Filtering access with “Security Groups”
Note
“Security Groups” in OpenStack are IP filters that can be applied to one or more instances, up to all the instances in a project. A security group called default is created in each project and applies to all of that project's instances. By default a number of standard rules that are not visible to users, such as one allowing ping, plus other rules specific to the DC network, are added to facilitate some generic access.
Display help
% openstack help security group
Command "security" matches:
security group create
security group delete
security group list
security group rule create
security group rule delete
security group rule list
security group rule show
security group set
security group show
Create a security group
% openstack security group create --description "My security group" my_secgroup
Add rules
Add a rule that allows SSH from a single machine, for example one with IP address 192.168.1.100:
% openstack security group rule create --remote-ip 192.168.1.100/32 --protocol tcp --dst-port 22 my_secgroup
Add a rule that allows SSH from a whole network, for example 192.168.1.0/24:
% openstack security group rule create --remote-ip 192.168.1.0/24 --protocol tcp --dst-port 22 my_secgroup
List the security group rules
% openstack security group rule list --long my_secgroup
+--------------------------------------+-------------+-------------------+------------+-----------+-----------+-----------------------+
| ID                                   | IP Protocol | IP Range          | Port Range | Direction | Ethertype | Remote Security Group |
+--------------------------------------+-------------+-------------------+------------+-----------+-----------+-----------------------+
| 154b4191-c1e6-4d23-9bfa-6455b4fff87a | tcp         | 192.168.1.100/32  | 22:22      | ingress   | IPv4      | None                  |
| 3a5184cb-965c-4f0e-9e56-5738337709dc | None        | None              |            | egress    | IPv6      | None                  |
| d21613f1-7a0a-4357-a051-8ee705d596fe | None        | None              |            | egress    | IPv4      | None                  |
+--------------------------------------+-------------+-------------------+------------+-----------+-----------+-----------------------+
Add the security group to a VM
% openstack server add security group my_vm my_secgroup
Delete a rule
% openstack security group rule delete 154b4191-c1e6-4d23-9bfa-6455b4fff87a
Important
It is possible to delete a rule but it is not possible to modify it.
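Because a rule can only be deleted and recreated, the practical workflow is to list the group's rules, pick out the ones that are wider than intended, and delete them by ID. The following added example (not part of the original page) does that review step offline: it parses a constructed sample shaped like the JSON output of the listing command above (`-f json`, keys named after the columns shown in the table; the rule IDs are made up) and returns the IDs of ingress rules that admit any source address on SSH or RDP, or on all ports.

```python
import ipaddress
import json

# Constructed sample shaped like `openstack security group rule list --long -f json my_secgroup`.
# Keys follow the column names shown on this page; the IDs are placeholders.
SAMPLE_RULES_JSON = """[
 {"ID": "154b4191-c1e6-4d23-9bfa-6455b4fff87a", "IP Protocol": "tcp", "IP Range": "192.168.1.100/32",
  "Port Range": "22:22", "Direction": "ingress", "Ethertype": "IPv4", "Remote Security Group": null},
 {"ID": "00000000-0000-0000-0000-000000000001", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0",
  "Port Range": "22:22", "Direction": "ingress", "Ethertype": "IPv4", "Remote Security Group": null},
 {"ID": "00000000-0000-0000-0000-000000000002", "IP Protocol": null, "IP Range": null,
  "Port Range": "", "Direction": "ingress", "Ethertype": "IPv6", "Remote Security Group": null},
 {"ID": "3a5184cb-965c-4f0e-9e56-5738337709dc", "IP Protocol": null, "IP Range": null,
  "Port Range": "", "Direction": "egress", "Ethertype": "IPv6", "Remote Security Group": null}
]"""


def port_range(rule):
    """Return (low, high) from the 'Port Range' column, or None when the rule covers all ports."""
    text = rule.get("Port Range") or ""
    if not text:
        return None
    low, _, high = text.partition(":")
    return int(low), int(high or low)


def is_world_open(rule):
    """True when the remote side is any address: no prefix at all, or a prefix of length 0."""
    if rule.get("Remote Security Group"):
        return False  # scoped to members of another group, not to arbitrary addresses
    prefix = rule.get("IP Range")
    return prefix is None or ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def risky_ingress_rules(rules_json, watch_ports=(22, 3389)):
    """IDs of ingress rules reachable from anywhere that cover a watched port (or all ports).
    Since rules cannot be edited, these are the IDs to delete and recreate with a narrower source."""
    flagged = []
    for rule in json.loads(rules_json):
        if rule.get("Direction") != "ingress" or not is_world_open(rule):
            continue
        pr = port_range(rule)
        if pr is None or any(pr[0] <= p <= pr[1] for p in watch_ports):
            flagged.append(rule["ID"])
    return flagged


if __name__ == "__main__":
    for rule_id in risky_ingress_rules(SAMPLE_RULES_JSON):
        print("openstack security group rule delete", rule_id)
```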