OpenStack network: Start using iptables, tables, rules, and chains

Source: Internet
Author: User
Tags: iptables, firewall

This article explains how OpenStack uses iptables tables, chains, and rules to handle networking, much as other systems do. First, though, a look at the structure of iptables, as a foundation for the rest of the article.

The structure of iptables

iptables is a user-space application that lets system administrators configure the tables provided by the Linux kernel firewall; iptables itself applies specifically to IPv4 networks.

A Linux firewall is set up with rules, each of which specifies what to match in a packet and what to do with that packet. A chain is a list of rules.

The predecessor of iptables, ipchains, introduced the concept of a chain of rules; iptables extends this concept with tables. The structure of iptables is therefore: iptables > tables > chains > rules.

iptables has four built-in tables:

  • Filter table: the default table, with the following chains:

    INPUT: for packets arriving at the local server.

    OUTPUT: for packets generated locally and leaving the local server.

    FORWARD: for packets routed through the local server.

  • NAT table (network address translation):

    PREROUTING: for destination NAT, which changes the packet's IP address before routing.

    POSTROUTING: for source NAT, which changes the packet's IP address before routing.

    OUTPUT: NAT for packets generated locally on the firewall.

  • Mangle table: for altering specific packets, with the chains PREROUTING, OUTPUT, FORWARD, INPUT, and POSTROUTING.

  • Raw table: for configuring exemptions from connection tracking, with the chains PREROUTING and OUTPUT.

iptables inside OpenStack

Within OpenStack, iptables chains and rules are found mainly in the Compute module, nova, which is the cloud fabric controller (the main part of an IaaS system), written in Python and making use of many external libraries. This article details the OpenStack components that nova-network's FlatDHCPManager and other networking tasks require.

At startup, OpenStack defines several chains of its own. These chains hook into the built-in Linux chains to form a single chain structure. Another startup task is to define rules for the fixed-IP network range and for the metadata service. After a network is created and put into use, nova-network sets further rules. When an instance (also called a server or VM) is created, nova-compute creates an instance-specific chain and places the rules that govern the instance's connectivity under that chain. Where floating IPs are used, OpenStack also needs some rules to make them work. In addition, OpenStack security groups and their rules are realized as iptables rules.
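As an added example (not code from the article, and not OpenStack's own code), the following POSIX shell script reads an iptables-save style dump as the tables > chains > rules hierarchy described above, counts the rules under a chain, and flags user-defined chains that no rule jumps to, which is the check to run when an instance-specific chain seems to have no effect. The ruleset is constructed; the nova-* chain names, the metadata address and the port numbers are assumptions, not values taken from the article.

```shell
# Added example: walk an iptables-save dump by table > chain > rule and flag
# user-defined chains that no rule ever jumps to. The ruleset is constructed;
# the nova-* chain names and metadata address are assumed, not from the article.
SAMPLE_RULESET='*nat
:PREROUTING ACCEPT [0:0]
:nova-network-PREROUTING - [0:0]
-A PREROUTING -j nova-network-PREROUTING
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1:8775
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nova-compute-inst-42 - [0:0]
:nova-compute-inst-43 - [0:0]
-A FORWARD -j nova-compute-inst-42
-A nova-compute-inst-42 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A nova-compute-inst-42 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-42 -j DROP
-A nova-compute-inst-43 -j DROP
COMMIT'

# rule_count TABLE CHAIN: number of rules appended (-A) to CHAIN within TABLE
rule_count() {
    printf '%s\n' "$SAMPLE_RULESET" | awk -v t="*$1" -v c="$2" '
        $0 == t { inside = 1; next }
        /^\*/   { inside = 0 }
        inside && $1 == "-A" && $2 == c { n++ }
        END { print n + 0 }'
}

# jump_sources TABLE CHAIN: chains in TABLE whose rules jump (-j) to CHAIN
jump_sources() {
    printf '%s\n' "$SAMPLE_RULESET" | awk -v t="*$1" -v c="$2" '
        $0 == t { inside = 1; next }
        /^\*/   { inside = 0 }
        inside && $1 == "-A" { for (i = 3; i < NF; i++) if ($i == "-j" && $(i+1) == c) print $2 }'
}

# orphan_chains TABLE: user-defined chains in TABLE that no rule jumps to;
# packets never reach such a chain, so its rules are silently ineffective.
orphan_chains() {
    printf '%s\n' "$SAMPLE_RULESET" | awk -v t="*$1" '
        $0 == t { inside = 1; next }
        /^\*/   { inside = 0 }
        inside && /^:/ && $2 == "-" { user[substr($1, 2)] = 1 }
        inside && $1 == "-A" { for (i = 3; i < NF; i++) if ($i == "-j") used[$(i+1)] = 1 }
        END { for (ch in user) if (!(ch in used)) print ch }'
}
```

To audit a live host, replace SAMPLE_RULESET with the output of iptables-save and call the functions for each table; an orphaned instance chain means that instance's rules are never evaluated.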

An introduction to OpenStack

OpenStack is a standard cloud operating system for both public and private clouds, developed by a global collaboration of developers and cloud computing technologists, and released as free open source software under the Apache license. Cloud service providers, businesses, and government organizations can use this Apache-licensed software to build scalable cloud environments.

OpenStack currently contains six core software projects:

  • Cloud compute: nova

  • Cloud storage: swift

  • Image service: glance (delivery and registration)

  • Identity service: keystone

  • Dashboard: horizon

  • Network connectivity: quantum

These projects, together with an ecosystem of active technology providers and future projects, provide a pluggable framework and operating system for both public and private clouds.

The Nova project has more than 10 components, 3 of which relate to VM connectivity:

  • nova-api provides the metadata service for VMs.

  • nova-compute sets up the network environment for a VM.

  • nova-network sets up the network environment for the whole cloud, including IP configuration and DHCP setup.
