Here we will cover how to install Linux, focusing on a variety of different distributions for use as a LAMP server.
Estimated time (this post only): 45 minutes
* varies by distro
Contents
Why Not Install a Desktop Environment?
A web server does not need a desktop and installing one only consumes resources and possibly introduces stability issues. Also, by using SSH to remotely manage the server, you can simply copy/paste commands from this guide, simplifying the entire process.
Which Distro Do I Want?
Most web servers on the Internet run CentOS or Ubuntu. So if you are developing for shared hosts, you will most likely want to focus on these two distros. CentOS is based on Red Hat Enterprise Linux which is based on Fedora, so while CentOS may be more stable, Fedora often contains newer packages. Ubuntu is based on Debian. OpenSUSE only has a small share of the web server market, but is increasing in popularity. I only recommend Arch Linux for advanced users. Of the top one million web servers, less than 2% run Windows, so we won’t even bother with looking at a WAMP stack (the Windows variant of a LAMP stack).
Should I Use LVM and What File System Should I Use?
I highly recommend using LVM because it allows you to expand file systems across multiple disks (much like Dynamic Disks in Windows).
As for which file system to use for the individual partitions, that’s a little more complicated. In simplest terms, I recommend Ext3/4 for the boot partition and either Ext4, XFS, or BtrFS for other partitions. Ext4 has been around forever, but many distributions are migrating to BtrFS or XFS as the default. RedHat variants (like CentOS and Fedora) have dropped official support for BtrFS due to its slow development. XFS isn’t quite as efficient as Ext4 and BtrFS at handling small files. Personally I recommend BtrFS for most partitions or XFS if your distribution doesn’t support BtrFS by default.
Installing Operating System
Important: I will be covering both UEFI and non-UEFI systems. If installing on a physical machine with UEFI enabled or a virtual machine with UEFI support, you will need to create an additional EFI System Partition at least 100 MiB in size (some guides suggest as much as 500+ MiB, so you may need to allocate more). See this article if you want more information.
Download your desired ISO (DVD image). Get the minimal CentOS ISO from their website or a Torrent (recommended). If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO:
Depending on your version of CentOS and VirtualBox, you may not have mouse support when running the installer, so use the arrow keys, tab key, page up/down keys, etc. if necessary.
Boot to the DVD or start the VM to begin installation. First, configure the network settings. The following screenshots will work for a VirtualBox installation configured as in the previous post. CentOS does not enable network adapters by default, so be sure to enable them. The second adapter in the screenshots is the host-only adapter mentioned in the last post. Setting this to a static IP is highly recommended. Your network settings may differ.
Setup your timezone. You should not enable the NTP client (Network Time) if running as a virtual machine (let VirtualBox set the VM clock):
Change the automatic partitioning. CentOS allocates most of the drive to a partition for the /home
directory. This is inefficient for a server, since very little should be kept there. It is recommended that you allocate more space for directories reserved for software installations. You could just allocate everything to the root directory, but if the file system became corrupt on root, you would lose everything. This is how I set up my 300 GiB drive. If this is a non-UEFI system, leave out the EFI partitition.
Unless you need to change them, ignore the other options on this page and just begin the installation. During installation you should set a root password. A separate user is also recommended unless you plan to setup Active Directory or LDAP support later (not covered in this guide series). When creating this user be sure to check the box "Make this user administrator" to automatically set them up as a sudo user (having the ability to run administrator commands via sudo).
After installation you may need to eject the DVD or unmount the ISO to boot to the hard drive.
Download your desired ISO (DVD image). Get the Fedora Server ISO from their website or a Torrent (recommended). If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO:
Boot to the DVD or start the VM to begin installation. First, configure the network settings. The following screenshots will work for a VirtualBox installation configured as in the previous post. The second adapter in the screenshots is the host-only adapter mentioned in the last post. Setting this to a static IP is highly recommended. Your network settings may differ.
Set your timezone. You should not enable the NTP client (Network Time) if running as a virtual machine (let VirtualBox set the VM clock):
Change the automatic partitioning! You could just allocate everything to the root directory, but if the file system became corrupt on root, you would lose everything. This is how I set up my 300 GiB drive for this guide. (As with CentOS, skip the EFI partition if this is not a UEFI system.)
Unless you need to change them, ignore the other options on this page and just begin the installation. During installation you should set a root password. A separate user is also recommended unless you plan to setup Active Directory or LDAP support later (not covered in this guide series). When creating this user be sure to check the box "Make this user administrator" to automatically set them up as a sudo user (having the ability to run administrator commands via sudo).
After installation you may need to eject the DVD or unmount the ISO to boot to the hard drive.
Download the latest Ubuntu Server LTS image from their website or via BitTorrent (recommended). If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO as in the CentOS instructions.
Boot to the DVD or start the VM to begin installation. The server ISO uses a text-based installation method so use the tab and arrow keys. You may need to manually configure one or more network interfaces. The following is what I did for a virtual machine as described previously:
Here’s how I set up my 300 GiB virtual disk:
Be sure to select the option to install SSH server and set your user account and host name to whatever you want.
Since this installation will not include a GUI, all you need is the smaller CD image from their website or via BitTorrent. Most users will want the amd64 version. Burn the ISO to CD if you need a physical disc or just mount in your virtual machine. Although you could download the full set of DVD images, I recommend only downloading the CD image or the first DVD image. The reason for this is the package manager will look for the discs every time you install a new package rather than looking online first if it knows you have the full DVD set, which can get annoying because you will be constantly swapping discs/images.
Boot to the disc or start the VM to begin installation. Choose the graphical installation option to make things a little easier. The install process is very simple. Just do what it says until you reach the section on partitioning. Following is how I configured my partitions.
If installing from the CD image rather than the DVD image, be sure to select the option for enabling a network mirror for downloading software packages! After the initial installation, you will be presented with a screen to install additional packages, such as a desktop. We don’t want a desktop environment, but we do want SSH, so change the options as in the following screenshot (your choices may vary, but this is all you need for now):
Download the openSUSE Leap DVD image from their website directly or via BitTorrent. I recommend not using Tumbleweed for servers since it is a rolling release. If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO.
Boot to the DVD or start the VM to begin installation. Be sure to choose the "Server" option as the system role.
When you get to the step about partitioning, change the defaults to allocate partitions for where we will be installing our compiled software. The following is how I setup my 300 GiB drive in a virtual machine.
On the "Clock and Time Zone" page, if this is a virtual machine, you may want to click the "Other Settings" button and disable the NTP client (enabled by default).
Next you should configure a new user. I recommend not using the same password for the root user or logging in automatically.
On the final page, you may want to enable the firewall and SSH.
Unlike the other distros I cover, Arch Linux does not include an installer. So this is not for the faint of heart. I will simplify the process as much as possible. For more information, you can check out the installation guide on the Arch Linux wiki.
Very important: if installing under VirtualBox I recommend not enabling the EFI option for the virtual machine. UEFI installation under VirtualBox can get very messy. There are a lot of workarounds documented elsewhere and with a bit of trial-and-error you may get it to boot. With every version of Arch I’ve found I had to use a different method to get it to work. One thing that may avoid many errors in that setup may be to not use LVM for partitioning, which is the method I will cover here.
Download the Arch Linux ISO. I recommend using the BitTorrent download method. If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO.
Boot to the DVD or start the VM. In my case, I was able to skip setting up the network interface since Arch Linux detected the proper default route automatically.
You will need to partition the hard drive from the command line before you do anything else. For the sake of consistency I partitioned this system the same as the others with a 300 GiB drive.
If you have UEFI enabled, you need to first create an ESP partition (skip this if using traditional BIOS):
fdisk /dev/sda n p 1 <Enter> +512M t ef w pacman -Sy dosfstools mkfs.vfat -F32 /dev/sda1
Now create other partitions. If using UEFI, do something like:
fdisk /dev/sda n p 2 <Enter> +1G n p 3 <Enter> +30G n e <Enter> <Enter> n <Enter> +4G n <Enter> +100G n <Enter> <Enter> w mkfs.ext4 /dev/sda2 mkfs.btrfs /dev/sda3 mkfs.btrfs /dev/sda6 mkfs.btrfs /dev/sda7 mkswap /dev/sda5 swapon /dev/sda5 mkdir /mnt mount /dev/sda3 /mnt mkdir /mnt/boot mount /dev/sda2 /mnt/boot mkdir -p /mnt/usr/local mount /dev/sda6 /mnt/usr/local mkdir /mnt/opt mount /dev/sda7 /mnt/opt
If this is a non-UEFI system:
fdisk /dev/sda n p 1 <Enter> +1G n p 2 <Enter> <Enter> t 2 8e w pvcreate /dev/sda2 vgcreate vg1 /dev/sda2 lvcreate -L 30G -n root vg1 lvcreate -L 4G -n swap vg1 lvcreate -L 100G -n usr-local vg1 lvcreate -l 100%FREE -n opt vg1 mkfs.ext4 /dev/sda1 mkfs.btrfs /dev/vg1/root mkfs.btrfs /dev/vg1/usr-local mkfs.btrfs /dev/vg1/opt mkswap /dev/vg1/swap swapon /dev/vg1/swap mkdir /mnt mount /dev/vg1/root /mnt mkdir /mnt/boot mount /dev/sda1 /mnt/boot mkdir -p /mnt/usr/local mount /dev/vg1/usr-local /mnt/usr/local mkdir /mnt/opt mount /dev/vg1/opt /mnt/opt
You can now finally start installing Arch Linux to the hard drive. Note that you may need to change things like the locale and/or time zone depending on your location:
pacman -Syy pacman -S reflector cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bak reflector -c "US" -f 12 -l 10 -n 12 --save /etc/pacman.d/mirrorlist
If something went wrong with Reflector, do the following to restore the original mirrorlist:
cp /etc/pacman.d/mirrorlist.bak /etc/pacman.d/mirrorlist
Continue, setting the timezone to whatever yours is from the previous list.
pacstrap /mnt base base-devel linux linux-firmware vim nano genfstab -U /mnt >> /mnt/etc/fstab arch-chroot /mnt /bin/bash timedatectl list-timezones timedatectl set-timezone America/New_York hwclock --systohc --utc pacman -Syy pacman -S reflector cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bak reflector -c "US" -f 12 -l 10 -n 12 --save /etc/pacman.d/mirrorlist
If something went wrong with Reflector, do the following to restore the original mirrorlist:
cp /etc/pacman.d/mirrorlist.bak /etc/pacman.d/mirrorlist
Now edit the locale.gen file:
nano /etc/locale.gen
Uncomment (remove the pound sign) the line for your preferred locale. In the United States, English-speaking users would change "#en_US.UTF-8 UTF-8" to "en_US.UTF-8 UTF-8" then:
locale-gen echo LANG=en_US.UTF-8 > /etc/locale.conf export LANG=en_US.UTF-8
Now choose a hostname and set it up as follows (change "arch-lamp" to whatever you want):
echo arch-lamp > /etc/hostname touch /etc/hosts nano /etc/hosts
Add the following to the file then save and exit:
127.0.0.1 localhost ::1 localhost 127.0.1.1 arch-lamp
Now set the root password:
passwd [Enter new root password]
Time to install Grub. For UEFI systems do:
pacman -S grub efibootmgr mkdir /boot/efi mount /dev/sda1 /boot/efi grub-install --target=x86_64-efi --bootloader-id=arch --efi-directory=/boot/efi grub-mkconfig -o /boot/grub/grub.cfg
For non-UEFI systems:
pacman -S grub grub-install /dev/sda grub-mkconfig -o /boot/grub/grub.cfg
Do a bit of cleanup and reboot. Don’t forget to remove the install disc or unmount the ISO to ensure you boot to the new installation.
umount -R /hostlvm exit umount -R /mnt reboot
Don’t forget to remove the install disc or unmount the ISO to ensure you boot to the new installation.
Sudo
Sudo allows a standard user to run commands as root. It is highly recommended that you use this rather than logging in directly as root.
Sudo is installed and configured by default, so we can skip that step. But you may want to test it after logging in with:
sudo ls /
Debian (as of this writing) does not install sudo by default, so this is the first thing we need to address. So instead of logging in as the normal user, log in as root using the password you configured during install.
First, you must install sudo:
apt install sudo
You may be prompted to re-insert the installation disc. Do so as needed. The default Debian installation of sudo allows sudo access to all users of the "sudo" group (not "wheel" like other distros use). So, to make your normal username capable of running commands via sudo, do (replace "username" with the name of the user you setup):
adduser username sudo logout
Now you can log back in as your normal user and test sudo with:
sudo ls /
Log in as the user created during installation. OpenSUSE installs sudo but doesn’t configure it the same way as other distros, so for now whenever you type "sudo" you may be prompted to enter the root password rather than your user password. Let’s fix that first…
You may prefer to use nano over vi to make text editing simpler, so install it and then run visudo with nano:
sudo su zypper install nano export EDITOR=nano visudo
Scroll down to find the following lines:
Defaults targetpw # ask for the password of the target user i.e. root ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
Comment (add a pound sign and space) to both lines so it reads:
# Defaults targetpw # ask for the password of the target user i.e. root # ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
Scroll down to find the following line and un-comment it (remove the pound sign and first space):
# %wheel ALL=(ALL) ALL
Now use CTRL+X to save the file and exit. Then do the following (replace "username" with your normal username):
usermod -G wheel username exit logout
Now log back in as your normal user and make sure sudo is setup properly by doing the following (it should ask for your password and not root’s):
sudo ls /
After installation, log in as the root user with the password you created earlier. Now to configure sudo:
export EDITOR=nano visudo
Scroll down to find the following line and un-comment it (remove the pound sign and first space):
# %wheel ALL=(ALL) ALL
Now create a new username for yourself as a member of that group (replace "username" with the name of your new user):
useradd -m username passwd username usermod -a -G wheel username logout
Now you can log in with this new username. Whenever you need to run administrator commands as that user, simply preface them with "sudo". As a simple test to make sure this is working, run the following to show the files in the root directory:
sudo ls /
Configure Network Adapters
I’ve noticed several times that even when you enable all network adapters during installation, CentOS doesn’t always actually enable them. You can use nmtui to enable any disabled adapters. Just run the following command and use the arrow keys and Enter to enable any disabled adapters (those without asterisks beside them):
sudo nmtui
I recommend installing a simple text editor. The latest version of CentOS has nano installed by default, but just to be sure:
sudo dnf install nano
CentOS does not include the host name you chose during installation in the hosts file. So do:
sudo nano /etc/hosts
Edit the file to include the local host name as well as the host+domain. Then use CTRL+X to exit nano and save the file. Following is an example of what the file contents may look like:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 127.0.1.1 lamp lamp.localdomain ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 lamp lamp.localdomain
If you need to change network settings you will either need to learn to use nmcli or install nmtui with:
sudo dnf install NetworkManager-tui
Fedora does not include the host name you chose during installation in the hosts file. So do:
sudo nano /etc/hosts
Edit the file to include the local host name as well as the host+domain. Then use CTRL+X to exit nano and save the file. Following is an example of what the file contents may look like:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 127.0.1.1 lamp lamp.localdomain ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 lamp lamp.localdomain
Ubuntu uses NetPlan to manage network interfaces. For CLI installations, this means using the networkd renderer. If you forgot to set the IP address(es) during installation or something was changed, you may need to do something like the following.
First, obtain a list of the interfaces with:
ip link
This showed me an interface named enp0s3 and another named enp0s8. The latter was the one I needed to assign a static IP to, so I created a new configuration file specifically for this interface by doing:
sudo nano /etc/netplan/99-enp0s8.yaml
In this new file I typed the following to force this interface to always use the static IP address I desired:
network: version: 2 renderer: networkd ethernets: enp0s8: dhcp4: no addresses: [192.168.56.103/24]
I didn’t need DNS or a default gateway, so this was enough for my setup (see the above link if you need to configure more). To apply the new settings, I simply did:
sudo netplan --debug apply
You shouldn’t need to alter the hosts file if you set everything correctly during installation since Debian automatically adds an entry for the host name you set. Let’s see what adapters are enabled and their current IP addresses (note if you’re using an older version of Debian before they updated systemd, the interface names will be "ethx" where x is a number; this may sound simpler, but there are good reasons for this change):
ip addr
As you can see, in my case only the primary interface was enabled by default. So I did the following:
sudo nano /etc/network/interfaces
I then added the following to that file (change to match your configuration):
auto enp0s8 iface enp0s8 inet static address 192.168.56.104 netmask 255.255.255.0 network 192.168.56.0 broadcast 192.168.56.255
Restart the network service:
sudo /etc/init.d/networking restart
For some reason, some versions of Debian do not re-enable interfaces setup for DHCP when restarting the networking service, so do:
sudo ip link set dev enp0s3 up sudo dhclient -r sudo dhclient
One of the nice things about openSUSE is the handy YaST tool. Many users may not be aware that there is a terminal version of this tool for CLI installations. To launch it:
sudo yast
Just use your tab and enter keys (or the Alt shortcuts designated by the highlighted characters). In my case, the second network adapter was not configured and I wanted to give it a static IP accessible via the VirtualBox host-only network:
You should also use this tool to edit the host name and add it to the loopback hosts entries as follows:
Now exit YaST (usually with F9).
First, get the name(s) of your network interface(s):
ip link
I wanted to set the first interface with a dynamic IP address and the second with a static one. First, create network configuration files for the interfaces (note that I didn’t need a gateway or DNS for the secondary interface, but you could add them if need be):
sudo nano /etc/systemd/network/10-mainif.network
Enter the following to make enp0s3 a DHCP client interface.
[Match] Name=enp0s3 [Network] DHCP=yes
Save and quit, then create a config file for the second interface.
sudo nano /etc/systemd/network/20-secondif.network
Enter the following to make enp0s8 a static IP interface.
[Match] Name=enp0s8 [Address] Address=192.168.56.106/24
Now restart the systemd-networkd services and test everything by doing:
sudo systemctl restart systemd-networkd sudo systemctl restart systemd-resolved sudo systemctl enable systemd-networkd sudo systemctl enable systemd-resolved ping google.com -c 3
Assuming everything worked (capitalization is import in the .network files) reboot and test again.
sudo reboot ping google.com -c 3
Updates
At this point, it is a good idea to update all packages:
It is recommended that you enable the EPEL repository for installing some packages that may not be available in the default repos, ensure it is enabled, and then install a few basic packages:
sudo rpm -ivh \ https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm dnf repolist
If you have limited disk space or bandwidth, you should enable delta RPMs. This was easy with yum, but now with dnf delta RPMs aren’t available by default. The following may or may not work (but it won’t hurt to try):
sudo dnf install drpm sudo nano /etc/dnf/dnf.conf
Add the following line to this file:
deltarpm=1
Install updates and reboot:
sudo dnf update sudo reboot
As of Fedora 26+, the EPEL repository is no longer officially supported (it conflicts with the official Fedora repo), so we won’t be adding it as we did with CentOS.
If you have limited disk space or bandwidth, you should enable delta RPMs. The following may or may not work (but it won’t hurt to try):
sudo dnf install drpm sudo nano /etc/dnf/dnf.conf
Add the following line to this file:
deltarpm=1
Install updates and reboot:
sudo dnf update sudo reboot
Install all updates and reboot:
sudo su -c "apt update && apt upgrade && apt install linux-image-generic" reboot
You may wish to remove the discs as an installation source. If you don’t, you will be swapping discs every time you install new packages. This isn’t necessary if you installe from the minimal CD, only if you used the DVD images.
sudo sed -i 's/deb cdrom:/# deb cdrom:/g' /etc/apt/sources.list sudo apt update
Install all updates and reboot. Installation of debdelta is optional but will save download time and disk space:
sudo apt install debdelta sudo su -c "apt update && debdelta-upgrade && apt upgrade" sudo reboot
It is recommended that you add the Packman repo, since the official SUSE repos don’t always contain the needed or packages (or contain older versions). I’m using a mirror in Germany, but you can check the list of mirrors and choose another if you wish. Change the SUSE version to match what you are running.
sudo zypper ar ftp://ftp.fau.de/packman/suse/openSUSE_Leap_15.2/ Packman
If the Packman mirror you add doesn’t work for some reason, do the following before trying another one:
sudo zypper rr Packman
Install all updates and reboot:
sudo zypper update sudo reboot
Install all updates and reboot:
sudo pacman -Syu sudo reboot
SSH
Now setup SSH securely for remote access:
It is optional, but recommended, that you disable the ability to log in directly as the root user now that you have another administrator account setup.
sudo passwd -dl root
As an additional security measure, you should restrict access from members of the "wheel" group to the local network. So do:
sudo nano /etc/security/access.conf
Add the following line (this is in keeping with the virtual machine settings as shown previously, but change the subnet to match your network):
-:wheel:ALL EXCEPT LOCAL 192.168.56.0/24
After saving the above file, make sure SSH will comply with those restrictions by doing:
sudo nano /etc/pam.d/sshd
Insert the following line immediately after the first line "#%PAM-1.0" (this placement is important):
auth required pam_access.so
As an additional security measure, you should restrict access from members of the "sudo" group to the local network. So do:
sudo nano /etc/security/access.conf
Scroll to the bottom of this file and add a line such as the following (this is in keeping with the virtual machine settings as shown previously, but change the subnet to match your network):
-:sudo:ALL EXCEPT LOCAL 192.168.56.0/24
After saving the above file, make sure SSH will comply with those restrictions by doing:
sudo nano /etc/pam.d/sshd
Un-comment (remove the pound) the following line:
# account required pam_access.so
It is optional, but recommended, that you disable the ability to log in directly as the root user now that you have another administrator account setup.
sudo passwd -dl root
As an additional security measure, you should restrict access from members of the "sudo" group to the local network. So do:
sudo nano /etc/security/access.conf
Scroll to the bottom of this file and add a line such as the following (this is in keeping with the virtual machine settings as shown previously, but change the subnet to match your network):
-:sudo:ALL EXCEPT LOCAL 192.168.56.0/24
After saving the above file, make sure SSH will comply with those restrictions by doing:
sudo nano /etc/pam.d/sshd
Un-comment (remove the pound) the following line:
# account required pam_access.so
It is optional, but recommended, that you disable the ability to log in directly as the root user now that you have another administrator account setup.
sudo passwd -dl root
As an additional security measure, you should restrict access from members of the "wheel" group to the local network. So do:
sudo nano /etc/security/access.conf
Scroll to the bottom of this file and add a line such as the following (this is in keeping with the virtual machine settings as shown previously, but change the subnet to match your network):
-:wheel:ALL EXCEPT LOCAL 192.168.56.0/24
After saving the above file, make sure SSH will comply with those restrictions by doing (first install OpenSSH):
sudo pacman -S openssh sudo systemctl start sshd sudo systemctl enable sshd sudo nano /etc/pam.d/sshd
Insert the following line immediately after the first line "#%PAM-1.0" (this placement is important):
auth required pam_access.so
You can now use any SSH client to connect to the server. I highly recommend this as opposed to typing commands directly on the server console, partly because you can copy/paste commands from this guide into the SSH client. On Windows, I like the Bitvise SSH Client (free as of this writing), particularly for its built-in SFTP transfer client. Or you could use PuTTY or another client. Just point them to the IP address of this new server and use the username/password you just configured (if using VirtualBox as in the previous post, point to the IP address of the host-only adapter).
Important: When copying/pasting commands in this guide into an SSH terminal, you may be prompted for your password for sudo. So if copying multiple lines at a time, you may want to copy/paste one line at a time.
Firewall
Important note on firewall: there were previously bugs where conflicts between firewalld and Network Manager would cause firewall zone settings to be lost (especially with multiple adapters) on reboot. This means all adapters would be in the default zone after reboot. This was fixed in both Fedora and CentOS in 2017, so it is important that all packages be up to date as mentioned earlier.
If you have multiple network adapters (as I have setup in VirtualBox), you may want to place your local adapter in a separate firewall zone so you can limit which services are accessible to the Internet. First, check which adapters are in which zones:
firewall-cmd --get-active-zones
As you can see, CentOS places all adapters in the "public" zone (Fedora uses the zone "FedoraServer" as the default). Let’s move our local adapter ("enp0s8" in this example) to the "work" zone:
sudo firewall-cmd --zone=work --add-interface=enp0s8 --permanent sudo reboot
The reason we are rebooting at this point is to ensure the change truly is permanent. This is where the bug shows up if you didn’t install updates. Check that the change really worked by once again running:
firewall-cmd --get-active-zones
Enable HTTP/HTTPS for the "work" zone (or whatever zone you assigned your adapter to) and check that the desired services are enabled:
sudo firewall-cmd --zone=work --add-service=http --add-service=https --permanent sudo firewall-cmd --reload sudo firewall-cmd --zone=work --list-all
By default, the firewall is installed but not enabled. Let’s create a rule to allow SSH from the local network (default rules will block all other incoming connections) and enable the firewall. Change IP range as required. We will be creating additional rules later.
sudo ufw allow from 192.168.56.0/24 to any app OpenSSH sudo ufw enable
By default, only a basic iptables firewall is installed. But you can install the Uncomplicated Firewall that Ubuntu uses:
sudo apt install ufw
Let’s create a rule to allow SSH from the local network (default rules will block all other incoming connections) and enable the firewall. Change IP range as required.
sudo ufw allow from 192.168.56.0/24 to any app OpenSSH sudo ufw enable
Depending on your version of openSUSE the CLI version of YaST may not support modifying the firewall as it did in previous versions, so you will need to set up the firewall in a similar way as mentioned for CentOS. So first, do the following:
ip link ip address
In my case, under VirtualBox, I was able to determine that eth0 was my NAT interface and eth1 was my host-only interface. Could have found the same information via YaST.
Now let’s check which interfaces are assigned to which zones (by default they are all in the public zone):
sudo firewall-cmd --get-active-zones
Now check which services are enabled for every zone:
sudo firewall-cmd --list-all
If you need a list of all the default zones:
sudo firewall-cmd --get-zones
In my case I wanted eth0 assigned to the public zone and eth1 to the work zone:
sudo firewall-cmd --zone=public --add-interface=eth0 --permanent sudo firewall-cmd --zone=work --add-interface=eth1 --permanent sudo firewall-cmd --reload sudo firewall-cmd --get-active-zones
Now open up services on your trusted zones. For my example:
sudo firewall-cmd --zone=work --add-service=http --add-service=https --add-service=ssh --permanent sudo firewall-cmd --reload sudo firewall-cmd --zone=work --list-all
If you don’t need remote SSH access and/or don’t trust your firewall to block it, you should remove that from the public zone:
sudo firewall-cmd --zone=public --remove-service=ssh --permanent sudo firewall-cmd --reload
If you need to move an interface to another zone, you can do so easily. For example, let’s say you want to move eth1 to the internal zone:
sudo firewall-cmd --zone=internal --change-interface=eth1 --permanent sudo firewall-cmd --reload
"The Arch Way" of keeping things as simple as possible encourages us not to use a frontend for iptables like other distros do. So let’s clear any existing iptables rules (there shouldn’t be any) and set it up from scratch. Note that I’m limiting some rules to a specific interface (for example, we don’t want to open SSH to the public interface). These steps are based on an article from the Arch Linux wiki:
sudo iptables-restore < /etc/iptables/empty.rules sudo iptables -N TCP sudo iptables -N UDP sudo iptables -P FORWARD DROP sudo iptables -P OUTPUT ACCEPT sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT sudo iptables -A TCP -i enp0s8 -p tcp --dport 22 -j ACCEPT sudo iptables -P INPUT DROP sudo iptables -A INPUT -i lo -j ACCEPT sudo iptables -A INPUT -p 41 -j ACCEPT sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP sudo iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT sudo iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP sudo iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP sudo iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable sudo iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset sudo iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable sudo iptables -A TCP -i enp0s8 -p tcp --dport 80 -j ACCEPT sudo iptables -A TCP -i enp0s8 -p tcp --dport 443 -j ACCEPT sudo iptables -A UDP -p udp --dport 53 -j ACCEPT
Now export the rules to a file and check them:
sudo su - -c "iptables-save > /etc/iptables/iptables.rules" sudo nano /etc/iptables/iptables.rules
When I did this with the current version of iptables, I noticed it had automatically created a rule I hadn’t added:
-A INPUT -p ipv6 -j ACCEPT
Since these rules only affect IPv4, I assume this refers to IPv6 tunnels in IPv4, in which case this rule would allow all such incoming packets. Since I had no need for this functionality, I deleted the rule:
sudo iptables -D INPUT -p ipv6 -j ACCEPT
Once you have everything set up the way you want, save the rules again if you made any changes:
sudo su - -c "iptables-save > /etc/iptables/iptables.rules"
Now we should setup iptables for IPv6. Start by copying the IPv4 rules:
sudo cp /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules
Several changes need to be made for IPv6 compatibility. In this example, the following commands should fix the rules correctly:
sudo sed -i 's/icmp-port-unreachable/icmp6-adm-prohibited/g' /etc/iptables/ip6tables.rules sudo sed -i 's/icmp-proto-unreachable/icmp6-adm-prohibited/g' /etc/iptables/ip6tables.rules sudo sed -i '/-p icmp/d' /etc/iptables/ip6tables.rules sudo systemctl start ip6tables sudo ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT sudo ip6tables -t raw -A PREROUTING -m rpfilter -j ACCEPT sudo ip6tables -t raw -A PREROUTING -j DROP sudo su - -c "ip6tables-save > /etc/iptables/ip6tables.rules"
Now restart both services and set them to start after reboot:
sudo systemctl restart iptables sudo systemctl restart ip6tables sudo systemctl enable iptables sudo systemctl enable ip6tables
VirtualBox Guest Additions
If this is a virtual machine installed under VirtualBox, it is recommended that you install the VirtualBox Guest Additions. If running under another hypervisor like Hyper-V, chances are your distribution already contains the guest services installed automatically (though I still find it helpful on some distributions to install the Linux Integration Services, especially for dynamic memory allocation). There are a few basics we need to ensure are installed for the VirtualBox Guest Additions:
sudo dnf install make gcc wget dkms bzip2 tar kernel-devel-$(uname -r)
sudo apt install make gcc wget dkms bzip2 tar linux-headers-$(uname -r)
sudo zypper install make gcc wget dkms bzip2 tar kernel-default-devel=$(uname -r | sed 's/-default.*//g')
sudo pacman -S make gcc wget dkms bzip2 tar linux-headers=$(uname -r | sed 's/-ARCH.*//g')
Mount it and run the installer:
sudo mkdir -p /media/cdrom sudo mount /dev/cdrom /media/cdrom sudo sh /media/cdrom/VBoxLinuxAdditions.run sudo reboot
You may receive an error about the missing X.Org (desktop). This is expected. Just ignore it. If you already have a version of the Guest Additions installed, the installer will warn you. In this case, you should remove the existing version using your package manager before doing the above installation. Here are some common examples (the Guest Additions don’t exist in the official CentOS/Fedora repos):
sudo apt remove --purge virtualbox-guest-dkms sudo apt autoremove sudo reboot
sudo zypper remove virtualbox-guest-kmp-default virtualbox-guest-tools sudo reboot
sudo pacman -R virtualbox-guest-dkms sudo pacman -R $(pacman -Qdtq) sudo reboot
Test that it is installed and running with:
lsmod | grep vboxguest
Final Notes
When pasting long lines into nano (as we will be doing), it may insert line breaks automatically. I ran into this issue with openSUSE and Arch Linux. To prevent this do:
nano ~/.nanorc
Make sure this file contains at least the following line (more information on this page):
set nowrap
Now do the same for the root user as follows:
sudo nano /root/.nanorc
You now have everything you need for a basic Linux server.