VyOS Deployment

This article details the technical specifications of VyOS Community, including the minimum and recommended processor, memory and storage configuration. The steps cover downloading and installing, automatic partitioning, creating the filesystem and installing GRUB, and using SSH, the command-line interface and configuration mode. The key parts shown are configuring interfaces, routing, NAT, NTP and the firewall.

Download

VyOS Community

Technical specifications

If VyOS is deployed on a standalone ESXi host or under vCenter, first-class performance is assured, provided you meet the minimum technical requirements for production use.

Minimum specification

Processor   Memory   Storage
1 vCPU      512 MB   4 GB

Recommended specification

Processor   Memory   Storage
1 vCPU      1 GB     10 GB

Deployment

Using installation from the ISO image as an example.

Installation

Default account: vyos/vyos

vyos@vyos:~$ install image
Welcome to the VyOS install program.  This script
will walk you through the process of installing the
VyOS image to a local hard drive.
Would you like to continue? (Yes/No) [Yes]: Yes
Probing drives: OK
Looking for pre-existing RAID groups...none found.
The VyOS image will require a minimum 2000MB root.
Would you like me to try to partition a drive automatically
or would you rather partition it manually with parted?  If
you have already setup your partitions, you may skip this step

Partition (Auto/Parted/Skip) [Auto]:

I found the following drives on your system:
 sda    4294MB

Install the image on? [sda]:

This will destroy all data on /dev/sda.
Continue? (Yes/No) [No]: Yes

How big of a root partition should I create? (2000MB - 4294MB) [4294]MB:

Creating filesystem on /dev/sda1: OK
Done!
Mounting /dev/sda1...
What would you like to name this image? [1.2.0-rolling+201809210337]:
OK.  This image will be named: 1.2.0-rolling+201809210337
Copying squashfs image...
Copying kernel and initrd images...
Done!
I found the following configuration files:
    /opt/vyatta/etc/config.boot.default
Which one should I copy to sda? [/opt/vyatta/etc/config.boot.default]:

Copying /opt/vyatta/etc/config.boot.default to sda.
Enter password for administrator account
Enter password for user 'vyos':
Retype password for user 'vyos':
I need to install the GRUB boot loader.
I found the following drives on your system:
 sda    4294MB

Which drive should GRUB modify the boot partition on? [sda]:

Setting up grub: OK
Done!

SSH

set service ssh port '22'

Command-line interface

Operational mode

Operational mode lets you run commands that perform operating-system tasks and show the status of the system and its services; configuration mode lets you modify the system configuration.

vyos@vyos:~$ s[tab]
set   show

An example of listing the possible show commands:

vyos@vyos:~$ show [tab]
Possible completions:
  arp           Show Address Resolution Protocol (ARP) information
  bridge        Show bridging information
  cluster       Show clustering information
  configuration Show running configuration
  conntrack     Show conntrack entries in the conntrack table
  conntrack-sync
                Show connection syncing information
  date          Show system date and time
  dhcp          Show Dynamic Host Configuration Protocol (DHCP) information
  dhcpv6        Show status related to DHCPv6
  disk          Show status of disk device
  dns           Show Domain Name Server (DNS) information
  file          Show files for a particular image
  firewall      Show firewall information
  flow-accounting
                Show flow accounting statistics
  hardware      Show system hardware details
  history       show command history
  host          Show host information
  incoming      Show ethernet input-policy information
: q

Configuration mode

To enter configuration mode, use the configure command:

vyos@vyos:~$ configure
[edit]
vyos@vyos:~#

Note that the prompt changes from $ to #. To leave configuration mode, type exit.

vyos@vyos:~# exit
exit
vyos@vyos:~$
vyos@vRouter-PRD01# edit interfaces ethernet eth0
[edit interfaces ethernet eth0]
vyos@vRouter-PRD01# sh
 address 10.232.3.250/23
 description OUTSIDE
 firewall {
     in {
         name OUTSIDE-LOCAL
     }
     out {
         name LOCAL-OUTSIDE
     }
 }
 hw-id 00:50:56:a2:ac:40
vyos@vRouter-PRD01# set address
Possible completions:
   <x.x.x.x/x>          IPv4 address and prefix length
   <h:h:h:h:h:h:h:h/x>  IPv6 address and prefix length
   dhcp                 Dynamic Host Configuration Protocol
   dhcpv6               Dynamic Host Configuration Protocol for IPv6
   10.232.3.250/23

Editing the configuration

set: sets the value of a parameter or creates a new element.

delete: deletes a configuration entry; this also removes every sub-level beneath the level you name in the command.

commit: no change made to the configuration takes effect until it is committed with this command in configuration mode.

save: preserves the configuration changes across a reboot.

exit [discard]: configuration mode cannot be left while uncommitted changes exist; exit discard leaves it and abandons those changes.

commit-confirm: commits the changes temporarily and sets the number of minutes you have to verify them.

copy: copies a configuration element.

vyos@router# show firewall name FromWorld
 default-action drop
 rule 10 {
     action accept
     source {
         address 203.0.113.0/24
     }
 }
[edit]
vyos@router# edit firewall name FromWorld
[edit firewall name FromWorld]
vyos@router# copy rule 10 to rule 20

rename: renames a configuration element.

vyos@router# rename rule 10 to rule 5
[edit firewall name FromWorld]
vyos@router# commit
[edit firewall name FromWorld]

comment "comment text": attaches the text as a comment to a configuration node.

vyos@vyos# comment firewall all-ping "Yes I know this VyOS is cool"
vyos@vyos# commit
vyos@vyos# show
 firewall {
     /* Yes I know this VyOS is cool */
     all-ping enable
     broadcast-ping disable
     ...
 }

run: gives access to operational-mode commands from within configuration mode; everything reachable from operational mode is available through it.
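To make the semantics of these editing commands concrete, here is an added example (written for this page, not VyOS's own code) that models the configuration as a nested dictionary and replays the FromWorld copy/rename session and the comment example above. The names ConfigTree, render, demo and the COMMENT_KEY marker are this example's own, and two simplifications are assumed: every leaf is treated as single-valued, so a repeated set replaces the earlier value, and the tag nodes rendered as "rule 10 {" are a fixed set rather than taken from VyOS's schema.

```python
from copy import deepcopy
import shlex

COMMENT_KEY = "__comment__"   # marker used only by this model
# Nodes rendered as "key tag {"; a fixed set here, VyOS takes this from its schema.
TAG_NODES = {"name", "rule", "ethernet", "zone", "group"}


def render(node, indent=0):
    """Render a subtree in the brace format that 'show' prints."""
    pad, lines = " " * indent, []
    for key, child in node.items():
        if key == COMMENT_KEY:
            continue
        if COMMENT_KEY in child:
            lines.append(f"{pad}/* {child[COMMENT_KEY]} */")
        kids = [k for k in child if k != COMMENT_KEY]
        if key in TAG_NODES:
            for tag in kids:
                lines += [f"{pad}{key} {tag} {{", *render(child[tag], indent + 4), f"{pad}}}"]
        elif not kids:
            lines.append(f"{pad}{key}")                  # valueless leaf
        elif len(kids) == 1 and not child[kids[0]]:
            lines.append(f"{pad}{key} {kids[0]}")        # leaf holding a value
        else:
            lines += [f"{pad}{key} {{", *render(child, indent + 4), f"{pad}}}"]
    return lines


class ConfigTree:
    def __init__(self):
        self.active = {}    # last committed configuration
        self.working = {}   # configuration including uncommitted edits
        self.level = []     # current edit level, e.g. ['firewall', 'name', 'FromWorld']

    def _node(self, path, create=False):
        node = self.working
        for key in path:
            if key not in node:
                if not create:
                    return None
                node[key] = {}
            node = node[key]
        return node

    def edit(self, *path): self.level = list(path)
    def top(self): self.level = []
    def commit(self): self.active = deepcopy(self.working)
    def discard(self): self.working = deepcopy(self.active)
    def has_uncommitted(self): return self.working != self.active
    def show(self): return "\n".join(render(self._node(self.level) or {}))

    def set(self, *tokens):
        """Create missing levels; a leaf that already holds a value is replaced."""
        *path, value = tokens
        parent = self._node(self.level + path, create=True)
        kids = [k for k in parent if k != COMMENT_KEY]
        if kids and all(not parent[k] for k in kids) and path and path[-1] not in TAG_NODES:
            for k in kids:
                del parent[k]
        parent.setdefault(value, {})

    def delete(self, *path):
        """Remove the node and every level beneath it."""
        full = self.level + list(path)
        parent = self._node(full[:-1])
        if parent is not None:
            parent.pop(full[-1], None)

    @staticmethod
    def _split_to(tokens):
        i = tokens.index("to")
        return list(tokens[:i]), list(tokens[i + 1:])

    def copy(self, *tokens):
        src, dst = self._split_to(tokens)
        node = self._node(self.level + src)
        if node is None:
            raise KeyError("nothing to copy at " + " ".join(src))
        self._node(self.level + dst[:-1], create=True)[dst[-1]] = deepcopy(node)

    def rename(self, *tokens):
        self.copy(*tokens)
        self.delete(*self._split_to(tokens)[0])

    def comment(self, *tokens):
        *path, text = tokens
        self._node(self.level + path, create=True)[COMMENT_KEY] = text

    def run(self, line):
        """Dispatch one configuration-mode command line, e.g. 'copy rule 10 to rule 20'."""
        cmd, *args = shlex.split(line)
        return getattr(self, cmd)(*args)


def demo():
    """Replay the FromWorld copy/rename session and the comment example from the text."""
    t = ConfigTree()
    for line in [
        "set firewall name FromWorld default-action drop",
        "set firewall name FromWorld rule 10 action accept",
        "set firewall name FromWorld rule 10 source address 203.0.113.0/24",
        "edit firewall name FromWorld",
        "copy rule 10 to rule 20",
        "rename rule 10 to rule 5",
        "commit",
        "top",
        "set firewall all-ping enable",
        'comment firewall all-ping "Yes I know this VyOS is cool"',
    ]:
        t.run(line)
    return t


if __name__ == "__main__":
    print(demo().show())
```

Running it prints the brace-format tree as show would, with the /* ... */ comment ahead of all-ping; has_uncommitted() and discard() mirror the rule listed under exit [discard] that edits made after the last commit are either committed or thrown away.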

Configuration

Firewall — VyOS 1.4.x (sagitta) documentation

Configuring interfaces

# Configure the external (outside) interface
set interfaces ethernet eth0 address '10.232.3.250/23'
set interfaces ethernet eth0 description 'OUTSIDE'

# Configure the internal (inside) interface
set interfaces ethernet eth1 address '172.16.240.2/29'
set interfaces ethernet eth1 description 'INSIDE1'

Configuring routes

# Define a static default route
set protocols static route 0.0.0.0/0 next-hop 10.232.3.253 distance 1

NAT

PAT

set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.240.0/24'
set nat source rule 10 translation address 'masquerade'
vyos@vRouter-PRD01# run sh  nat source translations
Pre-NAT              Post-NAT             Prot  Timeout
172.16.240.5         172.16.240.5         icmp  29
172.16.240.12        10.232.3.250         icmp  29
[edit]

1:1 NAT

set nat destination rule 2000 description '1-to-1 NAT example'
set nat destination rule 2000 destination address '192.0.2.30'
set nat destination rule 2000 inbound-interface 'eth1'
set nat destination rule 2000 translation address '192.168.1.10'
set nat source rule 2000 description '1-to-1 NAT example'
set nat source rule 2000 outbound-interface 'eth1'
set nat source rule 2000 source address '192.168.1.10'
set nat source rule 2000 translation address '192.0.2.30'

DNAT

set nat destination rule 12 description 'Port Forward: HTTP to 192.168.0.100'
set nat destination rule 12 destination port '80'
set nat destination rule 12 inbound-interface 'eth0'
set nat destination rule 12 protocol 'tcp'
set nat destination rule 12 translation address '192.168.0.100'

The same pattern forwarding SSH on port 10022 to an internal host. Note that the rule number is the rule's identity: entering this block after the previous one does not create a second forward but rewrites rule 12 in place, since set on an existing value replaces it. Two forwards that should coexist need two distinct rule numbers.

set nat destination rule 12 description 'Port Forward: SSH to 172.16.240.3'
set nat destination rule 12 destination port '10022'
set nat destination rule 12 inbound-interface 'eth0'
set nat destination rule 12 protocol 'tcp'
set nat destination rule 12 translation address '172.16.240.3'

NTP

set system ntp server 10.232.3.222

vyos@vyos# run show ntp
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.232.3.222    114.118.7.161    2 u  372 1024  377    0.210   -2.518   0.693

Firewall

set firewall all-ping 'enable'
set firewall ip-src-route 'enable'
set firewall log-martians 'enable'

set firewall name INSIDE1-OUTSIDE rule 20 action 'accept'
set firewall name INSIDE1-OUTSIDE rule 20 protocol 'all'
set firewall name INSIDE1-OUTSIDE rule 20 state new 'enable'
set firewall name LOCAL-OUTSIDE rule 10 action 'accept'
set firewall name LOCAL-OUTSIDE rule 10 protocol 'all'
set firewall name LOCAL-OUTSIDE rule 10 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'


set interfaces ethernet eth0 firewall in name 'OUTSIDE-LOCAL'
set interfaces ethernet eth0 firewall out name 'LOCAL-OUTSIDE'
set interfaces ethernet eth1 firewall in name 'INSIDE1-OUTSIDE'
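As a defender's check on the rule set above, here is an added example (not VyOS code and not part of the original post) that parses these set lines and flags settings worth reviewing: ip-src-route left at enable, and accept rules on chains bound inbound (in or local) that restrict neither the source nor, for open ports, the source host. The checks, their wording and the names PAGE_CONFIG, HARDENED, parse and lint are this example's own; the hardened variant turns source routing off and limits the SSH rule to a management prefix, using the documentation prefix 203.0.113.0/24 as a placeholder.

```python
"""Reviewer for 'set firewall' command lines (added example, not VyOS code)."""
import shlex
from collections import defaultdict

# Constructed copy of the page's firewall commands (1.3-style syntax).
PAGE_CONFIG = [
    "set firewall all-ping 'enable'",
    "set firewall ip-src-route 'enable'",
    "set firewall log-martians 'enable'",
    "set firewall name INSIDE1-OUTSIDE rule 20 action 'accept'",
    "set firewall name INSIDE1-OUTSIDE rule 20 protocol 'all'",
    "set firewall name INSIDE1-OUTSIDE rule 20 state new 'enable'",
    "set firewall name LOCAL-OUTSIDE rule 10 action 'accept'",
    "set firewall name LOCAL-OUTSIDE rule 10 protocol 'all'",
    "set firewall name LOCAL-OUTSIDE rule 10 state new 'enable'",
    "set firewall name OUTSIDE-LOCAL rule 31 action 'accept'",
    "set firewall name OUTSIDE-LOCAL rule 31 destination port '22'",
    "set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'",
    "set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'",
    "set interfaces ethernet eth0 firewall in name 'OUTSIDE-LOCAL'",
    "set interfaces ethernet eth0 firewall out name 'LOCAL-OUTSIDE'",
    "set interfaces ethernet eth1 firewall in name 'INSIDE1-OUTSIDE'",
]

# Constructed hardened variant: source routing off, SSH limited to a management
# prefix (203.0.113.0/24 is a documentation prefix, used here as a placeholder).
HARDENED = [line.replace("ip-src-route 'enable'", "ip-src-route 'disable'") for line in PAGE_CONFIG]
HARDENED.append("set firewall name OUTSIDE-LOCAL rule 31 source address '203.0.113.0/24'")


def parse(lines):
    """Split 'set ...' lines into (global options, named rules, interface bindings)."""
    options, rules, bindings = {}, defaultdict(dict), defaultdict(list)
    for line in lines:
        tok = shlex.split(line)
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1] == "firewall" and tok[2] == "name" and len(tok) > 6 and tok[4] == "rule":
            # set firewall name <set> rule <n> <attribute ...> <value>
            rules[(tok[3], tok[5])][" ".join(tok[6:-1])] = tok[-1]
        elif tok[1] == "firewall" and len(tok) == 4:
            options[tok[2]] = tok[3]                   # set firewall <option> <value>
        elif tok[1] == "interfaces" and len(tok) == 8 and tok[4] == "firewall":
            # set interfaces ethernet <if> firewall <direction> name <set>
            bindings[tok[7]].append((tok[3], tok[5]))
    return options, rules, bindings


def lint(lines):
    """Return a list of findings; an empty list means nothing was flagged."""
    options, rules, bindings = parse(lines)
    findings = []
    if options.get("ip-src-route") == "enable":
        findings.append("ip-src-route: source-routed packets are processed; "
                        "set it to 'disable' unless something on this router needs it")
    for (name, num), attrs in sorted(rules.items()):
        if attrs.get("action") != "accept" or any(k.startswith("source") for k in attrs):
            continue                                   # not an accept, or already source-restricted
        ingress = [b for b in bindings.get(name, []) if b[1] in ("in", "local")]
        if not ingress:
            continue                                   # unbound or 'out' chain: not an ingress exposure
        where = ", ".join(f"{ifname} {direction}" for ifname, direction in ingress)
        proto, port = attrs.get("protocol", "all"), attrs.get("destination port")
        if port:
            findings.append(f"{name} rule {num} ({where}): accepts {proto}/{port} from any "
                            f"source; add a 'source address' restriction")
        elif proto == "all":
            findings.append(f"{name} rule {num} ({where}): accepts every protocol from any "
                            f"source; check that this chain is meant to be that broad")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("hardened", HARDENED)):
        found = lint(cfg)
        print(f"--- {label}: {len(found)} finding(s)")
        print("\n".join(found))
```

On the page's configuration this reports three items (source routing, the any-source SSH accept on eth0 in, and the permit-all chain on eth1 in); on the hardened variant only the broad LAN-side chain remains, which is a judgement call rather than a defect. LOCAL-OUTSIDE is skipped because it is bound out on eth0 and filters traffic leaving the router, not traffic arriving at it.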
vyos@vRouter-PRD01# set firewall name OUTSIDE-LOCAL rule 31 state
Possible completions:
   established          Established state
   invalid              Invalid state
   new                  New state
   related              Related state

ESTABLISHED, NEW, RELATED, INVALID.

Note: under the TCP/IP standard, UDP and ICMP packets have no connection state, but in the state module's model every packet has a connection state.

ESTABLISHED: with respect to TCP, suppose an ssh client runs on the firewall and sends a service request to an ssh server on the network; the first packet sent is the service-request packet. If that packet passes through the firewall successfully, every subsequent ssh packet between the ssh server and the ssh client is in the ESTABLISHED state.

With respect to UDP: suppose the firefox application on the firewall host browses a web page (by domain name). Browsing needs the help of a DNS server, so firefox sends a UDP packet to the DNS server requesting name resolution. If that packet passes through the firewall successfully, every subsequent packet between the DNS server and firefox is in the ESTABLISHED state.

NEW: first, NEW is independent of the protocol; it refers to the first packet of every connection. When an ssh client connects to an ssh server, the first packet of that connection is in the NEW state.

RELATED: a RELATED packet is one generated passively, and its connection does not belong to any existing connection. RELATED is independent of the protocol: whenever a packet sent by this host causes another connection to come into being and a response comes back on it, every packet on that new connection is in the RELATED state.
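The four states as a connection tracker would actually assign them, in an added example that is not part of the original post: a toy conntrack in Python following the netfilter rules that VyOS's state matches rely on. A flow becomes ESTABLISHED once traffic has been seen in both directions; an ICMP error is RELATED when the packet it quotes belongs to a known flow; an ICMP error quoting an unknown flow is INVALID; and, as a modelling choice, a TCP packet that does not open with SYN is INVALID (conntrack behaves this way when mid-stream pickup, nf_conntrack_tcp_loose, is turned off). The Packet and Conntrack classes, the addresses and the packet sequence are constructed for this example.

```python
"""Toy connection tracker (added example, not VyOS code)."""
from dataclasses import dataclass
from typing import Optional

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
ICMP_ERRORS = {3, 11}            # destination unreachable, time exceeded


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0               # for icmp: the echo identifier
    dport: int = 0
    syn: bool = False            # tcp: SYN set and ACK clear
    icmp_type: Optional[int] = None
    inner: Optional[tuple] = None   # icmp error: key() of the packet that triggered it

    def key(self):
        """5-tuple identifying the flow; ICMP echo uses the identifier on both sides."""
        if self.proto == "icmp":
            return ("icmp", self.src, self.sport, self.dst, self.sport)
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def reverse(key):
    proto, src, sport, dst, dport = key
    return (proto, dst, dport, src, sport)


class Conntrack:
    def __init__(self):
        self.flows = {}          # original-direction key -> True once a reply was seen

    def classify(self, pkt):
        key = pkt.key()
        if pkt.proto == "icmp" and pkt.icmp_type in ICMP_ERRORS:
            # An ICMP error is RELATED only if the packet it quotes belongs to a known flow.
            if pkt.inner in self.flows or (pkt.inner and reverse(pkt.inner) in self.flows):
                return "RELATED"
            return "INVALID"
        if key in self.flows:                      # originator direction
            return "ESTABLISHED" if self.flows[key] else "NEW"
        if reverse(key) in self.flows:             # reply direction: both directions now seen
            self.flows[reverse(key)] = True
            return "ESTABLISHED"
        # Unknown flow: only a packet that legitimately opens one may create it.
        if pkt.proto == "tcp" and not pkt.syn:
            return "INVALID"                       # e.g. a stray ACK with no handshake
        if pkt.proto == "icmp" and pkt.icmp_type != ICMP_ECHO_REQUEST:
            return "INVALID"                       # echo reply without a request
        self.flows[key] = False
        return "NEW"


def run_demo():
    """Constructed packet sequence; returns [(description, state), ...]."""
    ct = Conntrack()
    lan, srv, dns, stray = "172.16.240.12", "203.0.113.10", "10.232.3.222", "198.51.100.7"
    steps = [
        ("ssh SYN", Packet("tcp", lan, srv, 51000, 22, syn=True)),
        ("ssh SYN/ACK reply", Packet("tcp", srv, lan, 22, 51000)),
        ("ssh data", Packet("tcp", lan, srv, 51000, 22)),
        ("dns query", Packet("udp", lan, dns, 40000, 53)),
        ("dns answer", Packet("udp", dns, lan, 53, 40000)),
        ("udp probe to a closed port", Packet("udp", lan, srv, 40001, 5060)),
        ("icmp port unreachable quoting the probe",
         Packet("icmp", srv, lan, icmp_type=3, inner=("udp", lan, 40001, srv, 5060))),
        ("stray ACK with no handshake", Packet("tcp", stray, lan, 4444, 80)),
        ("icmp error quoting an unknown flow",
         Packet("icmp", stray, lan, icmp_type=3, inner=("udp", lan, 1, stray, 2))),
        ("ping request", Packet("icmp", lan, srv, sport=7, icmp_type=ICMP_ECHO_REQUEST)),
        ("ping reply", Packet("icmp", srv, lan, sport=7, icmp_type=ICMP_ECHO_REPLY)),
    ]
    return [(desc, ct.classify(pkt)) for desc, pkt in steps]


if __name__ == "__main__":
    for desc, state in run_demo():
        print(f"{state:<12} {desc}")
```

The sequence shows the point of the note above: the DNS exchange and the ping get ESTABLISHED despite UDP and ICMP having no connection state of their own, because the tracker keys them on addresses and ports (or the echo identifier), and the port-unreachable error is RELATED only because it quotes a flow the tracker already knows.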

Zone-based firewall policy

# Add interfaces to a security zone. A zone can have several interfaces, but an interface can be a member of only one zone.
set zone-policy zone <name> interface <interfacenames>
# Define a zone as the local zone. The local zone has no interfaces and applies only to the router itself.
set zone-policy zone <name> local-zone
# Set the zone's default action
set zone-policy zone <name> default-action [drop | reject]
# Set the zone description (give it a meaningful description)
set zone-policy zone <name> description
# Set the zone rules
set zone-policy zone <Destination Zone> from <Source Zone> firewall name <rule-set>
set zone-policy zone <name> from <name> firewall name <rule-set>
set zone-policy zone <name> from <name> firewall ipv6-name <rule-set>
set zone-policy zone DMZ from LAN firewall name LANv4-to-DMZv4
set zone-policy zone LAN from DMZ firewall name DMZv4-to-LANv4

HA-VRRP

set high-availability vrrp group 1 address 10.232.3.248/23
set high-availability vrrp group 1 interface 'eth0'
set high-availability vrrp group 1 peer-address '10.232.3.250'
set high-availability vrrp group 1 vrid '1'


vyos@vyos# run sh vrrp
  Name  Interface      VRID  State      Priority  Last Transition
------  -----------  ------  -------  ----------  -----------------
     1  eth0              1  MASTER          100  2m31s