<?xml version="1.0" encoding="UTF-8"?><chapter xmlns:db="http://docbook.org/ns/docbook" xmlns="http://docbook.org/ns/docbook" xml:id="Security-d1e2500" version="5.0" xml:base="Security.xml">
<title>Security</title>
<section xml:id="Security_Overview-d1e2505">
<title>Security Overview</title>
<para>OpenStack provides ingress filtering for instances based on the concept of security groups, which it implements as iptables rules on the compute host. A security group is a named set of rules applied to packets arriving at an instance. You specify a security group when launching an instance; each group can hold multiple rules, and each rule specifies the source IP address or network (CIDR), the protocol, and the destination port or port range. A packet matching any rule in the group is allowed in; all other incoming packets are dropped.</para>
<para>A security group with no rules blocks all incoming traffic. The mechanism provides only ingress filtering and no egress filtering, so all outbound traffic from an instance is allowed. If you need egress filtering, you will need to implement it inside the instance with a host firewall such as iptables.</para>
<para>Tools like Hybridfox let you manage security groups and specify one while launching an instance. You can also use the command-line tools from the euca2ools package, such as euca-authorize, for this purpose.</para>
<para>Here are a few euca commands for managing security groups. As in the earlier chapters, the project name is "proj".</para>
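<para>As an added example (not part of the original text), the following POSIX shell function builds such an in-instance egress ruleset in iptables-restore format: outbound traffic is dropped by default, with exceptions for loopback, already-established flows, DNS to a single resolver, NTP, and HTTP to a single package mirror. The resolver address 10.0.0.2 and the mirror address 192.168.1.10 are assumptions chosen for illustration; pass your own as arguments.</para>
<programlisting><![CDATA[
```sh
# Added example, not from the original page: generate a default-deny egress
# ruleset for use inside an instance, in iptables-restore format.
# The destinations (resolver 10.0.0.2, apt mirror 192.168.1.10) are
# assumptions for illustration; override them with the two arguments.
# Apply on the instance with:
#   gen_egress_rules 10.0.0.2 192.168.1.10 | sudo iptables-restore
gen_egress_rules() {
    dns="${1:-10.0.0.2}"
    mirror="${2:-192.168.1.10}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
# loopback, and replies to connections the security group already admitted (e.g. SSH, RDP)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# name resolution against the trusted resolver only
-A OUTPUT -p udp -d ${dns} --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d ${dns} --dport 53 -j ACCEPT
# time sync
-A OUTPUT -p udp --dport 123 -j ACCEPT
# package updates only from the internal mirror
-A OUTPUT -p tcp -d ${mirror} --dport 80 -j ACCEPT
# log anything else (rate-limited) before the chain policy drops it
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
COMMIT
EOF
}

# Dry run: print the ruleset so it can be reviewed before loading it
gen_egress_rules "$@"
```
]]></programlisting>
<para>Review the printed ruleset, then load it with gen_egress_rules 10.0.0.2 192.168.1.10 | sudo iptables-restore. The ESTABLISHED,RELATED rule is what keeps the SSH and RDP sessions admitted by the security group working once the OUTPUT policy is DROP; the LOG rule makes it obvious which legitimate outbound flow you forgot when something breaks.</para>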

<para>Create a security group named "myservers".</para>
<programlisting> 
euca-add-group -d "My Servers" myservers
</programlisting>

<para>Add rules to the security group "myservers" allowing SSH (TCP port 22) and ICMP traffic from 192.168.1.1. The -t -1:-1 argument matches every ICMP type and code.</para>
<programlisting>
euca-authorize -P tcp -s 192.168.1.1 -p 22 myservers
euca-authorize -P icmp -s 192.168.1.1 -t -1:-1 myservers
</programlisting>

<para>For a Windows instance, add a rule to accept incoming RDP connections (TCP port 3389).</para>
<programlisting>
euca-authorize -P tcp -s 192.168.1.1 -p 3389 myservers
</programlisting>

<para>Rules can be viewed with the euca-describe-groups command.</para>
<programlisting>
$ euca-describe-groups
GROUP    proj   myservers    My Servers
PERMISSION    proj    myservers    ALLOWS    tcp    22    22    FROM    CIDR 192.168.1.1
PERMISSION    proj   myservers    ALLOWS    icmp    -1    -1    FROM    CIDR   192.168.1.1
PERMISSION    proj    myservers    ALLOWS    tcp    3389   3389    FROM    CIDR 192.168.1.1
</programlisting>
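<para>The describe-groups listing is the natural place to audit what a project has actually opened. As an added example (not from the original text), the following POSIX shell function reads euca-describe-groups output on standard input and flags rules open to 0.0.0.0/0 or spanning wide TCP port ranges; the sample listing embedded in it is constructed for the example and deliberately includes a world-open SSH rule, a 1-65535 range, and a world-open ICMP rule on "default".</para>
<programlisting><![CDATA[
```sh
# Added example, not from the original page: audit euca-describe-groups
# output for rules that expose management ports to the whole Internet or
# open wide port ranges. Reads the listing on stdin, prints one line per
# finding, and returns non-zero when anything was flagged.
audit_groups() {
    n=0
    # Field layout: PERMISSION project group ALLOWS proto from to FROM CIDR cidr
    while read -r kind proj group verb proto from to from_kw cidr_kw cidr; do
        [ "$kind" = "PERMISSION" ] && [ "$verb" = "ALLOWS" ] || continue
        if [ "$cidr" = "0.0.0.0/0" ]; then
            if [ "$proto" = "tcp" ] && [ "$from" -le 22 ] && [ "$to" -ge 22 ]; then
                reason="ssh open to world"
            elif [ "$proto" = "tcp" ] && [ "$from" -le 3389 ] && [ "$to" -ge 3389 ]; then
                reason="rdp open to world"
            elif [ "$from" -eq -1 ] || { [ "$from" -eq 1 ] && [ "$to" -eq 65535 ]; }; then
                reason="all $proto open to world"
            else
                reason="$proto $from-$to open to world"
            fi
            echo "$proj/$group: $proto $from-$to from $cidr ($reason)"
            n=$((n + 1))
        elif [ "$proto" = "tcp" ] && [ "$from" != "$to" ]; then
            # A specific source CIDR still should not get a whole port range
            echo "$proj/$group: $proto $from-$to from $cidr (wide port range)"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Constructed sample in the format euca-describe-groups prints; the second,
# third and last PERMISSION lines are the ones a reviewer should catch.
SAMPLE='GROUP    proj   myservers    My Servers
PERMISSION    proj    myservers    ALLOWS    tcp    22    22    FROM    CIDR 192.168.1.1/32
PERMISSION    proj    myservers    ALLOWS    tcp    22    22    FROM    CIDR 0.0.0.0/0
PERMISSION    proj    myservers    ALLOWS    tcp    1    65535    FROM    CIDR 10.0.0.0/8
PERMISSION    proj    default    ALLOWS    icmp    -1    -1    FROM    CIDR 0.0.0.0/0'

# Number of findings for the constructed sample
count_findings() {
    printf '%s\n' "$SAMPLE" | audit_groups | wc -l | tr -d ' '
}

# Run against the sample; on a real deployment pipe the live listing instead:
#   euca-describe-groups | audit_groups
printf '%s\n' "$SAMPLE" | audit_groups
```
]]></programlisting>
<para>Against the constructed sample the function reports three findings and exits non-zero, so it can gate a deployment script; the rule from 192.168.1.1/32 on port 22 alone is exactly the kind of narrow rule that passes.</para>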

<para>Remove the rule allowing SSH traffic from the source IP 192.168.1.1 from the security group "myservers".</para>
<programlisting>
euca-revoke -P tcp -s 192.168.1.1 -p 22 myservers
</programlisting>

<para>Delete the security group "myservers".</para>
<programlisting>
euca-delete-group myservers
</programlisting>

<para>Launch an instance associated with the security group "myservers".</para>
<programlisting>
euca-run-instances ami-XXXXXXXX -k mykey -g myservers
</programlisting>

<para>When you do not specify a security group, the instance is associated with a built-in security group called "default". The rules of this group can also be modified with the euca-authorize and euca-revoke commands. Keep in mind that "default" is shared by every instance in the project launched without an explicit group, so a rule added to it is far wider in effect than one added to a purpose-specific group.</para>
</section>
</chapter>