how security group is implemented
Hi there,
I thought this was a straightforward thing to find out, but it turned out not to be.
I created a security group to allow ssh and http and ran an instance with it.
On its physical host, I see the following proper iptables rules
Chain nova-compute-
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.253.1 anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 192.168.253.0/24 anywhere
ACCEPT tcp -- 192.168.2.0/24 anywhere tcp dpt:ssh
ACCEPT tcp -- 192.168.2.0/24 anywhere tcp dpt:http
nova-compute-
The libvirt XML shows
<interface type='bridge'>
<mac address=
<source bridge='br2'/>
<target dev='vnet2'/>
<filterref filter=
<parameter name='DHCPSERVER' value='
<parameter name='IP' value='
</filterref>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
So I went to look at its nwfilter
[root@node5 ~]# virsh nwfilter-dumpxml nova-instance-
<filter name='nova-
<uuid>
<filterref filter=
</filter>
It references the nova-base nwfilter, which is
[root@node5 nwfilter]# virsh nwfilter-dumpxml nova-base
<filter name='nova-base' chain='root'>
<uuid>
<filterref filter=
<filterref filter=
<filterref filter=
<filterref filter=
</filter>
But where are my custom rules allowing port 22 and 80? I haven't seen them anywhere, but it apparently worked.
Is it run directly by iptables, without using the libvirt nwfilter?
I would assume it is a natural way to directly use nwfilter for security groups, right?
Thanks.
Shi
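A practitioner who wants to confirm that the per-instance chain on the compute host really matches the security group can diff it against the intended openings. The following is an added example, not code from the question or from nova: it parses `iptables -L` output in the format quoted above and reports openings that are missing or unexplained. The chain name `nova-compute-inst-0001`, the sample chain text, the expected set and the nova base-rule set are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample: a nova-compute-<instance> chain as printed by `iptables -L`
# (no -n, so well-known ports show as service names), modelled on the question.
IPTABLES_OUTPUT = """\
Chain nova-compute-inst-0001 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.253.1        anywhere             udp spt:bootps dpt:bootpc
ACCEPT     all  --  192.168.253.0/24     anywhere
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:http
"""

# Service names that iptables -L substitutes for port numbers.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443, "bootps": 67, "bootpc": 68}

@dataclass(frozen=True)
class Allow:
    proto: str
    source: str
    dport: "int | None"   # None when the rule does not restrict the port

def _port(name):
    return int(name) if name.isdigit() else SERVICE_PORTS.get(name)

def parse_chain(text):
    """Collect ACCEPT rules that admit new inbound flows; skip the stateful rule."""
    allows = set()
    for line in text.splitlines()[2:]:          # drop "Chain ..." and header lines
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ACCEPT":
            continue
        _target, proto, _opt, src, _dst, *extra = parts
        extra = " ".join(extra)
        if "state" in extra:                     # RELATED,ESTABLISHED opens nothing new
            continue
        m = re.search(r"dpt:(\S+)", extra)
        allows.add(Allow(proto, src, _port(m.group(1)) if m else None))
    return allows

# What the security group was meant to open, plus the rules nova adds on its own
# (DHCP from the dnsmasq address and the instance's own subnet); both constructed.
EXPECTED = {Allow("tcp", "192.168.2.0/24", 22), Allow("tcp", "192.168.2.0/24", 80)}
NOVA_BASE = {Allow("udp", "192.168.253.1", 68), Allow("all", "192.168.253.0/24", None)}

def audit(text, expected=EXPECTED, base=NOVA_BASE):
    actual = parse_chain(text)   # "missing": group rules absent; "unexpected": unexplained openings
    return {"missing": expected - actual, "unexpected": actual - expected - base}
```

Feed it the output of `iptables -L <chain>` captured on the compute host; an empty result for both sets means the host enforces exactly the group plus nova's own base rules.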