Knowledgebase
Security Groups
Posted by Tobias J on 2018-06-14 14:02

Security groups are openstacks version of a firewall that will prevent certain traffic to reach your instance. The traffic will be dropped before reaching the instance, it is working like an iptable that drops everything as a last rule.

This means that it will only allow traffic that is specified on the security rules. If you only have rule that allows egress tcp traffic on all ports to all networks you will be able to connect out from the instance but not in to it.

 

To create a security group click on Security Groups in the menu. 

When first going to this page you will have a default group that will allow all traffic from everywhere, both ingress and egress.

Usually this is not something that we want to have. First of all we want to remove the ingress rules that allows all traffic. We don´t want anyone to connect to every port. For example we only want known ip addresses to connect to port 22 or 3389. This will prevent

the basic attacks on the server. For the same reason we don`t want to allow anyone to connect to port 3306 and messing with our sql. 

 

Lets say we have an web-server running nginx and mysql on a linux system and want to create a simple Security Group Rule set. 

First we want to remove the two ingress rules that allow all traffic. 

The next thing we want to do is to allow ourselves to have ssh access to the server. To do this we click on the "Create new rule" button.

We chose the protocol "SSH" which will fill out some fileds for us.

The direction is ingress, we want traffic to be allowed to our machine. The port used for SSH is 22 which is already filled for us. 

Under Network/IP we want to add a CIDR for the ip range we want to connect from. Easiest is to visit whatsmyip.com if you don`t know your ip. For me this will show "91.123.199.188" so if I only want

to connect from that ip the CIDR will be 91.123.199.188/32. I want to be able to connect from any address in that range so I will put 91.123.199.0/24 into that field and press enter. 

It will look something like this when configured correctly.

We now have SSH access to the server from our ip range. Now we want everyone to be able to access the server on port 80 and 443. Using the same logic as before we click on "Create new rule" and choses Web in protocol.

This will fill in the ingress rule and ports 80 and 443. For network we want everyone to be able to connect and thus choosing 0.0.0.0/0 as network CIDR.

Since our web-server is only connecting locally to mysql we will not have to open a port for this one. If you have a mysql server that you want to expose its port you can open it the same way as we did above.

Now we have all the rules for a simple web-server. Resulting in the following rules.