
INPUT

Editor: 小牛编辑
2023-12-01


# iptables --line-numbers -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     360K   56M neutron-openvswi-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2    10583 2146K ACCEPT     tcp  --  *      *       192.168.122.100      0.0.0.0/0           multiport dports 5666 /* 001 nagios-nrpe incoming 192.168.122.100 */
3      846 50966 ACCEPT     tcp  --  *      *       192.168.122.100      0.0.0.0/0           multiport dports 5900:5999 /* 001 nova compute incoming 192.168.122.100 */
4    1033K  894M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5      760 63840 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
6        1    60 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
7      977 58620 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
8     3899 1194K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

As the listing shows, the security-group related processing is handed off by rule 1, which jumps to neutron-openvswi-INPUT. That chain contains only one rule.

# iptables --line-numbers -vnL neutron-openvswi-INPUT
Chain neutron-openvswi-INPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 neutron-openvswi-o583c7038-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in tap583c7038-d3 --physdev-is-bridged

Traffic arriving through the bridged tap device tap583c7038-d3 jumps to the per-port chain neutron-openvswi-o583c7038-d.

# iptables --line-numbers -vnL neutron-openvswi-o583c7038-d
Chain neutron-openvswi-o583c7038-d (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1     3894 1199K RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
2     4282 1536K neutron-openvswi-s583c7038-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
5     3971 1510K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6      311 25752 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0

A DHCP request sent by the VM (udp spt:68 dpt:67) is returned immediately; everything else is passed to neutron-openvswi-s583c7038-d. Note also rule 3: any DHCP server reply (udp spt:67 dpt:68) that the VM itself tries to send is dropped, so a guest cannot act as a DHCP server on the network.

# iptables --line-numbers -vnL neutron-openvswi-s583c7038-d
Chain neutron-openvswi-s583c7038-d (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     4284 1537K RETURN     all  --  *      *       192.168.0.2          0.0.0.0/0           MAC FA:16:3E:9C:DC:3A
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

This chain checks whether packets leaving the VM carry the IP address and MAC address that OpenStack allocated to the port; anything that does not match is dropped. This blocks address-spoofing attacks launched from inside the VM.
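To audit these chains without reading the dump by hand, the following added example (not part of this page or of Neutron itself) parses `iptables --line-numbers -vnL` output, follows the jump from the per-port neutron-openvswi-o* chain to its neutron-openvswi-s* chain, lists the (IP, MAC) pairs that are allowed to RETURN, and checks that the chain ends in a catch-all DROP and that the port chain drops DHCP server replies. The sample text is a constructed excerpt of the listings shown above; the function names are the example's own.

```python
import re

# Constructed sample: the two chains from this page that the anti-spoofing check needs.
SAMPLE = """\
Chain neutron-openvswi-o583c7038-d (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1     3894 1199K RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
2     4282 1536K neutron-openvswi-s583c7038-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68

Chain neutron-openvswi-s583c7038-d (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     4284 1537K RETURN     all  --  *      *       192.168.0.2          0.0.0.0/0           MAC FA:16:3E:9C:DC:3A
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Columns of `iptables --line-numbers -vnL`: num pkts bytes target prot opt in out source destination [extra]
RULE_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chains(text):
    """Return {chain_name: [(target, proto, source, destination, extra), ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current is not None and RULE_RE.match(line):
            chains[current].append(RULE_RE.match(line).groups())
    return chains

def spoof_chain_for(chains, port_chain):
    """Follow the jump from a neutron-openvswi-o* chain to its neutron-openvswi-s* chain."""
    return next((t for t, *_ in chains[port_chain] if t.startswith("neutron-openvswi-s")), None)

def audit_spoof_chain(chains, name):
    """(allowed (ip, mac) pairs that RETURN, whether the chain ends in a catch-all DROP)."""
    rules = chains[name]
    allowed = []
    for target, _proto, src, _dst, extra in rules:
        mac = re.search(r"MAC\s+([0-9A-Fa-f:]{17})", extra)
        if target == "RETURN" and mac:
            allowed.append((src, mac.group(1).upper()))
    ends_in_drop = bool(rules) and rules[-1][0] == "DROP" and rules[-1][2] == "0.0.0.0/0"
    return allowed, ends_in_drop

def dhcp_server_blocked(chains, port_chain):
    """True if the port chain DROPs DHCP server replies (udp spt:67 dpt:68) sent by the VM."""
    return any(t == "DROP" and "spt:67 dpt:68" in x for t, _p, _s, _d, x in chains[port_chain])
```

On a live host, feed it the output of `iptables --line-numbers -vnL` for every neutron-openvswi-o* chain; a port whose s-chain does not end in DROP, or whose allowed pairs differ from the port's Neutron fixed IP and MAC, deserves a closer look.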