Implementation of OpenStack Security Groups


Author: 圣地亚哥_SVIP | Published 2019-10-10 18:46

    First, create a security group named Exam1, as shown below:

    (figure: neutron_securitygroup)

    The way a VM's network interface is wired on the compute node is as follows:

    (figure: instance_port)

    Create a VM and assign it the security group Exam1, then inspect the VM's libvirt XML, paying attention to the interface section:

    <interface type='bridge'>
      <mac address='fa:16:3e:85:de:e9'/>
      <source bridge='qbrb0720a65-4a'/>
      <target dev='tapb0720a65-4a'/>
      <model type='virtio'/>
      <driver name='qemu'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    

    The VM is attached to the bridge qbrb0720a65-4a through the interface tapb0720a65-4a.
    List the Linux bridges on the compute node:

    [root@compute1 ~]# brctl show
    bridge name bridge id       STP enabled interfaces
    qbrb0720a65-4a      8000.f2c519de1624   no      qvbb0720a65-4a
                                                    tapb0720a65-4a
    virbr0      8000.525400eadc06   yes     virbr0-nic
    

    The bridge qbrb0720a65-4a has two ports, qvbb0720a65-4a and tapb0720a65-4a. tapb0720a65-4a connects to the compute instance; qvbb0720a65-4a connects to the br-int bridge.

    [root@compute1 ~]# ovs-vsctl list-ports br-int
    patch-tun
    qvob0720a65-4a
    

    br-int is an OVS bridge; its port qvob0720a65-4a is the counterpart of qvbb0720a65-4a. The OVS bridge layout on the compute node is as follows:

    Manager "ptcp:6640:127.0.0.1"
        is_connected: true
    Bridge br-tun
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "vxlan-c0a8000a"
            Interface "vxlan-c0a8000a"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="192.168.0.11", out_key=flow, remote_ip="192.168.0.10"}
        Port br-tun
            Interface br-tun
                type: internal
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
    Bridge br-int
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
        Port "qvob0720a65-4a"
            tag: 1
            Interface "qvob0720a65-4a"
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
    

    As shown above, qvob0720a65-4a is the port that connects to the Linux bridge qbrb0720a65-4a, and patch-tun connects to the br-tun bridge. Because this deployment uses VXLAN, br-tun is needed as the VXLAN tunnel endpoint of this compute node.

    Security groups
    Security groups are implemented with iptables and are applied at the Linux bridge port tapb0720a65-4a; this is the reason the Linux bridge exists in OpenStack at all.
    Look at the iptables rules and pick out the ones related to this VM:

    *raw    # raw table
    :PREROUTING ACCEPT [41317:5066793]
    :OUTPUT ACCEPT [34856:6828423]
    :neutron-openvswi-OUTPUT - [0:0]
    :neutron-openvswi-PREROUTING - [0:0]
    -A PREROUTING -j neutron-openvswi-PREROUTING
    -A OUTPUT -j neutron-openvswi-OUTPUT
    -A neutron-openvswi-PREROUTING -m physdev --physdev-in qvbb0720a65-4a -m comment --comment "Set zone for 0a65-4a86-4e75-8ec6-1661402a1b0a" -j CT --zone 4117
    -A neutron-openvswi-PREROUTING -i qvbb0720a65-4a -m comment --comment "Set zone for 0a65-4a86-4e75-8ec6-1661402a1b0a" -j CT --zone 4117
    -A neutron-openvswi-PREROUTING -m physdev --physdev-in tapb0720a65-4a -m comment --comment "Set zone for 0a65-4a86-4e75-8ec6-1661402a1b0a" -j CT --zone 4117
    

    The four iptables tables are traversed in the order raw --> mangle --> nat --> filter. The raw-table rules above mainly set the conntrack zone id for packets entering and leaving this instance.

    Security groups take effect in the FORWARD chain of the filter table:

    packet -> PREROUTING (raw) -> PREROUTING (mangle/raw, not involved in the instance's actual data transfer) -> FORWARD (filter) -> POSTROUTING (mangle/raw) -> out

    The relevant rules in the filter table:

    :INPUT ACCEPT [44285:5662535]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [42549:8101485]
    :neutron-filter-top - [0:0]
    :neutron-openvswi-FORWARD - [0:0]
    :neutron-openvswi-INPUT - [0:0]
    :neutron-openvswi-OUTPUT - [0:0]
    :neutron-openvswi-ib0720a65-4 - [0:0]
    :neutron-openvswi-local - [0:0]
    :neutron-openvswi-ob0720a65-4 - [0:0]
    :neutron-openvswi-sb0720a65-4 - [0:0]
    :neutron-openvswi-sg-chain - [0:0]
    :neutron-openvswi-sg-fallback - [0:0]
    #1. INPUT is handed to neutron-openvswi-INPUT; it is rarely matched
    -A INPUT -j neutron-openvswi-INPUT
    -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A FORWARD -j neutron-filter-top
    #2. FORWARD is handed to the neutron-openvswi-FORWARD chain, which carries all the traffic
    -A FORWARD -j neutron-openvswi-FORWARD
    -A OUTPUT -j neutron-filter-top
    -A OUTPUT -j neutron-openvswi-OUTPUT
    #DHCP traffic
    -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
    -A neutron-filter-top -j neutron-openvswi-local
    -A neutron-openvswi-FORWARD -m physdev --physdev-out tapb0720a65-4a --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-in tapb0720a65-4a --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
    -A neutron-openvswi-INPUT -m physdev --physdev-in tapb0720a65-4a --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-ob0720a65-4
    -A neutron-openvswi-ib0720a65-4 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
    -A neutron-openvswi-ib0720a65-4 -d 10.120.1.10/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
    -A neutron-openvswi-ib0720a65-4 -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
    -A neutron-openvswi-ib0720a65-4 -m set --match-set NIPv4fede6705-f4ed-42a7-9e3a- src -j RETURN
    -A neutron-openvswi-ib0720a65-4 -s 1.1.1.0/24 -p tcp -m tcp --dport 8080 -j RETURN
    -A neutron-openvswi-ib0720a65-4 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
    -A neutron-openvswi-ib0720a65-4 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-ob0720a65-4 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
    -A neutron-openvswi-ob0720a65-4 -j neutron-openvswi-sb0720a65-4
    -A neutron-openvswi-ob0720a65-4 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
    -A neutron-openvswi-ob0720a65-4 -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
    -A neutron-openvswi-ob0720a65-4 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
    -A neutron-openvswi-ob0720a65-4 -j RETURN
    -A neutron-openvswi-ob0720a65-4 -d 2.2.2.0/24 -p tcp -m tcp --dport 8080 -j RETURN
    -A neutron-openvswi-ob0720a65-4 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
    -A neutron-openvswi-ob0720a65-4 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-sb0720a65-4 -s 10.120.1.10/32 -m mac --mac-source FA:16:3E:85:DE:E9 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
    -A neutron-openvswi-sb0720a65-4 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tapb0720a65-4a --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-ib0720a65-4
    -A neutron-openvswi-sg-chain -m physdev --physdev-in tapb0720a65-4a --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-ob0720a65-4
    -A neutron-openvswi-sg-chain -j ACCEPT
    -A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
    

    Putting the packet processing flow together:

    #1. INPUT is handed to neutron-openvswi-INPUT; it is rarely matched
    -A INPUT -j neutron-openvswi-INPUT
    
    #2. FORWARD is handed to the neutron-openvswi-FORWARD chain, which carries all the traffic
    -A FORWARD -j neutron-openvswi-FORWARD
    
    # Traffic in either direction on the specified interface tapb0720a65-4a is explicitly handed to the neutron-openvswi-sg-chain chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-out tapb0720a65-4a --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-in tapb0720a65-4a --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
    
    # In neutron-openvswi-sg-chain, traffic going out through tapb0720a65-4a (towards the VM) is handled by the neutron-openvswi-ib0720a65-4 chain, and traffic coming in from it (from the VM) by the neutron-openvswi-ob0720a65-4 chain
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tapb0720a65-4a --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-ib0720a65-4
    -A neutron-openvswi-sg-chain -m physdev --physdev-in tapb0720a65-4a --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-ob0720a65-4
    
    #neutron-openvswi-ib0720a65-4
    -A neutron-openvswi-ib0720a65-4 -s 1.1.1.0/24 -p tcp -m tcp --dport 8080 -j RETURN  // this chain explicitly opens port 8080 (RETURN to the main chain, which in effect allows the traffic)
    #neutron-openvswi-ob0720a65-4
    -A neutron-openvswi-ob0720a65-4 -d 2.2.2.0/24 -p tcp -m tcp --dport 8080 -j RETURN // port 8080 is allowed
    # matched traffic comes back to this chain and is accepted
    -A neutron-openvswi-sg-chain -j ACCEPT
    
    Traffic that matches nothing is handled by the following rules and explicitly dropped:
    -A neutron-openvswi-ib0720a65-4 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-ob0720a65-4 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP 
    
    Finally, all traffic reaches:
    -A OUTPUT -j neutron-openvswi-OUTPUT // OUTPUT in the filter table defaults to ACCEPT
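To check what these chains actually decide for a given packet, here is an added example (not the post's code) that replays a trimmed copy of the filter rules above through a small chain walker in Python; packet fields use the iptables option names, and the packets it is fed are constructed. Run over the rules as listed, it confirms that new connections to port 8080 from 1.1.1.0/24 are accepted while other inbound traffic falls through to neutron-openvswi-sg-fallback, that a VM sending from an address or MAC other than its own is dropped by the sb chain, and that the bare -j RETURN in the ob chain lets all egress pass before the 2.2.2.0/24 rule is ever reached.

```python
# Added example, not from the post: walk the per-VM iptables chains the way the kernel does.
import ipaddress, shlex
# Trimmed copy of this page's filter-table rules (comments, DHCP and conntrack-state rules dropped).
RULES = """
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapb0720a65-4a --physdev-is-bridged -j neutron-openvswi-ib0720a65-4
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapb0720a65-4a --physdev-is-bridged -j neutron-openvswi-ob0720a65-4
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-ib0720a65-4 -s 1.1.1.0/24 -p tcp -m tcp --dport 8080 -j RETURN
-A neutron-openvswi-ib0720a65-4 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-ob0720a65-4 -j neutron-openvswi-sb0720a65-4
-A neutron-openvswi-ob0720a65-4 -j RETURN
-A neutron-openvswi-ob0720a65-4 -d 2.2.2.0/24 -p tcp -m tcp --dport 8080 -j RETURN
-A neutron-openvswi-sb0720a65-4 -s 10.120.1.10/32 -m mac --mac-source FA:16:3E:85:DE:E9 -j RETURN
-A neutron-openvswi-sb0720a65-4 -j DROP
-A neutron-openvswi-sg-fallback -j DROP
"""
# Constructed packet: a new TCP connection from 1.1.1.5 to the VM's port 8080 (physdev-out = into the VM).
INGRESS_8080 = {"-s": "1.1.1.5", "-d": "10.120.1.10", "-p": "tcp", "--dport": "8080",
                "--state": "NEW", "--physdev-out": "tapb0720a65-4a"}

def parse(text):                       # -> {chain: [{option: value}, ...]}; t[0] == '-A', t[1] == chain
    chains = {}
    for t in map(shlex.split, text.strip().splitlines()):
        chains.setdefault(t[1], []).append({t[i]: t[i + 1] for i in range(2, len(t) - 1)
                                            if t[i].startswith("-") and not t[i + 1].startswith("-")})
    return chains

def matches(rule, pkt):                # every option except -m (module) and -j (target) must hold
    for opt, want in rule.items():
        have = pkt.get(opt, "")
        if opt in ("-s", "-d"):
            ok = ipaddress.ip_address(have) in ipaddress.ip_network(want)
        else:                          # --state lists, ports, physdev names, MAC: case-insensitive
            ok = opt in ("-m", "-j") or str(have).upper() in want.upper().split(",")
        if not ok:
            return False
    return True

def walk(chains, chain, pkt):          # verdict 'ACCEPT'/'DROP', or None when the chain RETURNs
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            target = rule["-j"]
            if target == "RETURN":
                return None
            verdict = target if target in ("ACCEPT", "DROP") else walk(chains, target, pkt)
            if verdict is not None:
                return verdict

def verdict(pkt):                      # FORWARD only jumps to sg-chain for this tap; policy is ACCEPT
    return walk(parse(RULES), "neutron-openvswi-sg-chain", pkt) or "ACCEPT"
```

An outbound packet is described the same way with "--physdev-in": "tapb0720a65-4a" and "--mac-source" set to the VM's MAC, which is what the sb chain checks.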

Source: https://www.haomeiwen.com/subject/rcabpctx.html