vyos相关
vyos配置文件 /config/config.boot,老的为 config.boot.neutron
ipsec VPN配置文件:cat /etc/ipsec.conf
重启ipsec vpn服务:sudo ipsec restart
sudo ipsec statusall

vyos 南基新建账户/删除账户(plaintext-password 在 commit 后会以 encrypted-password 哈希形式写入配置,但明文仍会留在 shell 历史和本笔记中,建议改用 encrypted-password 直接设置哈希值)
set system login user syn_4a authentication plaintext-password Acc@1234
set system login user syn_4a level admin
commit
save

configure
delete system login user syn_4a
commit
save
————————
vyos show 命令应用
/opt/vyatta/bin/vyatta-op-cmd-wrapper show vrrp

增加路由
vi /config/scripts/vyatta-postconfig-bootup.script

第二种方式
cat /etc/rc.local

vyos 防火墙
vyos防火墙主要是针对物理服务器。firewall 规则不能有特殊符号,端口范围 1-65535,可在 show configuration 中看到。
show firewall

开启nat
首先 kill -9 掉 python /usr/sbin/confproxy 进程
configure
set vpn ipsec nat-traversal enable
commit
set vpn ipsec site-to-site peer 182.150.35.163 tunnel 1 allow-nat-networks enable
commit

手动加载配置文件
/config/scripts/config.boot.neutron.load
重启服务
/etc/unit.d/confproxy start

pat带宽
如果要修改,可以按照北基的方式修改,也可以在 /etc/neutron/pat/ 下创建以 router_id 命名的文件,在文件里配置速率,用于配置某个 router 的 pat 速率。
neutron vyos模板文件
/etc/neutron/vyos/
查看配置信息
show configuration

sudo vi config.boot.neutron
cat config.boot.neutron
configure
load /config/config.boot.neutron
commit
exit
exit
show configuration
show vpn ipsec status
show vpn ipsec sa
show vpn ike sa

删除vyos 网卡
ip link del eth2.221

清除NFV会话
conntrack -F
修改会话连接数 time-out 时间
vi /config/scripts/vyos_init.py
修改为 time-wait 600
conntrack {
    expect-table-size 50000000
    hash-size 50000000
    log {
        icmp {
            destroy
            new
            update
        }
        tcp {
            destroy
            new
            update {
                close-wait
                established
                fin-wait
                last-ack
                syn-received
                time-wait
            }
        }
        udp {
            destroy
            new
            update
        }
    }
    table-size 50000000
    timeout {
        icmp 30
        other 600
        tcp {
            close 10
            close-wait 180
            established 432000
            fin-wait 3600
            last-ack 30
            syn-recv 60
            syn-sent 120
            time-wait 600
        }
    }
}
vi /config/config.default.boot
修改为 time-wait 600
system {
    config-management {
        commit-revisions 20
    }
    conntrack {
        expect-table-size 50000000
        hash-size 50000000
        log {
            icmp {
                destroy
                new
                update
            }
            tcp {
                destroy
                new
                update {
                    close-wait
                    established
                    fin-wait
                    last-ack
                    syn-received
                    time-wait
                }
            }
            udp {
                destroy
                new
                update
            }
        }
        table-size 50000000
        timeout {
            icmp 30
            other 600
            tcp {
                close 10
                close-wait 180
                established 432000
                fin-wait 3600
                last-ack 30
                syn-recv 60
                syn-sent 120
                time-wait 600
            }
        }
    }