
openstack team mailing list archive

Re: Security group isolation on same physical host


Looks like I tracked down the problem.  I needed to enable netfilter
on the bridge.


On Thu, Jun 7, 2012 at 10:00 AM, Mitchell Broome
<mitchell.broome@xxxxxxxxx> wrote:
> So I'm running into a problem where two different virtual machines on
> the same physical host can get to each other bypassing security
> groups.  As a test, I have removed all rules from the default security
> group and created two other groups for testing (test1 and test2) that
> only have inbound ssh access from a client network.  The hosts are on
> 192.168.95.0/24 and the guests' fixed addresses are on
> 192.168.97.0/24.  I'm not doing anything with floating ips, just
> strictly fixed ips.  While testing, I'm using a single controller
> running everything except nova-compute and a single compute host only
> running nova-compute.
>
> I'm using centos 6.2 with openstack from epel:
> python-nova-2012.1-7.el6.noarch
> openstack-nova-2012.1-7.el6.noarch
>
>
> nova.conf (from the compute node):
> http://paste.openstack.org/show/18381/
>
> iptables -n -L:
> http://paste.openstack.org/show/18382/
>
> Is there some flag I'm missing in nova.conf to stop this?
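
Editor's note on the fix reported above (added here; not part of the thread): nova-network implements security groups as per-instance iptables chains on the compute host. Two guests attached to the same Linux bridge on that host are switched by the kernel bridge code, and their frames only traverse the iptables FORWARD path when bridge netfilter is turned on (net.bridge.bridge-nf-call-iptables=1). With it off, the chains are never consulted for same-host traffic, which is exactly the bypass described in the original message. Two practical caveats: the sysctl keys only exist once the bridge netfilter code is loaded (the bridge module on CentOS 6 kernels, the separate br_netfilter module on later kernels), so a `sysctl -p` run before that reports the keys as missing; and the ip6tables and arptables siblings should be set too, or the same bypass remains for IPv6 and ARP.

The script below is an added example written for this page, not code from the thread or from nova. It audits the three bridge-nf sysctls on a compute host and prints the runtime and persistent fix when any is off. The directory argument (defaulting to /proc/sys/net/bridge) is an assumption made so the check can be run against a copy of those files offline; the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original thread): audit the bridge-netfilter
# sysctls that let iptables see bridged VM-to-VM traffic on a nova-network
# compute host, and print the remediation when any of them is off.
# The DIR argument defaults to /proc/sys/net/bridge; it exists so the check can
# be pointed at a copy of those files (used for the offline test below).

BRIDGE_NF_KEYS="bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables"

# audit_bridge_nf [DIR]
# Prints one "<key>=<value>" line per key. Returns 0 when every key is 1,
# 1 when any key is 0 or missing, and 2 when DIR itself does not exist, which on
# a live host means the bridge / br_netfilter module is not loaded yet (the
# sysctls are not created until it is).
audit_bridge_nf() {
    dir=${1:-/proc/sys/net/bridge}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: bridge netfilter module not loaded" >&2
        return 2
    fi
    for key in $BRIDGE_NF_KEYS; do
        if [ -r "$dir/$key" ]; then
            val=$(cat "$dir/$key")
        else
            val="missing"
        fi
        echo "$key=$val"
        [ "$val" = "1" ] || rc=1
    done
    return $rc
}

# disabled_bridge_nf_keys [DIR]
# Prints only the keys whose value is not 1, one per line (nothing when all are on).
disabled_bridge_nf_keys() {
    audit_bridge_nf "$1" 2>/dev/null | while IFS='=' read -r key val; do
        [ "$val" = "1" ] || echo "$key"
    done
}

# sysctl_fix_lines
# Emits the /etc/sysctl.conf lines that persist the setting across reboots.
# The bridge netfilter module must be loaded before `sysctl -p` can apply them.
sysctl_fix_lines() {
    for key in $BRIDGE_NF_KEYS; do
        echo "net.bridge.$key = 1"
    done
}

# Stand-alone use: `sh check_bridge_nf.sh --run` audits the live host.
if [ "${1:-}" = "--run" ]; then
    if audit_bridge_nf; then
        echo "bridge netfilter enabled: iptables filters bridged traffic"
    else
        echo "disabled keys:"
        disabled_bridge_nf_keys
        echo "fix now:"
        for key in $BRIDGE_NF_KEYS; do
            echo "  sysctl -w net.bridge.$key=1"
        done
        echo "persist by adding to /etc/sysctl.conf:"
        sysctl_fix_lines
    fi
fi
```

After applying the fix, the quick confirmation is the one the original poster implied: re-run the two-guest test from a guest in test1 against a guest in test2 on the same compute host, and check that the packet counters on the per-instance nova chains in `iptables -n -L -v` now increase for that traffic instead of staying at zero.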

