7.两个租户网络添加路由并配置防火墙规则
为两个租户网络添加路由和配置防火墙规则,可以实现不同租户网络的互通,并配置防火墙规则实现。这里选取tenant1和tenant2此两个租户来创建路由并配置防火墙规则
1)配置信息
#tenant1 add to qrouter01,gateway:qr01 10.0.0.1
#tenant2 add to qrouter01,gateway:qr02 10.0.1.1
2)创建tenant1网关qr01设备和qrouter01路由命名空间
ovs-vsctl -- --if-exists del-port qr01 -- add-port br-int qr01 -- set interface qr01 type=internal ovs-vsctl --timeout=10 set Port qr01 tag=1 ip netns add qrouter01 ip netns exec qrouter01 ip link set lo up ip link set qr01 netns qrouter01 ip netns exec qrouter01 ip link set qr01 up ip netns exec qrouter01 ip -4 addr add 10.0.0.1/24 brd 10.0.0.255 scope global dev qr01 ip netns exec qrouter01 sysctl -w net.ipv4.ip_forward=1
3)创建tenant2网关qr02设备
ovs-vsctl -- --if-exists del-port qr02 -- add-port br-int qr02 -- set interface qr02 type=internal ovs-vsctl --timeout=10 set Port qr02 tag=2 ip link set qr02 netns qrouter01 ip netns exec qrouter01 ip link set qr02 up ip netns exec qrouter01 ip -4 addr add 10.0.1.1/24 brd 10.0.1.255 scope global dev qr02
4)通过在qrouter01命名空间中同时分配添加了qr01(10.0.0.1)和qr02(10.0.1.1)两个租户的网关
通过命名空间内部路由表,即可实现两个租户网络间互相通讯。
5)配置租户间防火墙基础规则
ip netns exec qrouter01 iptables -F ip netns exec qrouter01 iptables -X ip netns exec qrouter01 iptables -Z ip netns exec qrouter01 iptables -t filter -P INPUT ACCEPT ip netns exec qrouter01 iptables -t filter -P FORWARD ACCEPT ip netns exec qrouter01 iptables -t filter -P OUTPUT ACCEPT ip netns exec qrouter01 iptables -t filter -N neutron-filter-top ip netns exec qrouter01 iptables -t filter -N neutron-l3-agent-FORWARD ip netns exec qrouter01 iptables -t filter -N neutron-l3-agent-INPUT ip netns exec qrouter01 iptables -t filter -N neutron-l3-agent-OUTPUT ip netns exec qrouter01 iptables -t filter -N neutron-l3-agent-fwaas-defau ip netns exec qrouter01 iptables -t filter -N neutron-l3-agent-iv01 ip netns exec qrouter01 iptables -t filter -N neutron-l3-agent-local ip netns exec qrouter01 iptables -t filter -N neutron-l3-agent-ov01 ip netns exec qrouter01 iptables -t filter -A INPUT -j neutron-l3-agent-INPUT ip netns exec qrouter01 iptables -t filter -A FORWARD -j neutron-filter-top ip netns exec qrouter01 iptables -t filter -A FORWARD -j neutron-l3-agent-FORWARD ip netns exec qrouter01 iptables -t filter -A OUTPUT -j neutron-filter-top ip netns exec qrouter01 iptables -t filter -A OUTPUT -j neutron-l3-agent-OUTPUT ip netns exec qrouter01 iptables -t filter -A neutron-filter-top -j neutron-l3-agent-local ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-FORWARD -o qr+ -j neutron-l3-agent-iv01 ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-FORWARD -i qr+ -j neutron-l3-agent-ov01 ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-FORWARD -o qr+ -j neutron-l3-agent-fwaas-defau ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-FORWARD -i qr+ -j neutron-l3-agent-fwaas-defau ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-fwaas-defau -j DROP ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-iv01 -m state --state INVALID -j DROP ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-iv01 -m state --state RELATED,ESTABLISHED -j ACCEPT ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-ov01 -m state --state INVALID -j DROP ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-ov01 -m state --state RELATED,ESTABLISHED -j ACCEPT
6)放开ping和ssh服务
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-iv01 -p icmp -j ACCEPT ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-ov01 -p icmp -j ACCEPT ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-iv01 -p tcp -m tcp --dport ssh -j ACCEPT ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-ov01 -p tcp -m tcp --dport ssh -j ACCEPT
参考资料:
SammyLiu的《Neutron 理解》系列 http://www.cnblogs.com/sammyliu/p/4622563.html
深入理解Neutron -- OpenStack 网络实现 https://www.gitbook.com/book/yeasy/openstack_understand_neutron/details
作者简介:赵俊峰,现为华胜信泰信息产业发展有限公司 云计算部Openstack开发工程师。主要从事Power和x86混合环境下Openstack相关计算、网络、存储相关服务软件开发和系统架构设计工作。