Disable IP forwarding on compute nodes [closed]

asked 2017-11-13 08:34:49 -0600

tk8 gravatar image

Hi, I can't disable IP forwarding on my compute nodes. Every time I reboot the system, the forwarding is enabled. I don't have this issue with my cinder or swift nodes. I have ocata version installed.

edit retag flag offensive reopen merge delete

Closed for the following reason question is off-topic or not relevant by tk8
close date 2017-11-23 15:17:37.213300

Comments

I guess it has to be enabled so that the compute node can forward packets to its instances.

Bernd Bausch gravatar imageBernd Bausch ( 2017-11-13 08:44:30 -0600 )edit

Isn't it insecure if i have two network interfaces, one for management tasks and one for users? I don't like the idea that someone can access the management network from the productive network because of the enabled ip forwarding.

tk8 gravatar imagetk8 ( 2017-11-18 07:01:29 -0600 )edit

netfilter (also named iptables after the command used to configure it) should take care of the correct forwarding. In any case, to reach an instance, the packet needs to travel through the instance's host. If the host doesn't forward it, it won't arrive at the instance.

Bernd Bausch gravatar imageBernd Bausch ( 2017-11-18 08:24:56 -0600 )edit
add a comment