'iptables'에 해당되는 글 1건

  1. 2014.09.30 Flow chart of iptables

1. Network A -> Network A

PREROUTING(nat:dnat) -> INPUT(filter) -> OUTPUT(nat:dnat) -> OUTPUT(filter->POSTROUTING(nat:snat)


2. Network A -> Network B

PREROUTING(nat:dnat) -> FORWARD(filter) -> POSTROUTING(nat:snat)


3. Nova Instance 생성 후 iptables nat

PREROUTING ACCEPT

    nova-network-PREROUTING

        -> VM DNAT 변환

    nova-compute-PREROUTING

    nova-api-metadat-PREROUTING

INPUT ACCEPT

OUTPUT ACCEPT

    nova-network-OUTPUT

        -> VM DNAT 변환

    nova-compute-OUTPUT

    nova-api-metadat-OUTPUT

POSTROUTING ACCEPT

    nova-network-POSTROUTING

    nova-compute-POSTROUTING

    nova-api-metadat-POSTROUTING

    nova-postrouting-bottom

        nova-network-snat

            nova-network-float-snat

                -> VM SNAT 변환

            

            -> Host SNAT 변환

        nova-compute-snat

            nova-compute-float-snat

        nova-api-metadat-snat

            nova-api-metadat-float-snat


4. Nova Instance 생성 후 iptables filter

INPUT ACCEPT

    nova-compute-INPUT

    nova-network-INPUT

        - dhcp 열기 (bridge 단위)

    nova-api-metadat-INPUT

        - nova metadata api 포트 8775 승인

FORWARD ACCEPT

    nova-filter-top

        nova-compute-local

            - nova-compute-inst-732 (인스턴스별 생성)

                nova-compute-provider

                - Secutiry rules 입력

                nova-compute-sg-fallback

                    - 모든 패킷 drop

        nova-network-local

        nova-api-metadat-local

    nova-compute-FORWARD

    nova-network-FORWARD

        - bridge 별 in/out 패킷 승인

    nova-api-metadat-FORWARD

OUTPUT ACCEPT

    nova-filter-top

        nova-compute-local

            - nova-compute-inst-732 (인스턴스별 생성)

                nova-compute-provider

                - Secutiry rules 입력

                nova-compute-sg-fallback

                    - 모든 패킷 drop

        nova-network-local

        nova-api-metadat-local

    nova-compute-OUTPUT

    nova-network-OUTPUT

    nova-api-metadat-OUTPUT





Posted by Kubernetes Korea co-leader seungkyua@gmail.com