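How to disable internet in a centos VM instance created using openstack?
How do I disable internet access in a CentOS VM instance created using OpenStack? I only need to disable internet access, not networking, because this VM should still be able to communicate with other VMs on the same network.
You can use a modified security group that only allows access to the local network. By default, a security group allows all outgoing connections. These rules must be replaced to restrict them to the local network.
Example: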
# create new security group
openstack security group create test-group
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | 2020-06-24T20:20:38Z |
| description | test-group |
| id | a39ac981-6547-4ed3-a2da-7037e50ef00e |
| name | test-group |
| project_id | b9105cd288f740fcaec03d42fd93607e |
| revision_number | 2 |
| rules | created_at='2020-06-24T20:20:38Z', direction='egress', ethertype='IPv6', id='5439255a-3a7d-4f54-967d-6393622f7777', updated_at='2020-06-24T20:20:38Z' |
| | created_at='2020-06-24T20:20:38Z', direction='egress', ethertype='IPv4', id='6fe86a1b-47e4-4927-9533-92b9b1b8c50b', updated_at='2020-06-24T20:20:38Z' |
| updated_at | 2020-06-24T20:20:38Z |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
# list all rules. The only ones shown are the two default egress rules
openstack security group rule list test-group
+--------------------------------------+-------------+----------+------------+-----------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+----------+------------+-----------------------+
| 5439255a-3a7d-4f54-967d-6393622f7777 | None | None | | None |
| 6fe86a1b-47e4-4927-9533-92b9b1b8c50b | None | None | | None |
+--------------------------------------+-------------+----------+------------+-----------------------+
# delete the two rules
openstack security group rule delete 5439255a-3a7d-4f54-967d-6393622f7777 6fe86a1b-47e4-4927-9533-92b9b1b8c50b
# set the new egress-rule, which allows only communication within your local network
openstack security group rule create --egress --remote-ip 192.168.20.0/24 test-group
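Of course, you must replace 192.168.20.0/24 in the example with the subnet range of your internal network, to which your other VMs are also connected. If necessary, add ingress rules for ICMP, SSH and so on, and use it as the only security group for the VM. With this, your VM can only connect to other VMs in the local network, but can no longer connect to the internet.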
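The steps from the answer above as one script, added here as an example that is not part of the original answer. It generalizes the answer by looking up the egress rule IDs instead of copying them by hand, and checks the result afterwards; the function name restrict_egress and the script name are assumptions.

```sh
#!/bin/sh
# Added example, not from the original answer.
# Usage (hypothetical script name): sh restrict-egress.sh test-group 192.168.20.0/24

restrict_egress() {
    group=$1
    cidr=$2

    # Refuse an empty or catch-all range: it would re-open internet access.
    case $cidr in
        ''|0.0.0.0/0|::/0)
            echo "refusing catch-all CIDR: '$cidr'" >&2
            return 2 ;;
    esac

    # Look up the IDs of all current egress rules (the IPv4 and IPv6 defaults
    # included) instead of copying them by hand from the table output.
    ids=$(openstack security group rule list --egress -f value -c ID "$group") || return 1
    for rule_id in $ids; do
        openstack security group rule delete "$rule_id" || return 1
    done

    # Allow outgoing traffic to the local subnet only.
    openstack security group rule create --egress --remote-ip "$cidr" "$group" >/dev/null || return 1

    # Verify: exactly one egress rule may remain on the group.
    remaining=$(openstack security group rule list --egress -f value -c ID "$group" | wc -l | tr -d ' ')
    if [ "$remaining" -ne 1 ]; then
        echo "expected 1 egress rule on $group, found $remaining" >&2
        return 1
    fi
}

# Run only when called with a group name and a CIDR.
if [ "$#" -eq 2 ]; then
    restrict_egress "$1" "$2"
fi
```

Security group rules are additive across all groups attached to a port, so the restriction only holds while this group is the VM's only security group.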