How to practice Neutron FWaaS

2025-01-22 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

In this issue, the editor walks through a hands-on practice of Neutron FWaaS. The article is detailed and analyzes the topic from a professional point of view; I hope you get something out of it.

Today we will learn FWaaS through experiments.

In our experimental environment there are two instances: cirros-vm1 (172.16.100.3) and cirros-vm2 (172.16.101.3).

cirros-vm1 and cirros-vm2 are located on the networks vlan100 and vlan101, respectively. vlan100 and vlan101 are connected by the virtual router test_router.

When no FWaaS firewall is applied to test_router, cirros-vm1 can reach cirros-vm2 across the two networks with ping and ssh.

The following experiments will be carried out:

1. Create a firewall "test_firewall" that contains no rule and apply it to test_router. Once FWaaS takes effect, all cross-subnet traffic is blocked by default.

2. Create a rule that allows ssh and add it to test_firewall. At this point cirros-vm1 should be able to ssh to cirros-vm2.

Apply a firewall without rules

Click the menu Project -> Network -> Firewalls and open the "Firewall Policies" tab. No Policy is defined yet.

Click the create button to display the Policy creation page.

Name the Policy "test_policy" and click the "Add" button directly.

The test_policy we created therefore contains no Rule.

Go to the "Firewalls" tab and click the "Create Firewall" button.

Name the new Firewall "test_firewall" and associate it with "test_policy".

Select "test_router" on the Routers tab and click "Add" to create the firewall.

Wait for the Status of test_firewall to change to "Active"; test_router has then successfully applied test_policy.

You can view the iptables rules of the router namespace with iptables-save.

To show what changed under the hood, the following vimdiff compares the iptables rules before and after test_firewall was applied.

Let's analyze these rules.

The router uses the following chain when forwarding packets:

-A FORWARD -j neutron-vpn-agen-FORWARD

The rules for neutron-vpn-agen-FORWARD are as follows:

-A neutron-vpn-agen-FORWARD -o qr-+ -j neutron-vpn-agen-iv4e85f4601

-A neutron-vpn-agen-FORWARD -i qr-+ -j neutron-vpn-agen-ov4e85f4601

-A neutron-vpn-agen-FORWARD -o qr-+ -j neutron-vpn-agen-fwaas-defau

-A neutron-vpn-agen-FORWARD -i qr-+ -j neutron-vpn-agen-fwaas-defau

Take the first item as an example: "-o qr-+" matches traffic sent out of any qr-* interface of the router namespace.

Chain neutron-vpn-agen-iv4e85f4601 is applied to all such traffic, and the chain is defined as follows:

-A neutron-vpn-agen-iv4e85f4601 -m state --state INVALID -j DROP

-A neutron-vpn-agen-iv4e85f4601 -m state --state RELATED,ESTABLISHED -j ACCEPT

The rules are:

1. If the connection-tracking state of the packet is INVALID, DROP it.

2. If the state of the packet is RELATED or ESTABLISHED, ACCEPT it.

What happens to other, normally transmitted packets (a NEW connection, for instance)? They fall through to the next rule of the neutron-vpn-agen-FORWARD chain for traffic leaving the router:

-A neutron-vpn-agen-FORWARD -o qr-+ -j neutron-vpn-agen-fwaas-defau

The content of neutron-vpn-agen-fwaas-defau is:

-A neutron-vpn-agen-fwaas-defau -j DROP

So the packet is dropped. By the same token, all traffic entering the router through a qr-* interface is dropped as well.

The conclusion: with no firewall rule defined, packets entering and leaving the router are all dropped.

Ping and ssh tests confirm that cirros-vm1 can no longer communicate with cirros-vm2.
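To make the chain traversal above concrete, here is an added example (not code from the original article or from Neutron) that models the router namespace's FORWARD path in Python. It uses only the chain names and rules printed above; the ov chain is assumed to mirror the iv chain (the article does not print it), the FORWARD policy is assumed to be ACCEPT, and the tcp/22 allow rule used to model the second experiment is a hypothetical placement, since the article does not show the rule FWaaS generates for it.

```python
"""Added example: a small model of iptables chain traversal for the FWaaS
rules shown in the article. Chain names are taken from the article; the
ov chain contents, the FORWARD policy and the ssh allow rule are assumptions."""
from dataclasses import dataclass
from typing import Optional, FrozenSet

IV = "neutron-vpn-agen-iv4e85f4601"
OV = "neutron-vpn-agen-ov4e85f4601"
DEFAULT = "neutron-vpn-agen-fwaas-defau"
TERMINAL = {"ACCEPT", "DROP"}


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    state: str            # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    proto: str = "tcp"
    dport: int = 0


def iface_match(pattern: Optional[str], name: str) -> bool:
    """iptables interface wildcard: a trailing '+' matches any name with that prefix."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


@dataclass
class Rule:
    target: str                            # ACCEPT, DROP, or a chain to jump to
    in_iface: Optional[str] = None         # '-i qr-+'
    out_iface: Optional[str] = None        # '-o qr-+'
    states: FrozenSet[str] = frozenset()   # '-m state --state A,B'
    proto: Optional[str] = None            # '-p tcp'
    dport: Optional[int] = None            # '--dport 22'

    def matches(self, pkt: Packet) -> bool:
        return (iface_match(self.in_iface, pkt.in_iface)
                and iface_match(self.out_iface, pkt.out_iface)
                and (not self.states or pkt.state in self.states)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def build_chains():
    """The filter-table chains as printed in the article after test_firewall was applied."""
    state_rules = [Rule("DROP", states=frozenset({"INVALID"})),
                   Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"}))]
    return {
        "FORWARD": [Rule("neutron-vpn-agen-FORWARD")],
        "neutron-vpn-agen-FORWARD": [
            Rule(IV, out_iface="qr-+"),
            Rule(OV, in_iface="qr-+"),
            Rule(DEFAULT, out_iface="qr-+"),
            Rule(DEFAULT, in_iface="qr-+"),
        ],
        IV: list(state_rules),
        OV: list(state_rules),     # assumption: mirror of the iv chain
        DEFAULT: [Rule("DROP")],   # the empty policy's default: drop everything
    }


def walk(chains, chain: str, pkt: Packet) -> Optional[str]:
    """Walk one chain; a jump whose sub-chain falls off the end behaves like RETURN."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        verdict = walk(chains, rule.target, pkt)
        if verdict is not None:
            return verdict
    return None


def forward_verdict(chains, pkt: Packet, policy: str = "ACCEPT") -> str:
    """Verdict for a forwarded packet; policy is the assumed FORWARD chain policy."""
    return walk(chains, "FORWARD", pkt) or policy


def allow_ssh(chains):
    """Hypothetical model of the second experiment: an allow rule for tcp/22
    appended to the iv/ov chains after the state rules."""
    for chain in (IV, OV):
        chains[chain].append(Rule("ACCEPT", proto="tcp", dport=22))
    return chains


# cirros-vm1 -> cirros-vm2 crosses from qr-vlan100 to qr-vlan101 (constructed names)
NEW_SSH = Packet("qr-vlan100", "qr-vlan101", "NEW", "tcp", 22)
NEW_PING = Packet("qr-vlan100", "qr-vlan101", "NEW", "icmp")
REPLY = Packet("qr-vlan101", "qr-vlan100", "ESTABLISHED", "tcp")
BAD = Packet("qr-vlan100", "qr-vlan101", "INVALID", "tcp", 22)

if __name__ == "__main__":
    chains = build_chains()
    for name, pkt in [("new ssh", NEW_SSH), ("reply", REPLY), ("invalid", BAD)]:
        print(f"empty policy, {name}: {forward_verdict(chains, pkt)}")
    allow_ssh(chains)
    for name, pkt in [("new ssh", NEW_SSH), ("new ping", NEW_PING)]:
        print(f"ssh allowed, {name}: {forward_verdict(chains, pkt)}")
```

The first run reproduces the article's result: a NEW packet matches neither state rule in the iv or ov chain, so it falls through to neutron-vpn-agen-fwaas-defau and is dropped; only RELATED/ESTABLISHED traffic passes. After the assumed ssh rule is added, a NEW tcp/22 packet is accepted in the iv chain before the default chain is reached, its replies pass via ESTABLISHED, and ping is still dropped.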

That is the editor's walkthrough of Neutron FWaaS practice; if you have similar doubts, you may refer to the analysis above.
