1.简介neutron-l3-agentOpenStackneutron-l3-agent主要负责实现网络三层协议,为虚拟机完成SNAT,DNAT等地址的转换与伪装,提供安全弹性隔离的云网络环境,下面详细叙述了OpenStack如何使用iptables链与规则完成复杂的neutron-l3-agent的网络地址转换(N
1. 简介neutron-l3-agent
OpenStack neutron-l3-agent
主要负责实现网络三层协议,为虚拟机完成SNAT,DNAT等地址的转换与伪装,提供安全弹性隔离的云网络环境,
下面详细叙述了OpenStack如何使用iptables链与规则完成复杂的neutron-l3-agent
的网络地址转换(NAT)功能,虚拟机floating ip与fixed ip绑定的工作原理。
2. iptables 简介
2.1 iptables 链拓扑结构
2.2 iptables 表结构
Table filter:
Chain
INPUT
Chain
FORWARD
Chain
OUTPUT
filter 表用于一般的信息包过滤,它包含
INPUT 、 OUTPUT 和 FORWARD 链。
Table nat:
Chain
PREROUTING
Chain
OUTPUT
Chain
POSTROUTING
PREROUTING
链由指定信息包一到达防火墙就改变它们的规则所组成,而 POSTROUTING
链由指定正当信息包打算离开防火墙时改变它们的规则所组成。
3. iptables command
# 添加一条规则到 INPUT 链的末尾,ACCEPT 来自源地址 10.9.1.141 的包
[root@xianghui-10-9-1-141 ~]# iptables -A INPUT -s 10.9.1.141 -j ACCEPT
#允许protocol为TCP 、 UDP 、 ICMP 的包通过
[root@xianghui-10-9-1-141 ~]# iptables -A INPUT -p TCP, UDP
# 从INPUT链中删除掉规则“Drop 到端口80的包”
[root@xianghui-10-9-1-141 ~]# iptables -D INPUT --dport 80 -j DROP
# 将 INPUT 链的缺省规则指定为 DROP
[root@xianghui-10-9-1-141 ~]# iptables -P INPUT DROP
# 创建一个新链new-chain
[root@xianghui-10-9-1-141 ~]# iptables -N new-chain
# 删除Table filter 中的所有规则
[root@xianghui-10-9-1-141 ~]# iptables -F
# 列出INPUT链中的所有规则
[root@xianghui-10-9-1-141 ~]# iptables -L INPUT
# 删除链
[root@xianghui-10-9-1-141 ~]# iptables -X
4. 配置neutron-l3-agent
[root@xianghui-10-9-1-141 ~]# neutron router-create router1
+--------------------------------------+---------+-----------------------+
| id | name | external_gateway_info |
+--------------------------------------+---------+-----------------------+
|c36b384e-b1f5-45e5-bb4f-c3ed32885142 | router1 | null |
+--------------------------------------+---------+-----------------------+
[root@xianghui-10-9-1-141 ~]# vi /etc/neutron/l3_agent.ini
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
# OS is RHEL6.4, not support namespace
use_namespaces = False
# This is done by setting the specific router_id.
router_id = c36b384e-b1f5-45e5-bb4f-c3ed32885142
# Name of bridge used for external network traffic. This should be set to
# empty value for the linux bridge
external_network_bridge = br-eth1
[root@xianghui-10-9-1-141 ~]# service neutron-l3-agent restart
启用转发功能
[root@xianghui-10-9-1-141 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
5. neutron 利用iptables 实现 NAT 原理
iptables 中neutron l3 agent自定义的链:
neutron-l3-agent-PREROUTING
neutron-l3-agent-OUTPUT
neutron-l3-agent-POSTROUTING
创建外部网络(分配floatingip)
[root@xianghui-10-9-1-141 ~]# neutron net-create ext_net --router:external=True
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 2d72d81b-cf09-459e-87fb-a50fa0e8730a |
| name | ext_net |
| provider:network_type | vlan |
| provider:physical_network | physnet1 |
| provider:segmentation_id | 1000 |
| router:external | True |
| shared | False |
| status | ACTIVE |
| subnets | e1932e73-1e4b-4f87-9ebf-758a757e20ef |
| tenant_id | b21a96e16c3c438caab4a27a1f58a5b8 |
+---------------------------+--------------------------------------+
[root@oc2603148815 cfn]# subnet-create ext_net --allocation-pool start=192.168.12.10,end=192.168.12.50 --gateway 192.168.12.1 192.168.12.0/24 --enable_dhcp=False
+------------------+----------------------------------------------------+
| Field | Value |
+------------------+----------------------------------------------------+
| allocation_pools | {"start": "192.168.12.10", "end": "192.168.12.50"} |
| cidr | 192.168.12.0/24 |
| dns_nameservers | |
| enable_dhcp | False |
| gateway_ip | 192.168.12.1 |
| host_routes | |
| id | e1932e73-1e4b-4f87-9ebf-758a757e20ef |
| ip_version | 4 |
| name | |
| network_id | 2d72d81b-cf09-459e-87fb-a50fa0e8730a |
| tenant_id | b21a96e16c3c438caab4a27a1f58a5b8 |
+------------------+----------------------------------------------------+
创建内部网络(分配fixedip)
[root@oc2603148815 cfn]# neutron net-create vlan-70 --provider:network_type vlan --provider:physical_network physnet1 --provider:segmentation_id 16
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 793a95b7-cf1f-4bde-b7b8-5a9a2e552fae |
| name | vlan-70 |
| provider:network_type | vlan |
| provider:physical_network | physnet1 |
| provider:segmentation_id | 16 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | f542941d-5d53-45e4-85d0-944e030c2bcc |
| tenant_id | b21a96e16c3c438caab4a27a1f58a5b8 |
+---------------------------+--------------------------------------+
[root@oc2603148815 cfn]# neutron subnet-create vlan-70 70.0.0.0/24
+------------------+--------------------------------------------+
| Field | Value |
+------------------+--------------------------------------------+
| allocation_pools | {"start": "70.0.0.2", "end": "70.0.0.254"} |
| cidr | 70.0.0.0/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 70.0.0.1 |
| host_routes | |
| id | f542941d-5d53-45e4-85d0-944e030c2bcc |
| ip_version | 4 |
| name | |
| network_id | 793a95b7-cf1f-4bde-b7b8-5a9a2e552fae |
| tenant_id | b21a96e16c3c438caab4a27a1f58a5b8 |
+------------------+--------------------------------------------+
[root@oc2603148815 cfn]# neutron net-list
+--------------------------------------+---------+------------------------------------------------------+
| id | name | subnets |
+--------------------------------------+---------+------------------------------------------------------+
| 2d72d81b-cf09-459e-87fb-a50fa0e8730a | ext_net | e1932e73-1e4b-4f87-9ebf-758a757e20ef 192.168.12.0/24 |
| 793a95b7-cf1f-4bde-b7b8-5a9a2e552fae | vlan-70 | f542941d-5d53-45e4-85d0-944e030c2bcc 70.0.0.0/24 |
+--------------------------------------+---------+------------------------------------------------------+
绑定内外网到router1
# neutron router-gateway-set $ROUTER_ID $EXTERNAL_NETWORK_ID
[root@oc2603148815 cfn]# neutron router-gateway-set 06d85a01-fc42-4cde-a0f1-377f2f394a64 2d72d81b-cf09-459e-87fb-a50fa0e8730a
# neutron router-interface-add $ROUTER_ID $SUBNET_ID
[root@oc2603148815 cfn]# neutron router-interface-add 06d85a01-fc42-4cde-a0f1-377f2f394a64 f542941d-5d53-45e4-85d0-944e030c2bcc
经过上面的步骤后neutron-l3-agent会加入下列规则到iptables:
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 70.0.0.0/24 -j SNAT --to-source 192.168.12.10
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
创建floating ip(192.168.12.11)并绑定到vm的fixed ip(选择70.0.0.3):
[root@xianghui-10-9-1-141 ~]# neutron floatingip-create 2d72d81b-cf09-459e-87fb-a50fa0e8730a
Created a new floatingip:
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | |
| floating_ip_address | 192.168.12.11 |
| floating_network_id | 2d72d81b-cf09-459e-87fb-a50fa0e8730a |
| id | f8b48ab7-ea51-4f29-bc84-0ab179808dbb |
| port_id | |
| router_id | |
| tenant_id | adc4e7a4effa44ffa3c6e48dd5a8555a |
+---------------------+--------------------------------------+
找出想要被绑定的fixed ip 的port id
[root@xianghui-10-9-1-141 ~]# neutron port-list
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| 0d06055b-2f31-4d8e-b8da-e048d76a07cc | | fa:16:3e:d7:f4:19 | {"subnet_id": "5c62752f-27ba-4d38-9702-2ca17ec2741d", "ip_address": "70.0.0.3"} |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
[root@xianghui-10-9-1-141 ~]# neutron floatingip-associate f8b48ab7-ea51-4f29-bc84-0ab179808dbb0d06055b-2f31-4d8e-b8da-e048d76a07cc
Associated floatingip f8b48ab7-ea51-4f29-bc84-0ab179808dbb
[root@xianghui-10-9-1-141 ~]# neutron floatingip-list
+--------------------------------------+------------------+---------------------+--------------------------------------+
| id | fixed_ip_address | floating_ip_address | port_id |
+--------------------------------------+------------------+---------------------+--------------------------------------+
| f8b48ab7-ea51-4f29-bc84-0ab179808dbb | 70.0.0.3 | 192.168.12.11 | b0797fe6-b799-41ea-86d0-9d9bfa0b2eb9 |
+--------------------------------------+------------------+---------------------+--------------------------------------+
经过前面步骤后,iptables会多出下面的规则,
所有目标ip是192.168.12.11的包都会被转发到ip 70.0.0.3的guest上
-A neutron-l3-agent-OUTPUT -d 192.168.12.11/32 -j DNAT --to-destination 70.0.0.3
-A neutron-l3-agent-PREROUTING -d 192.168.12.11/32 -j DNAT --to-destination 70.0.0.3
-A neutron-l3-agent-float-snat -s 70.0.0.3/32 -j SNAT --to-source 192.168.12.11
6. neutron floating ip 与 fixed ip
的转换
源地址转换(SNAT)
[root@xianghui-10-9-1-141 ~]# iptables -t nat -Aneutron-l3-agent-float-snat -s 70.0.0.6/32-j SNAT --to-source 192.168.12.100
目的地址转换(DNAT)
[root@xianghui-10-9-1-141 ~]# iptables -t nat -Aneutron-l3-agent-PREROUTING -d 192.168.12.100/32-j DNAT --to-destination 70.0.0.6
测试:(从guest 70.0.0.11上ping 192.168.12.100,
结果被转发到70.0.0.6的guest上)
[root@xianghui-10-9-1-141 ~]# ssh ec2-user@70.0.0.11
[ec2-user@wordpress-test-wikidatabase-jevfsmkbakch ~]$ ping 192.168.12.100
PING 192.168.12.100 (192.168.12.100) 56(84) bytes of data.
64 bytes from 70.0.0.6: icmp_req=1 ttl=64 time=3.09 ms
64 bytes from 70.0.0.6: icmp_req=2 ttl=64 time=0.281 ms
64 bytes from 70.0.0.6: icmp_req=3 ttl=64 time=0.151 ms
将规则neutron-l3-agent-float-snat加到POSTROUTING规则之后,从70.0.0.6发出的包被伪装成来自192.168.12.16,借此掩盖源地址
[root@xianghui-10-9-1-141 ~]# iptables -t nat -A POSTROUTING -j neutron-l3-agent-float-snat
[ec2-user@wordpress-test-wikidatabase-jevfsmkbakch ~]$ ping 192.168.12.100
PING 192.168.12.100 (192.168.12.100) 56(84) bytes of data.
64 bytes from 192.168.12.100: icmp_req=1 ttl=63 time=2.47 ms
64 bytes from 192.168.12.100: icmp_req=2 ttl=63 time=0.199 ms
64 bytes from 192.168.12.100: icmp_req=3 ttl=63 time=0.251 ms
7. 实例分析(ALL-IN-ONE)
7.1 虚拟机的网络拓扑
7.2 虚拟机之间用floating ip ping通
# ping 192.168.12.100(70.0.0.6) from 70.0.0.11
# s:70.0.0.11 d:70.0.0.6
# prerouting -> forward -> postrouting
[root@xianghui-10-9-1-141 ~]# iptables -A neutron-l3-agent-FORWARD -d 70.0.0.11/32 -j ACCEPT
[root@xianghui-10-9-1-141 ~]# iptables -A neutron-l3-agent-FORWARD -d 70.0.0.6/32 -j ACCEPT
[root@xianghui-10-9-1-141 ~]# iptables -t nat -A neutron-l3-agent-PREROUTING -d 192.168.12.100/32 -j DNAT --to-destination 70.0.0.6
7.3 虚拟机主机ping通虚拟机的floating ip
-A OUTPUT -j neutron-l3-agent-OUTPUT
[root@xianghui-10-9-1-141 ~]# iptables -A neutron-l3-agent-OUTPUT -d 192.168.12.100/32 -j DNAT --to-destination 70.0.0.6
京公网安备 11010802041100号 | 京ICP备19059560号-4 | PHP1.CN 第一PHP社区 版权所有 