Create a rule | Selectel Documentation

Create a rule in a security group

OpenStack CLI

Incoming traffic
Outgoing traffic

Open the OpenStack CLI.
Create a rule in the group:
```
openstack security group rule create \
  --ingress \
  [--remote-ip <remote_ip> | --remote-group <remote_group>] \
  [--protocol <protocol>] \
  [--dst-port <port_range>] \
  <security_group>
```
Specify:
- optional: traffic source, you can specify one or both parameters. If you do not specify a source, the subnet will be set by default 0.0.0.0/0:
  - --remote-ip <remote_ip> — to receive traffic from an IP address. Parameter <remote_ip> — IP address or subnet in CIDR format;
  - --remote-group <remote_group> — to receive traffic from another security group. Parameter <remote_group> — ID or group name, can be viewed with the command openstack security group list. To allow traffic within a group, specify the group name. You can only specify a group in the same pool, for traffic from another pool use --remote-ip <remote_ip>;
- optional: --protocol <protocol> — Protocol. Parameter <protocol> — protocol name from the list below. If you do not specify a parameter, any protocols will be allowed:
  - icmp — ICMP;
  - tcp — TCP;
  - udp — UDP;
  - ah — AH;
  - dccp — DCCP;
  - egp — EGP;
  - esp — ESP;
  - gre — GRE;
  - igmp — IGMP;
  - ipv6-encap — IPv6-ENCAP;
  - ipv6-frag — IPv6-Frag;
  - ipv6-icmp — IPv6-ICMP;
  - ipv6-nonxt — IPv6-NoNxt;
  - ipv6-opts — IPv6-Opts;
  - ipv6-route — IPv6-Route;
  - ospf — OSPF;
  - pgm — PGM;
  - rsvp — RSVP;
  - sctp — SCTP;
  - udplite — UDP Lite;
  - vrrp — VRRP;
  - ipip — IP-in-IP;
  - any — any protocol;
- optional: --dst-port <port_range> — server ports on which it is allowed to receive traffic. Parameter <port_range> — port number or port range, e.g. 137:139. Indicate if <protocol> — tcp, udp or any.
  
  Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule;
- <security_group> — The ID or name of the security group you created in step 2 can be viewed using the command openstack security group list.
Optional: check the list of rules in the security group:
```
openstack security group rule list <security_group>
```
Specify <security_group> — The ID or name of the security group to which you added the rule in step 2 can be viewed with openstack security group list

Open the OpenStack CLI.
Create a rule in the group:
```
openstack security group rule create \
    --egress \
    [--remote-ip <remote_ip> | --remote-group <remote_group>] \
    [--dst-port <port_range>] \
    [--protocol <protocol>] \
    <security_group>
```
Specify:
- optional: traffic assignment, you can specify one or both parameters. If you do not specify a destination, the default subnet will be set to the subnet 0.0.0.0/0:
  - --remote-ip <remote_ip> — to send traffic to an IP address. Parameter <remote_ip> — IP address or subnet in CIDR format;
  - --remote-group <remote_group> — to send traffic to another security group. Parameter <remote_group> — ID or group name, can be viewed with the command openstack security group list. To allow traffic within a group, specify the group name. You can only specify a group in the same pool, for traffic from another pool use --remote-ip <remote_ip>;
- optional: --protocol <protocol> — Protocol. Parameter <protocol> — protocol name from the list below. If you do not specify a parameter, any protocols will be allowed:
  - icmp — ICMP;
  - tcp — TCP;
  - udp — UDP;
  - ah — AH;
  - dccp — DCCP;
  - egp — EGP;
  - esp — ESP;
  - gre — GRE;
  - igmp — IGMP;
  - ipv6-encap — IPv6-ENCAP;
  - ipv6-frag — IPv6-Frag;
  - ipv6-icmp — IPv6-ICMP;
  - ipv6-nonxt — IPv6-NoNxt;
  - ipv6-opts — IPv6-Opts;
  - ipv6-route — IPv6-Route;
  - ospf — OSPF;
  - pgm — PGM;
  - rsvp — RSVP;
  - sctp — SCTP;
  - udplite — UDP Lite;
  - vrrp — VRRP;
  - ipip — IP-in-IP;
  - any — any protocol;
- optional: --dst-port <port_range> — server ports from which traffic is allowed to be sent. Parameter <port_range> — port number or port range, e.g. 137:139. Indicate if <protocol> — tcp, udp or any.
  
  Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule;
- <security_group> — The ID or name of the security group you created in step 2 can be viewed using the command openstack security group list.
Optional: check the list of rules in the security group:
```
openstack security group rule list <security_group>
```
Specify <security_group> — The ID or name of the security group to which you added the rule in step 2 can be viewed with openstack security group list <security_group>.