1. 如何创建自定义安全组?
2. 如何查看安全组?
3. 如何列出组中的安全规则?
4. 如何增加规则 (以允许 ping 为例)?
6 R6 e. `+ v0 i6 I& z! w9 ?& U& ] J- T5 _3 D% r0 U ]; W9 W2 r! K0 b
注: 已通过测试, 修改默认 secgroup 或自定义 secgroup 都可以完成数据访问测试。
但请注意: 安全组规则对所有关联了该组的实例同时生效; 启动实例时若未显式指定安全组, 实例会加入 default 组, 因此向 default 组放开 0.0.0.0/0 的规则会影响租户内所有使用 default 组的实例。生产环境建议使用自定义安全组, 并把来源网段收紧到实际需要的范围。
帮助
' y+ |% X, r+ o' t7 k& H7 l
: d5 w) b+ _% I& v
* @5 W) G" b: K, P
4 h7 R8 ?( e- [0 V/ {
; [: [; h2 D* s( i7 T
+ m0 F$ N7 q' f3 K; J2 |# A2 x
3 J# k; R7 g" S4 \( A/ k0 k7 S3 t( h& a3 {
( H5 l, ]# k# w& ?$ ^
/ X7 N" d) x3 E8 l: n) p& j4 c7 U
, c, u! a1 M( M( V6 i, w b
3 V# I8 p1 \3 P5 @9 k0 H% t9 p& [, \+ u
, X& F8 g) B% c9 n1 v. e
% U, k1 A6 \8 B* v9 Z" Z }( N1 t. l M3 ?
4 N- v' Y1 F; P! G
. C" s, U. x6 ], ?- ^* |8 I
3 @& e' C# ?) b# O% G+ w c9 d( R0 e- n
4 h! t8 O% \: U6 @, s' ]5 j) ]# p7 Y: f+ K$ _9 N8 B* q) D6 D
6 [2 X. K0 l: K' l& Q' ^$ A; @* Y
; L0 ~. r1 j& A# N! N; r
2 F. ]' W& A' m" c) p/ `* P
$ v8 a3 U5 l% A/ S8 @) V9 n7 h7 f S
. k( p% i) L3 | N8 e* f/ U; h
: w* e) o; \% k1 _( }, ~, s" J; {8 s
$ @# M8 f R: y. e, i! b6 U+ U
[root@station140 ~(keystone_admin)]# nova help | grep secgroup
    add-secgroup                Add a Security Group to a server.
    list-secgroup               List Security Group(s) of a server.
    remove-secgroup             Remove a Security Group from a server.
    secgroup-add-group-rule
    secgroup-add-rule           Add a rule to a security group.
    secgroup-create             Create a security group.
    secgroup-delete             Delete a security group.
    secgroup-delete-group-rule
    secgroup-delete-rule
    secgroup-list               List security groups for the current tenant.
    secgroup-list-rules
    secgroup-update             Update a security group.
! {, j& t6 P5 F8 @& z* s% ]' F* F
创建自定义安全组
[root@ ]# nova secgroup-create terry "allow ping and ssh"
+--------------------------------------+-------+--------------------+
| Id                                   | Name  | Description        |
+--------------------------------------+-------+--------------------+
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry | allow ping and ssh |
+--------------------------------------+-------+--------------------+
: a- x3 Y4 H- B/ w2 k+ n4 q
9 r* h# _" ]& m% p, C 2 `8 d, @+ y" A; O, d
I9 a! N* D4 s6 s( i
. X7 P2 K1 ]% ]5 U4 x5 z
列出当前所有安全组
% v9 t+ u2 P2 A4 D8 }7 x" l
/ k' y4 v. E8 m& y8 s
( F/ H3 K" y2 A; {! M- c) Y3 n9 }+ b1 d( Y' L) E
( o9 b" K) m" f: ?! h# l: v6 M9 U+ C
[root@ ]# nova secgroup-list
+--------------------------------------+---------+--------------------+
| Id                                   | Name    | Description        |
+--------------------------------------+---------+--------------------+
| 91a191a6-b89e-4f87-99c0-0fb985985978 | default | default            |
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry   | allow ping and ssh |
+--------------------------------------+---------+--------------------+
5 M8 l/ T8 |# ]7 ^
$ y& D9 e4 F: N8 b% Y6 o4 L
列出某个组中的安全规则
# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+
(两条 Source Group 为 default 的规则表示 default 组内的实例之间互相放通; 此时没有任何 IP Range 规则, 即尚未开放来自外部地址的入站访问。)
; [0 P& n# y; K3 [ ) O" Q; R9 z+ c9 @/ n! q) z
增加规则方法 (允许 ping)
. X% i- N) O. D7 e6 a. c( f* c
D+ h, i) x& E& \1 o* H5 @8 p
3 ^* }% D4 R% `3 c! [; O; M5 _- H! I$ V1 k% o5 _) p9 z
6 `3 v1 @6 K- Y/ Y, C0 [
2 ~* |8 w- U+ r, z, S& ~0 L/ p4 z5 j" d7 V9 ^$ _
5 k% y3 U5 R3 r, e, n) c* ~5 z
0 Q" c; d9 \6 T) F! N: ]" J, C6 U7 l
% X0 m5 P. \, o( T6 x$ M6 I" A
; l4 U. j" m3 y$ Y+ z2 U# S
$ D" k# k, t8 g: _+ _7 z- s
; C) e0 m+ v- }$ z/ X; k$ k8 r0 m: x" X2 ?7 I3 o
# nova secgroup-add-rule terry icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
说明: 对 icmp 规则而言, "From Port/To Port" 实际对应 ICMP 类型/代码, -1 -1 表示放行全部类型; 0.0.0.0/0 表示任意来源。若只需要内网能 ping 通, 请把 0.0.0.0/0 换成实际的网段 (例如 10.0.0.0/24)。
7 {: s: P" d6 O* z' A$ D5 l' e
增加规则方法 (允许 ssh)
+ Q' h" Y/ g2 K+ }5 Q% ~' G3 G/ J4 S" J
1 N1 ^: r) z$ k! ]1 h! \' N
% U* F7 R7 h6 T/ B+ ]3 V/ |7 d
8 X3 ~0 M- R; m# y% ^! n1 m3 N0 ^) v3 U9 |
# nova secgroup-add-rule terry tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
注意: 0.0.0.0/0 会把 SSH 暴露给所有能到达该实例的地址 (若实例绑定了浮动 IP, 可能直接暴露到公网)。实际部署时应把来源限制为管理网段或跳板机地址, 例如 `nova secgroup-add-rule terry tcp 22 22 192.168.1.0/24`, 并配合密钥登录、禁用口令认证。
0 j1 P) y% h2 [6 b8 v. p
增加规则方法 (允许外部访问本实例上的 dns 服务)
注: nova secgroup-add-rule 添加的是入站 (ingress) 规则, 实例主动向外发起的 DNS 查询不需要此规则; 只有当实例本身对外提供 DNS 服务时才需要开放 udp/53, 否则不要添加。
' E3 g: ?; G' f0 P& H( ^
# nova secgroup-add-rule terry udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
列出自定义组规则
% d) ~( u5 }; j& P8 u
# nova secgroup-list-rules terry
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
- k$ w4 L0 c3 r+ c( c( G3 c
尝试修改 default secgroup
(注意: default 组会被所有未显式指定安全组的实例使用, 向它添加 0.0.0.0/0 规则会同时影响这些实例; 下面的操作仅用于演示, 生产环境建议优先使用自定义组。)
列出 default secgroup 规则
# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+
: `( i) s1 e, z( p1 @; B/ c3 F
添加规则 (允许 ping)
6 m9 b$ W' t) O/ ~! O3 ~8 w! S- r: z/ ~; a5 W7 z6 R
% M Z; Z4 P" r* d' H" t; E* l8 J, q5 s, O
/ D" m" }! D& J8 R# K' ?7 K
# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
添加规则 (允许 ssh)
# nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
(同样建议把 0.0.0.0/0 收紧为管理网段; 这条规则会对 default 组中的所有实例开放 SSH。)
添加规则 (允许外部访问本实例上的 dns 服务; 同样是入站规则, 实例对外查询 DNS 不需要它)
# nova secgroup-add-rule default udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
( F/ e( V0 w4 I
0 S! r) u# m, B- _ k& o* F0 k1 p( y, F7 t; }9 V
列出默认组规则
0 d/ D( A. W; `% w1 m( s# C* D d( s7 P6 H
& f+ D5 c8 {* m1 O" h/ A! y4 K* k4 x7 {0 o
+ e/ @( ^3 ~5 ~ }: ~3 u- L# J/ `. H# S. m
, G" R# I3 I% k
# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
% X$ n8 z! T0 `9 v$ j$ N
从某个实例上移除其正在使用的安全组
2 c7 S7 r- D7 \2 i- I. u1 Z
4 y4 C1 z$ ]- c8 Z. S
- E' X. L; ]+ |" B y; J
) X1 t2 I' G- K' N) M0 M, j, i: d6 f4 j. r; C3 Z# e, A
nova remove-secgroup terry_instance1 terry

注: 在虚拟机启动后, 无法再增加其他规则。
(此结论来自本文的测试环境; 一般情况下, 向已有安全组添加规则会对已关联该组的运行中实例生效, 而 add-secgroup / remove-secgroup 用于在运行中的实例上增删整个安全组。请以自己环境中的实际验证为准。)
0 Z4 x1 \& b6 G0 j
; ~& G% |3 M' l- z9 N1 A$ c5 l M9 z
4 N+ k! |1 A8 A7 P Y2 J
& J1 Y4 l7 e1 V* M2 B/ @5 f5 d4 ?5 f9 |, C/ `
! r3 D! C0 \; d, Q( ]8 F
. d9 B' Z0 j2 J8 v: s6 L# Y7 I$ P$ _7 v4 e( e- U
/ f* L) s; d8 x6 p: C! F9 U
" K. O* E# m2 z( V0 K& t/ t
9 U* Q# ^7 `, @6 \8 z) o+ Q+ a9 o, ?: W# y' J
2 H! k d! i2 B9 s8 F- D& r2 T. `1 f1 H9 g. ]" x) x
7 T8 \; t3 N3 o1 y. Q8 n4 s$ C
3 G# \$ M3 R) I* L5 B0 w) M& X( ^7 l* j4 a8 R3 R) l" P: D- F, {
, U# q* v$ Q% S5 _
8 m: g! }0 N! s' l% \2 R. ?" D" O, Y/ a j3 a8 Z
/ c) ~/ v2 f v* F: C
( q$ v4 N8 t" w: a2 M& x1 @+ x4 k1 x/ f, s+ `7 Z
* f9 U: O1 v$ Z8 `# p6 t
% ]" H: I! d; a% N; ~7 E7 Z( e% f* c- o+ v3 S
|