– Operational mode and Configuration mode

When you first log in you will be in operational mode. Type '?' to see all the commands available to you:

ubnt@ubnt:~$ ?                                                                   
add            delete         ping6          reset          terminal            
clear          disconnect     reboot         restart        traceroute          
configure      generate       release        set            traceroute6         
connect        initial-setup  remove         show           undebug             
copy           no             rename         shutdown                           
debug          ping           renew          telnet     

ubnt@ubnt:~$ show ?                                                           
arp              flow-accounting  nat              table                        
bridge           hardware         ntp              tech-support                 
configuration    history          openvpn          ubnt                         
date             host             pppoe-server     users                        
debugging        incoming         queueing         version                      
dhcp             interfaces       reboot           vpn                          
dhcpv6           ip               route-map        vrrp                         
disk             ipv6             shutdown         webproxy                     
dns              lldp             snmp             zebra                        
file             log              switch                                        
firewall         login            system  

ubnt@ubnt:~$ show interfaces                                                    
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down                    
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         -                                 u/u                              
eth1         -                                 u/D                              
eth2         -                                 u/D                              
eth3         -                                 u/D                              
eth4         -                                 u/D                              
eth5         -                                 u/D                              
eth6         -                                 u/D                              
lo           127.0.0.1/8                       u/u

To change the configuration you must enter configuration mode.

ubnt@ubnt:~$ configure                                                          
                                                                          
ubnt@ubnt#

Use '?' or tab to see the commands available to you:

ubnt@ubnt# show ?                                                              
interfaces  service     system                                                  
                                                                          
ubnt@ubnt# show ?                                                               
Possible completions:                                                           
  interfaces    Network interfaces                                              
  service       Services                                                        
  system        System parameters

Setting the IP address on eth0:

ubnt@ubnt# set interfaces ethernet eth0 address ?                                
Possible completions:                                                           
     IP address and prefix length                                    
                                                             
                IPv6 address and prefix length                                  
  dhcp          Dynamic Host Configuration Protocol                             
  dhcpv6        Dynamic Host Configuration Protocol for IPv6                    
                                                                                
                                                                          
ubnt@ubnt# set interfaces ethernet eth0 address 10.1.1.80/23                     
                                                                          
ubnt@ubnt# set interfaces ethernet eth0 description "production LAN"

These changes exist only in the "working" configuration; they are not yet in effect in the "active" configuration. To see the differences between the two, use the "compare" command:

ubnt@ubnt# compare                                                              
                                                 
+address 10.1.1.2/24                                                            
+description "production LAN"

If everything looks right, use the "commit" command to make the changes active:

ubnt@ubnt# commit

Assuming commit returned no errors, the changes are now in effect. However, if you do not use the save command, you will lose the active configuration on the next reboot. So use the "save" command to write the configuration to the boot config file.

ubnt@ubnt# save                                                                 
Saving configuration to '/config/config.boot'...                                
Done                                                                            
                                                                          
ubnt@ubnt# exit                                                                 
exit                                                                            
ubnt@ubnt:~$ 

ubnt@ubnt:~$ show interfaces                                                    
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down                    
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         10.1.1.80/23                      u/u  production LAN              
eth1         -                                 u/D                              
eth2         -                                 u/D                              
eth3         -                                 u/D                              
eth4         -                                 u/D                              
eth5         -                                 u/D                              
eth6         -                                 u/D                              
lo           127.0.0.1/8                       u/u                              
             ::1/128                                                            
                                                                    
ubnt@ubnt:~$ ping 10.1.0.1                                                      
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.                                  
64 bytes from 10.1.0.1: icmp_req=1 ttl=64 time=0.460 ms                         
64 bytes from 10.1.0.1: icmp_req=2 ttl=64 time=0.407 ms                         
^C                                                                              
--- 10.1.0.1 ping statistics ---                                                
2 packets transmitted, 2 received, 0% packet loss, time 999ms                   
rtt min/avg/max/mdev = 0.407/0.433/0.460/0.033 ms

– Using the edit/up/top/discard/copy/rename commands

First we will create a firewall rule with the necessary set commands.

ubnt@ubnt# set firewall name TEST default-action drop                           
                                                                          
ubnt@ubnt# set firewall name TEST enable-default-log
ubnt@ubnt# set firewall name TEST rule 10 description "allow icmp"              
ubnt@ubnt# set firewall name TEST rule 10 action accept                         
ubnt@ubnt# set firewall name TEST rule 10 protocol icmp

Before typing commit, we can view the rule with compare:

ubnt@ubnt# compare
+name TEST {
+    default-action drop
+    enable-default-log
+    rule 10 {
+        action accept
+        description "allow icmp"
+        protocol icmp
+    }
+}

Now let's use the discard command to undo the firewall rule we wrote, and then write the firewall rule using the edit command.

ubnt@ubnt# discard
Changes have been discarded
                                                 
ubnt@ubnt# compare
No changes between working and active configurations

As you may have noticed, the # in the prompt tells you that you are working in privileged mode, and at this point you are at the top level. Now let's continue and create our firewall rule using edit levels.

ubnt@ubnt# edit firewall name TEST                  
          
ubnt@ubnt# set default-action drop
                                       
ubnt@ubnt# set enable-default-log

Now edit (the command we use when we want to edit a node) rule 10:

ubnt@ubnt# edit rule 10

Using "?" or tab completion will show only the options for the current edit level:

ubnt@ubnt# set ?
action       disable      ipsec        p2p          source       time           
description  fragment     limit        protocol     state                       
destination  icmp         log          recent       tcp                         
                                               
ubnt@ubnt# set description "allow icmp"                                         
                                               
ubnt@ubnt# set action accept                                                    
                                               
ubnt@ubnt# set protocol icmp

Now the compare command will show you the differences at the current edit level.

ubnt@ubnt# compare                                                              
                                               
+action accept
+description "allow icmp"
+protocol icmp

With the up command you can move up one edit level.

ubnt@ubnt# up                                                                   
                                                       
ubnt@ubnt# compare                                                              
                                                       
+default-action drop                                                            
+enable-default-log                                                             
+rule 10 {                                                                      
+    action accept                                                              
+    description "allow icmp"                                                   
+    protocol icmp                                                              
+}                                                                              
                                                       
ubnt@ubnt# up                                                                   
                                                                 
ubnt@ubnt# compare                                                              
                                                                 
+name TEST {                                                                    
+    default-action drop                                                        
+    enable-default-log                                                         
+    rule 10 {                                                                  
+        action accept                                                          
+        description "allow icmp"                                               
+        protocol icmp                                                          
+    }                                                                          
+}

To see the top level from any edit level, you can use the top command.

ubnt@ubnt# top                                                                  
                                                                          
ubnt@ubnt# compare                                                              
                                                                 
+name TEST {                                                                    
+    default-action drop                                                        
+    enable-default-log                                                         
+    rule 10 {                                                                  
+        action accept                                                          
+        description "allow icmp"
+        protocol icmp
+    }
+}

The most useful commands are edit, copy and rename. Let's say we have a firewall rule like the one below and we want to make a change to it by copying it.

ubnt@ubnt# show firewall
 name WAN1_LOCAL {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }
ubnt@ubnt# edit firewall
ubnt@ubnt# copy name WAN1_LOCAL to name WAN2_LOCAL
ubnt@ubnt# commit
ubnt@ubnt# top
ubnt@ubnt# show firewall
 name WAN1_LOCAL {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }
 name WAN2_LOCAL {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }

The rename command is used with the edit command in the same way.

ubnt@ubnt# edit firewall
ubnt@ubnt# rename name W
WAN1_LOCAL  WAN2_LOCAL
ubnt@ubnt# rename name WAN2_LOCAL to name WAN2_IN
ubnt@ubnt# commit
ubnt@ubnt# top
ubnt@ubnt# show firewall name
 name WAN1_LOCAL {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }
 name WAN2_IN {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
 }
ubnt@ubnt#

– Using config management:

As explained above, save writes the configuration to disk. But you can also back up your config file to a remote server, like this (I am assuming a TFTP service is installed on the remote server):

ubnt@RTR# save ?                                                                 
Possible completions:                                                           
                                 Save to system config file              
                                  Save to file on local machine           
  scp://:@/   Save to file on remote machine          
  ftp://:@/   Save to file on remote machine          
  tftp:///                  Save to file on remote machine
ubnt@RTR# save tftp://10.1.0.15/rtr-config.boot                                 
Saving configuration to 'tftp://10.1.0.15/rtr-config.boot'...                   
######################################################################## 100.0% 
Done

But this is only a backup copy of the configuration. If I reboot, /config/config.boot will still be the file that is loaded.

So what should I do if I want the configuration backed up to the remote server automatically after every commit?

ubnt@RTR# set system config-management commit-archive location ?              
Possible completions:
           Uniform Resource Identifier                                     
                                                                                
Detailed information:                                                           
                                                                                
    "scp://:@/
    "ftp://:@/
    "tftp:///

ubnt@RTR# set system config-management commit-archive location tftp://10.1.0.15/RTR

ubnt@RTR# commit
Archiving config...
  tftp://10.1.0.15/RTR  OK

On the remote TFTP server you will see that a separate copy is saved for each commit, each with the router name and the date in its file name:

stig@uffda:/tftpboot/RTR$ ls -l
total 8
-rw------- 1 nobody nogroup 908 Aug 17 17:19 config.boot-RTR.20120817_171932
-rw------- 1 nobody nogroup 874 Aug 17 17:20 config.boot-RTR.20120818_002046
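TFTP has no authentication or encryption, and each archived config.boot carries the login section, password hashes included. The following is an added example (not part of the original page or of EdgeOS): a Python audit that flattens the brace-style config into `set`-style paths and flags a cleartext commit-archive location, stored plaintext passwords and MD5-crypt (`$1$`) hashes. The sample config and the function names are constructed for illustration.

```python
import shlex

# Constructed sample in config.boot syntax (the hash value is a placeholder).
SAMPLE = """
system {
    config-management {
        commit-archive {
            location tftp://10.1.0.15/RTR
        }
    }
    login {
        user joe {
            authentication {
                encrypted-password $1$PLACEHOLDER$constructedNotARealHash
                plaintext-password ""
            }
            level admin
        }
    }
}
"""

ARCHIVE = ["system", "config-management", "commit-archive", "location"]

def flatten(config_text):
    """Convert brace-style config text into 'set'-style word paths."""
    stack, paths = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):  # skip blanks and trailer comments
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in config")
            stack.pop()
        elif line.endswith("{"):
            stack.append(shlex.split(line[:-1]))
        else:
            paths.append([w for node in stack for w in node] + shlex.split(line))
    if stack:
        raise ValueError("unclosed block: config may be truncated")
    return paths

def audit(config_text):
    """Flag settings that expose credentials through archived configs."""
    findings = []
    for p in flatten(config_text):
        if p[:4] == ARCHIVE and len(p) == 5:
            scheme = p[4].split("://", 1)[0]
            if scheme in ("tftp", "ftp"):
                findings.append(f"commit-archive uses cleartext {scheme}")
        elif p[:3] == ["system", "login", "user"] and len(p) == 7:
            user, key, value = p[3], p[5], p[6]
            if key == "plaintext-password" and value:
                findings.append(f"user {user}: plaintext password in config")
            elif key == "encrypted-password" and value.startswith("$1$"):
                findings.append(f"user {user}: MD5-crypt ($1$) password hash")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it over each file in the archive directory; a `ValueError` from `flatten` on an archived copy indicates an incomplete transfer.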

– commit-revisions

Instead of backing up to a remote server, you may also want to keep multiple revisions of the config file on the local disk:

ubnt@RTR# set system config-management commit-revisions 50

ubnt@RTR# commit

Example:

ubnt@RTR# set system login user joe authentication plaintext-password secret   

ubnt@RTR# commit

ubnt@RTR# save; exit
Saving configuration to '/config/config.boot'...
Done
exit

ubnt@RTR:~$ show system commit                                                  
0   2012-08-17 18:32:13 by ubnt via cli                                         
    commit                                                                      
1   2012-08-17 18:31:52 by ubnt via cli                                         
    commit                                                                      
2   2012-08-17 18:31:51 by root via init                                        
    commit

Now let's take a look at what changed in revision 0:

ubnt@RTR:~$ show system commit diff 0

+user joe {
+    authentication {
+        encrypted-password $1$CWVzYggs$NyJXxC3S572rfm6pY8ZMO.
+        plaintext-password ""
+    }
+    level admin
+}

If you want to see the entire configuration at revision 0:

ubnt@RTR:~$ show system commit file 0

Can I add a comment or note to my commits?

ubnt@RTR# set system login user joe level operator                              
                                                                          
ubnt@RTR# commit comment "change joe from admin to op"                          
                                                                          
ubnt@RTR# save; exit                                                            
Saving configuration to '/config/config.boot'...                                
Done                                                                            
exit

Now "show system commit" also shows the comments:

ubnt@RTR:~$ show system commit                                                  
0   2012-08-17 18:44:41 by ubnt via cli                                         
    change joe from admin to op                                                 
1   2012-08-17 18:34:01 by ubnt via cli                                         
    commit                                                                      
2   2012-08-17 18:32:13 by ubnt via cli                                         
    commit                                                                      
3   2012-08-17 18:31:52 by ubnt via cli                                         
    commit                                                                      
4   2012-08-17 18:31:51 by root via init                                        
    commit
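The commit history above doubles as a change-audit trail. As an added example (not part of the original page or of EdgeOS), this Python parser turns `show system commit` output into records and lists the revisions made interactively that kept the default comment `commit`. The sample text is constructed from the output format shown above, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the format printed by "show system commit".
SAMPLE_LOG = """\
0   2012-08-17 18:44:41 by ubnt via cli
    change joe from admin to op
1   2012-08-17 18:34:01 by ubnt via cli
    commit
2   2012-08-17 18:31:51 by root via init
    commit
"""

HEADER = re.compile(
    r"^(\d+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) by (\S+) via (\S+)\s*$")

def parse_commit_log(text):
    """Parse 'show system commit' output into a list of dicts."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({
                "rev": int(m.group(1)),
                "when": datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S"),
                "user": m.group(3),
                "via": m.group(4),
                "comment": "",
            })
        elif line.strip() and entries:
            # Indented line(s) after a header hold the commit comment.
            joined = entries[-1]["comment"] + " " + line.strip()
            entries[-1]["comment"] = joined.strip()
    return entries

def uncommented(entries):
    """Revisions not made by init that kept the default comment 'commit'."""
    return [e["rev"] for e in entries
            if e["via"] != "init" and e["comment"] == "commit"]

if __name__ == "__main__":
    log = parse_commit_log(SAMPLE_LOG)
    for e in log:
        print(e["rev"], e["when"].isoformat(), e["user"], e["via"], e["comment"])
    print("no descriptive comment:", uncommented(log))
```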

– commit-confirm

When you are working on a router remotely, some changes (a firewall rule or a NAT rule, for example) can cut off your own connection. In those situations it is a very good idea for the configuration you made not to stay in effect until you confirm it. For example:

ubnt@RTR:~$ configure                                                           
                                                                          
ubnt@RTR# set firewall name WAN_IN rule 50 action drop                          
                                                                                                                                             
ubnt@RTR# set firewall name WAN_IN rule 50 destination address 172.16.0.0/16    
                                                                          
ubnt@RTR# commit-confirm                                                        
commit confirm will be automatically reboot in 10 minutes unless confirmed      
Proceed?

Now, if everything is fine:

ubnt@RTR# confirm

You can also specify how many minutes it should wait. But if you forget to type the confirm command, you may be in for an unpleasant surprise:

ubnt@RTR# commit-confirm 1                                                      
commit confirm will be automatically reboot in 1 minutes unless confirmed       
Proceed?                                                            
                                                                          
ubnt@RTR#                                                                       
Broadcast message from root@RTR (Mon Aug 20 14:00:06 2012):                     
                                                                                
The system is going down for reboot NOW!                                        
INIT: Switching to runlevel: 6                                                  
INIT: Stopping routing services...zebra...done.                                 
Removing all Quagga Routes.
