I. How security groups relate to iptables
By default, OpenStack security groups are implemented with Linux iptables. The main mechanism is as follows:
- Security groups and iptables: OpenStack security-group rules are realised as iptables rule chains. Each security-group rule is translated into the corresponding iptables rules, which are generated dynamically and applied to the iptables rule set of the compute node.
- Generation of the rule chains: for each virtual machine network interface (the VM's virtual NIC), Neutron generates a dedicated set of iptables chains that hold the security-group rules for that port.
II. Recap of "Launch an instance"
In "OpenStack Yoga installation notes (14): launching an instance", the following commands were run:
1. Create the network:
root@osclient ~(admin/amdin)# openstack network create --share --external --provider-physical-network provider --provider-network-type flat provider
2. Create the subnet:
root@osclient ~(admin/amdin)# openstack subnet create --network provider --allocation-pool start=203.0.113.101,end=203.0.113.250 --dns-nameserver 8.8.4.4 --gateway 203.0.113.1 --subnet-range 203.0.113.0/24 provider
3. Create a new compute instance type (flavor):
root@osclient ~(admin/amdin)# openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano
4. Log in as user "myuser" to project "myproject":
root@osclient:~# cat demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=openstack
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='\u@\h \W(myproject/myuser)\$ '
root@osclient:~# source demo-openrc
root@osclient ~(myproject/myuser)# pwd
/root
root@osclient ~(myproject/myuser)#
5. Generate an SSH key pair (public and private key):
root@osclient ~(myproject/myuser)# ssh-keygen -q -N ""
Note: id_rsa is the private key, id_rsa.pub the public key.
6. As user myuser, upload the public key to project myproject with the OpenStack CLI:
root@osclient ~(myproject/myuser)# openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
7. List all SSH key pairs registered in the current project:
root@osclient ~(myproject/myuser)# openstack keypair list
8. In project myproject, add an ingress rule (ingress is the default direction) to the default security group that allows ICMP traffic:
root@osclient ~(myproject/myuser)# openstack security group rule create --proto icmp default
9. In project myproject, add an ingress rule (ingress is the default direction) to the default security group that allows TCP traffic to port 22 (SSH) from any source:
root@osclient ~(myproject/myuser)# openstack security group rule create --proto tcp --dst-port 22 default
10. List the rules of all security groups in the current project:
root@osclient ~(myproject/myuser)# openstack security group rule list
11. Create a new cloud instance in OpenStack. Specifying the flavor, image, network, security group and SSH key pair configures the instance's resources and access permissions. Make sure all the specified resources (flavor, image, network and key pair) are available in the current project, and verify the instance status to confirm it is running normally. The private key generated earlier (id_rsa) can then be used to log in to the instance over SSH: ssh -i ~/.ssh/id_rsa <username>@<instance_ip>
root@osclient ~(myproject/myuser)# openstack server create --flavor m1.nano --image cirros --nic net-id=48f2b88e-7740-4d94-a631-69e2abadf25b --security-group default --key-name mykey provider-instance
III. Network topology after the VM is created
The abstract network topology from OpenStack's point of view after the VM is created:
The actual network topology, in which OpenStack created qdhcpxxxx, brqxxxx and provider-instance:

In addition, this environment also has a VM running the OpenStack client (IP address 10.0.20.100):
root@osclient:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:ff:20:81 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 10.0.20.100/24 brd 10.0.20.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feff:2081/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:44:6b:2d:6a brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
root@osclient:~# ls
admin-openrc demo-openrc myproject-admin-openrc
root@osclient:~#
IV. Finding the host on which the VM runs
1. A user with an ordinary role cannot see the VM's host
User "myuser" holds the role "myrole" in project "myproject", which is an ordinary (non-admin) role.
root@osclient ~(admin/amdin)# source demo-openrc
root@osclient ~(myproject/myuser)# cat demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=openstack
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='\u@\h \W(myproject/myuser)\$ '
root@osclient ~(myproject/myuser)# openstack server list
+--------------------------------------+-------------------+---------+------------------------+--------+---------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+-------------------+---------+------------------------+--------+---------+
| d2e4bc39-63c8-4c80-b33f-52f4e1891f50 | provider-instance | SHUTOFF | provider=203.0.113.125 | cirros | m1.nano |
+--------------------------------------+-------------------+---------+------------------------+--------+---------+
root@osclient ~(myproject/myuser)# openstack server show d2e4bc39-63c8-4c80-b33f-52f4e1891f50
+-----------------------------+----------------------------------------------------------+
| Field | Value |
+-----------------------------+----------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-STS:power_state | Shutdown |
| OS-EXT-STS:task_state | None |
| OS-EXT-STS:vm_state | stopped |
| OS-SRV-USG:launched_at | 2024-09-28T03:28:51.000000 |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | provider=203.0.113.125 |
| config_drive | |
| created | 2024-09-28T02:49:20Z |
| flavor | m1.nano (0) |
| hostId | 892d1a79d804f6b0fbfb68938ec0df8a0abc8e3d52660529538123e4 |
| id | d2e4bc39-63c8-4c80-b33f-52f4e1891f50 |
| image | cirros (429decdd-9230-49c0-b735-70364c226eb5) |
| key_name | mykey |
| name | provider-instance |
| project_id | f5e75a3f7cc347ad89d20dcfe70dae01 |
| properties | |
| security_groups | name='default' |
| status | SHUTOFF |
| updated | 2025-03-28T22:36:21Z |
| user_id | 9382b59561c04dd1abf0a4cb7a8252ec |
| volumes_attached | |
+-----------------------------+----------------------------------------------------------+
root@osclient ~(myproject/myuser)#
2. A user with the "admin" role can see the VM's host
A Google search for "openstack server show hostId" turns up a similar question and its answer:
Question #246423 “host-ids and extended server attributes” : Questions : OpenStack Compute (nova)
Grant user "admin" the "admin" role in project "myproject":
root@osclient ~(myproject/amdin)# source admin-openrc
root@osclient ~(admin/amdin)# openstack role list
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| 17552c9a365d4944a50fd8ac271791c6 | member |
| 48fa6b74f7b74d8698fe20b21ae8a02b | testrole |
| 83144b48ff1b4c54bb21d1fcb15921b5 | myrole |
| be23525c20c44f05b3ba071455522fcb | reader |
| e434c66b7af647158bcaa77686ca6e93 | admin |
+----------------------------------+----------+
root@osclient ~(admin/amdin)# openstack role add --project myproject --user admin admin
root@osclient ~(admin/amdin)#
A user with the admin role can see the host information. According to the output, this VM runs on host "compute1":
root@osclient ~(myproject/myuser)# source myproject-admin-openrc
root@osclient ~(myproject/admin)# cat myproject-admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=admin
export OS_PASSWORD=openstack
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='\u@\h \W(myproject/admin)\$ '
root@osclient ~(myproject/admin)# openstack server list
+--------------------------------------+-------------------+---------+------------------------+--------+---------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+-------------------+---------+------------------------+--------+---------+
| d2e4bc39-63c8-4c80-b33f-52f4e1891f50 | provider-instance | SHUTOFF | provider=203.0.113.125 | cirros | m1.nano |
+--------------------------------------+-------------------+---------+------------------------+--------+---------+
root@osclient ~(myproject/admin)# openstack server show d2e4bc39-63c8-4c80-b33f-52f4e1891f50
+-------------------------------------+----------------------------------------------------------+
| Field | Value |
+-------------------------------------+----------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | compute1 |
| OS-EXT-SRV-ATTR:hypervisor_hostname | compute1 |
| OS-EXT-SRV-ATTR:instance_name | instance-00000004 |
| OS-EXT-STS:power_state | Shutdown |
| OS-EXT-STS:task_state | None |
| OS-EXT-STS:vm_state | stopped |
| OS-SRV-USG:launched_at | 2024-09-28T03:28:51.000000 |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | provider=203.0.113.125 |
| config_drive | |
| created | 2024-09-28T02:49:20Z |
| flavor | m1.nano (0) |
| hostId | 892d1a79d804f6b0fbfb68938ec0df8a0abc8e3d52660529538123e4 |
| id | d2e4bc39-63c8-4c80-b33f-52f4e1891f50 |
| image | cirros (429decdd-9230-49c0-b735-70364c226eb5) |
| key_name | mykey |
| name | provider-instance |
| project_id | f5e75a3f7cc347ad89d20dcfe70dae01 |
| properties | |
| security_groups | name='default' |
| status | SHUTOFF |
| updated | 2025-03-28T22:36:21Z |
| user_id | 9382b59561c04dd1abf0a4cb7a8252ec |
| volumes_attached | |
+-------------------------------------+----------------------------------------------------------+
root@osclient ~(myproject/admin)#
Field                               | Value
OS-EXT-AZ:availability_zone         | nova
OS-EXT-SRV-ATTR:host                | compute1
OS-EXT-SRV-ATTR:hypervisor_hostname | compute1
Interpretation:
- availability_zone: nova. The instance is deployed in the default availability zone, nova. In OpenStack, nova is the default availability zone name and means the instance runs in a zone with no special configuration.
- host: compute1. The instance currently runs on the compute node named compute1. This is the name of the physical host that carries the VM.
- hypervisor_hostname: compute1. The hostname of the hypervisor (KVM, Xen, etc.) on that compute node is also compute1. It usually matches the host field, meaning the instance runs on that same physical node.
V. Inspecting iptables while the VM is shut off
1. Confirm the VM is shut off
root@osclient ~(myproject/admin)# source demo-openrc
root@osclient ~(myproject/myuser)# cat demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=openstack
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='\u@\h \W(myproject/myuser)\$ '
root@osclient ~(myproject/myuser)# openstack server list
+--------------------------------------+-------------------+---------+------------------------+--------+---------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+-------------------+---------+------------------------+--------+---------+
| d2e4bc39-63c8-4c80-b33f-52f4e1891f50 | provider-instance | SHUTOFF | provider=203.0.113.125 | cirros | m1.nano |
+--------------------------------------+-------------------+---------+------------------------+--------+---------+
root@osclient ~(myproject/myuser)#
2. The virtual network environment at this point
root@compute1:~# virsh net-list
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

root@compute1:~# brctl show
bridge name     bridge id           STP enabled   interfaces
brq48f2b88e-77  8000.ea99122ddd99   no
virbr0          8000.525400db7049   yes
root@compute1:~#
3. Inspect iptables
Look at iptables on compute1, the host running the "provider-instance" VM. Because the VM is shut off, OpenStack Neutron has not added any rules for it at this point.
root@compute1:~# iptables-save
# Generated by iptables-save v1.8.7 on Sun Mar 30 05:56:29 2025
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 30 05:56:29 2025
# Generated by iptables-save v1.8.7 on Sun Mar 30 05:56:29 2025
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Sun Mar 30 05:56:29 2025
# Generated by iptables-save v1.8.7 on Sun Mar 30 05:56:29 2025
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Mar 30 05:56:29 2025
root@compute1:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target       prot opt in     out     source               destination
13804 3614K LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target       prot opt in     out     source               destination
    0     0 LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LIBVIRT_FWI  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LIBVIRT_FWO  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target       prot opt in     out     source               destination
12954 4090K LIBVIRT_OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_FWI (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 REJECT       all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 REJECT       all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_INP (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT       tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT       udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT       tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT       tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT       udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT       tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:68
root@compute1:~#
LIBVIRT_FWI, LIBVIRT_FWO, LIBVIRT_FWX, LIBVIRT_INP and LIBVIRT_OUT are iptables chains that libvirt creates to manage virtual machine networking; see the "Ubuntu 22.04 KVM installation notes" for details. These chains are not managed by OpenStack Neutron.
VI. Inspecting iptables while the VM is running
1. Start the VM
root@osclient ~(myproject/myuser)# openstack server list
+--------------------------------------+-------------------+---------+------------------------+--------+---------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+-------------------+---------+------------------------+--------+---------+
| d2e4bc39-63c8-4c80-b33f-52f4e1891f50 | provider-instance | SHUTOFF | provider=203.0.113.125 | cirros | m1.nano |
+--------------------------------------+-------------------+---------+------------------------+--------+---------+
root@osclient ~(myproject/myuser)# openstack server start provider-instance
root@osclient ~(myproject/myuser)# openstack server list
+--------------------------------------+-------------------+--------+------------------------+--------+---------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+-------------------+--------+------------------------+--------+---------+
| d2e4bc39-63c8-4c80-b33f-52f4e1891f50 | provider-instance | ACTIVE | provider=203.0.113.125 | cirros | m1.nano |
+--------------------------------------+-------------------+--------+------------------------+--------+---------+
root@osclient ~(myproject/myuser)#
2. The virtual network environment at this point
root@compute1:~# virsh net-list
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

root@compute1:~# brctl show
bridge name     bridge id           STP enabled   interfaces
brq48f2b88e-77  8000.ea99122ddd99   no            ens35
                                                  tap2d863922-bc
virbr0          8000.525400db7049   yes
root@compute1:~#
root@compute1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:51:16:68 brd ff:ff:ff:ff:ff:ff
    altname enp2s0
    inet 10.0.20.12/24 brd 10.0.20.255 scope global ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe51:1668/64 scope link
       valid_lft forever preferred_lft forever
3: ens35: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master brq48f2b88e-77 state UP group default qlen 1000
    link/ether 00:0c:29:51:16:72 brd ff:ff:ff:ff:ff:ff
    altname enp2s3
    inet6 fe80::20c:29ff:fe51:1672/64 scope link
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:db:70:49 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: brq48f2b88e-77: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ea:99:12:2d:dd:99 brd ff:ff:ff:ff:ff:ff
6: tap2d863922-bc: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brq48f2b88e-77 state UNKNOWN group default qlen 1000
    link/ether fe:16:3e:60:78:cd brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc16:3eff:fe60:78cd/64 scope link
       valid_lft forever preferred_lft forever
root@compute1:~#
3. Inspect iptables-save
After the VM is started, OpenStack Neutron inserts the security-group rules for this VM into iptables according to the security-group configuration.
root@compute1:~# iptables-save
# Generated by iptables-save v1.8.7 on Sun Mar 30 06:11:29 2025
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 30 06:11:29 2025
# Generated by iptables-save v1.8.7 on Sun Mar 30 06:11:29 2025
*raw
:PREROUTING ACCEPT [1116:236588]
:OUTPUT ACCEPT [853:288723]
:neutron-linuxbri-OUTPUT - [0:0]
:neutron-linuxbri-PREROUTING - [0:0]
-A PREROUTING -j neutron-linuxbri-PREROUTING
-A OUTPUT -j neutron-linuxbri-OUTPUT
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq48f2b88e-77 -m comment --comment "Set zone for d863922-bc" -j CT --zone 4097
-A neutron-linuxbri-PREROUTING -i brq48f2b88e-77 -m comment --comment "Set zone for d863922-bc" -j CT --zone 4097
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in tap2d863922-bc -m comment --comment "Set zone for d863922-bc" -j CT --zone 4097
COMMIT
# Completed on Sun Mar 30 06:11:29 2025
# Generated by iptables-save v1.8.7 on Sun Mar 30 06:11:29 2025
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:neutron-filter-top - [0:0]
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-INPUT - [0:0]
:neutron-linuxbri-OUTPUT - [0:0]
:neutron-linuxbri-i2d863922-b - [0:0]
:neutron-linuxbri-local - [0:0]
:neutron-linuxbri-o2d863922-b - [0:0]
:neutron-linuxbri-s2d863922-b - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-sg-fallback - [0:0]
-A INPUT -j neutron-linuxbri-INPUT
-A INPUT -j LIBVIRT_INP
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-linuxbri-FORWARD
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-linuxbri-OUTPUT
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A neutron-filter-top -j neutron-linuxbri-local
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap2d863922-bc --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap2d863922-bc --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-INPUT -m physdev --physdev-in tap2d863922-bc --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-linuxbri-o2d863922-b
-A neutron-linuxbri-i2d863922-b -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-linuxbri-i2d863922-b -d 203.0.113.125/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-linuxbri-i2d863922-b -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-linuxbri-i2d863922-b -m set --match-set NIPv415dfe688-d6fc-4231-a670- src -j RETURN
-A neutron-linuxbri-i2d863922-b -p icmp -j RETURN
-A neutron-linuxbri-i2d863922-b -p tcp -m tcp --dport 22 -j RETURN
-A neutron-linuxbri-i2d863922-b -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-linuxbri-i2d863922-b -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-o2d863922-b -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-linuxbri-o2d863922-b -j neutron-linuxbri-s2d863922-b
-A neutron-linuxbri-o2d863922-b -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-linuxbri-o2d863922-b -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-linuxbri-o2d863922-b -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-linuxbri-o2d863922-b -j RETURN
-A neutron-linuxbri-o2d863922-b -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-linuxbri-o2d863922-b -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-s2d863922-b -s 203.0.113.125/32 -m mac --mac-source fa:16:3e:60:78:cd -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-linuxbri-s2d863922-b -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tap2d863922-bc --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-i2d863922-b
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tap2d863922-bc --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-o2d863922-b
-A neutron-linuxbri-sg-chain -j ACCEPT
-A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
COMMIT
# Completed on Sun Mar 30 06:11:29 2025
# Generated by iptables-save v1.8.7 on Sun Mar 30 06:11:29 2025
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Mar 30 06:11:29 2025
root@compute1:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                    prot opt in     out     source               destination
77331  147M neutron-linuxbri-INPUT    all  --  *      *       0.0.0.0/0            0.0.0.0/0
92507  151M LIBVIRT_INP               all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                    prot opt in     out     source               destination
 4387  679K neutron-filter-top        all  --  *      *       0.0.0.0/0            0.0.0.0/0
 4387  679K neutron-linuxbri-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LIBVIRT_FWX               all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LIBVIRT_FWI               all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LIBVIRT_FWO               all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                    prot opt in     out     source               destination
73417   18M neutron-filter-top        all  --  *      *       0.0.0.0/0            0.0.0.0/0
73417   18M neutron-linuxbri-OUTPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0
87631   23M LIBVIRT_OUT               all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_FWI (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 REJECT       all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 REJECT       all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_INP (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT       tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT       udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT       tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT       tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT       udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT       tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:68

Chain neutron-filter-top (2 references)
 pkts bytes target                    prot opt in     out     source               destination
77804   19M neutron-linuxbri-local    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-linuxbri-FORWARD (1 references)
 pkts bytes target                    prot opt in     out     source               destination
 4122  641K neutron-linuxbri-sg-chain all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap2d863922-bc --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
  265 37986 neutron-linuxbri-sg-chain all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap2d863922-bc --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */

Chain neutron-linuxbri-INPUT (1 references)
 pkts bytes target                        prot opt in     out     source               destination
    0     0 neutron-linuxbri-o2d863922-b  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap2d863922-bc --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */

Chain neutron-linuxbri-OUTPUT (1 references)
 pkts bytes target       prot opt in     out     source               destination

Chain neutron-linuxbri-i2d863922-b (1 references)
 pkts bytes target                        prot opt in     out     source               destination
  245 22997 RETURN                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
    2   732 RETURN                        udp  --  *      *       0.0.0.0/0            203.0.113.125        udp spt:67 dpt:68
    0     0 RETURN                        udp  --  *      *       0.0.0.0/0            255.255.255.255      udp spt:67 dpt:68
    0     0 RETURN                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set NIPv415dfe688-d6fc-4231-a670- src
    1    60 RETURN                        icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    2   104 RETURN                        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 DROP                          all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
 3872  617K neutron-linuxbri-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-local (1 references)
 pkts bytes target       prot opt in     out     source               destination

Chain neutron-linuxbri-o2d863922-b (2 references)
 pkts bytes target                        prot opt in     out     source               destination
    2   670 RETURN                        udp  --  *      *       0.0.0.0            255.255.255.255      udp spt:68 dpt:67 /* Allow DHCP client traffic. */
  263 37316 neutron-linuxbri-s2d863922-b  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN                        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 /* Allow DHCP client traffic. */
    0     0 DROP                          udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
  246 36272 RETURN                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
   17  1044 RETURN                        all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP                          all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0     0 neutron-linuxbri-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-s2d863922-b (1 references)
 pkts bytes target       prot opt in     out     source               destination
  263 37316 RETURN       all  --  *      *       203.0.113.125        0.0.0.0/0            MAC fa:16:3e:60:78:cd /* Allow traffic from defined IP/MAC pairs. */
    0     0 DROP         all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Drop traffic without an IP/MAC allow rule. */

Chain neutron-linuxbri-sg-chain (2 references)
 pkts bytes target                        prot opt in     out     source               destination
 4122  641K neutron-linuxbri-i2d863922-b  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap2d863922-bc --physdev-is-bridged /* Jump to the VM specific chain. */
  265 37986 neutron-linuxbri-o2d863922-b  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap2d863922-bc --physdev-is-bridged /* Jump to the VM specific chain. */
  515 61879 ACCEPT                        all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-linuxbri-sg-fallback (2 references)
 pkts bytes target       prot opt in     out     source               destination
 3872  617K DROP         all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Default drop rule for unmatched traffic. */
root@compute1:~#
Chains named neutron-XXX are created and managed by OpenStack Neutron.
Chains named neutron-linuxbri-XXX are the custom chains of the Neutron Linux Bridge agent; Neutron creates and maintains them automatically when the linuxbridge mechanism driver is in use.
The traffic of an OpenStack-managed VM is bridged on the compute node, and because the install guide enables net.bridge.bridge-nf-call-iptables, every bridged frame is also passed through the filter table's FORWARD chain.
Security groups are therefore implemented by inserting rules into the FORWARD chain of the filter table on the compute node.
1/ VM inbound and outbound traffic is first sent to the security group chain (neutron-linuxbri-sg-chain)
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-linuxbri-FORWARD
-A neutron-filter-top -j neutron-linuxbri-local
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap2d863922-bc --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap2d863922-bc --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tap2d863922-bc --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-i2d863922-b
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tap2d863922-bc --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-o2d863922-b
-A neutron-linuxbri-sg-chain -j ACCEPT
neutron-filter-top is a top-level chain that is jumped to from FORWARD and OUTPUT. Its only job is to hand traffic to other Neutron-defined chains for further processing.
neutron-linuxbri-local holds rules concerning the local machine's own interfaces, i.e. traffic that originates from or terminates on the compute node itself.
- In this deployment neutron-linuxbri-local exists but contains no rules. When a jumped-to chain exists but is empty, the packet runs off its end and returns to the calling chain, which simply continues with its next rule.
neutron-linuxbri-FORWARD is the Linux Bridge agent's chain for traffic forwarded to and from VMs.
Token by token, the first rule of neutron-linuxbri-FORWARD reads:
1. -A neutron-linuxbri-FORWARD
-A: append the rule to an existing chain.
neutron-linuxbri-FORWARD: the existing chain that handles traffic forwarded through the Linux bridge (the linuxbridge network plugin).
2. -m physdev
-m physdev: the bridge-port match extension. It lets a rule match on the bridge port (a VM tap, a physical NIC, ...) through which a frame entered the bridge or will leave it.
3. --physdev-out tap2d863922-bc
--physdev-out: match frames that leave the bridge through the named port.
tap2d863922-bc: the VM's network interface (its virtual NIC), so the rule applies only to frames delivered through this tap. In this deployment the tap is plugged into a Linux bridge managed by the Neutron Linux Bridge agent. Every VM port gets such a tap, named "tap" plus the first 11 characters of its Neutron port ID; the per-port chains below use the first 10 characters of the same ID (2d863922-b). Note the direction: --physdev-out is traffic going from the bridge to the VM, i.e. VM inbound traffic; --physdev-in is traffic going from the VM into the bridge, i.e. VM outbound traffic.
4. --physdev-is-bridged
--physdev-is-bridged: match only frames that are being bridged (switched between bridge ports) rather than routed by the host. This flag appears with the Linux Bridge agent, and also with Open vSwitch in its iptables_hybrid firewall mode, which for the same reason places a Linux bridge between each VM and the OVS integration bridge.
5. -m comment --comment "Direct traffic from the VM interface to the security group chain."
-m comment: the comment module. It does not influence matching; it only documents the rule's purpose in the ruleset.
--comment "Direct traffic from the VM interface to the security group chain.": states that the rule sends traffic of the VM interface to the security group chain (neutron-linuxbri-sg-chain).
6. -j neutron-linuxbri-sg-chain
-j: jump to the named chain.
neutron-linuxbri-sg-chain: the chain that dispatches security-group processing. All traffic passing the VM interface (tap2d863922-bc), in either direction, is sent there to be checked.
neutron-linuxbri-sg-chain then dispatches by direction: VM inbound traffic is sent to the VM's inbound security-group chain (neutron-linuxbri-i2d863922-b), VM outbound traffic to its outbound security-group chain (neutron-linuxbri-o2d863922-b). The final -j ACCEPT is reached only by packets that came back from those per-port chains via RETURN, that is, packets that passed a security-group rule; packets that fail the checks are dropped inside the per-port chain and never reach it.
2/ VM inbound traffic is sent to the VM's inbound security-group chain (neutron-linuxbri-i2d863922-b)
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tap2d863922-bc --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-i2d863922-b
-A neutron-linuxbri-sg-chain: append the rule to the neutron-linuxbri-sg-chain chain.
-m physdev --physdev-out tap2d863922-bc: match frames that leave the bridge through tap2d863922-bc, i.e. the VM's inbound traffic.
--physdev-is-bridged: match only frames that are being bridged.
--comment "Jump to the VM specific chain.": the rule jumps to the chain that is specific to this VM port.
-j neutron-linuxbri-i2d863922-b: jump to neutron-linuxbri-i2d863922-b, the chain holding the ingress security-group rules of this port (what the VM is allowed to receive).
Effect: a frame heading out of the bridge through tap2d863922-bc towards the VM (VM inbound traffic) is handed to neutron-linuxbri-i2d863922-b for further processing.
3/ VM outbound traffic is sent to the VM's outbound security-group chain (neutron-linuxbri-o2d863922-b)
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tap2d863922-bc --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-o2d863922-b
-A neutron-linuxbri-sg-chain: append the rule to the neutron-linuxbri-sg-chain chain.
-m physdev --physdev-in tap2d863922-bc: match frames that entered the bridge through tap2d863922-bc, i.e. the VM's outbound traffic.
--physdev-is-bridged: match only frames that are being bridged.
--comment "Jump to the VM specific chain.": the rule jumps to the chain that is specific to this VM port.
-j neutron-linuxbri-o2d863922-b: jump to neutron-linuxbri-o2d863922-b, the chain holding the egress security-group rules of this port (what the VM is allowed to send), together with the anti-spoofing checks.
Effect: a frame that the VM emitted into the bridge through tap2d863922-bc (VM outbound traffic; the tap is the bridge side of the VM's NIC) is handed to neutron-linuxbri-o2d863922-b for further processing.
7. Reading the VM inbound security-group chain (neutron-linuxbri-i2d863922-b)
-A neutron-linuxbri-i2d863922-b -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-linuxbri-i2d863922-b -d 203.0.113.125/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-linuxbri-i2d863922-b -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-linuxbri-i2d863922-b -m set --match-set NIPv415dfe688-d6fc-4231-a670- src -j RETURN
-A neutron-linuxbri-i2d863922-b -p icmp -j RETURN
-A neutron-linuxbri-i2d863922-b -p tcp -m tcp --dport 22 -j RETURN
-A neutron-linuxbri-i2d863922-b -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-linuxbri-i2d863922-b -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
neutron-linuxbri-i2d863922-b defines how VM inbound traffic, i.e. frames delivered to the VM through tap2d863922-bc, is handled. One point matters for every rule below: RETURN is not a chain. It is a target that leaves the current chain and resumes in the calling chain, here neutron-linuxbri-sg-chain, whose next rule for this traffic is -j ACCEPT. Inside a per-port chain, RETURN therefore means "this packet passed a security-group rule, accept it"; a packet that matches none of the RETURN rules falls through to the fallback chain and is dropped.
1. Rule 1:
-A neutron-linuxbri-i2d863922-b -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-linuxbri-i2d863922-b: append the rule to neutron-linuxbri-i2d863922-b.
-m state --state RELATED,ESTABLISHED: match packets belonging to a connection that conntrack already knows (ESTABLISHED) or related to one (RELATED, for example an ICMP error for an existing flow).
--comment "Direct packets associated with a known session to the RETURN chain.": documents that packets of a known session are returned.
-j RETURN: return to neutron-linuxbri-sg-chain, which accepts the packet. This rule is what makes security groups stateful: replies to connections the VM opened itself are let in without any ingress rule.
2. Rule 2:
-A neutron-linuxbri-i2d863922-b -d 203.0.113.125/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-d 203.0.113.125/32: match packets whose destination is the port's fixed IP address 203.0.113.125.
-p udp: match UDP.
--sport 67 --dport 68: source port 67, destination port 68, i.e. DHCP server-to-client traffic.
-j RETURN: accept, so the VM can receive DHCP replies addressed to it (lease renewals).
3. Rule 3:
-A neutron-linuxbri-i2d863922-b -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-d 255.255.255.255/32: match packets sent to the limited broadcast address 255.255.255.255.
-p udp: match UDP.
--sport 67 --dport 68: source port 67, destination port 68, again DHCP server-to-client traffic.
-j RETURN: accept, so the VM receives the broadcast DHCP OFFER/ACK it needs before it has an address.
4. Rule 4:
-A neutron-linuxbri-i2d863922-b -m set --match-set NIPv415dfe688-d6fc-4231-a670- src -j RETURN
-m set --match-set NIPv415dfe688-d6fc-4231-a670- src: match packets whose source address is a member of the ipset NIPv415dfe688-d6fc-4231-a670-. Neutron keeps one such set per security group that is referenced as the remote group of a rule; the set holds the addresses of all ports in that group and is updated by the agent as ports come and go. The name is "N" followed by the ethertype (IPv4) and the security group ID, truncated to fit ipset's name length limit. This rule is how the default security group's built-in "allow all traffic from members of the same group" rule is rendered; note 2 below shows the set currently contains only this VM's own address.
-j RETURN: accept.
5. Rule 5:
-A neutron-linuxbri-i2d863922-b -p icmp -j RETURN
-p icmp: match ICMP (ping requests and the like).
-j RETURN: accept all ICMP from any source.
6. Rule 6:
-A neutron-linuxbri-i2d863922-b -p tcp -m tcp --dport 22 -j RETURN
-p tcp: match TCP.
--dport 22: match destination port 22, i.e. SSH.
-j RETURN: accept TCP to port 22 from any source.
7. Rule 7:
-A neutron-linuxbri-i2d863922-b -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-m state --state INVALID: match packets that conntrack cannot associate with any connection even though they look like part of one (a stray TCP ACK or FIN, for instance); malformed or injected segments end up here.
--comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack.": the comment explains exactly that.
-j DROP: drop them.
8. Rule 8:
-A neutron-linuxbri-i2d863922-b -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
-j neutron-linuxbri-sg-fallback: anything not returned or dropped above is sent to neutron-linuxbri-sg-fallback, whose only rule is a DROP. A packet reaches the fallback chain only if no ingress rule permits it, so the security group is default-deny for inbound traffic.
Note 1: rules 5 and 6 are the two rules added to the default security group earlier (openstack security group rule create --proto icmp default and openstack security group rule create --proto tcp --dst-port 22 default).
Note 2: the IP set referenced by rule 4 can be inspected with the ipset command:
root@compute1:~# ipset list
Name: NIPv415dfe688-d6fc-4231-a670-
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xc7f31013
Size in memory: 504
References: 1
Number of entries: 1
Members:
203.0.113.125
"References: 1" is the single iptables rule that uses the set, and its only member is the VM itself, the only port currently in the group.
Note 3: connection-tracking state can be inspected with the conntrack command, which lists and manipulates the kernel's conntrack table:
root@compute1:~# conntrack -L
tcp      6 431986 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=59454 dport=5672 src=10.0.20.11 dst=10.0.20.12 sport=5672 dport=59454 [ASSURED] mark=0 use=1
udp     17 2 src=203.0.113.90 dst=239.255.255.250 sport=49337 dport=1900 [UNREPLIED] src=239.255.255.250 dst=203.0.113.90 sport=1900 dport=49337 mark=0 zone=4097 use=1
tcp      6 112 TIME_WAIT src=10.0.20.12 dst=10.0.20.11 sport=41734 dport=8778 src=10.0.20.11 dst=10.0.20.12 sport=8778 dport=41734 [ASSURED] mark=0 use=1
tcp      6 431986 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=59474 dport=5672 src=10.0.20.11 dst=10.0.20.12 sport=5672 dport=59474 [ASSURED] mark=0 use=1
tcp      6 431986 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=47200 dport=5672 src=10.0.20.11 dst=10.0.20.12 sport=5672 dport=47200 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=10.0.20.1 dst=10.0.20.12 sport=9901 dport=22 src=10.0.20.12 dst=10.0.20.1 sport=22 dport=9901 [ASSURED] mark=0 use=1
tcp      6 431992 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=59486 dport=5672 src=10.0.20.11 dst=10.0.20.12 sport=5672 dport=59486 [ASSURED] mark=0 use=1
tcp      6 431986 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=59470 dport=5672 src=10.0.20.11 dst=10.0.20.12 sport=5672 dport=59470 [ASSURED] mark=0 use=1
tcp      6 431991 ESTABLISHED src=203.0.113.90 dst=203.0.113.125 sport=2101 dport=22 src=203.0.113.125 dst=203.0.113.90 sport=22 dport=2101 [ASSURED] mark=0 zone=4097 use=1
tcp      6 51 TIME_WAIT src=10.0.20.12 dst=10.0.20.11 sport=47018 dport=8778 src=10.0.20.11 dst=10.0.20.12 sport=8778 dport=47018 [ASSURED] mark=0 use=1
tcp      6 431984 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=59440 dport=5672 src=10.0.20.11 dst=10.0.20.12 sport=5672 dport=59440 [ASSURED] mark=0 use=1
tcp      6 431986 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=59504 dport=5672 src=10.0.20.11 dst=10.0.20.12 sport=5672 dport=59504 [ASSURED] mark=0 use=1
tcp      6 431984 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=59432 dport=5672 src=10.0.20.11 dst=10.0.20.12 sport=5672 dport=59432 [ASSURED] mark=0 use=1
udp     17 15 src=203.0.113.90 dst=224.0.0.251 sport=5353 dport=5353 [UNREPLIED] src=224.0.0.251 dst=203.0.113.90 sport=5353 dport=5353 mark=0 zone=4097 use=1
tcp      6 431986 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=59418 dport=5672 src=10.0.20.11 dst=10.0.20.12 sport=5672 dport=59418 [ASSURED] mark=0 use=1
tcp      6 431986 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=48460 dport=5672 src=10.0.20.11 dst=10.0.20.12 sport=5672 dport=48460 [ASSURED] mark=0 use=1
tcp      6 75 TIME_WAIT src=203.0.113.90 dst=203.0.113.125 sport=2078 dport=22 src=203.0.113.125 dst=203.0.113.90 sport=22 dport=2078 [ASSURED] mark=0 zone=4097 use=1
tcp      6 428627 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=55168 dport=3306 src=10.0.20.11 dst=10.0.20.12 sport=3306 dport=55168 [ASSURED] mark=0 use=1
tcp      6 431992 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=59494 dport=5672 src=10.0.20.11 dst=10.0.20.12 sport=5672 dport=59494 [ASSURED] mark=0 use=2
tcp      6 57 CLOSE_WAIT src=10.0.20.12 dst=10.0.20.11 sport=33748 dport=8778 src=10.0.20.11 dst=10.0.20.12 sport=8778 dport=33748 [ASSURED] mark=0 use=1
tcp      6 431987 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=41996 dport=9696 src=10.0.20.11 dst=10.0.20.12 sport=9696 dport=41996 [ASSURED] mark=0 use=1
udp     17 24 src=203.0.113.90 dst=239.255.255.250 sport=62791 dport=1900 [UNREPLIED] src=239.255.255.250 dst=203.0.113.90 sport=1900 dport=62791 mark=0 zone=4097 use=1
tcp      6 431992 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=37286 dport=38013 src=127.0.0.1 dst=127.0.0.1 sport=38013 dport=37286 [ASSURED] mark=0 use=1
tcp      6 431986 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=59512 dport=5672 src=10.0.20.11 dst=10.0.20.12 sport=5672 dport=59512 [ASSURED] mark=0 use=1
conntrack v1.4.6 (conntrack-tools): 24 flow entries have been shown.
root@compute1:~# conntrack -L | grep 203.0.113.125
conntrack v1.4.6 (conntrack-tools): 22 flow entries have been shown.
tcp      6 431960 ESTABLISHED src=203.0.113.90 dst=203.0.113.125 sport=2101 dport=22 src=203.0.113.125 dst=203.0.113.90 sport=22 dport=2101 [ASSURED] mark=0 zone=4097 use=1
tcp      6 44 TIME_WAIT src=203.0.113.90 dst=203.0.113.125 sport=2078 dport=22 src=203.0.113.125 dst=203.0.113.90 sport=22 dport=2078 [ASSURED] mark=0 zone=4097 use=1
root@compute1:~#
The two entries for 203.0.113.125 are SSH sessions from 203.0.113.90 into the VM; they are exactly the flows that rule 1 (RELATED,ESTABLISHED) matches on subsequent packets. They carry zone=4097 because Neutron's iptables firewall driver assigns every port its own conntrack zone (via a CT rule in the raw table), so that flows of different ports, even with overlapping addresses, are tracked separately. The entries without a zone are the compute node's own connections to the controller (AMQP 5672, MySQL 3306, Placement 8778, Neutron API 9696) and are not subject to security groups.
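Grepping a conntrack dump works for one address, but to reason about which tracked flows the RELATED,ESTABLISHED rule will match for a given port it helps to parse the entries properly and keep the zone. The following is an added example written for these notes (it is not part of conntrack-tools or Neutron): a parser for the `conntrack -L` line format shown above, plus two helpers that select a port's flows and show which conntrack zone each host's flows live in. The sample lines are constructed in the shape of the dump above, and the field layout it relies on (protocol name, protocol number, timeout, optional TCP state, original tuple, reply tuple, flags in brackets, key=value attributes) is the one visible in that dump.

```python
"""Parse `conntrack -L` output and pick out the flows that belong to a VM port.
Added example for these notes, not code from conntrack-tools or Neutron."""

# Constructed sample: four entries in the shape of the dump above (two SSH flows of
# the VM in zone 4097, one mDNS/SSDP-style UDP flow, one unzoned host connection).
SAMPLE = """\
tcp      6 431960 ESTABLISHED src=203.0.113.90 dst=203.0.113.125 sport=2101 dport=22 src=203.0.113.125 dst=203.0.113.90 sport=22 dport=2101 [ASSURED] mark=0 zone=4097 use=1
udp     17 2 src=203.0.113.90 dst=239.255.255.250 sport=49337 dport=1900 [UNREPLIED] src=239.255.255.250 dst=203.0.113.90 sport=1900 dport=49337 mark=0 zone=4097 use=1
tcp      6 431986 ESTABLISHED src=10.0.20.12 dst=10.0.20.11 sport=59454 dport=5672 src=10.0.20.11 dst=10.0.20.12 sport=5672 dport=59454 [ASSURED] mark=0 use=1
tcp      6 44 TIME_WAIT src=203.0.113.90 dst=203.0.113.125 sport=2078 dport=22 src=203.0.113.125 dst=203.0.113.90 sport=22 dport=2078 [ASSURED] mark=0 zone=4097 use=1
conntrack v1.4.6 (conntrack-tools): 4 flow entries have been shown.
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_entry(line):
    """Turn one conntrack line into a dict with the original and reply tuples."""
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError(f"not a conntrack entry: {line!r}")
    entry = {"proto": tokens[0], "timeout": int(tokens[2]), "state": None,
             "flags": [], "orig": {}, "reply": {}, "zone": 0}
    rest = tokens[3:]
    # TCP entries carry a state word before the first src=; UDP entries do not.
    if "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)
    side = "orig"
    for tok in rest:
        if tok.startswith("["):                 # [ASSURED], [UNREPLIED], ...
            entry["flags"].append(tok.strip("[]"))
            continue
        key, _, value = tok.partition("=")
        if key == "src" and entry["orig"]:      # the second src= opens the reply tuple
            side = "reply"
        if key in TUPLE_KEYS:
            entry[side][key] = int(value) if key.endswith("port") else value
        elif key == "zone":                     # absent (0) for flows outside any zone
            entry["zone"] = int(value)
    return entry


def parse_dump(text):
    """Parse a whole dump, skipping the 'conntrack v1.x ... have been shown.' trailer."""
    return [parse_entry(l) for l in text.splitlines()
            if l.strip() and not l.startswith("conntrack v")]


def flows_for_port(text, port_ip, zone=None):
    """Flows whose original tuple involves port_ip, optionally restricted to one zone."""
    out = []
    for e in parse_dump(text):
        if port_ip not in (e["orig"].get("src"), e["orig"].get("dst")):
            continue
        if zone is not None and e["zone"] != zone:
            continue
        out.append(e)
    return out


def zones_by_host(text):
    """Map each address seen as a flow endpoint to the set of zones its flows live in."""
    zones = {}
    for e in parse_dump(text):
        for key in ("src", "dst"):
            zones.setdefault(e["orig"][key], set()).add(e["zone"])
    return zones


if __name__ == "__main__":
    for e in flows_for_port(SAMPLE, "203.0.113.125"):
        print(e["proto"], e["state"], e["orig"], "zone", e["zone"], e["flags"])
    print(zones_by_host(SAMPLE))
```

On a real compute node, feed it the output of `conntrack -L` (or `conntrack -L -w 4097` to let conntrack itself filter by zone) instead of SAMPLE; a flow for the VM that shows up without a zone is a sign the raw-table CT rules for the port are missing.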
Inbound security-group chain summary
The rules in neutron-linuxbri-i2d863922-b process the VM's inbound traffic. Depending on the packet's characteristics (protocol, port, conntrack state, source set) they:
- return, and therefore accept, packets of known sessions (established or related connections);
- return, and therefore accept, the specifically permitted traffic: DHCP replies, packets from members of the same security group, ICMP and SSH;
- drop packets that conntrack marks INVALID (for example TCP segments that belong to no tracked connection);
- send everything else to the fallback chain, where it is dropped.
8. Reading the VM outbound security-group chain (neutron-linuxbri-o2d863922-b)
-A neutron-linuxbri-o2d863922-b -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-linuxbri-o2d863922-b -j neutron-linuxbri-s2d863922-b
-A neutron-linuxbri-o2d863922-b -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-linuxbri-o2d863922-b -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-linuxbri-o2d863922-b -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-linuxbri-o2d863922-b -j RETURN
-A neutron-linuxbri-o2d863922-b -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-linuxbri-o2d863922-b -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
Other related security-group chains:
-A neutron-linuxbri-s2d863922-b -s 203.0.113.125/32 -m mac --mac-source fa:16:3e:60:78:cd -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-linuxbri-s2d863922-b -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
neutron-linuxbri-o2d863922-b defines how VM outbound traffic, i.e. frames the VM sends into the bridge through tap2d863922-bc, is handled. As in the inbound chain, RETURN hands the packet back to neutron-linuxbri-sg-chain, where it is accepted.
1. Rule 1:
-A neutron-linuxbri-o2d863922-b -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-s 0.0.0.0/32 -d 255.255.255.255/32: match packets from source 0.0.0.0 (a DHCP client that has no address yet) to the limited broadcast address 255.255.255.255.
-p udp: match UDP.
--sport 68 --dport 67: source port 68, destination port 67, the standard DHCP client-to-server ports.
-j RETURN: accept this DHCP client traffic. The rule sits before the IP/MAC check on purpose: a DHCPDISCOVER/REQUEST from 0.0.0.0 would otherwise be dropped by the anti-spoofing chain, and the VM could never obtain its address.
2. Rule 2:
-A neutron-linuxbri-o2d863922-b -j neutron-linuxbri-s2d863922-b
-j neutron-linuxbri-s2d863922-b: every other packet is sent to neutron-linuxbri-s2d863922-b, the anti-spoofing chain. It returns only packets whose source IP and source MAC match the port's fixed IP 203.0.113.125 and MAC fa:16:3e:60:78:cd (plus any allowed-address-pairs configured on the port) and drops everything else. A VM therefore cannot send with a forged source address or MAC, and this check runs before any user-defined security-group rule.
3. Rule 3:
-A neutron-linuxbri-o2d863922-b -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
The same match as rule 1 without the address restriction: DHCP client traffic sent from the assigned address (lease renewals) after the source has passed the IP/MAC check.
4. Rule 4:
-A neutron-linuxbri-o2d863922-b -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-p udp: match UDP.
--sport 67 --dport 68: source port 67, destination port 68, the standard DHCP server-to-client ports.
-j DROP: drop any packet the VM sends that looks like a DHCP server reply. Without this, a VM on the shared provider network could answer other instances' DHCP requests and hand out its own gateway and DNS (DHCP spoofing).
5. Rule 5:
-A neutron-linuxbri-o2d863922-b -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-m state --state RELATED,ESTABLISHED: match packets of a known session (established or related connection).
-j RETURN: accept them, so the VM can answer connections that were allowed in by the ingress rules.
6. Rule 6:
-A neutron-linuxbri-o2d863922-b -j RETURN
-j RETURN with no match conditions (no -s, -d, -p, ...) matches every packet that reaches it and accepts it. This is the rendering of the default security group's built-in egress rule, which allows all IPv4 egress with no protocol, port or destination restriction. Because it matches everything, rules 7 and 8 below are never reached in this chain; the counters in the iptables -nvL output above confirm it (17 packets on this rule, 0 on the two that follow). If the default egress rules are deleted from the group, this line disappears and unmatched outbound traffic falls through to the INVALID drop and the fallback chain, just as inbound traffic does.
7. Rule 7:
-A neutron-linuxbri-o2d863922-b -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-m state --state INVALID: match packets that conntrack cannot associate with any connection, for example TCP ACK/FIN segments with no tracked flow.
-j DROP: drop them.
8. Rule 8:
-A neutron-linuxbri-o2d863922-b -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
-j neutron-linuxbri-sg-fallback: anything not matched by the rules above goes to neutron-linuxbri-sg-fallback, where it is dropped.
Outbound security-group chain summary
These rules handle the VM's outbound traffic, with particular attention to DHCP and to source-address integrity. They:
- accept DHCP client traffic (source port 68, destination port 67), including the initial requests sent from 0.0.0.0;
- drop packets from any source IP/MAC other than the port's own (anti-spoofing);
- prevent the VM from acting as a DHCP server (drop source port 67, destination port 68);
- return, and therefore accept, packets of known sessions;
- return, and therefore accept, all remaining egress, because the default security group allows all outbound traffic;
- would drop INVALID packets and send unmatched traffic to the fallback chain, but with the default egress rule in place these two rules are never reached.
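To make the jump and RETURN mechanics of sections 1/ to 3/, 7 and 8 concrete, here is an added example written for these notes (it is not Neutron code and not part of the original page): a small Python model of the chains transcribed from the iptables-save output above, with a traversal function that records which rules a packet hits and what the final verdict is. The matcher is a deliberately reduced subset of iptables (exact match on direction, addresses, ports, protocol and conntrack state); the Packet type, the "in"/"out" direction flags standing in for --physdev-out/--physdev-in, the assumption that the VM's own MAC is on every packet unless stated otherwise, and the ipset membership taken from the ipset list output are all constructions of the example.

```python
"""Trace a packet through the Neutron Linux Bridge chains shown above.
Added example, not Neutron code: chain contents are transcribed from the
iptables-save output on this page; the matcher is a small subset of iptables."""
from dataclasses import dataclass

VM_IP = "203.0.113.125"
VM_MAC = "fa:16:3e:60:78:cd"
SG_MEMBERS = {VM_IP}   # members of ipset NIPv415dfe688-d6fc-4231-a670- (see `ipset list`)


@dataclass
class Packet:
    direction: str        # "in": bridge -> VM (--physdev-out tap); "out": VM -> bridge (--physdev-in tap)
    proto: str            # "tcp" | "udp" | "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    state: str = "NEW"    # conntrack state: NEW | ESTABLISHED | RELATED | INVALID
    src_mac: str = VM_MAC  # only the -m mac rule in the s-chain looks at this (assumed default)


def established(p):
    return p.state in ("RELATED", "ESTABLISHED")


def dhcp(p, sport, dport):
    return p.proto == "udp" and p.sport == sport and p.dport == dport


# chain name -> ordered (match predicate, target); target is a chain name or a verdict.
CHAINS = {
    "FORWARD": [(lambda p: True, "neutron-filter-top"),
                (lambda p: True, "neutron-linuxbri-FORWARD")],
    "neutron-filter-top": [(lambda p: True, "neutron-linuxbri-local")],
    "neutron-linuxbri-local": [],                               # exists but is empty
    "neutron-linuxbri-FORWARD": [
        (lambda p: p.direction == "in", "neutron-linuxbri-sg-chain"),    # --physdev-out tap
        (lambda p: p.direction == "out", "neutron-linuxbri-sg-chain")],  # --physdev-in tap
    "neutron-linuxbri-sg-chain": [
        (lambda p: p.direction == "in", "neutron-linuxbri-i2d863922-b"),
        (lambda p: p.direction == "out", "neutron-linuxbri-o2d863922-b"),
        (lambda p: True, "ACCEPT")],                            # reached only after a RETURN
    "neutron-linuxbri-i2d863922-b": [
        (established, "RETURN"),
        (lambda p: p.dst == VM_IP and dhcp(p, 67, 68), "RETURN"),
        (lambda p: p.dst == "255.255.255.255" and dhcp(p, 67, 68), "RETURN"),
        (lambda p: p.src in SG_MEMBERS, "RETURN"),              # -m set ... src (same-group rule)
        (lambda p: p.proto == "icmp", "RETURN"),                # SG rule: --proto icmp
        (lambda p: p.proto == "tcp" and p.dport == 22, "RETURN"),  # SG rule: --proto tcp --dst-port 22
        (lambda p: p.state == "INVALID", "DROP"),
        (lambda p: True, "neutron-linuxbri-sg-fallback")],
    "neutron-linuxbri-o2d863922-b": [
        (lambda p: p.src == "0.0.0.0" and p.dst == "255.255.255.255" and dhcp(p, 68, 67), "RETURN"),
        (lambda p: True, "neutron-linuxbri-s2d863922-b"),       # IP/MAC anti-spoofing check
        (lambda p: dhcp(p, 68, 67), "RETURN"),
        (lambda p: dhcp(p, 67, 68), "DROP"),                    # VM pretending to be a DHCP server
        (established, "RETURN"),
        (lambda p: True, "RETURN"),                             # default group: allow all egress
        (lambda p: p.state == "INVALID", "DROP"),               # shadowed by the rule above
        (lambda p: True, "neutron-linuxbri-sg-fallback")],
    "neutron-linuxbri-s2d863922-b": [
        (lambda p: p.src == VM_IP and p.src_mac == VM_MAC, "RETURN"),
        (lambda p: True, "DROP")],
    "neutron-linuxbri-sg-fallback": [(lambda p: True, "DROP")],
}


def walk(chain, p, trace):
    """Evaluate one chain: 'ACCEPT'/'DROP', or None when the chain returns to its
    caller (explicit RETURN, or running off the end of a user-defined chain)."""
    for n, (match, target) in enumerate(CHAINS[chain], 1):
        if not match(p):
            continue
        trace.append(f"{chain}[{n}] -> {target}")
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        res = walk(target, p, trace)           # jump into a user-defined chain
        if res is not None:
            return res                         # a final verdict ends traversal everywhere
    return None


def verdict(p, forward_policy="ACCEPT"):
    """Final verdict for packet p and the ordered list of rules it hit."""
    trace = []
    v = walk("FORWARD", p, trace)
    return (v if v is not None else forward_policy), trace


if __name__ == "__main__":
    for name, pkt in {
        "inbound SSH (new)": Packet("in", "tcp", "203.0.113.90", VM_IP, 2101, 22),
        "inbound HTTP (new)": Packet("in", "tcp", "203.0.113.90", VM_IP, 40000, 80),
        "outbound, spoofed src": Packet("out", "tcp", "203.0.113.200", "203.0.113.90", 44444, 443),
        "outbound DHCP offer": Packet("out", "udp", VM_IP, "255.255.255.255", 67, 68),
        "outbound INVALID": Packet("out", "tcp", VM_IP, "203.0.113.90", 44444, 443, state="INVALID"),
    }.items():
        v, trace = verdict(pkt)
        print(f"{name:22} {v:6} " + " | ".join(trace))
```

Two things the traces show that the rule listings alone do not: an accepted packet always ends on neutron-linuxbri-sg-chain[3] -> ACCEPT, reached only because a per-port rule RETURNed, while a rejected one ends inside the per-port chain or the fallback chain; and in the outbound chain the unconditional RETURN of the default egress rule accepts even an INVALID-state packet, because the INVALID drop sits after it.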
9. Summary
OpenStack security groups are enforced on the compute node, in the host's own iptables, not inside the VM (instance). The guest cannot see, change or bypass them, and a firewall configured inside the guest is independent of them: a port must be permitted by both to be reachable.