7. Adding routes and configuring firewall rules for two tenant networks
Adding routes and configuring firewall rules for two tenant networks lets the two tenant networks reach each other and shows how firewall rules are implemented on the router. Here Tenant1 and Tenant2 are chosen as the two tenants for which routes are created and firewall rules configured.
1) Configuration information
# tenant1: attached to qrouter01, gateway qr01 10.0.0.1
# tenant2: attached to qrouter01, gateway qr02 10.0.1.1
2) Create the tenant1 gateway device qr01 and the qrouter01 routing namespace
# internal OVS port qr01 on br-int, VLAN tag 1 for tenant1
ovs-vsctl -- --if-exists del-port qr01 -- add-port br-int qr01 -- set interface qr01 type=internal
ovs-vsctl --timeout=10 set Port qr01 tag=1
# router namespace; move qr01 into it and bring it up
ip netns add qrouter01
ip netns exec qrouter01 ip link set lo up
ip link set qr01 netns qrouter01
ip netns exec qrouter01 ip link set qr01 up
# gateway address (the /24 prefix length is inferred from the 10.0.0.255 broadcast address)
ip netns exec qrouter01 ip -4 addr add 10.0.0.1/24 brd 10.0.0.255 scope global dev qr01
# the namespace must forward between its qr ports
ip netns exec qrouter01 sysctl -w net.ipv4.ip_forward=1
3) Create the tenant2 gateway device qr02
# same sequence as for qr01 in step 2, with VLAN tag 2 and the tenant2 subnet; the namespace already exists
ovs-vsctl -- --if-exists del-port qr02 -- add-port br-int qr02 -- set interface qr02 type=internal
ovs-vsctl --timeout=10 set Port qr02 tag=2
ip link set qr02 netns qrouter01
ip netns exec qrouter01 ip link set qr02 up
ip netns exec qrouter01 ip -4 addr add 10.0.1.1/24 brd 10.0.1.255 scope global dev qr02
4) With both gateways, qr01 (10.0.0.1) and qr02 (10.0.1.1), assigned to the qrouter01 namespace, the two tenant networks can reach each other through the namespace's internal routing table (the connected routes for 10.0.0.0/24 and 10.0.1.0/24 are installed automatically when the addresses are added).
5) Configure the basic inter-tenant firewall rules
# start from an empty filter table with ACCEPT policies on the built-in chains
ip netns exec qrouter01 iptables -F
ip netns exec qrouter01 iptables -X
ip netns exec qrouter01 iptables -Z
ip netns exec qrouter01 iptables -t filter -P INPUT ACCEPT
ip netns exec qrouter01 iptables -t filter -P FORWARD ACCEPT
ip netns exec qrouter01 iptables -t filter -P OUTPUT ACCEPT
# Neutron-style chains; "fwaas-defau" is deliberately truncated because iptables limits chain names to 28 characters
ip netns exec qrouter01 iptables -t filter -N neutron-filter-top
ip netns exec qrouter01 iptables -t filter -N neutron-l3-agent-FORWARD
ip netns exec qrouter01 iptables -t filter -N neutron-l3-agent-INPUT
ip netns exec qrouter01 iptables -t filter -N neutron-l3-agent-OUTPUT
ip netns exec qrouter01 iptables -t filter -N neutron-l3-agent-fwaas-defau
ip netns exec qrouter01 iptables -t filter -N neutron-l3-agent-iv01
ip netns exec qrouter01 iptables -t filter -N neutron-l3-agent-local
ip netns exec qrouter01 iptables -t filter -N neutron-l3-agent-ov01
# wire the built-in chains into the Neutron chains
ip netns exec qrouter01 iptables -t filter -A INPUT -j neutron-l3-agent-INPUT
ip netns exec qrouter01 iptables -t filter -A FORWARD -j neutron-filter-top
ip netns exec qrouter01 iptables -t filter -A FORWARD -j neutron-l3-agent-FORWARD
ip netns exec qrouter01 iptables -t filter -A OUTPUT -j neutron-filter-top
ip netns exec qrouter01 iptables -t filter -A OUTPUT -j neutron-l3-agent-OUTPUT
ip netns exec qrouter01 iptables -t filter -A neutron-filter-top -j neutron-l3-agent-local
# forwarded traffic: iv01 for packets leaving a qr port, ov01 for packets entering one, then the default-drop chain
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-FORWARD -o qr+ -j neutron-l3-agent-iv01
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-FORWARD -i qr+ -j neutron-l3-agent-ov01
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-FORWARD -o qr+ -j neutron-l3-agent-fwaas-defau
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-FORWARD -i qr+ -j neutron-l3-agent-fwaas-defau
# metadata proxy on the router's loopback (tcp/9697)
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT
# default policy: anything not explicitly accepted in iv01/ov01 is dropped
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-fwaas-defau -j DROP
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-iv01 -m state --state INVALID -j DROP
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-iv01 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-ov01 -m state --state INVALID -j DROP
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-ov01 -m state --state RELATED,ESTABLISHED -j ACCEPT
6) Allow the ping and SSH services
# ACCEPT in iv01/ov01 terminates processing, so these packets never reach the default DROP chain
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-iv01 -p icmp -j ACCEPT
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-ov01 -p icmp -j ACCEPT
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-iv01 -p tcp -m tcp --dport 22 -j ACCEPT
ip netns exec qrouter01 iptables -t filter -A neutron-l3-agent-ov01 -p tcp -m tcp --dport 22 -j ACCEPT
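The rule set from steps 5 and 6 only works as a default-deny firewall if the jump into the allow chain comes before the jump into the default-drop chain and no extra ACCEPT rules creep into iv01/ov01. The audit function below is an added example, not code from the original article: it reads an iptables-save dump of the router namespace's filter table on stdin (the embedded dump is a constructed, abridged sample mirroring this section's rules; the function name is made up here) and fails on either of those mistakes.

```shell
# Added audit helper, not from the original article: reads an iptables-save
# dump of the qrouter01 filter table on stdin and checks that the tenant
# firewall from steps 5 and 6 keeps its default-drop backstop and only
# accepts ping and SSH. Live use: ip netns exec qrouter01 iptables-save | audit_tenant_fw

# Constructed sample dump (abridged) mirroring this section's rules.
SAMPLE_RULES='*filter
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A neutron-l3-agent-FORWARD -o qr+ -j neutron-l3-agent-iv01
-A neutron-l3-agent-FORWARD -i qr+ -j neutron-l3-agent-ov01
-A neutron-l3-agent-FORWARD -o qr+ -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i qr+ -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-fwaas-defau -j DROP
-A neutron-l3-agent-iv01 -m state --state INVALID -j DROP
-A neutron-l3-agent-iv01 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv01 -p icmp -j ACCEPT
-A neutron-l3-agent-iv01 -p tcp -m tcp --dport 22 -j ACCEPT
-A neutron-l3-agent-ov01 -m state --state INVALID -j DROP
-A neutron-l3-agent-ov01 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov01 -p icmp -j ACCEPT
-A neutron-l3-agent-ov01 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

audit_tenant_fw() {
    rules=$(cat)
    # 1. The FWaaS default chain must end in DROP and FORWARD must reach it
    #    for traffic leaving (-o) and entering (-i) the qr+ gateway ports.
    for needed in '-A neutron-l3-agent-fwaas-defau -j DROP' \
        '-A neutron-l3-agent-FORWARD -o qr+ -j neutron-l3-agent-fwaas-defau' \
        '-A neutron-l3-agent-FORWARD -i qr+ -j neutron-l3-agent-fwaas-defau'; do
        printf '%s\n' "$rules" | grep -qF -- "$needed" \
            || { printf 'missing rule: %s\n' "$needed"; return 1; }
    done
    # 2. The jump into the allow chain (iv01) must precede the jump into the
    #    default-drop chain, or packets are dropped before ICMP/SSH is checked.
    printf '%s\n' "$rules" | awk '/-j neutron-l3-agent-iv01$/ { iv = NR }
        /-o qr\+ -j neutron-l3-agent-fwaas-defau$/ { dd = NR }
        END { exit !(iv && dd && iv < dd) }' \
        || { echo 'allow chain is reached only after the default DROP'; return 1; }
    # 3. Any ACCEPT in iv01/ov01 other than the state rule must be ICMP or SSH.
    extra=$(printf '%s\n' "$rules" | grep -- '^-A neutron-l3-agent-[io]v01 ' \
        | grep -- '-j ACCEPT$' | grep -v -- '--state RELATED,ESTABLISHED' \
        | grep -v -E -- '-p icmp |--dport (22|ssh) ' || true)
    [ -z "$extra" ] || { printf 'unexpected ACCEPT:\n%s\n' "$extra"; return 1; }
    echo 'tenant firewall OK'
}
```

Run it against the sample with `printf '%s\n' "$SAMPLE_RULES" | audit_tenant_fw`; against a live router, feed it the namespace's iptables-save output instead.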
Resources:
Sammyliu's "Neutron Understanding" series http://www.cnblogs.com/sammyliu/p/4622563.html
In-depth understanding of Neutron: OpenStack network implementation https://www.gitbook.com/book/yeasy/openstack_understand_neutron/details
Author profile: Zhao Junfeng is an OpenStack development engineer in the cloud computing department of China Sheng Shun Thai Information Industry Development Co., Ltd. He works mainly on software development and system architecture design for OpenStack compute, network and storage services in mixed Power and x86 environments.
Building an OpenStack runtime environment from scratch (VI): inter-tenant network routing and firewalls