Configuring Security Groups

Published on: November 4, 2016

Security Groups provide a firewall that sits in front of an instance. The rules are applied before any network packets reach it. Every instance requires a Security Group, so configuring a general set of firewall rules is essential.

All rules are based on an explicit allow list. This means that only the ports/IPs that are defined in the Security Group will be allowed through. By default, a new Security Group will only allow outbound traffic.

1. Create a new Security Group.

Horizon

===============
[ Compute > Access & Security > Security Groups > CREATE SECURITY GROUP ]
===============

CLI

===============
$ openstack security group create <name>
===============

2. Manage the rules.

Horizon

===============
[ Compute > Access & Security > Security Groups ]
[ Manage Rules (Actions) > + ADD RULE ]
[ Manage Rules (Actions) > DELETE RULE (Actions) ]
===============

CLI

===============
$ openstack help security group rule create
$ openstack security group rule create <group>
===============

3. Here are examples of how to add new rules to allow certain traffic inbound (ingress) or outbound (egress) to/from an instance.

3a. Allow all traffic. This includes TCP, UDP, and ICMP packets.

Horizon

===============
Add Rule
Rule: All TCP
Direction: Ingress
Remote: CIDR
CIDR: 0.0.0.0/0
===============
Add Rule
Rule: All UDP
Direction: Ingress
Remote: CIDR
CIDR: 0.0.0.0/0
===============
Add Rule
Rule: All TCP
Direction: Egress
Remote: CIDR
CIDR: 0.0.0.0/0
===============
Add Rule
Rule: All UDP
Direction: Egress
Remote: CIDR
CIDR: 0.0.0.0/0
===============
Add Rule
Rule: All ICMP
Direction: Ingress
Remote: CIDR
CIDR: 0.0.0.0/0
===============
Add Rule
Rule: All ICMP
Direction: Egress
Remote: CIDR
CIDR: 0.0.0.0/0
===============

CLI

===============
$ openstack security group rule create --protocol tcp --ingress <group>
$ openstack security group rule create --protocol udp --ingress <group>
$ openstack security group rule create --protocol icmp --ingress <group>
$ openstack security group rule create --protocol tcp --egress <group>
$ openstack security group rule create --protocol udp --egress <group>
$ openstack security group rule create --protocol icmp --egress <group>
===============

3b. Allow inbound connections to an HTTP web server (port 80).

Horizon

===============
Add Rule
Rule: Custom TCP Rule
Direction: Ingress
Open Port: Port
Port: 80
CIDR: 0.0.0.0/0
===============

CLI

===============
$ openstack security group rule create --protocol tcp --ingress --dst-port 80 <group>
===============

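3c. Allow connections to an SSH server (port 22) from a specific IP. The /24 prefix used below covers the whole 172.190.254.0/24 network; a /32 prefix limits the rule to a single address.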

Horizon

===============
Add Rule
Rule: Custom TCP Rule
Direction: Ingress
Open Port: Port
Port: 22
CIDR: 172.190.254.150/24
===============

CLI

===============
$ openstack security group rule create --protocol tcp --ingress --dst-port 22 --src-ip 172.190.254.150/24 <group>
===============

3d. Open a range of ports. This will allow FTP (20 and 21) as well as SSH (22) traffic inbound.

Horizon

===============
Add Rule
Rule: Custom TCP Rule
Direction: Ingress
Open Port: Port Range
From Port: 20
To Port: 22
CIDR: 0.0.0.0/0
===============

CLI

===============
$ openstack security group rule create --protocol tcp --ingress --dst-port 20:22 <group>
===============
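
A review of the TCP ingress rules from examples 3a through 3d, added here as an example and not part of the original article: it reports which sources each CIDR really covers and which rules expose administrative ports to any address. The rule dictionary layout, the function names, and the choice of "administrative" ports are assumptions made for this sketch.

```python
import ipaddress

# Constructed input: the TCP ingress rules from 3a-3d above, written as dicts.
# The field names are hypothetical and are not an OpenStack API format.
PAGE_RULES = [
    {"name": "3a", "direction": "ingress", "ports": None, "cidr": "0.0.0.0/0"},
    {"name": "3b", "direction": "ingress", "ports": (80, 80), "cidr": "0.0.0.0/0"},
    {"name": "3c", "direction": "ingress", "ports": (22, 22),
     "cidr": "172.190.254.150/24"},
    {"name": "3d", "direction": "ingress", "ports": (20, 22), "cidr": "0.0.0.0/0"},
]

ADMIN_PORTS = {22, 3389}  # assumption: ports treated as administrative access


def review_rule(rule):
    """Return a list of findings for one rule (empty list means nothing flagged)."""
    findings = []
    if rule["direction"] != "ingress":
        return findings  # only inbound exposure is reviewed here
    # strict=False accepts a CIDR with host bits set and returns its network
    net = ipaddress.ip_network(rule["cidr"], strict=False)
    if str(net) != rule["cidr"]:
        findings.append(
            f"host bits set: covers {net} ({net.num_addresses} addresses)")
    open_to_any = net.prefixlen == 0
    if open_to_any and rule["ports"] is None:
        findings.append("all ports open to any source")
    elif open_to_any:
        low, high = rule["ports"]
        exposed = sorted(p for p in ADMIN_PORTS if low <= p <= high)
        if exposed:
            findings.append(f"admin port(s) {exposed} open to any source")
    return findings


def review(rules):
    """Map each rule name to its findings."""
    return {rule["name"]: review_rule(rule) for rule in rules}


if __name__ == "__main__":
    for name, findings in review(PAGE_RULES).items():
        print(name, findings or "ok")
```

The port range in 3d is flagged because opening 20 to 22 to 0.0.0.0/0 also opens SSH to every source, unlike the restricted rule in 3c.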
