10 2011, 1.1.1
1
1.1
1.2
1.3
2
2.1
2.2
3
3.1
3.2 DNS
3.3
3.4
4
4.1
4.2 DHCP
4.3 NAT
4.4 PPTP
4.5
5
5.1
5.2
5.3
5.4
5.5
6
6.1
6.2
6.3
6.4 NAT
6.5
6.6
6.7
1
1.1
Cisco (Fedia), AntiCisco.
The manual is written for version 6.2.
It is distributed under the CC-BY-SA license.
Comments and corrections: daniil@baturin.org. Vyatta.
Notation: <...> stands for a value that you substitute; [...] marks an optional part of a command.
1.2
Vyatta can be downloaded from http://vyatta.org/downloads.
Editions: Core, Subscription and Plus. The commercial editions add features such as TACACS+ and IPS.
Available images include a Live CD iso and a Xen image.
1.3
2
2.1
The Vyatta command line follows the style of Juniper Networks rather than Cisco. A configuration command looks like this:
set system name-server 192.0.2.1
Here set is the command, system name-server is the path to the configuration node and 192.0.2.1 is the value.
The two basic commands are:
set creates a node or assigns a value;
delete removes a node or a value.
Configuration mode is entered with configure and left with exit.
The prompt ends in $ in operational mode and in # in configuration mode.
Changes do not take effect immediately: they are applied with commit and thrown away with discard.
commit comment "<COMMENT TEXT>"
commits with a comment attached to the revision.
commit-confirm [MINUTES]
commits, and rolls the change back unless confirm is issued within MINUTES; this protects you from a change that cuts off your own access to the router.
To keep the configuration across reboots, use save.
Tip 1: line editing keys.
Ctrl-A moves to the beginning of the line;
Ctrl-E moves to the end of the line;
Ctrl-W deletes the word before the cursor;
Ctrl-U deletes from the cursor to the beginning of the line;
Ctrl-K deletes from the cursor to the end of the line;
Alt-B moves back one word;
Alt-F moves forward one word;
Ctrl-C interrupts the running command (or the pager);
Q quits the pager (used for long output);
Ctrl-L clears the screen.
Tip 2: Tab completes commands and arguments and shows the possible completions.
Tip 3: operational commands (such as show ip route) can be run from configuration mode with run, for example
run show ip route
Tip 4: in configuration mode, show displays the configuration of a node, for example
show service nat
Tip 5: related settings of one node are made with separate set commands that share the path, for example:
set service nat rule 10 type destination
set service nat rule 10 source address 192.168.0.0/24
Output can be filtered with pipe modifiers:
|more pages the output;
|no-more prints it without paging;
|match <KEYWORD> prints only the lines containing KEYWORD;
|no-match <KEYWORD> prints only the lines that do not contain KEYWORD;
|count prints the number of lines.
For example, to count the NAT rules:
show service nat|match rule|count
Tip 8: ? shows the help for the current position in the command. To enter a literal ?, press Ctrl-V first.
Tip 9: double quotes inside a quoted value (for example in openvpn-option) are escaped with \". For example:
set openvpn-option "--push \"route 192.168.1.0 255.255.255.0\" "
2.2
Only some nodes (route-map, for example) have a description option. Any node can be given a comment with the comment command; the comment is stored in the configuration and shown above the node. For example:
comment protocols static route 192.168.42.0/24 "Route to remote office"
commit
static {
/* Route to remote office */
route 192.168.42.0/24 {
next-hop 192.168.42.1 {
}
}
To remove a comment, set it to the empty string "".
Nodes can be duplicated with copy and renamed with rename. This is convenient when several nodes differ only in a few values, for example NAT rules that forward different ports to the same host:
vyatta@vyatta# show service nat
rule 10 {
destination {
port http
}
inbound-interface eth0
inside-address {
address 10.91.17.100
port http
}
protocol tcp
type destination
}
[edit]
vyatta@vyatta# edit service nat
[edit service nat]
vyatta@vyatta# copy rule 10 to rule 20
[edit service nat]
vyatta@vyatta# commit
[edit service nat]
vyatta@vyatta# set rule 20 destination port https
vyatta@vyatta# set rule 20 inside-address port https
Vyatta is built on Debian GNU/Linux, but this does not mean the system should be administered the Debian way: the files under /etc are generated at commit time, so manual edits to them are overwritten. Make changes through the configuration system. Commands that must run at boot outside the configuration system can be placed in /etc/rc.local, as on any UNIX system.
3
This chapter covers the basic system settings that are needed on any router.
The host name is set with
set system host-name <NAME>
3.1
The clock runs in UTC by default. The time zone is set with
set system time-zone <REGION/CITY>
for example Europe/Moscow. Time is best kept in sync with NTP; an NTP server is added with
set system ntp server <HOSTNAME>
By default the servers [012].vyatta.pool.ntp.org are used.1
3.2 DNS
A DNS server is added with
set system name-server <IPADDRESS>
The domain name is set with
set system domain-name example.com
With the domain name example.com, a host named host is referred to as host.example.com.
1 See http://kellyherrell.wordpress.com/2010/09/29/vyatta-network-os-officially-everywhere/
3.3
Remote access to the router can be provided by:
Telnet;
SSH;
the web interface.
Telnet is enabled with
set service telnet
To listen on a non-standard port:
set service telnet port <NUMBER>
SSH is enabled with
set service ssh
and accepts the same port option as Telnet.
The web interface is enabled with
set service https
3.4
The default user is vyatta. For each user you can set:
the password;
the full name;
the privilege level.
A user is created as follows:
edit system login user <NAME>
set authentication plaintext-password <PASSWORD>
set full-name "<FULL NAME>"
The plaintext-password is hashed on commit and does not appear in the saved configuration; the configuration stores the hash as
encrypted-password <HASH>
which can also be set directly (for example when transferring a user from another system).
The privilege level is set with set level operator; the levels are operator and admin.
4
This chapter walks through the configuration of a small office router with the following services:
DHCP;
NAT;
PPTP remote access;
firewall.
The network (fig. 4.1):
Internet: eth1, 192.0.2.61/24, default gateway 192.0.2.1
DMZ: eth0.10 (VLAN 10), 192.168.2.1/24, network 192.168.2.0/24
LAN: eth0.20 (VLAN 20), 192.168.1.1/24, network 192.168.1.0/24
4.1
eth0 is the internal interface, eth1 the external one.
The external address is set as follows:
configure
set interfaces ethernet eth1 address 192.0.2.61/24
commit
If the address is obtained via DHCP, use dhcp instead of an address:
set interfaces ethernet eth1 address dhcp
The internal interface carries two VLANs, which are configured as virtual interfaces (vif) of eth0:
edit interfaces ethernet eth0
set vif 10 address 192.168.2.1/24
set vif 20 address 192.168.1.1/24
commit
The result:
# show interfaces ethernet eth0
duplex auto
smp_affinity auto
speed auto
vif 10 {
    address 192.168.2.1/24
}
vif 20 {
    address 192.168.1.1/24
}
The default route:
set protocols static route 0.0.0.0/0 next-hop 192.0.2.1
4.2 DHCP
The DHCP server hands out addresses in the LAN. The configuration:
edit service dhcp-server shared-network-name LAN
set authoritative # this server is authoritative for the network
edit subnet 192.168.1.0/24
set start 192.168.1.100 stop 192.168.1.200 # address pool
set default-router 192.168.1.1 # default gateway for the clients
set dns-server 192.0.2.250 # DNS server for the clients
top
edit service dhcp-server shared-network-name DMZ
set authoritative
4.3 NAT
NAT rules are of two types: source (for hosts going out to the Internet) and destination (for publishing services from the DMZ).
Source NAT for the LAN:
edit service nat rule 10
set source address 192.168.1.0/24
        }
        protocol tcp
        type destination
    }
    rule 40 {
        destination {
            port smtp
        }
        inbound-interface eth1
        inside-address {
            address 192.168.2.50
            port smtp
        }
        protocol tcp
        type destination
    }
Services can be given by name instead of port number, for example http instead of 80. The list of names is in /etc/services:
cat /etc/services
4.4 PPTP
Remote users connect over PPTP. The server is configured as follows (client address pool, DNS server for the clients, local authentication):
edit vpn pptp remote-access
set client-ip-pool start 192.168.3.1
set client-ip-pool stop 192.168.3.50
set dns-servers server-1 192.168.2.50
set authentication mode local
set authentication local-users username User password 2WsX3EdC
4.5
The firewall policy for this network:
allow return traffic for connections established from inside;
allow HTTP (TCP/80) to the web server and SMTP (TCP/25) to the mail server in the DMZ;
allow PPTP (TCP/1723 and GRE) to the router itself;
restrict traffic from the DMZ to the LAN;
block SMTP (TCP/25) from all hosts except the mail server;
drop everything else.
A firewall ruleset is a named list of rules that is attached to an interface in one of three directions:
in for packets entering the router through the interface;
out for packets leaving the router through the interface;
local for packets addressed to the router itself.
Firewall rules are applied to interfaces, so traffic from the DMZ (192.168.2.0/24) to the LAN (192.168.1.0/24) is filtered on the DMZ interface. Four rulesets are needed: Inet-Local, Inet-Router, DMZ-LAN and Local-Inet.
Inet-Local allows established connections and new connections to TCP/80 and TCP/25 in the DMZ; everything else falls through to the default action, which is drop.
edit firewall name Inet-Local
set rule 10 action accept
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action accept
set rule 20 destination port http
set rule 20 protocol tcp
set rule 30 action accept
set rule 30 destination port smtp
set rule 30 protocol tcp
Rules are evaluated in the order of their numbers and the first match wins. The Vyatta firewall is stateful. Connection states: new is the first packet of a connection; established is a packet of an existing connection; related is a packet of a connection opened in relation to another one (for example the data connection of FTP); invalid is a packet that belongs to no known connection. Allowing established and related traffic in the first rule lets return packets through without listing them explicitly in every ruleset.
Inet-Router allows established connections and new PPTP connections to the router:
edit firewall name Inet-Router
set rule 10 action accept
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action accept
set rule 20 destination port 1723
set rule 20 protocol tcp
The rule that blocks outgoing SMTP from everything except the mail server:
rule 10 action drop
rule 10 destination port smtp
rule 10 source address !192.168.2.50
rule 10 protocol tcp
Note the ! in the source address: it negates the match, so the rule drops SMTP from every source except 192.168.2.50.
The rulesets are then attached to interfaces. Inet-Local filters traffic entering through the external interface (in):
set interfaces ethernet eth1 firewall in name Inet-Local
Inet-Router filters traffic addressed to the router itself (local):
set interfaces ethernet eth1 firewall local name Inet-Router
DMZ-LAN filters traffic entering from the DMZ (in), that is, on the VLAN 10 interface:
set interfaces ethernet eth0 vif 10 firewall in name DMZ-LAN
Local-Inet filters traffic leaving through the external interface (out):
set interfaces ethernet eth1 firewall out name Local-Inet
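To check how the rulesets of this chapter behave as a whole, the following Python model (added here as an example; it is not part of the manual and not Vyatta code) replays sample packets through the Inet-Local and Inet-Router rulesets and the SMTP-blocking rule. It assumes first-match evaluation in rule-number order, a default action of drop for the two inbound rulesets and accept for the outbound one (the manual does not show the default actions); the packet and ruleset classes, the name smtp-egress and the sample packets are the example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example, not Vyatta code: a minimal model of the rulesets from section 4.5.


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "gre", ...
    dport: Optional[int] = None
    state: str = "new"         # new / established / related / invalid


@dataclass
class Rule:
    number: int
    action: str                # "accept" or "drop"
    proto: Optional[str] = None
    dport: Optional[int] = None
    src: Optional[str] = None  # network or host; a leading "!" negates, as in the manual
    states: frozenset = frozenset()  # empty means "any state"

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        if self.src is not None:
            negate = self.src.startswith("!")
            net = ip_network(self.src.lstrip("!"), strict=False)
            inside = ip_address(pkt.src) in net
            if inside == negate:   # inside a negated network, or outside a plain one
                return False
        return True


@dataclass
class Ruleset:
    name: str
    rules: list
    default_action: str = "drop"   # assumption: drop unless stated otherwise

    def evaluate(self, pkt: Packet):
        """Return (action, rule number) of the first matching rule, or the default."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(pkt):
                return rule.action, rule.number
        return self.default_action, None


STATEFUL = frozenset({"established", "related"})

INET_LOCAL = Ruleset("Inet-Local", [
    Rule(10, "accept", states=STATEFUL),
    Rule(20, "accept", proto="tcp", dport=80),
    Rule(30, "accept", proto="tcp", dport=25),
])

INET_ROUTER = Ruleset("Inet-Router", [
    Rule(10, "accept", states=STATEFUL),
    Rule(20, "accept", proto="tcp", dport=1723),
])

# The SMTP rule from the manual; assumption: it sits in an outbound ruleset whose default is accept.
SMTP_EGRESS = Ruleset("smtp-egress", [
    Rule(10, "drop", proto="tcp", dport=25, src="!192.168.2.50"),
], default_action="accept")


def trace(ruleset: Ruleset, pkt: Packet) -> str:
    action, number = ruleset.evaluate(pkt)
    where = f"rule {number}" if number is not None else "default action"
    return f"{ruleset.name}: {pkt.proto}/{pkt.dport} from {pkt.src} ({pkt.state}) -> {action} ({where})"


if __name__ == "__main__":
    # Constructed sample packets (documentation address ranges)
    for rs, pkt in [
        (INET_LOCAL, Packet("203.0.113.7", "192.168.2.10", "tcp", 80)),
        (INET_LOCAL, Packet("203.0.113.7", "192.168.2.10", "tcp", 22)),
        (INET_ROUTER, Packet("203.0.113.7", "192.0.2.61", "gre")),
        (SMTP_EGRESS, Packet("192.168.1.5", "198.51.100.25", "tcp", 25)),
        (SMTP_EGRESS, Packet("192.168.2.50", "198.51.100.25", "tcp", 25)),
    ]:
        print(trace(rs, pkt))
```

The GRE case is worth running: with the Inet-Router rules exactly as listed above, a GRE packet to the router falls through to the default action, so the PPTP policy item (TCP/1723 and GRE) is only half implemented until a rule for protocol gre is added.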
5
5.1
Vyatta keeps several copies of the configuration:
the working configuration, which you edit;
the active configuration, which the router is running;
the boot configuration, which is loaded at startup.
Entering configuration mode creates the working copy from the active one. commit makes the working configuration active; save writes the active configuration to the boot configuration (commit alone does not save it, so unsaved changes are lost at reboot).
The boot configuration lives in /opt/vyatta/etc/config/.
Internally the configuration tree is represented as a directory tree: /opt/vyatta/config/active holds the active configuration and /opt/vyatta/config/tmp/* the working copies. A node such as service telnet port becomes the directory service/telnet/port, and its value is stored there in the file node.val. This is what the show commands read.
5.2
The full configuration is printed with show|no-more in configuration mode.
The boot configuration is stored in /opt/vyatta/etc/config/config.boot. save without arguments writes to that file; with an argument it writes to the named file, for example
save config-2011.04.01
A saved file is loaded into the working configuration with
load <FILE NAME>
(a commit is still required afterwards). Instead of a file name a URL can be given:
load ftp://example.com/config.txt
save accepts a URL as well:
save tftp://192.0.2.1/config.boot
If the boot configuration is missing or damaged, the router starts with the default configuration from /opt/vyatta/etc/config.boot.default; the same file is useful when you want to start from a clean configuration.
5.3
The configuration can also be displayed as the set commands that produce it, as Cisco users are accustomed to. This is convenient for copying parts of a configuration to another router:
show configuration commands|match <KEYWORD>
prints the commands for the nodes matching KEYWORD, for example service ssh:
# run show configuration commands |match "service ssh"
set service ssh port 22
set service ssh protocol-version v2
A file of set commands is applied with merge. Unlike load, merge does not replace the working configuration but adds the nodes from the file to it (existing nodes are kept):
merge /path/to/file
5.4
Since version 6.2 every commit can be archived to a remote location. The location is given as a URL:
set system config-management commit-archive location <URL>
5.5
Since version 6.2 the router also keeps previous revisions of the configuration and can show the differences between them. The number of revisions to keep is set with
set system config-management commit-revisions <NUMBER>
The revisions are listed with
show system commit
For example:
# run show system commit
0 2011-04-01 00:20:36 by
1 2011-04-01 00:08:30 by
2 2011-04-01 00:03:16 by
3 2011-04-01 00:01:52 by
A revision can be displayed in full or as a diff against the current configuration:
show system commit file <NUMBER>
show system commit diff <NUMBER>
For example:
# run show system commit diff 0
@@ -110,7 +110,7 @@
console {
}
domain-name baturin.org
host-name dut1
+
host-name r1
login {
user vyatta {
authentication {
@@ -121,8 +121,6 @@
}
21
name-server 10.91.17.10
ntp {
server 0.vyatta.pool.ntp.org {
}
server 1.vyatta.pool.ntp.org {
}
server 2.vyatta.pool.ntp.org {
Lines marked + were added and lines marked - were removed.
6
Vyatta offers the usual Linux diagnostic tools, both through its own CLI commands and, since it is a Linux system, through the standard utilities.
6.1
Logging is the first thing to look at. All daemons write to the system log, which is viewed with show log. The last part of the log:
show log tail
The whole log:
show log all
Log lines have the format
date time host process[pid]: message
for example
Apr 1 06:39:30 vyatta vyatta-zebra[1923]: interface vtun6 index 602 deleted
Some interfaces keep a log of their own (for example PPPoE):
$show interfaces pppoe pppoe0 log
Wed Mar 24 14:43:46 NOVT 2011: PPP interface pppoe0 created
Wed Mar 24 14:44:01 NOVT 2011: Stopping PPP daemon for pppoe0
Wed Mar 24 14:44:02 NOVT 2011: Starting PPP daemon for pppoe0
Serial connection established.
Long output is shown through a pager; press q to leave it.
6.2
Open sockets and connections are listed with
show system connections
The output is that of netstat:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:179             0.0.0.0:*               LISTEN
tcp        0      0 10.55.6.3:179           10.55.6.4:59153         SYN_RECV
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN
tcp        0      0 90.188.xxx.xxx:9755     0.0.0.0:*               LISTEN
tcp        0      0 90.188.xxx.xxx:9756     0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:222             0.0.0.0:*               LISTEN
tcp        0      0 90.188.xxx.xxx:1723     95.191.xx.xx:30279      ESTABLISHED
tcp        0      0 90.188.xxx.xxx:1723     92.125.xx.xxx:50556     ESTABLISHED
tcp        0      0 90.188.xxx.xxx:1723     95.191.xx.xx:32393      ESTABLISHED
tcp        0      0 90.188.xxx.xxx:1723     95.191.xx.xx:32023      ESTABLISHED
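As an added example (not from the manual and not Vyatta code), the following Python functions parse output in the netstat layout shown above and summarise what an administrator reviewing exposure wants to know: which ports are listening on all addresses, how many sessions each service carries, and which connections are stuck half-open. The sample text is constructed to match the layout and uses documentation address ranges; UDP lines, which netstat prints without a State column, are deliberately skipped.

```python
from collections import Counter

# Constructed sample in the layout of `show system connections` (netstat output); not real data.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:179             0.0.0.0:*               LISTEN
tcp        0      0 10.55.6.3:179           10.55.6.4:59153         SYN_RECV
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:222             0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.9:1723       203.0.113.12:30279      ESTABLISHED
tcp        0      0 198.51.100.9:1723       203.0.113.40:50556      ESTABLISHED
tcp        0      0 198.51.100.9:1723       203.0.113.41:32393      ESTABLISHED
"""


def parse_connections(text):
    """Turn netstat-style TCP lines into dicts.

    The header lines are skipped, and so are UDP lines: netstat prints them without
    a State column, so they have fewer than six fields.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        proto, _recvq, _sendq, local, foreign, state = parts[:6]
        lhost, lport = local.rsplit(":", 1)     # rsplit keeps IPv6 addresses intact
        fhost, fport = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state})
    return rows


def listeners(rows):
    """(port, bound_to_all_addresses) for every listening socket, sorted by port."""
    return sorted((int(r["lport"]), r["lhost"] in ("0.0.0.0", "::"))
                  for r in rows if r["state"] == "LISTEN")


def sessions_per_port(rows):
    """How many established sessions each local port carries."""
    return Counter(int(r["lport"]) for r in rows if r["state"] == "ESTABLISHED")


def half_open(rows):
    """Connections still in SYN_RECV: the handshake never completed.

    A few are normal; many on one port point at a flood or at peers that cannot
    receive the router's replies (for example because of asymmetric routing).
    """
    return [(r["lhost"], r["lport"], r["fhost"]) for r in rows if r["state"] == "SYN_RECV"]


if __name__ == "__main__":
    rows = parse_connections(SAMPLE)
    for port, everywhere in listeners(rows):
        print(f"listening on {port} ({'all addresses' if everywhere else 'one address'})")
    print("sessions per port:", dict(sessions_per_port(rows)))
    print("half-open:", half_open(rows))
```

Comparing the listener list against the local firewall ruleset (Inet-Router in chapter 4) is the useful check: every port that listens on all addresses and is not covered by an accept rule or a deliberate default is a service the router exposes without meaning to.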
6.3
The per-rule counters of a firewall ruleset are shown with
show firewall statistics
and the rules with their counters and full details with
show firewall detail
$show firewall statistics
IPv4 Firewall "InternetToLocal":
Active on (eth1,IN)
rule  packets  bytes    action  source     destination
----  -------  -------  ------  ---------  -----------
1     172.75M  78.48G   ACCEPT  0.0.0.0/0  0.0.0.0/0
10    0        0        ACCEPT  0.0.0.0/0  0.0.0.0/0
20    548.49K  30.16M   ACCEPT  0.0.0.0/0  0.0.0.0/0
25    222      11.37K   ACCEPT  0.0.0.0/0  0.0.0.0/0
The counters are reset with
clear firewall <RULESET_NAME>
A rule that is not needed for a while does not have to be deleted: it can be switched off with disable (set firewall <RULESET_NAME> rule <NUMBER> disable).
6.4 NAT
The current translations are listed with
show nat translations
and the per-rule counters with
show nat statistics
The counters of a rule are reset with
clear nat counters rule <NUMBER>
# run show nat statistics
Type Codes: SRC - source, DST - destination, MASQ - masquerade
rule  count  type  IN      OUT
----  -----  ----  ------  ------
10    571K   MASQ          pppoe0
20    4023K  MASQ          pppoe0
150   548K   DST   pppoe0
155   222    DST   pppoe0
As with firewall rules, a NAT rule can be disabled instead of deleted:
set service nat rule <NUMBER> disable
6.5
Problems with Ethernet interfaces are often physical. The interface counters, including errors, are shown with
show interfaces ethernet ethX statistics
and reset with
clear interfaces ethernet ethX counters
show interfaces ethernet ethX physical
shows the physical parameters of the interface (speed, duplex, link state, supported modes) and the driver. The bus-info field identifies the position of the card in the machine, which helps to find out which physical port an interface name corresponds to.
To locate a port visually (on cards that support it), make its LED blink with
show interfaces ethernet ethX identify
6.6
Debugging of a routing protocol is switched on with
debug <PROTOCOL>
optionally restricted to a class of events, for example
debug ospf events
The active debugging settings are shown with
show debugging <PROTOCOL>
and switched off with
no debug <PROTOCOL>
6.7
Other useful commands for the system as a whole:
processes: show system processes;
kernel messages: show system kernel-messages;
boot messages: show system boot-messages;
memory: show system memory (the quagga routing daemons included);
disk usage: show system storage;
PCI devices: show hardware pci.