This job directory already exists!  Exiting to preserve data!');
    else:
      os.makedirs(os.path.join(myTarget,str('job'+myJobId)));
    if os.path.exists(myTargetPath):
      exit('Critical Error on JobID: '+myJobId+'\n This job directory already exists!  Exiting to preserve data!');
    else:
      os.makedirs(myTargetPath);

    myExcludeFiles = list();
    for excludes in myExcludes:
      myExcludeFiles.append(excludes);
    myExcludeFiles.append(myTarget);
    print "------------------------------------------------";
    print "Starting Job: ",myJobId;
    seed_files.seedMain(myFindPath,myJobId,myFullTempPath,myTargetMetaPath,myTargetTarFilePath,myExcludeFiles);



#--- Execute the script.
myJobList = list();
jobdir = readConfFile();
myFoundJobs = findJobs(jobdir);
myJobList = parseJobs(myFoundJobs);
print "Number of jobs: ",myJobList.__len__();
#promptContinue() #--- Let user review backup jobs, prompt for continue.
performBackup(myJobList);

job103.xml
Job file in jobs.d/ directory

<?xml version="1.0"?>
<data>
  <jobid>103</jobid>
  <backupdir>/home/myuser/files</backupdir>
  <backuptarget>/offsitenfs/client1/target2</backuptarget>
  <temppath>/tmp</temppath>
  <exclude>
    <directory>/home/myuser/files/badfolder1</directory>
    <directory>/home/myuser/files/music/badfolder2</directory>
  </exclude>
</data>

/sbin/iptables-save > /root/iptables.saved

This will create a text file in the /root directory containing lines that will be parsed by iptables when used with the  iptables-restore command.

Next, add the following script to your system:

#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: mountkernfs $local_fs
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Set up iptables rules
### END INIT INFO
/sbin/iptables-restore < /root/iptables.saved
case "$1" in
 *)
 echo "iptables loaded from file"
 ;;
esac
exit 0

Save that script to /etc/init.d/iptables

Next, run update-rc.d iptables defaults

You should now see SXXiptables in /etc/rc2.d/ and other run level directories, where XX is a number.

Fedora 18, like many other fresh distros, utilizes GRUB2.  However, Fedora 18 is the only distro I have personally encountered this problem of not booting after a successful install.  This problem seems to be related to older hardware, or devices that lack the ability / video memory to use the highly graphical GRUB2 boot screen.  There is no science in my previous statement, just an educated guess.

Most particularly, I have encountered this problem on HP Proliant G4 device, as well as in Virtual Box on a Windows host.

Symptoms:  After successful installation, GRUB2 will briefly flash after post, and then the video output will go black or stop.  The system will never continue booting.

Resolution:  Boot the system with installation media and instead of selecting “Install,” select “Troubleshooting”.  On the following screen, select “Rescue System.”

Continue with the default options, which includes automatically detecting and mounting the system’s root directory to /mnt/sysimage/

After you a dropped to a shell, run chroot /mnt/sysimage to change the root of the system to the freshly installed system.  Next, we need to update our GRUB2 config file to disable the graphical mode.  That is achieve by peforming the following:

echo “GRUB_TERMINAL=console” >> /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg

These two commands will reinstall GRUB2 with the new argument GRUB_TERMINAL=console; unlike legacy GRUB, simply editing a text file is not enough, you must run the grub2-mkconfig command as described above.

Now, exit out of the chroot environment with the simple “exit” command, and reboot the system.  If everything went correctly, you should now see the GRUB2 menu in solid black and white (how Linux on a server should be).  Unfortunately, it’s now time to make yourself a cup of tea, because we have to wait for SELinux to relabel the filesystem.  While it doesn’t take forever, it does take about 3 or 4 minutes.