"Security groups and security group rules allow administrators and tenants the ability to specify the type of traffic and direction (ingress/egress) that is allowed to pass through a port. A security group is a container for security group rules." (quoted from the OpenStack documentation)
In simple technical terms, a security group is a set of iptables rules applied on a virtual machine (VM) port to allow or deny traffic for that particular VM. It is applied per VM.
For example, suppose you have two VMs (VM1, VM2) on the same network in your tenant. You can assign a separate security group to each VM: VM1 allows only ICMP and SSH (security group 1), while VM2 allows ICMP, SSH and HTTP (security group 2).
neutron security-group-create sg3
neutron security-group-rule-list
neutron security-group-rule-delete dc997759-d0e2-4ebe-8d8c-79e2fd457930
neutron security-group-rule-create --direction ingress --protocol icmp --remote-ip-prefix 0.0.0.0/0 sg3
neutron security-group-rule-create --direction egress --protocol icmp --remote-ip-prefix 0.0.0.0/0 sg3
neutron security-group-rule-create --direction ingress --protocol tcp --port-range-min 22 --port-range-max 22 --remote-ip-prefix 0.0.0.0/0 sg3
Security group rules are created as iptables rules.
ubuntu@devstack1:~$ sudo brctl show
bridge name     bridge id               STP enabled     interfaces
qbr240f3f9f-c5  8000.86f7a4cc70e6       no              qvb240f3f9f-c5
                                                        tap240f3f9f-c5
qbr26c77979-ee  8000.6ad177ce5552       no              qvb26c77979-ee
                                                        tap26c77979-ee
sudo iptables -L
The relevant rules are below:
Chain neutron-openvswi-i26c77979-e (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN udp -- 10.0.0.2 anywhere udp spt:bootps udp dpt:bootpc
RETURN icmp -- anywhere anywhere
RETURN tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-openvswi-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */
Chain neutron-openvswi-o26c77979-e (2 references)
target prot opt source destination
RETURN udp -- 0.0.0.0 255.255.255.255 udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-openvswi-s26c77979-e all -- anywhere anywhere
RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP udp -- anywhere anywhere udp spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN icmp -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-openvswi-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */
Note: this has to be verified on the compute server where the VM is deployed.
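To confirm that what Neutron programmed on the compute node actually matches the security group, here is a small added example (not from the original page or from Neutron itself) that parses the text of the per-port ingress chain from `iptables -L` and diffs it against the rules expected for sg3. The sample chain text is constructed from the output above, and the DHCP server address 10.0.0.2 is taken from it.

```python
import re
# Constructed sample: the ingress chain for one VM port, modelled on the
# `iptables -L` output above (rule comments shortened).
SAMPLE_CHAIN = """\
Chain neutron-openvswi-i26c77979-e (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* known session */
RETURN udp -- 10.0.0.2 anywhere udp spt:bootps udp dpt:bootpc
RETURN icmp -- anywhere anywhere
RETURN tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere state INVALID /* no conntrack entry */
neutron-openvswi-sg-fallback all -- anywhere anywhere /* fallback chain */
"""

# iptables prints well-known ports by service name; map the ones we expect.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443, "bootps": 67, "bootpc": 68}

# Ingress rules that sg3 from the page should produce: ICMP and tcp/22 from
# anywhere, plus Neutron's own rule letting the DHCP server (10.0.0.2) reply.
EXPECTED_SG3 = {
    ("icmp", None, "anywhere"),
    ("tcp", 22, "anywhere"),
    ("udp", 68, "10.0.0.2"),
}

def parse_allowed(chain_text):
    """Set of (proto, dport, source) the chain RETURNs, i.e. accepts for new
    traffic. The RELATED,ESTABLISHED conntrack shortcut is bookkeeping, not
    policy, so it is skipped."""
    allowed = set()
    for line in chain_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "RETURN":
            continue
        proto, src = parts[1], parts[3]
        rest = " ".join(parts[5:])
        if "state RELATED,ESTABLISHED" in rest:
            continue
        m = re.search(r"dpt:(\S+)", rest)
        name = m.group(1) if m else None
        dport = SERVICE_PORTS.get(name, int(name) if name and name.isdigit() else name)
        allowed.add((proto, dport, src))
    return allowed

def audit(chain_text, expected):
    """Return (unexpected, missing): rules in the chain that the security group
    does not define, and security group rules absent from the compute node."""
    actual = parse_allowed(chain_text)
    return actual - expected, expected - actual
```

Run `audit(open_chain_text, EXPECTED_SG3)` on the output captured from the compute node; a non-empty first set means the port accepts traffic the security group never granted.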
ubuntu@devstack1:~/devstack$ neutron security-group-create sg3
Created a new security_group:
+----------------------+------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+----------------------+------------------------------------------------------------------------------------------------------------------+
| description | |
| id | a09edf0e-0993-41c6-848d-e370eefff88b |
| name | sg3 |
| security_group_rules | {"remote_group_id": null, "direction": "egress", "protocol": null, "description": "", "ethertype": "IPv4", |
| | "remote_ip_prefix": null, "port_range_max": null, "security_group_id": "a09edf0e-0993-41c6-848d-e370eefff88b", |
| | "port_range_min": null, "tenant_id": "2b935fc82ad3468cb36df6c906dcbccc", "id": "7afc61f8-0142-4beb-900e- |
| | b5341df8f836"} |
| | {"remote_group_id": null, "direction": "egress", "protocol": null, "description": "", "ethertype": "IPv6", |
| | "remote_ip_prefix": null, "port_range_max": null, "security_group_id": "a09edf0e-0993-41c6-848d-e370eefff88b", |
| | "port_range_min": null, "tenant_id": "2b935fc82ad3468cb36df6c906dcbccc", "id": "dc997759-d0e2-4ebe-8d8c- |
| | 79e2fd457930"} |
| tenant_id | 2b935fc82ad3468cb36df6c906dcbccc |
+----------------------+------------------------------------------------------------------------------------------------------------------+
ubuntu@devstack1:~/devstack$ neutron security-group-show sg3
+----------------------+--------------------------------------------------------------------+
| Field | Value |
+----------------------+--------------------------------------------------------------------+
| description | |
| id | a09edf0e-0993-41c6-848d-e370eefff88b |
| name | sg3 |
| security_group_rules | { |
| | "remote_group_id": null, |
| | "direction": "egress", |
| | "protocol": null, |
| | "description": "", |
| | "ethertype": "IPv4", |
| | "remote_ip_prefix": null, |
| | "port_range_max": null, |
| | "security_group_id": "a09edf0e-0993-41c6-848d-e370eefff88b", |
| | "port_range_min": null, |
| | "tenant_id": "2b935fc82ad3468cb36df6c906dcbccc", |
| | "id": "7afc61f8-0142-4beb-900e-b5341df8f836" |
| | } |
| | { |
| | "remote_group_id": null, |
| | "direction": "egress", |
| | "protocol": null, |
| | "description": "", |
| | "ethertype": "IPv6", |
| | "remote_ip_prefix": null, |
| | "port_range_max": null, |
| | "security_group_id": "a09edf0e-0993-41c6-848d-e370eefff88b", |
| | "port_range_min": null, |
| | "tenant_id": "2b935fc82ad3468cb36df6c906dcbccc", |
| | "id": "dc997759-d0e2-4ebe-8d8c-79e2fd457930" |
| | } |
| tenant_id | 2b935fc82ad3468cb36df6c906dcbccc |
+----------------------+--------------------------------------------------------------------+
ubuntu@devstack1:~/devstack$ neutron security-group-rule-list
+--------------------------------------+----------------+-----------+-----------+---------------+------------------+
| id | security_group | direction | ethertype | port/protocol | remote |
+--------------------------------------+----------------+-----------+-----------+---------------+------------------+
| 072aa857-e3a2-4ee6-b6c0-1df9148edc39 | default | egress | IPv4 | any | any |
| 2d70e7eb-9255-4e82-9e1b-14ba4dd3d3b3 | sg2 | ingress | IPv4 | icmp | 0.0.0.0/0 (CIDR) |
| 3cbfb7bf-d065-4d2b-a233-6fb8195f41ce | sg1 | ingress | IPv4 | icmp | 0.0.0.0/0 (CIDR) |
| 47bf2681-a230-4627-9450-e1db16e958b8 | sg2 | egress | IPv4 | icmp | 0.0.0.0/0 (CIDR) |
| 510e1c50-028a-46b3-88e6-9cfcca4b701d | default | ingress | IPv6 | any | default (group) |
| 6eac7054-e497-4924-8085-890f4726fc8c | sg1 | ingress | IPv4 | 22/tcp | 0.0.0.0/0 (CIDR) |
| 7afc61f8-0142-4beb-900e-b5341df8f836 | sg3 | egress | IPv4 | any | any |
| 8862a606-f3f1-4842-be89-fcb8ffbf831a | default | egress | IPv6 | any | any |
| bacfd26d-11b6-431c-a990-2508bc7a5bc5 | sg1 | egress | IPv4 | icmp | 0.0.0.0/0 (CIDR) |
| bbd112d2-05c0-47d5-975e-765b0cfcf9a1 | default | ingress | IPv4 | any | default (group) |
| dc997759-d0e2-4ebe-8d8c-79e2fd457930 | sg3 | egress | IPv6 | any | any |
+--------------------------------------+----------------+-----------+-----------+---------------+------------------+
ubuntu@devstack1:~/devstack$
ubuntu@devstack1:~/devstack$ neutron security-group-rule-delete 7afc61f8-0142-4beb-900e-b5341df8f836
Deleted security_group_rule: 7afc61f8-0142-4beb-900e-b5341df8f836
ubuntu@devstack1:~/devstack$ neutron security-group-rule-delete dc997759-d0e2-4ebe-8d8c-79e2fd457930
Deleted security_group_rule: dc997759-d0e2-4ebe-8d8c-79e2fd457930
ubuntu@devstack1:~/devstack$ neutron security-group-show sg3
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| description | |
| id | a09edf0e-0993-41c6-848d-e370eefff88b |
| name | sg3 |
| security_group_rules | |
| tenant_id | 2b935fc82ad3468cb36df6c906dcbccc |
+----------------------+--------------------------------------+
ubuntu@devstack1:~/devstack$
ubuntu@devstack1:~/devstack$ neutron security-group-rule-create --direction ingress --protocol icmp --remote-ip-prefix 0.0.0.0/0 sg3
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| description | |
| direction | ingress |
| ethertype | IPv4 |
| id | 959f3eef-afc4-40fb-9e7b-b470f95419d5 |
| port_range_max | |
| port_range_min | |
| protocol | icmp |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| security_group_id | a09edf0e-0993-41c6-848d-e370eefff88b |
| tenant_id | 2b935fc82ad3468cb36df6c906dcbccc |
+-------------------+--------------------------------------+
ubuntu@devstack1:~/devstack$ neutron security-group-rule-create --direction egress --protocol icmp --remote-ip-prefix 0.0.0.0/0 sg3
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| description | |
| direction | egress |
| ethertype | IPv4 |
| id | a64a6660-5697-45b9-811e-3dc709ae416d |
| port_range_max | |
| port_range_min | |
| protocol | icmp |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| security_group_id | a09edf0e-0993-41c6-848d-e370eefff88b |
| tenant_id | 2b935fc82ad3468cb36df6c906dcbccc |
+-------------------+--------------------------------------+
ubuntu@devstack1:~/devstack$
ubuntu@devstack1:~/devstack$ neutron security-group-rule-create --direction ingress --protocol tcp --port-range-min 22 --port-range-max 22 --remote-ip-prefix 0.0.0.0/0 sg3
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| description | |
| direction | ingress |
| ethertype | IPv4 |
| id | 159118e2-dd81-4f9f-bd4d-b18a636c1e00 |
| port_range_max | 22 |
| port_range_min | 22 |
| protocol | tcp |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| security_group_id | a09edf0e-0993-41c6-848d-e370eefff88b |
| tenant_id | 2b935fc82ad3468cb36df6c906dcbccc |
+-------------------+--------------------------------------+