Create a rule | Selectel Documentation

Create a rule in a security group

Through the control panel, you can create a rule with TCP, UDP, ICMP, or Any (all protocols). You can create a rule with any protocol through the OpenStack CLI.

Create a rule for incoming traffic⁠

Control panel
OpenStack CLI

В control panels from the top menu, press Products and select Cloud servers.
Go to the section Security groups.
Open the security group page.
Open the tab Incoming traffic.
Click Create a rule.
If one of the rule templates for incoming traffic is suitable for you, select a template from the list. The Protocol, Source, Source Ports, Traffic Destination, and Destination Port fields are filled in automatically.
If the templates don't fit, specify your rule parameters:

7.1. Select a protocol or press All protocols.

7.2 Specify the traffic source (Source):
- for traffic from an IP address or subnet — select CIDR and enter an IP address or subnet, or tap All sources;
- for traffic from the security group — select Security Group and select a group. Security groups in the same pool are available. If you need to accept traffic from another pool, specify the source CIDR.
7.3 Enter the port on which traffic is allowed to be received (Dst. port), either a single port or a range of ports, or press All ports.

7.4 Optional: enter a comment for the rule.
Click Create.

Open the OpenStack CLI.
Create a rule in the group:
```
openstack security group rule create \
    --ingress \
    [--remote-ip <remote_ip> | --remote-group <remote_group>] \
    [--protocol <protocol>] \
    [--dst-port <port_range>] \
    <security_group>
```
Specify:
- optional: traffic source, you can specify one or both parameters. If you do not specify a source, the subnet will be set by default 0.0.0.0/0:
  - --remote-ip <remote_ip> — to receive traffic from an IP address. Parameter <remote_ip> — IP address or subnet in CIDR format;
  - --remote-group <remote_group> — to receive traffic from another security group. Parameter <remote_group> — ID or group name, can be viewed with the command openstack security group list. To allow traffic within a group, specify the group name. You can only specify a group in the same pool, for traffic from another pool use --remote-ip <remote_ip>;
- optional: --protocol <protocol> — Protocol. Parameter <protocol> — protocol name from the list below. If you do not specify a parameter, any protocols will be allowed:
  - icmp — ICMP;
  - tcp — TCP;
  - udp — UDP;
  - ah — AH;
  - dccp — DCCP;
  - egp — EGP;
  - esp — ESP;
  - gre — GRE;
  - igmp — IGMP;
  - ipv6-encap — IPv6-ENCAP;
  - ipv6-frag — IPv6-Frag;
  - ipv6-icmp — IPv6-ICMP;
  - ipv6-nonxt — IPv6-NoNxt;
  - ipv6-opts — IPv6-Opts;
  - ipv6-route — IPv6-Route;
  - ospf — OSPF;
  - pgm — PGM;
  - rsvp — RSVP;
  - sctp — SCTP;
  - udplite — UDP Lite;
  - vrrp — VRRP;
  - ipip — IP-in-IP;
  - any — any protocol;
- optional: --dst-port <port_range> — server ports on which it is allowed to receive traffic. Parameter <port_range> — port number or port range, e.g. 137:139. Indicate if <protocol> — tcp, udp or any.
  
  Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule;
- <security_group> — ID or security group name, can be viewed using the command openstack security group list.
Optional: check the list of rules in the security group:
```
openstack security group rule list <security_group>
```
Specify <security_group> — The ID or name of the security group to which you added the rule in step 2 can be viewed using the command openstack security group list.

Create a rule for outgoing traffic⁠

Control panel
OpenStack CLI

В control panels from the top menu, press Products and select Cloud servers.
Go to the section Security groups.
Open the security group page.
Open the tab Outgoing traffic.
Click Create a rule.
If one of the rule templates for outgoing traffic is suitable for you, select a template from the list. The Protocol, Source, Source Ports, Traffic Destination, and Destination Port fields are filled in automatically.
If the templates don't fit, specify your rule parameters:

7.1. Select a protocol or press All protocols.

7.2 Specify the destination of the traffic (Destination):
- for traffic from an IP address or subnet — select CIDR and enter an IP address or subnet or press All sources;
- for traffic from the security group — select Security Group and select a group. Security groups in the same pool are available. If you need to send traffic to another pool, specify the source CIDR.
7.3. Enter the source port (Src. port), either a single port or a range of ports, or tap All ports.

7.4 Optional: enter a comment for the rule.
Click Create.

Open the OpenStack CLI.
Create a rule in the group:
```
openstack security group rule create \
    --ingress \
    [--remote-ip <remote_ip> | --remote-group <remote_group>] \
    [--protocol <protocol>] \
    [--dst-port <port_range>] \
    <security_group>
```
Specify:
- optional: traffic source, you can specify one or both parameters. If you do not specify a source, the subnet will be set by default 0.0.0.0/0:
  - --remote-ip <remote_ip> — to receive traffic from an IP address. Parameter <remote_ip> — IP address or subnet in CIDR format;
  - --remote-group <remote_group> — to receive traffic from another security group. Parameter <remote_group> — ID or group name, can be viewed with the command openstack security group list. To allow traffic within a group, specify the group name. You can only specify a group in the same pool, for traffic from another pool use --remote-ip <remote_ip>;
- optional: --protocol <protocol> — Protocol. Parameter <protocol> — protocol name from the list below. If you do not specify a parameter, any protocols will be allowed:
  - icmp — ICMP;
  - tcp — TCP;
  - udp — UDP;
  - ah — AH;
  - dccp — DCCP;
  - egp — EGP;
  - esp — ESP;
  - gre — GRE;
  - igmp — IGMP;
  - ipv6-encap — IPv6-ENCAP;
  - ipv6-frag — IPv6-Frag;
  - ipv6-icmp — IPv6-ICMP;
  - ipv6-nonxt — IPv6-NoNxt;
  - ipv6-opts — IPv6-Opts;
  - ipv6-route — IPv6-Route;
  - ospf — OSPF;
  - pgm — PGM;
  - rsvp — RSVP;
  - sctp — SCTP;
  - udplite — UDP Lite;
  - vrrp — VRRP;
  - ipip — IP-in-IP;
  - any — any protocol;
- optional: --dst-port <port_range> — server ports on which it is allowed to receive traffic. Parameter <port_range> — port number or port range, e.g. 137:139. Indicate if <protocol> — tcp, udp or any.
  
  Traffic to any TCP/UDP port blocked in Selectel by default, will be denied even if you specify that port in the rule;
- <security_group> — ID or security group name, can be viewed using the command openstack security group list.
Optional: check the list of rules in the security group:
```
openstack security group rule list <security_group>
```
Specify <security_group> — The ID or name of the security group to which you added the rule in step 2 can be viewed using the command openstack security group list.

Create a rule in a security group

Create a rule for incoming traffic⁠​

Create a rule for outgoing traffic⁠​

Create a rule for incoming traffic⁠

Create a rule for outgoing traffic⁠