当前位置：首页 > news >正文

网站建设流程图解泉州市网站建设

news 2025/9/13 6:13:48

网站建设流程图解,泉州市网站建设,活动营销推广方案,请人做软件开发的网站计算节点上iptables安全组分析之前介绍过neutron 安全组基于iptables 和 ct 实现，分析一下计算节点上面的neutron 安全组的iptables，加深一下理解iptables以及安全组的实现。（PS: 如下基于openstack stein) 查看某计算节点上面的iptables …

计算节点上iptables安全组分析

之前介绍过neutron 安全组基于iptables 和 ct 实现，分析一下计算节点上面的neutron 安全组的iptables，加深一下理解iptables以及安全组的实现。（PS: 如下基于openstack stein)

查看某计算节点上面的iptables
#iptables -nvL

分别查看INPUT /FORWARD/OUTPUT 链的规则，查看iptables，发现INPUT/FORWARD都有规则

1、INPUT 链

概况来说，虚机的INPUT规则全都转给了虚机的安全组链

Chain INPUT (policy ACCEPT 4914K packets, 2696M bytes)pkts bytes target     prot opt in     out     source               destination         251M   48G neutron-openvswi-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

INPUT 链将来源是所有的都转给了 neutron-openvswi-INPUT 子链，

Chain neutron-openvswi-INPUT (1 references)pkts bytes target     prot opt in     out     source               destination         0     0 neutron-openvswi-o323ef4ca-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap323ef4ca-8a --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */0     0 neutron-openvswi-oa937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tapa937d188-d6 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */

由上面可以看出，neutron-openvswi-INPUT链中将来自是 tap323ef4ca-8a和 tapa937d188-d6的流入转给了neutron-openvswi-o323ef4ca-8和 neutron-openvswi-oa937d188-d 两个安全组子链，再看下这俩安全组子链

Chain neutron-openvswi-o323ef4ca-8 (2 references)pkts bytes target     prot opt in     out     source               destination         2   656 RETURN     udp  --  *      *       0.0.0.0              255.255.255.255      udp spt:68 dpt:67 /* Allow DHCP client traffic. */460K  109M neutron-openvswi-s323ef4ca-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0           0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 /* Allow DHCP client traffic. */0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */231K   94M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */229K   15M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */

Chain neutron-openvswi-oa937d188-d (2 references)pkts bytes target     prot opt in     out     source               destination         2   656 RETURN     udp  --  *      *       0.0.0.0              255.255.255.255      udp spt:68 dpt:67 /* Allow DHCP client traffic. */428K  108M neutron-openvswi-sa937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0           0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 /* Allow DHCP client traffic. */0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */213K   94M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */215K   14M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */

**2. FORWARD链 **

FORWARD 链先跳到neutron-filter-top子链上，neutron-filter-top链会又跳到neutron-openvswi-local，而neutron-openvswi-local链是空链，因此会返回到母链 FORWARD 上，因此这里第一条规则其实没啥用。

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         
1505K  824M neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1505K  824M neutron-openvswi-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           700 75498 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           700 75498 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           420 44194 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0           280 31304 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.0/24

Chain neutron-filter-top (2 references)pkts bytes target     prot opt in     out     source               destination         283M   57G neutron-openvswi-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-openvswi-local (1 references)pkts bytes target     prot opt in     out     source               destination

返回到 FORWARD 链后继续匹配第 2 条规则，跳转到了neutron-openvswi-FORWARD，我们查看该链的规则:

Chain neutron-openvswi-FORWARD (1 references)pkts bytes target     prot opt in     out     source               destination         334K  306M neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap323ef4ca-8a --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */482K  115M neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap323ef4ca-8a --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */309K  304M neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tapa937d188-d6 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */449K  114M neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tapa937d188-d6 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap344c3926-f5 --physdev-is-bridged /* Accept all packets when port is trusted. */0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap344c3926-f5 --physdev-is-bridged /* Accept all packets when port is trusted. */

该链上一共有 6条规则，前4条都是虚机port对应的tap设备网卡的进出规则。

tapa937d188-d6是虚拟机 port 对应的 tap 设备（名称为 tap+portUUID 前 11 位)，前4条规则表明无论是从这个 tap 设备进的还是出的包都进入子链neutron-openvswi-sg-chain处理。

我们继续查看neutron-openvswi-sg-chain查看链:

Chain neutron-openvswi-sg-chain (4 references)pkts bytes target     prot opt in     out     source               destination         334K  306M neutron-openvswi-i323ef4ca-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap323ef4ca-8a --physdev-is-bridged /* Jump to the VM specific chain. */482K  115M neutron-openvswi-o323ef4ca-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap323ef4ca-8a --physdev-is-bridged /* Jump to the VM specific chain. */309K  304M neutron-openvswi-ia937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tapa937d188-d6 --physdev-is-bridged /* Jump to the VM specific chain. */449K  114M neutron-openvswi-oa937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tapa937d188-d6 --physdev-is-bridged /* Jump to the VM specific chain. */
1574K  839M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

从规则我们可以看出：

--physdev-out表示从 tapa937d188-d6出来发往虚拟机的包，通过子链neutron-openvswi-ia937d188-d处理，即虚拟机入访流量。
--physdev-in表示从虚拟机发出进入 tap323ef4ca-8a 的包，通过子链neutron-openvswi-i323ef4ca-8处理，即虚拟机出访流量。

**2.1 安全组入方向规则 **

Chain neutron-openvswi-ia937d188-d (1 references)pkts bytes target     prot opt in     out     source               destination         309K  304M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */0     0 RETURN     udp  --  *      *       0.0.0.0/0            172.16.1.118         udp spt:67 dpt:68 /* priority:1 */2   684 RETURN     udp  --  *      *       0.0.0.0/0            255.255.255.255      udp spt:67 dpt:68 /* priority:1 */5   436 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */78  3160 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* priority:1 */0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp multiport dports 1:65535 /* priority:1 */0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp multiport dports 1:65535 /* priority:1 */0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */

**2.1 安全组出方向规则 **

Chain neutron-openvswi-oa937d188-d (2 references)pkts bytes target     prot opt in     out     source               destination         2   656 RETURN     udp  --  *      *       0.0.0.0              255.255.255.255      udp spt:68 dpt:67 /* Allow DHCP client traffic. */449K  114M neutron-openvswi-sa937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0           0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 /* Allow DHCP client traffic. */0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */222K   99M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */226K   15M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */

查看全文

http://www.15wanjia.com/news/190970.html