drigz · June 4, 2020 17:08
diff --git a/iptables-save b/iptables-save
 $ sudo iptables-save
 # Generated by iptables-save v1.8.4 on Thu Jun  4 17:07:36 2020
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 :uplink-filter - [0:0]
 :DOCKER - [0:0]
 :DOCKER-ISOLATION-STAGE-1 - [0:0]
 :DOCKER-ISOLATION-STAGE-2 - [0:0]
 :DOCKER-USER - [0:0]
 :KUBE-FIREWALL - [0:0]
 :KUBE-KUBELET-CANARY - [0:0]
 :KUBE-PROXY-CANARY - [0:0]
 :KUBE-EXTERNAL-SERVICES - [0:0]
 :KUBE-SERVICES - [0:0]
 :KUBE-FORWARD - [0:0]
 :WEAVE-NPC-INGRESS - [0:0]
 :WEAVE-NPC-DEFAULT - [0:0]
 :WEAVE-NPC - [0:0]
 :WEAVE-NPC-EGRESS-ACCEPT - [0:0]
 :WEAVE-NPC-EGRESS-CUSTOM - [0:0]
 :WEAVE-NPC-EGRESS-DEFAULT - [0:0]
 :WEAVE-NPC-EGRESS - [0:0]
 -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
 -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
 -A INPUT -j KUBE-FIREWALL
 -A INPUT -p tcp -m tcp --dport 6781 -j DROP
 -A INPUT -p tcp -m tcp --dport 6782 -j DROP
 -A INPUT -p tcp -m tcp --dport 10251 -j DROP
 -A INPUT -p tcp -m tcp --dport 10252 -j DROP
 -A INPUT -p tcp -m tcp --dport 10256 -j DROP
 -A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
 -A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
 -A FORWARD -j DOCKER-USER
 -A FORWARD -j DOCKER-ISOLATION-STAGE-1
 -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -o docker0 -j DOCKER
 -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
 -A FORWARD -i docker0 -o docker0 -j ACCEPT
 -A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
 -A OUTPUT -j KUBE-FIREWALL
 -A OUTPUT -o lo -j uplink-filter
 -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
 -A DOCKER-ISOLATION-STAGE-1 -j RETURN
 -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
 -A DOCKER-ISOLATION-STAGE-2 -j RETURN
 -A DOCKER-USER -j RETURN
 -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
 -A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns has no endpoints" -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
 -A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp has no endpoints" -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
 -A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics has no endpoints" -m tcp --dport 9153 -j REJECT --reject-with icmp-port-unreachable
 -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
 -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
 -A WEAVE-NPC-DEFAULT -m set --match-set weave-P.B|!ZhkAr5q=XZ?3}tMBA+0 dst -m comment --comment "DefaultAllow ingress isolation for namespace: kube-system" -j ACCEPT
 -A WEAVE-NPC-DEFAULT -m set --match-set weave-Rzff}h:=]JaaJl/G;(XJpGjZ[ dst -m comment --comment "DefaultAllow ingress isolation for namespace: kube-public" -j ACCEPT
 -A WEAVE-NPC-DEFAULT -m set --match-set weave-]B*(W?)t*z5O17G044[gUo#$l dst -m comment --comment "DefaultAllow ingress isolation for namespace: kube-node-lease" -j ACCEPT
 -A WEAVE-NPC-DEFAULT -m set --match-set weave-;rGqyMIl1HN^cfDki~Z$3]6!N dst -m comment --comment "DefaultAllow ingress isolation for namespace: default" -j ACCEPT
 -A WEAVE-NPC -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A WEAVE-NPC -d 224.0.0.0/4 -j ACCEPT
 -A WEAVE-NPC -m physdev --physdev-out vethwe-bridge --physdev-is-bridged -j ACCEPT
 -A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-DEFAULT
 -A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-INGRESS
 -A WEAVE-NPC-EGRESS-ACCEPT -j MARK --set-xmark 0x40000/0x40000
 -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-E1ney4o[ojNrLk.6rOHi;7MPE src -m comment --comment "DefaultAllow egress isolation for namespace: kube-system" -j WEAVE-NPC-EGRESS-ACCEPT
 -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-E1ney4o[ojNrLk.6rOHi;7MPE src -m comment --comment "DefaultAllow egress isolation for namespace: kube-system" -j RETURN
 -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-41s)5vQ^o/xWGz6a20N:~?#|E src -m comment --comment "DefaultAllow egress isolation for namespace: kube-public" -j WEAVE-NPC-EGRESS-ACCEPT
 -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-41s)5vQ^o/xWGz6a20N:~?#|E src -m comment --comment "DefaultAllow egress isolation for namespace: kube-public" -j RETURN
 -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-sui%__gZ}{kX~oZgI_Ttqp=Dp src -m comment --comment "DefaultAllow egress isolation for namespace: kube-node-lease" -j WEAVE-NPC-EGRESS-ACCEPT
 -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-sui%__gZ}{kX~oZgI_Ttqp=Dp src -m comment --comment "DefaultAllow egress isolation for namespace: kube-node-lease" -j RETURN
 -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-s_+ChJId4Uy_$}G;WdH|~TK)I src -m comment --comment "DefaultAllow egress isolation for namespace: default" -j WEAVE-NPC-EGRESS-ACCEPT
 -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-s_+ChJId4Uy_$}G;WdH|~TK)I src -m comment --comment "DefaultAllow egress isolation for namespace: default" -j RETURN
 -A WEAVE-NPC-EGRESS -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A WEAVE-NPC-EGRESS -m physdev --physdev-in vethwe-bridge --physdev-is-bridged -j RETURN
 -A WEAVE-NPC-EGRESS -m addrtype --dst-type LOCAL -j RETURN
 -A WEAVE-NPC-EGRESS -d 224.0.0.0/4 -j RETURN
 -A WEAVE-NPC-EGRESS -m state --state NEW -j WEAVE-NPC-EGRESS-DEFAULT
 -A WEAVE-NPC-EGRESS -m state --state NEW -m mark ! --mark 0x40000/0x40000 -j WEAVE-NPC-EGRESS-CUSTOM
 -A WEAVE-NPC-EGRESS -m state --state NEW -m mark ! --mark 0x40000/0x40000 -j NFLOG --nflog-group 86
 COMMIT
 # Completed on Thu Jun  4 17:07:37 2020
 # Generated by iptables-save v1.8.4 on Thu Jun  4 17:07:37 2020
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :uplink-nat - [0:0]
 :DOCKER - [0:0]
 :KUBE-MARK-DROP - [0:0]
 :KUBE-MARK-MASQ - [0:0]
 :KUBE-POSTROUTING - [0:0]
 :KUBE-KUBELET-CANARY - [0:0]
 :KUBE-PROXY-CANARY - [0:0]
 :KUBE-SERVICES - [0:0]
 :KUBE-NODEPORTS - [0:0]
 :KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
 :KUBE-SEP-KN4A7NIH6CBV62B6 - [0:0]
 -A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8965
 -A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
 -A POSTROUTING -s 192.168.10.0/24 ! -o docker0 -j MASQUERADE
 -A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
 -A OUTPUT -o lo -j uplink-nat
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A DOCKER -i docker0 -j RETURN
 -A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
 -A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
 -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE --random-fully
 -A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
 -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
 -A KUBE-SVC-NPX46M4PTMTKRN6Y -j KUBE-SEP-KN4A7NIH6CBV62B6
 -A KUBE-SEP-KN4A7NIH6CBV62B6 -s 192.168.7.51/32 -j KUBE-MARK-MASQ
 -A KUBE-SEP-KN4A7NIH6CBV62B6 -p tcp -m tcp -j DNAT --to-destination 192.168.7.51:8443
 COMMIT
 # Completed on Thu Jun  4 17:07:37 2020
 # Generated by iptables-save v1.8.4 on Thu Jun  4 17:07:37 2020
 *mangle
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 :KUBE-KUBELET-CANARY - [0:0]
 :KUBE-PROXY-CANARY - [0:0]
 COMMIT
 # Completed on Thu Jun  4 17:07:37 2020
 # Warning: iptables-legacy tables present, use iptables-legacy-save to see them
 $ sudo iptables-legacy-save
 # Generated by iptables-save v1.8.4 on Thu Jun  4 17:08:01 2020
 *nat
 :PREROUTING ACCEPT [77:7011]
 :INPUT ACCEPT [77:7011]
 :OUTPUT ACCEPT [4246:294122]
 :POSTROUTING ACCEPT [4246:294122]
 COMMIT
 # Completed on Thu Jun  4 17:08:01 2020
 # Generated by iptables-save v1.8.4 on Thu Jun  4 17:08:01 2020
 *filter
 :INPUT ACCEPT [398335:105855837]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [399152:66475764]
 COMMIT
 # Completed on Thu Jun  4 17:08:01 2020
	$ sudo iptables-save
	# Generated by iptables-save v1.8.4 on Thu Jun 4 17:07:36 2020
	*filter
	:INPUT ACCEPT [0:0]
	:FORWARD DROP [0:0]
	:OUTPUT ACCEPT [0:0]
	:uplink-filter - [0:0]
	:DOCKER - [0:0]
	:DOCKER-ISOLATION-STAGE-1 - [0:0]
	:DOCKER-ISOLATION-STAGE-2 - [0:0]
	:DOCKER-USER - [0:0]
	:KUBE-FIREWALL - [0:0]
	:KUBE-KUBELET-CANARY - [0:0]
	:KUBE-PROXY-CANARY - [0:0]
	:KUBE-EXTERNAL-SERVICES - [0:0]
	:KUBE-SERVICES - [0:0]
	:KUBE-FORWARD - [0:0]
	:WEAVE-NPC-INGRESS - [0:0]
	:WEAVE-NPC-DEFAULT - [0:0]
	:WEAVE-NPC - [0:0]
	:WEAVE-NPC-EGRESS-ACCEPT - [0:0]
	:WEAVE-NPC-EGRESS-CUSTOM - [0:0]
	:WEAVE-NPC-EGRESS-DEFAULT - [0:0]
	:WEAVE-NPC-EGRESS - [0:0]
	-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
	-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
	-A INPUT -j KUBE-FIREWALL
	-A INPUT -p tcp -m tcp --dport 6781 -j DROP
	-A INPUT -p tcp -m tcp --dport 6782 -j DROP
	-A INPUT -p tcp -m tcp --dport 10251 -j DROP
	-A INPUT -p tcp -m tcp --dport 10252 -j DROP
	-A INPUT -p tcp -m tcp --dport 10256 -j DROP
	-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
	-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
	-A FORWARD -j DOCKER-USER
	-A FORWARD -j DOCKER-ISOLATION-STAGE-1
	-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A FORWARD -o docker0 -j DOCKER
	-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
	-A FORWARD -i docker0 -o docker0 -j ACCEPT
	-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
	-A OUTPUT -j KUBE-FIREWALL
	-A OUTPUT -o lo -j uplink-filter
	-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
	-A DOCKER-ISOLATION-STAGE-1 -j RETURN
	-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
	-A DOCKER-ISOLATION-STAGE-2 -j RETURN
	-A DOCKER-USER -j RETURN
	-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
	-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns has no endpoints" -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
	-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp has no endpoints" -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
	-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics has no endpoints" -m tcp --dport 9153 -j REJECT --reject-with icmp-port-unreachable
	-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
	-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
	-A WEAVE-NPC-DEFAULT -m set --match-set weave-P.B\|!ZhkAr5q=XZ?3}tMBA+0 dst -m comment --comment "DefaultAllow ingress isolation for namespace: kube-system" -j ACCEPT
	-A WEAVE-NPC-DEFAULT -m set --match-set weave-Rzff}h:=]JaaJl/G;(XJpGjZ[ dst -m comment --comment "DefaultAllow ingress isolation for namespace: kube-public" -j ACCEPT
	-A WEAVE-NPC-DEFAULT -m set --match-set weave-]B(W?)tz5O17G044[gUo#$l dst -m comment --comment "DefaultAllow ingress isolation for namespace: kube-node-lease" -j ACCEPT
	-A WEAVE-NPC-DEFAULT -m set --match-set weave-;rGqyMIl1HN^cfDki~Z$3]6!N dst -m comment --comment "DefaultAllow ingress isolation for namespace: default" -j ACCEPT
	-A WEAVE-NPC -m state --state RELATED,ESTABLISHED -j ACCEPT
	-A WEAVE-NPC -d 224.0.0.0/4 -j ACCEPT
	-A WEAVE-NPC -m physdev --physdev-out vethwe-bridge --physdev-is-bridged -j ACCEPT
	-A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-DEFAULT
	-A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-INGRESS
	-A WEAVE-NPC-EGRESS-ACCEPT -j MARK --set-xmark 0x40000/0x40000
	-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-E1ney4o[ojNrLk.6rOHi;7MPE src -m comment --comment "DefaultAllow egress isolation for namespace: kube-system" -j WEAVE-NPC-EGRESS-ACCEPT
	-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-E1ney4o[ojNrLk.6rOHi;7MPE src -m comment --comment "DefaultAllow egress isolation for namespace: kube-system" -j RETURN
	-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-41s)5vQ^o/xWGz6a20N:~?#\|E src -m comment --comment "DefaultAllow egress isolation for namespace: kube-public" -j WEAVE-NPC-EGRESS-ACCEPT
	-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-41s)5vQ^o/xWGz6a20N:~?#\|E src -m comment --comment "DefaultAllow egress isolation for namespace: kube-public" -j RETURN
	-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-sui%__gZ}{kX~oZgI_Ttqp=Dp src -m comment --comment "DefaultAllow egress isolation for namespace: kube-node-lease" -j WEAVE-NPC-EGRESS-ACCEPT
	-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-sui%__gZ}{kX~oZgI_Ttqp=Dp src -m comment --comment "DefaultAllow egress isolation for namespace: kube-node-lease" -j RETURN
	-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-s_+ChJId4Uy_$}G;WdH\|~TK)I src -m comment --comment "DefaultAllow egress isolation for namespace: default" -j WEAVE-NPC-EGRESS-ACCEPT
	-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-s_+ChJId4Uy_$}G;WdH\|~TK)I src -m comment --comment "DefaultAllow egress isolation for namespace: default" -j RETURN
	-A WEAVE-NPC-EGRESS -m state --state RELATED,ESTABLISHED -j ACCEPT
	-A WEAVE-NPC-EGRESS -m physdev --physdev-in vethwe-bridge --physdev-is-bridged -j RETURN
	-A WEAVE-NPC-EGRESS -m addrtype --dst-type LOCAL -j RETURN
	-A WEAVE-NPC-EGRESS -d 224.0.0.0/4 -j RETURN
	-A WEAVE-NPC-EGRESS -m state --state NEW -j WEAVE-NPC-EGRESS-DEFAULT
	-A WEAVE-NPC-EGRESS -m state --state NEW -m mark ! --mark 0x40000/0x40000 -j WEAVE-NPC-EGRESS-CUSTOM
	-A WEAVE-NPC-EGRESS -m state --state NEW -m mark ! --mark 0x40000/0x40000 -j NFLOG --nflog-group 86
	COMMIT
	# Completed on Thu Jun 4 17:07:37 2020
	# Generated by iptables-save v1.8.4 on Thu Jun 4 17:07:37 2020
	*nat
	:PREROUTING ACCEPT [0:0]
	:INPUT ACCEPT [0:0]
	:POSTROUTING ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	:uplink-nat - [0:0]
	:DOCKER - [0:0]
	:KUBE-MARK-DROP - [0:0]
	:KUBE-MARK-MASQ - [0:0]
	:KUBE-POSTROUTING - [0:0]
	:KUBE-KUBELET-CANARY - [0:0]
	:KUBE-PROXY-CANARY - [0:0]
	:KUBE-SERVICES - [0:0]
	:KUBE-NODEPORTS - [0:0]
	:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
	:KUBE-SEP-KN4A7NIH6CBV62B6 - [0:0]
	-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
	-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
	-A PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8965
	-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
	-A POSTROUTING -s 192.168.10.0/24 ! -o docker0 -j MASQUERADE
	-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
	-A OUTPUT -o lo -j uplink-nat
	-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
	-A DOCKER -i docker0 -j RETURN
	-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
	-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
	-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE --random-fully
	-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
	-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
	-A KUBE-SVC-NPX46M4PTMTKRN6Y -j KUBE-SEP-KN4A7NIH6CBV62B6
	-A KUBE-SEP-KN4A7NIH6CBV62B6 -s 192.168.7.51/32 -j KUBE-MARK-MASQ
	-A KUBE-SEP-KN4A7NIH6CBV62B6 -p tcp -m tcp -j DNAT --to-destination 192.168.7.51:8443
	COMMIT
	# Completed on Thu Jun 4 17:07:37 2020
	# Generated by iptables-save v1.8.4 on Thu Jun 4 17:07:37 2020
	*mangle
	:PREROUTING ACCEPT [0:0]
	:INPUT ACCEPT [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	:POSTROUTING ACCEPT [0:0]
	:KUBE-KUBELET-CANARY - [0:0]
	:KUBE-PROXY-CANARY - [0:0]
	COMMIT
	# Completed on Thu Jun 4 17:07:37 2020
	# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
	$ sudo iptables-legacy-save
	# Generated by iptables-save v1.8.4 on Thu Jun 4 17:08:01 2020
	*nat
	:PREROUTING ACCEPT [77:7011]
	:INPUT ACCEPT [77:7011]
	:OUTPUT ACCEPT [4246:294122]
	:POSTROUTING ACCEPT [4246:294122]
	COMMIT
	# Completed on Thu Jun 4 17:08:01 2020
	# Generated by iptables-save v1.8.4 on Thu Jun 4 17:08:01 2020
	*filter
	:INPUT ACCEPT [398335:105855837]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [399152:66475764]
	COMMIT
	# Completed on Thu Jun 4 17:08:01 2020