网络操作系统VyOS安装与初步使用
前言
VyOS是一个基于Debian的网络操作系统,是Vyatta的社区fork。通过这套系统,能在x86平台提供路由,防火墙和V**的功能。本文就对它的安装进行介绍,并进行简单的使用。
功能及详细特性
这个系统提供了和其他诸如Cisco的IOS,Juniper的JUNOS类似的操作方式,熟悉传统路由器的人也能很快上手。不同于其他商业方案,它是一套完全开源的方案,使用GPL协议开源。
有趣的是,它提供了一种基于镜像的安装方式,这使得在同一机器上存在多个版本的软件成为可能。
这个项目的第一个版本释放于2013年,目前还在持续活跃中。相对其他项目——像Juniper管理下的opencontrail,它有完整的使用与安装文档,更提供了API文档供开发者参考。
以下是详细的特性列表:
支持的平台
32-bit x86
64-bit x86
KVM (virtio drivers included)
Xen HVM (including XenServer and EC2)
VMWare (open-vm-tools included)
Hyper-V (drivers included)
VirtualBox (guest additions not included)
(默认情况下支持串口的终端是启用的)
路由相关
BGP (IPv4 and IPv6)
OSPFv2
OSPFv3 (incomplete)
RIP
RIPng
Policy-based routing
网络接口
Ethernet
802.1q VLAN, QinQ
NIC bonding
Bridges, STP (no RSTP or other extensions)
Port mirroring and redirection
Dummy interfaces (analogous to multiple loopbacks)
Pseudo-ethernet (aka MAC VLAN)
802.11 wireless (client and access point)
Some wireless modems (not very good support)
PPPoE
防火墙与NAT
Stateful firewall
Network/address/port groups (IPv4 only for now)
Zone-based firewall
Source and destination NAT
V**
Site-to-site IPsec (with pre-shared key or x.509 authentication)
VTI (Virtual Tunnel Interfaces)
OpenV** (client, server, site-to-site)
GRE, IPIP, IPIP6, IP6IP6 tunnels
VXLAN
Unmanaged L2TPv3
L2TP/IPsec and PPTP remote access V**
DMV** (experimental)
网络服务
DHCP server and relay
Caching DNS server
Web proxy with some URL filtering support (no HTTPS filtering)
Telnet and SSH for remote management
IGMP proxy
QoS support
高可用
VRRP (IPv4 only for now)
Conntrack sync
WAN failover and load balancing
IPv6支持
IPv6 routing (static and dynamic)
Router advertisment
DHCPv6 client and server/relay
IPv6 firewall
系统维护
Task scheduler
SNMP
Configuration versioning and remote archiving
Event handling
Remote syslog
安装
安装时确保留有2G剩余空间,内存至少为512M。
下载一个200多MB的ISO文件,这里我使用虚拟机安装:
下载地址:http://mirror.vyos.net/iso/release/1.1.6/vyos-1.1.6-amd64.iso
启动虚拟机后,稍等一会,会进入livecd登录的登录界面,登录账户vyos,密码也为vyos。
vyos@vyos:~$
VyOS提供了两种安装方式,一种是类似传统Linux系统的安装方式,另一种是基于镜像的安装方式。后者可以让多个版本的镜像同时存在于单一设备上,方便升级或是回滚到旧的版本。
使用基于镜像的安装:
vyos@vyos:~$ install image
Welcome to the VyOS install program. This script
will walk you through the process of installing the
VyOS image to a local hard drive.
Would you like to continue? (Yes/No) [Yes]:
这里可以直接回车,继续安装过程。
Partition (Auto/Parted/Skip) [Auto]:
Install the image on? [sda]:
This will destroy all data on /dev/sda.
Continue? (Yes/No) [No]: Yes
How big of a root partition should I create? (1000MB - 2147MB) [2147]MB:
如果不做任何自定义设置,请直接回车。这里它查出来的设备只有sda,选择自动分区,注意如果有遗留数据请做好备份。这里我选择了全部空间作为root分区。
如果提示选择config. boot,直接使用默认的即可:
Which one should I copy to sda? [/config/config.boot]:
设置用户密码(为了安全性请使用更复杂的密码):
Enter password for administrator account
Enter password for user 'vyos': vyos
Retype password for user 'vyos': vyos
安装grub(继续使用默认值):
Which drive should GRUB modify the boot partition on? [sda]:
脚本执行完成后,就算安装好了。卸载iso 文件并重启虚拟机,使用之前设置的密码登录vyos。
vyos@vyos:~$ reboot
Proceed with reboot? (Yes/No) [No] Yes
初步使用
在VyOS中存在两种终端模式:操作模式与配置模式。操作模式中可以像一般的Linux系统一样执行普通的任务。而配置模式则是用来执行配置路由,V**这类的任务。
VyOS也支持自动补全,使用tab键即可。
在使用自动补全时,可能会遇到在一页内无法全部显示所有内容的问题,为此,它提供了分页显示的功能:
vyos@vyos:~$ show [tab]
Possible completions:
arp Show Address Resolution Protocol (ARP) information
bridge Show bridging information
cluster Show clustering information
configuration Show running configuration
conntrack Show conntrack entries in the conntrack table
conntrack-sync
Show connection syncing information
date Show system date and time
dhcp Show Dynamic Host Configuration Protocol (DHCP) information
dhcpv6 Show status related to DHCPv6
disk Show status of disk device
dns Show Domain Name Server (DNS) information
file Show files for a particular image
firewall Show firewall information
flow-accounting
Show flow accounting statistics
hardware Show system hardware details
history show command history
host Show host information
incoming Show ethernet input-policy information
: q
vyos@vyos:~$
当内容超过一页的时候,会自动分页并给出一个“:”提示符。
为了方便操作,CLI提供了快捷键。按q可以退出分页模式,空格是定位到下一页,b则是定位到前一页。
要进入配置模式,则需输入configure
vyos@vyos:~$ configure
vyos@vyos:~#
可以看到提示符由$改为#。
想退出配置模式只需输入exit
vyos@vyos:~# exit
exit
vyos@vyos:~$
下面是一个为含有两个接口的设备配置NAT的例子:
进入配置模式:
vyos@vyos$ configure
vyos@vyos#
启用ssh:
set service ssh port '22'
网络接口的设置:
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description 'INSIDE'
为inside网络设置SNAT:
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address masquerade
设置dhcp:
set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'internal-network'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 start 192.168.0.9 stop '192.168.0.254'
设置DNS:
set service dns forwarding cache-size '0'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'
为outside这个接口设置防火墙规则:
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
应用防火墙规则:
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
保存配置并退出配置模式即可:
vyos@vyos# commit
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
vyos@vyos# exit
vyos@vyos$
结语
VyOS作为一个完全开源的路由,V**和防火墙平台,远离目前的各大厂商的纷争,文档也相当详细,虽然还差对MPLS等支持,但实在是一个不错的工具。
本文介绍了VyOS的安装与简单的使用,希望能助力各位研究者的研究。