Analysis of iptables security groups on computing nodes

I have previously introduced the implementation of Neutron security groups based on iptables and conntrack (ct). Let's analyze the iptables rules that Neutron security groups install on a compute node, to deepen our understanding of both iptables and the security-group implementation. (PS: the following is based on OpenStack Stein.)

View the iptables rules on a compute node:
# iptables -nvL

Check the rules of the INPUT, FORWARD and OUTPUT chains in turn; inspecting the output shows that Neutron installs its rules in the INPUT and FORWARD chains.

**1. INPUT chain**

Generally speaking, all INPUT traffic coming from a virtual machine is handed to that virtual machine's security-group chain.

Chain INPUT (policy ACCEPT 4914K packets, 2696M bytes)
 pkts bytes target prot opt in out source destination
 251M 48G neutron-openvswi-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

The INPUT chain jumps all traffic, whatever its source, to the neutron-openvswi-INPUT sub-chain:

Chain neutron-openvswi-INPUT (1 references)
 pkts bytes target prot opt in out source destination
    0 0 neutron-openvswi-o323ef4ca-8 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap323ef4ca-8a --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
    0 0 neutron-openvswi-oa937d188-d all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapa937d188-d6 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */

As can be seen above, the neutron-openvswi-INPUT chain sends traffic entering the bridge from tap323ef4ca-8a and tapa937d188-d6 (matched with --physdev-in) to the two security group sub-chains neutron-openvswi-o323ef4ca-8 and neutron-openvswi-oa937d188-d. Let's take a look at these two security group sub-chains.

Chain neutron-openvswi-o323ef4ca-8 (2 references)
 pkts bytes target prot opt in out source destination
    2 656 RETURN udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
 460K 109M neutron-openvswi-s323ef4ca-8 all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
 231K 94M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
 229K 15M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* priority:1 */
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */


Chain neutron-openvswi-oa937d188-d (2 references)
 pkts bytes target prot opt in out source destination
    2 656 RETURN udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
 428K 108M neutron-openvswi-sa937d188-d all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
 213K 94M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
 215K 14M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* priority:1 */
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */

**2. FORWARD chain**

The FORWARD chain first jumps to the neutron-filter-top sub-chain, which in turn jumps to neutron-openvswi-local. Since neutron-openvswi-local is an empty chain, processing falls off its end and returns to neutron-filter-top, and then to the parent FORWARD chain, so the first FORWARD rule is effectively a no-op here.

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
1505K 824M neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
1505K 824M neutron-openvswi-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
  700 75498 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
  700 75498 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
  420 44194 ACCEPT all -- * * 192.168.1.0/24 0.0.0.0/0
  280 31304 ACCEPT all -- * * 0.0.0.0/0 192.168.1.0/24

Chain neutron-filter-top (2 references)
 pkts bytes target prot opt in out source destination
 283M 57G neutron-openvswi-local all -- * * 0.0.0.0/0 0.0.0.0/0

Chain neutron-openvswi-local (1 references)
 pkts bytes target prot opt in out source destination

After returning to the FORWARD chain, matching continues with the second rule, which jumps to neutron-openvswi-FORWARD. The rules of this chain are:

Chain neutron-openvswi-FORWARD (1 references)
 pkts bytes target prot opt in out source destination
 334K 306M neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap323ef4ca-8a --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
 482K 115M neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap323ef4ca-8a --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
 309K 304M neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tapa937d188-d6 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
 449K 114M neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapa937d188-d6 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap344c3926-f5 --physdev-is-bridged /* Accept all packets when port is trusted. */
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap344c3926-f5 --physdev-is-bridged /* Accept all packets when port is trusted. */

There are 6 rules in this chain in total; the first 4 are the inbound and outbound rules for the tap devices that correspond to the virtual machine ports.

tapa937d188-d6 is the tap device corresponding to a virtual machine port (the name is tap + the first 11 characters of the port UUID). The first 4 rules send both the inbound and the outbound packets of these tap devices to the sub-chain neutron-openvswi-sg-chain for processing. The remaining 2 rules ACCEPT all traffic of tap344c3926-f5 unconditionally, because that port is marked as trusted (see the rule comment), so it bypasses the security-group chains entirely.

Let's continue by looking at the neutron-openvswi-sg-chain chain:

Chain neutron-openvswi-sg-chain (4 references)
 pkts bytes target prot opt in out source destination
 334K 306M neutron-openvswi-i323ef4ca-8 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap323ef4ca-8a --physdev-is-bridged /* Jump to the VM specific chain. */
 482K 115M neutron-openvswi-o323ef4ca-8 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap323ef4ca-8a --physdev-is-bridged /* Jump to the VM specific chain. */
 309K 304M neutron-openvswi-ia937d188-d all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tapa937d188-d6 --physdev-is-bridged /* Jump to the VM specific chain. */
 449K 114M neutron-openvswi-oa937d188-d all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapa937d188-d6 --physdev-is-bridged /* Jump to the VM specific chain. */
1574K 839M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

From the rules we can see:

  • --physdev-out tapa937d188-d6 matches packets that leave the bridge towards the virtual machine through tapa937d188-d6; they are processed by the sub-chain neutron-openvswi-ia937d188-d, that is, the virtual machine's inbound traffic.
  • --physdev-in tap323ef4ca-8a matches packets that the virtual machine sends into the bridge through tap323ef4ca-8a; they are processed by the sub-chain neutron-openvswi-o323ef4ca-8, that is, the virtual machine's outbound traffic.

**2.1 Security group inbound direction rules**

Chain neutron-openvswi-ia937d188-d (1 references)
 pkts bytes target prot opt in out source destination
 309K 304M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
    0 0 RETURN udp -- * * 0.0.0.0/0 172.16.1.118 udp spt:67 dpt:68 /* priority:1 */
    2 684 RETURN udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68 /* priority:1 */
    5 436 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 /* priority:1 */
   78 3160 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* priority:1 */
    0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* priority:1 */
    0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 1:65535 /* priority:1 */
    0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp multiport dports 1:65535 /* priority:1 */
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */

**2.2 Security group outbound direction rules**

Chain neutron-openvswi-oa937d188-d (2 references)
 pkts bytes target prot opt in out source destination
    2 656 RETURN udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
 449K 114M neutron-openvswi-sa937d188-d all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
 222K 99M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
 226K 15M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* priority:1 */
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */
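To make the traversal concrete, here is an added example (not code from the page, and not Neutron's own code) that walks a packet through the FORWARD path described in section 2 and evaluates the inbound and outbound chains of sections 2.1 and 2.2 for the port tapa937d188-d6. The VM address 172.16.1.118 is taken from the page's DHCP rule. Two chains the page does not list are assumed: neutron-openvswi-sa937d188-d is modelled as "RETURN for the port's own source IP, DROP everything else", and neutron-openvswi-sg-fallback as a single DROP. The inbound chain deliberately leaves out the page's allow-everything rules (the `RETURN all /* priority:1 */` rule and the two `multiport dports 1:65535` rules); with those present, every inbound packet RETURNs before the `state INVALID` DROP and the fallback jump are ever reached, which is worth noticing when you read such a dump. Matching is simplified to exact addresses, ports, conntrack state and physdev names.

```python
"""Toy iptables chain walker for the Neutron security-group layout above.

Added example; assumptions: contents of the s-chain and sg-fallback chain
(not shown on the page), the VM's IP 172.16.1.118, and simplified matching.
"""
from dataclasses import dataclass, field

TAP = "tapa937d188-d6"
VM_IP = "172.16.1.118"


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    state: str = "NEW"         # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    physdev_in: str = ""       # bridge port the frame came in on  (VM egress)
    physdev_out: str = ""      # bridge port the frame goes out on (VM ingress)


@dataclass
class Rule:
    target: str                # user chain name, or RETURN / ACCEPT / DROP
    match: dict = field(default_factory=dict)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every key present in rule.match must agree with the packet; absent key = any."""
    m = rule.match
    return all((
        m.get("proto", pkt.proto) == pkt.proto,
        m.get("src", pkt.src) == pkt.src,
        m.get("dst", pkt.dst) == pkt.dst,
        m.get("sport", pkt.sport) == pkt.sport,
        m.get("dport", pkt.dport) == pkt.dport,
        pkt.state in m.get("state", {pkt.state}),
        m.get("physdev_in", pkt.physdev_in) == pkt.physdev_in,
        m.get("physdev_out", pkt.physdev_out) == pkt.physdev_out,
    ))


CHAINS = {
    "FORWARD": [Rule("neutron-filter-top"), Rule("neutron-openvswi-FORWARD")],
    "neutron-filter-top": [Rule("neutron-openvswi-local")],
    "neutron-openvswi-local": [],                      # empty on the page: falls through
    "neutron-openvswi-FORWARD": [
        Rule("neutron-openvswi-sg-chain", {"physdev_out": TAP}),
        Rule("neutron-openvswi-sg-chain", {"physdev_in": TAP}),
    ],
    "neutron-openvswi-sg-chain": [
        Rule("neutron-openvswi-ia937d188-d", {"physdev_out": TAP}),   # VM inbound
        Rule("neutron-openvswi-oa937d188-d", {"physdev_in": TAP}),    # VM outbound
        Rule("ACCEPT"),                                               # reached after a RETURN
    ],
    "neutron-openvswi-ia937d188-d": [                  # inbound, without the allow-all rules
        Rule("RETURN", {"state": {"RELATED", "ESTABLISHED"}}),
        Rule("RETURN", {"proto": "udp", "dst": VM_IP, "sport": 67, "dport": 68}),
        Rule("RETURN", {"proto": "udp", "dst": "255.255.255.255", "sport": 67, "dport": 68}),
        Rule("RETURN", {"proto": "icmp"}),
        Rule("RETURN", {"proto": "tcp", "dport": 22}),
        Rule("DROP", {"state": {"INVALID"}}),
        Rule("neutron-openvswi-sg-fallback"),
    ],
    "neutron-openvswi-oa937d188-d": [                  # outbound, as on the page
        Rule("RETURN", {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "sport": 68, "dport": 67}),
        Rule("neutron-openvswi-sa937d188-d"),           # anti-spoofing check
        Rule("RETURN", {"proto": "udp", "sport": 68, "dport": 67}),
        Rule("DROP", {"proto": "udp", "sport": 67, "dport": 68}),   # VM acting as DHCP server
        Rule("RETURN", {"state": {"RELATED", "ESTABLISHED"}}),
        Rule("RETURN"),                                 # priority:1 allow-all egress
        Rule("DROP", {"state": {"INVALID"}}),
        Rule("neutron-openvswi-sg-fallback"),
    ],
    # Assumed (not shown on the page): allow only the port's own IP as source.
    "neutron-openvswi-sa937d188-d": [Rule("RETURN", {"src": VM_IP}), Rule("DROP")],
    # Assumed (not shown on the page): default drop for unmatched traffic.
    "neutron-openvswi-sg-fallback": [Rule("DROP")],
}


def walk(chains, name, pkt, trace):
    """Evaluate one chain; return ACCEPT/DROP, or None when the chain RETURNs
    (explicitly, or by running off its end) so that the caller continues."""
    trace.append(name)
    for rule in chains[name]:
        if not matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            trace.append(f"{rule.target} in {name}")
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt, trace)
        if verdict is not None:
            return verdict
    return None


def evaluate(pkt, chains=CHAINS):
    """Return (verdict, chain trace) for a bridged packet entering FORWARD."""
    trace = []
    verdict = walk(chains, "FORWARD", pkt, trace)
    return (verdict or "ACCEPT"), trace     # FORWARD policy is ACCEPT on the page


# Constructed sample packets (positional order: proto, src, dst, sport, dport, state).
SAMPLES = {
    "egress_dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67, physdev_in=TAP),
    "egress_http":          Packet("tcp", VM_IP, "10.0.0.5", 40000, 80, physdev_in=TAP),
    "egress_dhcp_offer":    Packet("udp", VM_IP, "255.255.255.255", 67, 68, physdev_in=TAP),
    "egress_spoofed_src":   Packet("tcp", "172.16.1.250", "10.0.0.5", 40000, 80, physdev_in=TAP),
    "ingress_ssh":          Packet("tcp", "10.0.0.5", VM_IP, 50000, 22, physdev_out=TAP),
    "ingress_rdp":          Packet("tcp", "10.0.0.5", VM_IP, 50000, 3389, physdev_out=TAP),
    "ingress_invalid":      Packet("tcp", "10.0.0.5", VM_IP, 50000, 3389, "INVALID", physdev_out=TAP),
    "ingress_reply":        Packet("tcp", "10.0.0.5", VM_IP, 80, 40000, "ESTABLISHED", physdev_out=TAP),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        verdict, trace = evaluate(pkt)
        print(f"{label:22} {verdict:6} {' -> '.join(trace)}")
```

Running it prints one line per sample with the chain trace; the egress traces show neutron-filter-top and neutron-openvswi-local being entered and left without effect, the forged DHCP offer and the spoofed source are dropped in the outbound chain and the s-chain respectively, and the unmatched inbound connection ends in the fallback chain while the INVALID packet is dropped inside the inbound chain itself.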