易陆发现互联网技术论坛 (Yilu Discovery Internet Technology Forum)

openstack - Introduction to security group management commands

Posted 2018-11-5 22:57:45
1. How do I create a custom security group?
2. How do I view security groups?
3. How do I list the rules in a group?
4. How do I add a rule (allow ping)?

Note: this has been tested; modifying either the default secgroup or a custom secgroup completes the data-access test.

Help
[root@station140 ~(keystone_admin)]# nova help | grep secgroup
add-secgroup Add a Security Group to a server.
list-secgroup List Security Group(s) of a server.
remove-secgroup Remove a Security Group from a server.
secgroup-add-group-rule
secgroup-add-rule Add a rule to a security group.
secgroup-create Create a security group.
secgroup-delete Delete a security group.
secgroup-delete-group-rule
secgroup-delete-rule
secgroup-list List security groups for the current tenant.
secgroup-list-rules
secgroup-update Update a security group.

Create a custom security group

[root@ ]# nova secgroup-create terry "allow ping and ssh"
+--------------------------------------+-------+--------------------+
| Id                                   | Name  | Description        |
+--------------------------------------+-------+--------------------+
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry | allow ping and ssh |
+--------------------------------------+-------+--------------------+

List all current security groups

[root@ ]# nova secgroup-list
+--------------------------------------+---------+--------------------+
| Id                                   | Name    | Description        |
+--------------------------------------+---------+--------------------+
| 91a191a6-b89e-4f87-99c0-0fb985985978 | default | default            |
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry   | allow ping and ssh |
+--------------------------------------+---------+--------------------+

List the rules in a given group

# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+

Add a rule (allow ping)

# nova secgroup-add-rule terry icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Add a rule (allow ssh)

# nova secgroup-add-rule terry tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Add a rule (allow external DNS access)

# nova secgroup-add-rule terry udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

List the custom group's rules

# nova secgroup-list-rules terry
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Try modifying the default secgroup

List the default secgroup rules

# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+

Add a rule (allow ping)

# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Add a rule (allow ssh)

# nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Add a rule (allow external DNS access)

# nova secgroup-add-rule default udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

List the default group's rules

# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Remove the rules in use by an instance

nova remove-secgroup terry_instance1 terry

Note: once the virtual machine has started, no further rules can be added.
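As an added example (not part of the original post), here is a small audit check for the rule tables shown above: given the output of `nova secgroup-list-rules`, it flags every tcp/udp rule whose IP Range is 0.0.0.0/0, which is exactly what an operator should review after adding ssh and DNS rules with that range. The table text is a constructed copy of the final default-group listing above, embedded so the script runs offline; in real use the live command output is piped in instead.

```shell
#!/bin/sh
# Constructed sample input: the "nova secgroup-list-rules default" table from
# the post, embedded so the check can run without a cloud to talk to.
SAMPLE_RULES='+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+'

# Read a secgroup-list-rules table on stdin and print one line per tcp/udp
# rule that admits traffic from the whole internet (IP Range 0.0.0.0/0), as
# "proto from-to". Rules whose source is another security group have an
# empty IP Range and are skipped; icmp is left out of this check on purpose.
world_open_rules() {
  awk -F'|' '
    /^\+/ { next }                         # skip +----+ border lines
    { for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i) }   # trim cells
    $2 == "IP Protocol" { next }           # skip the header row
    $5 == "0.0.0.0/0" && ($2 == "tcp" || $2 == "udp") { print $2, $3 "-" $4 }
  '
}

# Number of world-open tcp/udp rules in the table on stdin. Anything non-zero
# deserves a look: here it is ssh (tcp/22) and dns (udp/53) reachable from
# any address, where a narrower admin CIDR would usually be wanted for ssh.
count_world_open() {
  world_open_rules | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_RULES" | world_open_rules
echo "world-open tcp/udp rules: $(printf '%s\n' "$SAMPLE_RULES" | count_world_open)"
```

To check a live group, replace the sample with `nova secgroup-list-rules <group> | world_open_rules`.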