Compute node security group behaviour and flow table tracing

1. Introduction

1.1 What is a security group

A security group controls the traffic of a cloud host's virtual NIC.

  • A security group is bound to a cloud host's virtual NIC and applies to all traffic passing through that NIC: the cloud host reaching the public network, cloud hosts reaching each other, and any other traffic entering or leaving the cloud host through that NIC.

  • A security group admits traffic that matches its rules and rejects any traffic not covered by an existing rule.

  • When a single NIC is bound to several security groups, the effective rule set is the union of all their rules.

  • Instances within the same security group can reach each other over the internal network.

  • When both stateful and stateless security groups are bound, stateless security groups take priority over stateful ones.

1.2 Categories: cloud host and bare metal

There are two kinds of security group: cloud host security groups and bare metal security groups.

A cloud host gets a stateful security group by default when it is created:

1. A cloud host security group implements access control for cloud hosts; cloud hosts bound to the same security group share the same access control policy.

2. The default cloud host security group, default, allows egress on all protocols and all ports, and allows ingress from cloud hosts in the same security group; cloud hosts in the same VPC bound to the default security group can reach each other without extra configuration.

3. For stateful security groups, an established session has an ageing time of 3600 s; while the session lasts, new rules do not take effect for the IP addresses it involves.

Bare metal security groups:

1. A bare metal security group implements access control for bare metal servers; bare metal servers bound to the same security group share the same access control policy.

2. The default bare metal security group, default, allows egress on all protocols and all ports and denies all ingress.

3. Bare metal security groups do not support access control between bare metal servers within the same subnet.

1.3 Difference from FWaaS

In OpenStack the firewall consists of the "Security Group" and "FWaaS". Security Group provides access control over VM network traffic at the port level; FWaaS runs on the vrouter and controls a subnet at its boundary. (Security Group protects ports, FWaaS protects subnets.)

Reference: "Implementing security groups with OVS: what you need to consult"

2. Security group rules

1. Protocol: protocol type: TCP/UDP/ICMP/ANY; planned extensions: GRE, VRRP, IGMP

2. Ports: several (no more than 3) individual ports or port ranges can be added; the port range is 1-65535.

3. Authorization type/object: the authorization type is either address range access or security group access. Address range access accepts up to three IP address entries; security group access supports only one source security group.

When the source type is address range access, the source is a single IP address or a range of IP addresses; any source can also be selected.
When the source type is security group access, the source is all cloud hosts in another security group.

4. Direction: ingress or egress

Ingress means packets sent from outside to the cloud host, for example an external host pinging the cloud host, or the cloud host downloading a file.
Egress means packets sent from the cloud host to the outside, for example the cloud host pinging an external address, or the cloud host serving web content outward.

3. Flow tables

3.1 Environment

Virtual machine summary:

| port  | ip        | compute node | vhu | vtep ip       |
|-------|-----------|--------------|-----|---------------|
| port1 | 178.1.3.2 | compute-6    | 0x6 | 20.100.57.212 |
| port2 | 178.1.3.4 | compute-6    | 0x3 | 20.100.57.233 |

VPC summary:

| name | cidr         | network uuid                         |
|------|--------------|--------------------------------------|
| vpc1 | 178.1.0.0/16 | 3532e395-9173-416b-87a0-198610e84747 |

3.2 Default behaviour

3.2.1 The system's built-in default security group

A cloud host is automatically bound to a system-provided default security group, which

(1) allows egress on all protocols and all ports
(2) allows ingress from cloud hosts in the same security group
(3) allows traffic within the same VPC

(1) Operation

None; port1 and port2 are bound to it automatically once created.

(2) Observed behaviour

VM1 -> VM2 is reachable

(3) Viewing the default security group rules

| security_group_rules | {                                                                  |
|                      |      "security_group_id": "e273947c-c6a3-4e91-864f-8456d13aff4f",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "ingress",                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_min": null,                                       |
|                      |      "port_range_max": null,                                       |
|                      |      "priority": 100,                                              |
|                      |      "protocol": null,                                             |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "0.0.0.0/0",                              |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": null,                                          |
|                      |      "id": "4eefc9d5-de6a-4fd7-a872-867bf4b479d7",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }                                                                  |
Allows IPv4 packets from any source in
|                      | {                                                                  |
|                      |      "security_group_id": "e273947c-c6a3-4e91-864f-8456d13aff4f",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "ingress",                                       |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "port_range_min": null,                                       |
|                      |      "port_range_max": null,                                       |
|                      |      "priority": 100,                                              |
|                      |      "protocol": null,                                             |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "0::0/0",                                 |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": null,                                          |
|                      |      "id": "5aad23e9-48a4-4240-a083-8343e458bcee",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }                                                                  |
Allows IPv6 packets from any source in
|                      | {                                                                  |
|                      |      "security_group_id": "e273947c-c6a3-4e91-864f-8456d13aff4f",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "egress",                                        |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "port_range_min": null,                                       |
|                      |      "port_range_max": null,                                       |
|                      |      "priority": 100,                                              |
|                      |      "protocol": null,                                             |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "::/0",                                   |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": null,                                          |
|                      |      "id": "ba67e136-7562-44ba-85f7-55c1da849863",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }                                                                  |
Allows IPv6 packets out to any destination
|                      | {                                                                  |
|                      |      "security_group_id": "e273947c-c6a3-4e91-864f-8456d13aff4f",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "egress",                                        |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_min": null,                                       |
|                      |      "port_range_max": null,                                       |
|                      |      "priority": 100,                                              |
|                      |      "protocol": null,                                             |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "0.0.0.0/0",                              |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": "default-rule-e273947c",                       |
|                      |      "id": "f421d2cc-e37e-4661-9b32-0b581013e91e",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }                                                                  |
Allows IPv4 packets out to any destination

(4) Flow table changes

Table 72 (egress) gained ip and ipv6 entries allowing traffic out

[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=72,reg12=0x6
 cookie=0x63e4904900f4c806, duration=9431.484s, table=72, n_packets=73, n_bytes=5908, priority=2010,ip,reg12=0x6 actions=goto_table:74
 cookie=0x63e4904900f4c806, duration=9431.484s, table=72, n_packets=0, n_bytes=0, priority=2010,ipv6,reg12=0x6 actions=goto_table:74

Table 152 (ingress) gained two entries, ip and ipv6, allowing traffic in

[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=152,reg13=0x6
 cookie=0x63e4904900f4c806, duration=9628.551s, table=152, n_packets=0, n_bytes=0, priority=2010,ip,reg13=0x6 actions=goto_table:154
 cookie=0x63e4904900f4c806, duration=9628.551s, table=152, n_packets=0, n_bytes=0, priority=2010,ipv6,reg13=0x6 actions=goto_table:154

3.2.2 Creating a default stateful security group

A security group created by the user is stateful by default. In the A06 tenant it comes with two built-in rules; a group created in production additionally gets an icmp ingress rule.

(1) 操作

Create a security group; it is stateful by default
	tianchi security-group-create yx-port1
Bind port1 and port2 to the yx-port1 security group
	tianchi port-update 4cfafd07-e200-4c8f-8f54-d0df8be8a2f3 --security-group 867991c1-8f7e-419d-942f-7489533baadb
	tianchi port-update 0dcb4d84-c5b9-4898-b2c5-318caad91037 --security-group 867991c1-8f7e-419d-942f-7489533baadb

(2) Observed behaviour

vm1 -> vm2 ping fails: egress is allowed but ingress is not, so the packet is dropped by the security group on the ingress side (normally the ping succeeds, because there is an icmp ingress rule)

(3) Viewing the rules

| security_group_rules | {                                                                  |
|                      |      "security_group_id": "867991c1-8f7e-419d-942f-7489533baadb",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "egress",                                        |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "port_range_min": null,                                       |
|                      |      "port_range_max": null,                                       |
|                      |      "priority": 100,                                              |
|                      |      "protocol": null,                                             |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "::/0",                                   |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": "default-rule-867991c1",                       |
|                      |      "id": "aba5de77-2146-427d-8b56-83b10589392c",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }                                                                  |
ipv6 egress allowed
|                      | {                                                                  |
|                      |      "security_group_id": "867991c1-8f7e-419d-942f-7489533baadb",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "egress",                                        |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_min": null,                                       |
|                      |      "port_range_max": null,                                       |
|                      |      "priority": 100,                                              |
|                      |      "protocol": null,                                             |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "0.0.0.0/0",                              |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": "default-rule-867991c1",                       |
|                      |      "id": "eca29447-6009-4583-a73f-31a413786398",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }  
ipv4 egress allowed

(4) Flow table changes

In table 152 the ip and ipv6 ingress flows are gone; ingress falls straight through to drop

[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=152,
 cookie=0x63e4904900000000, duration=91449.370s, table=152, n_packets=19, n_bytes=1862, priority=0 actions=drop

The egress flows in table 72 are the same as with the system default group
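As an added example (not part of the original note and not the platform's own tooling), the Python below parses an `ovs-ofctl dump-flows` listing of table 152 the way the dumps above are read by hand: per port register (reg13) it lists what is admitted and flags registers whose admit flows carry no address or port restriction, which is the state the system default group leaves a VM in. The sample dump is constructed from lines on this page plus a constructed tcp/22 rule for reg13=0x3.

```python
"""Audit the ingress security-group table (152) from an ovs-ofctl dump."""
from collections import defaultdict

# Constructed sample: the system default group on reg13=0x6 (section 3.2.1),
# a user group on reg13=0x3 with a constructed tcp/22 rule, and the table
# default from section 3.2.2.
SAMPLE_TABLE_152 = """\
[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=152
 cookie=0x63e4904900f4c806, duration=9628.551s, table=152, n_packets=0, n_bytes=0, priority=2010,ip,reg13=0x6 actions=goto_table:154
 cookie=0x63e4904900f4c806, duration=9628.551s, table=152, n_packets=0, n_bytes=0, priority=2010,ipv6,reg13=0x6 actions=goto_table:154
 cookie=0x63e4904900f4c803, duration=17.863s, table=152, n_packets=0, n_bytes=0, priority=3810,tcp,reg13=0x3,tp_dst=22 actions=goto_table:154
 cookie=0x63e4904900000000, duration=91449.370s, table=152, n_packets=19, n_bytes=1862, priority=0 actions=drop
"""

# Bare tokens ovs-ofctl prints as protocol shorthand.
PROTO_TOKENS = {"ip", "ipv6", "tcp", "udp", "icmp", "tcp6", "udp6", "icmp6", "arp"}
# Fields that narrow an admit flow; without any of them the whole protocol
# is let through from any address to any port.
NARROWING_FIELDS = ("nw_src", "nw_dst", "ipv6_src", "ipv6_dst", "tp_src", "tp_dst")


def parse_flow(line):
    """One dump-flows line -> dict of match fields; None for non-flow lines."""
    match_part, sep, actions = line.strip().partition(" actions=")
    if not sep:
        return None  # shell prompt, header or blank line
    flow = {"proto": None, "actions": actions}
    for token in match_part.split(","):
        token = token.strip()
        if "=" in token:
            key, value = token.split("=", 1)
            flow[key] = value
        elif token in PROTO_TOKENS:
            flow["proto"] = token
    flow["priority"] = int(flow.get("priority", "0"))
    return flow


def parse_dump(text):
    return [f for f in map(parse_flow, text.splitlines()) if f is not None]


def catch_all_action(flows):
    """Action of the lowest-priority flow, i.e. what an unmatched packet gets."""
    return min(flows, key=lambda f: f["priority"])["actions"]


def admitted_by_port(flows, reg="reg13"):
    """Per port register, the admitted (goto_table) matches, e.g. 'tcp,tp_dst=22'."""
    result = defaultdict(list)
    for f in flows:
        if reg in f and f["actions"].startswith("goto_table"):
            narrowing = [f"{k}={f[k]}" for k in NARROWING_FIELDS if k in f]
            result[f[reg]].append(",".join([f["proto"] or "any"] + narrowing))
    return dict(result)


def unrestricted_ports(flows, reg="reg13"):
    """Registers with a plain ip/ipv6 admit flow and no narrowing field:
    on reg13 that means any host may reach the VM on any port."""
    return {
        f[reg]
        for f in flows
        if reg in f
        and f["actions"].startswith("goto_table")
        and f["proto"] in ("ip", "ipv6")
        and not any(k in f for k in NARROWING_FIELDS)
    }


if __name__ == "__main__":
    flows = parse_dump(SAMPLE_TABLE_152)
    print("table default:", catch_all_action(flows))
    for reg, matches in sorted(admitted_by_port(flows).items()):
        print(f"reg13={reg} admits: {', '.join(matches)}")
    print("wide open:", sorted(unrestricted_ports(flows)))
```

Run against a real dump (`ovs-ofctl dump-flows br-int -O openflow13 table=152`) the same functions report which virtual ports would accept traffic from anywhere.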

3.3 Port restrictions

Security groups can restrict the ports that may be accessed. Several (no more than 3) individual ports or port ranges can be added; the port range is 1-65535.

3.3.1 Fixed port

(1) Operation

Egress is already fully open; on ingress, add one rule admitting TCP port 58 from any IP

tianchi security-group-rule-create --port-range-min 58 --port-range-max 58 --remote-ip-prefix "0.0.0.0/0" --action allow --priority 10 867991c1-8f7e-419d-942f-7489533baadb ingress --protocol tcp

(2) Observed behaviour

vm1 can send TCP packets to port 58 of vm2

(3) Viewing the rules

|                      | {                                                                  |
|                      |      "security_group_id": "867991c1-8f7e-419d-942f-7489533baadb",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "ingress",                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_min": 58,                                         |
|                      |      "port_range_max": 58,                                         |
|                      |      "priority": 10,                                               |
|                      |      "protocol": "tcp",                                            |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "0.0.0.0/0",                              |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": null,                                          |
|                      |      "id": "e032932f-3466-4488-a5b7-42e9d1e53c7e",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }   

(4) Flow table changes

[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=152
 cookie=0x63e4904900f4c806, duration=17.873s, table=152, n_packets=0, n_bytes=0, priority=3810,tcp,reg13=0x6,tp_dst=58 actions=goto_table:154
 cookie=0x63e4904900f4c803, duration=17.863s, table=152, n_packets=0, n_bytes=0, priority=3810,tcp,reg13=0x3,tp_dst=58 actions=goto_table:154

3.3.2 Port range

(1) Operation

Egress is already fully open; on ingress, add one rule admitting TCP ports 52-53 from any IP

tianchi security-group-rule-create --port-range-min 52 --port-range-max 53 --remote-ip-prefix "0.0.0.0/0" --action allow --priority 10 867991c1-8f7e-419d-942f-7489533baadb ingress --protocol tcp

(2) Observed behaviour

vm1 can send TCP packets to ports 52 and 53 of vm2

(3) Viewing the rules

|                      | {                                                                  |
|                      |      "security_group_id": "867991c1-8f7e-419d-942f-7489533baadb",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "ingress",                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_min": 52,                                         |
|                      |      "port_range_max": 53,                                         |
|                      |      "priority": 10,                                               |
|                      |      "protocol": "tcp",                                            |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "0.0.0.0/0",                              |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": null,                                          |
|                      |      "id": "d8a2b076-b006-449a-aac2-bc1c52c947f9",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }                                                                  |

(4) Flow table changes

In the ingress flow table one entry was added for each of the two ports, matching the port range as tp_dst=0x34/0xfffe

[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=152
 cookie=0x63e4904900f4c806, duration=138.395s, table=152, n_packets=0, n_bytes=0, priority=3810,tcp,reg13=0x6,tp_dst=0x34/0xfffe actions=goto_table:154
 cookie=0x63e4904900f4c803, duration=138.395s, table=152, n_packets=0, n_bytes=0, priority=3810,tcp,reg13=0x3,tp_dst=0x34/0xfffe actions=goto_table:154
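The match tp_dst=0x34/0xfffe above is the range 52-53 expressed as a single value/mask pair. As an added example (not the platform's own code), the Python below decomposes any inclusive port range into the minimal set of aligned value/mask pairs, renders them the way ovs-ofctl prints them, and checks that the decomposition covers exactly the requested ports; it is the general form of which the page shows one instance.

```python
def port_range_to_masks(lo, hi):
    """Split the inclusive port range lo..hi into the fewest (value, mask)
    pairs such that a 16-bit port p lies in the range iff p & mask == value.
    Each pair is a block of 2**k consecutive ports aligned on a multiple of
    2**k, which is what one masked OpenFlow tp_dst match can express."""
    if not 1 <= lo <= hi <= 0xFFFF:
        raise ValueError("need 1 <= lo <= hi <= 65535")
    pairs = []
    while lo <= hi:
        bits = 0
        # Grow the block while it stays aligned at lo and inside the range.
        while bits < 16:
            span = 1 << (bits + 1)
            if lo % span != 0 or lo + span - 1 > hi:
                break
            bits += 1
        size = 1 << bits
        pairs.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return pairs


def ovs_tp_dst_matches(lo, hi):
    """Render the pairs as ovs-ofctl prints them: a bare port for a full
    mask (tp_dst=58), otherwise hex value/mask (tp_dst=0x34/0xfffe)."""
    rendered = []
    for value, mask in port_range_to_masks(lo, hi):
        if mask == 0xFFFF:
            rendered.append(f"tp_dst={value}")
        else:
            rendered.append(f"tp_dst={value:#x}/{mask:#x}")
    return rendered


def covered_ports(pairs):
    """All ports admitted by a list of (value, mask) pairs; compare with the
    requested range to confirm the flows neither leak nor miss a port."""
    return {p for p in range(0x10000) for value, mask in pairs if p & mask == value}


if __name__ == "__main__":
    for lo, hi in ((58, 58), (52, 53), (1000, 2000)):
        pairs = port_range_to_masks(lo, hi)
        assert covered_ports(pairs) == set(range(lo, hi + 1))
        print(f"{lo}-{hi}: {' '.join(ovs_tp_dst_matches(lo, hi))}")
```

A range that is not a single aligned block (1000-2000, for instance) needs several flows, so counting the flows per port in table 152 is a quick way to confirm a range rule was fully programmed.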

3.4 Protocol restrictions

Protocol: protocol type: TCP/UDP/ICMP/ANY; planned extensions: GRE, VRRP, IGMP

(1) Operation

Add, in turn: tcp and udp on port 58, icmp, and any

tianchi security-group-rule-create --port-range-min 58 --port-range-max 58 --remote-ip-prefix "0.0.0.0/0" --action allow --priority 10 867991c1-8f7e-419d-942f-7489533baadb ingress --protocol tcp

tianchi security-group-rule-create --port-range-min 58 --port-range-max 58 --remote-ip-prefix "0.0.0.0/0" --action allow --priority 10 867991c1-8f7e-419d-942f-7489533baadb ingress --protocol udp

tianchi security-group-rule-create --remote-ip-prefix "0.0.0.0/0" --action allow --priority 10 867991c1-8f7e-419d-942f-7489533baadb ingress --protocol icmp

tianchi security-group-rule-create --remote-ip-prefix "1.1.1.0/24" --action allow --priority 10 f13bf4cf-c23d-48dd-b87e-29a8bb9e9396 ingress --protocol any

(2) Observed behaviour

tcp and udp ingress on port 58, icmp ingress

(3) Viewing the rules

|                      | {                                                                  |
|                      |      "security_group_id": "867991c1-8f7e-419d-942f-7489533baadb",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "ingress",                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_min": 58,                                         |
|                      |      "port_range_max": 58,                                         |
|                      |      "priority": 10,                                               |
|                      |      "protocol": "tcp",                                            |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "0.0.0.0/0",                              |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": null,                                          |
|                      |      "id": "e032932f-3466-4488-a5b7-42e9d1e53c7e",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }                                                                  |

| security_group_rules | {                                                                  |
|                      |      "security_group_id": "867991c1-8f7e-419d-942f-7489533baadb",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "ingress",                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_min": 58,                                         |
|                      |      "port_range_max": 58,                                         |
|                      |      "priority": 10,                                               |
|                      |      "protocol": "udp",                                            |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "0.0.0.0/0",                              |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": null,                                          |
|                      |      "id": "3e514f9a-37bb-464f-83e5-6eca404dc8c2",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }  


|                      | {                                                                  |
|                      |      "security_group_id": "867991c1-8f7e-419d-942f-7489533baadb",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "ingress",                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_min": null,                                       |
|                      |      "port_range_max": null,                                       |
|                      |      "priority": 10,                                               |
|                      |      "protocol": "icmp",                                           |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "0.0.0.0/0",                              |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": null,                                          |
|                      |      "id": "6f0f3b77-5a04-46f7-af1b-252c8045783c",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }  


any
|                      | {                                                                  |
|                      |      "security_group_id": "f13bf4cf-c23d-48dd-b87e-29a8bb9e9396",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "ingress",                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_min": null,                                       |
|                      |      "port_range_max": null,                                       |
|                      |      "priority": 10,                                               |
|                      |      "protocol": "any",                                            |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "1.1.1.0/24",                             |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": null,                                          |
|                      |      "id": "254f0762-f2fb-41bd-934a-30c8503aff03",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }   

(4) Flow table changes

[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=152
 cookie=0x63e4904900f4c806, duration=17.873s, table=152, n_packets=0, n_bytes=0, priority=3810,tcp,reg13=0x6,tp_dst=58 actions=goto_table:154
 cookie=0x63e4904900f4c803, duration=17.863s, table=152, n_packets=0, n_bytes=0, priority=3810,tcp,reg13=0x3,tp_dst=58 actions=goto_table:154

[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=152| grep udp
 cookie=0x63e4904900f4c803, duration=29.471s, table=152, n_packets=0, n_bytes=0, priority=3810,udp,reg13=0x3,tp_dst=58 actions=goto_table:154
 cookie=0x63e4904900f4c806, duration=29.456s, table=152, n_packets=0, n_bytes=0, priority=3810,udp,reg13=0x6,tp_dst=58 actions=goto_table:154

[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=152| grep icmp
 cookie=0x63e4904900f4c803, duration=29.081s, table=152, n_packets=0, n_bytes=0, priority=3810,icmp,reg13=0x3 actions=goto_table:154
 cookie=0x63e4904900f4c806, duration=29.071s, table=152, n_packets=0, n_bytes=0, priority=3810,icmp,reg13=0x6 actions=goto_table:154

[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=152
 cookie=0x63e4904900f4c806, duration=57.246s, table=152, n_packets=0, n_bytes=0, priority=3810,ip,reg13=0x6,nw_src=1.1.1.0/24 actions=goto_table:154

3.5 IP restrictions

IPs can be restricted in two ways.

Authorization type/object: the authorization type is either address range access or security group access. Address range access accepts up to three IP address entries; security group access supports only one source security group.

When the source type is address range access, the source is a single IP address or a range of IP addresses; any source can also be selected.

When the source type is security group access, the source is all cloud hosts in another security group.

3.5.1 Authorization type: security group access

When the source type is security group access, the source is all cloud hosts in another security group.

(1) Operation

Create two security groups and clear the rules they come with

tianchi security-group-create yx-group1    (id: f13bf4cf-c23d-48dd-b87e-29a8bb9e9396)
tianchi security-group-create yx-group2    (id: 395e5ef1-62bb-4533-8ff8-20fe2f3d42ac)
Clearing the rules is omitted

Bind port1 to security group 1

tianchi port-update 4cfafd07-e200-4c8f-8f54-d0df8be8a2f3 --security-group f13bf4cf-c23d-48dd-b87e-29a8bb9e9396

Bind port2 to security group 2

tianchi port-update 0dcb4d84-c5b9-4898-b2c5-318caad91037 --security-group 395e5ef1-62bb-4533-8ff8-20fe2f3d42ac 

After the update vm1 and vm2 cannot reach each other: all security group flows keyed on reg12/reg13 are gone, and traffic takes the default drop path.

Operation 1: on security group 1, add a rule admitting icmp egress towards group-id = security group 2

tianchi security-group-rule-create --remote-group-id 395e5ef1-62bb-4533-8ff8-20fe2f3d42ac --action allow --priority 10 f13bf4cf-c23d-48dd-b87e-29a8bb9e9396 egress --protocol icmp

Operation 2: on security group 2, add a rule admitting icmp ingress from group-id = security group 1

tianchi security-group-rule-create --remote-group-id f13bf4cf-c23d-48dd-b87e-29a8bb9e9396 --action allow --priority 10 395e5ef1-62bb-4533-8ff8-20fe2f3d42ac ingress --protocol icmp

(2) Observed behaviour

vm1 can ping vm2

(3) Viewing the rules

Rules of security group 1

| security_group_rules | {                                                                  |
|                      |      "security_group_id": "f13bf4cf-c23d-48dd-b87e-29a8bb9e9396",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "egress",                                        |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_min": null,                                       |
|                      |      "port_range_max": null,                                       |
|                      |      "priority": 10,                                               |
|                      |      "protocol": "icmp",                                           |
|                      |      "remote_group_id": "395e5ef1-62bb-4533-8ff8-20fe2f3d42ac",    |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": null,                                          |
|                      |      "id": "072586d7-d91e-490a-813e-a85efce6056d",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }  

Rules of security group 2

| security_group_rules | {                                                                  |
|                      |      "security_group_id": "395e5ef1-62bb-4533-8ff8-20fe2f3d42ac",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "ingress",                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_min": null,                                       |
|                      |      "port_range_max": null,                                       |
|                      |      "priority": 10,                                               |
|                      |      "protocol": "icmp",                                           |
|                      |      "remote_group_id": "f13bf4cf-c23d-48dd-b87e-29a8bb9e9396",    |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": null,                                          |
|                      |      "id": "a22babb7-818e-4fed-b17a-a0cbd5b00514",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }                                                                  |

(4) Flow table changes

Flow table change caused by operation 1; note that the remote_group_id is automatically translated into the peer VM's IP address

[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=72| grep icmp
 cookie=0x63e4904900f4c806, duration=11.751s, table=72, n_packets=0, n_bytes=0, priority=3810,icmp,reg12=0x6,nw_dst=178.1.3.4 actions=goto_table:74

Flow table change caused by operation 2

[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=152| grep icmp
 cookie=0x63e4904900f4c803, duration=1480.190s, table=152, n_packets=0, n_bytes=0, priority=3810,icmp,reg13=0x3,nw_src=178.1.3.2 actions=goto_table:154

3.5.2 Authorization type: address-range access

(1) Operations

Operation 1: after the two remote_group rules above are deleted, vm1 -> vm2 is unreachable

Operation 2: add a rule on security group 1 that allows ICMP egress to 178.1.3.0/24

tianchi security-group-rule-create --remote_ip_prefix 178.1.3.0/24 --action allow --priority 10 f13bf4cf-c23d-48dd-b87e-29a8bb9e9396 egress --protocol icmp

Operation 3: add a rule on security group 2 that allows ICMP ingress from 178.1.3.0/24

tianchi security-group-rule-create --remote_ip_prefix 178.1.3.0/24 --action allow --priority 10 395e5ef1-62bb-4533-8ff8-20fe2f3d42ac ingress --protocol icmp

(2) Result

vm1 can ping vm2

(3) View the rules

Security group 1

| security_group_rules | {                                                                  |
|                      |      "security_group_id": "f13bf4cf-c23d-48dd-b87e-29a8bb9e9396",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "egress",                                        |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_min": null,                                       |
|                      |      "port_range_max": null,                                       |
|                      |      "priority": 10,                                               |
|                      |      "protocol": "icmp",                                           |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "178.1.3.0/24",                           |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": null,                                          |
|                      |      "id": "ddd8ce07-8b30-4115-ad15-fc46ef7e056f",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }                                                                  |

Security group 2

| security_group_rules | {                                                                  |
|                      |      "security_group_id": "395e5ef1-62bb-4533-8ff8-20fe2f3d42ac",  |
|                      |      "action": "allow",                                            |
|                      |      "direction": "ingress",                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_min": null,                                       |
|                      |      "port_range_max": null,                                       |
|                      |      "priority": 10,                                               |
|                      |      "protocol": "icmp",                                           |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "178.1.3.0/24",                           |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": null,                                          |
|                      |      "id": "d525779d-321a-4c41-a0f3-8a70b388efad",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }                                                                  |

(4) Flow table changes

Change caused by operation 1

[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=72| grep icmp
 cookie=0x63e4904900f4c806, duration=60.422s, table=72, n_packets=0, n_bytes=0, priority=3810,icmp,reg12=0x6,nw_dst=178.1.3.0/24 actions=goto_table:74

Change caused by operation 2

[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=152| grep icmp
 cookie=0x63e4904900f4c803, duration=18.716s, table=152, n_packets=0, n_bytes=0, priority=3810,icmp,reg13=0x3,nw_src=178.1.3.0/24 actions=goto_table:154

3.6 deny

Goal: traffic within the 178.1.3.0/24 range may pass in both directions, but 178.1.3.2 -> 178.1.3.4 must not be able to ping

It is enough that 178.1.3.4 does not accept ICMP ingress from 178.1.3.2

(1) Operation

Add an ICMP deny rule from 178.1.3.2 on security group 2

tianchi security-group-rule-create --remote_ip_prefix 178.1.3.2/32 --action deny --priority 50 395e5ef1-62bb-4533-8ff8-20fe2f3d42ac ingress --protocol icmp

(2) Result

vm1 cannot ping vm2

(3) View the rule

| security_group_rules | {                                                                  |
|                      |      "security_group_id": "395e5ef1-62bb-4533-8ff8-20fe2f3d42ac",  |
|                      |      "action": "deny",                                             |
|                      |      "direction": "ingress",                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_min": null,                                       |
|                      |      "port_range_max": null,                                       |
|                      |      "priority": 20,                                               |
|                      |      "protocol": "icmp",                                           |
|                      |      "remote_group_id": null,                                      |
|                      |      "remote_ip_prefix": "178.1.3.2/32",                           |
|                      |      "remote_ips": null,                                           |
|                      |      "remote_ips_action": null,                                    |
|                      |      "description": null,                                          |
|                      |      "id": "cebe43f0-15e4-4205-99af-b3f7029cc1da",                 |
|                      |      "project_id": "b9f6327bfbaf4e76ad9043c0e8771e02",             |
|                      |      "revision_number": 1,                                         |
|                      |      "tenant_id": "b9f6327bfbaf4e76ad9043c0e8771e02"               |
|                      | }                                                                  |

(4) Flow table change

[root@tianchi-compute-6 ~]# ovs-ofctl dump-flows br-int -O openflow13 table=152| grep icmp
 cookie=0x63e4904900f4c803, duration=530.182s, table=152, n_packets=0, n_bytes=0, priority=3615,icmp,reg13=0x3,nw_src=178.1.3.2 actions=drop
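As an added example (not code from this page's agent or CLI), the following Python reads the flow lines dumped in sections 3.5.2 and 3.6 back in and checks that each security-group rule printed there was actually programmed as the corresponding flow. The direction-to-table layout (egress: table 72, reg12, nw_dst, goto_table:74; ingress: table 152, reg13, nw_src, goto_table:154) is read off the dumps on this page, and the register values are the ports' vhu ids from the environment table (0x6 for port1, 0x3 for port2). Rules that use remote_group_id are not handled here; as section 3.5.1 notes, the agent expands those to the peer VM's IP.

```python
import ipaddress
import re
from typing import Dict, List

# Flow lines copied from the ovs-ofctl dumps on this page (table 72 is the
# egress direction of port1, reg12=0x6; table 152 is the ingress direction of
# port2, reg13=0x3).
PAGE_DUMP = """\
 cookie=0x63e4904900f4c806, duration=60.422s, table=72, n_packets=0, n_bytes=0, priority=3810,icmp,reg12=0x6,nw_dst=178.1.3.0/24 actions=goto_table:74
 cookie=0x63e4904900f4c803, duration=18.716s, table=152, n_packets=0, n_bytes=0, priority=3810,icmp,reg13=0x3,nw_src=178.1.3.0/24 actions=goto_table:154
 cookie=0x63e4904900f4c803, duration=530.182s, table=152, n_packets=0, n_bytes=0, priority=3615,icmp,reg13=0x3,nw_src=178.1.3.2 actions=drop
"""

# Direction -> (table, per-port register, address field, next table on allow),
# as observed in the dumps above (assumption: this layout holds for all ports).
DIRECTION_LAYOUT = {
    "egress":  {"table": "72",  "reg": "reg12", "addr": "nw_dst", "allow": "goto_table:74"},
    "ingress": {"table": "152", "reg": "reg13", "addr": "nw_src", "allow": "goto_table:154"},
}

FLOW_RE = re.compile(r"^\s*(?P<fields>.*?)\s+actions=(?P<actions>\S+)\s*$")


def parse_flow(line: str) -> Dict[str, str]:
    """Parse one 'ovs-ofctl dump-flows' line into match fields plus 'actions'."""
    m = FLOW_RE.match(line)
    if not m:
        raise ValueError(f"not a flow line: {line!r}")
    flow: Dict[str, str] = {"actions": m.group("actions")}
    for tok in m.group("fields").split(","):
        tok = tok.strip()
        if not tok:
            continue
        if "=" in tok:
            key, value = tok.split("=", 1)
            flow[key] = value
        else:
            flow["proto"] = tok          # bare protocol token such as "icmp" or "tcp"
    return flow


def parse_dump(text: str) -> List[Dict[str, str]]:
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def expected_flow(rule: Dict[str, str], port_reg_value: int) -> Dict[str, str]:
    """Map one security-group rule (fields as printed by the CLI) to the match and
    action the agent is expected to program for the port whose vhu id is port_reg_value."""
    layout = DIRECTION_LAYOUT[rule["direction"]]
    net = ipaddress.ip_network(rule["remote_ip_prefix"], strict=False)
    # ovs-ofctl prints a /32 prefix as a bare address (see the deny flow above)
    addr = str(net.network_address) if net.prefixlen == 32 else str(net)
    return {
        "table": layout["table"],
        "proto": rule["protocol"],
        layout["reg"]: hex(port_reg_value),
        layout["addr"]: addr,
        "actions": "drop" if rule["action"] == "deny" else layout["allow"],
    }


def flow_is_programmed(flows: List[Dict[str, str]], expected: Dict[str, str]) -> bool:
    """True if some dumped flow carries exactly the expected match fields and action."""
    return any(all(f.get(k) == v for k, v in expected.items()) for f in flows)


if __name__ == "__main__":
    flows = parse_dump(PAGE_DUMP)
    deny = {"direction": "ingress", "protocol": "icmp", "action": "deny",
            "remote_ip_prefix": "178.1.3.2/32"}
    print("deny rule programmed on port2:", flow_is_programmed(flows, expected_flow(deny, 0x3)))
```

Run it against a live dump by replacing PAGE_DUMP with the output of `ovs-ofctl dump-flows br-int -O openflow13`; a rule that prints `False` is one the agent has not (yet) turned into a flow, which is the first thing to check when a security-group change appears to have no effect.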

4. Stateful and stateless security groups

Reference: https://ecloud.10086.cn/op-help-center/doc/article/23882

4.1 Overview

Security groups can be divided into stateful security groups and stateless security groups.

A stateful security group tracks the state of each connection and dynamically adds, on demand, a reverse (peer) rule specific to that connection. It provides better protection while still ensuring that the connection's traffic passes normally in both directions.

A stateless security group does not track connections; the system automatically adds a reverse rule instead.

4.2 Conntrack (CT) overview

Network connection state is generally implemented with conntrack (ct).

To support this, OVS added the ct fields to OpenFlow.

4.3 Examples

(1) Stateful security group

Define a stateful security group rule:

Allow TCP from any port to destination address 183.209.49.6/32, port 80.
VM 202.112.52.10 accesses 183.209.49.6:80; source port 50518 is chosen automatically for the connection.

A reverse security rule is added dynamically so that the return traffic passes. The rules at this point are:

1. Allow TCP from source address 202.112.52.10, any port, to destination address 183.209.49.6, port 80

2. Allow TCP from source address 183.209.49.6, source port 80, to 202.112.52.10, port 50518 (dynamic rule)

The dynamic rule opens only port 50518: it lets this connection's traffic through while still blocking access to other ports that were not authorized, which improves security.

For TCP, a stateful security group also checks the TCP flags (SYN, FIN, etc.) when the connection is established and only passes valid TCP connections.

The dynamic rule ages out automatically once the two ends have exchanged no traffic for a period of time.

(2) Stateless security group

A stateless security group does not track connection state and therefore offers better new-connection performance. For example:

Define a stateless security group rule:

Allow TCP from any port to destination address 183.209.49.6, port 80

At this point the security rules on the VM's port are:

Allow TCP from source address 202.112.52.10, any port, to destination address 183.209.49.6, destination port 80

Allow TCP from source address 183.209.49.6, source port 80, to destination address 202.112.52.10, any port

Stateless security groups do not use dynamic rules; the system adds the reverse rule automatically instead. Because a stateless security group does not track individual connections, the security of that reverse rule must be evaluated carefully, and extra rules added where necessary, to avoid creating a hole. As the example shows, the configured rule actually opens access from the peer device to any port on this machine, which in the worst case exposes it to attack.
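To make the difference concrete, here is an added Python model (not the platform's implementation) of the two behaviours described above: a stateful group that admits the reverse direction only for the exact tracked 5-tuple and ages the entry out, and a stateless group whose system-generated reverse rule admits the peer's port 80 to any port on the VM. Addresses and ports are the ones in the text; the 3600 s aging time is the figure stated in section 1.2, applied here as an idle timeout, and a SYN check stands in for the TCP flag validation mentioned above. Both are modelling assumptions.

```python
from typing import Dict, Tuple

# Addresses and rule from the text above: the VM is the instance the security
# group is bound to, the server is the rule's destination.
VM_IP = "202.112.52.10"
SERVER_IP = "183.209.49.6"
RULE = {"dst_ip": SERVER_IP, "dst_port": 80}   # allow TCP, any port -> 183.209.49.6:80
CT_AGE_SECONDS = 3600                           # aging time from section 1.2 (assumed idle timeout)

FiveTuple = Tuple[str, str, int, int]           # (src_ip, dst_ip, src_port, dst_port), TCP only


def rule_allows(src_ip: str, dst_ip: str, sport: int, dport: int) -> bool:
    """Forward-direction match of the configured rule."""
    return dst_ip == RULE["dst_ip"] and dport == RULE["dst_port"]


class StatefulGroup:
    """Tracks connections: the reverse direction is admitted only for the exact
    5-tuple seen going out, new flows must start with SYN, idle entries age out."""

    def __init__(self) -> None:
        self.ct: Dict[FiveTuple, float] = {}     # tracked tuple -> last-seen time

    def _expire(self, now: float) -> None:
        self.ct = {k: t for k, t in self.ct.items() if now - t < CT_AGE_SECONDS}

    def check(self, src_ip: str, dst_ip: str, sport: int, dport: int,
              syn: bool, now: float) -> bool:
        self._expire(now)
        fwd: FiveTuple = (src_ip, dst_ip, sport, dport)
        rev: FiveTuple = (dst_ip, src_ip, dport, sport)
        if fwd in self.ct or rev in self.ct:     # established, either direction
            key = fwd if fwd in self.ct else rev
            self.ct[key] = now                   # refresh the aging timer
            return True
        if syn and rule_allows(src_ip, dst_ip, sport, dport):
            self.ct[fwd] = now                   # new connection: this IS the dynamic reverse rule
            return True
        return False                             # neither a rule match nor a tracked connection


class StatelessGroup:
    """No tracking: the system-added reverse rule admits server:80 to ANY port of the VM."""

    def check(self, src_ip: str, dst_ip: str, sport: int, dport: int,
              syn: bool, now: float) -> bool:
        if rule_allows(src_ip, dst_ip, sport, dport):
            return True
        # reverse rule as listed in the text: src 183.209.49.6:80 -> 202.112.52.10, any port
        return src_ip == RULE["dst_ip"] and sport == RULE["dst_port"] and dst_ip == VM_IP


if __name__ == "__main__":
    for name, group in (("stateful", StatefulGroup()), ("stateless", StatelessGroup())):
        group.check(VM_IP, SERVER_IP, 50518, 80, True, 0.0)          # VM opens the connection
        reply = group.check(SERVER_IP, VM_IP, 80, 50518, False, 1.0)  # legitimate reply
        probe = group.check(SERVER_IP, VM_IP, 80, 22, False, 1.0)     # server:80 -> VM:22
        print(f"{name:9s} reply to 50518: {reply}, unrelated packet to port 22: {probe}")
```

The last line of output is the point of the section: with the stateless group the packet from 183.209.49.6:80 to port 22 on the VM is admitted by the automatic reverse rule, so a stateless group needs an explicit ingress policy of its own rather than relying on the reverse rule.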

5.2 Priority assignment

Formula:

Priority = Base*raw.getPriority + BaseBias + (if (action == Action.drop) DropBias else 0 )

Defaults:

object Prio {
      val Base = 20
      val BaseBias = 10 
      val DropBias = 5
}

5.3 Port-range flow computation

https://rpm.pbone.net/manpage_idpl_23319267_numer_8_nazwa_ovs-ofctl.html

tp_src=port/mask
tp_dst=port/mask
Bitwise match on TCP (or UDP) source or destination port, respectively. The port and mask are 16-bit numbers written in decimal or in hexadecimal prefixed by 0x. Each 1-bit in mask requires that the corresponding bit in port must match. Each 0-bit in mask causes the corresponding bit to be ignored.
Bitwise matches on transport ports are rarely useful in isolation, but a group of them can be used to reduce the number of flows required to match on a range of transport ports. For example, suppose that the goal is to match TCP source ports 1000 to 1999, inclusive. One way is to insert 1000 flows, each of which matches on a single source port. Another way is to look at the binary representations of 1000 and 1999, as follows:
01111101000
11111001111
and then to transform those into a series of bitwise matches that accomplish the same results:
01111101xxx
0111111xxxx
10xxxxxxxxx
110xxxxxxxx
1110xxxxxxx
11110xxxxxx
1111100xxxx
which become the following when written in the syntax required by ovs-ofctl:
tcp,tp_src=0x03e8/0xfff8
tcp,tp_src=0x03f0/0xfff0
tcp,tp_src=0x0400/0xfe00
tcp,tp_src=0x0600/0xff00
tcp,tp_src=0x0700/0xff80
tcp,tp_src=0x0780/0xffc0
tcp,tp_src=0x07c0/0xfff0

Agent conversion source code (the @tailrec annotation needs scala.annotation.tailrec in scope):

  import scala.annotation.tailrec

  // Cover the port range [rangeMin, rangeMax] with (port, mask) pairs usable as tp_src/tp_dst bitwise matches
  def ruleMasking(rangeMin: Int, rangeMax: Int): Seq[(Int, Int)] = {
    val MAX_UINT16 = 0xFFFF
    // Mask of the zero bits below the lowest set bit of n (0b111 for 1000);
    // the final & keeps the mask non-negative so the `or` below never goes negative
    def lowBitMask(n: Int) = ((n & -n) - 1) & MAX_UINT16

    @tailrec
    def iter(low: Int, lst: Seq[(Int, Int)]): Seq[(Int, Int)] = {
      if (low > rangeMax) lst
      else {
        var mask = lowBitMask(low)
        // Shrink the wildcard until the block [low, low | mask] fits inside the range
        while ((low | mask) > rangeMax) mask >>= 1
        // Emit (port, match mask) and continue from the first port after the block
        iter((low | mask) + 1, lst :+ low -> (~mask & MAX_UINT16))
      }
    }

    iter(rangeMin, Seq())
  }
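The same greedy algorithm as the Scala agent code above, as an added Python example (not the agent's own code), together with a converter to the ovs-ofctl syntax and an expansion routine that proves the emitted masks cover exactly the requested range. The ovs-ofctl protocol and field names are parameters with tcp and tp_src as defaults.

```python
from typing import List, Set, Tuple

MAX_UINT16 = 0xFFFF


def low_bit_mask(n: int) -> int:
    """Mask of the zero bits below the lowest set bit of n (0b111 for 1000, 0xffff for 0)."""
    return ((n & -n) - 1) & MAX_UINT16


def rule_masking(range_min: int, range_max: int) -> List[Tuple[int, int]]:
    """Cover [range_min, range_max] with (port, mask) pairs, greedily taking the
    largest aligned block that starts at the current low end and fits in the range."""
    if not 0 <= range_min <= range_max <= MAX_UINT16:
        raise ValueError("port range must satisfy 0 <= min <= max <= 65535")
    pairs: List[Tuple[int, int]] = []
    low = range_min
    while low <= range_max:
        wildcard = low_bit_mask(low)
        while (low | wildcard) > range_max:      # shrink until the block fits
            wildcard >>= 1
        pairs.append((low, ~wildcard & MAX_UINT16))
        low = (low | wildcard) + 1               # first port after the block
    return pairs


def to_ofctl(pairs: List[Tuple[int, int]], proto: str = "tcp", field: str = "tp_src") -> List[str]:
    """Render the pairs in the port/mask syntax ovs-ofctl expects."""
    return [f"{proto},{field}=0x{port:04x}/0x{mask:04x}" for port, mask in pairs]


def covered_ports(pairs: List[Tuple[int, int]]) -> Set[int]:
    """Expand every (port, mask) back into the concrete ports it matches.
    Used to verify that the cover is exact: nothing missing, nothing extra."""
    ports: Set[int] = set()
    for port, mask in pairs:
        ports.update(p for p in range(MAX_UINT16 + 1) if (p & mask) == (port & mask))
    return ports


def exact_cover(range_min: int, range_max: int) -> bool:
    """True if rule_masking() matches precisely the ports in the range."""
    return covered_ports(rule_masking(range_min, range_max)) == set(range(range_min, range_max + 1))


if __name__ == "__main__":
    for line in to_ofctl(rule_masking(1000, 1999)):
        print(line)
    print("exact cover of 1000-1999:", exact_cover(1000, 1999))
```

The check in exact_cover is what you want before trusting a range rule in production: a mask that is one bit too wide silently admits ports outside the range, and that error is invisible in the flow dump unless you expand the masks.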