How Neutron manages the network through iptables

2024-06-06 02:08

This article describes how Neutron manages the network through iptables. I hope it offers some reference value to developers working through this kind of problem; interested readers can follow along.

Under the Access & Security menu, create a new security group named test. Click into test and you will see two default egress rules; these are defined automatically by the system and mean that traffic can leave from any port to any IP.


Then add two new rules:

The first rule means that only members of the default security group can ping the VMs in this group;
The second rule means that only members of the default security group can SSH into the VMs in this group.

Launch an instance to create a new VM, choosing the oa environment and the security group just created.
Then go into the VM and check which compute node it was created on. In my case it landed on node 4, and before this node 4 had no VMs at all.
Looking at iptables also shows no rules related to VMs:
Sugon04:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-sg-chain (0 references)
target     prot opt source               destination

Chain neutron-linuxbri-sg-fallback (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */
Sugon04:~ #

After the new VM is created, the rules appear:
Sugon04:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination
neutron-linuxbri-oe68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-ie68040f5-c (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  172.16.15.23         anywhere             udp spt:bootps dpt:bootpc
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
RETURN     icmp --  anywhere             anywhere             match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-oe68040f5-c (2 references)
target     prot opt source               destination
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-se68040f5-c  all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-se68040f5-c (1 references)
target     prot opt source               destination
RETURN     all  --  172.16.15.31         anywhere             MAC FA:16:3E:05:B8:03 /* Allow traffic from defined IP/MAC pairs. */
DROP       all  --  anywhere             anywhere             /* Drop traffic without an IP/MAC allow rule. */

Chain neutron-linuxbri-sg-chain (2 references)
target     prot opt source               destination
neutron-linuxbri-ie68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-oe68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT     all  --  anywhere             anywhere

Chain neutron-linuxbri-sg-fallback (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */
Sugon04:~ #

Now many more rules have appeared. How do these rules correspond to the security group rules?
Let's start with the INPUT chain:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-linuxbri-INPUT  all  --  anywhere             anywhere  
This chain in turn points to the following one:
Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination         
neutron-linuxbri-oe68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
which then points further down:
Chain neutron-linuxbri-oe68040f5-c (2 references)
target     prot opt source               destination         
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-se68040f5-c  all  --  anywhere             anywhere            
DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */
At this step we finally see real rules. The first two relate to DHCP and can be ignored. The next two mean that packets belonging to an established, valid connection are returned, while invalid connections are dropped. Here anywhere means the rule applies to every IP address.
The last entry points to yet another chain:
Chain neutron-linuxbri-sg-fallback (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */
This chain drops every packet that matches no rule, which shows that this iptables setup follows an allow-list policy: only traffic that meets the requirements is let through. (The opposite is a block-list policy, where traffic that matches a rule is blocked.)

Next, the FORWARD chain:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere   
The first branch:
Chain neutron-filter-top (2 references)
target     prot opt source               destination         
neutron-linuxbri-local  all  --  anywhere             anywhere  
which points on to this chain, which contains no actions at all:
Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination   
The second branch:
Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination         
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
This means that packets entering and leaving the physical device (the VM's tap interface tape68040f5-c3) are forwarded through neutron-linuxbri-sg-chain:
Chain neutron-linuxbri-sg-chain (2 references)
target     prot opt source               destination         
neutron-linuxbri-ie68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-oe68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT     all  --  anywhere             anywhere            
Now look at these two chains:

neutron-linuxbri-ie68040f5-c
Chain neutron-linuxbri-ie68040f5-c (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  172.16.15.23         anywhere             udp spt:bootps dpt:bootpc
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
RETURN     icmp --  anywhere             anywhere             match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */
Chain neutron-linuxbri-sg-fallback (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */


neutron-linuxbri-oe68040f5-c
Chain neutron-linuxbri-oe68040f5-c (2 references)
target     prot opt source               destination         
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-se68040f5-c  all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */
Chain neutron-linuxbri-sg-fallback (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */

Finally, the OUTPUT chain:
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere   
1.1 It first goes through neutron-filter-top:
Chain neutron-filter-top (2 references)
target     prot opt source               destination         
neutron-linuxbri-local  all  --  anywhere             anywhere 

1.2 and then on to:
Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination  
This chain performs no action.

2.1 It then goes through neutron-linuxbri-OUTPUT:
Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination  



This only sorts out what each chain does and still needs further work. If no rule produces an action, the chain's default action is used, which is generally ACCEPT.

Supplement:
The node where iptables was examined is node 04, and the VM is built on that very node. Earlier we paid too much attention to INPUT and OUTPUT, yet what we are studying are the rules aimed at the VM, which led to a conceptual dead end. Let's change the approach: node 04 acts as a relay for the VM, so every packet the VM receives is forwarded from node 04. Therefore, when looking at the iptables rules on node 04 we need not care about INPUT and OUTPUT, only FORWARD: INPUT and OUTPUT govern traffic entering and leaving node 04 itself, while FORWARD holds the rules that really apply to the VM.
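To make the FORWARD walk above concrete, here is an added example (not from the original post) that parses `iptables -L` output like the listing on this page and flattens the chain jumps for one tap device into the ordered verdicts its traffic meets. The sample listing is a constructed, trimmed copy of the page's FORWARD-side chains, `tape68040f5-c3` is the tap name from the page, and the function names are my own.

```python
import re
# Constructed sample: FORWARD-side chains trimmed from the listing on this page (header rows dropped).
SAMPLE = """Chain FORWARD (policy ACCEPT)
neutron-linuxbri-FORWARD  all  --  anywhere  anywhere
Chain neutron-linuxbri-FORWARD (1 references)
neutron-linuxbri-sg-chain  all  --  anywhere  anywhere  PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged
neutron-linuxbri-sg-chain  all  --  anywhere  anywhere  PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged
Chain neutron-linuxbri-sg-chain (2 references)
neutron-linuxbri-ie68040f5-c  all  --  anywhere  anywhere  PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged
neutron-linuxbri-oe68040f5-c  all  --  anywhere  anywhere  PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged
ACCEPT  all  --  anywhere  anywhere
Chain neutron-linuxbri-ie68040f5-c (1 references)
RETURN  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
RETURN  tcp  --  anywhere  anywhere  tcp dpt:ssh match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
DROP  all  --  anywhere  anywhere  state INVALID
neutron-linuxbri-sg-fallback  all  --  anywhere  anywhere
Chain neutron-linuxbri-oe68040f5-c (2 references)
RETURN  udp  --  anywhere  anywhere  udp spt:bootpc dpt:bootps
neutron-linuxbri-se68040f5-c  all  --  anywhere  anywhere
RETURN  all  --  anywhere  anywhere
neutron-linuxbri-sg-fallback  all  --  anywhere  anywhere
Chain neutron-linuxbri-se68040f5-c (1 references)
RETURN  all  --  172.16.15.31  anywhere  MAC FA:16:3E:05:B8:03
DROP  all  --  anywhere  anywhere
Chain neutron-linuxbri-sg-fallback (2 references)
DROP  all  --  anywhere  anywhere"""

def parse_chains(listing):
    """Map chain name -> [(target, proto, source, match text)] from `iptables -L` output."""
    chains, cur = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            cur = chains.setdefault(m.group(1), [])
        elif cur is not None and line and not line.startswith("target"):
            f = line.split(None, 5)  # target prot opt source destination [matches]
            cur.append((f[0], f[1], f[3], f[5] if len(f) > 5 else ""))
    return chains

def effective_rules(chains, tap, direction, chain="FORWARD"):
    """Ordered verdicts one tap's traffic meets in FORWARD ('out' = towards the VM, 'in' = from it)."""
    out = []
    for target, proto, src, matches in chains.get(chain, []):
        m = re.search(r"--physdev-(in|out) (\S+)", matches)
        if m and m.groups() != (direction, tap):  # PHYSDEV jump for another tap/direction
            continue
        if target in chains:  # user-defined chain: descend into it
            out.extend(effective_rules(chains, tap, direction, target))
        else:  # terminal verdict; RETURN from a per-port chain falls through to sg-chain's ACCEPT
            out.append((chain, target, proto, src, matches))
    return out
```

A tap with no PHYSDEV jumps wired up yields an empty list, meaning only the builtin FORWARD policy applies to it.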

http://www.chinasem.cn/article/1034796
