Created
March 10, 2020 15:49
Kubernetes The Hard Way iptables
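root@worker-0:~# iptables -L
(Note: the chains listed below, PREROUTING, INPUT, OUTPUT and POSTROUTING with DNAT and MASQUERADE targets, belong to the nat table, which is what `iptables -t nat -L` prints; plain `iptables -L` lists the filter table. Names such as base-address.mcast.net/4 are reverse-DNS renderings of 224.0.0.0/4; adding -n shows numeric addresses and ports instead.)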
Chain PREROUTING (policy ACCEPT) | |
target prot opt source destination | |
KUBE-SERVICES all -- anywhere anywhere /* kubernetes service portals */ | |
Chain INPUT (policy ACCEPT) | |
target prot opt source destination | |
Chain OUTPUT (policy ACCEPT) | |
target prot opt source destination | |
KUBE-SERVICES all -- anywhere anywhere /* kubernetes service portals */ | |
Chain POSTROUTING (policy ACCEPT) | |
target prot opt source destination | |
KUBE-POSTROUTING all -- anywhere anywhere /* kubernetes postrouting rules */ | |
CNI-da656fe7e5c60b5739af5199 all -- 10.200.0.46 anywhere /* name: "bridge" id: "ce3eff85633b118bc8f30c110e9f13bac556df11c6af5730198f149ad03d82bf" */ | |
CNI-e6f8915306a0d2afb9322e15 all -- 10.200.0.50 anywhere /* name: "bridge" id: "96f6dad29592b1f29be6cb220e81375a480d6ca5a0e000d5d5abbb9f8a8eeffd" */ | |
CNI-a4fadfa1c00fc0d5a8c5612e all -- 10.200.0.52 anywhere /* name: "bridge" id: "5441e2c226a60f7fc101700f0d74a08545cb6dd0f98da19f1b6e211e06cee827" */ | |
Chain CNI-a4fadfa1c00fc0d5a8c5612e (1 references) | |
target prot opt source destination | |
ACCEPT all -- anywhere 10.200.0.0/24 /* name: "bridge" id: "5441e2c226a60f7fc101700f0d74a08545cb6dd0f98da19f1b6e211e06cee827" */ | |
MASQUERADE all -- anywhere !base-address.mcast.net/4 /* name: "bridge" id: "5441e2c226a60f7fc101700f0d74a08545cb6dd0f98da19f1b6e211e06cee827" */ | |
Chain CNI-da656fe7e5c60b5739af5199 (1 references) | |
target prot opt source destination | |
ACCEPT all -- anywhere 10.200.0.0/24 /* name: "bridge" id: "ce3eff85633b118bc8f30c110e9f13bac556df11c6af5730198f149ad03d82bf" */ | |
MASQUERADE all -- anywhere !base-address.mcast.net/4 /* name: "bridge" id: "ce3eff85633b118bc8f30c110e9f13bac556df11c6af5730198f149ad03d82bf" */ | |
Chain CNI-e6f8915306a0d2afb9322e15 (1 references) | |
target prot opt source destination | |
ACCEPT all -- anywhere 10.200.0.0/24 /* name: "bridge" id: "96f6dad29592b1f29be6cb220e81375a480d6ca5a0e000d5d5abbb9f8a8eeffd" */ | |
MASQUERADE all -- anywhere !base-address.mcast.net/4 /* name: "bridge" id: "96f6dad29592b1f29be6cb220e81375a480d6ca5a0e000d5d5abbb9f8a8eeffd" */ | |
Chain KUBE-MARK-DROP (0 references) | |
target prot opt source destination | |
MARK all -- anywhere anywhere MARK or 0x8000 | |
Chain KUBE-MARK-MASQ (2 references) | |
target prot opt source destination | |
MARK all -- anywhere anywhere MARK or 0x4000 | |
Chain KUBE-NODEPORTS (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ tcp -- anywhere anywhere /* default/nginx1: */ tcp dpt:32101 | |
KUBE-SVC-253L2MOZ6TC5FE7P tcp -- anywhere anywhere /* default/nginx1: */ tcp dpt:32101 | |
KUBE-MARK-MASQ tcp -- anywhere anywhere /* default/nginx2: */ tcp dpt:32102 | |
KUBE-SVC-KN7BHMGRB3FSVEMI tcp -- anywhere anywhere /* default/nginx2: */ tcp dpt:32102 | |
KUBE-MARK-MASQ tcp -- anywhere anywhere /* default/nginx0: */ tcp dpt:32100 | |
KUBE-SVC-SJ5YE6C53UPXD73I tcp -- anywhere anywhere /* default/nginx0: */ tcp dpt:32100 | |
Chain KUBE-POSTROUTING (1 references) | |
target prot opt source destination | |
MASQUERADE all -- anywhere anywhere /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000 | |
Chain KUBE-SEP-3MQ7LGWSED2GAEFA (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ all -- 10.200.2.65 anywhere | |
DNAT tcp -- anywhere anywhere tcp to:10.200.2.65:80 | |
Chain KUBE-SEP-4QSDQJ2XGBM3KIR7 (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ all -- 10.200.0.52 anywhere | |
DNAT tcp -- anywhere anywhere tcp to:10.200.0.52:80 | |
Chain KUBE-SEP-B5QGFRIIAVJ4SUMQ (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ all -- 10.200.2.55 anywhere | |
DNAT tcp -- anywhere anywhere tcp to:10.200.2.55:9153 | |
Chain KUBE-SEP-BKTFYET4HE3YMOJJ (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ all -- 10.200.2.55 anywhere | |
DNAT tcp -- anywhere anywhere tcp to:10.200.2.55:53 | |
Chain KUBE-SEP-DEVX3KFWHGGJW53M (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ all -- 10.200.1.41 anywhere | |
DNAT tcp -- anywhere anywhere tcp to:10.200.1.41:53 | |
Chain KUBE-SEP-E6U6KEZPQBWVNUQ2 (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ all -- controller-1.c.dj-kthw3.internal anywhere | |
DNAT tcp -- anywhere anywhere tcp to:10.240.0.11:6443 | |
Chain KUBE-SEP-HFMBYHW5FO36NATD (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ all -- controller-0.c.dj-kthw3.internal anywhere | |
DNAT tcp -- anywhere anywhere tcp to:10.240.0.10:6443 | |
Chain KUBE-SEP-SF3HLF254VH2WA6T (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ all -- 10.200.1.41 anywhere | |
DNAT tcp -- anywhere anywhere tcp to:10.200.1.41:9153 | |
Chain KUBE-SEP-WC3UHWDNRVUZOT3Q (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ all -- 10.200.1.45 anywhere | |
DNAT tcp -- anywhere anywhere tcp to:10.200.1.45:80 | |
Chain KUBE-SEP-WRZKKJS6MWEUDTA4 (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ all -- controller-2.c.dj-kthw3.internal anywhere | |
DNAT tcp -- anywhere anywhere tcp to:10.240.0.12:6443 | |
Chain KUBE-SEP-ZF5QQE2XUFG2ACNS (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ all -- 10.200.2.55 anywhere | |
DNAT udp -- anywhere anywhere udp to:10.200.2.55:53 | |
Chain KUBE-SEP-ZIO7FTENMB6T7XGS (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ all -- 10.200.1.41 anywhere | |
DNAT udp -- anywhere anywhere udp to:10.200.1.41:53 | |
Chain KUBE-SERVICES (2 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ tcp -- !10.200.0.0/16 10.32.0.1 /* default/kubernetes:https cluster IP */ tcp dpt:https | |
KUBE-SVC-NPX46M4PTMTKRN6Y tcp -- anywhere 10.32.0.1 /* default/kubernetes:https cluster IP */ tcp dpt:https | |
KUBE-MARK-MASQ tcp -- !10.200.0.0/16 10.32.0.101 /* default/nginx1: cluster IP */ tcp dpt:http | |
KUBE-SVC-253L2MOZ6TC5FE7P tcp -- anywhere 10.32.0.101 /* default/nginx1: cluster IP */ tcp dpt:http | |
KUBE-MARK-MASQ tcp -- !10.200.0.0/16 10.32.0.102 /* default/nginx2: cluster IP */ tcp dpt:http | |
KUBE-SVC-KN7BHMGRB3FSVEMI tcp -- anywhere 10.32.0.102 /* default/nginx2: cluster IP */ tcp dpt:http | |
KUBE-MARK-MASQ tcp -- !10.200.0.0/16 10.32.0.100 /* default/nginx0: cluster IP */ tcp dpt:http | |
KUBE-SVC-SJ5YE6C53UPXD73I tcp -- anywhere 10.32.0.100 /* default/nginx0: cluster IP */ tcp dpt:http | |
KUBE-MARK-MASQ udp -- !10.200.0.0/16 10.32.0.10 /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain | |
KUBE-SVC-TCOU7JCQXEZGVUNU udp -- anywhere 10.32.0.10 /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain | |
KUBE-MARK-MASQ tcp -- !10.200.0.0/16 10.32.0.10 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain | |
KUBE-SVC-ERIFXISQEP7F7OF4 tcp -- anywhere 10.32.0.10 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain | |
KUBE-MARK-MASQ tcp -- !10.200.0.0/16 10.32.0.10 /* kube-system/kube-dns:metrics cluster IP */ tcp dpt:9153 | |
KUBE-SVC-JD5MR3NA4I4DYORP tcp -- anywhere 10.32.0.10 /* kube-system/kube-dns:metrics cluster IP */ tcp dpt:9153 | |
KUBE-NODEPORTS all -- anywhere anywhere /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL | |
Chain KUBE-SVC-253L2MOZ6TC5FE7P (2 references) | |
target prot opt source destination | |
KUBE-SEP-WC3UHWDNRVUZOT3Q all -- anywhere anywhere | |
Chain KUBE-SVC-ERIFXISQEP7F7OF4 (1 references) | |
target prot opt source destination | |
KUBE-SEP-DEVX3KFWHGGJW53M all -- anywhere anywhere statistic mode random probability 0.50000000000 | |
KUBE-SEP-BKTFYET4HE3YMOJJ all -- anywhere anywhere | |
Chain KUBE-SVC-JD5MR3NA4I4DYORP (1 references) | |
target prot opt source destination | |
KUBE-SEP-SF3HLF254VH2WA6T all -- anywhere anywhere statistic mode random probability 0.50000000000 | |
KUBE-SEP-B5QGFRIIAVJ4SUMQ all -- anywhere anywhere | |
Chain KUBE-SVC-KN7BHMGRB3FSVEMI (2 references) | |
target prot opt source destination | |
KUBE-SEP-3MQ7LGWSED2GAEFA all -- anywhere anywhere | |
Chain KUBE-SVC-NPX46M4PTMTKRN6Y (1 references) | |
target prot opt source destination | |
KUBE-SEP-HFMBYHW5FO36NATD all -- anywhere anywhere statistic mode random probability 0.33332999982 | |
KUBE-SEP-E6U6KEZPQBWVNUQ2 all -- anywhere anywhere statistic mode random probability 0.50000000000 | |
KUBE-SEP-WRZKKJS6MWEUDTA4 all -- anywhere anywhere | |
Chain KUBE-SVC-SJ5YE6C53UPXD73I (2 references) | |
target prot opt source destination | |
KUBE-SEP-4QSDQJ2XGBM3KIR7 all -- anywhere anywhere | |
Chain KUBE-SVC-TCOU7JCQXEZGVUNU (1 references) | |
target prot opt source destination | |
KUBE-SEP-ZIO7FTENMB6T7XGS all -- anywhere anywhere statistic mode random probability 0.50000000000 | |
KUBE-SEP-ZF5QQE2XUFG2ACNS all -- anywhere anywhere |