FORWARD

小牛编辑
2023-12-01

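The FORWARD chain is where the security group feature is mainly implemented. When a user configures the default security rules (for example, allowing ssh to the VM or allowing ping to the VM), it is this chain that is affected.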

#iptables --line-numbers -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    16203 5342K neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2    16203 5342K neutron-openvswi-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Likewise, traffic first jumps to neutron-filter-top, which has no rules, and then jumps to neutron-openvswi-FORWARD.

#iptables --line-numbers -vnL neutron-openvswi-FORWARD
Chain neutron-openvswi-FORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     8170 2630K neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out tap583c7038-d3 --physdev-is-bridged
2     8156 2729K neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in tap583c7038-d3 --physdev-is-bridged

neutron-openvswi-FORWARD matches all traffic entering or leaving the tap-XXX port.

#iptables --line-numbers -vnL neutron-openvswi-sg-chain
Chain neutron-openvswi-sg-chain (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1     8170 2630K neutron-openvswi-i583c7038-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out tap583c7038-d3 --physdev-is-bridged
2     8156 2729K neutron-openvswi-o583c7038-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in tap583c7038-d3 --physdev-is-bridged
3    12442 4163K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

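Traffic that the bridge sends out of the tap-XXX port toward the VM jumps to neutron-openvswi-i9LETTERID; traffic that enters the bridge from the tap-XXX port (that is, traffic sent by the VM) jumps to neutron-openvswi-o9LETTERID.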

#iptables --line-numbers -vnL neutron-openvswi-i583c7038-d
Chain neutron-openvswi-i583c7038-d (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
2      400 43350 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3        1    60 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
4        1    84 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
5     3885 1391K RETURN     udp  --  *      *       192.168.0.3          0.0.0.0/0           udp spt:67 dpt:68
6     3885 1197K neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0

neutron-openvswi-i9LETTERID lets through the policies configured in the security group (allow ssh, ping, and so on) as well as DHCP replies. The default neutron-openvswi-sg-fallback drops all traffic.
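
As an added example (not part of the original page and not Neutron's own code), the following Python parses the ingress chain listing shown above and reports which services are admitted from any source and whether the chain still ends in the sg-fallback default deny. The function names are hypothetical; the sample listing is the page's output for neutron-openvswi-i583c7038-d.

```python
# Added example: audit a Neutron per-port ingress chain listing.
# SAMPLE is the page's neutron-openvswi-i583c7038-d output; function names are hypothetical.
SAMPLE = """\
Chain neutron-openvswi-i583c7038-d (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
2      400 43350 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3        1    60 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
4        1    84 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
5     3885 1391K RETURN     udp  --  *      *       192.168.0.3          0.0.0.0/0           udp spt:67 dpt:68
6     3885 1197K neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

ANY = "0.0.0.0/0"
FALLBACK = "neutron-openvswi-sg-fallback"


def parse_chain(text):
    """Parse `iptables --line-numbers -vnL <chain>` output into rule dicts."""
    rules = []
    for line in text.splitlines():
        f = line.strip().split(None, 10)
        if len(f) < 10 or not f[0].isdigit():
            continue  # skip the "Chain ..." and column header lines
        rules.append({"num": int(f[0]), "target": f[3], "prot": f[4],
                      "src": f[8], "dst": f[9],
                      "match": f[10] if len(f) > 10 else ""})
    return rules


def audit_ingress(rules):
    """Summarise what the chain admits and whether it still ends in default deny."""
    if not rules:
        raise ValueError("no rules parsed from listing")
    first, last = rules[0], rules[-1]
    return {
        "drops_invalid": first["target"] == "DROP" and "state INVALID" in first["match"],
        # The final catch-all jump to sg-fallback is what drops unmatched traffic.
        "default_deny": (last["target"] == FALLBACK and last["prot"] == "all"
                         and last["src"] == ANY and not last["match"]),
        # RETURN hands the packet back to sg-chain, where it is ACCEPTed.
        "open_to_any": [(r["prot"], r["match"]) for r in rules
                        if r["target"] == "RETURN" and r["src"] == ANY
                        and "ESTABLISHED" not in r["match"]],
    }


if __name__ == "__main__":
    print(audit_ingress(parse_chain(SAMPLE)))
```

The DHCP reply rule does not appear under `open_to_any` because it is restricted to source 192.168.0.3.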

#iptables --line-numbers -vnL neutron-openvswi-o583c7038-d
Chain neutron-openvswi-o583c7038-d (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1     3886 1197K RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
2     4274 1533K neutron-openvswi-s583c7038-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
5     3963 1507K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6      311 25752 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0

neutron-openvswi-o9LETTERID jumps to neutron-openvswi-s583c7038-d, and lets through DHCP requests and traffic that matches the VM's source IP and source MAC.