Packstack 방화벽 상태

1 개요

[root@controller ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:8774            0.0.0.0:*               LISTEN      30327/python2       
tcp        0      0 0.0.0.0:8775            0.0.0.0:*               LISTEN      30327/python2       
tcp        0      0 0.0.0.0:9191            0.0.0.0:*               LISTEN      14477/python2       
tcp        0      0 0.0.0.0:8776            0.0.0.0:*               LISTEN      11390/python2       
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      9677/beam           
tcp        0      0 127.0.0.1:6633          0.0.0.0:*               LISTEN      19256/python2       
tcp        0      0 192.168.43.233:873      0.0.0.0:*               LISTEN      10697/xinetd        
tcp        0      0 192.168.43.233:27017    0.0.0.0:*               LISTEN      8487/mongod         
tcp        0      0 0.0.0.0:8778            0.0.0.0:*               LISTEN      24668/httpd         
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5076/mysqld         
tcp        0      0 192.168.43.233:6379     0.0.0.0:*               LISTEN      9141/redis-server 1 
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      7692/memcached      
tcp        0      0 0.0.0.0:9292            0.0.0.0:*               LISTEN      14409/python2       
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd           
tcp        0      0 127.0.0.1:6640          0.0.0.0:*               LISTEN      18378/ovsdb-server  
tcp        0      0 192.168.43.233:6000     0.0.0.0:*               LISTEN      17513/python2       
tcp        0      0 192.168.43.233:8080     0.0.0.0:*               LISTEN      15792/python2       
tcp        0      0 192.168.43.233:6001     0.0.0.0:*               LISTEN      17302/python2       
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      1/systemd           
tcp        0      0 192.168.43.233:6002     0.0.0.0:*               LISTEN      17083/python2       
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      604/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      853/master          
tcp        0      0 0.0.0.0:16509           0.0.0.0:*               LISTEN      21273/libvirtd      
tcp        0      0 0.0.0.0:9696            0.0.0.0:*               LISTEN      32351/python2       
tcp        0      0 0.0.0.0:6080            0.0.0.0:*               LISTEN      30595/python2       
tcp6       0      0 :::5000                 :::*                    LISTEN      24668/httpd         
tcp6       0      0 :::5672                 :::*                    LISTEN      9677/beam           
tcp6       0      0 :::8777                 :::*                    LISTEN      24668/httpd         
tcp6       0      0 :::8041                 :::*                    LISTEN      24668/httpd         
tcp6       0      0 :::8042                 :::*                    LISTEN      24668/httpd         
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd           
tcp6       0      0 :::80                   :::*                    LISTEN      24668/httpd         
tcp6       0      0 :::22                   :::*                    LISTEN      604/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      853/master          
tcp6       0      0 :::35357                :::*                    LISTEN      24668/httpd         
tcp6       0      0 :::16509                :::*                    LISTEN      21273/libvirtd
[root@controller ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Tue Sep 12 17:07:00 2017
*mangle
:PREROUTING ACCEPT [3546182:696423341]
:INPUT ACCEPT [3535325:695275765]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3517940:542400596]
:POSTROUTING ACCEPT [3517940:542400596]
COMMIT
# Completed on Tue Sep 12 17:07:00 2017
# Generated by iptables-save v1.4.21 on Tue Sep 12 17:07:00 2017
*raw
:PREROUTING ACCEPT [3544791:695851260]
:OUTPUT ACCEPT [3516549:541828531]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-PREROUTING - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A OUTPUT -j neutron-openvswi-OUTPUT
COMMIT
# Completed on Tue Sep 12 17:07:00 2017
# Generated by iptables-save v1.4.21 on Tue Sep 12 17:07:00 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.24.4.0/24 -o br-ex -m comment --comment "000 nat" -j MASQUERADE
COMMIT
# Completed on Tue Sep 12 17:07:00 2017
# Generated by iptables-save v1.4.21 on Tue Sep 12 17:07:00 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [175730:37243710]
:neutron-filter-top - [0:0]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-INPUT - [0:0]
:neutron-openvswi-OUTPUT - [0:0]
:neutron-openvswi-local - [0:0]
:neutron-openvswi-sg-chain - [0:0]
:neutron-openvswi-sg-fallback - [0:0]
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -s 192.168.43.233/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_192.168.43.233" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8042 -m comment --comment "001 aodh-api incoming aodh_api" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8777 -m comment --comment "001 ceilometer-api incoming ceilometer_api" -j ACCEPT
-A INPUT -s 192.168.43.233/32 -p tcp -m multiport --dports 3260 -m comment --comment "001 cinder incoming cinder_192.168.43.233" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8776 -m comment --comment "001 cinder-api incoming cinder_api" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_api" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8041 -m comment --comment "001 gnocchi-api incoming gnocchi_api" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon 80 incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming keystone" -j ACCEPT
-A INPUT -s 192.168.43.233/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mariadb incoming mariadb_192.168.43.233" -j ACCEPT
-A INPUT -s 192.168.43.233/32 -p tcp -m multiport --dports 27017 -m comment --comment "001 mongodb-server incoming mongodb_server" -j ACCEPT
-A INPUT -p udp -m multiport --dports 67 -m comment --comment "001 neutron dhcp in incoming neutron_dhcp_in_192.168.43.233" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_192.168.43.233" -j ACCEPT
-A INPUT -s 192.168.43.233/32 -p gre -m comment --comment "001 neutron tunnel port incoming neutron_tunnel_192.168.43.233_192.168.43.233" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775,8778 -m comment --comment "001 nova api incoming nova_api" -j ACCEPT
-A INPUT -s 192.168.43.233/32 -p tcp -m multiport --dports 5900:5999 -m comment --comment "001 nova compute incoming nova_compute" -j ACCEPT
-A INPUT -s 192.168.43.233/32 -p tcp -m multiport --dports 16509,49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_192.168.43.233_192.168.43.233" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
-A INPUT -s 192.168.43.233/32 -p tcp -m multiport --dports 6379 -m comment --comment "001 redis service incoming redis service from 192.168.43.233" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080 -m comment --comment "001 swift proxy incoming swift_proxy" -j ACCEPT
-A INPUT -s 192.168.43.233/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_192.168.43.233" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -i br-ex -m comment --comment "000 forward in" -j ACCEPT
-A FORWARD -o br-ex -m comment --comment "000 forward out" -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -p udp -m multiport --dports 68 -m comment --comment "001 neutron dhcp out outgoing neutron_dhcp_out_192.168.43.233" -j ACCEPT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
COMMIT
# Completed on Tue Sep 12 17:07:00 2017
[root@controller ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-openvswi-INPUT  all  --  anywhere             anywhere            
ACCEPT     tcp  --  controller.openstack.test  anywhere             multiport dports amqps,amqp /* 001 amqp incoming amqp_192.168.43.233 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports fs-agent /* 001 aodh-api incoming aodh_api */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8777 /* 001 ceilometer-api incoming ceilometer_api */
ACCEPT     tcp  --  controller.openstack.test  anywhere             multiport dports iscsi-target /* 001 cinder incoming cinder_192.168.43.233 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8776 /* 001 cinder-api incoming cinder_api */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports armtechdaemon /* 001 glance incoming glance_api */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8041 /* 001 gnocchi-api incoming gnocchi_api */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports http /* 001 horizon 80 incoming */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports commplex-main,openstack-id /* 001 keystone incoming keystone */
ACCEPT     tcp  --  controller.openstack.test  anywhere             multiport dports mysql /* 001 mariadb incoming mariadb_192.168.43.233 */
ACCEPT     tcp  --  controller.openstack.test  anywhere             multiport dports 27017 /* 001 mongodb-server incoming mongodb_server */
ACCEPT     udp  --  anywhere             anywhere             multiport dports bootps /* 001 neutron dhcp in incoming neutron_dhcp_in_192.168.43.233 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 9696 /* 001 neutron server incoming neutron_server_192.168.43.233 */
ACCEPT     gre  --  controller.openstack.test  anywhere             /* 001 neutron tunnel port incoming neutron_tunnel_192.168.43.233_192.168.43.233 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8773,8774,8775,8778 /* 001 nova api incoming nova_api */
ACCEPT     tcp  --  controller.openstack.test  anywhere             multiport dports rfb:cvsup /* 001 nova compute incoming nova_compute */
ACCEPT     tcp  --  controller.openstack.test  anywhere             multiport dports 16509,49152:49215 /* 001 nova qemu migration incoming nova_qemu_migration_192.168.43.233_192.168.43.233 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 6080 /* 001 novncproxy incoming */
ACCEPT     tcp  --  controller.openstack.test  anywhere             multiport dports 6379 /* 001 redis service incoming redis service from 192.168.43.233 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports webcache /* 001 swift proxy incoming swift_proxy */
ACCEPT     tcp  --  controller.openstack.test  anywhere             multiport dports x11,6001,6002,rsync /* 001 swift storage and rsync incoming swift_storage_and_rsync_192.168.43.233 */
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-openvswi-FORWARD  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             /* 000 forward in */
ACCEPT     all  --  anywhere             anywhere             /* 000 forward out */
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-openvswi-OUTPUT  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             multiport dports bootpc /* 001 neutron dhcp out outgoing neutron_dhcp_out_192.168.43.233 */

Chain neutron-filter-top (2 references)
target     prot opt source               destination         
neutron-openvswi-local  all  --  anywhere             anywhere            

Chain neutron-openvswi-FORWARD (1 references)
target     prot opt source               destination         

Chain neutron-openvswi-INPUT (1 references)
target     prot opt source               destination         

Chain neutron-openvswi-OUTPUT (1 references)
target     prot opt source               destination         

Chain neutron-openvswi-local (1 references)
target     prot opt source               destination         

Chain neutron-openvswi-sg-chain (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain neutron-openvswi-sg-fallback (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */

2 같이 보기
