OpenStack neutron-fwaas: how the firewall is implemented with iptables, in detail

While working with neutron-fwaas I noticed an interesting phenomenon.

When I added a rule allowing packets with destination IP 114.114.114.114 through the firewall, the internal virtual machines could ping 114.114.114.114.

But thinking about it more carefully, shouldn't that be a problem? Even if the internal ping packets to 114.114.114.114 are allowed through the firewall, the packets that 114.114.114.114 sends back still should not be able to get through.

So I looked at how iptables changed, to see exactly which rules were added that let the return packets through.

The changes to iptables after adding this rule and creating the firewall (shown in blue in the original screenshot) reveal that several custom chains were added to the FORWARD chain of the filter table.

Let's look at what the filter table looks like in detail:

ip netns exec qrouter-b83802c4-801a-4ff1-b8c7-8c585ed25669 iptables -t filter -nL

Output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-l3-agent-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
neutron-l3-agent-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
neutron-l3-agent-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain neutron-filter-top (2 references)
target     prot opt source               destination         
neutron-l3-agent-local  all  --  0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-FORWARD (1 references)
target     prot opt source               destination         
neutron-l3-agent-scope  all  --  0.0.0.0/0            0.0.0.0/0           
neutron-l3-agent-iv45f2bd4c9  all  --  0.0.0.0/0            0.0.0.0/0           
neutron-l3-agent-ov45f2bd4c9  all  --  0.0.0.0/0            0.0.0.0/0           
neutron-l3-agent-fwaas-defau  all  --  0.0.0.0/0            0.0.0.0/0           
neutron-l3-agent-fwaas-defau  all  --  0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x1/0xffff
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
target     prot opt source               destination         

Chain neutron-l3-agent-fwaas-defau (2 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-iv45f2bd4c9 (1 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            114.114.114.114     

Chain neutron-l3-agent-local (1 references)
target     prot opt source               destination         

Chain neutron-l3-agent-ov45f2bd4c9 (1 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            114.114.114.114     

Chain neutron-l3-agent-scope (1 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            mark match ! 0x4000000/0xffff0000
DROP       all  --  0.0.0.0/0            0.0.0.0/0            mark match ! 0x4000000/0xffff0000

Several custom chains were added to the FORWARD chain of the filter table; the important ones are the following:

Chain neutron-l3-agent-iv45f2bd4c9 (1 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            114.114.114.114     

Chain neutron-l3-agent-local (1 references)
target     prot opt source               destination         

Chain neutron-l3-agent-ov45f2bd4c9 (1 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            114.114.114.114    

Notice the use of state here: this match accepts packets in state ESTABLISHED or RELATED. What does that mean? When the local host pings 114.114.114.114, every subsequent packet received from 114.114.114.114 belongs to that same connection and is in state ESTABLISHED, so it is accepted directly. This avoids having to add a second rule allowing packets with source IP 114.114.114.114.

This can be verified:

ip netns exec qrouter-b83802c4-801a-4ff1-b8c7-8c585ed25669 iptables -t filter -D neutron-l3-agent-ov45f2bd4c9 2

After deleting the state RELATED,ESTABLISHED rule (rule 2 in that chain), the ping no longer works.
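As an added example (not part of the original post), here is a small Python script that parses `iptables -t filter -nL` style output and reports, for each chain, whether return traffic is accepted through a RELATED,ESTABLISHED state match. This is the check to run after changing FWaaS rules: if a chain loses its state rule, every reverse flow now needs an explicit rule of its own. The sample text is constructed from the chains above, with the ov chain shown as it looks after the `-D ... 2` command has removed rule 2, so the script flags that chain as no longer accepting return traffic.

```python
"""Added example (not from the original post): parse `iptables -t filter -nL`
output and check, per chain, whether return traffic is accepted by conntrack
state rather than by an explicit reverse rule."""
import re
from dataclasses import dataclass

# Constructed sample based on the chains in the post. The ov chain is shown
# after rule 2 (state RELATED,ESTABLISHED) has been deleted.
SAMPLE = """\
Chain neutron-l3-agent-iv45f2bd4c9 (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            114.114.114.114

Chain neutron-l3-agent-ov45f2bd4c9 (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     icmp --  0.0.0.0/0            114.114.114.114

Chain neutron-l3-agent-fwaas-defau (2 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    target: str
    prot: str
    source: str
    destination: str
    extra: str  # trailing match text, e.g. "state RELATED,ESTABLISHED"


def parse_chains(text):
    """Return {chain name: [Rule, ...]} from `iptables -nL` output."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        # skip blank lines, the column header, and anything before the first chain
        if current is None or not line.strip() or line.startswith("target"):
            continue
        # columns: target prot opt source destination [extra match text]
        parts = line.split(None, 5)
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5].strip() if len(parts) > 5 else ""
        chains[current].append(Rule(target, prot, src, dst, extra))
    return chains


def accepts_established(rules):
    """True if some rule ACCEPTs packets in conntrack state ESTABLISHED.

    Matches both the legacy "state ..." and the "ctstate ..." spelling that
    newer iptables front ends print."""
    for r in rules:
        m = re.search(r"\b(?:ct)?state (\S+)", r.extra)
        if r.target == "ACCEPT" and m and "ESTABLISHED" in m.group(1).split(","):
            return True
    return False


def audit(text):
    """Map each chain name to whether it accepts return traffic by state."""
    return {name: accepts_established(rules)
            for name, rules in parse_chains(text).items()}


if __name__ == "__main__":
    for chain, ok in audit(SAMPLE).items():
        print(f"{chain}: {'accepts return traffic by state' if ok else 'NO state rule'}")
```

On a real router namespace, feed the script the output of `ip netns exec qrouter-<id> iptables -t filter -nL` instead of SAMPLE; a chain reported without a state rule will behave exactly as the post describes after the `-D` command, passing outbound pings but dropping the replies.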

2. Understanding RELATED and ESTABLISHED

I was asked about this in an interview and was stumped at the time. Afterwards I googled it, and a good way to understand it is the following:

Consider a NEW packet a telephone call before the receiver has picked up. An ESTABLISHED packet is their, "Hello." And a RELATED packet would be if you were calling to tell them about an e-mail you were about to send them. (The e-mail being RELATED.)

In case my analogy isn't so great, I personally think the man page handles it well:

NEW -- meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and

ESTABLISHED -- meaning that the packet is associated with a connection which has seen packets in both directions,

RELATED -- meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

NEW corresponds to the first packet sent by the client; ESTABLISHED means the client has sent a packet to the server and the server has responded normally. This is not limited to TCP: ICMP and UDP are tracked the same way.
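To make the four states concrete, here is an added example (not part of the original post) that models, in simplified form, how conntrack classifies packets in the post's own scenario: a VM at a constructed address 10.0.0.5 pinging 114.114.114.114 through the router. The ICMP echo id, the UDP flow and the address 192.0.2.1 used for the ICMP error are all constructed; real conntrack additionally tracks timeouts, TCP state and per-protocol details that this model leaves out.

```python
"""Added example (not part of the original post): a simplified model of how
conntrack assigns NEW / ESTABLISHED / RELATED / INVALID, using the post's
ping scenario. All packets below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "icmp" or "udp"
    ident: int          # ICMP echo id, or UDP destination port, as the flow key
    kind: str = "data"  # "echo-request", "echo-reply", "data", "icmp-error"
    inner: "Packet | None" = None  # for icmp-error: the quoted original packet


class ConntrackModel:
    def __init__(self):
        # flow key (src, dst, proto, ident) -> True once packets were seen in both directions
        self.flows = {}

    @staticmethod
    def _key(p):
        return (p.src, p.dst, p.proto, p.ident)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.src, p.proto, p.ident)

    def classify(self, p):
        """Return the conntrack state for p and update the flow table."""
        if p.kind == "icmp-error":
            # An ICMP error is RELATED when the packet it quotes belongs to a
            # tracked flow (in either direction); otherwise it is INVALID.
            if p.inner is not None and (self._key(p.inner) in self.flows
                                        or self._reverse(p.inner) in self.flows):
                return "RELATED"
            return "INVALID"
        k, rk = self._key(p), self._reverse(p)
        if rk in self.flows:
            # reply direction of a tracked flow: both directions now seen
            self.flows[rk] = True
            return "ESTABLISHED"
        if k in self.flows:
            # same direction again: NEW until a reply has been seen
            return "ESTABLISHED" if self.flows[k] else "NEW"
        if p.kind == "echo-reply":
            # a reply with no matching request cannot start a conversation
            return "INVALID"
        self.flows[k] = False
        return "NEW"


def ping_scenario():
    """VM pings 114.114.114.114 twice; returns the state of each packet in order."""
    ct = ConntrackModel()
    req = Packet("10.0.0.5", "114.114.114.114", "icmp", 0x1234, "echo-request")
    rep = Packet("114.114.114.114", "10.0.0.5", "icmp", 0x1234, "echo-reply")
    return [ct.classify(req), ct.classify(rep), ct.classify(req), ct.classify(rep)]


def related_error_scenario():
    """A UDP query goes out; an ICMP error quoting it comes back from a router."""
    ct = ConntrackModel()
    query = Packet("10.0.0.5", "114.114.114.114", "udp", 53)
    ct.classify(query)
    err = Packet("192.0.2.1", "10.0.0.5", "icmp", 0, "icmp-error", inner=query)
    return ct.classify(err)


def unsolicited_reply_scenario():
    """An echo reply arrives for which no request was ever tracked."""
    ct = ConntrackModel()
    stray = Packet("114.114.114.114", "10.0.0.5", "icmp", 0x9999, "echo-reply")
    return ct.classify(stray)


if __name__ == "__main__":
    print("ping:", ping_scenario())
    print("icmp error:", related_error_scenario())
    print("stray reply:", unsolicited_reply_scenario())
```

Read against the chains in the post: the first echo request is NEW and has to be matched by the explicit `ACCEPT icmp ... 114.114.114.114` rule; every packet after it, in both directions, is ESTABLISHED and is taken by the state rule; an ICMP error about the flow is RELATED and is taken by the same rule; and a stray reply is INVALID and hits the `DROP ... state INVALID` rule that sits first in each chain.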

3. Does this work for ARP?

No. What you are describing requires arptables.


Reposted from blog.csdn.net/m0_37313888/article/details/87861576