Henryk Paluch edited this page Apr 1, 2024 · 2 revisions

Alma Linux 8

Alma Linux 8 is a clone of the original RHEL/CentOS 8.

I'm unable to use the current version 9, because it no longer works on the AMD Opteron Generation 2 (G2) CPU (RHEL 9 requires x86-64-v2).

Testing

curl -fLO https://ftp.linux.cz/pub/linux/almalinux/8/isos/x86_64/AlmaLinux-8.9-x86_64-minimal.iso

Problem:

To build RPMs we have to install:

sudo dnf install rpmdevtools rpm-build yum-utils
# typical tools used for building:
sudo dnf install gcc make cmake gcc-c++ bison flex automake autoconf libtool

Then run as non-privileged user:

rpmdev-setuptree

Example: downloading a source package and unpacking its source tree:

cd
yumdownloader --source selinux-policy-targeted
rpm -ivh selinux-policy-3.14.3-128.el8_9.1.src.rpm 
sudo yum-builddep selinux-policy-targeted
rpmbuild -bp ~/rpmbuild/SPECS/selinux-policy.spec 
# see ~/rpmbuild/BUILD

Example: building the Midnight Commander RPM:

cd
yumdownloader --source mc
rpm -ivh mc-4.8.19-9.el8.src.rpm
sudo yum-builddep mc

 Problem:  No matching package to install: 'aspell-devel'

dnf search -v --repo '*' aspell-devel

  aspell-devel.i686 : Libraries and header files for Aspell development
  Repo        : powertools
  Matched from:
  Provide    : aspell-devel = 12:0.60.6.1-22.el8

# tried just --repo powertools but there was another missing dependency:
sudo dnf install --repo '*' aspell-devel
sudo yum-builddep mc

# this command rebuilds both the src.rpm and the binary (arch) rpm:
rpmbuild -ba ~/rpmbuild/SPECS/mc.spec

# rpms stored to ~/rpmbuild/SRPMS/ and ~/rpmbuild/RPMS/x86_64/

Or you can enable the powertools repo (and its dependencies) permanently with:

sudo dnf config-manager --enable powertools

Firewalld

Firewalld (CLI: firewall-cmd) has its own logic that makes things difficult.

First, log at least unicast rejects (rejected access to a single IP address):

firewall-cmd --set-log-denied=unicast

Task:

  • restrict SSH access to single IP address
  • allow other (for example http) for all IP addresses

There are two choices. Let's try a new zone:

firewall-cmd --new-zone=trusted-ssh --permanent
# replace 192.168.X.Y/32 with allowed client IP
firewall-cmd --zone=trusted-ssh --add-source=192.168.X.Y/32 --permanent
firewall-cmd --permanent --zone=trusted-ssh --add-service=ssh
firewall-cmd --zone=trusted-ssh --list-all --permanent

# (empty entries removed from the output)
trusted-ssh (active)
  target: default
  icmp-block-inversion: no
  sources: 192.168.X.Y/32
  services: ssh
  forward: no
  masquerade: no

# now we have to remove ssh from public
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --list-all

public
  target: default
  icmp-block-inversion: no
  services: cockpit dhcpv6-client

# now ensure that you have a backup connection and run:
firewall-cmd --reload
firewall-cmd --get-active-zones

public
  interfaces: eth0
trusted-ssh
  sources: 192.168.X.Y/32

To see the real (nftables) rules that firewalld generated, run:

# very long output:
nft list ruleset

Example: adding a logging rule. The following experimental rule logs all new incoming connections from remote hosts to this host:

# for IPv4
firewall-cmd --direct --add-rule ipv4 filter INPUT  0 -m conntrack \
  --ctstate NEW,UNTRACKED  -j LOG --log-prefix "INPUT " --log-level 4
# for IPv6
firewall-cmd --direct --add-rule ipv6 filter INPUT  0 -m conntrack \
 --ctstate NEW,UNTRACKED  -j LOG --log-prefix "INPUTv6 " --log-level 4

Use dmesg to see the logged packets. Note that UDP traffic is logged too, because connection tracking also watches UDP (for example for NAT support).

Experimental rule to track all outgoing connections (noisy!):

# for IPv4
firewall-cmd --direct --add-rule ipv4 filter OUTPUT  0 -m conntrack \
   --ctstate NEW,UNTRACKED  -j LOG --log-prefix "OUTPUT " --log-level 4
# for IPv6
firewall-cmd --direct --add-rule ipv6 filter OUTPUT  0 -m conntrack \
   --ctstate NEW,UNTRACKED  -j LOG --log-prefix "OUTPUTv6 " --log-level 4
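To get something useful out of the INPUT/OUTPUT log rules above, here is a small added example (not from the wiki page) that summarises the logged packets per source, protocol and destination port, and counts hits on one port from hosts other than the allowed one (e.g. SSH from anything but the trusted-ssh source). The lines in SAMPLE_LOG are constructed in the kernel LOG target's dmesg format; the function names and the 192.168.1.x addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): summarise packets logged by the "INPUT " /
# "INPUTv6 " / "OUTPUT " direct rules above, as they appear in dmesg.  The log lines in
# SAMPLE_LOG are constructed in the kernel LOG target's format; on a real host you
# would use SAMPLE_LOG="$(dmesg)" instead.
SAMPLE_LOG='[  120.001] INPUT IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
[  120.502] INPUT IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.168.1.77 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
[  120.903] INPUT IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.168.1.77 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
[  121.004] INPUT IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.168.1.77 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
[  121.505] INPUT IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=10.0.0.5 DST=192.168.1.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=123 DPT=123 LEN=56
[  122.006] OUTPUT IN= OUT=eth0 SRC=192.168.1.10 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=33000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'

# Print "count src proto dport" for each distinct (SRC, PROTO, DPT) seen with the
# given log prefix, most frequent first.   Usage: summarize_log "$LOGTEXT" INPUT
summarize_log() {
    printf '%s\n' "$1" | awk -v prefix="$2" '
        {
            sub(/^\[[^]]*] */, "")        # drop the dmesg "[timestamp] " column
            if ($1 != prefix) next        # keep only lines from the wanted LOG rule
            src = ""; proto = ""; dport = ""
            for (i = 2; i <= NF; i++) {   # remaining fields are KEY=VALUE (or bare flags)
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dport = kv[2]
            }
            if (src != "") count[src " " proto " " dport]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Count packets to one destination port that did NOT come from the allowed source,
# e.g. SSH attempts from anything other than the trusted-ssh source 192.168.X.Y/32.
# Usage: unexpected_hits "$LOGTEXT" INPUT 22 192.168.X.Y
unexpected_hits() {
    summarize_log "$1" "$2" |
        awk -v port="$3" -v ok="$4" '$4 == port && $2 != ok { n += $1 } END { print n + 0 }'
}

summarize_log "$SAMPLE_LOG" INPUT
echo "SSH packets from hosts other than 192.168.1.50: $(unexpected_hits "$SAMPLE_LOG" INPUT 22 192.168.1.50)"
```

Both functions take the log text as their first argument, so the same script works with `dmesg -T` output, since the bracketed timestamp column is stripped regardless of its format.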

Troubleshooting:
