OpenStack security group rules

http://www.aboutyun.com/thread-8964-1-1.html


Reference: the official documentation says:

You must modify the rules for the default security group because users cannot access instances that use the default group from any IP address outside the cloud.

You can modify the rules in a security group to allow access to instances through different ports and protocols. For example, you can modify rules to allow access to instances through SSH, to ping them, or to allow UDP traffic – for example, for a DNS server running on an instance. You specify the following parameters for rules:

  • Source of traffic. Enable traffic to instances from either IP addresses inside the cloud from other group members or from all IP addresses.
  • Protocol. Choose TCP for SSH, ICMP for pings, or UDP.
  • Destination port on virtual machine. Defines a port range. To open a single port only, enter the same value twice. ICMP does not support ports: enter values to define the codes and types of ICMP traffic to be allowed.

Rules are automatically enforced as soon as you create or modify them.

Note: tested and working. Both modifying the default secgroup and creating a custom secgroup pass the data-access test.




Help

  [root@station140 ~(keystone_admin)]# nova help | grep secgroup
  add-secgroup        Add a Security Group to a server.
  list-secgroup       List Security Group(s) of a server.
  remove-secgroup     Remove a Security Group from a server.
  secgroup-add-group-rule
  secgroup-add-rule   Add a rule to a security group.
  secgroup-create     Create a security group.
  secgroup-delete     Delete a security group.
  secgroup-delete-group-rule
  secgroup-delete-rule
  secgroup-list       List security groups for the current tenant.
  secgroup-list-rules
  secgroup-update     Update a security group.

Create a custom security group

  [root@station140 ~(keystone_admin)]# nova secgroup-create terry "allow ping and ssh"
  +--------------------------------------+-------+--------------------+
  | Id                                   | Name  | Description        |
  +--------------------------------------+-------+--------------------+
  | 6966a8e4-0980-40ad-a409-baac65b60287 | terry | allow ping and ssh |
  +--------------------------------------+-------+--------------------+

List all current security groups

  [root@station140 ~(keystone_admin)]# nova  secgroup-list
  +--------------------------------------+---------+--------------------+
  | Id                                   | Name    | Description        |
  +--------------------------------------+---------+--------------------+
  | 91a191a6-b89e-4f87-99c0-0fb985985978 | default | default            |
  | 6966a8e4-0980-40ad-a409-baac65b60287 | terry   | allow ping and ssh |
  +--------------------------------------+---------+--------------------+

List the rules in a group

  [root@station140 ~(keystone_admin)]# nova  secgroup-list-rules default
  +-------------+-----------+---------+----------+--------------+
  | IP Protocol | From Port | To Port | IP Range | Source Group |
  +-------------+-----------+---------+----------+--------------+
  |             |           |         |          | default      |
  |             |           |         |          | default      |
  +-------------+-----------+---------+----------+--------------+

Adding a rule (allow ping)

  [root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry icmp -1 -1 0.0.0.0/0
  +-------------+-----------+---------+-----------+--------------+
  | IP Protocol | From Port | To Port | IP Range  | Source Group |
  +-------------+-----------+---------+-----------+--------------+
  | icmp        | -1        | -1      | 0.0.0.0/0 |              |
  +-------------+-----------+---------+-----------+--------------+
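The rule parameters described above (source of traffic, protocol, port range or ICMP type and code) and the nova commands used in this post, worked into a small Python helper. This is an added example, not code from the original post or from OpenStack: it validates a rule the way the parameter list describes, renders the matching `nova secgroup-add-rule` command line, and parses the table `nova secgroup-list-rules` prints so a group can be audited for rules that leave SSH open to every IP address. The group name `terry` is taken from the post; the sample table output is constructed here in nova's format, and the SSH-exposure check is an assumed audit policy, not something nova itself enforces.

```python
"""Build and audit nova security-group rules (added example, not from the post)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANYWHERE = "0.0.0.0/0"              # "all IP addresses" as a source of traffic
PROTOCOLS = ("tcp", "udp", "icmp")


@dataclass(frozen=True)
class Rule:
    protocol: str   # tcp for SSH, icmp for ping, or udp
    from_port: int  # tcp/udp: first port; icmp: ICMP type, -1 = all types
    to_port: int    # tcp/udp: last port (same value for one port); icmp: ICMP code, -1 = all
    cidr: str       # source of traffic, e.g. 0.0.0.0/0 or a tenant subnet


def validate(rule: Rule) -> None:
    """Reject parameter combinations that contradict the rule parameters above."""
    if rule.protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {rule.protocol!r}")
    if rule.protocol == "icmp":
        if not (-1 <= rule.from_port <= 255 and -1 <= rule.to_port <= 255):
            raise ValueError("ICMP type/code must be -1 (all) or 0..255")
    elif not (1 <= rule.from_port <= rule.to_port <= 65535):
        raise ValueError("port range must satisfy 1 <= from <= to <= 65535")
    # Anything that is not a CIDR raises ValueError; host bits set are tolerated.
    ipaddress.ip_network(rule.cidr, strict=False)


def is_valid(rule: Rule) -> bool:
    try:
        validate(rule)
        return True
    except ValueError:
        return False


def add_rule_command(group: str, rule: Rule) -> str:
    """Render the command line the post uses, e.g. nova secgroup-add-rule terry icmp -1 -1 0.0.0.0/0."""
    validate(rule)
    return (f"nova secgroup-add-rule {group} {rule.protocol} "
            f"{rule.from_port} {rule.to_port} {rule.cidr}")


def parse_rules_table(text: str) -> list[dict]:
    """Parse the +---+ table printed by `nova secgroup-list-rules`.

    Rows that reference a source group leave protocol, ports and CIDR empty;
    those fields come back as None.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|") or line.startswith("| IP Protocol"):
            continue  # skip border lines and the header row
        proto, frm, to, cidr, source_group = [c.strip() for c in line.strip("|").split("|")]
        rows.append({
            "protocol": proto or None,
            "from_port": int(frm) if frm else None,
            "to_port": int(to) if to else None,
            "cidr": cidr or None,
            "source_group": source_group or None,
        })
    return rows


def audit(rows: list[dict]) -> list[str]:
    """Flag TCP rules whose port range covers SSH (22) and whose source is every IP address."""
    findings = []
    for r in rows:
        if r["cidr"] != ANYWHERE or r["protocol"] != "tcp":
            continue
        if r["from_port"] <= 22 <= r["to_port"]:
            span = (str(r["from_port"]) if r["from_port"] == r["to_port"]
                    else f"{r['from_port']}-{r['to_port']}")
            findings.append(f"tcp {span} from {ANYWHERE} exposes SSH to every IP address")
    return findings


# Constructed sample: the post's terry group after the ping rule, plus an SSH rule
# opened to the world and a rule that delegates to the default group.
SAMPLE_RULES_OUTPUT = """\
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
+-------------+-----------+---------+-----------+--------------+
"""

if __name__ == "__main__":
    print(add_rule_command("terry", Rule("icmp", -1, -1, ANYWHERE)))
    print(add_rule_command("terry", Rule("tcp", 22, 22, "10.0.0.0/24")))
    for finding in audit(parse_rules_table(SAMPLE_RULES_OUTPUT)):
        print("WARNING:", finding)
```

Pipe the real output of `nova secgroup-list-rules <group>` into `parse_rules_table` to audit a live group; the command builder is meant for restricting the SSH rule to a known source subnet rather than 0.0.0.0/0, which is the only change between the ping rule shown above and a defensible SSH rule.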






Adding a rule (allow SSH)



Copyright notice: this article is an original post by qq_19396231, licensed under CC 4.0 BY-SA. When reposting, include a link to the original source and this notice.