Networking: How do I disable internet in a CentOS VM instance created using OpenStack?


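How do I disable internet in a CentOS VM instance created using OpenStack?
I only need to disable internet access, not the network, because this VM should be able to communicate with other VMs on the same network.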

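You can use a modified security group that only allows access to the local network. By default, a security group allows all outgoing connections. These rules have to be replaced to restrict them to the local network.

For example: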

# create new security group
openstack security group create test-group
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                                 |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2020-06-24T20:20:38Z                                                                                                                                  |
| description     | test-group                                                                                                                                            |
| id              | a39ac981-6547-4ed3-a2da-7037e50ef00e                                                                                                                  |
| name            | test-group                                                                                                                                            |
| project_id      | b9105cd288f740fcaec03d42fd93607e                                                                                                                      |
| revision_number | 2                                                                                                                                                     |
| rules           | created_at='2020-06-24T20:20:38Z', direction='egress', ethertype='IPv6', id='5439255a-3a7d-4f54-967d-6393622f7777', updated_at='2020-06-24T20:20:38Z' |
|                 | created_at='2020-06-24T20:20:38Z', direction='egress', ethertype='IPv4', id='6fe86a1b-47e4-4927-9533-92b9b1b8c50b', updated_at='2020-06-24T20:20:38Z' |
| updated_at      | 2020-06-24T20:20:38Z                                                                                                                                  |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+

# list all rules. The only shown are the two default egress-rules
openstack security group rule list test-group
+--------------------------------------+-------------+----------+------------+-----------------------+
| ID                                   | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+----------+------------+-----------------------+
| 5439255a-3a7d-4f54-967d-6393622f7777 | None        | None     |            | None                  |
| 6fe86a1b-47e4-4927-9533-92b9b1b8c50b | None        | None     |            | None                  |
+--------------------------------------+-------------+----------+------------+-----------------------+

# delete the two rules
openstack security group rule delete 5439255a-3a7d-4f54-967d-6393622f7777 6fe86a1b-47e4-4927-9533-92b9b1b8c50b

# set the new egress-rule, which allows only communication within your local network
openstack security group rule create --egress --remote-ip 192.168.20.0/24  test-group
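Of course, you have to replace 192.168.20.0/24 in the example with the subnet range of your internal network, in which your other VMs are also connected. If necessary, add ingress rules for ICMP, SSH, etc., and use this as the only security group for your VM. This way, your VM can connect only to other VMs in the local network and no longer to the internet.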
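
A check for the result of the steps above, as an added example that is not part of the original answer: it flags any egress rule that still allows destinations outside the local subnet, including when a second security group is attached alongside the restricted one. The rule dictionaries use the Neutron API field names (`direction`, `ethertype`, `remote_ip_prefix`, `remote_group_id`); the function names and the sample rules are constructed for illustration.

```python
import ipaddress

def open_egress_rules(rules, local_cidrs):
    """Return the egress rules that allow destinations outside local_cidrs."""
    local = [ipaddress.ip_network(c) for c in local_cidrs]
    findings = []
    for rule in rules:
        if rule.get("direction") != "egress":
            continue
        if rule.get("remote_group_id"):
            continue  # destination limited to members of a security group
        prefix = rule.get("remote_ip_prefix")
        if prefix is None:
            # No prefix means any destination for that ethertype.
            prefix = "0.0.0.0/0" if rule.get("ethertype") == "IPv4" else "::/0"
        dest = ipaddress.ip_network(prefix, strict=False)
        if not any(dest.version == net.version and dest.subnet_of(net)
                   for net in local):
            findings.append(rule)
    return findings

# Constructed sample data (not taken from a real deployment).
DEFAULT_EGRESS = [
    {"id": "default-v4", "direction": "egress", "ethertype": "IPv4",
     "remote_ip_prefix": None, "remote_group_id": None},
    {"id": "default-v6", "direction": "egress", "ethertype": "IPv6",
     "remote_ip_prefix": None, "remote_group_id": None},
]
RESTRICTED = [
    {"id": "local-egress", "direction": "egress", "ethertype": "IPv4",
     "remote_ip_prefix": "192.168.20.0/24", "remote_group_id": None},
    {"id": "ssh-in", "direction": "ingress", "ethertype": "IPv4",
     "protocol": "tcp", "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "192.168.20.0/24", "remote_group_id": None},
]

def rule_ids(rules):
    return [r["id"] for r in rules]

if __name__ == "__main__":
    local = ["192.168.20.0/24"]
    print("restricted group only:", rule_ids(open_egress_rules(RESTRICTED, local)))
    # Security group rules are additive: a second attached group reopens egress.
    print("plus a default group: ",
          rule_ids(open_egress_rules(RESTRICTED + DEFAULT_EGRESS, local)))
```

Pass the function the combined rules of every security group attached to the VM's port, since the effective policy is the union of all of them.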