本文主要是介绍neutron是如何通过iptables管理网络的,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
在访问与安全的菜单下,新建一个安全组test。点击进入test,可以看到两个默认的出口,这个是系统自动定义好的,表示无论从哪个端口哪个ip都能出去。
然后添加两个新的规则
第一个规则表示,只能从默认安全组可以ping通该组的虚拟机;
第二个规则表示,只能从默认安全组跳进该组的虚拟机。
启动云主机创建新的虚拟机,选择oa环境和刚刚创建的安全组。
然后进入该虚拟机,查看虚拟机创在哪个物理机的节点上。我这里发现时在4号机的节点上,再次之间4号机上是没有任何虚拟机的。
查看iptables也看不到与虚拟机有关的规则。
创建新的虚拟机之后规则就出来了
这个时候发现多了很多规则,那么这些规则和安全组的规则又是如何对应的呢?
先说INPUT链
最后一条又指向一条链
接着说FORWARD链
进
出
最后说output链:
1.2再到
2.1再走
这里只是厘清链的动作,还需要进一步补充,如果没有动作就使用默认动作,一般是accept。
补充:
这里操作iptables的地方是04节点,而虚拟机正是结立在该节点上。前期我们过多的将注意力放在INPUT和Output上,但是我们研究的却是针对虚拟机的规则。由此就造成了概念上走不通。现在换个思路。04节点作为虚拟机的中转站,那么所有的虚拟机获得的包都是从04上转发过来的。这样一来,当我们看04节点的iptables规则时,就无需关注INPUT和output,只需关注forward。因为INPUT和output是进出04节点的规则,而forward才是真正针对虚拟机的规则。
然后添加两个新的规则
第一个规则表示,只能从默认安全组可以ping通该组的虚拟机;
第二个规则表示,只能从默认安全组跳进该组的虚拟机。
启动云主机创建新的虚拟机,选择oa环境和刚刚创建的安全组。
然后进入该虚拟机,查看虚拟机创在哪个物理机的节点上。我这里发现时在4号机的节点上,再次之间4号机上是没有任何虚拟机的。
查看iptables也看不到与虚拟机有关的规则。
Sugon04:~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-linuxbri-INPUT all -- anywhere anywhere Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-FORWARD all -- anywhere anywhere Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-OUTPUT all -- anywhere anywhere Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-linuxbri-local all -- anywhere anywhere Chain neutron-linuxbri-FORWARD (1 references)
target prot opt source destination Chain neutron-linuxbri-INPUT (1 references)
target prot opt source destination Chain neutron-linuxbri-OUTPUT (1 references)
target prot opt source destination Chain neutron-linuxbri-local (1 references)
target prot opt source destination Chain neutron-linuxbri-sg-chain (0 references)
target prot opt source destination Chain neutron-linuxbri-sg-fallback (0 references)
target prot opt source destination
DROP all -- anywhere anywhere /* Default drop rule for unmatched traffic. */
Sugon04:~ #
创建新的虚拟机之后规则就出来了
Sugon04:~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-linuxbri-INPUT all -- anywhere anywhere Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-FORWARD all -- anywhere anywhere Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-OUTPUT all -- anywhere anywhere Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-linuxbri-local all -- anywhere anywhere Chain neutron-linuxbri-FORWARD (1 references)
target prot opt source destination
neutron-linuxbri-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */Chain neutron-linuxbri-INPUT (1 references)
target prot opt source destination
neutron-linuxbri-oe68040f5-c all -- anywhere anywhere PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */Chain neutron-linuxbri-OUTPUT (1 references)
target prot opt source destination Chain neutron-linuxbri-ie68040f5-c (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN udp -- 172.16.15.23 anywhere udp spt:bootps dpt:bootpc
RETURN tcp -- anywhere anywhere tcp dpt:ssh match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
RETURN icmp -- anywhere anywhere match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */Chain neutron-linuxbri-local (1 references)
target prot opt source destination Chain neutron-linuxbri-oe68040f5-c (2 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-se68040f5-c all -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */Chain neutron-linuxbri-se68040f5-c (1 references)
target prot opt source destination
RETURN all -- 172.16.15.31 anywhere MAC FA:16:3E:05:B8:03 /* Allow traffic from defined IP/MAC pairs. */
DROP all -- anywhere anywhere /* Drop traffic without an IP/MAC allow rule. */Chain neutron-linuxbri-sg-chain (2 references)
target prot opt source destination
neutron-linuxbri-ie68040f5-c all -- anywhere anywhere PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-oe68040f5-c all -- anywhere anywhere PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT all -- anywhere anywhere Chain neutron-linuxbri-sg-fallback (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* Default drop rule for unmatched traffic. */
Sugon04:~ #
这个时候发现多了很多规则,那么这些规则和安全组的规则又是如何对应的呢?
先说INPUT链
Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-linuxbri-INPUT all -- anywhere anywhere
该链又指向下面这个 Chain neutron-linuxbri-INPUT (1 references)
target prot opt source destination
neutron-linuxbri-oe68040f5-c all -- anywhere anywhere PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
然后接着往下指 Chain neutron-linuxbri-oe68040f5-c (2 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-se68040f5-c all -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */
可以看到,到了这一步已经有了实际的规则,前两个规则和DHCP有关,不需理会。紧接着两个规则表示建立有效连接就返回包,无效连接就丢弃。这里的anywhere表示规则对所有的ip地址有效。 最后一条又指向一条链
Chain neutron-linuxbri-sg-fallback (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* Default drop rule for unmatched traffic. */
这条链表示凡是不匹配规则的都包都扔了,其实这也说明该iptables主要是通得策略,只让符合要求的通过。(相对有堵得策略,符合要求的就堵住不让过) 接着说FORWARD链
Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-FORWARD all -- anywhere anywhere
第一个分支 Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-linuxbri-local all -- anywhere anywhere
再指向他,而且没有任何动作 Chain neutron-linuxbri-local (1 references)
target prot opt source destination
第二个分支 Chain neutron-linuxbri-FORWARD (1 references)
target prot opt source destination
neutron-linuxbri-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
这里表示通过 neutron-linuxbri-sg-chain
转发物理设备的进出包 Chain neutron-linuxbri-sg-chain (2 references)
target prot opt source destination
neutron-linuxbri-ie68040f5-c all -- anywhere anywhere PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-oe68040f5-c all -- anywhere anywhere PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT all -- anywhere anywhere
再看这两个链 进
neutron-linuxbri-ie68040f5-c
Chain neutron-linuxbri-ie68040f5-c (1 references)
<span style="color:#FF0000;">target prot opt source destination
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN udp -- 172.16.15.23 anywhere udp spt:bootps dpt:bootpc
RETURN tcp -- anywhere anywhere tcp dpt:ssh match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
RETURN icmp -- anywhere anywhere match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */</span>
Chain neutron-linuxbri-sg-fallback (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* Default drop rule for unmatched traffic. */
出
neutron-linuxbri-oe68040f5-c
Chain neutron-linuxbri-oe68040f5-c (2 references)
target prot opt source destination
<span style="color:#FF0000;">RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-se68040f5-c all -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */</span>
Chain neutron-linuxbri-sg-fallback (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* Default drop rule for unmatched traffic. */
最后说output链:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-OUTPUT all -- anywhere anywhere
1.1先走 neutron-filter-top
Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-linuxbri-local all -- anywhere anywhere
1.2再到
Chain neutron-linuxbri-local (1 references)
target prot opt source destination
这条链下来没有任何动作 2.1再走
neutron-linuxbri-OUTPUT
Chain neutron-linuxbri-OUTPUT (1 references)
target prot opt source destination
这里只是厘清链的动作,还需要进一步补充,如果没有动作就使用默认动作,一般是accept。
补充:
这里操作iptables的地方是04节点,而虚拟机正是结立在该节点上。前期我们过多的将注意力放在INPUT和Output上,但是我们研究的却是针对虚拟机的规则。由此就造成了概念上走不通。现在换个思路。04节点作为虚拟机的中转站,那么所有的虚拟机获得的包都是从04上转发过来的。这样一来,当我们看04节点的iptables规则时,就无需关注INPUT和output,只需关注forward。因为INPUT和output是进出04节点的规则,而forward才是真正针对虚拟机的规则。
这篇关于neutron是如何通过iptables管理网络的的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!