While working with neutron-fwaas I noticed an interesting phenomenon.
When I added a rule allowing packets with destination IP 114.114.114.114 through the firewall, the virtual machines inside could ping 114.114.114.114.
But thinking about it more carefully, shouldn't that be a problem? Even if the internal ping packets to 114.114.114.114 are allowed through the firewall, the packets returned by 114.114.114.114 still shouldn't be able to get through.
So I looked at how iptables changed to see exactly which rules were added that let the returning packets through.
The blue part is the change in iptables after adding this rule and creating the firewall; as you can see, several custom chains were added to the FORWARD chain of the filter table.
Let's take a closer look at what the filter table looks like:
ip netns exec qrouter-b83802c4-801a-4ff1-b8c7-8c585ed25669 iptables -t filter -nL
Result:
Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-l3-agent-local all -- 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-FORWARD (1 references)
target prot opt source destination
neutron-l3-agent-scope all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-iv45f2bd4c9 all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-ov45f2bd4c9 all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-fwaas-defau all -- 0.0.0.0/0 0.0.0.0/0
neutron-l3-agent-fwaas-defau all -- 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-INPUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x1/0xffff
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9697
Chain neutron-l3-agent-OUTPUT (1 references)
target prot opt source destination
Chain neutron-l3-agent-fwaas-defau (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-iv45f2bd4c9 (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 114.114.114.114
Chain neutron-l3-agent-local (1 references)
target prot opt source destination
Chain neutron-l3-agent-ov45f2bd4c9 (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 114.114.114.114
Chain neutron-l3-agent-scope (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4000000/0xffff0000
DROP all -- 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4000000/0xffff0000
Several custom chains were added to the FORWARD chain in the filter table; the important ones are these:
Chain neutron-l3-agent-iv45f2bd4c9 (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 114.114.114.114
Chain neutron-l3-agent-local (1 references)
target prot opt source destination
Chain neutron-l3-agent-ov45f2bd4c9 (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 114.114.114.114
See that? A state match is used here. It means packets in the ESTABLISHED or RELATED state are let through. What does that mean in practice? When a local host pings 114.114.114.114, every subsequent packet received from 114.114.114.114 is in the ESTABLISHED state and passes directly, so there is no need to add a separate rule allowing packets whose source IP is 114.114.114.114.
This can be verified:
ip netns exec qrouter-b83802c4-801a-4ff1-b8c7-8c585ed25669 iptables -t filter -D neutron-l3-agent-ov45f2bd4c9 2
After deleting the rule with state RELATED,ESTABLISHED, the ping no longer works.
2. Understanding RELATED,ESTABLISHED
I was asked about this in an interview and was stumped at the time... Afterwards I googled it, and a good explanation is the following:
Consider a NEW packet a telephone call before the receiver has picked up. An ESTABLISHED packet is their "Hello." And a RELATED packet would be if you were calling to tell them about an e-mail you were about to send them. (The e-mail being RELATED.)
In case my analogy isn't so great, I personally think the man pages handle it well:
NEW -- meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and
ESTABLISHED -- meaning that the packet is associated with a connection which has seen packets in both directions,
RELATED -- meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.
NEW corresponds to the first packet the client sends; ESTABLISHED means that after the client sent a packet to the server, the server answered it normally. This is not limited to TCP; ICMP and UDP work the same way.
3. Can ARP pass through?
No. What you are describing needs arptables.
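To make the state match in the chain above and the NEW/ESTABLISHED/RELATED definitions in this section concrete, here is an added example of my own (not neutron or kernel code): a toy model of conntrack's bookkeeping for ICMP echo flows that walks the four rules exactly as printed, with stateful=False reproducing the rule-deletion experiment. The VM address 10.0.0.5, the router address 10.0.0.1 and all function names are constructed for the example.

```python
# Added example, not neutron or kernel code: a toy model of the chain printed above
# (DROP INVALID; ACCEPT RELATED,ESTABLISHED; ACCEPT icmp -> 114.114.114.114; then DROP).
VM = "10.0.0.5"          # constructed tenant VM address (assumption)
DNS = "114.114.114.114"  # the destination the post allowed through the firewall

def echo(src, dst, kind, ident=1):
    return {"type": kind, "src": src, "dst": dst, "id": ident}
def icmp_error(src, dst, inner):  # e.g. destination-unreachable quoting the offending packet
    return {"type": "dest-unreach", "src": src, "dst": dst, "inner": inner}

class Conntrack:
    def __init__(self):
        self.table = {}  # flow key -> True once a reply has been seen

    @staticmethod
    def key(pkt):  # normalise to the request direction, like conntrack's original tuple
        s, d = (pkt["src"], pkt["dst"]) if pkt["type"] == "echo-request" else (pkt["dst"], pkt["src"])
        return (s, d, pkt["id"])

    def state(self, pkt):
        if pkt["type"] == "dest-unreach":  # RELATED only if the quoted packet's flow is known
            return "RELATED" if self.key(pkt["inner"]) in self.table else "INVALID"
        k = self.key(pkt)
        if k not in self.table:  # a reply nobody asked for is INVALID, anything else is NEW
            return "INVALID" if pkt["type"] == "echo-reply" else "NEW"
        if pkt["type"] == "echo-reply":
            self.table[k] = True  # packets now seen in both directions
        return "ESTABLISHED" if self.table[k] else "NEW"

    def confirm(self, pkt):  # errors never create entries of their own
        if pkt["type"] != "dest-unreach":
            self.table.setdefault(self.key(pkt), False)

def verdict(ct, pkt, stateful=True):
    # stateful=False reproduces the post's 'iptables -D ... 2', which deleted rule 2
    st = ct.state(pkt)
    if st == "INVALID":
        return "DROP"
    if (stateful and st in ("RELATED", "ESTABLISHED")) or pkt["dst"] == DNS:  # rules 2 and 3
        ct.confirm(pkt)  # like the kernel, only an ACCEPTed packet creates an entry
        return "ACCEPT"
    return "DROP"  # nothing matched: neutron-l3-agent-fwaas-defau drops it

def ping_exchange(stateful=True):
    # request out, its reply back, an unsolicited request from DNS, an error about our request
    ct = Conntrack()
    req, rep = echo(VM, DNS, "echo-request"), echo(DNS, VM, "echo-reply")
    unsolicited, err = echo(DNS, VM, "echo-request"), icmp_error("10.0.0.1", VM, req)
    return [verdict(ct, p, stateful) for p in (req, rep, unsolicited, err)]
```

Note that the unsolicited echo request from 114.114.114.114 is still NEW even though it uses the same echo id, because the request direction is part of the flow key, so the state rule never opens the VM to inbound traffic that it did not initiate.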