# Generated by iptables-save v1.6.1 on Wed Aug 4 16:59:19 2021 | |
# Snapshot of one node running Docker (docker0 bridge, 172.17.0.0/16) alongside
# kube-proxy in iptables mode (the KUBE-* chains). Tables appear in the order
# mangle, filter, nat; each table ends with COMMIT. The bracketed values after a
# chain policy are [packets:bytes] counters. Lines beginning with '#' are ignored
# by iptables-restore, so these notes are safe to keep in the file.
*mangle | |
# mangle: no rules, only the built-in chains (policy ACCEPT) and two KUBE-*-CANARY
# chains that carry no rules here.
:PREROUTING ACCEPT [856536:2689798381] | |
:INPUT ACCEPT [846190:2658161040] | |
:FORWARD ACCEPT [10346:31637341] | |
:OUTPUT ACCEPT [838510:556224859] | |
:POSTROUTING ACCEPT [848856:587862200] | |
:KUBE-KUBELET-CANARY - [0:0] | |
:KUBE-PROXY-CANARY - [0:0] | |
COMMIT | |
# Completed on Wed Aug 4 16:59:19 2021 | |
# Generated by iptables-save v1.6.1 on Wed Aug 4 16:59:19 2021 | |
*filter | |
# filter: INPUT and OUTPUT default to ACCEPT; FORWARD defaults to DROP, so any
# forwarded packet not explicitly accepted below (KUBE-FORWARD, the docker0 rules,
# or the DOCKER chain) is discarded.
:INPUT ACCEPT [846031:2657686532] | |
:FORWARD DROP [0:0] | |
:OUTPUT ACCEPT [838354:556203147] | |
:DOCKER - [0:0] | |
:DOCKER-ISOLATION-STAGE-1 - [0:0] | |
:DOCKER-ISOLATION-STAGE-2 - [0:0] | |
:DOCKER-USER - [0:0] | |
:KUBE-EXTERNAL-SERVICES - [0:0] | |
:KUBE-FIREWALL - [0:0] | |
:KUBE-FORWARD - [0:0] | |
:KUBE-KUBELET-CANARY - [0:0] | |
:KUBE-NODEPORTS - [0:0] | |
:KUBE-PROXY-CANARY - [0:0] | |
:KUBE-SERVICES - [0:0] | |
# INPUT: host-bound traffic is handed to kube-proxy's chains first. KUBE-FIREWALL
# is reached unconditionally (no interface or conntrack match on the jump).
-A INPUT -m comment --comment "kubernetes health check service ports" -j KUBE-NODEPORTS | |
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES | |
-A INPUT -j KUBE-FIREWALL | |
# FORWARD: the Kubernetes chains run before Docker's. DOCKER-USER is the chain
# Docker reserves for administrator rules; in this dump it only RETURNs, so
# nothing restricts which sources may reach published container ports.
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD | |
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES | |
-A FORWARD -j DOCKER-USER | |
-A FORWARD -j DOCKER-ISOLATION-STAGE-1 | |
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
-A FORWARD -o docker0 -j DOCKER | |
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT | |
-A FORWARD -i docker0 -o docker0 -j ACCEPT | |
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
-A OUTPUT -j KUBE-FIREWALL | |
# Published container port: tcp/5000 to 172.17.0.2 arriving on any non-docker0
# interface is accepted. The matching DNAT lives in the nat DOCKER chain below.
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT | |
# Docker's bridge isolation: traffic leaving docker0 for another bridge is dropped
# in STAGE-2; everything else returns to FORWARD.
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 | |
-A DOCKER-ISOLATION-STAGE-1 -j RETURN | |
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP | |
-A DOCKER-ISOLATION-STAGE-2 -j RETURN | |
# Empty administrator hook (see the FORWARD note above).
-A DOCKER-USER -j RETURN | |
# KUBE-FIREWALL: drop packets carrying the 0x8000 "drop" mark (set by
# KUBE-MARK-DROP in the nat table), and drop new connections to the loopback
# range that did not originate from loopback unless they are replies or the
# result of a DNAT.
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP | |
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP | |
# KUBE-FORWARD: drop conntrack-INVALID packets, accept packets carrying the 0x4000
# masquerade mark, and accept RELATED/ESTABLISHED flows (two rules with the same
# match, differing only in their comment).
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP | |
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT | |
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
# kube-dns (10.96.0.10) had no endpoints at capture time, so connections to its
# cluster IP are actively rejected instead of silently black-holed; cluster DNS
# was not serving when this snapshot was taken.
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp has no endpoints" -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable | |
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics has no endpoints" -m tcp --dport 9153 -j REJECT --reject-with icmp-port-unreachable | |
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns has no endpoints" -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable | |
COMMIT | |
# Completed on Wed Aug 4 16:59:19 2021 | |
# Generated by iptables-save v1.6.1 on Wed Aug 4 16:59:19 2021 | |
*nat | |
# nat: cluster-IP translation (KUBE-*) and Docker's published-port DNAT. The
# DOCKER chain is entered from PREROUTING for any locally-owned destination
# address, and its DNAT rule has no -d restriction, so tcp/5000 is published on
# every address the host owns, not just one interface.
:PREROUTING ACCEPT [30:1906] | |
:INPUT ACCEPT [1:44] | |
:OUTPUT ACCEPT [1885:113792] | |
:POSTROUTING ACCEPT [1885:113792] | |
:DOCKER - [0:0] | |
:KUBE-KUBELET-CANARY - [0:0] | |
:KUBE-MARK-DROP - [0:0] | |
:KUBE-MARK-MASQ - [0:0] | |
:KUBE-NODEPORTS - [0:0] | |
:KUBE-POSTROUTING - [0:0] | |
:KUBE-PROXY-CANARY - [0:0] | |
:KUBE-SEP-H6QXRFVUSUGKBVUX - [0:0] | |
:KUBE-SERVICES - [0:0] | |
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0] | |
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER | |
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER | |
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING | |
# Docker egress: anything from the bridge subnet leaving via a non-docker0
# interface is masqueraded; the second rule handles hairpin access to the
# published port.
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE | |
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 5000 -j MASQUERADE | |
-A DOCKER -i docker0 -j RETURN | |
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.17.0.2:5000 | |
# Mark helpers: 0x8000 = drop later in filter/KUBE-FIREWALL; 0x4000 = needs SNAT
# in KUBE-POSTROUTING.
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000 | |
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000 | |
# KUBE-POSTROUTING: only packets carrying 0x4000 are masqueraded. The middle rule
# XORs 0x4000 under a zero mask, which clears the bit (it is known to be set at
# that point) before MASQUERADE runs.
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN | |
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0 | |
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE | |
# Service endpoint for default/kubernetes:https. Hairpin traffic from the
# endpoint itself is marked for SNAT first.
-A KUBE-SEP-H6QXRFVUSUGKBVUX -s 192.168.36.11/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ | |
# NOTE(review): "[unsupported revision]" means iptables-save 1.6.1 could not
# render this DNAT target's options (presumably the rule was written by a newer
# iptables / nf_tables-backed binary), so --to-destination is missing from this
# dump and iptables-restore of this file would not recreate the rule correctly.
# From the sibling source rule the endpoint is presumably 192.168.36.11:<port>;
# confirm with a matching iptables-save version before relying on this file.
-A KUBE-SEP-H6QXRFVUSUGKBVUX -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT [unsupported revision] | |
# API-server cluster IP 10.96.0.1:443. Traffic from outside 10.10.0.0/16
# (presumably the pod CIDR — confirm) is marked for SNAT before being sent to
# the service chain. The NodePorts jump must stay last, as its comment says,
# because it matches any locally-owned destination address.
-A KUBE-SERVICES ! -s 10.10.0.0/16 -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ | |
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y | |
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS | |
# Single-endpoint service: no probability split, straight to the one SEP chain.
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-H6QXRFVUSUGKBVUX | |
COMMIT | |
# Completed on Wed Aug 4 16:59:19 2021 |
Chain KUBE-FORWARD (1 references) | |
pkts bytes target prot opt in out source destination | |
1 40 DROP all -- any any anywhere anywhere ctstate INVALID | |
0 0 ACCEPT all -- any any anywhere anywhere /* kubernetes forwarding rules */ mark match 0x4000/0x4000 | |
162 34652 ACCEPT all -- any any anywhere anywhere /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED | |
0 0 ACCEPT all -- any any anywhere anywhere /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED |