How Neutron manages the network with iptables
2016-03-02 17:02
Under the Access & Security menu, create a new security group called test. Click into test and you can see two default egress rules; these are defined automatically by the system and mean that traffic can leave on any port to any IP.
Then add two new rules:
The first rule means that only members of the default security group can ping the VMs in this group;
the second rule means that only members of the default security group can SSH into the VMs in this group.
Launch an instance to create a new VM, choosing the oa environment and the security group just created.
Then go into the VM and check which physical node it was created on. In my case it was on node 4, and before this node 4 had no VMs on it at all.
Checking iptables there, no VM-related rules are visible either:
```
Sugon04:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-sg-chain (0 references)
target     prot opt source               destination

Chain neutron-linuxbri-sg-fallback (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */
Sugon04:~ #
```
After the new VM is created, the rules appear:
```
Sugon04:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination
neutron-linuxbri-oe68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-ie68040f5-c (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  172.16.15.23         anywhere             udp spt:bootps dpt:bootpc
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
RETURN     icmp --  anywhere             anywhere             match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-oe68040f5-c (2 references)
target     prot opt source               destination
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-se68040f5-c  all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-se68040f5-c (1 references)
target     prot opt source               destination
RETURN     all  --  172.16.15.31         anywhere             MAC FA:16:3E:05:B8:03 /* Allow traffic from defined IP/MAC pairs. */
DROP       all  --  anywhere             anywhere             /* Drop traffic without an IP/MAC allow rule. */

Chain neutron-linuxbri-sg-chain (2 references)
target     prot opt source               destination
neutron-linuxbri-ie68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-oe68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT     all  --  anywhere             anywhere

Chain neutron-linuxbri-sg-fallback (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */
Sugon04:~ #
```
Now many more rules have appeared. How do these rules correspond to the security group rules?
The INPUT chain first:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere
```

This chain in turn points to the following one:

```
Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination
neutron-linuxbri-oe68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
```

which then points further down:

```
Chain neutron-linuxbri-oe68040f5-c (2 references)
target     prot opt source               destination
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-se68040f5-c  all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */
```

At this step there are real rules. The first two relate to DHCP and can be ignored. The next two mean that a packet belonging to an established, valid connection is returned, while a packet belonging to an invalid connection is dropped. Here anywhere means the rule applies to every IP address.

The last entry points to yet another chain:

```
Chain neutron-linuxbri-sg-fallback (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */
```

This chain drops every packet that matches no rule. It also shows that this iptables setup follows a "permit" policy: only traffic that meets the rules is let through (as opposed to a "block" policy, where traffic that matches the rules is blocked and everything else passes).
Next, the FORWARD chain:

```
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere
```

The first branch:

```
Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere
```

points to this chain, which has no rules at all:

```
Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination
```

The second branch:

```
Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
```

This means packets entering and leaving the physical device (matched by physdev) are forwarded through neutron-linuxbri-sg-chain:

```
Chain neutron-linuxbri-sg-chain (2 references)
target     prot opt source               destination
neutron-linuxbri-ie68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-oe68040f5-c  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tape68040f5-c3 --physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT     all  --  anywhere             anywhere
```

Now look at the two chains it jumps to.

Inbound: neutron-linuxbri-ie68040f5-c

```
Chain neutron-linuxbri-ie68040f5-c (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  172.16.15.23         anywhere             udp spt:bootps dpt:bootpc
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
RETURN     icmp --  anywhere             anywhere             match-set NIPv43e07d4ff-0fdd-4fe0-988f- src
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-sg-fallback (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */
```

Outbound: neutron-linuxbri-oe68040f5-c

```
Chain neutron-linuxbri-oe68040f5-c (2 references)
target     prot opt source               destination
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-se68040f5-c  all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-sg-fallback (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */
```
Finally, the OUTPUT chain:

```
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere
```

1.1 It first goes to neutron-filter-top:

```
Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere
```

1.2 and then to neutron-linuxbri-local, which takes no action:

```
Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination
```

2.1 Then it goes to neutron-linuxbri-OUTPUT:

```
Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination
```

This only traces what each chain does; more needs to be added. When no rule takes an action, the chain's default policy applies, which is usually ACCEPT.
Supplement:
The iptables rules being examined here are on node 04, and the VM is built on exactly that node. Earlier we paid too much attention to INPUT and OUTPUT, even though what we are studying are the rules that apply to the VM, and that is why the concepts did not line up. Now take a different view: node 04 acts as a relay for the VM, so every packet the VM receives is forwarded by node 04. Seen that way, when we look at node 04's iptables rules we need not care about INPUT and OUTPUT, only about FORWARD, because INPUT and OUTPUT govern traffic entering and leaving node 04 itself, while FORWARD is what really applies to the VM.
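To make the FORWARD-side chain walk concrete, here is an added example (not from the original post and not Neutron's own code): a small Python model of the sg-chain, ie, oe, se and sg-fallback chains in the dump above, evaluated against constructed packets. It assumes a constructed membership for the default group's ipset and takes the VM's IP/MAC pair from the se chain; the two physdev jumps from neutron-linuxbri-FORWARD into neutron-linuxbri-sg-chain are collapsed into the sg-chain entry.

```python
from dataclasses import dataclass
# Constructed membership of the "default" group's ipset (NIPv43e07d4ff... in the dump)
DEFAULT_GROUP_IPS = {"172.16.15.10", "172.16.15.23"}
VM_IP, VM_MAC = "172.16.15.31", "fa:16:3e:05:b8:03"   # the se chain's IP/MAC pair
@dataclass
class Pkt:
    proto: str             # "icmp", "tcp" or "udp"
    src: str               # source IP
    dport: int = 0         # destination port (67/68 for DHCP, 22 for ssh)
    mac: str = ""          # source MAC, checked for packets leaving the VM
    state: str = "NEW"     # conntrack state: NEW, ESTABLISHED or INVALID
    to_vm: bool = True     # True: physdev-out tap (to VM); False: physdev-in tap (from VM)
ANY = lambda p: True
CHAINS = {  # FORWARD -> neutron-linuxbri-FORWARD -> sg-chain is collapsed into sg-chain
    "sg-chain": [(lambda p: p.to_vm, "ie"), (lambda p: not p.to_vm, "oe"), (ANY, "ACCEPT")],
    "ie": [  # towards the VM: the security group's ingress rules
        (lambda p: p.state == "ESTABLISHED", "RETURN"),
        (lambda p: p.proto == "udp" and p.src == "172.16.15.23" and p.dport == 68, "RETURN"),
        (lambda p: p.proto == "tcp" and p.dport == 22 and p.src in DEFAULT_GROUP_IPS, "RETURN"),
        (lambda p: p.proto == "icmp" and p.src in DEFAULT_GROUP_IPS, "RETURN"),
        (lambda p: p.state == "INVALID", "DROP"),
        (ANY, "sg-fallback")],
    "oe": [  # from the VM: DHCP client allowed, anti-spoofing check, then everything out
        (lambda p: p.proto == "udp" and p.dport == 67, "RETURN"),
        (ANY, "se"),
        (lambda p: p.proto == "udp" and p.dport == 68, "DROP"),   # VM posing as DHCP server
        (lambda p: p.state == "ESTABLISHED", "RETURN"),
        (ANY, "RETURN")],
    "se": [(lambda p: p.src == VM_IP and p.mac == VM_MAC, "RETURN"), (ANY, "DROP")],
    "sg-fallback": [(ANY, "DROP")],
}

def walk(chain, pkt):
    """Return "ACCEPT"/"DROP", or None when the chain RETURNs to its caller."""
    for match, target in CHAINS[chain]:
        if not match(pkt):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        verdict = walk(target, pkt)   # jump into a sub-chain
        if verdict is not None:
            return verdict            # a terminal verdict ends the walk
    return None                       # falling off the end is an implicit RETURN

def decide(pkt):
    # sg-chain ends in an unconditional ACCEPT, so a RETURN never escapes it
    return walk("sg-chain", pkt) or "ACCEPT"
```

It shows why a ping from an address outside the default group ends in neutron-linuxbri-sg-fallback, while a packet the VM sends with a source IP other than its own is dropped by the IP/MAC chain before the security group rules are even consulted.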