@anfernee
Created March 2, 2020 05:56
netd-iptables
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -m comment --comment "ip-masq: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ
-A IP-MASQ -d 169.254.0.0/16 -m comment --comment "ip-masq: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 10.0.0.0/8 -m comment --comment "ip-masq: RFC 1918 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 172.16.0.0/12 -m comment --comment "ip-masq: RFC 1918 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.168.0.0/16 -m comment --comment "ip-masq: RFC 1918 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 240.0.0.0/4 -m comment --comment "ip-masq: RFC 5735 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.0.2.0/24 -m comment --comment "ip-masq: RFC 5737 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 198.51.100.0/24 -m comment --comment "ip-masq: RFC 5737 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 203.0.113.0/24 -m comment --comment "ip-masq: RFC 5737 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 100.64.0.0/10 -m comment --comment "ip-masq: RFC 6598 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 198.18.0.0/15 -m comment --comment "ip-masq: RFC 6815 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.0.0.0/24 -m comment --comment "ip-masq: RFC 6890 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.88.99.0/24 -m comment --comment "ip-masq: RFC 7526 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -m comment --comment "ip-masq: outbound traffic is subject to MASQUERADE (must be last in chain)" -j MASQUERADE
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/default-http-backend:http" -m tcp --dport 30336 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/default-http-backend:http" -m tcp --dport 30336 -j KUBE-SVC-XP4WJ6VSLGWALMW5
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-A KUBE-SEP-6KJIUV7XVGYAGQT7 -s 10.48.0.10/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-6KJIUV7XVGYAGQT7 -p tcp -m tcp -j DNAT --to-destination 10.48.0.10:443
-A KUBE-SEP-CSWJ6CPUOAWUS4LV -s 10.48.0.11/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-CSWJ6CPUOAWUS4LV -p tcp -m tcp -j DNAT --to-destination 10.48.0.11:8082
-A KUBE-SEP-UMDLDSSAKMMDHF2T -s 10.48.0.8/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-UMDLDSSAKMMDHF2T -p tcp -m tcp -j DNAT --to-destination 10.48.0.8:8080
-A KUBE-SEP-W6637JVGMAQFBLQR -s 10.48.0.9/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-W6637JVGMAQFBLQR -p tcp -m tcp -j DNAT --to-destination 10.48.0.9:53
-A KUBE-SEP-WYPHW45BSK4YMG7K -s 35.238.149.10/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-WYPHW45BSK4YMG7K -p tcp -m tcp -j DNAT --to-destination 35.238.149.10:443
-A KUBE-SEP-YJQPZ4AN5GDKXZAZ -s 10.48.0.9/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-YJQPZ4AN5GDKXZAZ -p udp -m udp -j DNAT --to-destination 10.48.0.9:53
-A KUBE-SERVICES ! -s 10.48.0.0/14 -d 10.0.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.0.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES ! -s 10.48.0.0/14 -d 10.0.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.0.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES ! -s 10.48.0.0/14 -d 10.0.9.202/32 -p tcp -m comment --comment "kube-system/default-http-backend:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.0.9.202/32 -p tcp -m comment --comment "kube-system/default-http-backend:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-XP4WJ6VSLGWALMW5
-A KUBE-SERVICES ! -s 10.48.0.0/14 -d 10.0.0.117/32 -p tcp -m comment --comment "kube-system/heapster: cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.0.0.117/32 -p tcp -m comment --comment "kube-system/heapster: cluster IP" -m tcp --dport 80 -j KUBE-SVC-BJM46V3U5RZHCFRZ
-A KUBE-SERVICES ! -s 10.48.0.0/14 -d 10.0.1.37/32 -p tcp -m comment --comment "kube-system/metrics-server: cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.0.1.37/32 -p tcp -m comment --comment "kube-system/metrics-server: cluster IP" -m tcp --dport 443 -j KUBE-SVC-LC5QY66VUV2HJ6WZ
-A KUBE-SERVICES ! -s 10.48.0.0/14 -d 10.0.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.0.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-BJM46V3U5RZHCFRZ -j KUBE-SEP-CSWJ6CPUOAWUS4LV
-A KUBE-SVC-ERIFXISQEP7F7OF4 -j KUBE-SEP-W6637JVGMAQFBLQR
-A KUBE-SVC-LC5QY66VUV2HJ6WZ -j KUBE-SEP-6KJIUV7XVGYAGQT7
-A KUBE-SVC-NPX46M4PTMTKRN6Y -j KUBE-SEP-WYPHW45BSK4YMG7K
-A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-YJQPZ4AN5GDKXZAZ
-A KUBE-SVC-XP4WJ6VSLGWALMW5 -j KUBE-SEP-UMDLDSSAKMMDHF2T
# Completed on Mon Mar 2 05:54:34 2020
# Generated by iptables-save v1.6.0 on Mon Mar 2 05:54:34 2020
# mangle table: keeps the kube-proxy masquerade bit (0x4000, set by
# KUBE-MARK-MASQ) attached to the conntrack entry so later packets of the
# same flow carry it too. No filtering happens here; only mark bookkeeping.
*mangle
:PREROUTING ACCEPT [44314:297912688]
:INPUT ACCEPT [18194:288294689]
:FORWARD ACCEPT [26120:9617999]
:OUTPUT ACCEPT [17839:7774231]
:POSTROUTING ACCEPT [43791:17377018]
:GCP-POSTROUTING - [0:0]
:GCP-PREROUTING - [0:0]
# Every packet is diverted into the GCP-* chains; both chains fall through
# (implicit RETURN) when nothing matches, so the built-in ACCEPT policies apply.
-A PREROUTING -m comment --comment "redirect all traffic to GCP-PREROUTING chain" -j GCP-PREROUTING
-A POSTROUTING -m comment --comment "redirect all traffic to GCP-POSTROUTING chain" -j GCP-POSTROUTING
# Copy the packet mark into the connection mark (full masks) only when the
# 0x4000 bit is set; the rule's own comment refers to it as the hairpin bit.
-A GCP-POSTROUTING -m mark --mark 0x4000/0x4000 -m comment --comment "save the conn mark only if hairpin bit (0x4000/0x4000) is set" -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
# Restore the saved connection mark onto each arriving packet, so the 0x4000
# bit is visible again to the nat/filter rules that test it (KUBE-POSTROUTING,
# KUBE-FORWARD).
-A GCP-PREROUTING -m comment --comment "restore the conn mark if applicable" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Mon Mar 2 05:54:34 2020
# Generated by iptables-save v1.6.0 on Mon Mar 2 05:54:34 2020
# filter table. All three built-in chains default to DROP, but each chain ends
# in blanket ACCEPTs (noted inline) that leave the DROP policy applying only to
# a narrow remainder of traffic. Read the per-chain notes before treating this
# node as host-firewalled.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
# INPUT: new connections are offered to the kube-proxy chains first. In this
# dump the filter-table KUBE-SERVICES and KUBE-EXTERNAL-SERVICES chains contain
# no rules, so these two jumps are currently no-ops (kube-proxy may populate
# them later; presumably for services without endpoints — verify).
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
# Drops packets carrying the 0x8000 mark (set by the KUBE-MARK-DROP chain).
# This is the only rule in INPUT that can refuse tcp/udp/icmp/sctp traffic.
-A INPUT -j KUBE-FIREWALL
# Mixes -m state here with -m conntrack above; both are conntrack-backed, so
# behaviour is the same, but a single module would read more consistently.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# The explicit SSH allow is redundant: the very next rule accepts all TCP.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# NOTE(review): these four rules accept every tcp, udp, icmp and sctp packet
# that was not dropped by KUBE-FIREWALL, so the INPUT DROP policy is reached
# only by other protocols. Host-level ingress filtering therefore appears to be
# delegated elsewhere (e.g. an upstream network firewall) — confirm before
# relying on this ruleset for exposure control. The icmp rule below is an
# exact duplicate of the one two rules above.
-A INPUT -p tcp -j ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p sctp -j ACCEPT
# FORWARD: kube-proxy and Docker chains are consulted before the blanket
# per-protocol ACCEPTs at the end, so the DOCKER-ISOLATION-STAGE-2 DROP is the
# only place forwarded tcp/udp/icmp/sctp traffic can still be refused; the
# FORWARD DROP policy is reached only by other protocols. The DOCKER chain
# itself is empty in this dump.
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -p tcp -j ACCEPT
-A FORWARD -p udp -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p sctp -j ACCEPT
# OUTPUT: accepting NEW,RELATED,ESTABLISHED covers every conntrack-tracked
# packet, so after KUBE-FIREWALL the OUTPUT DROP policy effectively only
# catches INVALID-state (and untracked) packets. The loopback rule after it is
# never reached for tracked traffic.
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Docker bridge isolation. Stage 1 only forwards packets that leave docker0 for
# a different interface; stage 2 then drops packets whose output interface is
# docker0. With docker0 as the only bridge the stage-2 match cannot fire for a
# packet stage 1 passed in (it already required ! -o docker0), so this pair is
# effectively inert here; both chains otherwise fall through via RETURN.
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
# DOCKER-USER is the hook for operator-defined forwarding rules; empty here.
-A DOCKER-USER -j RETURN
# Marked-for-drop packets (0x8000 bit) are discarded; reached from INPUT and
# OUTPUT above.
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
# KUBE-FORWARD: accept masquerade-marked (0x4000) traffic and tracked
# replies to or from 10.48.0.0/14 (the same source range the nat rules treat as
# in-cluster; presumably the pod CIDR — verify against the cluster config).
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -s 10.48.0.0/14 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-FORWARD -d 10.48.0.0/14 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Mar 2 05:54:34 2020