1. Network A -> Network A
PREROUTING(nat:dnat) -> INPUT(filter) -> OUTPUT(nat:dnat) -> OUTPUT(filter) -> POSTROUTING(nat:snat)
2. Network A -> Network B
PREROUTING(nat:dnat) -> FORWARD(filter) -> POSTROUTING(nat:snat)
3. iptables nat after creating a Nova instance
PREROUTING ACCEPT
    nova-network-PREROUTING
        -> VM DNAT translation
    nova-compute-PREROUTING
    nova-api-metadat-PREROUTING
INPUT ACCEPT
OUTPUT ACCEPT
    nova-network-OUTPUT
        -> VM DNAT translation
    nova-compute-OUTPUT
    nova-api-metadat-OUTPUT
POSTROUTING ACCEPT
    nova-network-POSTROUTING
    nova-compute-POSTROUTING
    nova-api-metadat-POSTROUTING
    nova-postrouting-bottom
        nova-network-snat
            nova-network-float-snat
                -> VM SNAT translation
            -> Host SNAT translation
        nova-compute-snat
            nova-compute-float-snat
        nova-api-metadat-snat
            nova-api-metadat-float-snat
4. iptables filter after creating a Nova instance
INPUT ACCEPT
    nova-compute-INPUT
    nova-network-INPUT
        - opens dhcp (per bridge)
    nova-api-metadat-INPUT
        - accepts the nova metadata api port 8775
FORWARD ACCEPT
    nova-filter-top
        nova-compute-local
            - nova-compute-inst-732 (created per instance)
            nova-compute-provider
                - security rules are entered here
            nova-compute-sg-fallback
                - drops all packets
        nova-network-local
        nova-api-metadat-local
    nova-compute-FORWARD
    nova-network-FORWARD
        - accepts in/out packets per bridge
    nova-api-metadat-FORWARD
OUTPUT ACCEPT
    nova-filter-top
        nova-compute-local
            - nova-compute-inst-732 (created per instance)
            nova-compute-provider
                - security rules are entered here
            nova-compute-sg-fallback
                - drops all packets
        nova-network-local
        nova-api-metadat-local
    nova-compute-OUTPUT
    nova-network-OUTPUT
    nova-api-metadat-OUTPUT
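To check that the filter-table nesting above actually holds on a host, the -j jumps in iptables-save output can be parsed into a graph and walked from FORWARD or OUTPUT down to the per-instance chain and its sg-fallback DROP. This is an added example, not part of the original note; SAMPLE_RULES is a constructed iptables-save fragment using the note's chain names, and the instance address 10.0.0.5 is made up.

```python
# Added example (not from the note): parse the -j jumps of a Nova-style
# iptables filter table and follow how a packet reaches the per-instance chain.
# SAMPLE_RULES is a constructed iptables-save fragment; 10.0.0.5 is made up.
SAMPLE_RULES = """\
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-FORWARD
-A OUTPUT -j nova-filter-top
-A nova-filter-top -j nova-compute-local
-A nova-compute-local -d 10.0.0.5/32 -j nova-compute-inst-732
-A nova-compute-inst-732 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-732 -j nova-compute-provider
-A nova-compute-inst-732 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-732 -j nova-compute-sg-fallback
-A nova-compute-sg-fallback -j DROP
COMMIT
"""

def parse_jumps(text):
    """Return {chain: [(match_spec, jump_target), ...]} from the -A lines."""
    graph = {}
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue  # policy and COMMIT lines carry no rules
        parts = line.split(" ", 2)
        spec, _, target = (parts[2] if len(parts) > 2 else "").partition("-j ")
        graph.setdefault(parts[1], []).append((spec.strip(), target.strip() or None))
    return graph

def path_to(graph, start, goal, seen=None):
    """Depth-first walk along jumps; returns the chain path start..goal or None."""
    if start == goal:
        return [start]
    seen = set() if seen is None else seen
    seen.add(start)
    for _, target in graph.get(start, []):
        if target and target not in seen:
            sub = path_to(graph, target, goal, seen)
            if sub:
                return [start] + sub
    return None

def final_verdict(graph, chain):
    """Target of the chain's last rule, i.e. the fate of an otherwise unmatched packet."""
    rules = graph.get(chain, [])
    return rules[-1][1] if rules else None

if __name__ == "__main__":
    g = parse_jumps(SAMPLE_RULES)
    print(" -> ".join(path_to(g, "FORWARD", "nova-compute-inst-732")))
    print("sg-fallback verdict:", final_verdict(g, "nova-compute-sg-fallback"))
```

On a real host, feed it `iptables-save -t filter` output instead of SAMPLE_RULES; a per-instance chain that is not reachable from FORWARD, or a sg-fallback whose last rule is not DROP, means the security-group layout is not what the note describes.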