openstack环境安全组总是不生效,安全组主要是依靠计算节点的iptables的forward链来生效的,每加一条规则就会根据网卡作为匹配条件,来生成一条iptables的规则。如果没有任何规则,默认是丢弃所有的包。由上面的问题大概猜测到时因为,没有开启包转发功能,所有修改
/etc/sysctl.conf文件
net.ipv4.ip_forward=1 net.ipv4.conf.default.rp_filter=1 net.bridge.bridge-nf-call-ip6tables=1 net.bridge.bridge-nf-call-iptables=1 net.bridge.bridge-nf-call-arptables=1
/etc/init.d/network restart
[root@master02 ~]# neutron --help | grep security
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead. (1) security-group-create Create a security group. (2) security-group-delete Delete a given security group. (3) security-group-list List security groups that belong to a given tenant. (4) security-group-rule-create Create a security group rule. (5) security-group-rule-delete Delete a given security group rule. (6) security-group-rule-list List security group rules that belong to a given tenant. (7) security-group-rule-show Show information of a given security group rule. (8) security-group-show Show information of a given security group. (9) security-group-update Update a given security group.
(1)创建安全组
[root@master02 ~]# neutron security-group-create test -f json
{
"tenant_id": "cdbcd047f8b84755958248c36ded1e73",
"security_group_rules": [
{
"direction": "egress",
"security_group_id": "6a92a0b7-6f15-4b45-a3d7-6dd26fe312f8",
},
{
"security_group_id": "6a92a0b7-6f15-4b45-a3d7-6dd26fe312f8",
}
],
"name": "test"
}
(2)删除安全组
[root@master02 ~]# neutron security-group-delete test
(4)[root@master02 ~]# openstack security group rule create test --proto icmp --remote-ip 0.0.0.0/0
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2018-11-03T15:44:44Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | 75040506-f453-46d3-b65d-f6b8c615af5f |
| name | None |
| port_range_max | None |
| port_range_min | None |
| project_id | cdbcd047f8b84755958248c36ded1e73 |
| protocol | icmp |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 1 |
| security_group_id | 692781ef-45e6-41c2-b29a-6f5d6dbc6dd7 |
| updated_at | 2018-11-03T15:44:44Z |
+-------------------+--------------------------------------+
(4)创建test安全组中的rule安全规则
4.1单独创建10000端口第一个为入口,第二个为出口
[root@master02 ~]# openstack security group rule create test --proto tcp --ingress --dst-port=10000 --remote-ip 0.0.0.0/0
[root@master02 ~]# openstack security group rule create test --proto tcp --egress --dst-port=1200 --remote-ip 0.0.0.0/0
4.2创建安全组范围,第一个为入口 ,第二个为出口
[root@master02 ~]# openstack security group rule create test --proto tcp --dst-port=21:23 --remote-ip 0.0.0.0/0
[root@master02 ~]# openstack security group rule create test --proto tcp --egress --dst-port=100:200 --remote-ip 0.0.0.0/0
4.3创建ICMP协议
[root@master02 ~]# openstack security group rule create test --proto icmp --egress --remote-ip 0.0.0.0/0 出口
[root@master02 ~]# openstack security group rule create test --proto icmp --ingress --remote-ip 0.0.0.0/0 入口
(5) 删除其中一个安全组规则
[root@master02 ~]# neutron security-group-rule-delete f3ac48cb-2660-4333-831d-8f6546d8fe93
(7)展示一个安全组规则
security-group-rule-show
[root@master02 ~]# neutron security-group-rule-show f3ac48cb-2660-4333-831d-8f6546d8fe93
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2018-11-03T14:54:35Z |
| description | |
| direction | egress |
| ethertype | IPv4 |
| id | f3ac48cb-2660-4333-831d-8f6546d8fe93 |
| port_range_max | |
| port_range_min | |
| project_id | cdbcd047f8b84755958248c36ded1e73 |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | |
| revision_number | 1 |
| security_group_id | 692781ef-45e6-41c2-b29a-6f5d6dbc6dd7 |
| tenant_id | cdbcd047f8b84755958248c36ded1e73 |
| updated_at | 2018-11-03T14:54:35Z |
+-------------------+--------------------------------------+
[root@master02 ~]#
(8)[root@master02 ~]# neutron security-group-show test
[root@master02 ~]# neutron security-group-show test -f json
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
{
"security_group_rules": [
{
"security_group_id": "692781ef-45e6-41c2-b29a-6f5d6dbc6dd7",
"id": "bd4a66a4-89bc-47d9-b9aa-6ab8b513a94a"
},
{
"security_group_id": "692781ef-45e6-41c2-b29a-6f5d6dbc6dd7",
"id": "f3ac48cb-2660-4333-831d-8f6546d8fe93"
}
],
"revision_number": 1,
"project_id": "cdbcd047f8b84755958248c36ded1e73",
"id": "692781ef-45e6-41c2-b29a-6f5d6dbc6dd7",
"name": "test"
}[root@master02 ~]#
[root@master02 ~]# openstack security group rule list test
+--------------------------------------+-------------+-----------+-------------+-----------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+-------------+-----------------------+
| 8dc9fd93-fc0f-4cd0-9716-24ec51c3cd58 | tcp | 0.0.0.0/0 | 10000:10000 | None |
| ac9f927a-94f6-4652-a251-d33753fee4aa | tcp | 0.0.0.0/0 | 11000:11000 | None |
+--------------------------------------+-------------+-----------+-------------+-----------------------+
[root@master02 ~]#
(9)列出一个安全组中所有的rule安全规则
[root@master02 ~]# openstack security group rule list shengxiluo5e416d72-shengxiluo-master-5b9d9f06-ylrodmyji2pb
+--------------------------------------+-------------+-------------+-------------+-----------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+-------------+-------------+-----------------------+
| 008bd386-a91c-4d28-b98c-fa69959b3ea8 | tcp | 0.0.0.0/0 | 8030:8030 | None |
| 040e87ee-fa6a-4941-95bc-e8c446b317c2 | tcp | ::/0 | 6667:6667 | None |
| 044f1523-ff43-401b-8b87-7def78ee1c0d | None | None | | None |
| 0491ea10-d372-48fe-aa04-f2170dbb515e | tcp | ::/0 | 10020:10020 | None |
| 18cdee29-6bfb-42eb-bea9-5a9587033cc5 | tcp | 0.0.0.0/0 | 8050:8050 | None |
| 193c7a7b-68f0-4f4d-95bf-5172c0e4418b | tcp | ::/0 | 2181:2181 | None |
| 208c71cd-7f67-4f55-8f00-eb7768ca67e3 | tcp | 0.0.0.0/0 | 8088:8088 | None |
| 22850d64-894f-4f9a-820d-95c73d1a4103 | icmp | 0.0.0.0/0 | | None |
| 238fea4d-d418-41bc-8583-96a7867c64af | tcp | 0.0.0.0/0 | 10200:10200 | None |
| 241e163d-da87-40f3-82da-8301af22433e | tcp | ::/0 | 10000:10000 | None |
| 28402174-571c-45b6-86ce-70f0cb56fa95 | tcp | 0.0.0.0/0 | 8020:8020 | None |
| 2d9a7215-4754-44ba-b4c6-71d1870ec7e5 | tcp | ::/0 | 8088:8088 | None |
| 361704c8-7b2f-4b0c-85f1-0cff25684b46 | tcp | ::/0 | 11443:11443 | None |
| 39a52b58-3cc4-4135-9d96-6c700edd1c6c | icmp | 10.1.3.0/24 | :code=255 | None |
| 3c7761d2-86d0-40a5-9001-c54019562f91 | tcp | 0.0.0.0/0 | 50090:50090 | None |
| 3d42abe3-5453-429b-8301-371d53fd9dcd | tcp | 0.0.0.0/0 | 10000:10000 | None |
| 403a6ee3-5b27-4467-9489-52b6811920a7 | tcp | ::/0 | 11000:11000 | None |
| 454eb4bd-a813-4cac-98f2-357d6a34b855 | tcp | ::/0 | 8080:8080 | None |
| 485c8aa6-1a52-42ec-8f50-48a1be22d490 | tcp | 0.0.0.0/0 | 50070:50070 | None |
| 4b919600-57ac-4517-a2a3-9ff8dca5ebff | tcp | ::/0 | 50090:50090 | None |
| 59fe6ace-e2c5-4091-8501-7f365620a222 | tcp | ::/0 | 19888:19888 | None |
| 6181266e-0d68-4895-8211-306ba58b4b9f | tcp | ::/0 | 22:22 | None |
| 67e20ea4-9372-42f3-a4f7-289260f44452 | tcp | 0.0.0.0/0 | 8188:8188 | None |
| 69352d31-ce70-45b9-9764-b3326304c883 | tcp | 0.0.0.0/0 | 9000:9000 | None |
| 69eda47e-9bba-4bae-9ad7-76d13ea6ec61 | tcp | 0.0.0.0/0 | 19888:19888 | None |
| 6d956ffb-3f52-4530-9cf9-63ab04bd843a | tcp | 10.1.3.0/24 | 1:65535 | None |
| 7093c81b-4a7f-444c-855d-04b4e0f6ffd3 | None | None | | None |
| 77db7d10-3c35-4586-93e2-cc4614e4c0c2 | tcp | 0.0.0.0/0 | 8025:8025 | None |
| 77dcb6b0-5e84-4653-934d-7f05d3da8ff3 | tcp | ::/0 | 8141:8141 | None |
| 7b33c831-0baf-4a29-ba91-7eae2b35ef96 | tcp | 0.0.0.0/0 | 18080:18080 | None |
| 7b4a3806-73ea-47b5-a8d2-2a55ef91f252 | tcp | ::/0 | 8190:8190 | None |
| 7edd82e8-2d18-4852-810d-1a111afa4140 | tcp | 0.0.0.0/0 | 8141:8141 | None |
| 7fee4ce2-1e88-4421-81e7-a95996325f66 | tcp | ::/0 | 18080:18080 | None |
| 81e8b669-cc75-4823-8808-8bedfdece0ad | tcp | 0.0.0.0/0 | 9933:9933 | None |
| 8339e3b8-6a3d-471a-a53a-8eaacd5c678d | tcp | ::/0 | 8050:8050 | None |
| 86e77f59-3efb-47df-b158-537b7039e793 | tcp | ::/0 | 9999:9999 | None |
| 8fea2bfb-e7be-45fa-96bf-9e9f478ac5bf | tcp | 0.0.0.0/0 | 8080:8080 | None |
| 9447b88e-43a7-4148-b110-3c803db00f85 | tcp | 0.0.0.0/0 | 22:22 | None |
| 9876ae57-ec7d-475e-a1ed-19a8c36c5e62 | tcp | ::/0 | 8025:8025 | None |
| 9b9a54d2-668e-4ddc-bc93-d5a971c84771 | tcp | 0.0.0.0/0 | 6667:6667 | None |
| 9c8e487c-c473-4037-8376-5661095e0df9 | icmp | 0.0.0.0/0 | | None |
| 9da936ae-3bd7-472b-a30a-0cf3e57ff879 | tcp | 0.0.0.0/0 | 11443:11443 | None |
| 9dc4abe3-a4ac-45d4-ad63-49794d88da4f | tcp | 0.0.0.0/0 | 9999:9999 | None |
| ac625fd8-7dc9-4341-a3f1-83e251a82a18 | tcp | ::/0 | 8020:8020 | None |
| ac66c59d-a0ee-45e9-b6ee-1dfa7dc72490 | tcp | 0.0.0.0/0 | 8190:8190 | None |
| b7dec4e7-c588-4f76-af18-f251436310c8 | tcp | 0.0.0.0/0 | 2181:2181 | None |
| b92e07dd-8f88-4054-8010-a9ce4836b129 | tcp | ::/0 | 50070:50070 | None |
| c1841269-89ac-41c0-b628-7777e150a14c | tcp | ::/0 | 8188:8188 | None |
| c27d4c91-1763-4414-80ef-1c455d6447f8 | tcp | ::/0 | 8030:8030 | None |
| d41c1869-fc91-4d45-9412-a4e7d7efec3c | tcp | 0.0.0.0/0 | 10020:10020 | None |
| e694ecb4-3098-4767-8a27-8786a9e33b2e | tcp | ::/0 | 9000:9000 | None |
| ee93c272-cb8a-4a04-80aa-db6472f15b87 | udp | 10.1.3.0/24 | 1:65535 | None |
| f2321371-9d06-4d55-af56-ab6079fba21c | tcp | 0.0.0.0/0 | 50470:50470 | None |
| f815b27f-bd68-49c8-99dc-db8e8733f44b | tcp | ::/0 | 9933:9933 | None |
| fdc6ae3b-bda1-4544-be60-34584ac486d9 | tcp | ::/0 | 50470:50470 | None |
| fe5d84cf-0713-420b-b546-699cfb5fc98b | tcp | 0.0.0.0/0 | 11000:11000 | None |
| ffa7f262-56ae-4e48-8162-c6e07a86cfdb | tcp | ::/0 | 10200:10200 | None |