HOME
Openstack

openstack security group rule ( 생성 및 추가 삭제)

admin 2024.03.14

openstack에서 보안그룹이 존재하는데 이것은 openstack security group 이라고 표시한다

인스턴스 (서버)에 방화벽 정책이라고 보면 된다 (단순 포트 제어)

1. 그럼 먼저 linux에서 사용할 기본 그룹을 만들어보자

[root@controller ~]# openstack security group create  secgroup_linux_1
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                                                                                                      |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2024-03-14T01:32:38Z                                                                                                                                                                                                       |
| description     | secgroup_linux_1                                                                                                                                                                                                           |
| id              | 9b6f872e-3e52-4e85-8a9d-4c90e7cae430                                                                                                                                                                                       |
| name            | secgroup_linux_1                                                                                                                                                                                                           |
| project_id      | 2a5b985486d844f3a9553ab1de778109                                                                                                                                                                                           |
| revision_number | 1                                                                                                                                                                                                                          |
| rules           | created_at='2024-03-14T01:32:38Z', direction='egress', ethertype='IPv4', id='8e2bfd9d-9707-4e0d-b8c0-0481be554166', standard_attr_id='62', tenant_id='2a5b985486d844f3a9553ab1de778109', updated_at='2024-03-14T01:32:38Z' |
|                 | created_at='2024-03-14T01:32:38Z', direction='egress', ethertype='IPv6', id='ef0b5760-141d-48f6-a120-2b94799caa1f', standard_attr_id='63', tenant_id='2a5b985486d844f3a9553ab1de778109', updated_at='2024-03-14T01:32:38Z' |
| stateful        | True                                                                                                                                                                                                                       |
| tags            | []                                                                                                                                                                                                                         |
| updated_at      | 2024-03-14T01:32:38Z                                                                                                                                                                                                       |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

[root@controller ~]# openstack security group create secgroup_linux_1

+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| Field | Value |

| created_at | 2024-03-14T01:32:38Z |

| description | secgroup_linux_1 |

| id | 9b6f872e-3e52-4e85-8a9d-4c90e7cae430 |

| name | secgroup_linux_1 |

| project_id | 2a5b985486d844f3a9553ab1de778109 |

| revision_number | 1 |

| rules | created_at='2024-03-14T01:32:38Z', direction='egress', ethertype='IPv4', id='8e2bfd9d-9707-4e0d-b8c0-0481be554166', standard_attr_id='62', tenant_id='2a5b985486d844f3a9553ab1de778109', updated_at='2024-03-14T01:32:38Z' |

| | created_at='2024-03-14T01:32:38Z', direction='egress', ethertype='IPv6', id='ef0b5760-141d-48f6-a120-2b94799caa1f', standard_attr_id='63', tenant_id='2a5b985486d844f3a9553ab1de778109', updated_at='2024-03-14T01:32:38Z' |

| stateful | True |

| tags | [] |

| updated_at | 2024-03-14T01:32:38Z |

그룹이 만들어졌으면 해당 그룹에 룰을 확인해보자
ingress 인바운드 ( 즉 인스턴스 서버로 들어가는것)
egress 아웃바운드 ( 인스턴스 서버에서 외부로 나가는것)

[root@controller ~]# openstack security group rule list secgroup_linux_1
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 8e2bfd9d-9707-4e0d-b8c0-0481be554166 | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                  | None                 |
| ef0b5760-141d-48f6-a120-2b94799caa1f | None        | IPv6      | ::/0      |            | egress    | None                  | None                 |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

[root@controller ~]# openstack security group rule list secgroup_linux_1

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

해당 정책으로 서버에 아무것도 접속을 할수가 없다 서버에 접속할수 있게 ssh 포트를 추가해보자

[root@controller ~]# openstack security group rule create --protocol tcp --dst-port 22:22 secgroup_linux_1
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| created_at              | 2024-03-14T01:39:56Z                 |
| description             |                                      |
| direction               | ingress                              |
| ether_type              | IPv4                                 |
| id                      | 6fe50fa4-6806-47cb-af1c-77a7619eb888 |
| name                    | None                                 |
| port_range_max          | 22                                   |
| port_range_min          | 22                                   |
| project_id              | 2a5b985486d844f3a9553ab1de778109     |
| protocol                | tcp                                  |
| remote_address_group_id | None                                 |
| remote_group_id         | None                                 |
| remote_ip_prefix        | 0.0.0.0/0                            |
| revision_number         | 0                                    |
| security_group_id       | 9b6f872e-3e52-4e85-8a9d-4c90e7cae430 |
| tags                    | []                                   |
| tenant_id               | 2a5b985486d844f3a9553ab1de778109     |
| updated_at              | 2024-03-14T01:39:56Z                 |
+-------------------------+--------------------------------------+

[root@controller ~]# openstack security group rule create --protocol tcp --dst-port 22:22 secgroup_linux_1

+-------------------------+--------------------------------------+

| Field | Value |

+-------------------------+--------------------------------------+

| created_at | 2024-03-14T01:39:56Z |

| description | |

| direction | ingress |

| ether_type | IPv4 |

| id | 6fe50fa4-6806-47cb-af1c-77a7619eb888 |

| name | None |

| port_range_max | 22 |

| port_range_min | 22 |

| project_id | 2a5b985486d844f3a9553ab1de778109 |

| protocol | tcp |

| remote_address_group_id | None |

| remote_group_id | None |

| remote_ip_prefix | 0.0.0.0/0 |

| revision_number | 0 |

| security_group_id | 9b6f872e-3e52-4e85-8a9d-4c90e7cae430 |

| tags | [] |

| tenant_id | 2a5b985486d844f3a9553ab1de778109 |

| updated_at | 2024-03-14T01:39:56Z |

+-------------------------+--------------------------------------+

룰을 다시확인해보면 ssh 접속이 될수 있게 수정되었다

[root@controller ~]# openstack security group rule list secgroup_linux_1                                  
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 6fe50fa4-6806-47cb-af1c-77a7619eb888 | tcp         | IPv4      | 0.0.0.0/0 | 22:22      | ingress   | None                  | None                 |
| 8e2bfd9d-9707-4e0d-b8c0-0481be554166 | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                  | None                 |
| ef0b5760-141d-48f6-a120-2b94799caa1f | None        | IPv6      | ::/0      |            | egress    | None                  | None                 |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

[root@controller ~]# openstack security group rule list secgroup_linux_1

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

| 6fe50fa4-6806-47cb-af1c-77a7619eb888 | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

추가적으로 해당 인스터는은 웹서버를 운영을 하기 위해서 80, 443 포트를 허용

[root@controller ~]# openstack security group rule create --protocol tcp --dst-port 80:80 secgroup_linux_1 

[root@controller ~]# openstack security group rule create --protocol tcp --dst-port 443:443 secgroup_linux_1

[root@controller ~]# openstack security group rule create --protocol tcp --dst-port 80:80 secgroup_linux_1

[root@controller ~]# openstack security group rule create --protocol tcp --dst-port 443:443 secgroup_linux_1

다시 확인해보면

[root@controller ~]# openstack security group rule list secgroup_linux_1                                    
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 0cf9e7fb-8cc7-4f87-9200-c07f961f8eaf | tcp         | IPv4      | 0.0.0.0/0 | 443:443    | ingress   | None                  | None                 |
| 6fe50fa4-6806-47cb-af1c-77a7619eb888 | tcp         | IPv4      | 0.0.0.0/0 | 22:22      | ingress   | None                  | None                 |
| 8e2bfd9d-9707-4e0d-b8c0-0481be554166 | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                  | None                 |
| abc6eed4-3498-47ad-853a-2fc4ef2aa2f3 | tcp         | IPv4      | 0.0.0.0/0 | 80:80      | ingress   | None                  | None                 |
| ef0b5760-141d-48f6-a120-2b94799caa1f | None        | IPv6      | ::/0      |            | egress    | None                  | None                 |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

[root@controller ~]# openstack security group rule list secgroup_linux_1

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

| 0cf9e7fb-8cc7-4f87-9200-c07f961f8eaf | tcp | IPv4 | 0.0.0.0/0 | 443:443 | ingress | None | None |

| 6fe50fa4-6806-47cb-af1c-77a7619eb888 | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |

| abc6eed4-3498-47ad-853a-2fc4ef2aa2f3 | tcp | IPv4 | 0.0.0.0/0 | 80:80 | ingress | None | None |

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

만약 icmp를 허용하게 하려면 아래 명령어를 입력하면 된다

[root@controller ~]# openstack security group rule create --protocol icmp --ingress secgroup_linux_1        
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| created_at              | 2024-03-14T01:51:43Z                 |
| description             |                                      |
| direction               | ingress                              |
| ether_type              | IPv4                                 |
| id                      | c0a65d43-0d27-4739-a7a8-98c8811236be |
| name                    | None                                 |
| port_range_max          | None                                 |
| port_range_min          | None                                 |
| project_id              | 2a5b985486d844f3a9553ab1de778109     |
| protocol                | icmp                                 |
| remote_address_group_id | None                                 |
| remote_group_id         | None                                 |
| remote_ip_prefix        | 0.0.0.0/0                            |
| revision_number         | 0                                    |
| security_group_id       | 9b6f872e-3e52-4e85-8a9d-4c90e7cae430 |
| tags                    | []                                   |
| tenant_id               | 2a5b985486d844f3a9553ab1de778109     |
| updated_at              | 2024-03-14T01:51:43Z                 |
+-------------------------+--------------------------------------+

[root@controller ~]# openstack security group rule create --protocol icmp --ingress secgroup_linux_1

+-------------------------+--------------------------------------+

| Field | Value |

+-------------------------+--------------------------------------+

| created_at | 2024-03-14T01:51:43Z |

| description | |

| direction | ingress |

| ether_type | IPv4 |

| id | c0a65d43-0d27-4739-a7a8-98c8811236be |

| name | None |

| port_range_max | None |

| port_range_min | None |

| project_id | 2a5b985486d844f3a9553ab1de778109 |

| protocol | icmp |

| remote_address_group_id | None |

| remote_group_id | None |

| remote_ip_prefix | 0.0.0.0/0 |

| revision_number | 0 |

| security_group_id | 9b6f872e-3e52-4e85-8a9d-4c90e7cae430 |

| tags | [] |

| tenant_id | 2a5b985486d844f3a9553ab1de778109 |

| updated_at | 2024-03-14T01:51:43Z |

+-------------------------+--------------------------------------+

룰셋을 삭제하는 방법은 우선 리스트를 확인한다음에 id 값을 삭제하면 된다

### 리스트확인
[root@controller ~]# openstack security group rule list secgroup_linux_1                            
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 0cf9e7fb-8cc7-4f87-9200-c07f961f8eaf | tcp         | IPv4      | 0.0.0.0/0 | 443:443    | ingress   | None                  | None                 |
| 6fe50fa4-6806-47cb-af1c-77a7619eb888 | tcp         | IPv4      | 0.0.0.0/0 | 22:22      | ingress   | None                  | None                 |
| 8e2bfd9d-9707-4e0d-b8c0-0481be554166 | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                  | None                 |
| abc6eed4-3498-47ad-853a-2fc4ef2aa2f3 | tcp         | IPv4      | 0.0.0.0/0 | 80:80      | ingress   | None                  | None                 |
| dfda00b9-4eb5-4004-bcfa-ed9c139d5f19 | icmp        | IPv4      | 0.0.0.0/0 |            | ingress   | None                  | None                 |
| ef0b5760-141d-48f6-a120-2b94799caa1f | None        | IPv6      | ::/0      |            | egress    | None                  | None                 |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

### 삭제
[root@controller ~]# openstack security group rule delete dfda00b9-4eb5-4004-bcfa-ed9c139d5f19

### 리스트확인

[root@controller ~]# openstack security group rule list secgroup_linux_1

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

| 0cf9e7fb-8cc7-4f87-9200-c07f961f8eaf | tcp | IPv4 | 0.0.0.0/0 | 443:443 | ingress | None | None |

| 6fe50fa4-6806-47cb-af1c-77a7619eb888 | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |

| abc6eed4-3498-47ad-853a-2fc4ef2aa2f3 | tcp | IPv4 | 0.0.0.0/0 | 80:80 | ingress | None | None |

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

### 삭제

[root@controller ~]# openstack security group rule delete dfda00b9-4eb5-4004-bcfa-ed9c139d5f19

그럼 특정 아이피에 대해서만 icmp 를 허용하게 하려면 — remoe-ip 를 입력하면 됨

[root@controller ~]# openstack security group rule create --protocol icmp --ingress --remote-ip 192.168.10.22 secgroup_linux_1

1	[root@controller ~]# openstack security group rule create --protocol icmp --ingress --remote-ip 192.168.10.22 secgroup_linux_1

확인

[root@controller ~]# openstack security group rule list secgroup_linux_1                                                     
+--------------------------------------+-------------+-----------+-----------------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range        | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------------+------------+-----------+-----------------------+----------------------+
| 0cf9e7fb-8cc7-4f87-9200-c07f961f8eaf | tcp         | IPv4      | 0.0.0.0/0       | 443:443    | ingress   | None                  | None                 |
| 171a5a53-9238-407a-b466-b4cc6a015fe1 | icmp        | IPv4      | 192.168.10.22/32 |            | ingress   | None                  | None                 |
| 6fe50fa4-6806-47cb-af1c-77a7619eb888 | tcp         | IPv4      | 0.0.0.0/0       | 22:22      | ingress   | None                  | None                 |
| 8e2bfd9d-9707-4e0d-b8c0-0481be554166 | None        | IPv4      | 0.0.0.0/0       |            | egress    | None                  | None                 |
| abc6eed4-3498-47ad-853a-2fc4ef2aa2f3 | tcp         | IPv4      | 0.0.0.0/0       | 80:80      | ingress   | None                  | None                 |
| ef0b5760-141d-48f6-a120-2b94799caa1f | None        | IPv6      | ::/0            |            | egress    | None                  | None                 |
+--------------------------------------+-------------+-----------+-----------------+------------+-----------+-----------------------+----------------------+

[root@controller ~]# openstack security group rule list secgroup_linux_1

+--------------------------------------+-------------+-----------+-----------------+------------+-----------+-----------------------+----------------------+

+--------------------------------------+-------------+-----------+-----------------+------------+-----------+-----------------------+----------------------+

| 0cf9e7fb-8cc7-4f87-9200-c07f961f8eaf | tcp | IPv4 | 0.0.0.0/0 | 443:443 | ingress | None | None |

| 6fe50fa4-6806-47cb-af1c-77a7619eb888 | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |

| abc6eed4-3498-47ad-853a-2fc4ef2aa2f3 | tcp | IPv4 | 0.0.0.0/0 | 80:80 | ingress | None | None |

+--------------------------------------+-------------+-----------+-----------------+------------+-----------+-----------------------+----------------------+

특정 아이피에 대해서만 3000번 포트를 허용하게 하려면 ( ingress / 기입 안해도 기본 default 값이 ingress 이다)

[root@controller ~]# openstack security group rule create --protocol tcp --dst-port 3000:3000 --remote-ip 192.168.100.55 secgroup_linux_1 

[root@controller ~]# openstack security group rule list secgroup_linux_1
+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range          | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+
| 0cf9e7fb-8cc7-4f87-9200-c07f961f8eaf | tcp         | IPv4      | 0.0.0.0/0         | 443:443    | ingress   | None                  | None                 |
| 171a5a53-9238-407a-b466-b4cc6a015fe1 | icmp        | IPv4      | 192.168.10.22/32   |            | ingress   | None                  | None                 |
| 6fe50fa4-6806-47cb-af1c-77a7619eb888 | tcp         | IPv4      | 0.0.0.0/0         | 22:22      | ingress   | None                  | None                 |
| 8e2bfd9d-9707-4e0d-b8c0-0481be554166 | None        | IPv4      | 0.0.0.0/0         |            | egress    | None                  | None                 |
| abc6eed4-3498-47ad-853a-2fc4ef2aa2f3 | tcp         | IPv4      | 0.0.0.0/0         | 80:80      | ingress   | None                  | None                 |
| ee585292-fab1-4fde-b86c-3141b7cf02a6 | tcp         | IPv4      | 192.168.100.55/32 | 3000:3000  | ingress   | None                  | None                 |
| ef0b5760-141d-48f6-a120-2b94799caa1f | None        | IPv6      | ::/0              |            | egress    | None                  | None                 |
+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+

[root@controller ~]# openstack security group rule create --protocol tcp --dst-port 3000:3000 --remote-ip 192.168.100.55 secgroup_linux_1

[root@controller ~]# openstack security group rule list secgroup_linux_1

+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+

+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+

| 0cf9e7fb-8cc7-4f87-9200-c07f961f8eaf | tcp | IPv4 | 0.0.0.0/0 | 443:443 | ingress | None | None |

| 6fe50fa4-6806-47cb-af1c-77a7619eb888 | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |

| abc6eed4-3498-47ad-853a-2fc4ef2aa2f3 | tcp | IPv4 | 0.0.0.0/0 | 80:80 | ingress | None | None |

| ee585292-fab1-4fde-b86c-3141b7cf02a6 | tcp | IPv4 | 192.168.100.55/32 | 3000:3000 | ingress | None | None |

+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+

ingress 만 출력하고 싶으면

[root@controller ~]# openstack security group rule list secgroup_linux_1 --ingress            
+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range          | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+
| 0cf9e7fb-8cc7-4f87-9200-c07f961f8eaf | tcp         | IPv4      | 0.0.0.0/0         | 443:443    | ingress   | None                  | None                 |
| 6fe50fa4-6806-47cb-af1c-77a7619eb888 | tcp         | IPv4      | 0.0.0.0/0         | 22:22      | ingress   | None                  | None                 |
| a2055db0-671d-4541-8f1d-27603d551a08 | icmp        | IPv4      | 192.168.10.22/32  |            | ingress   | None                  | None                 |
| abc6eed4-3498-47ad-853a-2fc4ef2aa2f3 | tcp         | IPv4      | 0.0.0.0/0         | 80:80      | ingress   | None                  | None                 |
| ee585292-fab1-4fde-b86c-3141b7cf02a6 | tcp         | IPv4      | 192.168.100.55/32 | 3000:3000  | ingress   | None                  | None                 |
+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+

[root@controller ~]# openstack security group rule list secgroup_linux_1 --ingress

+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+

+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+

| 0cf9e7fb-8cc7-4f87-9200-c07f961f8eaf | tcp | IPv4 | 0.0.0.0/0 | 443:443 | ingress | None | None |

| 6fe50fa4-6806-47cb-af1c-77a7619eb888 | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |

| abc6eed4-3498-47ad-853a-2fc4ef2aa2f3 | tcp | IPv4 | 0.0.0.0/0 | 80:80 | ingress | None | None |

| ee585292-fab1-4fde-b86c-3141b7cf02a6 | tcp | IPv4 | 192.168.100.55/32 | 3000:3000 | ingress | None | None |

+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+

egress 정책만 출력하고 싶다면

[root@controller ~]# openstack security group rule list secgroup_linux_1 --egress
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 8e2bfd9d-9707-4e0d-b8c0-0481be554166 | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                  | None                 |
| ef0b5760-141d-48f6-a120-2b94799caa1f | None        | IPv6      | ::/0      |            | egress    | None                  | None                 |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

[root@controller ~]# openstack security group rule list secgroup_linux_1 --egress

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

protocol로 출력하고 싶다면 tcp만 출력

[root@controller ~]# openstack security group rule list secgroup_linux_1 --protocol tcp
+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range          | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+
| 0cf9e7fb-8cc7-4f87-9200-c07f961f8eaf | tcp         | IPv4      | 0.0.0.0/0         | 443:443    | ingress   | None                  | None                 |
| 6fe50fa4-6806-47cb-af1c-77a7619eb888 | tcp         | IPv4      | 0.0.0.0/0         | 22:22      | ingress   | None                  | None                 |
| abc6eed4-3498-47ad-853a-2fc4ef2aa2f3 | tcp         | IPv4      | 0.0.0.0/0         | 80:80      | ingress   | None                  | None                 |
| ee585292-fab1-4fde-b86c-3141b7cf02a6 | tcp         | IPv4      | 192.168.100.55/32 | 3000:3000  | ingress   | None                  | None                 |
+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+

[root@controller ~]# openstack security group rule list secgroup_linux_1 --protocol tcp

+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+

+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+

| 0cf9e7fb-8cc7-4f87-9200-c07f961f8eaf | tcp | IPv4 | 0.0.0.0/0 | 443:443 | ingress | None | None |

| 6fe50fa4-6806-47cb-af1c-77a7619eb888 | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |

| abc6eed4-3498-47ad-853a-2fc4ef2aa2f3 | tcp | IPv4 | 0.0.0.0/0 | 80:80 | ingress | None | None |

| ee585292-fab1-4fde-b86c-3141b7cf02a6 | tcp | IPv4 | 192.168.100.55/32 | 3000:3000 | ingress | None | None |

+--------------------------------------+-------------+-----------+-------------------+------------+-----------+-----------------------+----------------------+

protocol로 출력하고 싶다면 udp만 출력

[root@controller ~]# openstack security group rule list secgroup_linux_1 --protocol udp                     
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 038afd8a-81bf-4238-9338-84bce3d8e567 | udp         | IPv4      | 0.0.0.0/0 | 161:161    | ingress   | None                  | None                 |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

[root@controller ~]# openstack security group rule list secgroup_linux_1 --protocol udp

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

| 038afd8a-81bf-4238-9338-84bce3d8e567 | udp | IPv4 | 0.0.0.0/0 | 161:161 | ingress | None | None |

+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

근데 기본 정책을 사용하는 경우 서버에서 (인스턴스)에서 아웃바운드 정책이 모두 any로 열려져 있음
(기본정책)
outbound ( egress) 정책을 새로 구성하고 싶다면 기본 구성 정책을 삭제하고 추가하면 된다

자세한 부분은 공식 홈페이지 내용참고
https://docs.openstack.org/python-openstackclient/pike/cli/command-objects/security-group-rule.html#security-group-rule-create

상품명
주문번호
택배사
송장번호

시골청년의 엔지니어이야기 ( 진반장 )

openstack security group rule ( 생성 및 추가 삭제)

코멘트 쓰기 작성취소