日志
OpenStack中给实例的fixed和float Ip 设置iptables策略
fixed ip策略
例如instances-00000032这个实例
instances_gateway='10.0.0.2'
fixed_range='10.0.0.0/24'
instance_fixed_ip='10.0.0.3'
#nova-compute-inst-32的'32'等于instances-00000032中的'32'
iptables -t filter -N nova-compute-inst-32
iptables -t filter -A nova-compute-inst-32 -m state --state INVALID -j DROP
iptables -t filter -A nova-compute-inst-32 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A nova-compute-inst-32 -j nova-compute-provider
iptables -t filter -A nova-compute-inst-32 -s $instances_gateway/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
iptables -t filter -A nova-compute-inst-32 -s $fixed_range -j ACCEPT
iptables -t filter -A nova-compute-inst-32 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -t filter -A nova-compute-inst-32 -p icmp -j ACCEPT
iptables -t filter -A nova-compute-inst-32 -j nova-compute-sg-fallback
iptables -t filter -A nova-compute-local -d $instance_fixed_ip/32 -j nova-compute-inst-32
floating ip策略
publicinterface='eth1'
instancefloatip='192.168.23.182'
ip addr add $instancefloatip/32 dev $publicinterface
iptables -t nat -A nova-network-OUTPUT -d $instancefloatip/32 -j DNAT --to-destination $instancefixedip
iptables -t nat -A nova-network-PREROUTING -d $instancefloatip/32 -j DNAT --to-destination $instancefixedip
iptables -t nat -A nova-network-float-snat -s $instancefloatip/32 -j SNAT --to-source $instancefloatip
记得保存规则
# /etc/init.d/iptables save
/2 
