Vyatta

10 2011, 1.1.1

Contents

1
1.1
1.2
1.3
2
2.1
2.2
3
3.1
3.2 DNS
3.3
3.4
4
4.1
4.2 DHCP
4.3 NAT
4.4 PPTP
4.5
5
5.1
5.2
5.3
5.4
5.5
6
6.1
6.2
6.3
6.4 NAT
6.5
6.6
6.7
1

1.1

This guide is written for administrators who already know Cisco equipment and want to get started with Vyatta. It was prepared for AntiCisco and describes Vyatta 6.2. The text is distributed under the CC-BY-SA license. Corrections and suggestions are welcome at daniil@baturin.org.

Notation used in the text: <...> marks a mandatory parameter that you replace with your own value; [...] marks an optional parameter.

1.2

Vyatta can be downloaded from http://vyatta.org/downloads. There are two editions: Core, which is free, and Subscription Plus, which adds commercial features such as TACACS+ authentication and IPS. The following images are available:
Live CD iso: the standard bootable image, which can be installed to disk and is also used with Xen;
VMware ESX 4 Template: for VMware ESX Server 4;
VMware ESX 3 Template: for VMware ESX Server 3;
Citrix XenServer Template: for Citrix XenServer;
Virtualization iso: for Xen;
KVM and VirtualBox use the ordinary Live CD image.

1.3

Questions can be asked on the forum (http://vyatta.org/forum) and in the #vyatta IRC channel on Freenode. The official documentation is at http://vyatta.org/documentation; Russian-language materials are collected at http://anticisco.ru.

2

2.1

Vyatta uses a hierarchical configuration: settings form a tree of nodes, and every setting is addressed by its path in that tree. In this respect Vyatta resembles JunOS from Juniper Networks rather than Cisco IOS. A configuration command looks like this:
set system name-server 192.0.2.1
Here set is the command, system name-server is the path of the node, and 192.0.2.1 is the value.
The two basic commands are:
set: create a node or assign a value;
delete: remove a node or value.
There are two modes: operational mode and configuration mode. Configuration mode is entered with configure and left with exit. The prompt ends with $ in operational mode and with # in configuration mode.
Changes made in configuration mode do not take effect immediately: they are applied with commit. Uncommitted changes are dropped with discard.
commit comment "<COMMENT TEXT>"
attaches a comment to the commit.
commit-confirm [MINUTES]
applies the changes but reverts them automatically after the given number of minutes unless you enter confirm. Use it for changes that may cut off your own remote access, such as firewall or interface address changes.
Committed changes are not kept across reboots until you run save.

Tip 1: line editing shortcuts:
Ctrl-A: go to the beginning of the line;
Ctrl-E: go to the end of the line;
Ctrl-W: delete the word before the cursor;
Ctrl-U: delete everything before the cursor;
Ctrl-K: delete everything after the cursor;
Alt-B: move one word back;
Alt-F: move one word forward;
Ctrl-C: interrupt the running command (for example a ping or a capture);
Q: quit the pager (for example when viewing a long listing);
Ctrl-L: clear the screen.
Tip 2: Tab completes commands and values.
Tip 3: operational commands (for example show ip route) can be run from configuration mode by prefixing them with run:
run show ip route
Tip 4: in configuration mode, show displays a configuration subtree, for example
show service nat
Tip 5: edit descends into a node so that subsequent commands are relative to it. Instead of
set service nat rule 10 type destination
set service nat rule 10 source address 192.168.0.0/24
you can write
edit service nat rule 10
set type destination
set source address 192.168.0.0/24
Tip 6: top returns to the root of the configuration tree; up goes one level up.
Tip 7: command output can be passed through filters. The available filters are:
|more: page the output;
|no-more: do not page the output;
|match <KEYWORD>: show only lines containing KEYWORD;
|no-match <KEYWORD>: show only lines not containing KEYWORD;
|count: count the lines.
Filters can be chained, for example to count NAT rules:
show service nat|match rule|count
Tip 8: ? shows the possible completions and help at the current point. To enter a literal ? (for example inside a value), press Ctrl-V first and then ?.
Tip 9: when a value itself must contain quotes (for example openvpn-option), escape them with \":
set openvpn-option "--push \"route 192.168.1.0 255.255.255.0\" "

2.2

Many nodes (interfaces, firewall and NAT rules, route-maps and others) have a description option, which is an ordinary configuration value (quote it if it contains spaces). Any node, with or without a description, can be annotated with the comment command. The comment is stored in the configuration and shown above the node in show output, for example:
comment protocols static route 192.168.42.0/24 "Route to remote office"
commit

static {
    /* Route to remote office */
    route 192.168.42.0/24 {
        next-hop 192.168.42.1 {
        }
    }
}
To remove a comment, set it to the empty string "".

Nodes can be duplicated with copy and renamed with rename. This is convenient for rules that differ in a few details only, for example NAT rules for different ports. Both commands operate relative to the current edit level:
vyatta@vyatta# show service nat
rule 10 {
    destination {
        port http
    }
    inbound-interface eth0
    inside-address {
        address 10.91.17.100
        port http
    }
    protocol tcp
    type destination
}
[edit]
vyatta@vyatta# edit service nat
[edit service nat]
vyatta@vyatta# copy rule 10 to rule 20
[edit service nat]
vyatta@vyatta# commit
[edit service nat]
vyatta@vyatta# set rule 20 destination port https
vyatta@vyatta# set rule 20 inside-address port https

Vyatta is based on Debian GNU/Linux, and the configuration files under /etc are generated from the Vyatta configuration on every commit. Hand edits to those files are therefore overwritten by the next commit. Anything that cannot be expressed in the Vyatta configuration can be put in /etc/rc.local, the usual UNIX way; keep in mind that such additions are invisible to the configuration system and have to be backed up separately.

3

This chapter covers the settings every router needs regardless of its role: host name, time, DNS, management services and user accounts.
The host name is set with
set system host-name <NAME>
It appears in the prompt and in log messages, so choose it before you start collecting logs from several routers.

3.1

The system clock runs in UTC by default. The time zone is set with
set system time-zone <REGION/CITY>
for example Europe/Moscow. Tab completion lists the available zones.
Correct time matters for log correlation and for anything that checks certificate or key lifetimes, so configure NTP. An NTP server is added with
set system ntp server <HOSTNAME>
The default configuration uses the [012].vyatta.pool.ntp.org servers. (1)

3.2 DNS

A DNS server is added with
set system name-server <IPADDRESS>
The domain name of the router is set with
set system domain-name example.com
so that a host named host becomes host.example.com.

(1) See http://kellyherrell.wordpress.com/2010/09/29/vyatta-network-os-officially-everywhere/

3.3

The router can be managed over:
Telnet;
SSH;
the web interface.
Telnet is enabled with
set service telnet
and optionally moved to another port with
set service telnet port <NUMBER>
SSH is enabled with
set service ssh
and accepts the same port option as Telnet. Telnet transmits passwords in cleartext; prefer SSH and do not expose Telnet on the Internet-facing interface.
The web interface is enabled with
set service https

3.4

The default user is vyatta (password vyatta); change its password or replace it with your own accounts before the router is connected to a network you do not control. A user account consists of:
a user name;
a password;
a privilege level.
A user is created with:
edit system login user <NAME>
set authentication plaintext-password <PASSWORD>
set full-name "<FULL NAME>"
The plaintext-password value is hashed on commit and stored as encrypted-password <HASH>; the plaintext never reaches the saved configuration. If you already have a hash (for example from another router), set encrypted-password <HASH> directly.
The privilege level is set with set level operator or set level admin. The two levels are operator and admin: operator users can run operational commands only, admin users can also enter configuration mode.

4

This chapter builds a small office router step by step. The router will:
serve DHCP to the internal networks;
route between the VLANs and the Internet;
masquerade outbound traffic and forward HTTP and SMTP to a DMZ server (NAT);
terminate a PPTP remote-access VPN;
filter traffic with a stateful firewall.

Figure 4.1: the example network.
Internet: eth1, 192.0.2.61/24
LAN: eth0.20, 192.168.1.1/24, network 192.168.1.0/24
DMZ: eth0.10, 192.168.2.1/24, network 192.168.2.0/24

The router is connected to the provider through eth1; the provider's gateway is 192.0.2.1. eth0 is a trunk carrying two VLANs: 20 for the LAN (192.168.1.0/24) and 10 for the DMZ (192.168.2.0/24).

4.1

eth0 faces the internal networks and eth1 faces the Internet. The external address is configured with:
configure
set interfaces ethernet eth1 address 192.0.2.61/24
commit
If the provider assigns addresses over DHCP, use the keyword dhcp instead of an address:
set interfaces ethernet eth1 address dhcp
The internal networks live on VLAN subinterfaces (vif) of eth0:
edit interfaces ethernet eth0
set vif 10 address 192.168.2.1/24
set vif 20 address 192.168.1.1/24
commit
The result can be checked with show:
# show interfaces ethernet eth0
duplex auto
smp_affinity auto
speed auto
vif 10 {
    address 192.168.2.1/24
}
vif 20 {
    address 192.168.1.1/24
}
Finally, the default route points at the provider's gateway:
set protocols static route 0.0.0.0/0 next-hop 192.0.2.1

4.2 DHCP

The DHCP server hands out addresses in both internal networks. Each network is a shared-network-name with a subnet inside it:
edit service dhcp-server shared-network-name LAN
set authoritative enable                     # this server is authoritative for the network
edit subnet 192.168.1.0/24
set start 192.168.1.100 stop 192.168.1.200   # dynamic address range
set default-router 192.168.1.1               # gateway handed to clients
set dns-server 192.0.2.250                   # DNS server handed to clients
top
edit service dhcp-server shared-network-name DMZ
set authoritative enable
edit subnet 192.168.2.0/24
set start 192.168.2.100 stop 192.168.2.200
set default-router 192.168.2.1
set dns-server 192.0.2.250
The DMZ server must always get 192.168.2.50. Its MAC address is 00:aa:bb:cc:dd:ee, so a static mapping is added for it:
edit service dhcp-server shared-network-name DMZ
edit subnet 192.168.2.0/24
set static-mapping Server ip-address 192.168.2.50
set static-mapping Server mac-address 00:aa:bb:cc:dd:ee
The resulting configuration:
# show service dhcp-server
shared-network-name DMZ {
    subnet 192.168.2.0/24 {
        default-router 192.168.2.1
        dns-server 192.0.2.250
        start 192.168.2.100 {
            stop 192.168.2.200
        }
        static-mapping Server {
            ip-address 192.168.2.50
            mac-address 00:aa:bb:cc:dd:ee
        }
    }
}
shared-network-name LAN {
    subnet 192.168.1.0/24 {
        default-router 192.168.1.1
        dns-server 192.0.2.250
        start 192.168.1.100 {
            stop 192.168.1.200
        }
    }
}
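Before committing a DHCP block it is worth checking it for the mistakes that the CLI does not catch for you: a pool that does not lie in its subnet, a gateway inside the pool, a fixed address inside the dynamic range, or a malformed MAC. The following script is an added example, not code from the guide or from Vyatta; it transcribes the two shared-network-name blocks above into dicts, adds a deliberately broken DMZ variant (constructed) to show what gets reported, and assumes ISC dhcpd behaviour for the pool/fixed-address conflict (a fixed address inside a dynamic range is not reserved out of it).

```python
"""Sanity checks on a DHCP server configuration before commit.

Added example, not part of the guide or of Vyatta. SHARED_NETWORKS transcribes
section 4.2; BROKEN_DMZ is a constructed faulty variant. The pool/fixed-address
conflict check reflects ISC dhcpd behaviour, which Vyatta uses: a fixed address
inside a dynamic range is not reserved out of that range.
"""
import ipaddress
import re
from typing import Dict, List

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

SHARED_NETWORKS: Dict[str, dict] = {
    "LAN": {"subnet": "192.168.1.0/24", "start": "192.168.1.100",
            "stop": "192.168.1.200", "default-router": "192.168.1.1",
            "dns-server": "192.0.2.250", "static-mapping": {}},
    "DMZ": {"subnet": "192.168.2.0/24", "start": "192.168.2.100",
            "stop": "192.168.2.200", "default-router": "192.168.2.1",
            "dns-server": "192.0.2.250",
            "static-mapping": {"Server": {"ip-address": "192.168.2.50",
                                          "mac-address": "00:aa:bb:cc:dd:ee"}}},
}

# Constructed faulty variant: router in the wrong subnet, mapping inside the pool, bad MAC.
BROKEN_DMZ = {
    "subnet": "192.168.2.0/24", "start": "192.168.2.100", "stop": "192.168.2.200",
    "default-router": "192.168.1.1", "dns-server": "192.0.2.250",
    "static-mapping": {"Server": {"ip-address": "192.168.2.150",
                                  "mac-address": "00:aa:bb:cc:dd:ee"},
                       "Printer": {"ip-address": "192.168.2.51",
                                   "mac-address": "00aabbccddff"}},
}


def check_shared_network(name: str, cfg: dict) -> List[str]:
    """Return a list of findings; an empty list means the block is consistent."""
    findings: List[str] = []
    net = ipaddress.ip_network(cfg["subnet"])
    start = ipaddress.ip_address(cfg["start"])
    stop = ipaddress.ip_address(cfg["stop"])
    router = ipaddress.ip_address(cfg["default-router"])

    if start not in net or stop not in net:
        findings.append(f"{name}: pool {start}-{stop} is not inside {net}")
    if start > stop:
        findings.append(f"{name}: pool start {start} is after stop {stop}")
    if router not in net:
        findings.append(f"{name}: default-router {router} is not inside {net}")
    elif start <= router <= stop:
        findings.append(f"{name}: default-router {router} lies inside the dynamic pool")

    seen: Dict[ipaddress.IPv4Address, str] = {}
    for host, mapping in cfg.get("static-mapping", {}).items():
        ip = ipaddress.ip_address(mapping["ip-address"])
        if ip not in net:
            findings.append(f"{name}: static-mapping {host} ({ip}) is not inside {net}")
        if start <= ip <= stop:
            findings.append(f"{name}: static-mapping {host} ({ip}) lies inside the dynamic pool")
        if not MAC_RE.match(mapping["mac-address"]):
            findings.append(f"{name}: static-mapping {host} has malformed mac-address "
                            f"{mapping['mac-address']}")
        if ip in seen:
            findings.append(f"{name}: static-mapping {host} reuses {ip} already given to {seen[ip]}")
        seen[ip] = host
    return findings


def check_all(networks: Dict[str, dict]) -> Dict[str, List[str]]:
    """Run the checks over every shared network and collect the findings by name."""
    return {name: check_shared_network(name, cfg) for name, cfg in networks.items()}


if __name__ == "__main__":
    for name, findings in check_all({**SHARED_NETWORKS, "DMZ-broken": BROKEN_DMZ}).items():
        print(name, "ok" if not findings else "")
        for finding in findings:
            print("  ", finding)
```

The checks are deliberately limited to what can be decided from the block itself; whether 192.0.2.250 is actually reachable from the clients is a routing and firewall question, not a DHCP one.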

4.3 NAT

Two kinds of NAT are needed: source NAT (masquerade) so that the internal networks can reach the Internet, and destination NAT to publish the DMZ server. Outbound NAT for the LAN:
edit service nat rule 10
set source address 192.168.1.0/24
set outbound-interface eth1
set type masquerade
set description "LAN to the Internet"
and for the DMZ:
edit service nat rule 20
set source address 192.168.2.0/24
set outbound-interface eth1
set type masquerade
set description "DMZ to the Internet"
Inbound connections to the DMZ server must be forwarded. It serves HTTP on port 80 and mail on port 25:
edit service nat rule 30
set destination port http
set protocol tcp
set inbound-interface eth1
set inside-address address 192.168.2.50
set inside-address port http
set type destination
Rule 40 for port 25 is identical except that the port is smtp. The resulting configuration:
# show service nat
rule 10 {
    description "LAN to the Internet"
    outbound-interface eth1
    source {
        address 192.168.1.0/24
    }
    type masquerade
}
rule 20 {
    description "DMZ to the Internet"
    outbound-interface eth1
    source {
        address 192.168.2.0/24
    }
    type masquerade
}
rule 30 {
    destination {
        port http
    }
    inbound-interface eth1
    inside-address {
        address 192.168.2.50
        port http
    }
    protocol tcp
    type destination
}
rule 40 {
    destination {
        port smtp
    }
    inbound-interface eth1
    inside-address {
        address 192.168.2.50
        port smtp
    }
    protocol tcp
    type destination
}
Ports can be given by name or by number; http is the same as 80. The names come from /etc/services and can be listed with
cat /etc/services
Note that destination NAT only rewrites addresses; whether the forwarded packets are allowed through is decided by the firewall (section 4.5).

4.4 PPTP

Remote users connect over PPTP. The clients get addresses from a dedicated pool, the DMZ server as their DNS server, and are authenticated against a local user list:
edit vpn pptp remote-access
set client-ip-pool start 192.168.3.1
set client-ip-pool stop 192.168.3.50
set dns-servers server-1 192.168.2.50
set authentication mode local
set authentication local-users username User password 2WsX3EdC
The client pool must not overlap the LAN or the DMZ, and the firewall (section 4.5) has to admit TCP/1723 and GRE to the router. PPTP with MS-CHAPv2 authentication is weak by today's standards; use it only where nothing better is available and treat the user passwords as exposed to offline attacks.

4.5

The firewall is where the design decisions are made, so the policy is written down before any rule. The requirements:
stateful filtering: return traffic of established connections is allowed;
HTTP (TCP/80) and SMTP (TCP/25) from the Internet to the DMZ server;
PPTP (TCP/1723 and GRE) from the Internet to the router itself;
hosts in the DMZ may not open connections to the LAN, but may answer connections opened from it;
outgoing SMTP (TCP/25) is allowed only from the mail server, 192.168.2.50, so that an infected workstation cannot send mail directly;
everything else from the Internet is dropped.
In Vyatta a firewall is a named ruleset applied to an interface in one of three directions:
in: packets arriving on the interface and forwarded through the router;
out: packets leaving through the interface;
local: packets addressed to the router itself.
Rules are tried in order of their numbers and the first match wins; packets that match no rule get the default-action of the ruleset, which is drop unless changed. The policy above is split into four rulesets: Inet-Local (from the Internet to the internal networks), Inet-Router (from the Internet to the router), DMZ-LAN and Local-Inet.
Inet-Local accepts established and related traffic plus new connections to TCP/80 and TCP/25; everything else is dropped by the default action:
edit firewall name Inet-Local
set rule 10 action accept
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action accept
set rule 20 destination port http
set rule 20 protocol tcp
set rule 30 action accept
set rule 30 destination port smtp
set rule 30 protocol tcp
The Vyatta firewall is stateful: it tracks connections. The states are new, the first packet of a connection; established, a packet of a connection already seen in both directions; related, a connection opened in relation to an existing one (for example the data connection of FTP, recognised by a protocol helper); and invalid, a packet that belongs to no known connection and does not open a valid one. A rule without a state condition matches packets in any state.
Inet-Router allows PPTP to the router itself:
edit firewall name Inet-Router
set rule 10 action accept
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action accept
set rule 20 destination port 1723
set rule 20 protocol tcp
What about GRE, which carries the PPTP tunnel itself? The PPTP connection-tracking helper marks the GRE tunnel as related to the TCP/1723 control connection, so rule 10 accepts it and no separate GRE rule is needed. Note that SSH is deliberately absent from this ruleset: once it is applied, the router can be managed only from the inside.
DMZ-LAN inverts the logic: the default action is accept and only new connections to the LAN are dropped:
edit firewall name DMZ-LAN
set default-action accept
set rule 10 action drop
set rule 10 destination address 192.168.1.0/24
set rule 10 state new enable
Established and related packets do not match rule 10, so replies from DMZ hosts to connections opened from the LAN pass.
Local-Inet filters traffic leaving towards the Internet. Everything is allowed except SMTP, which may come only from the mail server:
edit firewall name Local-Inet
set default-action accept
set rule 10 action drop
set rule 10 destination port smtp
set rule 10 source address !192.168.2.50
set rule 10 protocol tcp
The ! in source address negates the condition: the rule matches SMTP connections from any address except 192.168.2.50.

Rulesets do nothing until they are applied to interfaces. Inet-Local is applied to the external interface in the in direction:
set interfaces ethernet eth1 firewall in name Inet-Local
Inet-Router in the local direction of the same interface:
set interfaces ethernet eth1 firewall local name Inet-Router
DMZ-LAN to the DMZ VLAN interface in the in direction, because packets from the DMZ enter the router there:
set interfaces ethernet eth0 vif 10 firewall in name DMZ-LAN
Local-Inet to the external interface in the out direction:
set interfaces ethernet eth1 firewall out name Local-Inet
Do not forget to commit. When applying rulesets to the interface you are logged in through, commit-confirm (section 2.1) saves you a trip to the console.
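The four rulesets above are short enough to check by hand, but the rules of evaluation (first match in number order, a missing condition matches anything, a missing state condition matches any state, default-action drop unless changed, "!" negating an address) are exactly what people get wrong. The following script is an added example, not code from the guide or from Vyatta: it transcribes the section's rulesets into dicts, implements that evaluation model, and runs the policy requirements listed at the start of the section through it. The host addresses used for the test packets (198.51.100.7 on the Internet, 192.168.1.10 in the LAN) and the small port-name table are constructed for the example.

```python
"""First-match evaluation of the four rulesets from section 4.5.

Added example, not part of the guide or of Vyatta: a model of how a Vyatta
ruleset is evaluated, so a policy can be checked before commit. Assumptions:
rule numbers define the order, a rule with no state condition matches any
state, a ruleset without default-action drops, and PORT_NAMES is a
hand-picked subset of /etc/services.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Subset of /etc/services (constructed for this example).
PORT_NAMES = {"http": 80, "https": 443, "smtp": 25, "ssh": 22, "pptp": 1723}

# The rulesets exactly as configured in section 4.5, transcribed into dicts.
RULESETS: Dict[str, dict] = {
    "Inet-Local": {"rules": {
        10: {"action": "accept", "state": {"established", "related"}},
        20: {"action": "accept", "protocol": "tcp", "dport": "http"},
        30: {"action": "accept", "protocol": "tcp", "dport": "smtp"},
    }},
    "Inet-Router": {"rules": {
        10: {"action": "accept", "state": {"established", "related"}},
        20: {"action": "accept", "protocol": "tcp", "dport": "1723"},
    }},
    "DMZ-LAN": {"default-action": "accept", "rules": {
        10: {"action": "drop", "dst": "192.168.1.0/24", "state": {"new"}},
    }},
    "Local-Inet": {"default-action": "accept", "rules": {
        10: {"action": "drop", "protocol": "tcp", "dport": "smtp",
             "src": "!192.168.2.50"},
    }},
}


def port_number(port: str) -> int:
    """Resolve a port given by name or by number, as the CLI accepts both."""
    return int(port) if port.isdigit() else PORT_NAMES[port]


def addr_matches(spec: Optional[str], ip: str) -> bool:
    """Match an address or prefix condition; a leading '!' negates it."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def packet(protocol: str, src: str, dst: str, dport: Optional[int] = None,
           state: str = "new") -> dict:
    """A minimal packet description: what the firewall looks at."""
    return {"protocol": protocol, "src": src, "dst": dst,
            "dport": dport, "state": state}


def rule_matches(rule: dict, pkt: dict) -> bool:
    """Every condition present in the rule must hold; absent ones match anything."""
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dport" in rule and port_number(rule["dport"]) != pkt["dport"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return (addr_matches(rule.get("src"), pkt["src"])
            and addr_matches(rule.get("dst"), pkt["dst"]))


def evaluate(ruleset: dict, pkt: dict) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number); None means the default-action applied."""
    for number in sorted(ruleset["rules"]):
        rule = ruleset["rules"][number]
        if rule.get("disable"):          # 'set ... rule N disable' (section 6.3)
            continue
        if rule_matches(rule, pkt):
            return rule["action"], number
    return ruleset.get("default-action", "drop"), None


def check_policy() -> Dict[str, Tuple[str, Optional[int]]]:
    """Run the requirements listed at the start of section 4.5 through the model."""
    r = RULESETS
    inet, lan_pc, dmz_srv, wan = "198.51.100.7", "192.168.1.10", "192.168.2.50", "192.0.2.61"
    return {
        "http to dmz server": evaluate(r["Inet-Local"], packet("tcp", inet, dmz_srv, 80)),
        "ssh from internet to lan": evaluate(r["Inet-Local"], packet("tcp", inet, lan_pc, 22)),
        "reply to lan browsing": evaluate(r["Inet-Local"], packet("tcp", inet, lan_pc, 443, "established")),
        "pptp control to router": evaluate(r["Inet-Router"], packet("tcp", inet, wan, 1723)),
        "pptp gre to router": evaluate(r["Inet-Router"], packet("gre", inet, wan, None, "related")),
        "ssh to router from internet": evaluate(r["Inet-Router"], packet("tcp", inet, wan, 22)),
        "dmz opens smb to lan": evaluate(r["DMZ-LAN"], packet("tcp", dmz_srv, lan_pc, 445)),
        "dmz answers lan": evaluate(r["DMZ-LAN"], packet("tcp", dmz_srv, lan_pc, 3389, "established")),
        "dmz to internet": evaluate(r["DMZ-LAN"], packet("tcp", dmz_srv, inet, 80)),
        "workstation sends smtp": evaluate(r["Local-Inet"], packet("tcp", lan_pc, inet, 25)),
        "mail server sends smtp": evaluate(r["Local-Inet"], packet("tcp", dmz_srv, inet, 25)),
    }


if __name__ == "__main__":
    for name, (action, rule) in check_policy().items():
        print(f"{name:30s} {action:6s} rule {rule}")
```

The model covers only the conditions this section uses; the real firewall also matches on ICMP types, TCP flags and more. It is enough to see, for instance, that "ssh to router from internet" falls through to the implicit drop, which is the case the text warns about.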

5

5.1

This chapter looks at how the configuration is stored and managed. Vyatta keeps three copies of the configuration:
the working configuration, which you edit in configuration mode;
the active configuration, which the router is currently running;
the boot configuration, which is loaded at startup.
set and delete change the working copy; commit makes the working copy active and regenerates the underlying Linux configuration files; save writes the active copy to the boot configuration. Without save, a reboot brings the old configuration back.
The boot configuration is the file /opt/vyatta/etc/config/config.boot. The active and working copies are kept not as files but as directory trees: /opt/vyatta/config/active (the active configuration) and /opt/vyatta/config/tmp/* (the working copies). Every node is a directory named after its path, so service telnet port becomes service/telnet/port, and the value of a leaf node is stored in the file node.val inside that directory. You rarely need to touch these trees directly, but they are what commit compares when it works out which changes to apply.

5.2

The whole configuration is displayed from configuration mode with show|no-more. The output has the same format as the boot file, which makes it easy to copy into a text editor or a ticket.
The configuration is saved to disk with save. Without arguments it writes /opt/vyatta/etc/config/config.boot; with a file name it writes a copy under /opt/vyatta/etc/config/, which is handy for keeping a snapshot before a risky change:
save config-2011.04.01
A saved file is loaded into the working configuration with
load <FILE NAME>
followed by commit. The file name can also be a URL, so a configuration can be fetched from a server:
load ftp://example.com/config.txt
save accepts URLs as well, for example to push a copy to a TFTP server:
save tftp://192.0.2.1/config.boot
Keep in mind that a configuration file contains password hashes, pre-shared keys and the like: FTP and TFTP transfer it unencrypted, so use them only on a trusted management network.
To return to the factory configuration (for example on a box you reuse), load /opt/vyatta/etc/config.boot.default, then commit and save.

5.3

Besides the hierarchical view, the configuration can be shown as the list of set commands that would recreate it, which is closer to what Cisco administrators are used to:
show configuration commands|match <KEYWORD>
shows only the commands containing KEYWORD, for example everything about service ssh:
# run show configuration commands |match "service ssh"
set service ssh port 22
set service ssh protocol-version v2
Such a list can be pasted into configuration mode on another router.
A file in the configuration format can be combined with the current configuration using merge:
merge /path/to/file
Unlike load, which replaces the working configuration, merge adds the contents of the file to it and leaves the rest untouched. The result still has to be committed.
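The two views of the configuration, the brace-structured tree of sections 2.2 and 5.1 and the flat list of set commands above, are mechanically equivalent, and it is useful to be able to convert one into the other offline, for instance to diff archived config.boot files (section 5.4) as set commands. The following parser is an added example, not code from the guide or from Vyatta. It assumes the format shown in the guide: statements end at a newline, "name [tag] {" opens a node, "}" closes it, values with spaces are double-quoted, and comments added with the comment command appear as /* ... */. The sample input is the NAT subtree from section 4.3 with a comment attached (constructed).

```python
"""Parse the brace-structured configuration format into a tree and emit
'set' commands, the way 'show configuration commands' does.

Added example, not part of the guide or of Vyatta. Assumes the format shown in
sections 2.2 and 5.1: statements end at a newline, 'name [tag] {' opens a node,
'}' closes it, values containing spaces are double-quoted, and comments added
with the 'comment' command appear as /* ... */.
"""
import re
from typing import Dict, List, Union

Tree = Dict[str, Union["Tree", List[str]]]

# Constructed sample: the NAT subtree of section 4.3 with a comment attached.
SAMPLE_CONFIG = """\
service {
    nat {
        /* Outbound NAT for the office */
        rule 10 {
            description "LAN to the Internet"
            outbound-interface eth1
            source {
                address 192.168.1.0/24
            }
            type masquerade
        }
        rule 30 {
            destination {
                port http
            }
            inbound-interface eth1
            inside-address {
                address 192.168.2.50
                port http
            }
            protocol tcp
            type destination
        }
    }
}
"""

# Tokens: quoted string, /* comment */, brace, newline, bare word.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|/\*.*?\*/|[{}]|\n|[^\s{}"]+', re.S)


def parse(text: str) -> Tree:
    """Build a tree: container nodes are dicts, leaf nodes are lists of values."""
    root: Tree = {}
    stack: List[Tree] = [root]
    words: List[str] = []
    for tok in TOKEN_RE.findall(text):
        if tok.startswith("/*"):
            continue                      # comments are not configuration nodes
        if tok == "{":
            node = stack[-1]
            for w in words:               # 'rule 10 {' nests as rule -> 10
                child = node.get(w)
                if not isinstance(child, dict):
                    child = node[w] = {}
                node = child
            stack.append(node)
            words = []
        elif tok == "}":
            if words:
                raise ValueError(f"statement without newline before '}}': {words}")
            stack.pop()
            if not stack:
                raise ValueError("unbalanced '}'")
        elif tok == "\n":
            if words:                     # leaf: 'name value' or a bare 'name'
                leaf = stack[-1].setdefault(words[0], [])
                if not isinstance(leaf, list):
                    raise ValueError(f"{words[0]} is both a node and a leaf")
                leaf.extend(words[1:])
                words = []
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root


def to_set_commands(tree: Tree, path: tuple = ()) -> List[str]:
    """Flatten the tree into 'set <path> [value]' lines, one per leaf value."""
    cmds: List[str] = []
    for key, child in tree.items():
        here = path + (key,)
        if isinstance(child, dict) and child:
            cmds.extend(to_set_commands(child, here))
        elif isinstance(child, list) and child:
            cmds.extend("set " + " ".join(here + (v,)) for v in child)
        else:                             # empty node or valueless leaf
            cmds.append("set " + " ".join(here))
    return cmds


def lookup(tree: Tree, node_path: str):
    """Resolve a slash path, like the directories under /opt/vyatta/config/active."""
    node = tree
    for part in node_path.strip("/").split("/"):
        node = node[part]
    return node


if __name__ == "__main__":
    for cmd in to_set_commands(parse(SAMPLE_CONFIG)):
        print(cmd)
```

Quoted values are passed through unchanged, so the emitted description line can be pasted back into the CLI as it is; an empty node such as a next-hop with no children becomes a set command for the path alone, which is how the CLI creates it.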

5.4

Since Vyatta 6.2 every commit can be archived to a remote server automatically. The archive location is set with:
set system config-management commit-archive location <URL>
For example:
# show system config-management
commit-archive {
    location ftp://10.91.17.5/pub/configs
}
After every commit the configuration is uploaded to that location under the name
config.boot-yourhostname.yyyymmdd_hhmmss
TFTP, FTP and SCP are supported. Prefer SCP: the archived file is a complete configuration, including password hashes and keys, and FTP and TFTP send it in cleartext, FTP together with the server credentials from the URL.

5.5

Vyatta 6.2 also keeps a local history of commits, so that a previous configuration can be inspected and compared with the current one. The number of revisions to keep is set with:
set system config-management commit-revisions <NUMBER>
The history is listed with
show system commit
Revision 0 is the most recent commit, 1 the one before it, and so on. For example:
# run show system commit
0   2011-04-01 00:20:36 by vyatta via cli
1   2011-04-01 00:08:30 by user1 via cli
2   2011-04-01 00:03:16 by user2 via cli
3   2011-04-01 00:01:52 by user3 via cli
The configuration of a revision is shown with
show system commit file <NUMBER>
and the difference between a revision and the current configuration with
show system commit diff <NUMBER>
For example:
# run show system commit diff 0
@@ -110,7 +110,7 @@
     console {
     }
     domain-name baturin.org
-    host-name dut1
+    host-name r1
     login {
         user vyatta {
             authentication {
@@ -121,8 +121,6 @@
     }
     name-server 10.91.17.10
     ntp {
         server 0.vyatta.pool.ntp.org {
         }
         server 1.vyatta.pool.ntp.org {
         }
         server 2.vyatta.pool.ntp.org {
Lines marked with + were added and lines marked with - removed, as in the unified diff format. The history also records who changed what and when, which is the first thing to check when a router starts behaving differently.

6

Vyatta provides the usual troubleshooting commands in its CLI, and since it is a Linux system the standard Linux tools are available from the shell as well when the CLI does not cover a case.

6.1

The log is the first place to look. Messages from all subsystems (the kernel, the routing daemons, VPN and others) go to the system log.
show log shows the log through a pager.
show log tail
shows the last lines.
show log all
shows the complete log.
The format of a message is:
[date and time] [host name] [process[pid]]: [message]
for example
Apr 1 06:39:30 vyatta vyatta-zebra[1923]: interface vtun6 index 602 deleted
Some interfaces have a log of their own, separate from the system log (for example PPPoE):
$ show interfaces pppoe pppoe0 log
Wed Mar 24 14:43:46 NOVT 2011: PPP interface pppoe0 created
Wed Mar 24 14:44:01 NOVT 2011: Stopping PPP daemon for pppoe0
Wed Mar 24 14:44:02 NOVT 2011: Starting PPP daemon for pppoe0
Serial connection established.
The pager is left with q.
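Once the message format is known, the log can be processed outside the router: split each line into timestamp, host, process, pid and message, count messages per process, and look for patterns such as an interface that is repeatedly added and deleted. The script below is an added example, not code from the guide or from Vyatta. The log lines are constructed in the format described above; only the first one is taken from the guide, and the flapping threshold is an arbitrary choice.

```python
"""Parse 'show log' lines into fields and spot interface churn.

Added example, not part of the guide or of Vyatta. SAMPLE_LOG is constructed
in the format of section 6.1 (only its first line is from the guide); the
threshold in flapping_interfaces() is arbitrary.
"""
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# "Mon dd hh:mm:ss host process[pid]: message"; pid is optional (kernel messages).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$")

SAMPLE_LOG = """\
Apr  1 06:39:30 vyatta vyatta-zebra[1923]: interface vtun6 index 602 deleted
Apr  1 06:39:31 vyatta vyatta-zebra[1923]: interface vtun6 index 603 added
Apr  1 06:39:35 vyatta vyatta-zebra[1923]: interface vtun6 index 603 deleted
Apr  1 06:39:36 vyatta vyatta-zebra[1923]: interface vtun6 index 604 added
Apr  1 06:40:02 vyatta sshd[2210]: Accepted publickey for vyatta from 192.168.1.10 port 50112 ssh2
Apr  1 06:40:40 vyatta pptpd[2301]: CTRL: Client 198.51.100.7 control connection started
Apr  1 06:41:00 vyatta kernel: eth1: link down
"""


class LogRecord(NamedTuple):
    timestamp: str
    host: str
    process: str
    pid: Optional[int]
    message: str


def parse_log(text: str) -> List[LogRecord]:
    """Parse every line that fits the format; continuation lines are skipped."""
    records: List[LogRecord] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append(LogRecord(m["ts"], m["host"], m["proc"],
                                 int(m["pid"]) if m["pid"] else None, m["msg"]))
    return records


def messages_per_process(records: List[LogRecord]) -> Counter:
    """Which daemon is talking the most: a quick first look at a noisy log."""
    return Counter(r.process for r in records)


IFACE_EVENT_RE = re.compile(r"interface (\S+) index \d+ (added|deleted)")


def flapping_interfaces(records: List[LogRecord], threshold: int = 3) -> List[str]:
    """Interfaces with at least `threshold` add/delete events reported by zebra."""
    events: Counter = Counter()
    for r in records:
        if r.process != "vyatta-zebra":
            continue
        m = IFACE_EVENT_RE.search(r.message)
        if m:
            events[m.group(1)] += 1
    return sorted(name for name, n in events.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(messages_per_process(recs))
    print("flapping:", flapping_interfaces(recs))
```

The timestamp carries no year, as the guide's example shows; when archiving logs from several routers, add the year and the host name from the record before merging them.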

6.2

The sockets the router itself has open are listed with
show system connections
Example:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:179             0.0.0.0:*               LISTEN
tcp        0      0 10.55.6.3:179           10.55.6.4:59153         SYN_RECV
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN
tcp        0      0 90.188.xxx.xxx:9755     0.0.0.0:*               LISTEN
tcp        0      0 90.188.xxx.xxx:9756     0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:222             0.0.0.0:*               LISTEN
tcp        0      0 90.188.xxx.xxx:1723     95.191.xx.xx:30279      ESTABLISHED
tcp        0      0 90.188.xxx.xxx:1723     92.125.xx.xxx:50556     ESTABLISHED
tcp        0      0 90.188.xxx.xxx:1723     95.191.xx.xx:32393      ESTABLISHED
tcp        0      0 90.188.xxx.xxx:1723     95.191.xx.xx:32023      ESTABLISHED
The tcp lines are followed by udp lines in the same format, so the output covers both TCP and UDP sockets. A socket in state LISTEN bound to 0.0.0.0 accepts connections on every interface, so compare this list with the local firewall ruleset of the external interface: every listener on 0.0.0.0 that the ruleset does not admit is protected by the firewall alone.
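That comparison can be automated: parse the listing, keep the listening sockets, and report the ones reachable from the outside that the local ruleset does not admit. The script below is an added example, not code from the guide or from Vyatta. Its sample output is constructed after the listing above (documentation addresses replace the masked ones and two UDP lines are added), and the allowed set is what Inet-Router from section 4.5 accepts for new connections, TCP/1723 only.

```python
"""Audit the listening sockets in 'show system connections' output against the
ports the local firewall ruleset admits.

Added example, not part of the guide or of Vyatta. SAMPLE_OUTPUT is constructed
after the listing in section 6.2; ALLOWED_BY_LOCAL_RULESET is what Inet-Router
(section 4.5) accepts for new connections; WAN_ADDRESSES is eth1 from 4.1.
"""
from typing import List, NamedTuple, Set, Tuple

SAMPLE_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:179             0.0.0.0:*               LISTEN
tcp        0      0 10.55.6.3:179           10.55.6.4:59153         SYN_RECV
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.61:9755         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:222             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.61:1723         198.51.100.7:30279      ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
"""

ALLOWED_BY_LOCAL_RULESET: Set[Tuple[str, int]] = {("tcp", 1723)}
WAN_ADDRESSES: Set[str] = {"192.0.2.61"}


class Socket(NamedTuple):
    proto: str
    addr: str
    port: int
    foreign: str
    state: str


def parse_connections(text: str) -> List[Socket]:
    """Parse netstat-style lines; UDP lines have no State column."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue                       # headers and anything unexpected
        addr, port = parts[3].rsplit(":", 1)
        state = parts[5] if len(parts) > 5 else ""
        sockets.append(Socket(parts[0].rstrip("6"), addr, int(port), parts[4], state))
    return sockets


def listeners(sockets: List[Socket]) -> List[Socket]:
    """TCP sockets in LISTEN and unconnected UDP sockets (foreign address *)."""
    return [s for s in sockets
            if (s.proto == "tcp" and s.state == "LISTEN")
            or (s.proto == "udp" and s.foreign.endswith(":*"))]


def exposed(sockets: List[Socket], wan_addresses: Set[str],
            allowed: Set[Tuple[str, int]]) -> List[Tuple[str, str, int]]:
    """Listeners reachable on the WAN side that the local ruleset does not admit.

    Such a service is shielded only by the firewall: if the ruleset is removed
    from the interface or a rule is loosened, it becomes reachable.
    """
    result: List[Tuple[str, str, int]] = []
    for s in listeners(sockets):
        reachable = s.addr in ("0.0.0.0", "::") or s.addr in wan_addresses
        if reachable and (s.proto, s.port) not in allowed:
            result.append((s.proto, s.addr, s.port))
    return result


if __name__ == "__main__":
    for proto, addr, port in exposed(parse_connections(SAMPLE_OUTPUT),
                                     WAN_ADDRESSES, ALLOWED_BY_LOCAL_RULESET):
        print(f"{proto}/{port} on {addr} is not admitted by the local ruleset")
```

Each reported socket deserves a decision: either the service should not be running, or it should bind to an internal address only, or the ruleset should admit it on purpose. BGP on 179 and SSH moved to 222 are typical finds; the loopback-only DNS listener is not reported because nothing outside can reach it.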


Traffic on an interface can be captured from the CLI with
show interfaces <type> <name> capture
The output is one line per packet, with the protocol decoded as far as possible (TCP flags and sequence numbers, application protocols such as SSH and so on):
# run show interfaces ethernet eth0 capture
Capturing traffic on eth0 ...
0.000000 00:1b:11:79:53:98 -> 01:80:c2:00:00:00 STP Conf. Root = 32768/00:1b:11:79:53:98 Cost = 0 Port = 0x8001
0.504377 10.91.19.1 -> 10.91.19.5 SSH Encrypted response packet len=160
0.504506 10.91.19.5 -> 10.91.19.1 TCP 34550 > 22 [ACK] Seq=1 Ack=161 Win=501 Len=0 TSV=185862671 TSER=532169015
0.661132 10.91.19.5 -> 205.188.7.50 AIM Keep Alive
The capture can be narrowed with port PORTNUMBER or not port PORTNUMBER; the latter is the usual way to exclude your own SSH session (port 22), which otherwise fills the output with its own encrypted packets. VPN and PPP interfaces are not available through the CLI command; capture them from the shell with
sudo tshark -i pppX
The capture is produced by tshark, the console version of Wireshark (formerly Ethereal), so the same protocol decoders are at work. For a closer look at a session, Wireshark on a workstation is more convenient than the one-line summaries.

6.3

Firewall counters are shown with
show firewall statistics
and the complete rules together with their counters with
show firewall detail
Example:
$ show firewall statistics
IPv4 Firewall "InternetToLocal":
Active on (eth1,IN)
rule  packets   bytes     action  source     destination
----  --------  --------  ------  ---------  -----------
1     172.75M   78.48G    ACCEPT  0.0.0.0/0  0.0.0.0/0
10    0         0         ACCEPT  0.0.0.0/0  0.0.0.0/0
20    548.49K   30.16M    ACCEPT  0.0.0.0/0  0.0.0.0/0
25    222       11.37K    ACCEPT  0.0.0.0/0  0.0.0.0/0
A rule whose counters stay at zero (rule 10 here) is either never reached, because an earlier rule already matches its traffic, or does not match what you think it matches; the counters are the quickest way to find out which rule a packet hit.
The counters of a ruleset are reset with
clear firewall <RULESET_NAME>
To switch a rule off temporarily without deleting it, use disable (set firewall <RULESET_NAME> rule <NUMBER> disable).

6.4 NAT

Active translations are listed with
show nat translations
and per-rule counters with
show nat statistics
The counters of a rule are reset with
clear nat counters rule <NUMBER>
Example:
# run show nat statistics
Type Codes: SRC - source, DST - destination, MASQ - masquerade
rule   count   type   IN       OUT
----   -----   ----   ------   ------
10     571K    MASQ            pppoe0
20     4023K   MASQ            pppoe0
150    548K    DST    pppoe0
155    222     DST    pppoe0
As with firewall rules, a NAT rule can be switched off without deleting it with disable:
set service nat rule <NUMBER> disable

6.5

Interface problems, from a bad cable to a duplex mismatch, show up in the error counters of the Ethernet interface. They are displayed with
show interfaces ethernet ethX statistics
and reset with
clear interfaces ethernet ethX counters
The physical parameters of the port are shown with
show interfaces ethernet ethX physical
including negotiated speed and duplex, link state and the driver in use. The bus-info field identifies the PCI slot, which is the way to map ethX names to physical ports when the order of interfaces is unclear.
On hardware that supports it, the port LED can be made to blink so that the port can be found in a rack:
show interfaces ethernet ethX identify

6.6

Debug output of the routing daemons is switched on with
debug <PROTOCOL>
followed by the event class, for example
debug ospf events
Current debug settings are shown with
show debugging <PROTOCOL>
and switched off with
no debug <PROTOCOL>
Debug output is verbose; leave it on only while looking at the problem.

6.7

System-level information is available through the show system and show hardware commands:
processes: show system processes;
kernel messages: show system kernel-messages;
boot messages: show system boot-messages;
memory: show system memory; the quagga routing daemons are where to look first when memory runs short;
disk usage: show system storage;
PCI devices: show hardware pci.