Create a rule in a security group

You can:

create rules one at a time — create a rule for inbound traffic or outbound traffic through the Control Panel or OpenStack CLI;
bulk add rules from a file — prepare a file in the format .json file with the description of the necessary rules and upload it to the control panel.

Through the Control Panel and Add File, you can create a rule with TCP, UDP, ICMP, or Any (all protocols).Through the OpenStack CLI, you can create a rule with any protocol.

You can also copy rules from one security group to another, to do this, copy the security group.

Create a rule for incoming traffic

Control panel
OpenStack CLI

In the dashboard, on the top menu, click Products and select Cloud Servers.
Go to the Security Groups section.
Open the security group page.
Open the Incoming Traffic tab.
Click Create Rule.
If one of the rule templates for incoming traffic is suitable for you, select a template from the list. The Protocol, Source, Source Ports, Traffic Destination, and Destination Port fields are filled in automatically.
If the templates don't fit, specify your rule parameters:

7.1. Select a protocol or click All Protocols.

7.2 Specify the traffic source (Source):
- for traffic from an IP address or subnet — select CIDR and enter the IP address or subnet, or click All Sources;
- for traffic from a security group — select Security Group and select the group. Security groups in the same pool are available. If you need to accept traffic from another pool, specify the source CIDR.
7.3 Enter the port on which traffic is allowed to be received (Dst. port) — a single port or a range of ports, or click All Ports.

7.4 Optional: enter a comment for the rule.
Click Create.

Open the OpenStack CLI.
Create a rule in the group:
```
openstack security group rule create \
    --ingress \
    [--remote-ip <remote_ip> | --remote-group <remote_group>] \
    [--protocol <protocol>] \
    [--dst-port <port_range>] \
    <security_group>
```
Specify:
- optional: traffic source, you can specify one or both parameters. If you do not specify a source, the default subnet is 0.0.0.0/0::
  - --remote-ip <remote_ip> — to receive traffic from an IP address. Parameter <remote_ip> — IP address or subnet in CIDR format;
  - --remote-group <remote_group> — to accept traffic from another security group. The parameter <remote_group> — ID or group name, can be viewed with the command openstack security group list. To allow traffic within a group, specify its name. You can only specify a group in the same pool, for traffic from another pool use --remote-ip <remote_ip>;
- optional: --protocol <protocol> — protocol. The parameter <protocol> is the name of the protocol from the list below. If you do not specify the parameter, any protocols will be allowed:
  - icmp — ICMP;
  - tcp — TCP;
  - udp — UDP;
  - ah — AH;
  - dccp — DCCP;
  - egp — EGP;
  - esp — ESP;
  - gre — GRE;
  - igmp — IGMP;
  - ipv6-encap — IPv6-ENCAP;
  - ipv6-frag — IPv6-Frag;
  - ipv6-icmp — IPv6-ICMP;
  - ipv6-nonxt — IPv6-NoNxt;
  - ipv6-opts — IPv6-Opts;
  - ipv6-route — IPv6-Route;
  - ospf — OSPF;
  - pgm — PGM;
  - rsvp — RSVP;
  - sctp — SCTP;
  - udplite — UDP Lite;
  - vrrp — VRRP;
  - ipip — IP-in-IP;
  - any — any protocol;
- optional: --dst-port <port_range> — server ports on which it is allowed to receive traffic. Parameter <port_range> — port number or port range, for example 137:139. Specify if <protocol> is tcp, udp, or any.
  
  Traffic to any TCP/UDP port blocked in Selectel by default will be denied even if you specify that port in the rule;
- <security_group> — The ID or name of the security group can be viewed with the command openstack security group list.
Optional: check the list of rules in the security group:
```
openstack security group rule list <security_group>
```
Specify <security_group> — The ID or name of the security group to which you added the rule in step 2 can be viewed using the openstack security group list command.

Create a rule for outgoing traffic

Control panel
OpenStack CLI

In the Dashboard, on the top menu, click Products and select Cloud Servers.
Go to the Security Groups section.
Open the security group page.
Open the Outgoing Traffic tab.
Click Create Rule.
If one of the rule templates for outgoing traffic is suitable for you, select a template from the list. The Protocol, Source, Source Ports, Traffic Destination, and Destination Port fields are filled in automatically.
If the templates don't fit, specify your rule parameters:

7.1. Select a protocol or click All Protocols.

7.2 Specify the destination of the traffic (Destination):
- for traffic from an IP address or subnet — select CIDR and enter the IP address or subnet or click All Sources;
- for traffic from a security group — select Security Group and select the group. Security groups in the same pool are available. If you need to send traffic to another pool, specify the source CIDR.
7.3 Enter the source port (Src. port) — a single port or a range of ports or click All Ports.

7.4 Optional: enter a comment for the rule.
Click Create.

Open the OpenStack CLI.
Create a rule in the group:
```
openstack security group rule create \
    --egress \
    [--remote-ip <remote_ip> | --remote-group <remote_group>] \
    [--dst-port <port_range>] \
    [--protocol <protocol>] \
    <security_group>
```
Specify:
- optional: traffic assignment, you can specify one or both parameters. If you do not specify a destination, the default subnet is 0.0.0.0/0::
  - --remote-ip <remote_ip> — To send traffic to an IP address. Parameter <remote_ip> — IP address or subnet in CIDR format;
  - --remote-group <remote_group> — to send traffic to another security group. The parameter <remote_group> — ID or group name, can be viewed with the command openstack security group list. To allow traffic within a group, specify its name. You can only specify a group in the same pool, for traffic from another pool use --remote-ip <remote_ip>;
- optional: --protocol <protocol> — protocol. The parameter <protocol> is the name of the protocol from the list below. If you do not specify the parameter, any protocols will be allowed:
  - icmp — ICMP;
  - tcp — TCP;
  - udp — UDP;
  - ah — AH;
  - dccp — DCCP;
  - egp — EGP;
  - esp — ESP;
  - gre — GRE;
  - igmp — IGMP;
  - ipv6-encap — IPv6-ENCAP;
  - ipv6-frag — IPv6-Frag;
  - ipv6-icmp — IPv6-ICMP;
  - ipv6-nonxt — IPv6-NoNxt;
  - ipv6-opts — IPv6-Opts;
  - ipv6-route — IPv6-Route;
  - ospf — OSPF;
  - pgm — PGM;
  - rsvp — RSVP;
  - sctp — SCTP;
  - udplite — UDP Lite;
  - vrrp — VRRP;
  - ipip — IP-in-IP;
  - any — any protocol;
- optional: --dst-port <port_range> — server ports from which it is allowed to send traffic. Parameter <port_range> — port number or port range, for example 137:139. Specify if <protocol> is tcp, udp, or any.
  
  Traffic to any TCP/UDP port blocked in Selectel by default will be denied even if you specify that port in the rule;
- <security_group> — The ID or name of the security group can be viewed with the command openstack security group list.
Optional: check the list of rules in the security group:
```
openstack security group rule list <security_group>
```
Specify <security_group> — The ID or name of the security group to which you added the rule in step 2 can be viewed using the openstack security group list command.

1. Prepare a file describing the rules

In the dashboard, on the top menu, click Products and select Cloud Servers.
Go to the Security Groups section.
Open the security group page.
From the menu of the security group, select Add Rules from JSON.
Click on the link in the text to download the file template.
Open the file in any text editor.
Edit the content of the file — delete or add the required number of blocks with rules, specify parameters for each rule:
- direction — traffic direction: ingress for incoming traffic, egress for outgoing traffic;
- ethertype — IP type: IPv4 or IPv6;
- port_range_max — last port in the allowed port range: a number from 1 to 65,535.If the protocol of the rule is icmp instead of the port number, specify the ICMP type.To allow all ports or ICMP types, specify null;
- port_range_min — the first port in the allowed port range: a number from 1 to 65,535.If the protocol of the rule is icmp instead of the port number, specify the ICMP type.To allow all ports or ICMP types, specify null;
- protocol — protocol name:
  - icmp — ICMP;
  - tcp — TCP;
  - udp — UDP;
  - any or null — any protocol;
- traffic source or destination — specify one of the parameters, specify null for the other:
  - remote_group_id — Security group ID, can be viewed in control panel: in the top menu, click Products → Cloud Servers → Security Groups → in the group card, click .You can only specify a group in the same pool, for traffic from another pool use remote_ip_prefix.To allow traffic from all security groups, specify null;
  - remote_ip_prefix — IP address or subnet in CIDR format.To allow traffic from all IP addresses, specify null.
  If you specify null for both parameters, all traffic matching the other rule parameters will be allowed.
Save the modified file.

2. Upload the file to the control panel

In the dashboard, on the top menu, click Products and select Cloud Servers.
Go to the Security Groups section.
Open the security group page.
From the Security Group menu, select Add Rules from JSON.
Choose how to add rules from the file to existing rules in the group:
- add new rules to the old ones;
- or delete old rules and add new ones.
Upload the file you prepared earlier — drag and drop it into the upload box or click on the upload box and select the file.
Click Add or Delete and add.