Building LAMP Server #3 – Install OS

This post covers installing several common Linux distributions in preparation for use as a LAMP stack. Since this machine will act as a server, we focus on headless (no desktop) installations.

Estimated time (this post only): 40 minutes
* varies slightly by distro

Why a Headless Installation?

I get asked this question so often that it is worth addressing here. Whether on Windows or Linux, I do not recommend installing a desktop on a server unless absolutely necessary; an installation without one is known as a headless install. Skipping the desktop frees RAM and CPU cycles for the server's real work, leaves fewer packages to patch and fewer services exposed, and makes the system more stable. If you have the resources to spare and prefer GUI tools, feel free to install a desktop on your server, but here we cover headless installations only. It is also a good way to learn Linux if you are unfamiliar with it.

Which Distro Do I Want?

Most web servers hosting Internet websites run CentOS or Ubuntu. CentOS has ruled this market for years, but Ubuntu is quickly gaining popularity. So if you are developing for shared hosts, you will most likely want to focus on these two distros. Fedora is a good alternative to CentOS, while Debian can be used as an alternative to Ubuntu. OpenSUSE only has a small share of the web server market, but is also increasing in popularity. I only recommend Arch Linux for advanced users and those looking to really learn Linux.

Installing Operating System

This focuses on CentOS, but Fedora Server 25 is similar. Fedora uses "dnf" rather than "yum". You can type "yum" on Fedora and it will automatically call dnf, but you should get used to typing "dnf" instead of "yum".

Download the minimal ISO from one of the CentOS mirrors or via Torrent as desired. If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO:

Boot to the DVD or start the VM to begin installation. First, configure the network settings. The following screenshots will work for a VirtualBox installation configured as in the previous post (change the host, domain, and IP settings as needed):

CentOS does not enable network adapters by default, so be sure to enable them. The second adapter in the screenshots is the host-only adapter mentioned in the last post. Setting this to a static IP is highly recommended. Your network settings may differ. Those shown should work well for VirtualBox virtual machines if no other VMs are running.

Set up your time zone. If VirtualBox will keep the guest clock in sync with the host (the Guest Additions installed at the end of this post do that), you can leave the NTP client (Network Time) disabled; otherwise enable it, because TLS certificate validation and log correlation both depend on an accurate clock:

Change the automatic partitioning! CentOS/Fedora allocates most of the drive to a partition for the /home directory. This may be fine if you install programs to /home, which is not in keeping with the Filesystem Hierarchy Standard. But it is recommended that you allocate more space for directories reserved for software installations. Since most of our programs will be built from source, this means /opt. (It is a pet peeve of mine that most Linux guides have you disregarding these standards.) The following screenshots will show an example of how to set this up:

Unless you need to change them, ignore the "Security Policy" and other options on this page and just begin the installation. During installation you should set a root password. A separate user is also recommended unless you plan to set up Active Directory or LDAP support later (not covered in this guide series). When creating this user be sure to check the box "Make this user administrator" to automatically set them up as a sudo user (having the ability to run administrator commands via sudo).

After installation you may need to eject the DVD or unmount the ISO to boot to the hard drive.

Download the latest Ubuntu Server LTS image. I recommend using BitTorrent so you can help them save a few bucks on bandwidth for their website host. If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO:

Boot to the DVD or start the VM to begin installation. The install process is very simple. Basically just go with defaults (assuming you are using a standard US keyboard, etc.) until you reach the section on partitioning. I prefer setting up a separate partition for /opt, which is where most of the software on a server is likely to be installed, but most of the options you are given will create a single partition. The following screenshots show how to properly create a manual partition table with LVM (change your configuration as needed):

You probably don’t want to enable unattended upgrades; I usually recommend against them on servers because an update can restart a service at an unplanned time. If you leave them off, apply security updates yourself on a regular schedule (the apt-get commands later in this post): an unpatched server is a worse outcome than an unexpected restart. The only optional software you should install for now is the SSH server (otherwise just go with default options):

Download the latest Debian DVD images. I recommend using BitTorrent so you can help them save a few bucks on bandwidth for their website host. If installing to a physical machine, burn the ISOs to DVD. If installing to a virtual machine, mount the ISO (Debian currently is distributed as three ISOs, so just mount the first one for now and the others later when prompted):

Boot to the DVD or start the VM to begin installation. Choose the graphical installation option to make things a little easier. The install process is very simple. Basically just do what it says until you reach the section on partitioning. Setting up a custom partitioning scheme during Debian installation can be a little confusing, even with the graphical installer. I prefer setting up a separate partition for /opt, which is where most of the software on a server is likely to be installed. The following screenshots show how to do this (change your configuration as needed):

After the initial installation, you will be presented with a screen to install additional packages, such as a desktop. Since we want a headless installation, but we do want SSH, change the options as in the following screenshot (options may vary depending on the DVD images used):

Download openSUSE Leap DVD image. I recommend not using Tumbleweed for servers since it is a rolling release. If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO:

Boot to the DVD or start the VM to begin installation. When you get to the step about partitioning, change the defaults to allocate a partition for /opt and maybe delete the one for /home. This is how I usually setup Linux servers since very little gets saved to the /home directory if you follow the Filesystem Hierarchy Standard. The following is how I setup my 100 GiB drive in my openSUSE virtual machine:

On the "Clock and Time Zone" page, if this is a virtual machine whose clock VirtualBox will keep in sync (via the Guest Additions installed at the end of this post), you may click the "Other Settings" button and disable the NTP client (enabled by default). On a physical server, or a VM without Guest Additions, leave it enabled: certificate validation and log timestamps need an accurate clock.

On the "Desktop Selection" page, choose the option "Server (Text Mode):"

Next, configure a new user. Do not reuse the root password for this user, and do not enable automatic login:

On the final page, you may want to enable the firewall and SSH:

Unlike the other distros I cover, Arch Linux does not include an installer. So this is not for the faint of heart. I will simplify the process as much as possible. For more information, you can check out the installation guide on the Arch Linux wiki. For the most part, I will be following the instructions in this article with a few modifications.

Download the Arch Linux ISO. I recommend using the BitTorrent download method. If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO:

Boot to the DVD or start the VM. In my case, I was able to skip setting up the network interface since Arch Linux detected the proper default route automatically.

You will need to partition the hard drive from the command line before you do anything else. I had a 100 GB drive and wanted to use LVM: 20 GB for the root volume, 500 MB for the boot partition, and 4 GiB of swap (matching the 4 GiB of RAM allocated to the VM). The rest I wanted to go to a volume mounted at /opt. The following commands allowed me to do this (the first block is the sequence of keystrokes typed into fdisk):

fdisk /dev/sda
o
n
p
1
<Enter>
+500M
n
p
2
<Enter>
<Enter>
t
2
8e
w
pvcreate /dev/sda2
vgcreate vg1 /dev/sda2
lvcreate -L 20G -n root vg1
lvcreate -L 4G -n swap vg1
lvcreate -l 100%FREE -n opt vg1
mkfs.ext2 /dev/sda1
mkfs.ext4 /dev/vg1/root
mkfs.ext4 /dev/vg1/opt
mkswap /dev/vg1/swap
swapon /dev/vg1/swap
mount /dev/vg1/root /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
mkdir /mnt/opt
mount /dev/vg1/opt /mnt/opt

You can now finally start installing Arch Linux to the hard drive. Note that you may need to change things like the locale and/or time zone. The base group used to pull in the kernel, lvm2 and netctl; on current Arch it does not, so they are listed explicitly below (they are harmless to list on older releases), along with nano, which is used as the editor later in this post:

pacstrap /mnt base base-devel linux linux-firmware lvm2 netctl nano
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt /bin/bash
sed -i 's/#en_US.UTF-8/en_US.UTF-8/g' /etc/locale.gen
locale-gen
echo 'LANG=en_US.UTF-8' >> /etc/locale.conf
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
echo 'arch-lamp' | tee /etc/hostname
echo '127.0.1.1       arch-lamp.localdomain   arch-lamp' | tee -a /etc/hosts
sed -i 's/block filesystems/block lvm2 filesystems/' /etc/mkinitcpio.conf
mkinitcpio -p linux
passwd
[Enter new root password]
pacman -S grub
grub-install --target=i386-pc /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
exit
umount -R /mnt
reboot

Don’t forget to remove the install disc or unmount the ISO to ensure you boot to the new installation.

Sudo

Sudo allows a standard user to run individual commands as root. It is highly recommended that you use this rather than logging in directly as root: each command is logged together with the user who ran it, and the root password stays out of daily use.

On CentOS, Fedora and Ubuntu, sudo is installed by default and the administrator user created during installation is already allowed to use it, so we can skip that step. But you may want to test it after logging in with:

sudo ls /

Debian (as of this writing) does not install sudo by default, so this is the first thing we need to address. So instead of logging in as the normal user, log in as root using the password you configured during install.

First, you must install sudo:

apt-get install sudo

You may be prompted to re-insert the installation disc. Do so as needed. The default Debian installation of sudo allows sudo access to all users of the "sudo" group (not "wheel" like other distros use). So, to make your normal username capable of running commands via sudo, do (replace "username" with the name of the user you setup):

adduser username sudo
logout

Now you can log back in as your normal user and test sudo with:

sudo ls /

Log in as the user created during installation. OpenSUSE installs sudo but doesn’t configure it the same way as other distros, so for now whenever you type "sudo" you may be prompted to enter the root password rather than your user password. Let’s fix that first…

You may prefer to use nano over vi to make text editing simpler, so install it and then run visudo with nano:

sudo su
zypper install nano
export EDITOR=nano
visudo

Scroll down to find the following lines:

Defaults targetpw   # ask for the password of the target user i.e. root
ALL     ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

Comment out both lines (add a pound sign and a space at the start of each) so they read:

# Defaults targetpw   # ask for the password of the target user i.e. root
# ALL     ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

Scroll down to find the following line and un-comment it (remove the pound sign and first space):

# %wheel ALL=(ALL) ALL

Now use CTRL+X to save the file and exit. Then do the following (replace "username" with your normal username). The -a flag is essential: without it, usermod replaces all of the user's supplementary groups with just "wheel" instead of adding to them:

usermod -a -G wheel username
exit
logout

Now log back in as your normal user and make sure sudo is setup properly by doing the following (it should ask for your password and not root’s):

sudo ls /

After installation, log in as the root user with the password you created earlier. Now to configure sudo:

export EDITOR=nano
visudo

Scroll down to find the following line and un-comment it (remove the pound sign and first space):

# %wheel ALL=(ALL) ALL

Now create a new username for yourself as a member of that group:

useradd -m username
passwd username
usermod -a -G wheel username
logout

Now you can log in with this new username. Whenever you need to run administrator commands as that user, simply preface them with "sudo". As a simple test to make sure this is working, run the following to show the files in the root directory:

sudo ls /

Configure Network Adapters

I’ve noticed several times that even when you enable all network adapters during installation, CentOS doesn’t always actually enable them. You can use nmtui to enable any disabled adapters. Just run the following command and use the arrow keys and Enter to enable any disabled adapters (those without asterisks beside them):

sudo nmtui

Before doing anything else, I recommend installing a simple text editor. By default, CentOS uses vi, which is very powerful but possibly intimidating to new users. So do:

sudo yum install nano

CentOS does not include the host name you chose during installation in the hosts file. Although this shouldn’t be needed, it can cause issues with some software (like Apache). So do:

sudo nano /etc/hosts

Edit the file to include the local host name as well as the host+domain. Then use CTRL+X to exit nano and save the file. Following is an example of what the file contents may look like:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.1.1   lamp lamp.localdomain
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 lamp lamp.localdomain

You could probably skip the second loopback address (127.0.1.1). Debian-derived systems have used it for the host name for years so that the name resolves to an address distinct from localhost even when the machine has no permanent IP, and some software misbehaves when the host name does not resolve at all; adding it does no harm here.

If you need to change network settings you will either need to learn to use nmcli or install nmtui with:

sudo dnf install NetworkManager-tui

Fedora does not include the host name you chose during installation in the hosts file. Although this shouldn’t be needed, it can cause issues with some software (like Apache). So do:

sudo nano /etc/hosts

Edit the file to include the local host name as well as the host+domain. Then use CTRL+X to exit nano and save the file. Following is an example of what the file contents may look like:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.1.1   lamp lamp.localdomain
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 lamp lamp.localdomain

You could probably skip the second loopback address (127.0.1.1). Debian-derived systems have used it for the host name for years so that the name resolves to an address distinct from localhost even when the machine has no permanent IP, and some software misbehaves when the host name does not resolve at all; adding it does no harm here.

You shouldn’t need to alter the hosts file if you set everything correctly during installation, since Ubuntu and Debian automatically add an entry for the host name you set. The interface configuration below is for Ubuntu Server 16.04 LTS and earlier, which use ifupdown; Ubuntu 18.04 and later configure networking with netplan instead. Let’s see what adapters are enabled and their current IP addresses:

ip addr

As you can see, in my case only the primary interface was enabled by default. So I did the following:

sudo nano /etc/network/interfaces

I then added the following to that file (change to match your configuration):

auto enp0s8
iface enp0s8 inet static
  address 192.168.56.104
  netmask 255.255.255.0
  network 192.168.56.0
  broadcast 192.168.56.255

Restart the network service:

sudo /etc/init.d/networking restart

You shouldn’t need to alter the hosts file if you set everything correctly during installation since Ubuntu and Debian automatically add an entry for the host name you set. Let’s see what adapters are enabled and their current IP addresses:

ip addr

As you can see, in my case only the primary interface was enabled by default. So I did the following:

sudo nano /etc/network/interfaces

I then added the following to that file (change to match your configuration):

auto eth1
iface eth1 inet static
  address 192.168.56.104
  netmask 255.255.255.0
  network 192.168.56.0
  broadcast 192.168.56.255

Restart the network service:

sudo /etc/init.d/networking restart
sudo reboot

You may not need to do the reboot, but there is a bug in Debian where if your first interface is set up for DHCP, it may not automatically obtain a new IP after restarting the network service. Hopefully this gets fixed soon.

One of the nice things about openSUSE is the handy YaST tool. Many users may not be aware that there is a terminal version of this tool for headless installations. To launch it:

sudo yast

Just use your tab and enter keys (or the Alt shortcuts designated by the highlighted characters). In my case, the second network adapter was not configured and I wanted to give it a static IP accessible via the VirtualBox host-only network:

You should also use this tool to edit the host name and add it to the loopback hosts entries as follows. Note that I did not check the "Assign Hostname to Loopback IP" option in "Network Settings" but added it separately (this is safer, especially if using IPv6):

Now exit YaST (usually with F9).

First, get the name(s) of your network interface(s):

ip link

I wanted to set the first interface with a dynamic IP address and the second with a static one. First, create netctl profiles for the interfaces (note that I didn’t need a gateway or DNS for the secondary interface, but you could add them if need be):

printf "Interface=enp0s3\nConnection=ethernet\nIP=dhcp" | sudo tee /etc/netctl/enp0s3
printf "Interface=enp0s8\nConnection=ethernet\nIP=static\nAddress=('192.168.56.106/24')\nExcludeAuto=no\nPriority=2" | sudo tee /etc/netctl/enp0s8

The following may seem odd, but it seems to be the only way guaranteed to get the netctl special systemd units to start automatically and with the correct settings (assuming of course you set up your profiles correctly above):

sudo netctl start enp0s3
sudo netctl start enp0s8
sudo pacman -S ifplugd
sudo netctl enable enp0s3
sudo netctl enable enp0s8
sudo systemctl start netctl-ifplugd@enp0s3.service
sudo systemctl start netctl-ifplugd@enp0s8.service
sudo systemctl enable netctl-ifplugd@enp0s3.service
sudo systemctl enable netctl-ifplugd@enp0s8.service
sudo systemctl stop netctl-ifplugd@enp0s3.service
sudo systemctl stop netctl-ifplugd@enp0s8.service
sudo systemctl disable netctl@enp0s3
sudo systemctl disable netctl@enp0s8
sudo netctl stop-all
sudo reboot

After restarting, you can check that the interfaces are both running with the correct IP addresses via:

ip addr

Updates and SSH

At this point, it is a good idea to update all packages and lock down remote access so you can use SSH.

Install all updates and reboot. Installing deltarpm is optional but reduces the amount downloaded for updates. Replace "yum" with "dnf" for Fedora:

sudo yum install deltarpm
sudo yum update
sudo reboot

It is optional, but recommended, that you disable direct root logins now that you have another administrator account set up. You may wish to skip this if you are less concerned with security and/or worried that you may break your sudo configuration in the future. Note that locking the password only blocks password logins as root; an SSH key installed for root would still work, so also set PermitRootLogin no in /etc/ssh/sshd_config (and restart sshd) if root should be kept off SSH entirely:

sudo passwd -l root

As an additional security measure, you should restrict access from members of the "wheel" group to the local network. So do:

sudo nano /etc/security/access.conf

Scroll to the bottom of this file and add a line such as the following (this is in keeping with the virtual machine settings as shown previously, but change the subnet to match your network):

-:wheel:ALL EXCEPT LOCAL 192.168.56.0/24

After saving the above file, make sure SSH will comply with those restrictions by doing:

sudo nano /etc/pam.d/sshd

Insert the following line immediately after the first line "#%PAM-1.0", so that it is evaluated before any other auth module (this placement is important). Keep your current session open and, from a second session, confirm that a login from the allowed network still works and one from outside it is refused before relying on this: a typo in access.conf locks you out of SSH:

auth       required     pam_access.so

Install all updates and reboot:

sudo apt-get update && sudo apt-get upgrade
sudo reboot

It is optional, but recommended, that you disable direct root logins now that you have another administrator account set up. You may wish to skip this if you are less concerned with security and/or worried that you may break your sudo configuration in the future. Note that locking the password only blocks password logins as root; an SSH key installed for root would still work, so also set PermitRootLogin no in /etc/ssh/sshd_config (and restart sshd) if root should be kept off SSH entirely:

sudo passwd -l root

As an additional security measure, you should restrict access from members of the "sudo" group to the local network. So do:

sudo nano /etc/security/access.conf

Scroll to the bottom of this file and add a line such as the following (this is in keeping with the virtual machine settings as shown previously, but change the subnet to match your network):

-:sudo:ALL EXCEPT LOCAL 192.168.56.0/24

After saving the above file, make sure SSH will comply with those restrictions by doing:

sudo nano /etc/pam.d/sshd

Un-comment (remove the pound sign and the space after it) the following line. Keep your current session open and, from a second session, confirm that a login from the allowed network still works and one from outside it is refused before relying on this: a typo in access.conf locks you out of SSH:

# account  required     pam_access.so

Debian users may wish to remove the discs as an installation source. If you don’t, you will be swapping discs every time you install new packages. To do so just run the following:

sudo sed -i 's/deb cdrom:/# deb cdrom:/g' /etc/apt/sources.list

Install all updates and reboot:

sudo zypper update
sudo reboot

It is optional, but recommended, that you disable direct root logins now that you have another administrator account set up. You may wish to skip this if you are less concerned with security and/or worried that you may break your sudo configuration in the future. Note that locking the password only blocks password logins as root; an SSH key installed for root would still work, so also set PermitRootLogin no in /etc/ssh/sshd_config (and restart sshd) if root should be kept off SSH entirely:

sudo passwd -l root

As an additional security measure, you should restrict access from members of the "wheel" group to the local network. So do:

sudo nano /etc/security/access.conf

Scroll to the bottom of this file and add a line such as the following (this is in keeping with the virtual machine settings as shown previously, but change the subnet to match your network):

-:wheel:ALL EXCEPT LOCAL 192.168.56.0/24

After saving the above file, make sure SSH will comply with those restrictions by doing:

sudo nano /etc/pam.d/sshd

Insert the following line immediately after the first line "#%PAM-1.0", so that it is evaluated before any other auth module (this placement is important). Keep your current session open and, from a second session, confirm that a login from the allowed network still works and one from outside it is refused before relying on this: a typo in access.conf locks you out of SSH:

auth       required     pam_access.so

Install all updates and reboot:

sudo pacman -Syu
sudo reboot

It is optional, but recommended, that you disable direct root logins now that you have another administrator account set up. You may wish to skip this if you are less concerned with security and/or worried that you may break your sudo configuration in the future. Note that locking the password only blocks password logins as root; an SSH key installed for root would still work, so also set PermitRootLogin no in /etc/ssh/sshd_config (and restart sshd) if root should be kept off SSH entirely:

sudo passwd -l root

As an additional security measure, you should restrict access from members of the "wheel" group to the local network. So do:

sudo nano /etc/security/access.conf

Scroll to the bottom of this file and add a line such as the following (this is in keeping with the virtual machine settings as shown previously, but change the subnet to match your network):

-:wheel:ALL EXCEPT LOCAL 192.168.56.0/24

After saving the above file, make sure SSH will comply with those restrictions by doing (first install OpenSSH):

sudo pacman -S openssh
sudo systemctl start sshd
sudo systemctl enable sshd
sudo nano /etc/pam.d/sshd

Insert the following line immediately after the first line "#%PAM-1.0", so that it is evaluated before any other auth module (this placement is important). Keep your current session open and, from a second session, confirm that a login from the allowed network still works and one from outside it is refused before relying on this: a typo in access.conf locks you out of SSH:

auth       required     pam_access.so

If all went well, you should be able to use any SSH client to connect to this new server. I highly recommend this over typing commands directly on the server console, mainly because you can copy/paste commands from this guide into the SSH client. On Windows, I like the Bitvise SSH Client (totally free as of this writing), but there are many others you can use (Google is your friend). Point the client at the IP address of this new server and use the username/password you just configured. On the first connection the client shows the server’s host key fingerprint; compare it with the fingerprint of the host key in /etc/ssh on the server console before accepting it, so that you are trusting this machine and not whatever happens to answer on that IP.
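The access.conf and pam_access steps above are the same on every distro apart from the group name, and they are easy to get wrong on a second run (a duplicated access.conf line, or pam_access inserted twice). The following shell script is an added example, not code from the original post: it applies both edits idempotently and takes the file paths as arguments, so you can try it on copies of the files before touching the live ones. The group, subnet and paths are parameters; the sed -i form assumes GNU sed, which all the distros covered here ship.

```shell
#!/bin/sh
# Added example (not from the original post): apply the "restrict the admin
# group to the local network" hardening so that it can be re-run safely.
# Paths are parameters so the functions can be tested against copies.

# add_access_rule GROUP SUBNET ACCESS_CONF
# Appends "-:GROUP:ALL EXCEPT LOCAL SUBNET" unless that exact line exists.
add_access_rule() {
  group=$1
  subnet=$2
  conf=$3
  rule="-:${group}:ALL EXCEPT LOCAL ${subnet}"
  # -x: whole-line match, -F: fixed string, --: the rule starts with '-'
  if grep -qxF -- "$rule" "$conf" 2>/dev/null; then
    return 0
  fi
  printf '%s\n' "$rule" >> "$conf"
}

# enable_pam_access PAM_SSHD_FILE
# Makes sshd consult access.conf. Three cases, in order:
#   1. pam_access is already active        -> nothing to do
#   2. a commented "# account required pam_access.so" line exists
#      (Debian/Ubuntu style)                -> un-comment it
#   3. otherwise (CentOS/Fedora/openSUSE/Arch style) insert an auth line
#      right after the first line, the "#%PAM-1.0" header, so it runs
#      before any other auth module
enable_pam_access() {
  pamfile=$1
  if grep -Eq '^[[:space:]]*(auth|account)[[:space:]]+required[[:space:]]+pam_access\.so' "$pamfile"; then
    return 0
  fi
  if grep -Eq '^#[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so' "$pamfile"; then
    sed -i -E 's/^#[[:space:]]*(account[[:space:]]+required[[:space:]]+pam_access\.so)/\1/' "$pamfile"
    return 0
  fi
  sed -i '1a auth       required     pam_access.so' "$pamfile"
}

# count_access_rules GROUP ACCESS_CONF -> number of rules for GROUP
# (handy check that a re-run did not stack duplicates)
count_access_rules() {
  grep -c "^-:$1:" "$2" 2>/dev/null || true
}

# Example invocation, kept as a comment so sourcing this file is side-effect free:
#   sudo sh -c '. ./harden-admin-access.sh;
#     add_access_rule wheel 192.168.56.0/24 /etc/security/access.conf;
#     enable_pam_access /etc/pam.d/sshd'
```

Run it once per host and keep the shell you are already logged in from open until a fresh login from an allowed address has succeeded; the functions are safe to run again after the fact, which is what makes them usable from a provisioning script.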

Firewall

Important note on the firewall: there have been bugs where conflicts between firewalld and NetworkManager caused firewall zone assignments to be lost on reboot (especially with multiple adapters), leaving every adapter in the default zone. At the time of writing this has been fixed in both Fedora and CentOS, so it is important that all packages are up to date as mentioned earlier.

If you have multiple network adapters (as I have setup in VirtualBox), you may want to place your local adapter in a separate firewall zone so you can limit which services are accessible to the Internet. First, check which adapters are in which zones:

sudo firewall-cmd --get-active-zones

As you can see, CentOS places all adapters in the "public" zone (Fedora uses the zone "FedoraServer" as the default). Let’s move our local adapter ("enp0s8" in this example) to the "work" zone. Because NetworkManager manages these interfaces, the zone is really a property of the connection profile (its connection.zone setting, which nmcli can show and modify), which is why a zone set only through firewall-cmd could be lost on older packages; the reboot below checks that it stuck:

sudo firewall-cmd --zone=work --add-interface=enp0s8 --permanent
sudo reboot

The reason we are rebooting at this point is to ensure the change truly is permanent. This is where the bug shows up in CentOS if you didn’t install updates. Check that the change really worked by once again running:

sudo firewall-cmd --get-active-zones

Enable HTTP/HTTPS for the "work" zone (or whatever zone you assigned your adapter to) and check that the desired services are enabled:

sudo firewall-cmd --zone=work --add-service=http --add-service=https --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --zone=work --list-all

By default, the firewall is installed but not enabled. Let’s create rules that allow SSH from the local network, plus HTTP, HTTPS and the 8080-8090 range for web applications (the default policy blocks all other incoming connections), then enable the firewall. Change the IP range and ports as required:

sudo ufw allow proto tcp from 192.168.56.0/24 to any port 22 comment 'ssh'
sudo ufw allow proto tcp from 192.168.56.0/24 to any port 80,443,8080:8090 comment 'web app'
sudo ufw enable

By default, Debian installs iptables but configures no rules, so nothing is filtered. You can install the Uncomplicated Firewall that Ubuntu uses:

sudo apt-get install ufw

Let’s create rules that allow SSH from the local network, plus HTTP, HTTPS and the 8080-8090 range for web applications (the default policy blocks all other incoming connections), then enable the firewall. Change the IP range and ports as required:

sudo ufw allow proto tcp from 192.168.56.0/24 to any port 22
sudo ufw allow proto tcp from 192.168.56.0/24 to any port 80,443,8080:8090
sudo ufw enable

This is another thing easiest done with YaST:

sudo yast

By default, even though you enabled the firewall during installation, no adapters are assigned to firewall zones. In my case, I wanted my first adapter assigned to the external zone and the second to the internal zone, as follows:

That was good enough for my VirtualBox installation since the internal zone is only accessible from the host and is completely unprotected while the external zone is locked down by default and I didn’t need to allow anyone on the Internet to access the VM. You can add/remove services as needed here also though.

"The Arch Way" of keeping things as simple as possible encourages us not to use a frontend for iptables like other distros do. So let’s clear any existing iptables rules (there shouldn’t be any) and set it up from scratch. Note that I’m limiting some rules to a specific interface (for example, we don’t want to open SSH to the public interface). These steps are based on an article from the Arch Linux wiki:

sudo iptables-restore < /etc/iptables/empty.rules
sudo iptables -N TCP
sudo iptables -N UDP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A TCP -i enp0s8 -p tcp --dport 22 -j ACCEPT
sudo iptables -P INPUT DROP

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p 41 -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
sudo iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
sudo iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
sudo iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
sudo iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
sudo iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

sudo iptables -A TCP -i enp0s8 -p tcp --dport 80 -j ACCEPT
sudo iptables -A TCP -i enp0s8 -p tcp --dport 443 -j ACCEPT
sudo iptables -A UDP -p udp --dport 53 -j ACCEPT

Now export the rules to a file and check them:

sudo su - -c "iptables-save > /etc/iptables/iptables.rules"
sudo nano /etc/iptables/iptables.rules

When you look at the saved file you will see the "-p 41" rule from above rendered by protocol name:

-A INPUT -p ipv6 -j ACCEPT

iptables-save prints protocol numbers by their /etc/protocols name, and 41 is IPv6 encapsulated in IPv4 (6in4 tunnels), so this rule accepts every such tunnel packet from anywhere. Unless you terminate a 6in4 tunnel on this host you do not want it, so delete it (or simply leave the "-p 41" rule out when you build the rules):

sudo iptables -D INPUT -p ipv6 -j ACCEPT

Once you have everything set up the way you want, save the rules again if you made any changes:

sudo su - -c "iptables-save > /etc/iptables/iptables.rules"

Now we should set up ip6tables. Start by copying the IPv4 rules:

sudo cp /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules

Several changes are needed for IPv6. The reject types differ; the IPv4 ping rule has to become an ICMPv6 echo-request rule in the same position in the file (appending it with -A after the file is loaded would place it after the final REJECT, where it never matches); and ICMPv6 from link-local addresses must be accepted, because Neighbor Discovery runs over ICMPv6 and without it the host cannot even find its gateway. The following commands make those edits (check the result in nano afterwards, as with the IPv4 file), load the rules, and then add the reverse-path check in the raw table:

sudo sed -i 's/icmp-port-unreachable/icmp6-adm-prohibited/g' /etc/iptables/ip6tables.rules
sudo sed -i 's/icmp-proto-unreachable/icmp6-adm-prohibited/g' /etc/iptables/ip6tables.rules
sudo sed -i 's/-p icmp -m icmp --icmp-type 8/-p ipv6-icmp -m icmp6 --icmpv6-type 128/' /etc/iptables/ip6tables.rules
sudo sed -i '/--icmpv6-type 128/i -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT' /etc/iptables/ip6tables.rules
sudo systemctl start ip6tables
sudo ip6tables -t raw -A PREROUTING -m rpfilter -j ACCEPT
sudo ip6tables -t raw -A PREROUTING -j DROP
sudo su - -c "ip6tables-save > /etc/iptables/ip6tables.rules"

Now restart both services and set them to start after reboot:

sudo systemctl restart iptables
sudo systemctl restart ip6tables
sudo systemctl enable iptables
sudo systemctl enable ip6tables
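Typing the rules one by one, saving, and then patching the saved file with sed for IPv6 works, but it leaves a window with a half-built policy and makes the IPv6 differences easy to miss. The following shell function is an added example, not code from the original post or the Arch wiki: it generates the same stateful firewall as above as a complete rules file for iptables-restore or ip6tables-restore, so the whole set loads atomically and can be syntax-checked first. The interface name is a parameter (enp0s8 in this post); it assumes no 6in4 tunnels (so no "-p 41" rule) and that UDP 53 is only opened because the post does so (remove that line unless this host actually runs a DNS server; conntrack already lets replies to its own queries back in).

```shell
#!/bin/sh
# Added example (not from the original post or the Arch wiki): emit the
# stateful firewall from the section above as a complete restore file.
# gen_rules FAMILY IFACE  -> rules on stdout; FAMILY is 4 or 6,
# IFACE is the trusted (host-only) interface that may receive SSH/HTTP/HTTPS.
gen_rules() {
  fam=$1
  iface=$2
  case $fam in
    4)
      reject_udp=icmp-port-unreachable
      reject_any=icmp-proto-unreachable
      # Accept pings; other useful ICMPv4 arrives as RELATED to a flow.
      icmp_rules='-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT'
      ;;
    6)
      reject_udp=icmp6-adm-prohibited
      reject_any=icmp6-adm-prohibited
      # Neighbor Discovery is ICMPv6 from link-local sources; without it the
      # host cannot resolve its gateway. Then echo requests, as for IPv4.
      icmp_rules='-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT'
      # Reverse-path filter in the raw table, as the section above does for IPv6.
      cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m rpfilter -j ACCEPT
-A PREROUTING -j DROP
COMMIT
EOF
      ;;
    *)
      echo "gen_rules: family must be 4 or 6" >&2
      return 1
      ;;
  esac

  # Chain headers carry the default policies: INPUT and FORWARD drop, OUTPUT
  # accepts. TCP and UDP are the user chains that new connections are sent to,
  # so everything a service needs is one line in the right chain.
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
$icmp_rules
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with $reject_udp
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with $reject_any
-A TCP -i $iface -p tcp --dport 22 -j ACCEPT
-A TCP -i $iface -p tcp --dport 80 -j ACCEPT
-A TCP -i $iface -p tcp --dport 443 -j ACCEPT
-A UDP -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Example invocation, kept as a comment so sourcing this file has no side effects:
#   gen_rules 4 enp0s8 | sudo tee /etc/iptables/iptables.rules  >/dev/null
#   gen_rules 6 enp0s8 | sudo tee /etc/iptables/ip6tables.rules >/dev/null
#   sudo iptables-restore --test /etc/iptables/iptables.rules    # parse only
#   sudo ip6tables-restore --test /etc/iptables/ip6tables.rules
#   sudo systemctl restart iptables ip6tables
```

The point of generating both families from one function is that the only differences are the reject types, the ICMP handling and the raw-table reverse-path check; everything else, including the order that puts the ICMPv6 accepts before the catch-all REJECT, stays identical, which is exactly what the sed-based copy above has to get right by hand.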

Packages For Building Software

There are a few basic packages you will need for building various applications. Experienced users may wonder why I’m not using CheckInstall or FPM for everything in order to simplify installation/uninstallation. First, this is a test server and not a production machine. Second, since we are going to install everything to /opt, uninstallation is usually as simple as deleting the directory (i.e. /opt/apache). Third, I am designing this guide with those who are not Linux experts in mind, so why go through the complexity of creating packages and setting up local repos, etc.?

On CentOS it is recommended that you enable the EPEL repository, since some packages used later (dkms among them) are not in the default repos; check that it is listed, and then install a few basic packages. The epel-release package comes from the CentOS "extras" repository and is signed with the CentOS key, which is preferable to installing an RPM straight from a URL. Fedora already has these packages in its own repos, so skip the epel-release step there and replace "yum" with "dnf":

CentOS/Fedora:
sudo yum install epel-release
yum repolist
sudo yum install make kernel-devel gcc wget dkms bzip2

Ubuntu/Debian:
sudo apt-get install make gcc wget bzip2 linux-headers-$(uname -r)

openSUSE:
sudo zypper install make gcc wget bzip2 kernel-devel

Arch Linux:
sudo pacman -S make gcc wget bzip2 linux-headers

You should install a current version of Perl at this point. Of the distros I’m covering, only Arch Linux and Fedora maintain the latest version in their official repositories; Ubuntu maintains fairly recent versions as well, so you can skip the following for Arch Linux, Fedora, and (maybe) Ubuntu. Find the latest non-development version number on the CPAN website and change the version below as needed. Fetch it over HTTPS and, before building, compare the tarball’s SHA-256 with the value in the CHECKSUMS file published alongside it on CPAN: a source tarball you compile and install as root is exactly the kind of input worth checking:

cd ~
wget https://www.cpan.org/src/5.0/perl-5.24.1.tar.gz
tar -xzf perl-5.24.1.tar.gz
rm perl-5.24.1.tar.gz
cd perl-5.24.1
./Configure -des -Dprefix=/opt/perl
make
make test
sudo make install
cd ..
sudo mv perl-5.24.1 /usr/local/src/
export PATH=/opt/perl/bin:$PATH
echo 'PATH=/opt/perl/bin:$PATH' | sudo tee -a /etc/profile
perl -v

The last command will verify that you are using the correct version of Perl.

VirtualBox Guest Additions

If this is a virtual machine running under VirtualBox, it is recommended that you now install the VirtualBox Guest Additions (if not, skip to the next article in this series). In the VirtualBox window choose Devices > Insert Guest Additions CD image, which attaches the Guest Additions ISO to the VM’s optical drive.

Then, inside the VM, mount it and run the installer:

sudo mkdir -p /media/cdrom
sudo mount /dev/cdrom /media/cdrom
sudo sh /media/cdrom/VBoxLinuxAdditions.run
sudo reboot

You may receive an error about the missing X.Org (desktop). This is expected since this is a headless install. Just ignore it. You now have everything you need for a basic Linux server.
