Security Group Rule Management
Security group rules define which traffic is allowed to reach instances assigned to the security group. A security group rule consists of three main parts:

Rule: choose a rule template or define a custom rule; the custom options are Custom TCP Rule, Custom UDP Rule, or Custom ICMP Rule.

Open Port/Port Range: for TCP and UDP rules you may open either a single port or a range of ports. Selecting the "Port Range" option gives you fields for both the starting and ending ports of the range. For ICMP rules you instead specify an ICMP type and code in the fields provided.

Remote: you must specify the source of the traffic to be allowed by this rule, either as an IP address block (CIDR) or as a source group (Security Group). Selecting a security group as the source allows any instance in that security group to reach any instance in this security group via this rule.
Add rule

Web Interface

1. In the Web Interface (https://openstack.stfc.ac.uk/auth/login/?next=/) go to Network -> Security Groups, select the security group you wish to edit and click MANAGE RULES.
2. Click ADD RULE.
3. Input the following:
   - Rule: TCP, UDP or ICMP
   - Direction: Ingress or Egress
   - Open Port: Port or Port Range
     - Port: the port number
     - You will see From port and To port fields if you selected PORT RANGE
   - Remote (Source IP): CIDR or SECURITY GROUP
     - CIDR: input the IP range
     - SECURITY GROUP: select the security group
4. Click ADD.
Command-Line
Check existing security group
$ openstack security group list
+--------------------------------------+-------------------------+----------------------------------------------+----------------------------------+------+
| ID | Name | Description | Project | Tags |
+--------------------------------------+-------------------------+----------------------------------------------+----------------------------------+------+
| c7e90937-af11-484c-8a21-90bea10e1407 | 1-group-rule-management | | 80ab2bd11e5f46bf96bf47658d07499d | [] |
+--------------------------------------+-------------------------+----------------------------------------------+----------------------------------+------+
Check existing rules in a security group
$ openstack security group rule list 1-group-rule-management
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 33cd09ee-0e9b-4ce3-b028-7e24f9604431 | None | IPv6 | ::/0 | | egress | None | None |
| 7969c6ae-dec0-4071-935e-6a81e7d8ec5c | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
Create security group rule
Argument | Description | Example |
---|---|---|
<security-group-name> | Name of the security group | 1-group-rule-management |
<rule> | The protocol: TCP, UDP or ICMP | tcp |
<port-range> | The range of ports to apply the rule to: from_port:to_port | 89:90 |
<ip-range> | The source IP range for the rule | 0.0.0.0/0 |
<source-security-group> | Name of the source security group | 9200-Elastic-Search |
[--ingress \| --egress] | Ingress rule or egress rule (default is --ingress) | --ingress |
Based on traffic source IP:

$ openstack security group rule create <security-group-name> --protocol <rule> --dst-port <port-range> --remote-ip <ip-range> [--ingress | --egress]

Example:

$ openstack security group rule create 1-group-rule-management --protocol tcp --dst-port 89:90 --remote-ip 0.0.0.0/0
$ openstack security group rule list 1-group-rule-management
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 33cd09ee-0e9b-4ce3-b028-7e24f9604431 | None | IPv6 | ::/0 | | egress | None | None |
| 7969c6ae-dec0-4071-935e-6a81e7d8ec5c | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
| 7f4e2c68-a369-4be8-8491-561cccffc90c | tcp | IPv4 | 0.0.0.0/0 | 89:90 | ingress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
Based on source security group:
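The page does not show the command for the source-security-group case, so here is an added example (not part of the STFC documentation) that builds it. It assumes the `--remote-group` option of `openstack security group rule create` (a standard option of the openstack CLI, not quoted on this page), validates the protocol, port range and direction before anything is sent to the cloud, and uses an `OPENSTACK_CMD` variable (an assumption of this example) that defaults to `echo` so the command is printed rather than executed; the function and variable names are this example's own.

```shell
# Added example: create a rule whose traffic source is another security group.
# OPENSTACK_CMD defaults to `echo` (dry run that prints the command);
# run with OPENSTACK_CMD=openstack to actually create the rule.
OPENSTACK_CMD="${OPENSTACK_CMD:-echo}"

# True if $1 is an integer in 1..65535.
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# usage: sg_rule_create_from_group <security-group> <tcp|udp> <from_port> <to_port> \
#            <source-security-group> [ingress|egress]
# The direction defaults to ingress, as the CLI does.
sg_rule_create_from_group() {
  group=$1
  proto=$2
  from=$3
  to=$4
  src_group=$5
  direction=${6:-ingress}

  if [ -z "$group" ] || [ -z "$src_group" ]; then
    echo "security group and source security group are required" >&2
    return 2
  fi
  case "$proto" in
    tcp|udp) ;;
    *) echo "protocol must be tcp or udp (this helper does not build ICMP rules)" >&2; return 2 ;;
  esac
  # Reject non-numeric ports, ports outside 1..65535 and reversed ranges
  # before the CLI is invoked.
  if ! is_port "$from" || ! is_port "$to" || [ "$from" -gt "$to" ]; then
    echo "bad port range $from:$to" >&2
    return 2
  fi
  case "$direction" in
    ingress|egress) ;;
    *) echo "direction must be ingress or egress" >&2; return 2 ;;
  esac

  # --remote-group takes the place of --remote-ip: only members of the
  # source security group are allowed through this rule.
  "$OPENSTACK_CMD" security group rule create "$group" \
    --protocol "$proto" --dst-port "$from:$to" \
    --remote-group "$src_group" "--$direction"
}

# Dry run using the group names from the page's argument table.
sg_rule_create_from_group 1-group-rule-management tcp 9200 9200 9200-Elastic-Search
```

With `OPENSTACK_CMD=openstack` the same call submits the rule; afterwards `openstack security group rule list 1-group-rule-management` shows it with the source group's ID in the Remote Security Group column instead of a CIDR in IP Range.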
Delete Rules

Web Interface

1. In the Web Interface (https://openstack.stfc.ac.uk/auth/login/?next=/) go to Network -> Security Groups, select the security group you wish to edit and click MANAGE RULES.
2. Click DELETE RULE next to the rule you want to remove.
3. Click DELETE RULES to confirm the deletion.
Command-line
Get the security group name and the ID of the rule
Run
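The rule listing under "Check existing rules in a security group" and the delete step above, combined in an added example that is not part of the STFC documentation: it reads the table printed by `openstack security group rule list <group>`, reports every ingress rule whose source is the whole Internet (0.0.0.0/0 or ::/0, with no remote security group), and revokes those rules with `openstack security group rule delete <rule-id>` (the CLI's standard delete subcommand, not quoted on this page). The sample listing is constructed: its first three rows are the page's own output and the `constructed-*` rows are made up to exercise the cases that must and must not be flagged. `OPENSTACK_CMD`, `find_open_ingress` and `revoke_rules` are this example's own names; the default `OPENSTACK_CMD=echo` makes the run a dry run.

```shell
# Added example: audit a security group's rule listing for world-open ingress
# rules and revoke them. Defaults to a dry run (prints the delete commands);
# run with OPENSTACK_CMD=openstack to apply the deletions.
OPENSTACK_CMD="${OPENSTACK_CMD:-echo}"

# Reads the table printed by `openstack security group rule list <group>` on
# stdin and prints "<rule-id> <protocol> <ports>" for every ingress rule whose
# IP Range is 0.0.0.0/0 or ::/0 and which is not limited to a remote security group.
find_open_ingress() {
  awk -F'|' '
    NF < 9 { next }                       # +----+ border rows and blank lines
    {
      for (i = 1; i <= NF; i++) {         # trim the padding around each cell
        sub(/^[ \t]+/, "", $i)
        sub(/[ \t]+$/, "", $i)
      }
      # $2=ID $3=IP Protocol $5=IP Range $6=Port Range $7=Direction $8=Remote Security Group
      if ($2 == "ID" || $7 != "ingress" || $8 != "None") next
      if ($5 == "0.0.0.0/0" || $5 == "::/0") {
        proto = ($3 == "None") ? "any" : $3
        ports = ($6 == "") ? "all" : $6
        print $2, proto, ports
      }
    }'
}

# Reads lines whose first word is a rule ID and deletes each rule.
revoke_rules() {
  while read -r rule_id rest; do
    [ -n "$rule_id" ] || continue
    "$OPENSTACK_CMD" security group rule delete "$rule_id"
  done
}

# Constructed sample listing (first three rows are from the page; the
# constructed-* rows are made up: a specific CIDR and a source-group rule that
# must not be flagged, and an all-protocol world-open rule that must be).
SAMPLE_RULES=$(cat <<'EOF'
+--------------------------------------+-------------+-----------+-------------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range    | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-------------+------------+-----------+-----------------------+----------------------+
| 33cd09ee-0e9b-4ce3-b028-7e24f9604431 | None        | IPv6      | ::/0        |            | egress    | None                  | None                 |
| 7969c6ae-dec0-4071-935e-6a81e7d8ec5c | None        | IPv4      | 0.0.0.0/0   |            | egress    | None                  | None                 |
| 7f4e2c68-a369-4be8-8491-561cccffc90c | tcp         | IPv4      | 0.0.0.0/0   | 89:90      | ingress   | None                  | None                 |
| constructed-rule-0001                | tcp         | IPv4      | 10.0.0.0/24 | 22:22      | ingress   | None                  | None                 |
| constructed-rule-0002                | tcp         | IPv4      | 0.0.0.0/0   | 9200:9200  | ingress   | constructed-sg-id     | None                 |
| constructed-rule-0003                | None        | IPv4      | 0.0.0.0/0   |            | ingress   | None                  | None                 |
+--------------------------------------+-------------+-----------+-------------+------------+-----------+-----------------------+----------------------+
EOF
)

# Dry run over the sample. Against a real group, pipe the live listing instead:
#   openstack security group rule list 1-group-rule-management | find_open_ingress | revoke_rules
printf '%s\n' "$SAMPLE_RULES" | find_open_ingress | revoke_rules
```

Review the `find_open_ingress` output on its own before piping it into `revoke_rules`: a world-open rule on a public web port may be intended, while the same rule on a database or management port usually is not.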