1. How do I create a custom security group?
2. How do I view security groups?
3. How do I list the rules in a group?
4. How do I add a rule (allow ping)?

Note: tested; both modifying the default secgroup and using a custom secgroup pass the data-access test.

Help
[root@station140 ~(keystone_admin)]# nova help | grep secgroup
    add-secgroup        Add a Security Group to a server.
    list-secgroup       List Security Group(s) of a server.
    remove-secgroup     Remove a Security Group from a server.
    secgroup-add-group-rule
    secgroup-add-rule   Add a rule to a security group.
    secgroup-create     Create a security group.
    secgroup-delete     Delete a security group.
    secgroup-delete-group-rule
    secgroup-delete-rule
    secgroup-list       List security groups for the current tenant.
    secgroup-list-rules
    secgroup-update     Update a security group.
Create a custom security group
[root@ ]# nova secgroup-create terry "allow ping and ssh"
+--------------------------------------+-------+--------------------+
| Id                                   | Name  | Description        |
+--------------------------------------+-------+--------------------+
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry | allow ping and ssh |
+--------------------------------------+-------+--------------------+
List all current security groups
[root@ ]# nova secgroup-list
+--------------------------------------+---------+--------------------+
| Id                                   | Name    | Description        |
+--------------------------------------+---------+--------------------+
| 91a191a6-b89e-4f87-99c0-0fb985985978 | default | default            |
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry   | allow ping and ssh |
+--------------------------------------+---------+--------------------+
List the rules in a given group (the two rows below are the built-in rules of the default group: they allow all traffic from members of the same group, and nothing from outside it)
# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+
Add a rule (allow ping); for icmp the port columns carry the ICMP type and code, and -1 -1 means all types
# nova secgroup-add-rule terry icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Add a rule (allow ssh). 0.0.0.0/0 opens port 22 to every source address on the network; outside a lab test, use the CIDR of the admin network as the IP Range instead.
# nova secgroup-add-rule terry tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Add a rule (allow DNS, udp/53). Security-group rules are inbound rules: this exposes udp/53 on the instance, which is only needed if the instance itself answers DNS queries; the instance's own outbound lookups to a resolver do not need it.
# nova secgroup-add-rule terry udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
List the rules of the custom group
# nova secgroup-list-rules terry
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
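The steps above (create the group, add the icmp and tcp/22 rules, list the result) and the check a practitioner would run before attaching a group that uses 0.0.0.0/0, as an added shell example that is not part of the original post. The functions create_group_with_rules, world_open_rules and has_world_open_ports, the NOVA override and the admin CIDR 203.0.113.0/24 are assumptions made for illustration, not nova features; the two rule tables are constructed from the listings shown on this page, so the audit part runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): build the 'terry' group with the nova
# CLI used on this page, and audit a `nova secgroup-list-rules` table for world-open rules.
# create_group_with_rules, world_open_rules, has_world_open_ports, the NOVA override and
# the admin CIDR 203.0.113.0/24 are illustrative assumptions, not nova features.

# create_group_with_rules GROUP ADMIN_CIDR
# Same steps as on this page, but SSH is limited to ADMIN_CIDR instead of 0.0.0.0/0.
# Setting NOVA=echo turns it into a dry run that only prints the commands.
create_group_with_rules() {
    group="$1"
    admin_cidr="$2"
    nova_cmd="${NOVA:-nova}"
    "$nova_cmd" secgroup-create "$group" "allow ping and ssh" &&
    "$nova_cmd" secgroup-add-rule "$group" icmp -1 -1 0.0.0.0/0 &&
    "$nova_cmd" secgroup-add-rule "$group" tcp 22 22 "$admin_cidr" &&
    "$nova_cmd" secgroup-list-rules "$group"
}

# world_open_rules TABLE_TEXT
# Parses the ASCII table printed by `nova secgroup-list-rules` and prints
# "PROTO FROM TO" for each rule whose IP Range is 0.0.0.0/0 or ::/0.
world_open_rules() {
    printf '%s\n' "$1" | awk -F'|' '
        /^\+/ { next }                 # border lines
        $2 ~ /IP Protocol/ { next }    # header row
        {
            proto = $2; from = $3; to = $4; range = $5
            gsub(/^[ \t]+|[ \t]+$/, "", proto)
            gsub(/^[ \t]+|[ \t]+$/, "", from)
            gsub(/^[ \t]+|[ \t]+$/, "", to)
            gsub(/^[ \t]+|[ \t]+$/, "", range)
            if (range == "0.0.0.0/0" || range == "::/0") print proto, from, to
        }'
}

# has_world_open_ports TABLE_TEXT
# Succeeds (exit 0) when any tcp or udp rule is open to the whole Internet.
# ICMP from anywhere is tolerated here because the page wants ping to work.
has_world_open_ports() {
    world_open_rules "$1" | awk '
        $1 == "tcp" || $1 == "udp" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed samples: the 'terry' listing and the untouched default group, as shown on this page.
TERRY_RULES='+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+'

DEFAULT_RULES='+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+'

# Demonstration: audit the constructed listings (no nova needed).
echo "world-open rules in terry:"
world_open_rules "$TERRY_RULES"
if has_world_open_ports "$TERRY_RULES"; then
    echo "terry exposes tcp/udp ports to 0.0.0.0/0; restrict them to an admin CIDR"
fi
if ! has_world_open_ports "$DEFAULT_RULES"; then
    echo "default group: no world-open tcp/udp rules"
fi
```

To apply the group for real, run `create_group_with_rules terry <admin-cidr>` with NOVA unset in a shell that has the keystone credentials sourced; run `NOVA=echo create_group_with_rules terry <admin-cidr>` first to see the exact nova commands it will issue.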
Try modifying the default secgroup
List the rules of the default secgroup
# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+
Add a rule (allow ping)
# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Add a rule (allow ssh). Because every instance in the tenant that was booted without an explicit group is in default, this opens port 22 to the whole network on all of them at once.
# nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Add a rule (allow DNS, udp/53)
# nova secgroup-add-rule default udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
List the rules of the default group
# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Remove a security group from an instance that is using it (the group and its rules stay; only the association with the server is dropped)
# nova remove-secgroup terry_instance1 terry
Note: after the VM has been started, it was not possible to add further rules.