I. Create a security group for testing
openstack security group create SECURITY_GROUP_NAME --description GROUP_DESCRIPTION
$ openstack security group create 测试安全组 --description '这是一个用于测试的安全组'
+-----------------+--------------------------------------------------+
| Field           | Value                                            |
+-----------------+--------------------------------------------------+
| created_at      | 2020-07-30T15:35:12Z |
| description     | 这是一个用于测试的安全组 |
| id              | 86e3bce1-3608-4d79-aa8d-0f47c205e227 |
| location        | cloud='', project.domain_id='default', project.domain_name=, project.id='5df4e0c1c68647ef800e7904d455b58d', project.name='admin', region_name='RegionOne', zone= |
| name            | 测试安全组 |
| project_id      | 5df4e0c1c68647ef800e7904d455b58d |
| revision_number | 1 |
| rules           | created_at='2020-07-30T15:35:12Z', direction='egress', ethertype='IPv6', id='2b0a0c2b-a08e-492e-8429-ba8ff1522862', updated_at='2020-07-30T15:35:12Z' |
|                 | created_at='2020-07-30T15:35:12Z', direction='egress', ethertype='IPv4', id='a7a9f21e-5d7f-4ed6-8455-9bf249d838de', updated_at='2020-07-30T15:35:12Z' |
| tags            | [] |
| updated_at      | 2020-07-30T15:35:12Z |
+-----------------+--------------------------------------------------+

As the `rules` field shows, a freshly created group has no ingress rules and two egress rules (one IPv4, one IPv6) that allow all outbound traffic. Note the group ID (86e3bce1-3608-4d79-aa8d-0f47c205e227); every command below refers to it.
II. Add rules to the security group
1. Delete the default rules
$ openstack security group rule delete 2b0a0c2b-a08e-492e-8429-ba8ff1522862
$ openstack security group rule delete a7a9f21e-5d7f-4ed6-8455-9bf249d838de
$ openstack security group show 86e3bce1-3608-4d79-aa8d-0f47c205e227
+-----------------+--------------------------------------------------+
| Field           | Value                                            |
+-----------------+--------------------------------------------------+
| created_at      | 2020-07-30T15:35:12Z |
| description     | 这是一个用于测试的安全组 |
| id              | 86e3bce1-3608-4d79-aa8d-0f47c205e227 |
| location        | cloud='', project.domain_id='default', project.domain_name=, project.id='5df4e0c1c68647ef800e7904d455b58d', project.name='admin', region_name='RegionOne', zone= |
| name            | 测试安全组 |
| project_id      | 5df4e0c1c68647ef800e7904d455b58d |
| revision_number | 3 |
| rules           | |
| tags            | [] |
| updated_at      | 2020-07-30T15:39:15Z |
+-----------------+--------------------------------------------------+

With both default rules gone the group is empty. Security groups only permit traffic that some rule matches, so a port that carries only this group can neither send nor receive anything until rules are added.
2. Add allow-all egress rules
$ openstack security group rule create --egress --ethertype IPv4 --description "放行IPV4所有流量出去" 86e3bce1-3608-4d79-aa8d-0f47c205e227
+-------------------+--------------------------------------------------+
| Field             | Value                                            |
+-------------------+--------------------------------------------------+
| created_at        | 2020-07-30T15:48:28Z |
| description       | 放行IPV4所有流量出去 |
| direction         | egress |
| ether_type        | IPv4 |
| id                | d8967eea-4cad-4466-9f0e-c7ba501a12d4 |
| location          | cloud='', project.domain_id='default', project.domain_name=, project.id='5df4e0c1c68647ef800e7904d455b58d', project.name='admin', region_name='RegionOne', zone= |
| name              | None |
| port_range_max    | None |
| port_range_min    | None |
| project_id        | 5df4e0c1c68647ef800e7904d455b58d |
| protocol          | None |
| remote_group_id   | None |
| remote_ip_prefix  | 0.0.0.0/0 |
| revision_number   | 0 |
| security_group_id | 86e3bce1-3608-4d79-aa8d-0f47c205e227 |
| tags              | [] |
| updated_at        | 2020-07-30T15:48:28Z |
+-------------------+--------------------------------------------------+
$ openstack security group rule create --egress --ethertype IPv6 --description "放行IPV6所有流量出去" 86e3bce1-3608-4d79-aa8d-0f47c205e227
+-------------------+--------------------------------------------------+
| Field             | Value                                            |
+-------------------+--------------------------------------------------+
| created_at        | 2020-07-30T15:48:37Z |
| description       | 放行IPV6所有流量出去 |
| direction         | egress |
| ether_type        | IPv6 |
| id                | e3fc1615-b3dc-4a84-aab7-30c461e5fb76 |
| location          | cloud='', project.domain_id='default', project.domain_name=, project.id='5df4e0c1c68647ef800e7904d455b58d', project.name='admin', region_name='RegionOne', zone= |
| name              | None |
| port_range_max    | None |
| port_range_min    | None |
| project_id        | 5df4e0c1c68647ef800e7904d455b58d |
| protocol          | None |
| remote_group_id   | None |
| remote_ip_prefix  | ::/0 |
| revision_number   | 0 |
| security_group_id | 86e3bce1-3608-4d79-aa8d-0f47c205e227 |
| tags              | [] |
| updated_at        | 2020-07-30T15:48:37Z |
+-------------------+--------------------------------------------------+
$ openstack security group show 86e3bce1-3608-4d79-aa8d-0f47c205e227
+-----------------+--------------------------------------------------+
| Field           | Value                                            |
+-----------------+--------------------------------------------------+
| created_at      | 2020-07-30T15:35:12Z |
| description     | 这是一个用于测试的安全组 |
| id              | 86e3bce1-3608-4d79-aa8d-0f47c205e227 |
| location        | cloud='', project.domain_id='default', project.domain_name=, project.id='5df4e0c1c68647ef800e7904d455b58d', project.name='admin', region_name='RegionOne', zone= |
| name            | 测试安全组 |
| project_id      | 5df4e0c1c68647ef800e7904d455b58d |
| revision_number | 7 |
| rules           | created_at='2020-07-30T15:48:28Z', description='放行IPV4所有流量出去', direction='egress', ethertype='IPv4', id='d8967eea-4cad-4466-9f0e-c7ba501a12d4', remote_ip_prefix='0.0.0.0/0', updated_at='2020-07-30T15:48:28Z' |
|                 | created_at='2020-07-30T15:48:37Z', description='放行IPV6所有流量出去', direction='egress', ethertype='IPv6', id='e3fc1615-b3dc-4a84-aab7-30c461e5fb76', remote_ip_prefix='::/0', updated_at='2020-07-30T15:48:37Z' |
| tags            | [] |
| updated_at      | 2020-07-30T15:48:37Z |
+-----------------+--------------------------------------------------+

These two rules (any protocol, any port, to 0.0.0.0/0 and ::/0) are functionally the same as the defaults deleted in step 1; deleting and re-creating them only attaches a description. With no `--remote-ip` given, the CLI fills in 0.0.0.0/0 for IPv4 and ::/0 for IPv6.
3. Add an ICMP rule
$ openstack security group rule create --ingress --protocol icmp --description "允许PING" 86e3bce1-3608-4d79-aa8d-0f47c205e227
+-------------------+--------------------------------------------------+
| Field             | Value                                            |
+-------------------+--------------------------------------------------+
| created_at        | 2020-07-30T15:51:57Z |
| description       | 允许PING |
| direction         | ingress |
| ether_type        | IPv4 |
| id                | 50fc9d9d-6dce-45bc-b7dc-3718611906b8 |
| location          | cloud='', project.domain_id='default', project.domain_name=, project.id='5df4e0c1c68647ef800e7904d455b58d', project.name='admin', region_name='RegionOne', zone= |
| name              | None |
| port_range_max    | None |
| port_range_min    | None |
| project_id        | 5df4e0c1c68647ef800e7904d455b58d |
| protocol          | icmp |
| remote_group_id   | None |
| remote_ip_prefix  | 0.0.0.0/0 |
| revision_number   | 0 |
| security_group_id | 86e3bce1-3608-4d79-aa8d-0f47c205e227 |
| tags              | [] |
| updated_at        | 2020-07-30T15:51:57Z |
+-------------------+--------------------------------------------------+
$ openstack security group show 86e3bce1-3608-4d79-aa8d-0f47c205e227
+-----------------+--------------------------------------------------+
| Field           | Value                                            |
+-----------------+--------------------------------------------------+
| created_at      | 2020-07-30T15:35:12Z |
| description     | 这是一个用于测试的安全组 |
| id              | 86e3bce1-3608-4d79-aa8d-0f47c205e227 |
| location        | cloud='', project.domain_id='default', project.domain_name=, project.id='5df4e0c1c68647ef800e7904d455b58d', project.name='admin', region_name='RegionOne', zone= |
| name            | 测试安全组 |
| project_id      | 5df4e0c1c68647ef800e7904d455b58d |
| revision_number | 8 |
| rules           | created_at='2020-07-30T15:51:57Z', description='允许PING', direction='ingress', ethertype='IPv4', id='50fc9d9d-6dce-45bc-b7dc-3718611906b8', protocol='icmp', remote_ip_prefix='0.0.0.0/0', updated_at='2020-07-30T15:51:57Z' |
|                 | created_at='2020-07-30T15:48:28Z', description='放行IPV4所有流量出去', direction='egress', ethertype='IPv4', id='d8967eea-4cad-4466-9f0e-c7ba501a12d4', remote_ip_prefix='0.0.0.0/0', updated_at='2020-07-30T15:48:28Z' |
|                 | created_at='2020-07-30T15:48:37Z', description='放行IPV6所有流量出去', direction='egress', ethertype='IPv6', id='e3fc1615-b3dc-4a84-aab7-30c461e5fb76', remote_ip_prefix='::/0', updated_at='2020-07-30T15:48:37Z' |
| tags            | [] |
| updated_at      | 2020-07-30T15:51:57Z |
+-----------------+--------------------------------------------------+

`--protocol icmp` without `--ethertype` creates an IPv4 rule (see `ether_type` in the output), so this opens ping over IPv4 only, from any source (0.0.0.0/0). An IPv6 ping rule is a separate rule with `--ethertype IPv6 --protocol ipv6-icmp`.
4. Allow SSH from one specific IP and the web ports from any IP
$ openstack security group rule create --ingress --ethertype IPv4 --protocol tcp --dst-port 22:22 --remote-ip 172.30.100.100 --description "SSH_PORT_ACCEPT" 86e3bce1-3608-4d79-aa8d-0f47c205e227
+-------------------+--------------------------------------------------+
| Field             | Value                                            |
+-------------------+--------------------------------------------------+
| created_at        | 2020-07-30T16:00:17Z |
| description       | SSH_PORT_ACCEPT |
| direction         | ingress |
| ether_type        | IPv4 |
| id                | 3326f295-4e00-41ba-a560-e9623534ee75 |
| location          | cloud='', project.domain_id='default', project.domain_name=, project.id='5df4e0c1c68647ef800e7904d455b58d', project.name='admin', region_name='RegionOne', zone= |
| name              | None |
| port_range_max    | 22 |
| port_range_min    | 22 |
| project_id        | 5df4e0c1c68647ef800e7904d455b58d |
| protocol          | tcp |
| remote_group_id   | None |
| remote_ip_prefix  | 172.30.100.100/32 |
| revision_number   | 0 |
| security_group_id | 86e3bce1-3608-4d79-aa8d-0f47c205e227 |
| tags              | [] |
| updated_at        | 2020-07-30T16:00:17Z |
+-------------------+--------------------------------------------------+
$ openstack security group rule create --ingress --ethertype IPv6 --protocol tcp --dst-port 22:22 --remote-ip 2404:eb40::100 --description "SSH_PORT_ACCEPT" 86e3bce1-3608-4d79-aa8d-0f47c205e227
+-------------------+--------------------------------------------------+
| Field             | Value                                            |
+-------------------+--------------------------------------------------+
| created_at        | 2020-07-30T16:00:31Z |
| description       | SSH_PORT_ACCEPT |
| direction         | ingress |
| ether_type        | IPv6 |
| id                | 1aaa272b-3ee0-4acb-8f66-d40babd6e4c8 |
| location          | cloud='', project.domain_id='default', project.domain_name=, project.id='5df4e0c1c68647ef800e7904d455b58d', project.name='admin', region_name='RegionOne', zone= |
| name              | None |
| port_range_max    | 22 |
| port_range_min    | 22 |
| project_id        | 5df4e0c1c68647ef800e7904d455b58d |
| protocol          | tcp |
| remote_group_id   | None |
| remote_ip_prefix  | 2404:eb40::100/128 |
| revision_number   | 0 |
| security_group_id | 86e3bce1-3608-4d79-aa8d-0f47c205e227 |
| tags              | [] |
| updated_at        | 2020-07-30T16:00:31Z |
+-------------------+--------------------------------------------------+

A bare address given to `--remote-ip` is stored as a host prefix (/32 for IPv4, /128 for IPv6), so only that one source can reach port 22. `--dst-port 22:22` is the same as `--dst-port 22`.
$ openstack security group rule create --ingress --ethertype IPv4 --protocol tcp --dst-port 80:80 --description "HTTP_PORT_ACCEPT" 86e3bce1-3608-4d79-aa8d-0f47c205e227
+-------------------+--------------------------------------------------+
| Field             | Value                                            |
+-------------------+--------------------------------------------------+
| created_at        | 2020-07-30T16:01:22Z |
| description       | HTTP_PORT_ACCEPT |
| direction         | ingress |
| ether_type        | IPv4 |
| id                | 76030ba4-e402-455a-9e19-1e23dba88d01 |
| location          | cloud='', project.domain_id='default', project.domain_name=, project.id='5df4e0c1c68647ef800e7904d455b58d', project.name='admin', region_name='RegionOne', zone= |
| name              | None |
| port_range_max    | 80 |
| port_range_min    | 80 |
| project_id        | 5df4e0c1c68647ef800e7904d455b58d |
| protocol          | tcp |
| remote_group_id   | None |
| remote_ip_prefix  | 0.0.0.0/0 |
| revision_number   | 0 |
| security_group_id | 86e3bce1-3608-4d79-aa8d-0f47c205e227 |
| tags              | [] |
| updated_at        | 2020-07-30T16:01:22Z |
+-------------------+--------------------------------------------------+
$ openstack security group rule create --ingress --ethertype IPv4 --protocol tcp --dst-port 443:443 --description "HTTP_PORT_ACCEPT" 86e3bce1-3608-4d79-aa8d-0f47c205e227
+-------------------+--------------------------------------------------+
| Field             | Value                                            |
+-------------------+--------------------------------------------------+
| created_at        | 2020-07-30T16:01:29Z |
| description       | HTTP_PORT_ACCEPT |
| direction         | ingress |
| ether_type        | IPv4 |
| id                | c7510f8a-5fc4-44fe-bd18-025db970c7b0 |
| location          | cloud='', project.domain_id='default', project.domain_name=, project.id='5df4e0c1c68647ef800e7904d455b58d', project.name='admin', region_name='RegionOne', zone= |
| name              | None |
| port_range_max    | 443 |
| port_range_min    | 443 |
| project_id        | 5df4e0c1c68647ef800e7904d455b58d |
| protocol          | tcp |
| remote_group_id   | None |
| remote_ip_prefix  | 0.0.0.0/0 |
| revision_number   | 0 |
| security_group_id | 86e3bce1-3608-4d79-aa8d-0f47c205e227 |
| tags              | [] |
| updated_at        | 2020-07-30T16:01:29Z |
+-------------------+--------------------------------------------------+
$ openstack security group rule create --ingress --ethertype IPv6 --protocol tcp --dst-port 80:80 --description "HTTP_PORT_ACCEPT" 86e3bce1-3608-4d79-aa8d-0f47c205e227
+-------------------+--------------------------------------------------+
| Field             | Value                                            |
+-------------------+--------------------------------------------------+
| created_at        | 2020-07-30T16:01:37Z |
| description       | HTTP_PORT_ACCEPT |
| direction         | ingress |
| ether_type        | IPv6 |
| id                | 07bfc115-0751-4cf7-8f54-be4d4a34f64c |
| location          | cloud='', project.domain_id='default', project.domain_name=, project.id='5df4e0c1c68647ef800e7904d455b58d', project.name='admin', region_name='RegionOne', zone= |
| name              | None |
| port_range_max    | 80 |
| port_range_min    | 80 |
| project_id        | 5df4e0c1c68647ef800e7904d455b58d |
| protocol          | tcp |
| remote_group_id   | None |
| remote_ip_prefix  | ::/0 |
| revision_number   | 0 |
| security_group_id | 86e3bce1-3608-4d79-aa8d-0f47c205e227 |
| tags              | [] |
| updated_at        | 2020-07-30T16:01:37Z |
+-------------------+--------------------------------------------------+
$ openstack security group rule create --ingress --ethertype IPv6 --protocol tcp --dst-port 443:443 --description "HTTP_PORT_ACCEPT" 86e3bce1-3608-4d79-aa8d-0f47c205e227
+-------------------+--------------------------------------------------+
| Field             | Value                                            |
+-------------------+--------------------------------------------------+
| created_at        | 2020-07-30T16:01:45Z |
| description       | HTTP_PORT_ACCEPT |
| direction         | ingress |
| ether_type        | IPv6 |
| id                | 597b0409-7512-4aea-ac12-a541fc37b802 |
| location          | cloud='', project.domain_id='default', project.domain_name=, project.id='5df4e0c1c68647ef800e7904d455b58d', project.name='admin', region_name='RegionOne', zone= |
| name              | None |
| port_range_max    | 443 |
| port_range_min    | 443 |
| project_id        | 5df4e0c1c68647ef800e7904d455b58d |
| protocol          | tcp |
| remote_group_id   | None |
| remote_ip_prefix  | ::/0 |
| revision_number   | 0 |
| security_group_id | 86e3bce1-3608-4d79-aa8d-0f47c205e227 |
| tags              | [] |
| updated_at        | 2020-07-30T16:01:45Z |
+-------------------+--------------------------------------------------+

The four web rules carry no `--remote-ip`, so `remote_ip_prefix` defaults to 0.0.0.0/0 and ::/0: ports 80 and 443 are reachable from every address over both IPv4 and IPv6, while port 22 stays limited to the two hosts above.
$ openstack security group show 86e3bce1-3608-4d79-aa8d-0f47c205e227
+-----------------+--------------------------------------------------+
| Field           | Value                                            |
+-----------------+--------------------------------------------------+
| created_at      | 2020-07-30T15:35:12Z |
| description     | 这是一个用于测试的安全组 |
| id              | 86e3bce1-3608-4d79-aa8d-0f47c205e227 |
| location        | cloud='', project.domain_id='default', project.domain_name=, project.id='5df4e0c1c68647ef800e7904d455b58d', project.name='admin', region_name='RegionOne', zone= |
| name            | 测试安全组 |
| project_id      | 5df4e0c1c68647ef800e7904d455b58d |
| revision_number | 14 |
| rules           | created_at='2020-07-30T16:01:37Z', description='HTTP_PORT_ACCEPT', direction='ingress', ethertype='IPv6', id='07bfc115-0751-4cf7-8f54-be4d4a34f64c', port_range_max='80', port_range_min='80', protocol='tcp', remote_ip_prefix='::/0', updated_at='2020-07-30T16:01:37Z' |
|                 | created_at='2020-07-30T16:00:31Z', description='SSH_PORT_ACCEPT', direction='ingress', ethertype='IPv6', id='1aaa272b-3ee0-4acb-8f66-d40babd6e4c8', port_range_max='22', port_range_min='22', protocol='tcp', remote_ip_prefix='2404:eb40::100/128', updated_at='2020-07-30T16:00:31Z' |
|                 | created_at='2020-07-30T16:00:17Z', description='SSH_PORT_ACCEPT', direction='ingress', ethertype='IPv4', id='3326f295-4e00-41ba-a560-e9623534ee75', port_range_max='22', port_range_min='22', protocol='tcp', remote_ip_prefix='172.30.100.100/32', updated_at='2020-07-30T16:00:17Z' |
|                 | created_at='2020-07-30T15:51:57Z', description='允许PING', direction='ingress', ethertype='IPv4', id='50fc9d9d-6dce-45bc-b7dc-3718611906b8', protocol='icmp', remote_ip_prefix='0.0.0.0/0', updated_at='2020-07-30T15:51:57Z' |
|                 | created_at='2020-07-30T16:01:45Z', description='HTTP_PORT_ACCEPT', direction='ingress', ethertype='IPv6', id='597b0409-7512-4aea-ac12-a541fc37b802', port_range_max='443', port_range_min='443', protocol='tcp', remote_ip_prefix='::/0', updated_at='2020-07-30T16:01:45Z' |
|                 | created_at='2020-07-30T16:01:22Z', description='HTTP_PORT_ACCEPT', direction='ingress', ethertype='IPv4', id='76030ba4-e402-455a-9e19-1e23dba88d01', port_range_max='80', port_range_min='80', protocol='tcp', remote_ip_prefix='0.0.0.0/0', updated_at='2020-07-30T16:01:22Z' |
|                 | created_at='2020-07-30T16:01:29Z', description='HTTP_PORT_ACCEPT', direction='ingress', ethertype='IPv4', id='c7510f8a-5fc4-44fe-bd18-025db970c7b0', port_range_max='443', port_range_min='443', protocol='tcp', remote_ip_prefix='0.0.0.0/0', updated_at='2020-07-30T16:01:29Z' |
|                 | created_at='2020-07-30T15:48:28Z', description='放行IPV4所有流量出去', direction='egress', ethertype='IPv4', id='d8967eea-4cad-4466-9f0e-c7ba501a12d4', remote_ip_prefix='0.0.0.0/0', updated_at='2020-07-30T15:48:28Z' |
|                 | created_at='2020-07-30T15:48:37Z', description='放行IPV6所有流量出去', direction='egress', ethertype='IPv6', id='e3fc1615-b3dc-4a84-aab7-30c461e5fb76', remote_ip_prefix='::/0', updated_at='2020-07-30T15:48:37Z' |
| tags            | [] |
| updated_at      | 2020-07-30T16:01:45Z |
+-----------------+--------------------------------------------------+
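The whole procedure in steps 1 to 4, as one script. This is an added example, not code from the original post: it generates the `openstack security group rule create` commands for the same rule set from a compact spec (plus an IPv6 ping rule, which the post does not add and which needs `--protocol ipv6-icmp`), and then audits a `rule list` CSV for ingress rules that are open to every source on anything other than the web ports or ICMP, which is the check worth running on any group before it is attached to instances. The group ID is the one from the post; the spec table, the `-c` column selection, the allowlists and the CSV sample (written by hand to mirror the nine rules above, with one deliberately world-open SSH rule added so the audit has something to flag) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the post's rule set
# from a compact spec and audits the resulting group for world-open ingress.
# Assumes an authenticated `openstack` CLI (OS_CLOUD / OS_* in the environment)
# when APPLY=1; without it the script only prints what it would run.

SG_ID="86e3bce1-3608-4d79-aa8d-0f47c205e227"   # the group created in the post

# Spec columns: direction ethertype protocol dst-port remote-prefix description
# "-" means "not set" (any protocol / any port). Descriptions must be one word
# because the command line is assembled with eval.
# The ipv6-icmp line is an addition: the post only opens ping over IPv4.
RULE_SPEC='
egress  IPv4 -         -   0.0.0.0/0          allow_all_egress_v4
egress  IPv6 -         -   ::/0               allow_all_egress_v6
ingress IPv4 icmp      -   0.0.0.0/0          allow_ping_v4
ingress IPv6 ipv6-icmp -   ::/0               allow_ping_v6
ingress IPv4 tcp       22  172.30.100.100/32  SSH_PORT_ACCEPT
ingress IPv6 tcp       22  2404:eb40::100/128 SSH_PORT_ACCEPT
ingress IPv4 tcp       80  0.0.0.0/0          HTTP_PORT_ACCEPT
ingress IPv4 tcp       443 0.0.0.0/0          HTTPS_PORT_ACCEPT
ingress IPv6 tcp       80  ::/0               HTTP_PORT_ACCEPT
ingress IPv6 tcp       443 ::/0               HTTPS_PORT_ACCEPT
'

# Emit (or, with APPLY=1, run) one `openstack security group rule create`
# per spec line for security group $1.
sg_rule_cmds() {
  sg="$1"
  printf '%s\n' "$RULE_SPEC" | while read -r dir eth proto port remote desc; do
    [ -z "$dir" ] && continue
    cmd="openstack security group rule create --$dir --ethertype $eth"
    [ "$proto" != "-" ] && cmd="$cmd --protocol $proto"
    [ "$port" != "-" ] && cmd="$cmd --dst-port $port"
    cmd="$cmd --remote-ip $remote --description $desc $sg"
    if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else printf '%s\n' "$cmd"; fi
  done
}

# What may legitimately be reachable from every address (edit to taste).
WORLD_OK_PORTS="80:80 443:443"
WORLD_OK_PROTOS="icmp ipv6-icmp"

in_list() {   # in_list NEEDLE "a b c" -> 0 if NEEDLE is one of the words
  for x in $2; do [ "$x" = "$1" ] && return 0; done
  return 1
}

# Audit: read `openstack security group rule list <sg> -f csv -c Direction
# -c "IP Protocol" -c "Port Range" -c "IP Range"` on stdin (that column order
# is an assumption of this example) and print every ingress rule that is open
# to 0.0.0.0/0 or ::/0 on anything outside the allowlists above.
sg_audit() {
  tail -n +2 | tr -d '"' | while IFS=, read -r dir proto ports remote; do
    [ "$dir" = ingress ] || continue
    case "$remote" in 0.0.0.0/0|::/0) ;; *) continue ;; esac
    in_list "$proto" "$WORLD_OK_PROTOS" && continue
    in_list "$ports" "$WORLD_OK_PORTS" && continue
    printf 'WORLD-OPEN: %s %s %s from %s\n' "$dir" "${proto:-any}" "${ports:-any}" "$remote"
  done
}
sg_audit_count() { sg_audit | wc -l | tr -d ' '; }

# Constructed sample of that CSV: the post's nine rules, plus one deliberately
# over-broad SSH rule so the audit has something to flag.
SAMPLE_RULES='"Direction","IP Protocol","Port Range","IP Range"
"egress","","","0.0.0.0/0"
"egress","","","::/0"
"ingress","icmp","","0.0.0.0/0"
"ingress","tcp","22:22","172.30.100.100/32"
"ingress","tcp","22:22","2404:eb40::100/128"
"ingress","tcp","80:80","0.0.0.0/0"
"ingress","tcp","443:443","0.0.0.0/0"
"ingress","tcp","80:80","::/0"
"ingress","tcp","443:443","::/0"
"ingress","tcp","22:22","0.0.0.0/0"'

if [ "${APPLY:-0}" = 1 ]; then
  sg_rule_cmds "$SG_ID"                      # creates the rules in the cloud
  openstack security group rule list "$SG_ID" -f csv \
    -c Direction -c "IP Protocol" -c "Port Range" -c "IP Range" | sg_audit
else
  sg_rule_cmds "$SG_ID"                      # dry run: print the commands
  printf '%s\n' "$SAMPLE_RULES" | sg_audit   # flags the world-open SSH rule
fi
```

Run it as `sh sg_rules.sh` to see the commands it would issue and the audit result on the sample, or `APPLY=1 sh sg_rules.sh` to create the rules in the group and audit the live rule list. Keeping the rule set in a spec like this makes the intended exposure reviewable in one screen, which the sequence of individual `rule create` calls above does not; the audit is deliberately strict (anything world-reachable that is not 80, 443 or ping gets reported) so that an accidental `--remote-ip 0.0.0.0/0` on SSH is caught before an instance is put behind the group.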