INPUT
优质
小牛编辑
137浏览
2023-12-01
INPUT
#iptables --line-numbers -vnL INPUTChain INPUT (policy ACCEPT 0 packets, 0 bytes)num pkts bytes target prot opt in out source destination1 360K 56M neutron-openvswi-INPUT all -- * * 0.0.0.0/0 0.0.0.0/02 10583 2146K ACCEPT tcp -- * * 192.168.122.100 0.0.0.0/0 multiport dports 5666 /* 001 nagios-nrpe incoming 192.168.122.100 */3 846 50966 ACCEPT tcp -- * * 192.168.122.100 0.0.0.0/0 multiport dports 5900:5999 /* 001 nova compute incoming 192.168.122.100 */4 1033K 894M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED5 760 63840 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/06 1 60 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/07 977 58620 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:228 3899 1194K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
可以看到,跟安全组相关的规则被重定向到neutron-openvswi-INPUT。查看其规则,只有一条。
#iptables --line-numbers -vnL neutron-openvswi-INPUTChain neutron-openvswi-INPUT (1 references)num pkts bytes target prot opt in out source destination1 0 0 neutron-openvswi-o583c7038-d all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap583c7038-d3 --physdev-is-bridged
重定向到neutron-openvswi-o583c7038-d。
#iptables --line-numbers -vnL neutron-openvswi-o583c7038-dChain neutron-openvswi-o583c7038-d (2 references)num pkts bytes target prot opt in out source destination1 3894 1199K RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:672 4282 1536K neutron-openvswi-s583c7038-d all -- * * 0.0.0.0/0 0.0.0.0/03 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:684 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID5 3971 1510K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED6 311 25752 RETURN all -- * * 0.0.0.0/0 0.0.0.0/07 0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0
如果是vm发出的dhcp请求,直接通过,否则转到neutron-openvswi-s583c7038-d。
#iptables --line-numbers -vnL neutron-openvswi-s583c7038-dChain neutron-openvswi-s583c7038-d (1 references)num pkts bytes target prot opt in out source destination1 4284 1537K RETURN all -- * * 192.168.0.2 0.0.0.0/0 MAC FA:16:3E:9C:DC:3A2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
这条chain主要检查从vm发出来的网包,是否是openstack所分配的IP和MAC,如果不匹配,则禁止通过。这将防止利用vm上进行一些伪装地址的攻击。