Wednesday, January 7, 2015

Debian Linux iptables command usage


Linux:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 5.0.9 (lenny)
Release:        5.0.9
Codename:       lenny




Iptables provides packet filtering, network address translation (NAT) and other packet mangling.
Two of the most common uses of iptables are to provide firewall support and NAT.
Configuring iptables manually is challenging for the uninitiated. Fortunately, there are many configuration tools (wizards) available to assist, e.g. fwbuilder, bastille, ferm (wiki page) and ufw (Uncomplicated Firewall, from Ubuntu).

Viewing current configuration

See what rules are already configured. Issue this command:
 iptables -L
The output will be similar to this:
 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination

 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination
This allows anyone access to anything from anywhere.

Storing iptables rules in a file

Note: there is a package designed to help with this: iptables-persistent
Let's tighten that up a bit by creating a test iptables file:
 editor /etc/iptables.test.rules
In this file enter some basic rules:
*filter

# Allows all loopback (lo0) traffic and drops all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections 
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access 
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
#  note that blocking other types of icmp packets is considered a bad idea by some
#  remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
#  https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
That may look complicated, but take it one section at a time. You will see that it simply shuts all ports except the ones we have allowed, which in this case are ports 80 and 443 (the standard web browser ports) and the SSH port defined earlier.
Activate these new rules:
 iptables-restore < /etc/iptables.test.rules
And see the difference:
 iptables -L
Now the output tells us that only the ports defined above are open. All the others are closed.
Once you are happy, save the new rules to the master iptables file:
 iptables-save > /etc/iptables.up.rules
To make sure the iptables rules are started on a reboot we'll create a new file:
 editor /etc/network/if-pre-up.d/iptables
Add these lines to it:
 #!/bin/sh
 /sbin/iptables-restore < /etc/iptables.up.rules
The file needs to be executable so change the permissions:
 chmod +x /etc/network/if-pre-up.d/iptables
Note: This HOWTO was contributed by user Geejay to wiki.openvz.org as part of the container installation howto.


Wednesday, December 24, 2014

Configuring a new Cisco switch via a Neighbor Switch


Cisco admins, here's an awesome trick. If you're not installing Cisco switches, you can stop reading here. Otherwise, it may be of interest. If a new switch is connected to the network and you need to configure it, but don't have a console connection... read on.

When you plug a new Cisco switch into the network, it will acquire an IP address via DHCP, by default. From there, this command list should allow you to access it without a console connection. Log in to one of the other Catalyst switches already running on the network.

cluster run - this command enables clustering.

show cdp neighbors (Optional) – If CDP is running (you could turn it on temporarily) and you’ve chosen to start from a switch that is connected to the new switch, you should see a neighbor named “Switch”. This isn’t really a necessary step, but it’s useful to know things are working.

cluster enable WORD – The cluster commands require you to be in configuration mode. You must give the cluster a name.

show cluster candidates – Get out of configuration mode (or prefix this command with do) and see if you can see the new switch as a cluster member candidate. Remember it should be called “Switch”.

cluster member mac-address H.H.H – Back in configuration mode, this will add the new switch as a member of this cluster. The mac-address should be part of the information shown in the previous step.

show cluster members (Optional) – Exit out of configuration mode. This command should list the command switch (the one you are on), and a member switch. The member switch is the device you are planning to configure and should be designated as member 1.
rcommand 1 – This will log you into the new switch. You shouldn't need a password. Configure the new switch.

no cluster member 1 – Log off the new (and now configured) switch and remove it from the cluster. This step may not be really necessary, but better safe than sorry. It will remove the new switch from the temporary cluster.

no cluster enable – This will remove the cluster and end the process.

At this point, you should be able to SSH or telnet into the new switch. The mistake I've made most often at this point is forgetting to set an enable password. Without both login (whether telnet or AAA) and enable passwords, the switch won't let you in.

If an enable password has already been set, you’ll have to add “password the_enable_password” to the command “cluster member mac-address H.H.H”. And if you're nervous about how easy it is to configure a neighbor switch from, say, a compromised or rogue switch, consider "no cluster run" in all of your switch configurations.

Tuesday, December 16, 2014

Mapping a serial port over the network in ESXi

For emulators like the N7K, output usually goes only to a serial port. On VMware Workstation we can map it to a local TCP port with Named Pipe TCP Proxy, but because a personal computer's performance is limited, we usually deploy the lab platform on ESXi, and then an emulator like the N7K that depends on serial output runs into a problem: how do you connect to the serial port? After searching through a variety of material and testing, I have found the setup method and share it below:

1. Add a serial port; note the highlighted settings.
[image: 11111.png]

2. Enable the firewall rule.
[image: fw.png]

3. On your PC run telnet x.x.x.x 2001 (x.x.x.x is the ESXi address) and that's it.

Detailed iptables configuration on Linux


If you don't yet know the basics of iptables, it is recommended that you read up on them first.
Getting started
Let's configure a firewall in the filter table.
(1) Check the machine's current iptables settings
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target       prot opt source                 destination         
Chain FORWARD (policy ACCEPT)
target       prot opt source                 destination         
Chain OUTPUT (policy ACCEPT)
target       prot opt source                 destination         
Chain RH-Firewall-1-INPUT (0 references)
target       prot opt source                 destination        
ACCEPT       all    --    0.0.0.0/0              0.0.0.0/0          
ACCEPT       icmp --    0.0.0.0/0              0.0.0.0/0             icmp type 255
ACCEPT       esp    --    0.0.0.0/0              0.0.0.0/0          
ACCEPT       ah     --    0.0.0.0/0              0.0.0.0/0          
ACCEPT       udp    --    0.0.0.0/0              224.0.0.251           udp dpt:5353
ACCEPT       udp    --    0.0.0.0/0              0.0.0.0/0             udp dpt:631
ACCEPT       all    --    0.0.0.0/0              0.0.0.0/0             state RELATED,ESTABLISHED
ACCEPT       tcp    --    0.0.0.0/0              0.0.0.0/0             state NEW tcp dpt:22
ACCEPT       tcp    --    0.0.0.0/0              0.0.0.0/0             state NEW tcp dpt:80
ACCEPT       tcp    --    0.0.0.0/0              0.0.0.0/0             state NEW tcp dpt:25
REJECT       all    --    0.0.0.0/0              0.0.0.0/0             reject-with icmp-host-prohibited
You can see that I chose to enable the firewall when installing Linux, and ports 22, 80 and 25 are open.
If you did not choose to enable the firewall when installing Linux, it looks like this:
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target       prot opt source                 destination         
Chain FORWARD (policy ACCEPT)
target       prot opt source                 destination         
Chain OUTPUT (policy ACCEPT)
target       prot opt source                 destination  
No rules at all.
(2) Clear the existing rules.
Whether or not you enabled the firewall when installing Linux, if you want to configure your own firewall, clear all the current rules in filter.
[root@tp ~]# iptables -F        # flush the rules of every chain in the default table, filter
[root@tp ~]# iptables -X        # delete the user-defined chains in the default table, filter
Let's look again:
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target       prot opt source                 destination         
Chain FORWARD (policy ACCEPT)
target       prot opt source                 destination         
Chain OUTPUT (policy ACCEPT)
target       prot opt source                 destination      
Nothing left, the same as when the firewall was not enabled at installation. (One thing in advance: these settings are like configuring an IP address with commands; they are lost on reboot.) So how do you save them?
[root@tp ~]# /etc/rc.d/init.d/iptables save
That writes them to the file /etc/sysconfig/iptables. After writing, remember to restart the firewall for them to take effect.
[root@tp ~]# service iptables restart
Now there is nothing in the iptables configuration, so let's begin our configuration.
(3) Set the default policies
[root@tp ~]# iptables -P INPUT DROP
[root@tp ~]# iptables -P OUTPUT ACCEPT
[root@tp ~]# iptables -P FORWARD DROP
(The chain policy is set with upper-case -P; lower-case -p selects a protocol.)
This means: when a packet does not match any rule in the two filter-table chains INPUT and FORWARD, what happens to it? It is dropped (DROP). This configuration should be regarded as quite secure; we want to control incoming packets,
while for the OUTPUT chain, that is, outgoing packets, we don't need many restrictions and use ACCEPT, meaning packets not matched by any rule in that chain are let through.
So the INPUT and FORWARD chains take the approach of specifying which packets are allowed, while the OUTPUT chain specifies which packets are not allowed.
This setup is quite reasonable. You could of course set all three chains to DROP, but I think that is unnecessary and it increases the number of rules you have to write. However, if you only want a few limited rules, for example only a web server, then DROP on all three chains is still recommended.
Note: if you are logged in remotely over SSH, you will be disconnected as soon as you press Enter on the first command, because you have not set any rules yet.
What then? Go to the local console!
(4) Add rules.
First the INPUT chain. Its default policy is DROP, so we write the rules that need to ACCEPT.
To allow remote SSH logins we need to open port 22.
[root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
(Note: if you set the OUTPUT policy to DROP you must add this rule; many people forget it and then can never SSH in. Try the remote login again: does it work now?
The same applies to other ports. If you run a web server and OUTPUT is set to DROP, you must also add a rule:
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
and likewise for the others.)
If you run a web server, open port 80.
[root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
If you run a mail server, open ports 25 and 110.
[root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT

If you run an FTP server, open port 21.
[root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
If you run a DNS server, open port 53.
[root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
(DNS queries normally travel over UDP, so add the same rule with -p udp as well.)
If you run other servers, open the required ports in the same way.
The above are mostly INPUT chain rules; anything not matched by them is dropped.
Allow ICMP packets, i.e. allow ping.
[root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT    (if the OUTPUT policy is DROP)
[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT     (if the INPUT policy is DROP)
Allow loopback! (Otherwise you will run into problems such as DNS not shutting down properly.)
[root@tp ~]# iptables -A INPUT -i lo -p all -j ACCEPT     (if the INPUT policy is DROP)
[root@tp ~]# iptables -A OUTPUT -o lo -p all -j ACCEPT    (if the OUTPUT policy is DROP)
Now the OUTPUT chain. Its default policy is ACCEPT, so we write the rules that need to DROP.
Reduce insecure port connections
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 31337 -j DROP
[root@tp ~]# iptables -A OUTPUT -p tcp --dport 31337 -j DROP
Some Trojan horses scan for services on ports 31337 to 31340 (the "elite" ports in hacker slang). Since no legitimate service uses these non-standard ports, blocking them effectively reduces the chance that possibly infected machines on your network communicate independently with their remote master servers.
The same goes for other ports, for example 31335, 27444, 27665, 20034 (NetBus), 9704, 137-139 (SMB) and 2049 (NFS) should also be blocked. My list here is not complete; interested readers should look up the relevant material.
Of course, for extra security you can also set the OUTPUT chain to DROP; then you just have to add more rules, like the SSH login rule added above. Just write them the same way.
Now for more fine-grained rules, that is, restricting access to a particular machine.
For example: we only allow the machine 192.168.0.3 to connect over SSH
[root@tp ~]# iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT
To allow or restrict a range of IP addresses you can use 192.168.0.0/24, which means all IPs 192.168.0.1-255.
24 is the subnet mask length. But remember to delete this line from /etc/sysconfig/iptables:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT  because it means every address may log in.
Or use the command:
[root@tp ~]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT
Then save. Let me say it again: anything done with commands only takes effect for the current session; if you want it to survive a reboot you must save it, i.e. write it to the /etc/sysconfig/iptables file.
[root@tp ~]# /etc/rc.d/init.d/iptables save
Writing !192.168.0.3 means every IP address except 192.168.0.3.
Other rules are set up the same way.
Next is the FORWARD chain. Its default policy is DROP, so we write the rules that need to ACCEPT, to control the traffic being forwarded.
Enable forwarding (required when doing NAT with the FORWARD policy set to DROP)
[root@tp ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@tp ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Drop bad TCP packets
[root@tp ~]# iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
Limit the number of IP fragments to prevent attacks; allow 100 per second
[root@tp ~]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
Set ICMP packet filtering: allow 1 packet per second, with a burst trigger of 10 packets.
[root@tp ~]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
The reason I allowed ICMP packets earlier is that I limit them here.
II. Configure a NAT table firewall
1. Check the machine's current NAT settings
[root@tp rc.d]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target       prot opt source                 destination         
Chain POSTROUTING (policy ACCEPT)
target       prot opt source                 destination        
SNAT         all    --    192.168.0.0/24         anywhere              to:211.101.46.235
Chain OUTPUT (policy ACCEPT)
target       prot opt source                 destination    
My NAT is already configured (it only provides the simplest shared Internet access; no firewall rules have been added yet). For how to configure NAT, see my other article.
If you have not configured NAT yet you don't need to clear the rules, because NAT is empty by default.
If you want to clear it, the commands are
[root@tp ~]# iptables -F -t nat
[root@tp ~]# iptables -X -t nat
[root@tp ~]# iptables -Z -t nat
2. Add rules
Add basic NAT address translation (see my other article on how to configure NAT),
then add rules. We only add DROP rules, because the default policies are all ACCEPT.
Prevent spoofing of internal IPs from the outside
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP

If we want to block, say, MSN, QQ or BitTorrent, we need to find the ports or IPs they use (personally I don't think it is really necessary).
Example:
Block all connections with 211.101.46.253
[root@tp ~]# iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP
Disable the FTP port (21)
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP
That is too broad; we can define it more precisely.
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP
This only disables FTP connections to 211.101.46.253; other connections, such as web (port 80), still work.
Following this pattern, you just need to find the IP addresses, ports and protocols of QQ, MSN and other software and write rules the same way.
Finally:
Drop invalid connections
[root@tp ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A OUTPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A FORWARD -m state --state INVALID -j DROP

Allow all established and related connections
[root@tp ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# /etc/rc.d/init.d/iptables save
That writes them to the file /etc/sysconfig/iptables. After writing, remember to restart the firewall for them to take effect.
[root@tp ~]# service iptables restart

Don't forget to save; if need be, save after every step. You can save as you go and test whether the rules meet your requirements.
I have tested all of the rules above without problems.
This article took me almost a month to write, looking up material and doing my own experiments. I hope it helps. Please point out anything incomplete or imperfect.
Because this article focuses on configuration, I will upload iptables basics and a command reference as soon as I can; of course you can also search the web, where there is plenty.
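As an added example that is not part of either iptables post above (the Debian rules file and this article), the following Python script parses a rules file in iptables-save format and evaluates constructed packets with iptables' first-match semantics and chain policies, so the effect of rule order, a ! negation or a DROP policy can be checked before the file is loaded. The embedded rule set is the Debian file with its SSH rule narrowed to 192.168.0.0/24 as this article recommends; the packet fields and the option subset it understands are assumptions of the example.

```python
"""First-match evaluation of an iptables-save filter ruleset (added example, not
code from either post). Supports -A, ':CHAIN POLICY', -i, -s/-d (CIDR and '!'),
-p, --dport/--sport, --state, --icmp-type and -j; -m, --limit, --log-* are skipped."""
import ipaddress
import shlex
# Constructed sample: the Debian rules file above with SSH limited to the LAN.
RULES = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -s 192.168.0.0/24 --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
"""
DEFAULT_PKT = dict(chain="INPUT", proto="tcp", src="0.0.0.0", dst="0.0.0.0",
                   sport=0, dport=0, in_if="eth0", state="NEW", icmp_type=-1)
MATCH_OPTS = {"-i", "-s", "-d", "-p", "--dport", "--sport", "--state", "--icmp-type"}
SKIP_OPTS = {"-m", "--limit", "--log-prefix", "--log-level"}

def packet(**fields):                      # a packet is a dict; 'state' is the conntrack state
    return {**DEFAULT_PKT, **fields}

def parse_rules(text):
    """Return (policies, rules); a rule is {'chain', 'target', 'matches'}."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line[0] == ":":                      # ':INPUT ACCEPT [0:0]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        tokens, rule, negate, i = shlex.split(line), {"matches": {}}, False, 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":                      # negates the option that follows
                negate, i = True, i + 1
                continue
            if tok in ("-A", "-j"):
                rule["chain" if tok == "-A" else "target"] = tokens[i + 1]
            elif tok in MATCH_OPTS:
                rule["matches"][tok] = (tokens[i + 1], negate)
                negate = False
            elif tok not in SKIP_OPTS:
                raise ValueError(f"unsupported option {tok!r} in: {line}")
            i += 2                              # every handled option takes one value
        rules.append(rule)
    return policies, rules

def _match(pkt, opt, value, negate):            # one option against the packet, honouring '!'
    if opt in ("-s", "-d"):
        addr = pkt["src" if opt == "-s" else "dst"]
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)
    elif opt == "-p":
        hit = value.lower() in ("all", pkt["proto"])
    elif opt == "--state":
        hit = pkt["state"] in value.split(",")
    elif opt == "-i":
        hit = pkt["in_if"] == value
    else:                                       # --dport, --sport, --icmp-type
        hit = pkt[opt.lstrip("-").replace("-", "_")] == int(value)
    return hit != negate

def verdict(pkt, policies, rules):
    """Walk the packet's chain in order; the first terminating target wins."""
    for rule in rules:
        if rule["chain"] != pkt["chain"]:
            continue
        if all(_match(pkt, o, v, n) for o, (v, n) in rule["matches"].items()):
            if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
                return rule["target"]           # LOG just falls through
    return policies.get(pkt["chain"], "ACCEPT")  # otherwise the chain policy
```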

Monday, December 15, 2014

OpenvSwitch concepts and principles

1 What is OpenvSwitch

OpenvSwitch (OVS for short) is virtual switching software used mainly in virtual machine (VM) environments. As a virtual switch it supports several virtualization technologies: Xen/XenServer, KVM and VirtualBox.

In a virtualized environment on a single machine, a virtual switch (vswitch) has two main jobs: carrying traffic between VMs, and letting VMs communicate with the outside network.

All of the OVS code is written in C. It currently has the following features:

    Standard 802.1Q VLAN model with trunk and access ports
    NIC bonding with or without LACP on upstream switch
    NetFlow, sFlow(R), and mirroring for increased visibility
    QoS (Quality of Service) configuration, plus policing
    GRE, GRE over IPSEC, VXLAN, and LISP tunneling
    802.1ag connectivity fault management
    OpenFlow 1.0 plus numerous extensions
    Transactional configuration database with C and Python bindings
    High-performance forwarding using a Linux kernel module

2 Components of OpenvSwitch

    ovs-vswitchd: the daemon that implements switching; together with the Linux kernel companion module it implements flow-based switching.
    ovsdb-server: a lightweight database service that holds the entire OVS configuration, including interfaces, switching contents, VLANs and so on. ovs-vswitchd works according to the configuration in this database.
    ovs-dpctl: a tool for configuring the switch kernel module; it can control forwarding rules.
    ovs-vsctl: mainly for getting or changing ovs-vswitchd's configuration; it updates the database in ovsdb-server when used.
    ovs-appctl: mainly for sending commands to the OVS daemons; rarely needed.
    ovsdbmonitor: a GUI tool that displays the data in ovsdb-server.
    ovs-controller: a simple OpenFlow controller.
    ovs-ofctl: controls the flow table contents when OVS works as an OpenFlow switch.

3 OpenvSwitch and other vswitches

The other vswitches here include the VMware vNetwork distributed switch and Cisco's Nexus 1000V.

Virtual switches like the VMware vNetwork distributed switch and the Cisco Nexus 1000V provide a centralized form of control, whereas OVS is an independent vswitch that runs on each physical machine doing virtualization and provides remote management. OVS offers two protocols for remote management in a virtualized environment: OpenFlow, which manages the switch's behaviour through flow tables, and the OVSDB management protocol, which exposes the state of the switch's ports.

(II) Concepts and workflow 1

1 vswitch, Bridge, Datapath

In networking, a switch and a bridge are the same concept. OVS implements an Ethernet switch for virtual machines; in other words, OVS implements an Ethernet bridge. In OVS, a switch, or bridge, is given a specialized name: DataPath!

To understand how OVS works, you first need to know the concept of a bridge.

A network bridge connects two LAN devices. It works at the data link layer, connecting two LANs and forwarding frames based on MAC addresses; it can be seen as a "lower-layer router" (a router works at the network layer and forwards based on IP addresses).

1.1 How a bridge works

A bridge processes packets according to the following rules:

    A packet received on an interface is never sent back out that same interface.
    The source MAC address of every received packet is learned.
    If the packet is multicast or broadcast (determined from the layer-2 MAC address), it is forwarded to all ports other than the receiving port, and also handed to the upper layer if an upper-layer protocol is interested.
    If the packet's destination address cannot be found in the CAM table, it is forwarded to all ports other than the receiving port.
    If it can be found in the CAM table, it is forwarded to the corresponding port; if the sending and receiving ports are the same, it is not sent.

Note that a bridge works in promiscuous mode. For more on bridges, consult the relevant material.
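The bridge rules above as a learning-bridge forwarding function (an added example, not OVS's own code; the port names and MAC addresses are constructed):

```python
# Learning-bridge forwarding decision implementing the five rules above.
# Added example (not OVS code); port names and MAC addresses are constructed.

def is_group_address(mac):
    """Multicast or broadcast: the I/G bit (lowest bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1

class LearningBridge:
    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}                     # MAC -> port it was last seen on

    def forward(self, in_port, src, dst):
        """Return the ports a frame arriving on in_port is sent out of."""
        self.cam[src] = in_port                              # rule 2: learn the source
        flood = [p for p in self.ports if p != in_port]      # rule 1: never back out in_port
        if is_group_address(dst):                            # rule 3: multicast/broadcast
            return flood
        out = self.cam.get(dst)
        if out is None:                                      # rule 4: unknown unicast
            return flood
        return [] if out == in_port else [out]               # rule 5: known unicast

def demo():
    """One uplink and two VM taps, as in the OVS figure above (constructed)."""
    br = LearningBridge(["eth0", "vnet0", "vnet1"])
    frames = [
        ("vnet0", "52:54:00:00:00:01", "52:54:00:00:00:02"),  # unknown dst: flooded
        ("eth0",  "52:54:00:00:00:02", "52:54:00:00:00:01"),  # reply: dst now known
        ("vnet1", "52:54:00:00:00:03", "ff:ff:ff:ff:ff:ff"),  # broadcast: flooded
        ("eth0",  "52:54:00:00:00:04", "52:54:00:00:00:02"),  # dst on the same port: filtered
    ]
    return [br.forward(*frame) for frame in frames]
```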
2 Bridges in OVS

As said above, a bridge is a switch. In OVS:

ovs-vsctl add-br brname(br-int)

root@Compute2:~# ifconfig
      br-int    Link encap:Ethernet  HWaddr 1a:09:56:ea:0b:49  
      inet6 addr: fe80::1809:56ff:feea:b49/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:1584 errors:0 dropped:0 overruns:0 frame:0
      TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0 
      RX bytes:316502 (316.5 KB)  TX bytes:468 (468.0 B)

Once we have created a switch (bridge), network functionality is not affected, but a virtual network interface named brname appears. This virtual interface exists to implement the bridge (switch) functions that follow. Now that we have the switch, I still need to add ports to it. A port is a physical NIC; once the NIC has joined the switch, it works much like a port on an ordinary switch.

ovs-vsctl add-port brname port

Note in particular that once a NIC has joined the bridge it must work to the bridge's standard: the added port must work in promiscuous mode, at the link layer, handling layer-2 frames, so the port needs no IP configured. (You have never seen a switch port with an IP, have you?)

Then you may ask: ordinary switches all have a management interface that you can telnet into to configure the switch; does a virtual switch created in OVS have one too? It does! Since creating the switch brname produced a virtual interface brname, assigning an IP to that virtual interface is equivalent to assigning an IP to the switch's management interface, and with that a normal virtual switch is done.

ip address add 192.168.1.1/24 dev brname

Finally, let's look at the details of a bridge:

root@Compute2:~# ovs-vsctl show
bc12c8d2-6900-42dd-9c1c-30e8ecb99a1b
Bridge "br0"
    Port "eth0"
        Interface "eth0"
    Port "br0"
        Interface "br0"
            type: internal
ovs_version: "1.4.0+build0"

First, this shows a bridge (switch) named br0 with two interfaces, eth0 and br0. As mentioned above, creating a bridge creates an interface with the same name as the bridge and automatically makes it a port of that bridge. This virtual interface serves on the one hand as the switch's management port and on the other hand is the basis on which the bridge functionality is implemented.

(II) Concepts and workflow 2

In this part I use a simple example to explain the typical workflow of OpenvSwitch in a virtualized environment.

As already said, OVS is mainly used in virtualized environments for communication between virtual machines and between a virtual machine and the outside network. A typical structure is shown in the figure:

The usual workflow is then as follows:

[figure: 1364959886_3705.png]

    1 A VM instance generates a packet and sends it to the virtual network interface (VNIC) inside the instance, eth0 in the instance in the figure.
    2 The packet is passed to the VNIC interface on the physical node, the vnet interface in the figure.
    3 The packet leaves the vnet NIC and reaches the bridge (virtual switch) br100.
    4 After the switch processes the packet, it is sent out of the physical node's physical interface, eth0 on the physical node in the figure.
    5 When the packet leaves eth0 it follows the physical node's routing table and default gateway; at this point the packet is effectively out of your control.

Thursday, October 23, 2014

CHECKPOINT COMMAND LINE REFERENCE



       CP-->general ; FW-->firewall ; FWM-->management

    CP COMMANDS
    cpstat fw -f policy --> To see the policy/Conn./Traffic/Interface in&out
    cpstat os -f perf --> To see Free Memory status
    cphaprob stat / cphaprob -a if --> To Check HA Cluster / Interface status
    cphaprob syncstat --> Shows the sync status
    cphaprob list --> Shows a status in list form
    cphastart/stop --> Starts/stops clustering on the specific node
    cp_conf sic --> SIC stuff
    cpconfig --> config util
    cplic print --> prints the license
    cprestart --> Restarts all Checkpoint Services
    cpstop --> Stops all Checkpoint Services
    cpstart --> Starts all Checkpoint Services
    cpstop -fwflag -proc --> Stops all checkpoint Services but keeps policy active in kernel
    cpwd_admin list --> List checkpoint processes
    cpstat -f all polsrv --> Show VPN Policy Server Stats
    cpstat --> Shows the status of the firewall
    cpstat -f multi_cpu os --> Shows processors load/stats
   
    FW COMMANDS
    fw tab -t sam_blocked_ips --> Block IPS via SmartTracker
    fw tab -t connections -s --> Show connection stats
    fw tab -t connections -f --> Show connections with IP instead of HEX
    fw tab -t fwx_alloc -f --> Show fwx_alloc with IP instead of HEX
    fw tab -t peers_count -s --> Shows VPN stats
    fw tab -t userc_users -s --> Shows VPN stats
    fw checklic --> Check license details
    fw ctl get int [global kernel parameter] --> Shows the current value of a global kernel parameter
    fw ctl set int [global kernel parameter] [value] --> Sets the current value of a global kernel parameter. Only temporary; cleared after reboot.
    fw ctl arp --> Shows arp table
    fw ctl install --> Install hosts internal interfaces
    fw ctl ip_forwarding --> Control IP forwarding
    fw ctl pstat --> System Resource stats
    fw ctl uninstall --> Uninstall hosts internal interfaces
    fw exportlog -o --> Export current log file to ascii file
    fw fetch --> Fetch security policy and install
    fw fetch "CMA IP or localhost" --> Installs (on gateway) the last installed policy
    fw lichosts --> Display protected hosts
    fw log -f --> Tail the current log file
    fw log -s -e --> Retrieve logs between times
    fw logswitch --> Rotate current log file
    fw lslogs --> Display remote machine log-file list
    fw monitor --> Packet sniffer
    fw printlic -p --> Print current Firewall modules
    fw printlic --> Print current license details
    fw putkey --> Install authentication key onto host
    fw stat -l --> Long stat list, shows which policies are installed
    fw stat -s --> Short stat list, shows which policies are installed
    fw ver -k --> Returns version, patch info and kernel info
    fwstart --> Starts the firewall
    fwstop --> Stop the firewall
    fwm lock_admin -v --> View locked admin accounts
    fwm dbexport -f user.txt --> used to export users into user.txt , can also use dbimport
    fwm_start --> starts the management processes
    fwm -p --> Print a list of Admin users
    fwm -a --> Adds an Admin
    fwm -r --> Delete an administrator
    fw ver / fw stat --> To See Firewall Version/stats
    fw tab -t connections -s --> Number of connections on the FW (normal max is 25000)
    fw unloadlocal --> To Uninstall the policy which affected access to FW
     

Friday, October 3, 2014

Creating Serial Console Access in VMware ESXi v5.5

1. Power off the VM.
2. Right-click the VM and configure the virtual serial port settings.
2.1 Choose Edit Settings > Add.
2.2 Choose Device Type > Serial port, and Next.
2.3 In "Serial Port Output", select "Connect via Network", and Next.
3. Select the Server (VM listens for connection) option.
3.1 Enter the Port URI: telnet://:[portnumber]
3.2 Select "Connect at power on"
3.3 Under I/O mode, select "Yield CPU on poll", and Next.
4. Configure the security settings for the virtual serial port.
4.1 Select the ESXi host.
4.2 Click the Configuration tab and click Security Profile in Software section.
4.3 To the right of Firewall section, click Properties
4.4 Scroll down and Select "VM serial port connected over Network", check it and OK.
5. Power on the VM.
6. telnet ESXi_host_IP [portnumber] to access VM serial console.

# VM Enable serial console, Ubuntu 14.04
#
1. configure grub
1.1 edit /etc/default/grub and add the following lines
GRUB_CMDLINE_LINUX='console=tty0 console=ttyS0,115200n8'
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1"

1.2 update grub
sudo update-grub

2. ttyS0.conf
2.1 Add /etc/init/ttyS0.conf
# ttyS0 - getty
#
# This service maintains a getty on ttyS0 from the point the system is
# started until it is shut down again.

start on stopped rc or RUNLEVEL=[12345]
stop on runlevel [!12345]

respawn
exec /sbin/getty -L 115200 ttyS0 vt102

2.2 start getty
sudo start ttyS0


# CSR1000v enable serial console
#
Router> enable
Router# configure terminal
Router(config)# platform console serial
Router(config)# end
Router# copy system:running-config nvram:startup-config
Router# reload


packet@Burnaby:~$ telnet 192.168.255.2 10001
Trying 192.168.255.2...
Connected to 192.168.255.2.
Escape character is '^]'.

Router>en
Router#show version
Cisco IOS XE Software, Version 03.13.00a.S - Extended Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S0a, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 03-Sep-14 13:29 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2014 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

Router uptime is 3 minutes
Uptime for this control processor is 5 minutes
System returned to ROM by reload
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

License Level: ax
License Type: Default. No valid license found.
Next reload license Level: ax

cisco CSR1000V (VXE) processor (revision VXE) with 794724K/6147K bytes of memory.
Processor board ID 9EDI16UX6ZT
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
2506272K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102

Router#
