@anfernee
Last active March 1, 2019 08:35
k8s node iptables
Chain INPUT (policy DROP)
target prot opt source destination
KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
KUBE-FIREWALL all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
KUBE-FORWARD all -- anywhere anywhere /* kubernetes forwarding rules */
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
KUBE-FIREWALL all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain KUBE-EXTERNAL-SERVICES (1 references)
target prot opt source destination
Chain KUBE-FIREWALL (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
# KUBE-FORWARD accepts (1) packets marked 0x4000 (masq) and (2) RELATED,ESTABLISHED conntrack flows whose source or destination is in the pod CIDR 10.36.0.0/14.
Chain KUBE-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* kubernetes forwarding rules */ mark match 0x4000/0x4000
ACCEPT all -- 10.36.0.0/14 anywhere /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere 10.36.0.0/14 /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED
Chain KUBE-SERVICES (1 references)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
KUBE-SERVICES all -- anywhere anywhere /* kubernetes service portals */
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
KUBE-SERVICES all -- anywhere anywhere /* kubernetes service portals */
# OUTPUT and PREROUTING both jump to KUBE-SERVICES, which does the DNAT and marks (0x4000) the packets that need SNAT; the SNAT itself happens later in POSTROUTING via KUBE-POSTROUTING.
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
KUBE-POSTROUTING all -- anywhere anywhere /* kubernetes postrouting rules */
MASQUERADE all -- anywhere !10.0.0.0/8 /* kubenet: SNAT for outbound traffic from cluster */ ADDRTYPE match dst-type !LOCAL
Chain DOCKER (0 references)
target prot opt source destination
Chain KUBE-MARK-DROP (0 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x8000
Chain KUBE-MARK-MASQ (17 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x4000
Chain KUBE-NODEPORTS (1 references)
target prot opt source destination
KUBE-MARK-MASQ tcp -- anywhere anywhere /* kube-system/default-http-backend:http */ tcp dpt:32096
KUBE-SVC-XP4WJ6VSLGWALMW5 tcp -- anywhere anywhere /* kube-system/default-http-backend:http */ tcp dpt:32096
Chain KUBE-POSTROUTING (1 references)
target prot opt source destination
MASQUERADE all -- anywhere anywhere /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000
# SEP: Service EndPoint. Each KUBE-SEP chain has two rules: the first marks traffic sourced from the endpoint's own IP for SNAT, the second DNATs to the endpoint IP:port.
Chain KUBE-SEP-3A2G6Q7PQVDFTGO2 (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 10.36.3.2 anywhere /* kube-system/kube-dns:dns-tcp */
DNAT tcp -- anywhere anywhere /* kube-system/kube-dns:dns-tcp */ tcp to:10.36.3.2:53
Chain KUBE-SEP-5TCXBLIFSB7TNGRN (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 10.36.3.2 anywhere /* kube-system/kube-dns:dns */
DNAT udp -- anywhere anywhere /* kube-system/kube-dns:dns */ udp to:10.36.3.2:53
Chain KUBE-SEP-6RTHVOJVKE2IJ2GA (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 10.36.0.3 anywhere /* kube-system/kube-dns:dns */
DNAT udp -- anywhere anywhere /* kube-system/kube-dns:dns */ udp to:10.36.0.3:53
Chain KUBE-SEP-AZRC3RH3BG3W72GI (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 10.36.1.4 anywhere /* kube-system/metrics-server: */
DNAT tcp -- anywhere anywhere /* kube-system/metrics-server: */ tcp to:10.36.1.4:443
Chain KUBE-SEP-BMEQ2KP5AV3OIB2A (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 10.36.0.3 anywhere /* kube-system/kube-dns:dns-tcp */
DNAT tcp -- anywhere anywhere /* kube-system/kube-dns:dns-tcp */ tcp to:10.36.0.3:53
Chain KUBE-SEP-OTZCRRGTR4NBMLUM (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 10.36.5.3 anywhere /* kube-system/heapster: */
DNAT tcp -- anywhere anywhere /* kube-system/heapster: */ tcp to:10.36.5.3:8082
Chain KUBE-SEP-PFZ2ZW3ALVJBQFTL (2 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 10.36.2.5 anywhere /* default/nginx:http */
DNAT tcp -- anywhere anywhere /* default/nginx:http */ recent: SET name: KUBE-SEP-PFZ2ZW3ALVJBQFTL side: source mask: 255.255.255.255 tcp to:10.36.2.5:80
Chain KUBE-SEP-TWSKXYOJ5CRJMIFN (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 138.180.155.104.bc.googleusercontent.com anywhere /* default/kubernetes:https */
DNAT tcp -- anywhere anywhere /* default/kubernetes:https */ tcp to:104.155.180.138:443
Chain KUBE-SEP-VFFA73QRVWFZAQAD (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 10.36.0.8 anywhere /* kube-system/default-http-backend:http */
DNAT tcp -- anywhere anywhere /* kube-system/default-http-backend:http */ tcp to:10.36.0.8:8080
# KUBE-MARK-MASQ here marks traffic to a cluster IP that comes from outside the pod CIDR (!10.36.0.0/14) so that KUBE-POSTROUTING SNATs it; traffic from pods is only DNATed and keeps its pod source IP.
Chain KUBE-SERVICES (2 references)
target prot opt source destination
KUBE-MARK-MASQ tcp -- !10.36.0.0/14 10.39.254.25 /* kube-system/heapster: cluster IP */ tcp dpt:http
KUBE-SVC-BJM46V3U5RZHCFRZ tcp -- anywhere 10.39.254.25 /* kube-system/heapster: cluster IP */ tcp dpt:http
KUBE-MARK-MASQ udp -- !10.36.0.0/14 10.39.240.10 /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain
KUBE-SVC-TCOU7JCQXEZGVUNU udp -- anywhere 10.39.240.10 /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain
KUBE-MARK-MASQ tcp -- !10.36.0.0/14 10.39.240.10 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain
KUBE-SVC-ERIFXISQEP7F7OF4 tcp -- anywhere 10.39.240.10 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain
KUBE-MARK-MASQ tcp -- !10.36.0.0/14 10.39.245.157 /* kube-system/metrics-server: cluster IP */ tcp dpt:https
KUBE-SVC-LC5QY66VUV2HJ6WZ tcp -- anywhere 10.39.245.157 /* kube-system/metrics-server: cluster IP */ tcp dpt:https
KUBE-MARK-MASQ tcp -- !10.36.0.0/14 10.39.240.1 /* default/kubernetes:https cluster IP */ tcp dpt:https
KUBE-SVC-NPX46M4PTMTKRN6Y tcp -- anywhere 10.39.240.1 /* default/kubernetes:https cluster IP */ tcp dpt:https
KUBE-MARK-MASQ tcp -- !10.36.0.0/14 10.39.250.184 /* kube-system/default-http-backend:http cluster IP */ tcp dpt:http
KUBE-SVC-XP4WJ6VSLGWALMW5 tcp -- anywhere 10.39.250.184 /* kube-system/default-http-backend:http cluster IP */ tcp dpt:http
KUBE-MARK-MASQ tcp -- !10.36.0.0/14 10.39.241.1 /* default/nginx:http cluster IP */ tcp dpt:http
KUBE-SVC-P4Q3KNUAWJVP4ILH tcp -- anywhere 10.39.241.1 /* default/nginx:http cluster IP */ tcp dpt:http
KUBE-NODEPORTS all -- anywhere anywhere /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL
Chain KUBE-SVC-BJM46V3U5RZHCFRZ (1 references)
target prot opt source destination
KUBE-SEP-OTZCRRGTR4NBMLUM all -- anywhere anywhere /* kube-system/heapster: */
Chain KUBE-SVC-ERIFXISQEP7F7OF4 (1 references)
target prot opt source destination
KUBE-SEP-BMEQ2KP5AV3OIB2A all -- anywhere anywhere /* kube-system/kube-dns:dns-tcp */ statistic mode random probability 0.50000000000
KUBE-SEP-3A2G6Q7PQVDFTGO2 all -- anywhere anywhere /* kube-system/kube-dns:dns-tcp */
Chain KUBE-SVC-LC5QY66VUV2HJ6WZ (1 references)
target prot opt source destination
KUBE-SEP-AZRC3RH3BG3W72GI all -- anywhere anywhere /* kube-system/metrics-server: */
Chain KUBE-SVC-NPX46M4PTMTKRN6Y (1 references)
target prot opt source destination
KUBE-SEP-TWSKXYOJ5CRJMIFN all -- anywhere anywhere /* default/kubernetes:https */
Chain KUBE-SVC-P4Q3KNUAWJVP4ILH (1 references)
target prot opt source destination
KUBE-SEP-PFZ2ZW3ALVJBQFTL all -- anywhere anywhere /* default/nginx:http */ recent: CHECK seconds: 10800 reap name: KUBE-SEP-PFZ2ZW3ALVJBQFTL side: source mask: 255.255.255.255
KUBE-SEP-PFZ2ZW3ALVJBQFTL all -- anywhere anywhere /* default/nginx:http */
Chain KUBE-SVC-TCOU7JCQXEZGVUNU (1 references)
target prot opt source destination
KUBE-SEP-6RTHVOJVKE2IJ2GA all -- anywhere anywhere /* kube-system/kube-dns:dns */ statistic mode random probability 0.50000000000
KUBE-SEP-5TCXBLIFSB7TNGRN all -- anywhere anywhere /* kube-system/kube-dns:dns */
Chain KUBE-SVC-XP4WJ6VSLGWALMW5 (2 references)
target prot opt source destination
KUBE-SEP-VFFA73QRVWFZAQAD all -- anywhere anywhere /* kube-system/default-http-backend:http */
# Generated by iptables-save v1.6.0 on Fri Mar 1 06:53:43 2019
# nat table: kube-proxy (iptables mode) service chains plus one kubenet SNAT rule.
# Packet path for service traffic: PREROUTING/OUTPUT -> KUBE-SERVICES ->
# KUBE-SVC-* (endpoint selection) -> KUBE-SEP-* (DNAT to an endpoint), then
# POSTROUTING -> KUBE-POSTROUTING masquerades anything that picked up mark 0x4000.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [6:360]
:POSTROUTING ACCEPT [215:14668]
:DOCKER - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-3A2G6Q7PQVDFTGO2 - [0:0]
:KUBE-SEP-5TCXBLIFSB7TNGRN - [0:0]
:KUBE-SEP-6RTHVOJVKE2IJ2GA - [0:0]
:KUBE-SEP-AZRC3RH3BG3W72GI - [0:0]
:KUBE-SEP-BMEQ2KP5AV3OIB2A - [0:0]
:KUBE-SEP-OTZCRRGTR4NBMLUM - [0:0]
:KUBE-SEP-PFZ2ZW3ALVJBQFTL - [0:0]
:KUBE-SEP-TWSKXYOJ5CRJMIFN - [0:0]
:KUBE-SEP-VFFA73QRVWFZAQAD - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-BJM46V3U5RZHCFRZ - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-LC5QY66VUV2HJ6WZ - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-P4Q3KNUAWJVP4ILH - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:KUBE-SVC-XP4WJ6VSLGWALMW5 - [0:0]
# Both entry hooks go to the same chain: PREROUTING for packets arriving on an
# interface, OUTPUT for packets generated on this node.
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
# kubenet egress SNAT: anything not destined for 10.0.0.0/8 and not for a
# node-local address is masqueraded.  The 10/8 exclusion is much wider than the
# pod CIDR (10.36.0.0/14) and the cluster-IP range seen below; presumably it is
# meant to cover the surrounding VPC as well -- confirm against the network design.
-A POSTROUTING ! -d 10.0.0.0/8 -m comment --comment "kubenet: SNAT for outbound traffic from cluster" -m addrtype ! --dst-type LOCAL -j MASQUERADE
# Mark bits used across tables: 0x8000 = drop in filter/KUBE-FIREWALL,
# 0x4000 = SNAT in KUBE-POSTROUTING.  Nothing in this dump jumps to
# KUBE-MARK-DROP, so the 0x8000 bit is never set on this node.
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
# The single NodePort (32096).  NodePort traffic is always marked for SNAT before
# dispatch, so the backend pod sees a node address rather than the original client.
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/default-http-backend:http" -m tcp --dport 32096 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/default-http-backend:http" -m tcp --dport 32096 -j KUBE-SVC-XP4WJ6VSLGWALMW5
# The only place service traffic is actually SNATed: packets carrying 0x4000.
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
# KUBE-SEP-*: one chain per endpoint, two rules each.  Rule 1 marks traffic whose
# source is the endpoint's own IP for SNAT (presumably the hairpin case, a pod
# reaching itself through its service -- verify); rule 2 DNATs to the endpoint.
-A KUBE-SEP-3A2G6Q7PQVDFTGO2 -s 10.36.3.2/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-3A2G6Q7PQVDFTGO2 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.36.3.2:53
-A KUBE-SEP-5TCXBLIFSB7TNGRN -s 10.36.3.2/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-5TCXBLIFSB7TNGRN -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.36.3.2:53
-A KUBE-SEP-6RTHVOJVKE2IJ2GA -s 10.36.0.3/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-6RTHVOJVKE2IJ2GA -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.36.0.3:53
-A KUBE-SEP-AZRC3RH3BG3W72GI -s 10.36.1.4/32 -m comment --comment "kube-system/metrics-server:" -j KUBE-MARK-MASQ
-A KUBE-SEP-AZRC3RH3BG3W72GI -p tcp -m comment --comment "kube-system/metrics-server:" -m tcp -j DNAT --to-destination 10.36.1.4:443
-A KUBE-SEP-BMEQ2KP5AV3OIB2A -s 10.36.0.3/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-BMEQ2KP5AV3OIB2A -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.36.0.3:53
-A KUBE-SEP-OTZCRRGTR4NBMLUM -s 10.36.5.3/32 -m comment --comment "kube-system/heapster:" -j KUBE-MARK-MASQ
-A KUBE-SEP-OTZCRRGTR4NBMLUM -p tcp -m comment --comment "kube-system/heapster:" -m tcp -j DNAT --to-destination 10.36.5.3:8082
# default/nginx:http has client-IP session affinity: the DNAT rule records the
# client source address in the "recent" list named after this SEP, which
# KUBE-SVC-P4Q3KNUAWJVP4ILH checks (--rcheck --seconds 10800) on later packets.
-A KUBE-SEP-PFZ2ZW3ALVJBQFTL -s 10.36.2.5/32 -m comment --comment "default/nginx:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-PFZ2ZW3ALVJBQFTL -p tcp -m comment --comment "default/nginx:http" -m recent --set --name KUBE-SEP-PFZ2ZW3ALVJBQFTL --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.36.2.5:80
# default/kubernetes:https: the endpoint is the API server at 104.155.180.138,
# outside the pod CIDR, so this DNAT sends cluster-IP traffic off the pod network
# (rule 1 would only match packets sourced from the API server host itself).
-A KUBE-SEP-TWSKXYOJ5CRJMIFN -s 104.155.180.138/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-TWSKXYOJ5CRJMIFN -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 104.155.180.138:443
-A KUBE-SEP-VFFA73QRVWFZAQAD -s 10.36.0.8/32 -m comment --comment "kube-system/default-http-backend:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-VFFA73QRVWFZAQAD -p tcp -m comment --comment "kube-system/default-http-backend:http" -m tcp -j DNAT --to-destination 10.36.0.8:8080
# KUBE-SERVICES: two rules per cluster IP.  The first marks for SNAT only when the
# source is outside the pod CIDR (! -s 10.36.0.0/14): node-originated and external
# clients get masqueraded, pod clients keep their pod IP.  The second dispatches
# to the service's KUBE-SVC chain.  The NodePort catch-all on node-local
# destination addresses is kept last, as its own comment requires.
-A KUBE-SERVICES ! -s 10.36.0.0/14 -d 10.39.241.1/32 -p tcp -m comment --comment "default/nginx:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.39.241.1/32 -p tcp -m comment --comment "default/nginx:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-P4Q3KNUAWJVP4ILH
-A KUBE-SERVICES ! -s 10.36.0.0/14 -d 10.39.254.25/32 -p tcp -m comment --comment "kube-system/heapster: cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.39.254.25/32 -p tcp -m comment --comment "kube-system/heapster: cluster IP" -m tcp --dport 80 -j KUBE-SVC-BJM46V3U5RZHCFRZ
-A KUBE-SERVICES ! -s 10.36.0.0/14 -d 10.39.240.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.39.240.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES ! -s 10.36.0.0/14 -d 10.39.240.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.39.240.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES ! -s 10.36.0.0/14 -d 10.39.245.157/32 -p tcp -m comment --comment "kube-system/metrics-server: cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.39.245.157/32 -p tcp -m comment --comment "kube-system/metrics-server: cluster IP" -m tcp --dport 443 -j KUBE-SVC-LC5QY66VUV2HJ6WZ
-A KUBE-SERVICES ! -s 10.36.0.0/14 -d 10.39.240.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.39.240.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES ! -s 10.36.0.0/14 -d 10.39.250.184/32 -p tcp -m comment --comment "kube-system/default-http-backend:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.39.250.184/32 -p tcp -m comment --comment "kube-system/default-http-backend:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-XP4WJ6VSLGWALMW5
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
# KUBE-SVC-*: endpoint selection.  A two-endpoint service (kube-dns) uses
# "-m statistic --mode random --probability 0.5" on the first rule and an
# unconditional second rule, i.e. a 50/50 split; single-endpoint services jump
# straight to their one SEP.
-A KUBE-SVC-BJM46V3U5RZHCFRZ -m comment --comment "kube-system/heapster:" -j KUBE-SEP-OTZCRRGTR4NBMLUM
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BMEQ2KP5AV3OIB2A
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-3A2G6Q7PQVDFTGO2
-A KUBE-SVC-LC5QY66VUV2HJ6WZ -m comment --comment "kube-system/metrics-server:" -j KUBE-SEP-AZRC3RH3BG3W72GI
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-TWSKXYOJ5CRJMIFN
-A KUBE-SVC-P4Q3KNUAWJVP4ILH -m comment --comment "default/nginx:http" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-PFZ2ZW3ALVJBQFTL --mask 255.255.255.255 --rsource -j KUBE-SEP-PFZ2ZW3ALVJBQFTL
# nginx fallback when no "recent" affinity entry matched (the affinity check is
# the rule just above): the service has a single endpoint, so an unconditional jump.
-A KUBE-SVC-P4Q3KNUAWJVP4ILH -m comment --comment "default/nginx:http" -j KUBE-SEP-PFZ2ZW3ALVJBQFTL
# kube-dns UDP: 50/50 random split between its two endpoints.
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-6RTHVOJVKE2IJ2GA
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-5TCXBLIFSB7TNGRN
-A KUBE-SVC-XP4WJ6VSLGWALMW5 -m comment --comment "kube-system/default-http-backend:http" -j KUBE-SEP-VFFA73QRVWFZAQAD
COMMIT
# Completed on Fri Mar 1 06:53:43 2019
# Generated by iptables-save v1.6.0 on Fri Mar 1 06:53:43 2019
# mangle table: no rules at all, only the built-in chains with their
# packet:byte counters.  Nothing here touches the 0x4000/0x8000 marks used by
# the nat and filter tables.
*mangle
:PREROUTING ACCEPT [22191779:384036457836]
:INPUT ACCEPT [143320:321944030]
:FORWARD ACCEPT [22048457:383714512874]
:OUTPUT ACCEPT [132042:22909248]
:POSTROUTING ACCEPT [22180505:383737422656]
COMMIT
# Completed on Fri Mar 1 06:53:43 2019
# Generated by iptables-save v1.6.0 on Fri Mar 1 06:53:43 2019
# filter table.  All three built-in policies are DROP, but read INPUT and FORWARD
# to the end before relying on that: the broad "-p tcp/udp/icmp -j ACCEPT" rules
# near the bottom leave the DROP policy reachable only for other IP protocols.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
# KUBE-EXTERNAL-SERVICES and KUBE-SERVICES carry no rules in this dump, so the
# INPUT/OUTPUT jumps into them below are currently no-ops.
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# The ssh rule below is made redundant by the unconditional tcp and udp accepts
# that follow it: every TCP and UDP port on this node is reachable from any
# source, and the INPUT DROP policy only applies to other protocols.  If a
# host-level allowlist is intended, "-p tcp -j ACCEPT" and "-p udp -j ACCEPT"
# are the rules to replace with per-port rules.  The second "-p icmp -j ACCEPT"
# duplicates the one above.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# FORWARD: Docker's chains and KUBE-FORWARD are consulted first, but the trailing
# tcp/udp/icmp accepts admit everything else, so the outcome for those protocols
# is ACCEPT regardless of which earlier rule matched.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -p tcp -j ACCEPT
-A FORWARD -p udp -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
# OUTPUT: NEW,RELATED,ESTABLISHED covers every ordinary tracked packet, so the
# OUTPUT DROP policy is effectively unreachable for tracked traffic.  Note the
# legacy "-m state" here and on INPUT while the rest of the table uses
# "-m conntrack"; both work, but the mix reads as two different authors.
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
# KUBE-FIREWALL drops packets carrying mark 0x8000 (set only by nat/KUBE-MARK-DROP).
# Nothing in this dump jumps to KUBE-MARK-DROP, so this rule never fires today.
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
# KUBE-FORWARD: accept traffic marked for masquerade (0x4000) and established
# conntrack flows to or from the pod CIDR 10.36.0.0/14.
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -s 10.36.0.0/14 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-FORWARD -d 10.36.0.0/14 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Mar 1 06:53:43 2019