|
|
vyos相关
vyos配置文件 /config/config.boot，老的配置文件 config.boot.neutron
ipsec VPN配置文件：cat /etc/ipsec.conf
重启ipsec vpn服务：sudo ipsec restart
sudo ipsec statusall
vyos 南基新建账户、删除账户
set system login user syn_4a authentication plaintext-password Acc@1234
set system login user syn_4a level admin
commit
save
configure
delete system login user syn_4a
commit
save
————————
vyos show 命令应用
/opt/vyatta/bin/vyatta-op-cmd-wrapper show vrrp
增加路由
vi /config/scripts/vyatta-postconfig-bootup.script
第二种方式
cat /etc/rc.local
vyos 防火墙
vyos防火墙主要是针对物理服务器；firewall 规则名不能含有特殊符号，端口范围为 1-65535（可以在 show configuration 中看到）。
show firewall
开启nat
首先 kill -9 运行 python /usr/sbin/confproxy 的进程
configure
set vpn ipsec nat-traversal enable
commit
set vpn ipsec site-to-site peer 182.150.35.163 tunnel 1 allow-nat-networks enable
commit
手动加载配置文件
/config/scripts/config.boot.neutron.load
重启服务
/etc/unit.d/confproxy start
pat带宽
如果要修改，可以按照北基的方式修改，也可以在 /etc/neutron/pat/ 下创建以 router_id 命名的文件，在文件里配置速率，用于配置某个 router 的 pat 速率。
neutron vyos模板文件
/etc/neutron/vyos/
查看配置信息
show configuration
sudo vi config.boot.neutron
cat config.boot.neutron
configure
load /config/config.boot.neutron
load /config/config.boot.neutron
commit
exit
exit
show configuration
show vpn ipsec status
show vpn ipsec sa
show vpn ike sa
删除vyos 网卡
ip link del eth2.221
" F9 K) [# }" I* f0 N& t
清除NFV会话
conntrack -F
修改会话连接数time-out时间
" Z9 `' n, ^/ @vi /config/scripts/vyos_init.py4 ]9 g: ^- {+ b% \5 g( k
将 time-wait 修改为 600
conntrack {
    expect-table-size 50000000
    hash-size 50000000
    log {
        icmp {
            destroy
            new
            update
        }
        tcp {
            destroy
            new
            update {
                close-wait
                established
                fin-wait
                last-ack
                syn-received
                time-wait
            }
        }
        udp {
            destroy
            new
            update
        }
    }
    table-size 50000000
    timeout {
        icmp 30
        other 600
        tcp {
            close 10
            close-wait 180
            established 432000
            fin-wait 3600
            last-ack 30
            syn-recv 60
            syn-sent 120
            time-wait 600
        }
    }
}
vi /config/config.default.boot
将 time-wait 修改为 600
system {
    config-management {
        commit-revisions 20
    }
    conntrack {
        expect-table-size 50000000
        hash-size 50000000
        log {
            icmp {
                destroy
                new
                update
            }
            tcp {
                destroy
                new
                update {
                    close-wait
                    established
                    fin-wait
                    last-ack
                    syn-received
                    time-wait
                }
            }
            udp {
                destroy
                new
                update
            }
        }
        table-size 50000000
        timeout {
            icmp 30
            other 600
            tcp {
                close 10
                close-wait 180
                established 432000
                fin-wait 3600
                last-ack 30
                syn-recv 60
                syn-sent 120
                time-wait 600
            }
        }
    }
|