How Neutron manages networking through iptables

2024-06-06 02:08

This post looks at how Neutron manages networking through iptables, using the rules it installs on a compute node for one VM as the worked case.

Under the Access & Security menu, create a new security group named test. Open test and you will see two default egress rules, predefined by the system, which mean that the VM can reach any port on any IP outbound.


Then add two new rules:

The first rule says that only members of the default security group can ping VMs in this group;
the second rule says that only members of the default security group can log in (SSH) to VMs in this group.

Launch an instance, choosing the oa environment and the security group just created.
Then check which physical node the VM was scheduled on. In my case it landed on node 4, and before this node 4 had no VMs at all.
Looking at iptables on that node, there are no rules related to the VM yet:
Sugon04:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-sg-chain (0 references)
target     prot opt source               destination

Chain neutron-linuxbri-sg-fallback (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */
Sugon04:~ #

Once the new VM has been created, the rules appear:
Sugon04:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination
neutron-linuxbri-oe68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-ie68040f5-c (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  172.16.15.23         anywhere             udp spt:bootps dpt:bootpc
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
RETURN     icmp --  anywhere             anywhere             match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-oe68040f5-c (2 references)
target     prot opt source               destination
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-se68040f5-c  all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-se68040f5-c (1 references)
target     prot opt source               destination
RETURN     all  --  172.16.15.31         anywhere             MAC FA:16:3E:05:B8:03 /* Allow traffic from defined IP/MAC pairs. */
DROP       all  --  anywhere             anywhere             /* Drop traffic without an IP/MAC allow rule. */

Chain neutron-linuxbri-sg-chain (2 references)
target     prot opt source               destination
neutron-linuxbri-ie68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-oe68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT     all  --  anywhere             anywhere

Chain neutron-linuxbri-sg-fallback (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */
Sugon04:~ #

Now many more rules have appeared. How do they correspond to the security group rules?
Start with the INPUT chain:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-linuxbri-INPUT  all  --  anywhere             anywhere  
That chain in turn points to the following one:
Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination         
neutron-linuxbri-oe68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
which continues on to:
Chain neutron-linuxbri-oe68040f5-c (2 references)
target     prot opt source               destination         
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-se68040f5-c  all  --  anywhere             anywhere            
DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */
By this step we have reached real rules. The first two concern DHCP and can be left aside. The two that follow say that a packet belonging to an established connection is returned (let through), while an invalid one is dropped. The anywhere here means the rule applies to every IP address.
The last rule points to yet another chain:
Chain neutron-linuxbri-sg-fallback (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */
This chain drops every packet that matched no rule. It also shows that this iptables setup follows an allow policy: only traffic that meets the rules gets through (as opposed to a block policy, where traffic that meets the rules is stopped).

Next, the FORWARD chain:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere   
The first branch:
Chain neutron-filter-top (2 references)
target     prot opt source               destination         
neutron-linuxbri-local  all  --  anywhere             anywhere  
which points on to this chain, which takes no action at all:
Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination   
The second branch:
Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination         
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
This says that packets going in and out of the VM's tap device are handed to neutron-linuxbri-sg-chain:
Chain neutron-linuxbri-sg-chain (2 references)
target     prot opt source               destination         
neutron-linuxbri-ie68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-oe68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT     all  --  anywhere             anywhere            
Now look at these two chains:

neutron-linuxbri-ie68040f5-c
Chain neutron-linuxbri-ie68040f5-c (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  172.16.15.23         anywhere             udp spt:bootps dpt:bootpc
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
RETURN     icmp --  anywhere             anywhere             match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */
Chain neutron-linuxbri-sg-fallback (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */


neutron-linuxbri-oe68040f5-c
Chain neutron-linuxbri-oe68040f5-c (2 references)
target     prot opt source               destination
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-se68040f5-c  all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */
Chain neutron-linuxbri-sg-fallback (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */

Finally, the OUTPUT chain:
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere   
1.1 First, neutron-filter-top:
Chain neutron-filter-top (2 references)
target     prot opt source               destination         
neutron-linuxbri-local  all  --  anywhere             anywhere 

1.2 Then:
Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination  
This chain takes no action.

2.1 Then neutron-linuxbri-OUTPUT:
Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination  



This only sorts out what each chain does and still needs further refinement; where no rule takes an action, the chain's default action applies, which is normally ACCEPT.

Addendum:
The iptables inspected here belongs to node 04, which is exactly where the VM was built. Earlier we focused too much on INPUT and OUTPUT, yet what we are studying are the rules aimed at the VM, which led to a conceptual dead end. Take a different view: node 04 acts as the VM's relay, so every packet the VM receives is forwarded through node 04. When we look at node 04's iptables rules, then, we can ignore INPUT and OUTPUT and look only at FORWARD, because INPUT and OUTPUT govern traffic entering and leaving node 04 itself, while FORWARD holds the rules that really apply to the VM.







http://www.chinasem.cn/article/1034796
