FWaaS Introduction
FWaaS uses iptables to apply firewall policy to all networking routers within a project. (These iptables rules live in the router's network namespace.)
FWaaS supports one firewall policy and one logical firewall instance per project. (My translation skills are limited.)
FWaaS is currently in technical preview; untested operation is not recommended. (That is, FWaaS is only a technical implementation for now, and operations that have not been tested are not recommended.)
Differences between FWaaS and Security Groups
The iptables rules of FWaaS live in the router's network namespace (mainly in the filter table).
The iptables rules of Security Groups live on the compute node where the VM is located (mainly in the filter table).
This blog post introduces iptables in Neutron and summarizes it well: http://lingxiankong.github.io/blog/2013/11/19/iptables-in-neutron/
FWaaS Architecture
[Figure: FWaaS architecture diagram]
Specific Configuration
    [[email protected] neutron]# vim /etc/neutron.conf
    # Edit the neutron.conf configuration file and add the following content:
    [DEFAULT]
    service_plugins = firewall

    [service_providers]
    service_provider = firewall:iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default

    [fwaas]
    driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
    enabled = True

    [[email protected] neutron]# vim /etc/openstack-dashboard/local_settings
    # Edit the dashboard configuration file:
    'enable_firewall': True,  # enable the FWaaS panel on the dashboard; the default value is False

    # Restart the corresponding services for the changes to take effect:
    [[email protected] ~]# service neutron-server restart
    Stopping neutron:            [  OK  ]
    Starting neutron:            [  OK  ]
    [[email protected] ~]# service neutron-l3-agent restart
    Stopping neutron-l3-agent:   [  OK  ]
    Starting neutron-l3-agent:   [  OK  ]
    [[email protected] ~]# service httpd restart
    Stopping httpd:              [  OK  ]
    Starting httpd:              [  OK  ]
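A firewall service that is configured but not switched on enforces nothing, so it is worth checking the edited file before relying on it. The following is an added example, not code from the original post or from OpenStack: the function name audit_fwaas_conf and both sample configurations are constructed for illustration, and the check covers only the three settings shown above.

```python
import configparser

# Constructed sample mirroring the neutron.conf fragment shown above.
SAMPLE_OK = """
[DEFAULT]
service_plugins = firewall
[service_providers]
service_provider = firewall:iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True
"""

# Constructed sample: firewall plugin not listed and the [fwaas] switch left off.
SAMPLE_BAD = """
[DEFAULT]
service_plugins = router
[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = False
"""


def audit_fwaas_conf(text):
    """Return a list of problems found in a neutron.conf string (empty list = OK)."""
    # strict=False tolerates repeated keys such as several service_provider lines;
    # interpolation=None keeps '%' and '$' in values from being interpreted.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    problems = []

    raw = cfg.defaults().get("service_plugins", "")
    plugins = [p.strip() for p in raw.split(",") if p.strip()]
    if "firewall" not in plugins:
        problems.append("service_plugins does not list 'firewall'")

    if not cfg.has_section("fwaas"):
        problems.append("[fwaas] section missing")
        return problems
    if not cfg.get("fwaas", "driver", fallback="").strip():
        problems.append("[fwaas] driver not set")
    try:
        enabled = cfg.getboolean("fwaas", "enabled", fallback=False)
    except ValueError:  # unparsable value: treat as disabled
        enabled = False
    if not enabled:
        problems.append("[fwaas] enabled is not True")
    return problems
```

To check a real host, pass the contents of the neutron.conf edited above to audit_fwaas_conf and treat any returned entry as a reason not to assume the firewall is active.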
Use FWaaS
Go to the Animbus interface and follow the steps below.
1. Add firewall rules
Click "Firewall" in the left-hand area; the firewall page is then shown in the right-hand area.
Click "Add rule" in the right-hand area and enter the relevant information.
Click "Add".
2. Add a firewall policy
3. Create a firewall
Note the following:
The firewall remains in the PENDING_CREATE state until you create a networking router and attach an interface to it. (You should understand the meaning of this sentence.)
This article is from the "the-way-to-cloud" blog; please be sure to keep this source: http://iceyao.blog.51cto.com/9426658/1561057