Connectivity Made Easy Page 2 of 26 InnGate 3 Command Line Interface Reference
This is a reference guide to the commands available in the Command Line Interface. Many of the commands have direct equivalents in the web-based Admin GUI; the purpose of these features for setting up the InnGate 3 is discussed in the main Administrator's Manual. This document is intended for system and network administrators who will be configuring and administering the InnGate 3.
Copyright 2002 - 2010 Advanced Network Technology Laboratories Pte Ltd. All rights reserved.

TRADEMARKS AND ACKNOWLEDGEMENTS
The following trademarks and acknowledgements apply: The InnGate system and TruConnect technology are products and technologies of Advanced Network Technology Laboratories Pte Ltd (ANTlabs). Windows and Microsoft are registered trademarks of Microsoft Corporation. Solaris is a registered trademark of Sun Microsystems. All other products mentioned in this manual are trademarks of their respective owners.
DISCLAIMER No part of this manual may be copied, distributed, transmitted, transcribed, stored in a retrieval system or translated into any human or computer language, in any form or by any means, electronic or otherwise, without the express written permission of ANTlabs.
The software and accompanying written materials (including instructions for use and this document) are provided as is without warranty of any kind.
ANTlabs does not warrant, guarantee or make any representations regarding the use, or the results of the use, of the software or written materials in terms of correctness, accuracy, reliability, trend or otherwise. ANTlabs reserves the right to make changes without further notice to any products described herein to improve reliability, function or design. This documentation is copyrighted and may not be altered without written consent from ANTlabs.
ANTlabs reserves the right to prosecute companies or individuals who make, distribute or use illegal copies of this software system and its accompanying documentation.
Release Date: July 2010
Document Reference No: IG3-CLI
This manual is intended for administrators who will be responsible for the installation and configuration of the InnGate.
This manual details the commands accessible via the Command Line Interface.
Administrators are expected to have a good working knowledge of networks and TCP/IP. Knowledge of the operating environment and characteristics of the systems used in the deployed networks is also useful.
RELATED DOCUMENTATION
You may refer to the ANTlabs homepage at http://www.antlabs.com/ for other related materials and documents released by ANTlabs.
FEEDBACK AND COMMENTS
ANTlabs welcomes all comments and suggestions on the quality and usefulness of this document. Our users' feedback is an important component of the information used to improve this document.
Please include in your feedback:
Name
Title
Company
Department
E-Mail
Postal Address
Telephone Number
Document Title & Release No
Document Reference No.
Comments/Feedback
Also, please include the chapter, section and/or page number when referring to specific portions of the document.
Send your comments via email to documentation@antlabs.com

Chapter 1 INTRODUCTION
1.1 Overview
This documentation provides a reference for the various commands that are available to aid in configuring the InnGate.
Many of the commands have direct feature equivalents accessible via the web admin, and the purpose of these features for setting up the InnGate is discussed in the main Administrator's Manual. This document only provides a reference guide for command usage in the CLI.
Each category of associated commands is described in individual chapters. The various categories are as follows:
1. NETWORK SERVICE COMMANDS Commands related to setting up the InnGate for operation on the network. See Chapter 2.
2. SYSTEM SECURITY COMMANDS Commands that manage system security such as the administrator account details like username, password, etc. See Chapter 3.
3. STATUS AND LOG COMMANDS Commands that show the operational status, various system settings and historical logs. See Chapter 4.
4. SYSTEM COMMANDS System commands manage various system functions such as optimization, services, database, etc. See Chapter 5.
In addition, the CLI also supports a subset of the Unix Shell commands which are listed in 5.8.
The InnGate features 2 levels of CLI access; operator mode and supervisor mode (see Section 3.3). Commands available in the operator mode are a subset of those in the supervisor mode.
1.2 Command Syntax
The basic command syntax is as follows:

  command keyword [option <arguments>]

Some keywords are common throughout the majority of commands and are described in the table below. The keywords apply to most commands except the show command, where the syntax is different. Also, some system commands like shutdown, reboot and password do not have any options.

Keywords      Description
show          View the existing configurations.
show config   View the existing configurations in command syntax.
set           Modify the existing configurations.
enable        Enable a feature that is already set.
disable       Disable a feature, retaining the value set (if any).
delete        Delete the logged reports (this keyword is specific to the commands in the reports section).
Chapter 2 NETWORK SERVICE COMMANDS

2.1 dns
This command configures the DNS parameters, such as the parent DNS server to be used by the InnGate for name resolution.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  dns show
  dns show config
  dns set parent address

Example:
  dns show
  dns show config
  dns set parent 162.21.83.88

Using the keyword set, a comma-separated list of DNS values can be specified and the command will update the DNS configuration to the new value(s).

Set Options   Description
parent        Configure the IP address of the parent DNS.
2.2 email
Parameters of the SMTP server can be configured with this command.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  email show
  email show config
  email set [admin_email email] [forward_to_ip ip]
  email enable/disable [system_email] [forward_to_ip]

Example:
  email show
  email show config
  email disable system_email
  email enable forward_to_ip
  email set admin_email admin@antlabs.com forward_to_ip 207.125.222.21

The InnGate has its own SMTP server and therefore does not require an external server. However, email forwarding to an external SMTP server is possible. The IP address of the external SMTP server can be specified using the forward_to_ip option with the keyword set.

Set Options     Description
admin_email     Postmaster's email account.
forward_to_ip   IP address of the external SMTP server.

Enable/Disable Options   Description
system_email             Enable/disable use of the system administrator's email (in place of the postmaster's email).
forward_to_ip            Enable/disable email forwarding to the external SMTP server.
2.3 inetd
The InnGate FTP and Telnet services are configured with this command. By default, FTP and Telnet access is enabled.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  inetd show [ftp/telnet]
  inetd show config
  inetd enable/disable ftp/telnet

Example:
  inetd show
  inetd show ftp
  inetd show telnet
  inetd show config
  inetd disable ftp
  inetd enable telnet

Enable/Disable Options   Description
ftp                      Enable/disable FTP access.
telnet                   Enable/disable Telnet access.
2.4 ip
Using this command, the upstream interface of the InnGate can be configured.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  ip show [device1 device2 ...]
  ip show config
  ip set device_name [ip ip] [netmask nm] [gateway gw]

Example:
  ip show
  ip show WAN_01
  ip show default
  ip show config
  ip set WAN_01 ip 211.183.5.163 netmask 255.255.255.224 gateway 211.183.5.15

Set Options   Description
ip            Set the IP address of the Ethernet device.
netmask       Set the netmask of the Ethernet device.
gateway       Set the gateway address of the Ethernet device.
dhcp          Enable/disable the DHCP hostname lookup.
2.5 ntpd
Using this command, the NTP server can be configured. This allows the InnGate to synchronize its time to the configured NTP server.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  ntpd show
  ntpd show config
  ntpd set server address
  ntpd disable server

Example:
  ntpd show
  ntpd show config
  ntpd set server 192.453.22.34
  ntpd disable server

The NTP server is enabled automatically when its IP address is set using the set keyword. When the NTP server is disabled or set to an empty value, the NTP IP address will be set to the default value (127.127.1.0).

Set Options   Description
server        Set the IP address of the NTP server.

Disable Options   Description
server            Disable the NTP server. The default value (127.127.1.0) will be set.
2.6 netpx_conf
This command allows you to configure a port forwarding service, which is useful if you want to allow upstream access to downstream services.
For example, there may be a downstream host running an FTP service that needs to be accessible to upstream users. But because the downstream network might be a private network that is not visible to the upstream, there will be no way for the upstream user to connect to the FTP service. For a downstream private network, upstream users will only see the WAN IP of the InnGate and not the individual downstream hosts. Port forwarding allows you to assign a port number on the InnGate's WAN interface so that a user connecting to the InnGate's WAN IP + port number will actually have their traffic forwarded to the downstream service.
Port forwarding can also be used as a means to conserve public IP addresses, as opposed to assigning a public IP for each downstream service host.
To set up the net proxy, you will need to perform the following steps:
1. Setup the proxy environment Configure the interface to listen for incoming connections and general connection settings.
2. Create the proxy entries Configure the entries for the hosts which require the proxy service.
3. Create action filters Configure filters that perform an action when the filter criteria match the incoming connection attempt.
The command syntax is first discussed here with subsequent examples to illustrate its use according to the steps above.
Usage:
  netpx_conf <object> <command>

Where
  object              := { env | proxy_rule | filter | session }
  command(env)        := { get <key ...> | set <key> <value> | list }
  key                 := { proxy_device | tcp_timeout | udp_timeout | tcp_max_conn | udp_max_conn | filter_action }
  command(proxy_rule) := { list <type> | clear <type> | delete <type> <port> | add <type> <port> <target_host> <target_port> <device> }
  command(filter)     := { list <type> | insert <filter_spec1> | append <filter_spec1> | update <filter_spec1> | delete <type> <position> | delete_first <filter_spec2> | delete_all <filter_spec2> }
  command(session)    := { list <type> }
  filter_spec1        := <type> <position> <action> <snet> <sport> <tport>
  filter_spec2        := <type> <action> <snet> <sport> <tport>
  type                := { tcp | udp }

Note: When specifying an IP address for the source network snet, you may use CIDR format (e.g. 192.168.123.50/24, where /24 is the subnet mask prefix).
Example (netpx_conf env):
  netpx_conf env list
  netpx_conf env set tcp_timeout 30
  netpx_conf env get proxy_device tcp_timeout

The above commands allow you to list/store/retrieve the proxy environment variables and their associated settings. The environment variables are explained here:

Variables                             Description
proxy_device                          The interface on which to listen for incoming connections.
tcp_timeout                           Timeout (in seconds) for TCP connection attempts.
udp_timeout                           Timeout (in seconds) for UDP connection attempts.
tcp_max_conn (Max TCP Connections)    Maximum number of TCP connections allowed.
udp_max_conn (Max UDP Connections)    Maximum number of UDP connections allowed.
filter_action                         The action applied on receipt of an incoming connection attempt.
Example (netpx_conf session):
  netpx_conf session list tcp

The above command lists the currently active TCP net proxy sessions.
Example (netpx_conf proxy_rule):
  netpx_conf proxy_rule list tcp

The above command lists the rules applied to TCP proxy connections.

  netpx_conf proxy_rule add tcp 92 10.68.12.24 23 eth1
  netpx_conf proxy_rule delete tcp 92

The first of the two commands above adds an entry to listen for incoming TCP connections on port 92 and forward them to the host with IP address 10.68.12.24 on port 23 (telnet), which is on the network reachable through interface eth1. The second command deletes the entry just created.

  netpx_conf proxy_rule clear udp

The above command clears all UDP proxy rule entries currently applied.
Example (netpx_conf filter):
  netpx_conf filter list tcp

The above command lists all the filters currently applied to TCP proxy connections. An example of the output generated by the above command is shown here:

  Filter 1:
    Action         : ACCEPT
    Source Network : 123.123.123.0/24
    Source Port    : ANY
    Target Port    : ANY
  Filter 2:
    Action         : ACCEPT
    Source Network : 10.12.10.1
    Source Port    : 30
    Target Port    : 20
To add a filter to the sample list above you may formulate a command such as the one below:
  netpx_conf filter insert tcp 1 DENY 10.10.1.1 ANY 60

The above command inserts the filter before Filter 2. Using the sample output above, the list of filters can be thought of as an array with position index 0 occupied by Filter 1 and position index 1 occupied by Filter 2. As such, the above command inserts the new filter at position index 1, pushing Filter 2 to position index 2, where it is automatically renamed Filter 3. If you wish to insert after the position, use the append command instead.
Note: Because of the array-based representation described above, if you are inserting the very first entry into an empty list, the position index should be 0 not 1.
This filter is matched when a host with IP address 10. 10. 1. 1 attempts to make a TCP connection to the InnGate on port 60. When matched, the connection is denied, as specified by the action. The order of precedence is simple, the first filter matched is the one that is applied.
Note: While the system allows you to specify the source port, most outgoing connections use ephemeral ports, so it is more common to set the source port to ANY, indicating that all connection attempts from 10.10.1.1, regardless of source port, will match this filter.
  netpx_conf filter delete tcp 1

The command above deletes the TCP filter entry at position index 1.

  netpx_conf filter delete_first tcp DENY 10.10.1.1 ANY 60

The command above deletes the first TCP filter entry that matches the criteria specified. If you wish to delete all filter entries that match the criteria (i.e. duplicate entries), use the delete_all command instead.
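The position, insert/append, delete and first-match rules described for the filter list above, modelled as an added example (constructed here, not InnGate code). It assumes the env key filter_action is the action applied when no filter matches, and starts from the two filters in the sample output:

```python
"""Constructed model of the netpx_conf filter list (Section 2.6), not InnGate code:
array positions (insert = before, append = after), the delete variants and
first-match precedence. Assumes env filter_action applies when no filter matches."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    action: str  # ACCEPT or DENY
    snet: str    # source host IP or CIDR network, e.g. 123.123.123.0/24
    sport: str   # source port number or ANY
    tport: str   # target (InnGate) port number or ANY

    def matches(self, src_ip, src_port, dst_port):
        # strict=False accepts a host address with a prefix (192.168.123.50/24)
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.snet, strict=False):
            return False
        if self.sport != "ANY" and int(self.sport) != src_port:
            return False
        return self.tport == "ANY" or int(self.tport) == dst_port


class FilterList:
    """Filter array for one protocol type (tcp or udp)."""

    def __init__(self, filter_action="ACCEPT"):
        self.filters = []
        self.filter_action = filter_action  # assumed default when nothing matches

    def insert(self, position, f):
        # filter insert <type> <position> ...: the new filter takes index <position>
        # and the one previously there moves one index down; an empty list takes 0
        if not 0 <= position <= len(self.filters):
            raise IndexError(f"position {position} out of range (0..{len(self.filters)})")
        self.filters.insert(position, f)

    def append(self, position, f):
        self.insert(position + 1, f)  # append = insert after the given position

    def delete(self, position):
        del self.filters[position]  # filter delete <type> <position>

    def delete_first(self, f):
        if f not in self.filters:  # delete_first removes only the first matching entry
            return False
        self.filters.remove(f)
        return True

    def delete_all(self, f):
        kept = [x for x in self.filters if x != f]  # every matching entry, duplicates too
        removed = len(self.filters) - len(kept)
        self.filters = kept
        return removed

    def decide(self, src_ip, src_port, dst_port):
        for f in self.filters:  # precedence: the first filter matched is applied
            if f.matches(src_ip, src_port, dst_port):
                return f.action
        return self.filter_action

    def render(self):
        # same layout as "filter list <type>": names are 1-based, positions 0-based
        fields = (("Action", "action"), ("Source Network", "snet"), ("Source Port", "sport"), ("Target Port", "tport"))
        out = []
        for i, f in enumerate(self.filters):
            out.append(f"Filter {i + 1}:")
            out.extend(f"  {name:<14} : {getattr(f, attr)}" for name, attr in fields)
        return "\n".join(out)


def sample_tcp_list():
    # the manual's two sample filters, then its "filter insert tcp 1 DENY ..." example
    tcp = FilterList()
    tcp.insert(0, Filter("ACCEPT", "123.123.123.0/24", "ANY", "ANY"))
    tcp.insert(1, Filter("ACCEPT", "10.12.10.1", "30", "20"))
    tcp.insert(1, Filter("DENY", "10.10.1.1", "ANY", "60"))  # old Filter 2 becomes Filter 3
    return tcp
```

Calling sample_tcp_list().render() prints the three-filter list in the same layout as the sample output, and decide() shows which action a given source address and target port would receive.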
2.7 syslog
Using this command, remote logging of certain system events to a specified syslog server can be configured.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  syslog show
  syslog show config
  syslog set server address
  syslog enable/disable server

Example:
  syslog show
  syslog show config
  syslog set server 192.136.112.1
  syslog enable server
  syslog disable server

The remote syslog machine must be configured to accept logs through FTP and email delivery.

Set Options   Description
server        Set the IP address of the syslog server.

Enable/Disable Options   Description
server                   Enable/disable remote logging.
2.8 webpx
Using this command, the InnGate can be configured to use either a direct connection or a web proxy. A comma-separated list of valid proxies and associated ports can be specified. You can also set the contact email address presented to the user when a proxy error occurs.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  webpx show
  webpx show config
  webpx set [proxy address] [admin_email email]
  webpx enable/disable [proxy] [system_email]

Example:
  webpx disable proxy
  webpx enable system_email
  webpx set proxy proxy1.antlabs.com:8080,proxy2.antlabs.com:8080 admin_email admin_contact@localhost.com

Set Options   Description
proxy         Comma-separated list of proxy addresses of the form addr1:port1,addr2:port2,addr3:port3
admin_email   Webmaster's email address for proxy errors.

Enable/Disable Options   Description
proxy                    Enable/disable use of the parent proxy.
system_email             Enable/disable use of the system administrator's email (in place of the webmaster's email).
2.9 websv
Using this command, parameters for the web server can be configured.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  websv show
  websv show config
  websv set email email
  websv enable/disable system_email

Example:
  websv show
  websv show config
  websv set email test@antlabs.com
  websv enable system_email

Set Options   Description
email         Webmaster's email address for web server errors.

Enable/Disable Options   Description
system_email             Enable/disable use of the system administrator's email (in place of the webmaster's email).
Chapter 3 SYSTEM SECURITY COMMANDS

3.1 webadm
Using this command, the administrator's account details, such as user id, email address and password for the web admin, can be configured.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  webadm show
  webadm show config
  webadm set [name id] [password] [email address]

Example:
  webadm show
  webadm show config
  webadm set name johntan password email anywhere@antlabs.com

The default value for user id is root and password is admin.

Set Options   Description
name          Set the system administrator's user id.
password      Set the system administrator's account password.
email         Set the email address of the administrator.
3.2 wadacc
Restrictions on which IP addresses can have access to the web admin can be set up here.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  wadacc show
  wadacc enable/disable [deny_downstream/ip_control]

Example:
  wadacc show
  wadacc disable deny_downstream
  wadacc enable ip_control

Set Options   Description
ip_control    Configure the IP addresses that are allowed to access the web admin from the upstream.

Enable/Disable Options   Description
deny_downstream          Enable/disable access from downstream.
ip_control               Enable/disable the upstream IP access control list.
3.3 enasup
The InnGate features 2 levels of CLI access: operator mode and supervisor mode. Commands available in the operator mode are a subset of those in the supervisor mode.
This command enables the user to enter the supervisor mode. After entering the command, a prompt for a password will appear.

Usage:
  enasup

3.4 passwd_sup
This command changes the supervisor password. After entering the command, it prompts you for the new password.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  passwd_sup
Chapter 4 STATUS AND LOG COMMANDS

4.1 status
This command displays information about the current system status.

Usage:
  status show

Example:
  status show

4.2 sessions
This command displays real-time information about the currently logged in sessions.

Usage:
  sessions show

Example:
  sessions show

4.3 session_log
This command displays a historical trace of sessions that were previously active. You can also delete the log.

Usage:
  session_log show
  session_log delete

4.4 show
This command acts as a wrapper for displaying the configurations of all the commands listed above.
The show settings command is equivalent to <command> show and the show config command is equivalent to <command> show config, as discussed in Section 1.2.

Usage:
  show settings [command_name]
  show config [command_name]
  show sessions
  show users
  show session_log
  show usage_log
  show status

Where command_name is one of the following:
  dns
  email
  inetd
  ip
  ntpd
  syslog
  wadacc
  webadm
  webpx
  websv

Example:
  show settings dns
  show config webadm

4.5 usage_log
This command displays the device information and usage log of downstream users.

Usage:
  usage_log show
  usage_log delete

4.6 users
This command displays information about currently active downstream users.

Usage:
  users show
Chapter 5 SYSTEM COMMANDS

5.1 help
Displays the list of supported commands and provides a description for each command.

Usage:
  help [command]

Example:
  help reboot

5.2 reboot
This command is used to reboot the InnGate. You will be prompted to confirm the action.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  reboot

5.3 shutdown
This command is used to shut down the InnGate. You will be prompted to confirm the action.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  shutdown

5.4 restart
Use this command to restart any service when troubleshooting.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  restart [service_name]

Where [service_name] is one of the following:
  ant_auth_timer
  ant_auth_intupd
  antmgr
  arpd
  Webserver
  dns
  mail
  Snmp
5.5 sshtun
In some network configurations, the InnGate may reside in an internal scope and therefore be assigned a private IP address. In such a case, Internet-bound traffic originating from the InnGate (and other clients in the internal scope) would most likely be NATed onto the Internet. In such a scenario, an external host that needs to access the InnGate from the Internet will not be able to do so.
This command uses the port forwarding feature of SSH to create a tunnel from the InnGate (SSH client) to the external host (SSH server) so that the external host's applications can subsequently communicate with the InnGate through the tunnel.

Usage:
  sshtun userid remote-ip remote-port listen-port

Example:
  sshtun guest 123.44.55.66 5468 1842

The above command specifies that port 5468 on the remote host 123.44.55.66 is to be forwarded to port 443 (HTTPS) on the InnGate. Once executed, applications on the remote host can access the InnGate's HTTPS service by connecting to port 5468 on the remote host.
5.6 check
This command checks the status of the httpd and squid daemon processes and restarts them if they are not currently active or have terminated abnormally.

Usage:
  check system

This command also checks, repairs and optimizes all the MySQL database tables. It can be invoked occasionally to optimize database performance.

Usage:
  check database

5.7 exit
This command terminates the current CLI shell. When in supervisor mode, exit will terminate the supervisor shell and return to the operator mode shell.

Usage:
  exit
5.8 save_snapshot
Use this command to save a snapshot of the current state of the InnGate. Upon executing this command, the InnGate will reboot to save the snapshot.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  save_snapshot

5.9 restore_firmware
Use this command to restore the InnGate to its factory default state. Upon executing this command, the InnGate will reboot to perform the restoration.
This command is only available in supervisor mode (see Section 3.3).
This command is only available via the serial port connection.

Usage:
  restore_firmware

5.10 restore_snapshot
Use this command to restore the InnGate to the previously saved snapshot. Upon executing this command, the InnGate will reboot to perform the restoration. If a snapshot is not found, no changes will be made on the InnGate.
This command is only available in supervisor mode (see Section 3.3).

Usage:
  restore_snapshot

Appendix A UNIX SHELL COMMANDS
Listed below are the additional commands that are accessible via the interface. Supervisor-only commands are only available in supervisor mode. Operator commands are available in both operator and supervisor mode.

Supervisor-Only Command   Description
arp                       Manipulate the system ARP cache
chmod                     Change file access permissions
cp                        Copy files
edit                      Open a text editor
ln                        Make links between files
mailq                     List pending mails in the mail queue
menu                      Configure the system through a menu-based interface
mkdir                     Make new directories
mv                        Move (rename) files
passwd                    Change CLI operator password
passwd_ftp                Change password of ftp-only user
rm                        Remove files or directories
rmdir                     Remove empty directories
touch                     Change file timestamps

Operator Command   Description
cat                Create and display short files
cd                 Change current working directory
clear              Clear the display screen
df                 Report filesystem disk space usage
free               Display information about free and used memory on the system
head               Display the first part of a file
ifstat             Display the Internet statistics
ls                 List directory contents
netstat            Display the network connections, routing tables, interface statistics, masquerade connections, netlink messages and multicast memberships
nslookup           Query Internet name server non-interactively. The interactive interface is disabled.
ping               Send ICMP ECHO_REQUEST packets to network hosts
pmstat             Display high-level system performance overview
ps                 Report process status information
shd                Show the current working directory
rz                 Receive files
sz                 Send one or more files
tail               View the last part of the input file
tcpdump            Dump traffic on a network
telnet             User interface to the TELNET protocol
terminal           Change terminal type
tracepath          Trace path to a particular destination, discovering the MTU along this path
traceroute         Print the route packets take to a network host
version            Display version of the CLI
vlandump           Display VLAN information