OpenStack provides Security Groups per VM, but the network Firewall service (FWaaS) can also be used to apply a firewall to the whole network (it attaches to the router, as the router_ids field below shows).
With a UI this would be easy, but unfortunately Horizon stopped showing the firewall UI after the Pike release, so here it is set up with the CLI.
To create a firewall, first create a policy.
neutron firewall-policy-create admin-fw-policy
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new firewall_policy:
+----------------+--------------------------------------+
| Field | Value |
+----------------+--------------------------------------+
| audited | False |
| description | |
| firewall_rules | |
| id | ec61ea6b-6b4a-4924-a3ef-d9738a24a270 |
| name | admin-fw-policy |
| project_id | 87b56ff22e3a4158b55d1c8671524763 |
| shared | False |
| tenant_id | 87b56ff22e3a4158b55d1c8671524763 |
+----------------+--------------------------------------+
Once created, it is listed as below. No firewall rules have been set yet, so that part has to be created next.
neutron firewall-policy-list
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+-----------------+----------------+
| id | name | firewall_rules |
+--------------------------------------+-----------------+----------------+
| ec61ea6b-6b4a-4924-a3ef-d9738a24a270 | admin-fw-policy | [] |
+--------------------------------------+-----------------+----------------+
Set up the firewall rules as follows. First, create a rule for SSH that allows destination port 22.
neutron firewall-rule-create --protocol tcp --destination-port 22 --action allow
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new firewall_rule:
+------------------------+--------------------------------------+
| Field | Value |
+------------------------+--------------------------------------+
| action | allow |
| description | |
| destination_ip_address | |
| destination_port | 22 |
| enabled | True |
| firewall_policy_id | |
| id | 8c5ac363-2fbd-4cc4-893d-2e703340ed45 |
| ip_version | 4 |
| name | |
| position | |
| project_id | 87b56ff22e3a4158b55d1c8671524763 |
| protocol | tcp |
| shared | False |
| source_ip_address | |
| source_port | |
| tenant_id | 87b56ff22e3a4158b55d1c8671524763 |
+------------------------+--------------------------------------+
Insert the firewall rule just created into the policy.
neutron firewall-policy-insert-rule admin-fw-policy 8c5ac363-2fbd-4cc4-893d-2e703340ed45
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Inserted firewall rule in firewall policy admin-fw-policy
After inserting it, the policy is updated as shown below.
neutron firewall-policy-list
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+-----------------+----------------------------------------+
| id | name | firewall_rules |
+--------------------------------------+-----------------+----------------------------------------+
| ec61ea6b-6b4a-4924-a3ef-d9738a24a270 | admin-fw-policy | [8c5ac363-2fbd-4cc4-893d-2e703340ed45] |
+--------------------------------------+-----------------+----------------------------------------+
Finally, create the firewall itself.
neutron firewall-create admin-fw-policy
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new firewall:
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| admin_state_up | True |
| description | |
| firewall_policy_id | ec61ea6b-6b4a-4924-a3ef-d9738a24a270 |
| id | a9f772ee-3542-4cef-84af-145e91f7fc39 |
| name | |
| project_id | 87b56ff22e3a4158b55d1c8671524763 |
| router_ids | 02540dec-d416-45fe-a6c9-5ded58200046 |
| status | PENDING_CREATE |
| tenant_id | 87b56ff22e3a4158b55d1c8671524763 |
+--------------------+--------------------------------------+
Before the firewall was created, ICMP had been allowed in this VM's Security Group, so ping worked as shown below.
~$ ping 192.168.76.210
PING 192.168.76.210 (192.168.76.210) 56(84) bytes of data.
64 bytes from 192.168.76.210: icmp_seq=4 ttl=62 time=5.73 ms
64 bytes from 192.168.76.210: icmp_seq=5 ttl=62 time=5.38 ms
64 bytes from 192.168.76.210: icmp_seq=6 ttl=62 time=5.45 ms
64 bytes from 192.168.76.210: icmp_seq=7 ttl=62 time=5.22 ms
After the firewall is created, the VM behind it no longer answers ping.
~$ ping 192.168.76.210
PING 192.168.76.210 (192.168.76.210) 56(84) bytes of data.
Because the default policy is deny all, to allow internet access from the VMs open UDP 53 (DNS) and TCP 80 and 443 (HTTP, HTTPS).
neutron firewall-rule-create --protocol udp --source-ip-address 0.0.0.0/0 --destination_ip_address 0.0.0.0/0 --destination-port 53 --action allow
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new firewall_rule:
+------------------------+--------------------------------------+
| Field | Value |
+------------------------+--------------------------------------+
| action | allow |
| description | |
| destination_ip_address | 0.0.0.0/0 |
| destination_port | 53 |
| enabled | True |
| firewall_policy_id | |
| id | b5a6aa26-f114-44de-aa7b-053eb339dc8f |
| ip_version | 4 |
| name | |
| position | |
| project_id | 87b56ff22e3a4158b55d1c8671524763 |
| protocol | udp |
| shared | False |
| source_ip_address | 0.0.0.0/0 |
| source_port | |
| tenant_id | 87b56ff22e3a4158b55d1c8671524763 |
+------------------------+--------------------------------------+
neutron firewall-policy-insert-rule admin-fw-policy b5a6aa26-f114-44de-aa7b-053eb339dc8f
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Inserted firewall rule in firewall policy admin-fw-policy
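The same workflow as one script, added here as an example (not from the original post): it uses the neutron commands shown above, parses the id out of the table output so no UUIDs need copy-pasting, and creates the policy, the four allow rules and the firewall in the same order. NEUTRON (the CLI binary) and POLICY (the policy name) are assumed variables.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): drives the FWaaS v1 workflow above
# end to end with the same neutron commands. Run with the argument "apply".
set -eu
NEUTRON=${NEUTRON:-neutron}
POLICY=${POLICY:-admin-fw-policy}

# Pull the "id" value out of the +----+----+ table that neutron prints on stdout,
# so later steps can reference the new object without copy-pasting UUIDs.
table_id() {
  awk -F'|' '$2 ~ /^[[:space:]]*id[[:space:]]*$/ { gsub(/[[:space:]]/, "", $3); print $3 }'
}

# Build firewall-rule-create arguments: rule_args <protocol> <dest-port|-> <action>
# Omitting source/destination addresses matches any host, same as 0.0.0.0/0 above.
rule_args() {
  local proto=$1 port=$2 action=$3
  local args="--protocol $proto --action $action"
  if [ "$port" != "-" ]; then
    args="$args --destination-port $port"
  fi
  printf '%s' "$args"
}

# Create one rule, insert it into the policy and echo the rule id.
add_rule() {
  local id
  # word splitting of rule_args output is intended here
  id=$("$NEUTRON" firewall-rule-create $(rule_args "$@") | table_id)
  "$NEUTRON" firewall-policy-insert-rule "$POLICY" "$id" >/dev/null
  printf '%s\n' "$id"
}

# Same order as the post: policy, rules, then the firewall (default deny applies from here).
apply_all() {
  "$NEUTRON" firewall-policy-create "$POLICY" | table_id
  add_rule tcp 22 allow    # SSH
  add_rule udp 53 allow    # DNS
  add_rule tcp 80 allow    # HTTP
  add_rule tcp 443 allow   # HTTPS
  # ICMP stays dropped (the ping above stops answering); add_rule icmp - allow re-opens it.
  "$NEUTRON" firewall-create "$POLICY"
}

if [ "${1:-}" = "apply" ]; then
  apply_all
fi
```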