OpenStack security groups

Problem: security groups in an OpenStack environment never take effect. Security groups are enforced mainly through the iptables FORWARD chain on the compute node: every rule added to a group is rendered as an iptables rule that matches on the instance's NIC (the tap device), so filtering happens per port, not per host. If a group contains no rules, the default is to drop every packet. From the symptom above, the most likely cause is that packet forwarding is not enabled on the compute node, so edit /etc/sysctl.conf:

net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-arptables=1

/etc/init.d/network restart

Two checks are worth doing around this. The net.bridge.* keys only exist while the br_netfilter code is present in the kernel; on kernels that build it as a module, run modprobe br_netfilter first (and make the module load persistent), otherwise sysctl -p fails on those keys and bridged traffic stays unfiltered. Then apply the settings and confirm them explicitly rather than relying on the network restart:

sysctl -p
sysctl net.ipv4.ip_forward net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables

bridge-nf-call-iptables=1 is the setting that actually matters for security groups with the iptables-based firewall drivers: without it, frames crossing the Linux bridge the port is attached to (the qbr bridge of the OVS hybrid driver, or the brq bridge of the Linux bridge agent) never enter the FORWARD chain, so the per-port chains Neutron creates (neutron-openvswi-* or neutron-linuxbri-*, depending on the agent) exist but match nothing, which is exactly the "rules configured but nothing is filtered" symptom. net.ipv4.conf.default.rp_filter=1 (strict reverse-path filtering) is unrelated to this problem and can itself drop asymmetrically routed traffic, so keep it in mind if some flows still disappear after the change.

The neutron CLI still exposes the security group commands, although it is deprecated in favour of the openstack CLI:

[root@master02 ~]# neutron --help | grep security
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
(1) security-group-create         Create a security group.
(2) security-group-delete         Delete a given security group.
(3) security-group-list           List security groups that belong to a given tenant.
(4) security-group-rule-create    Create a security group rule.
(5) security-group-rule-delete    Delete a given security group rule.
(6) security-group-rule-list      List security group rules that belong to a given tenant.
(7) security-group-rule-show      Show information of a given security group rule.
(8) security-group-show           Show information of a given security group.
(9) security-group-update         Update a given security group.

The numbers in parentheses are used as step numbers below.
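Before touching the CLI it helps to be able to prove, on the compute node, both halves of the explanation above: that the kernel will hand bridged traffic to iptables at all, and that Neutron has actually rendered the group's rules as per-port chains. The script below is an added example written for this page, not code from the original post or from Neutron. It needs only sh and awk. The sysctl dumps and the iptables-save excerpt at the bottom are constructed; the excerpt follows the shape the iptables_hybrid driver produces (comment matches stripped) for a made-up port tapcbc7d8c2-06 with a single tcp/22 ingress rule.

```shell
#!/bin/sh
# Added example (not from the original post): two checks for a compute node
# whose security groups "never take effect". Both functions read stdin so they
# can be fed from the live host (sysctl -a, iptables-save) or from saved dumps.

# The forwarding/bridge sysctls from the post; every one must be 1 for bridged
# instance traffic to traverse the FORWARD chain where Neutron's chains live.
# (rp_filter is deliberately not required: it is unrelated to security groups.)
REQUIRED_SYSCTLS="net.ipv4.ip_forward net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.bridge.bridge-nf-call-arptables"

# check_sysctls: reads "key = value" lines (the format of `sysctl -a` and of
# sysctl.conf) on stdin, prints OK/BAD/MISSING per required key and returns 1
# if any key is missing or not 1. MISSING net.bridge.* keys normally mean the
# br_netfilter module is not loaded.
check_sysctls() {
    awk -v required="$REQUIRED_SYSCTLS" '
    BEGIN { n = split(required, keys, " ") }
    /=/ {
        gsub(/[ \t]/, "")                  # "key = value" -> "key=value"
        eq = index($0, "=")
        seen[substr($0, 1, eq - 1)] = substr($0, eq + 1)
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            k = keys[i]
            if (!(k in seen))        { print k ": MISSING"; bad = 1 }
            else if (seen[k] != "1") { print k ": BAD (" seen[k] ")"; bad = 1 }
            else                       print k ": OK"
        }
        exit bad
    }'
}

# rules_for_port: reads `iptables-save` output on stdin and prints only the
# lines that concern one instance port. $1 is the tap device name, e.g.
# tapcbc7d8c2-06 ("tap" + first 11 chars of the Neutron port id). The iptables
# drivers name the per-port chains after the first 10 chars of the port id:
# ...-i<id> carries rules for traffic into the VM, ...-o<id> for traffic out of
# it, and both are reached through a physdev match on the tap device.
rules_for_port() {
    awk -v tap="$1" '
    BEGIN { id = substr(tap, 4, 10) }
    index($0, tap) || index($0, "-i" id) || index($0, "-o" id) { print }
    '
}

# ---- constructed samples ---------------------------------------------------
SYSCTL_BROKEN='net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 0'

SYSCTL_FIXED='net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1'

# Shape of the chains the iptables_hybrid driver installs for a port that has
# one "allow tcp/22 from anywhere" ingress rule (unrelated chains omitted).
IPTABLES_DUMP='-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapcbc7d8c2-06 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapcbc7d8c2-06 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapcbc7d8c2-06 --physdev-is-bridged -j neutron-openvswi-icbc7d8c2-0
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapcbc7d8c2-06 --physdev-is-bridged -j neutron-openvswi-ocbc7d8c2-0
-A neutron-openvswi-icbc7d8c2-0 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-icbc7d8c2-0 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-icbc7d8c2-0 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-ocbc7d8c2-0 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sg-fallback -j DROP
-A neutron-openvswi-sg-chain -j ACCEPT'

echo "== sysctl check, broken node =="
printf '%s\n' "$SYSCTL_BROKEN" | check_sysctls || echo "-> bridged traffic bypasses iptables; fix sysctl.conf, modprobe br_netfilter, sysctl -p"
echo "== sysctl check, fixed node =="
printf '%s\n' "$SYSCTL_FIXED" | check_sysctls && echo "-> kernel side is fine"
echo "== rules Neutron programmed for tapcbc7d8c2-06 =="
printf '%s\n' "$IPTABLES_DUMP" | rules_for_port tapcbc7d8c2-06
```

On a real compute node feed the functions live data: `sysctl -a | check_sysctls` and `iptables-save | rules_for_port tapXXXXXXXX-XX`, where the tap name is derived from the port id shown by `openstack port list`. If the sysctls are all OK but rules_for_port prints nothing for a port that should be filtered, the kernel is not the problem and the agent never programmed that port, which points at the neutron agent rather than the sysctl settings.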
(1) Create a security group

[root@master02 ~]# neutron security-group-create test -f json
{
    "tenant_id": "cdbcd047f8b84755958248c36ded1e73",
    "security_group_rules": [
        {
            "direction": "egress",
            "security_group_id": "6a92a0b7-6f15-4b45-a3d7-6dd26fe312f8"
        },
        {
            "security_group_id": "6a92a0b7-6f15-4b45-a3d7-6dd26fe312f8"
        }
    ],
    "name": "test"
}

(Output abbreviated. A freshly created group contains only its two default egress rules, one per ethertype, and no ingress rules, so nothing reaches the instance until rules are added.)

(2) Delete a security group

[root@master02 ~]# neutron security-group-delete test

Note that a recreated group gets a new id: the group created above has id 6a92a0b7-6f15-4b45-a3d7-6dd26fe312f8, while the rules in the following steps belong to a recreated test group with id 692781ef-45e6-41c2-b29a-6f5d6dbc6dd7.

(4) Create rules in the test security group

Creating an ICMP rule shows the fields Neutron stores for a rule. Ingress is the default direction, and --remote-ip 0.0.0.0/0 means any IPv4 source:

[root@master02 ~]# openstack security group rule create test --proto icmp --remote-ip 0.0.0.0/0
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2018-11-03T15:44:44Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | 75040506-f453-46d3-b65d-f6b8c615af5f |
| name              | None                                 |
| port_range_max    | None                                 |
| port_range_min    | None                                 |
| project_id        | cdbcd047f8b84755958248c36ded1e73     |
| protocol          | icmp                                 |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 1                                    |
| security_group_id | 692781ef-45e6-41c2-b29a-6f5d6dbc6dd7 |
| updated_at        | 2018-11-03T15:44:44Z                 |
+-------------------+--------------------------------------+

4.1 A single port; the first command is ingress, the second egress:

[root@master02 ~]# openstack security group rule create test --proto tcp --ingress --dst-port=10000 --remote-ip 0.0.0.0/0
[root@master02 ~]# openstack security group rule create test --proto tcp --egress --dst-port=1200 --remote-ip 0.0.0.0/0

4.2 A port range; the first command is ingress (the default), the second egress:

[root@master02 ~]# openstack security group rule create test --proto tcp --dst-port=21:23 --remote-ip 0.0.0.0/0
[root@master02 ~]# openstack security group rule create test --proto tcp --egress --dst-port=100:200 --remote-ip 0.0.0.0/0

4.3 ICMP, egress first, then ingress:

[root@master02 ~]# openstack security group rule create test --proto icmp --egress --remote-ip 0.0.0.0/0
[root@master02 ~]# openstack security group rule create test --proto icmp --ingress --remote-ip 0.0.0.0/0

For an egress rule, --dst-port is the port on the remote side and --remote-ip is the destination prefix. Security group rules are allow-only: there is no deny rule, anything not matched by a rule is dropped, and a rule with --remote-ip 0.0.0.0/0 covers IPv4 only (the IPv6 counterpart is --ethertype IPv6 --remote-ip ::/0).

(5) Delete one of the rules

[root@master02 ~]# neutron security-group-rule-delete f3ac48cb-2660-4333-831d-8f6546d8fe93
(7) Show one security group rule

[root@master02 ~]# neutron security-group-rule-show f3ac48cb-2660-4333-831d-8f6546d8fe93
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2018-11-03T14:54:35Z                 |
| description       |                                      |
| direction         | egress                               |
| ethertype         | IPv4                                 |
| id                | f3ac48cb-2660-4333-831d-8f6546d8fe93 |
| port_range_max    |                                      |
| port_range_min    |                                      |
| project_id        | cdbcd047f8b84755958248c36ded1e73     |
| protocol          |                                      |
| remote_group_id   |                                      |
| remote_ip_prefix  |                                      |
| revision_number   | 1                                    |
| security_group_id | 692781ef-45e6-41c2-b29a-6f5d6dbc6dd7 |
| tenant_id         | cdbcd047f8b84755958248c36ded1e73     |
| updated_at        | 2018-11-03T14:54:35Z                 |
+-------------------+--------------------------------------+

This rule has no protocol, no port range and no remote prefix with direction egress, i.e. it is the group's default allow-all IPv4 egress rule. Deleting it, as in step (5), removes that blanket permission, and only explicitly created egress rules remain.

(8) Show a security group

[root@master02 ~]# neutron security-group-show test
[root@master02 ~]# neutron security-group-show test -f json
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
{
    "security_group_rules": [
        {
            "security_group_id": "692781ef-45e6-41c2-b29a-6f5d6dbc6dd7",
            "id": "bd4a66a4-89bc-47d9-b9aa-6ab8b513a94a"
        },
        {
            "security_group_id": "692781ef-45e6-41c2-b29a-6f5d6dbc6dd7",
            "id": "f3ac48cb-2660-4333-831d-8f6546d8fe93"
        }
    ],
    "revision_number": 1,
    "project_id": "cdbcd047f8b84755958248c36ded1e73",
    "id": "692781ef-45e6-41c2-b29a-6f5d6dbc6dd7",
    "name": "test"
}

(Rule fields other than id and security_group_id are omitted in the output above.) The same group's rules, listed with the openstack CLI:

[root@master02 ~]# openstack security group rule list test
+--------------------------------------+-------------+-----------+-------------+-----------------------+
| ID                                   | IP Protocol | IP Range  | Port Range  | Remote Security Group |
+--------------------------------------+-------------+-----------+-------------+-----------------------+
| 8dc9fd93-fc0f-4cd0-9716-24ec51c3cd58 | tcp         | 0.0.0.0/0 | 10000:10000 | None                  |
| ac9f927a-94f6-4652-a251-d33753fee4aa | tcp         | 0.0.0.0/0 | 11000:11000 | None                  |
+--------------------------------------+-------------+-----------+-------------+-----------------------+

(9) List all rules in a security group

[root@master02 ~]# openstack security group rule list shengxiluo5e416d72-shengxiluo-master-5b9d9f06-ylrodmyji2pb
+--------------------------------------+-------------+-------------+-------------+-----------------------+
| ID                                   | IP Protocol | IP Range    | Port Range  | Remote Security Group |
+--------------------------------------+-------------+-------------+-------------+-----------------------+
| 008bd386-a91c-4d28-b98c-fa69959b3ea8 | tcp         | 0.0.0.0/0   | 8030:8030   | None                  |
| 040e87ee-fa6a-4941-95bc-e8c446b317c2 | tcp         | ::/0        | 6667:6667   | None                  |
| 044f1523-ff43-401b-8b87-7def78ee1c0d | None        | None        |             | None                  |
| 0491ea10-d372-48fe-aa04-f2170dbb515e | tcp         | ::/0        | 10020:10020 | None                  |
| 18cdee29-6bfb-42eb-bea9-5a9587033cc5 | tcp         | 0.0.0.0/0   | 8050:8050   | None                  |
| 193c7a7b-68f0-4f4d-95bf-5172c0e4418b | tcp         | ::/0        | 2181:2181   | None                  |
| 208c71cd-7f67-4f55-8f00-eb7768ca67e3 | tcp         | 0.0.0.0/0   | 8088:8088   | None                  |
| 22850d64-894f-4f9a-820d-95c73d1a4103 | icmp        | 0.0.0.0/0   |             | None                  |
| 238fea4d-d418-41bc-8583-96a7867c64af | tcp         | 0.0.0.0/0   | 10200:10200 | None                  |
| 241e163d-da87-40f3-82da-8301af22433e | tcp         | ::/0        | 10000:10000 | None                  |
| 28402174-571c-45b6-86ce-70f0cb56fa95 | tcp         | 0.0.0.0/0   | 8020:8020   | None                  |
| 2d9a7215-4754-44ba-b4c6-71d1870ec7e5 | tcp         | ::/0        | 8088:8088   | None                  |
| 361704c8-7b2f-4b0c-85f1-0cff25684b46 | tcp         | ::/0        | 11443:11443 | None                  |
| 39a52b58-3cc4-4135-9d96-6c700edd1c6c | icmp        | 10.1.3.0/24 | :code=255   | None                  |
| 3c7761d2-86d0-40a5-9001-c54019562f91 | tcp         | 0.0.0.0/0   | 50090:50090 | None                  |
| 3d42abe3-5453-429b-8301-371d53fd9dcd | tcp         | 0.0.0.0/0   | 10000:10000 | None                  |
| 403a6ee3-5b27-4467-9489-52b6811920a7 | tcp         | ::/0        | 11000:11000 | None                  |
| 454eb4bd-a813-4cac-98f2-357d6a34b855 | tcp         | ::/0        | 8080:8080   | None                  |
| 485c8aa6-1a52-42ec-8f50-48a1be22d490 | tcp         | 0.0.0.0/0   | 50070:50070 | None                  |
| 4b919600-57ac-4517-a2a3-9ff8dca5ebff | tcp         | ::/0        | 50090:50090 | None                  |
| 59fe6ace-e2c5-4091-8501-7f365620a222 | tcp         | ::/0        | 19888:19888 | None                  |
| 6181266e-0d68-4895-8211-306ba58b4b9f | tcp         | ::/0        | 22:22       | None                  |
| 67e20ea4-9372-42f3-a4f7-289260f44452 | tcp         | 0.0.0.0/0   | 8188:8188   | None                  |
| 69352d31-ce70-45b9-9764-b3326304c883 | tcp         | 0.0.0.0/0   | 9000:9000   | None                  |
| 69eda47e-9bba-4bae-9ad7-76d13ea6ec61 | tcp         | 0.0.0.0/0   | 19888:19888 | None                  |
| 6d956ffb-3f52-4530-9cf9-63ab04bd843a | tcp         | 10.1.3.0/24 | 1:65535     | None                  |
| 7093c81b-4a7f-444c-855d-04b4e0f6ffd3 | None        | None        |             | None                  |
| 77db7d10-3c35-4586-93e2-cc4614e4c0c2 | tcp         | 0.0.0.0/0   | 8025:8025   | None                  |
| 77dcb6b0-5e84-4653-934d-7f05d3da8ff3 | tcp         | ::/0        | 8141:8141   | None                  |
| 7b33c831-0baf-4a29-ba91-7eae2b35ef96 | tcp         | 0.0.0.0/0   | 18080:18080 | None                  |
| 7b4a3806-73ea-47b5-a8d2-2a55ef91f252 | tcp         | ::/0        | 8190:8190   | None                  |
| 7edd82e8-2d18-4852-810d-1a111afa4140 | tcp         | 0.0.0.0/0   | 8141:8141   | None                  |
| 7fee4ce2-1e88-4421-81e7-a95996325f66 | tcp         | ::/0        | 18080:18080 | None                  |
| 81e8b669-cc75-4823-8808-8bedfdece0ad | tcp         | 0.0.0.0/0   | 9933:9933   | None                  |
| 8339e3b8-6a3d-471a-a53a-8eaacd5c678d | tcp         | ::/0        | 8050:8050   | None                  |
| 86e77f59-3efb-47df-b158-537b7039e793 | tcp         | ::/0        | 9999:9999   | None                  |
| 8fea2bfb-e7be-45fa-96bf-9e9f478ac5bf | tcp         | 0.0.0.0/0   | 8080:8080   | None                  |
| 9447b88e-43a7-4148-b110-3c803db00f85 | tcp         | 0.0.0.0/0   | 22:22       | None                  |
| 9876ae57-ec7d-475e-a1ed-19a8c36c5e62 | tcp         | ::/0        | 8025:8025   | None                  |
| 9b9a54d2-668e-4ddc-bc93-d5a971c84771 | tcp         | 0.0.0.0/0   | 6667:6667   | None                  |
| 9c8e487c-c473-4037-8376-5661095e0df9 | icmp        | 0.0.0.0/0   |             | None                  |
| 9da936ae-3bd7-472b-a30a-0cf3e57ff879 | tcp         | 0.0.0.0/0   | 11443:11443 | None                  |
| 9dc4abe3-a4ac-45d4-ad63-49794d88da4f | tcp         | 0.0.0.0/0   | 9999:9999   | None                  |
| ac625fd8-7dc9-4341-a3f1-83e251a82a18 | tcp         | ::/0        | 8020:8020   | None                  |
| ac66c59d-a0ee-45e9-b6ee-1dfa7dc72490 | tcp         | 0.0.0.0/0   | 8190:8190   | None                  |
| b7dec4e7-c588-4f76-af18-f251436310c8 | tcp         | 0.0.0.0/0   | 2181:2181   | None                  |
| b92e07dd-8f88-4054-8010-a9ce4836b129 | tcp         | ::/0        | 50070:50070 | None                  |
| c1841269-89ac-41c0-b628-7777e150a14c | tcp         | ::/0        | 8188:8188   | None                  |
| c27d4c91-1763-4414-80ef-1c455d6447f8 | tcp         | ::/0        | 8030:8030   | None                  |
| d41c1869-fc91-4d45-9412-a4e7d7efec3c | tcp         | 0.0.0.0/0   | 10020:10020 | None                  |
| e694ecb4-3098-4767-8a27-8786a9e33b2e | tcp         | ::/0        | 9000:9000   | None                  |
| ee93c272-cb8a-4a04-80aa-db6472f15b87 | udp         | 10.1.3.0/24 | 1:65535     | None                  |
| f2321371-9d06-4d55-af56-ab6079fba21c | tcp         | 0.0.0.0/0   | 50470:50470 | None                  |
| f815b27f-bd68-49c8-99dc-db8e8733f44b | tcp         | ::/0        | 9933:9933   | None                  |
| fdc6ae3b-bda1-4544-be60-34584ac486d9 | tcp         | ::/0        | 50470:50470 | None                  |
| fe5d84cf-0713-420b-b546-699cfb5fc98b | tcp         | 0.0.0.0/0   | 11000:11000 | None                  |
| ffa7f262-56ae-4e48-8162-c6e07a86cfdb | tcp         | ::/0        | 10200:10200 | None                  |
+--------------------------------------+-------------+-------------+-------------+-----------------------+

This listing is worth reading for what it exposes, not only as a command example. Apart from the three rules scoped to 10.1.3.0/24 and the two rows with no protocol and no range (almost certainly the group's two default allow-all egress rules), every rule has a remote of 0.0.0.0/0 or ::/0, i.e. any source, over both IPv4 and IPv6. That set includes 22/tcp and a long list of what look like Hadoop/Ambari service ports (50070, 8088, 8020, 2181, 19888 and so on). A port-level allow rule says nothing about who may connect; if these services are only meant for the cluster itself, restrict --remote-ip to the networks that need access or use --remote-group so that only ports in the cluster's own security group can reach them.
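A listing of this size cannot be audited by eye. The sh/awk script below is an added example written for this page, not part of the original post and not a Neutron tool: it reads the rule list as CSV and prints only the rules that admit any source. It assumes the CSV form of the same listing, openstack security group rule list GROUP --long -f csv, where --long adds the Direction and Ethertype columns; columns are located by header name, so a different column order still works, and when no Direction column is present the direction is reported as "?" and the rule is still listed rather than silently assumed to be egress. The sample rows at the bottom are constructed from ids and ports in the listing above, plus one hypothetical rule that has neither a remote prefix nor a remote group.

```shell
#!/bin/sh
# Added example (not from the original post): flag security group rules that
# admit any source. Input is CSV on stdin, assumed to come from
#   openstack security group rule list <group> --long -f csv
# Columns are found by header name; extra or reordered columns are ignored.
# Without a Direction column (no --long) direction is printed as "?" and the
# rule is still reported.

# world_open_rules: prints "<id> <direction> <proto> <ports> <remote>" for each
# non-egress rule whose remote is 0.0.0.0/0, ::/0, or unset with no remote
# security group (which Neutron also treats as "any source").
world_open_rules() {
    awk -F, '
    function col(name,   i) { for (i = 1; i <= NF; i++) if ($i == name) return i; return 0 }
    function blank(v)       { return v == "" || v == "None" }
    NR == 1 {
        gsub(/"/, "")                      # cliff quotes CSV fields; drop the quotes
        ID = col("ID"); PROTO = col("IP Protocol"); RANGE = col("IP Range")
        PORTS = col("Port Range"); DIR = col("Direction"); RSG = col("Remote Security Group")
        if (!ID || !RANGE) { print "unrecognised header: " $0 > "/dev/stderr"; exit 2 }
        next
    }
    {
        gsub(/"/, "")
        dir = DIR ? $DIR : "?"
        if (dir == "egress") next          # only ingress (or unknown) exposure matters here
        remote = $RANGE
        rsg    = RSG   ? $RSG   : ""
        proto  = PROTO ? $PROTO : ""
        ports  = PORTS ? $PORTS : ""
        if (remote == "0.0.0.0/0" || remote == "::/0" || (blank(remote) && blank(rsg)))
            printf "%s %s %s %s %s\n", $ID, dir,
                   (blank(proto)  ? "any" : proto),
                   (blank(ports)  ? "all" : ports),
                   (blank(remote) ? "any" : remote)
    }'
}

# Constructed sample in the assumed --long CSV layout. Ids and ports are taken
# from the listing in the post; the last row is a hypothetical rule with
# neither a remote prefix nor a remote group.
SAMPLE='"ID","IP Protocol","Ethertype","IP Range","Port Range","Direction","Remote Security Group"
"9447b88e-43a7-4148-b110-3c803db00f85","tcp","IPv4","0.0.0.0/0","22:22","ingress","None"
"6181266e-0d68-4895-8211-306ba58b4b9f","tcp","IPv6","::/0","22:22","ingress","None"
"485c8aa6-1a52-42ec-8f50-48a1be22d490","tcp","IPv4","0.0.0.0/0","50070:50070","ingress","None"
"22850d64-894f-4f9a-820d-95c73d1a4103","icmp","IPv4","0.0.0.0/0","","ingress","None"
"6d956ffb-3f52-4530-9cf9-63ab04bd843a","tcp","IPv4","10.1.3.0/24","1:65535","ingress","None"
"044f1523-ff43-401b-8b87-7def78ee1c0d","None","IPv4","None","","egress","None"
"00000000-0000-4000-8000-000000000001","tcp","IPv4","None","3306:3306","ingress","None"'

echo "== rules open to any source =="
printf '%s\n' "$SAMPLE" | world_open_rules
```

Against a live cloud the pipeline is openstack security group rule list GROUP --long -f csv | world_open_rules; the 10.1.3.0/24 rule and the egress rule in the sample are not reported, the 3306 rule is, because a rule with neither remote prefix nor remote group matches every source even though its IP Range column is empty.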