LFCE Labs

Hands-on labs for the Linux Foundation Certified Engineer (LFCE) exam. Master iptables firewalls, NFS server configuration, and advanced PAM & OpenSSL security.

LFCE Labs - Module 10

iptables firewall management, NFS server & client configuration, and advanced PAM & OpenSSL security — essential LFCE exam skills.

Lab 28: iptables Firewall Configuration
Expert / Terminal + GUI
Scenario: Configure a Linux Host Firewall with iptables
A production web server needs strict firewall rules. You will list existing rules, set default DROP policies, allow SSH (port 22) and HTTP (port 80) traffic, allow established connections, and save the ruleset persistently. iptables mastery is a core LFCE networking objective.

Learning Objectives:

LFCE — Network Admin
  • Inspect: List current iptables rules and chains
  • Policy: Set default DROP policies for INPUT chain
  • Allow: Create ACCEPT rules for SSH, HTTP, and related traffic
  • Persist: Save iptables rules across reboots

📋 Step-by-Step Instructions

  1. Step 1: List Current Rules
    🎯 Goal: View existing firewall rules with line numbers

    💻 sudo iptables -L -n --line-numbers
    💡 Tip: -L lists rules, -n shows numeric addresses, --line-numbers adds rule numbers for easy reference.
  2. Step 2: Set Default DROP Policy
    🎯 Goal: Set INPUT chain default to DROP

    💻 sudo iptables -P INPUT DROP
    ⚠️ Warning: Setting DROP policy without first allowing SSH will lock you out of a remote server. Always add allow rules before or in the same session.
  3. Step 3: Allow SSH Traffic
    🎯 Goal: Accept incoming SSH connections on port 22

    💻 sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    💡 Tip: -A appends a rule. -p tcp --dport 22 matches TCP traffic to port 22.
  4. Step 4: Allow HTTP Traffic
    🎯 Goal: Accept incoming HTTP connections on port 80

    💻 sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    💡 Tip: For HTTPS add port 443 similarly. Multiple -A rules are evaluated top to bottom.
  5. Step 5: Allow Established Connections
    🎯 Goal: Allow traffic for already-established and related connections

    💻 sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    💡 Tip: Without this rule, return traffic from outgoing connections would be dropped by the INPUT DROP policy.
  6. Step 6: Save iptables Rules
    🎯 Goal: Persist rules so they survive a reboot

    💻 sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
    🎓 Checkpoint: You configured a DROP-by-default firewall with SSH, HTTP, and stateful rules — a core LFCE networking task.
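
A check for the lockout risk described in the Step 2 warning, as an added example that is not part of the original lab: it reads `iptables-save` output and reports whether a DROP policy on INPUT is backed by SSH and stateful ACCEPT rules. The helper name `audit_input_chain` and both sample rulesets are constructed for illustration.

```bash
#!/bin/sh
# Added example, not part of the lab. audit_input_chain is a hypothetical helper
# that reads iptables-save text on stdin and checks the INPUT chain.
audit_input_chain() {
  awk '
    BEGIN { policy = "unknown" }
    /^:INPUT / { policy = $2 }                 # e.g. ":INPUT DROP [0:0]"
    /^-A INPUT / {
      accept = ($0 ~ /-j ACCEPT( |$)/)
      if (accept && $0 ~ /-p tcp / && $0 ~ /--dport 22( |$)/) ssh = 1
      if (accept && $0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/) est = 1
    }
    END {
      if (policy != "DROP") { print "WARN: INPUT policy is " policy ", not DROP"; exit }
      if (!ssh) print "FAIL: DROP policy but no ACCEPT rule for SSH (tcp/22)"
      if (!est) print "FAIL: DROP policy but no ESTABLISHED,RELATED ACCEPT rule"
      if (ssh && est) print "OK: DROP policy with SSH and stateful ACCEPT rules"
    }'
}

# Constructed sample: the finished ruleset from Steps 2-5 as iptables-save prints it.
sample_complete() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the state right after Step 2, before any allow rule exists.
sample_after_step2() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

sample_complete | audit_input_chain
sample_after_step2 | audit_input_chain
```

On a live host the same check runs as `sudo iptables-save | audit_input_chain`.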

🎉 After Completing All Steps:

1. Validate configuration to check firewall rules.
2. Use Firewall Dashboard and Chain Details tab for visual review.
Tip: The LFCE exam tests iptables extensively — know chain order and stateful matching.

Lab 29: NFS Server & Client Configuration
Expert / Terminal + GUI
Scenario: Set Up NFS File Sharing
A team needs shared storage across multiple Linux hosts. You will install the NFS server, create and configure an export directory, export the share, restart the NFS service, mount the share on a client, and verify the mount. NFS configuration is a key LFCE service management objective.

Learning Objectives:

LFCE — Service Config
  • Install: Set up NFS server packages
  • Export: Configure /etc/exports and export shares
  • Service: Manage NFS server via systemctl
  • Mount: Mount NFS shares on client hosts

📋 Step-by-Step Instructions

  1. Step 1: Install NFS Server
    🎯 Goal: Install the NFS kernel server package

    💻 sudo apt install nfs-kernel-server -y
    💡 Tip: On RHEL-based systems use yum install nfs-utils. The LFCE may use either distro.
  2. Step 2: Create Export Directory
    🎯 Goal: Create the shared directory with proper permissions

    💻 sudo mkdir -p /srv/nfs/shared && sudo chmod 777 /srv/nfs/shared
    💡 Tip: Use chmod 777 for lab testing. In production, use no_root_squash sparingly and restrict permissions.
  3. Step 3: Configure /etc/exports
    🎯 Goal: Add the share to the exports file

    💻 Loading...
    ⚠️ Exam Note: Know exports options: rw (read-write), sync (synchronous writes), no_subtree_check (performance).
  4. Step 4: Export the Shares
    🎯 Goal: Apply the exports configuration

    💻 sudo exportfs -arv
    💡 Tip: -a exports all, -r re-exports, -v verbose. Use exportfs -v to verify active exports.
  5. Step 5: Restart NFS Service
    🎯 Goal: Restart and enable the NFS server

    💻 sudo systemctl restart nfs-kernel-server && sudo systemctl enable nfs-kernel-server
    💡 Tip: Always enable services so they start on boot. Check status with systemctl status.
  6. Step 6: Mount on Client
    🎯 Goal: Mount the NFS share on the client

    💻 Loading...
    🎓 Checkpoint: You installed NFS, configured exports, and mounted the share — a core LFCE service configuration task.
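
A lint for the `/etc/exports` options discussed in Steps 2 and 3, as an added example that is not part of the original lab: it flags entries whose options apply to every host (a `*` client, or the exports(5) pitfall of a space before the parenthesis) and any use of `no_root_squash`. The helper name `lint_exports`, the client addresses and the sample file are constructed; the parser assumes one export per line with no continuation lines or `-default` option blocks.

```bash
#!/bin/sh
# Added example, not part of the lab. lint_exports is a hypothetical helper that
# reads /etc/exports text on stdin and prints one finding per risky client entry.
lint_exports() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }             # skip comments and blank lines
    {
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        p = index($i, "(")
        if (p > 0) {                           # split "client(opt,opt)"
          client = substr($i, 1, p - 1)
          opts = substr($i, p + 1); sub(/\)$/, "", opts)
        }
        # An empty client means "(opts)" stood alone after a space.
        world = (client == "" || client == "*")
        if (world)
          print NR ": " $1 ": (" opts ") applies to every host"
        if (("," opts ",") ~ /,no_root_squash,/)
          print NR ": " $1 ": no_root_squash for " (world ? "every host" : client)
      }
    }'
}

# Constructed sample /etc/exports: line 2 is scoped to one subnet, line 3 has a
# stray space before "(", line 4 exports to any host without root squashing.
sample_exports() { cat <<'EOF'
# constructed sample /etc/exports
/srv/nfs/shared 192.168.1.0/24(rw,sync,no_subtree_check)
/srv/nfs/shared 192.168.1.10 (rw,sync)
/srv/nfs/scratch *(rw,sync,no_root_squash)
EOF
}

sample_exports | lint_exports
```

On a server the same check runs as `lint_exports < /etc/exports`; an empty result means no world-scoped or `no_root_squash` entries were found.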

🎉 After Completing All Steps:

1. Validate configuration to check NFS setup.
2. Use NFS Dashboard and Exports tab for visual review.
Tip: NFS + exports + mount is a classic LFCE task — know the options cold.

Lab 30: PAM & OpenSSL Security
Expert / Terminal + GUI
Scenario: Harden Authentication & Generate TLS Certificates
A compliance audit requires stricter authentication and encrypted communications. You will enforce password complexity via PAM, set account lockout after failed attempts, configure password aging, generate a private key, create a self-signed certificate, and verify the certificate. PAM and OpenSSL are key LFCE security objectives.

Learning Objectives:

LFCE — Security
  • PAM: Configure password quality and lockout policies
  • Aging: Set password expiration via chage
  • OpenSSL: Generate private keys and self-signed certificates
  • Verify: Inspect and validate TLS certificates

📋 Step-by-Step Instructions

  1. Step 1: Enforce Password Complexity
    🎯 Goal: Install and configure pam_pwquality for strong passwords

    💻 sudo apt install libpam-pwquality -y
    💡 Tip: After install, configure /etc/security/pwquality.conf with minlen, dcredit, ucredit, etc.
  2. Step 2: Configure Account Lockout
    🎯 Goal: Lock accounts after 5 failed login attempts

    💻 sudo sed -i '1i auth required pam_tally2.so deny=5 unlock_time=900' /etc/pam.d/common-auth
    ⚠️ Exam Note: pam_tally2 locks after deny=5 failures. unlock_time=900 auto-unlocks after 15 minutes.
  3. Step 3: Set Password Aging
    🎯 Goal: Set maximum password age of 90 days for user admin

    💻 sudo chage -M 90 -m 7 -W 14 admin
    💡 Tip: -M 90 = max 90 days, -m 7 = min 7 days between changes, -W 14 = warn 14 days before expiry.
  4. Step 4: Generate RSA Private Key
    🎯 Goal: Create a 2048-bit RSA private key

    💻 openssl genrsa -out /etc/ssl/private/server.key 2048
    💡 Tip: 2048-bit is the minimum for production. Use 4096 for higher security. Keep private keys protected with chmod 600.
  5. Step 5: Create Self-Signed Certificate
    🎯 Goal: Generate a self-signed TLS certificate valid for 365 days

    💻 openssl req -new -x509 -key /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt -days 365 -subj "/CN=webserver.lab.local"
    💡 Tip: -subj sets the Common Name non-interactively. In production, use a CA-signed certificate.
  6. Step 6: Verify the Certificate
    🎯 Goal: Inspect the certificate details

    💻 openssl x509 -in /etc/ssl/certs/server.crt -text -noout
    🎓 Checkpoint: You configured PAM security, password aging, and generated TLS certificates — essential LFCE security tasks.
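
Checks that go one step past the Step 6 inspection, as an added example that is not part of the original lab: confirm the private key belongs to the certificate, that the certificate is not about to expire, and that the key file mode matches the `chmod 600` advice in Step 4. The helper names are hypothetical, the key and certificate are built in a scratch directory instead of `/etc/ssl`, and `stat -c` assumes GNU coreutils.

```bash
#!/bin/sh
# Added example, not part of the lab. All helper names are hypothetical.

# 0 if private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
  k="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 2
  c="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if certificate $1 is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# 0 if key file $1 is accessible by its owner only (mode 600 or 400).
key_mode_ok() {
  case "$(stat -c %a "$1")" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Constructed input: repeats Steps 4 and 5 under directory $1 with base name $2.
make_pair() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
  chmod 600 "$1/$2.key" &&
  openssl req -new -x509 -key "$1/$2.key" -out "$1/$2.crt" -days 365 \
    -subj "/CN=webserver.lab.local" 2>/dev/null
}

d="$(mktemp -d)"
make_pair "$d" server
make_pair "$d" other
key_matches_cert "$d/server.key" "$d/server.crt" && echo "key matches certificate"
key_matches_cert "$d/other.key" "$d/server.crt" || echo "mismatched key detected"
valid_for_days "$d/server.crt" 30 && echo "valid for at least 30 more days"
valid_for_days "$d/server.crt" 400 || echo "expires within 400 days"
key_mode_ok "$d/server.key" && echo "key mode is owner-only"
rm -rf "$d"
```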

🎉 After Completing All Steps:

1. Validate configuration to check PAM and OpenSSL setup.
2. Use Security Dashboard and Certificates tab for visual review.
Tip: PAM + OpenSSL are tested heavily on LFCE — memorize key options.