Reposted from:
1. Introduction to neutron-l3-agent
OpenStack neutron-l3-agent is mainly responsible for implementing layer-3 networking: it performs SNAT, DNAT and other address translation and masquerading for virtual machines, providing a secure, elastic and isolated cloud network environment.
The following describes in detail how OpenStack uses iptables chains and rules to implement the complex network address translation (NAT) functions of neutron-l3-agent, and how binding a virtual machine's floating IP to its fixed IP works.
2. Introduction to iptables
2.1 iptables chain topology
2.2 iptables table structure
Table filter:
Chain INPUT
Chain FORWARD
Chain OUTPUT
The filter table is used for general packet filtering; it contains the INPUT, OUTPUT and FORWARD chains.
Table nat:
Chain PREROUTING
Chain OUTPUT
Chain POSTROUTING
The PREROUTING chain consists of rules that alter packets as soon as they arrive at the firewall, while the POSTROUTING chain consists of rules that alter packets just before they leave the firewall.
3. iptables commands
# Append a rule to the end of the INPUT chain: ACCEPT packets from source address 10.9.1.141
# Allow packets whose protocol is TCP, UDP or ICMP
# Delete the rule "DROP packets to port 80" from the INPUT chain
# Set the default policy of the INPUT chain to DROP
[root@xianghui-10-9-1-141 ~]# iptables -P INPUT DROP
# Create a new chain new-chain
# Delete all rules in the filter table
[root@xianghui-10-9-1-141 ~]# iptables -F
# List all rules in the INPUT chain
[root@xianghui-10-9-1-141 ~]# neutron router-create router1
+--------------------------------------+---------+-----------------------+
| id | name | external_gateway_info |
+--------------------------------------+---------+-----------------------+
|c36b384e-b1f5-45e5-bb4f-c3ed32885142 | router1 | null |
+--------------------------------------+---------+-----------------------+
[root@xianghui-10-9-1-141 ~]# vi /etc/neutron/l3_agent.ini
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
# OS is RHEL 6.4, which does not support namespaces
use_namespaces = False
# This is done by setting the specific router_id.
router_id = c36b384e-b1f5-45e5-bb4f-c3ed32885142
# Name of bridge used for external network traffic. This should be set to
# empty value for the linux bridge
external_network_bridge = br-eth1
[root@xianghui-10-9-1-141 ~]# service neutron-l3-agent restart
Enable forwarding
6. Translation between neutron floating IP and fixed IP
Source NAT (SNAT)
[root@xianghui-10-9-1-141 ~]# iptables -t nat -A neutron-l3-agent-float-snat -s 70.0.0.6/32 -j SNAT --to-source 192.168.12.100
Destination NAT (DNAT)
[root@xianghui-10-9-1-141 ~]# iptables -t nat -A neutron-l3-agent-PREROUTING -d 192.168.12.100/32 -j DNAT --to-destination 70.0.0.6
Test: ping 192.168.12.100 from the guest 70.0.0.11; the packets are forwarded to the guest at 70.0.0.6
[root@xianghui-10-9-1-141 ~]# ssh ec2-user@70.0.0.11
[ec2-user@wordpress-test-wikidatabase-jevfsmkbakch ~]$ ping 192.168.12.100
PING 192.168.12.100 (192.168.12.100) 56(84) bytes of data.
64 bytes from 70.0.0.6: icmp_req=1 ttl=64 time=3.09 ms
64 bytes from 70.0.0.6: icmp_req=2 ttl=64 time=0.281 ms
64 bytes from 70.0.0.6: icmp_req=3 ttl=64 time=0.151 ms
After the neutron-l3-agent-float-snat chain is appended to the POSTROUTING chain, packets sent from 70.0.0.6 are masqueraded as coming from 192.168.12.16, which hides the real source address
[root@xianghui-10-9-1-141 ~]# iptables -t nat -A POSTROUTING -j neutron-l3-agent-float-snat
[ec2-user@wordpress-test-wikidatabase-jevfsmkbakch ~]$ ping 192.168.12.100
PING 192.168.12.100 (192.168.12.100) 56(84) bytes of data.
64 bytes from 192.168.12.100: icmp_req=1 ttl=63 time=2.47 ms
64 bytes from 192.168.12.100: icmp_req=2 ttl=63 time=0.199 ms
64 bytes from 192.168.12.100: icmp_req=3 ttl=63 time=0.251 ms
7. Case study (ALL-IN-ONE)
7.1 Network topology of the virtual machines
7.2 Virtual machines ping each other via floating IP
# ping 192.168.12.100(70.0.0.6) from 70.0.0.11
# s:70.0.0.11 d:70.0.0.6
# prerouting -> forward -> postrouting
[root@xianghui-10-9-1-141 ~]# iptables -A neutron-l3-agent-FORWARD -d 70.0.0.11/32 -j ACCEPT
[root@xianghui-10-9-1-141 ~]# iptables -A neutron-l3-agent-FORWARD -d 70.0.0.6/32 -j ACCEPT
[root@xianghui-10-9-1-141 ~]# iptables -t nat -A neutron-l3-agent-PREROUTING -d 192.168.12.100/32 -j DNAT --to-destination 70.0.0.6
7.3 The host pings a virtual machine's floating IP
-A OUTPUT -j neutron-l3-agent-OUTPUT
[root@xianghui-10-9-1-141 ~]# iptables -t nat -A neutron-l3-agent-OUTPUT -d 192.168.12.100/32 -j DNAT --to-destination 70.0.0.6
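Sections 6 and 7 show that a floating IP binding is only complete when the DNAT rules in neutron-l3-agent-PREROUTING/neutron-l3-agent-OUTPUT, the SNAT rule in neutron-l3-agent-float-snat, and the POSTROUTING jump into that chain all exist; the first test above (replies arriving from 70.0.0.6) is what a missing jump looks like. The following is an added audit script, not part of the original post or of neutron itself; it parses constructed `iptables-save -t nat` output in the format used on this page and reports bindings that are half-configured.

```python
import re
from collections import defaultdict

# Constructed sample of `iptables-save -t nat` output mirroring the post's rules. The
# POSTROUTING jump is left out and 192.168.12.101 has DNAT but no SNAT, so both get flagged.
SAMPLE_NAT = """\
*nat
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-l3-agent-PREROUTING -d 192.168.12.100/32 -j DNAT --to-destination 70.0.0.6
-A neutron-l3-agent-OUTPUT -d 192.168.12.100/32 -j DNAT --to-destination 70.0.0.6
-A neutron-l3-agent-float-snat -s 70.0.0.6/32 -j SNAT --to-source 192.168.12.100
-A neutron-l3-agent-PREROUTING -d 192.168.12.101/32 -j DNAT --to-destination 70.0.0.11
COMMIT
"""

DNAT_RE = re.compile(r"^-A (\S+) -d (\S+?)/32 -j DNAT --to-destination (\S+)$")
SNAT_RE = re.compile(r"^-A (\S+) -s (\S+?)/32 -j SNAT --to-source (\S+)$")
JUMP_RE = re.compile(r"^-A (\S+) -j (\S+)$")
DNAT_CHAINS = ("neutron-l3-agent-PREROUTING", "neutron-l3-agent-OUTPUT")

def parse_nat(text):
    """Return (floating -> {fixed}, fixed -> floating, chain -> {jump targets})."""
    dnat, snat, jumps = defaultdict(set), {}, defaultdict(set)
    for line in text.splitlines():
        if (m := DNAT_RE.match(line)) and m.group(1) in DNAT_CHAINS:
            dnat[m.group(2)].add(m.group(3))
        elif (m := SNAT_RE.match(line)) and m.group(1) == "neutron-l3-agent-float-snat":
            snat[m.group(2)] = m.group(3)
        elif m := JUMP_RE.match(line):
            jumps[m.group(1)].add(m.group(2))
    return dnat, snat, jumps

def audit(text):
    """List floating-IP bindings that are incomplete or ambiguous."""
    dnat, snat, jumps = parse_nat(text)
    findings = []
    if "neutron-l3-agent-float-snat" not in jumps["POSTROUTING"]:
        findings.append("POSTROUTING never jumps to neutron-l3-agent-float-snat: "
                        "outbound packets keep their fixed IP as source")
    for floating, fixed_set in dnat.items():
        if len(fixed_set) > 1:
            findings.append(f"{floating} is DNATed to several fixed IPs {sorted(fixed_set)}")
        for fixed in fixed_set:
            if snat.get(fixed) != floating:
                findings.append(f"{floating} -> {fixed}: DNAT present but no matching SNAT")
    for fixed, floating in snat.items():
        if fixed not in dnat.get(floating, ()):
            findings.append(f"{fixed} -> {floating}: SNAT present but no matching DNAT")
    return findings
```

On a real host, feed it the output of `iptables-save -t nat` instead of SAMPLE_NAT.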