计算节点上iptables安全组分析

robin59112023-10-31 15:21

计算节点上iptables安全组分析

之前介绍过neutron 安全组基于iptables 和 ct 实现,分析一下计算节点上面的neutron 安全组的iptables,加深一下理解iptables以及安全组的实现。(PS: 如下基于openstack stein)

查看某计算节点上面的iptables
#iptables -nvL

分别查看INPUT /FORWARD/OUTPUT 链的规则,查看iptables,发现INPUT/FORWARD都有规则

1、INPUT 链

概况来说,虚机的INPUT规则全都转给了虚机的安全组链

Chain INPUT (policy ACCEPT 4914K packets, 2696M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 251M   48G neutron-openvswi-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

INPUT 链将来源是所有的都转给了 neutron-openvswi-INPUT 子链,

Chain neutron-openvswi-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-openvswi-o323ef4ca-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap323ef4ca-8a --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
    0     0 neutron-openvswi-oa937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tapa937d188-d6 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */

由上面可以看出,neutron-openvswi-INPUT链中将来自是 tap323ef4ca-8a和 tapa937d188-d6的流入转给了neutron-openvswi-o323ef4ca-8和 neutron-openvswi-oa937d188-d 两个安全组子链,再看下这俩安全组子链

Chain neutron-openvswi-o323ef4ca-8 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   656 RETURN     udp  --  *      *       0.0.0.0              255.255.255.255      udp spt:68 dpt:67 /* Allow DHCP client traffic. */
 460K  109M neutron-openvswi-s323ef4ca-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 /* Allow DHCP client traffic. */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
 231K   94M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
 229K   15M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */


Chain neutron-openvswi-oa937d188-d (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   656 RETURN     udp  --  *      *       0.0.0.0              255.255.255.255      udp spt:68 dpt:67 /* Allow DHCP client traffic. */
 428K  108M neutron-openvswi-sa937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 /* Allow DHCP client traffic. */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
 213K   94M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
 215K   14M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */

**2. FORWARD链 **

FORWARD 链先跳到neutron-filter-top子链上,neutron-filter-top链会又跳到neutron-openvswi-local,而neutron-openvswi-local链是空链,因此会返回到母链 FORWARD 上,因此这里第一条规则其实没啥用。

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
1505K  824M neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1505K  824M neutron-openvswi-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  700 75498 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  700 75498 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
  420 44194 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0           
  280 31304 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.0/24      

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 283M   57G neutron-openvswi-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0 

Chain neutron-openvswi-local (1 references)
 pkts bytes target     prot opt in     out     source               destination

返回到 FORWARD 链后继续匹配第 2 条规则,跳转到了neutron-openvswi-FORWARD,我们查看该链的规则:

Chain neutron-openvswi-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 334K  306M neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap323ef4ca-8a --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
 482K  115M neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap323ef4ca-8a --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
 309K  304M neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tapa937d188-d6 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
 449K  114M neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tapa937d188-d6 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap344c3926-f5 --physdev-is-bridged /* Accept all packets when port is trusted. */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap344c3926-f5 --physdev-is-bridged /* Accept all packets when port is trusted. */

该链上一共有 6条规则,前4条都是虚机port对应的tap设备网卡的进出规则。

tapa937d188-d6是虚拟机 port 对应的 tap 设备(名称为 tap+portUUID 前 11 位),前4条 规则表明无论是从这个 tap 设备进的还是出的包都进入子链neutron-openvswi-sg-chain处理。

我们继续查看neutron-openvswi-sg-chain查看链:

Chain neutron-openvswi-sg-chain (4 references)
 pkts bytes target     prot opt in     out     source               destination         
 334K  306M neutron-openvswi-i323ef4ca-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap323ef4ca-8a --physdev-is-bridged /* Jump to the VM specific chain. */
 482K  115M neutron-openvswi-o323ef4ca-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap323ef4ca-8a --physdev-is-bridged /* Jump to the VM specific chain. */
 309K  304M neutron-openvswi-ia937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tapa937d188-d6 --physdev-is-bridged /* Jump to the VM specific chain. */
 449K  114M neutron-openvswi-oa937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tapa937d188-d6 --physdev-is-bridged /* Jump to the VM specific chain. */
1574K  839M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

从规则我们可以看出:

  • --physdev-out表示从 tapa937d188-d6出来发往虚拟机的包,通过子链neutron-openvswi-ia937d188-d处理,即虚拟机入访流量。
  • --physdev-in表示从虚拟机发出进入 tap323ef4ca-8a 的包,通过子链neutron-openvswi-i323ef4ca-8处理,即虚拟机出访流量。

**2.1 安全组入方向规则 **

Chain neutron-openvswi-ia937d188-d (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 309K  304M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            172.16.1.118         udp spt:67 dpt:68 /* priority:1 */
    2   684 RETURN     udp  --  *      *       0.0.0.0/0            255.255.255.255      udp spt:67 dpt:68 /* priority:1 */
    5   436 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */
   78  3160 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* priority:1 */
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp multiport dports 1:65535 /* priority:1 */
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp multiport dports 1:65535 /* priority:1 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */

**2.1 安全组出方向规则 **

Chain neutron-openvswi-oa937d188-d (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   656 RETURN     udp  --  *      *       0.0.0.0              255.255.255.255      udp spt:68 dpt:67 /* Allow DHCP client traffic. */
 449K  114M neutron-openvswi-sa937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 /* Allow DHCP client traffic. */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
 222K   99M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
 226K   15M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */
相关推荐
mqiqe3 天前
云计算Openstack 虚拟机调度策略
云计算·openstack
小安运维日记8 天前
Linux云计算 |【第五阶段】CLOUD-DAY2
linux·运维·云计算·openstack
南宫乘风15 天前
OpenStack将运行的系统导出 QCOW2 镜像并导入阿里云
阿里云·云计算·openstack
学习向前冲17 天前
开源OpenStack
openstack
suum1 个月前
openstack-swift.18421165
openstack
极客先躯1 个月前
开源的云平台有哪些?
kubernetes·开源·openstack·cloudstack·云平台·docker swarm·opennebula
mqiqe1 个月前
云计算Openstack Horizon
云计算·openstack·perl
zkyqss1 个月前
OpenStack Yoga版安装笔记(十六)Openstack网络理解
笔记·openstack
mqiqe1 个月前
云计算Openstack Neutron
云计算·openstack·perl
mqiqe1 个月前
云计算Openstack Keystone
数据库·云计算·openstack
热门推荐
01【HarmonyOS】HUAWEI DevEco Studio 下载地址汇总02(欧拉)openEuler系统添加网卡文件配置流程、(欧拉)openEuler系统手动配置ipv6地址流程、(欧拉)openEuler系统网络管理说明03组基轨迹建模 GBTM的介绍与实现(Stata 或 R)04【AIGC】重塑未来的科技巨轮05全面解析:构建基于深度学习的安全帽检测系统(UI界面+YOLO代码+数据集)06【经验分享】Ubuntu22.04安装微信(linux官方版)07基于YOLOv10深度学习的CT扫描图像肾结石智能检测系统【python源码+Pyqt5界面+数据集+训练代码】深度学习实战、目标检测08Ubuntu 20.04使用Livox mid 360 测试 FAST_LIO09RAG 实践- Ollama+RagFlow 部署本地知识库10红米手机使用google play