计算节点上iptables安全组分析

计算节点上iptables安全组分析

之前介绍过neutron 安全组基于iptables 和 ct 实现，分析一下计算节点上面的neutron 安全组的iptables，加深一下理解iptables以及安全组的实现。（PS: 如下基于openstack stein)

查看某计算节点上面的iptables
#iptables -nvL

分别查看INPUT /FORWARD/OUTPUT 链的规则，查看iptables，发现INPUT/FORWARD都有规则

1、INPUT 链

概况来说，虚机的INPUT规则全都转给了虚机的安全组链

Chain INPUT (policy ACCEPT 4914K packets, 2696M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 251M   48G neutron-openvswi-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0 

INPUT 链将来源是所有的都转给了 neutron-openvswi-INPUT 子链，

Chain neutron-openvswi-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-openvswi-o323ef4ca-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap323ef4ca-8a --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
    0     0 neutron-openvswi-oa937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tapa937d188-d6 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */

由上面可以看出，neutron-openvswi-INPUT链中将来自是 tap323ef4ca-8a和 tapa937d188-d6的流入转给了neutron-openvswi-o323ef4ca-8和 neutron-openvswi-oa937d188-d 两个安全组子链，再看下这俩安全组子链

Chain neutron-openvswi-o323ef4ca-8 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   656 RETURN     udp  --  *      *       0.0.0.0              255.255.255.255      udp spt:68 dpt:67 /* Allow DHCP client traffic. */
 460K  109M neutron-openvswi-s323ef4ca-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 /* Allow DHCP client traffic. */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
 231K   94M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
 229K   15M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */


Chain neutron-openvswi-oa937d188-d (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   656 RETURN     udp  --  *      *       0.0.0.0              255.255.255.255      udp spt:68 dpt:67 /* Allow DHCP client traffic. */
 428K  108M neutron-openvswi-sa937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 /* Allow DHCP client traffic. */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
 213K   94M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
 215K   14M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */

**2. FORWARD链 **

FORWARD 链先跳到neutron-filter-top子链上，neutron-filter-top链会又跳到neutron-openvswi-local，而neutron-openvswi-local链是空链，因此会返回到母链 FORWARD 上，因此这里第一条规则其实没啥用。

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
1505K  824M neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1505K  824M neutron-openvswi-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  700 75498 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  700 75498 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
  420 44194 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0           
  280 31304 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.0/24      

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 283M   57G neutron-openvswi-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0 

Chain neutron-openvswi-local (1 references)
 pkts bytes target     prot opt in     out     source               destination

返回到 FORWARD 链后继续匹配第 2 条规则，跳转到了neutron-openvswi-FORWARD，我们查看该链的规则:

Chain neutron-openvswi-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 334K  306M neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap323ef4ca-8a --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
 482K  115M neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap323ef4ca-8a --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
 309K  304M neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tapa937d188-d6 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
 449K  114M neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tapa937d188-d6 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap344c3926-f5 --physdev-is-bridged /* Accept all packets when port is trusted. */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap344c3926-f5 --physdev-is-bridged /* Accept all packets when port is trusted. */

该链上一共有 6条规则，前4条都是虚机port对应的tap设备网卡的进出规则。

tapa937d188-d6是虚拟机 port 对应的 tap 设备（名称为 tap+portUUID 前 11 位)，前4条 规则表明无论是从这个 tap 设备进的还是出的包都进入子链neutron-openvswi-sg-chain处理。

我们继续查看neutron-openvswi-sg-chain查看链:

Chain neutron-openvswi-sg-chain (4 references)
 pkts bytes target     prot opt in     out     source               destination         
 334K  306M neutron-openvswi-i323ef4ca-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap323ef4ca-8a --physdev-is-bridged /* Jump to the VM specific chain. */
 482K  115M neutron-openvswi-o323ef4ca-8  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap323ef4ca-8a --physdev-is-bridged /* Jump to the VM specific chain. */
 309K  304M neutron-openvswi-ia937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tapa937d188-d6 --physdev-is-bridged /* Jump to the VM specific chain. */
 449K  114M neutron-openvswi-oa937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tapa937d188-d6 --physdev-is-bridged /* Jump to the VM specific chain. */
1574K  839M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

从规则我们可以看出：

• --physdev-out表示从 tapa937d188-d6出来发往虚拟机的包，通过子链neutron-openvswi-ia937d188-d处理，即虚拟机入访流量。
• --physdev-in表示从虚拟机发出进入 tap323ef4ca-8a 的包，通过子链neutron-openvswi-i323ef4ca-8处理，即虚拟机出访流量。

**2.1 安全组入方向规则 **

Chain neutron-openvswi-ia937d188-d (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 309K  304M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            172.16.1.118         udp spt:67 dpt:68 /* priority:1 */
    2   684 RETURN     udp  --  *      *       0.0.0.0/0            255.255.255.255      udp spt:67 dpt:68 /* priority:1 */
    5   436 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */
   78  3160 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* priority:1 */
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp multiport dports 1:65535 /* priority:1 */
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp multiport dports 1:65535 /* priority:1 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */

**2.1 安全组出方向规则 **

Chain neutron-openvswi-oa937d188-d (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   656 RETURN     udp  --  *      *       0.0.0.0              255.255.255.255      udp spt:68 dpt:67 /* Allow DHCP client traffic. */
 449K  114M neutron-openvswi-sa937d188-d  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 /* Allow DHCP client traffic. */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
 222K   99M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
 226K   15M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* priority:1 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */