$ sudo iptables-save | |
# NOTE(review): this is the nft-backed ruleset (the "iptables-legacy tables present"
# warning at the end of this dump is printed by the iptables-nft variant). The trailing
# "| |" on every line is a rendering artefact of the gist, not iptables-save output.
# Generated by iptables-save v1.8.4 on Thu Jun 4 17:07:36 2020 | |
*filter | |
# INPUT/OUTPUT default-ACCEPT: only the explicit DROPs below restrict host traffic.
:INPUT ACCEPT [0:0] | |
# FORWARD default-DROP: routed traffic must be explicitly accepted in this chain.
:FORWARD DROP [0:0] | |
:OUTPUT ACCEPT [0:0] | |
# User-defined chain, jumped to from OUTPUT (-o lo) but with no -A rules in this dump:
# an empty chain RETURNs, so it currently has no effect. Owner/purpose not visible here.
:uplink-filter - [0:0] | |
:DOCKER - [0:0] | |
:DOCKER-ISOLATION-STAGE-1 - [0:0] | |
:DOCKER-ISOLATION-STAGE-2 - [0:0] | |
:DOCKER-USER - [0:0] | |
:KUBE-FIREWALL - [0:0] | |
# The *-CANARY chains appear to be the kubelet/kube-proxy "were my rules flushed?"
# probes; they carry no rules.
:KUBE-KUBELET-CANARY - [0:0] | |
:KUBE-PROXY-CANARY - [0:0] | |
:KUBE-EXTERNAL-SERVICES - [0:0] | |
:KUBE-SERVICES - [0:0] | |
:KUBE-FORWARD - [0:0] | |
:WEAVE-NPC-INGRESS - [0:0] | |
:WEAVE-NPC-DEFAULT - [0:0] | |
:WEAVE-NPC - [0:0] | |
:WEAVE-NPC-EGRESS-ACCEPT - [0:0] | |
:WEAVE-NPC-EGRESS-CUSTOM - [0:0] | |
:WEAVE-NPC-EGRESS-DEFAULT - [0:0] | |
:WEAVE-NPC-EGRESS - [0:0] | |
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES | |
-A INPUT -j KUBE-FIREWALL | |
# Host-port blocks. No -i/-s qualifier, so they apply on every interface, lo included.
# The numbers match common defaults (6781/6782 weave metrics, 10251/10252 kube-scheduler /
# kube-controller-manager, 10256 kube-proxy healthz) but what actually listens is not
# visible here -- confirm with `ss -ltnp`. These are the ONLY host-level restrictions:
# every other listener (e.g. the 8443 endpoint seen in the nat table) falls through to
# the INPUT ACCEPT policy, so node-level allowlisting, if any, happens elsewhere.
-A INPUT -p tcp -m tcp --dport 6781 -j DROP | |
-A INPUT -p tcp -m tcp --dport 6782 -j DROP | |
-A INPUT -p tcp -m tcp --dport 10251 -j DROP | |
-A INPUT -p tcp -m tcp --dport 10252 -j DROP | |
-A INPUT -p tcp -m tcp --dport 10256 -j DROP | |
# FORWARD accepts are limited to KUBE-FORWARD (0x4000-marked packets only, see below)
# and docker0. Nothing in FORWARD jumps to WEAVE-NPC / WEAVE-NPC-EGRESS or matches a
# weave interface, although those chains are populated further down. Consequences under
# the DROP policy: (a) the Weave network-policy chains are never evaluated, and (b) any
# routed traffic that is neither docker0 nor 0x4000-marked is dropped -- unless it
# bypasses this chain altogether (L2-bridged traffic with bridge-nf-call-iptables=0).
# Whether weave-npc failed to install its FORWARD rules or they live somewhere not
# captured here cannot be told from this dump (the legacy filter table has none either).
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD | |
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
-A FORWARD -j DOCKER-USER | |
-A FORWARD -j DOCKER-ISOLATION-STAGE-1 | |
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
-A FORWARD -o docker0 -j DOCKER | |
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT | |
-A FORWARD -i docker0 -o docker0 -j ACCEPT | |
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
-A OUTPUT -j KUBE-FIREWALL | |
-A OUTPUT -o lo -j uplink-filter | |
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 | |
-A DOCKER-ISOLATION-STAGE-1 -j RETURN | |
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP | |
-A DOCKER-ISOLATION-STAGE-2 -j RETURN | |
-A DOCKER-USER -j RETURN | |
# Drops packets carrying mark 0x8000, which KUBE-MARK-DROP in the nat table sets;
# nothing in this dump jumps to KUBE-MARK-DROP, so the mark is never applied at present.
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP | |
# kube-dns (10.96.0.10) had no ready endpoints when this was taken, so cluster DNS
# lookups are actively REJECTed rather than black-holed. Possibly related to the
# FORWARD gap noted above; the cause is not visible in this dump.
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns has no endpoints" -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable | |
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp has no endpoints" -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable | |
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics has no endpoints" -m tcp --dport 9153 -j REJECT --reject-with icmp-port-unreachable | |
# Drops conntrack-INVALID, then accepts only 0x4000-marked (MASQ-tagged) packets.
# There is no RELATED,ESTABLISHED accept for a pod CIDR here, so return traffic of
# forwarded flows depends on the docker0 rule above or on rules not present.
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP | |
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT | |
# Per-namespace DefaultAllow ingress. The set names are weave's hashed identifiers
# (the punctuation is expected). Four namespaces are visible; WEAVE-NPC-INGRESS and
# WEAVE-NPC-EGRESS-CUSTOM carry no rules, suggesting no NetworkPolicy objects exist.
-A WEAVE-NPC-DEFAULT -m set --match-set weave-P.B|!ZhkAr5q=XZ?3}tMBA+0 dst -m comment --comment "DefaultAllow ingress isolation for namespace: kube-system" -j ACCEPT | |
-A WEAVE-NPC-DEFAULT -m set --match-set weave-Rzff}h:=]JaaJl/G;(XJpGjZ[ dst -m comment --comment "DefaultAllow ingress isolation for namespace: kube-public" -j ACCEPT | |
-A WEAVE-NPC-DEFAULT -m set --match-set weave-]B*(W?)t*z5O17G044[gUo#$l dst -m comment --comment "DefaultAllow ingress isolation for namespace: kube-node-lease" -j ACCEPT | |
-A WEAVE-NPC-DEFAULT -m set --match-set weave-;rGqyMIl1HN^cfDki~Z$3]6!N dst -m comment --comment "DefaultAllow ingress isolation for namespace: default" -j ACCEPT | |
# Ingress policy chain: established, multicast and bridge-bound traffic is accepted;
# NEW connections go through DefaultAllow, then custom ingress rules (empty here).
# Not referenced from FORWARD in this dump -- see the note there.
-A WEAVE-NPC -m state --state RELATED,ESTABLISHED -j ACCEPT | |
-A WEAVE-NPC -d 224.0.0.0/4 -j ACCEPT | |
-A WEAVE-NPC -m physdev --physdev-out vethwe-bridge --physdev-is-bridged -j ACCEPT | |
-A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-DEFAULT | |
-A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-INGRESS | |
# Egress "allowed" is expressed as mark 0x40000; each namespace's DefaultAllow pair
# marks then RETURNs.
-A WEAVE-NPC-EGRESS-ACCEPT -j MARK --set-xmark 0x40000/0x40000 | |
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-E1ney4o[ojNrLk.6rOHi;7MPE src -m comment --comment "DefaultAllow egress isolation for namespace: kube-system" -j WEAVE-NPC-EGRESS-ACCEPT | |
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-E1ney4o[ojNrLk.6rOHi;7MPE src -m comment --comment "DefaultAllow egress isolation for namespace: kube-system" -j RETURN | |
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-41s)5vQ^o/xWGz6a20N:~?#|E src -m comment --comment "DefaultAllow egress isolation for namespace: kube-public" -j WEAVE-NPC-EGRESS-ACCEPT | |
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-41s)5vQ^o/xWGz6a20N:~?#|E src -m comment --comment "DefaultAllow egress isolation for namespace: kube-public" -j RETURN | |
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-sui%__gZ}{kX~oZgI_Ttqp=Dp src -m comment --comment "DefaultAllow egress isolation for namespace: kube-node-lease" -j WEAVE-NPC-EGRESS-ACCEPT | |
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-sui%__gZ}{kX~oZgI_Ttqp=Dp src -m comment --comment "DefaultAllow egress isolation for namespace: kube-node-lease" -j RETURN | |
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-s_+ChJId4Uy_$}G;WdH|~TK)I src -m comment --comment "DefaultAllow egress isolation for namespace: default" -j WEAVE-NPC-EGRESS-ACCEPT | |
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-s_+ChJId4Uy_$}G;WdH|~TK)I src -m comment --comment "DefaultAllow egress isolation for namespace: default" -j RETURN | |
# Egress policy chain: NEW connections left unmarked by DefaultAllow go to the custom
# rules (empty) and are then logged to NFLOG group 86. No DROP follows in this chain;
# whatever enforces the denial is not in this dump, and the chain itself is not
# referenced from FORWARD.
-A WEAVE-NPC-EGRESS -m state --state RELATED,ESTABLISHED -j ACCEPT | |
-A WEAVE-NPC-EGRESS -m physdev --physdev-in vethwe-bridge --physdev-is-bridged -j RETURN | |
-A WEAVE-NPC-EGRESS -m addrtype --dst-type LOCAL -j RETURN | |
-A WEAVE-NPC-EGRESS -d 224.0.0.0/4 -j RETURN | |
-A WEAVE-NPC-EGRESS -m state --state NEW -j WEAVE-NPC-EGRESS-DEFAULT | |
-A WEAVE-NPC-EGRESS -m state --state NEW -m mark ! --mark 0x40000/0x40000 -j WEAVE-NPC-EGRESS-CUSTOM | |
-A WEAVE-NPC-EGRESS -m state --state NEW -m mark ! --mark 0x40000/0x40000 -j NFLOG --nflog-group 86 | |
COMMIT | |
# Completed on Thu Jun 4 17:07:37 2020 | |
# Generated by iptables-save v1.8.4 on Thu Jun 4 17:07:37 2020 | |
*nat | |
:PREROUTING ACCEPT [0:0] | |
:INPUT ACCEPT [0:0] | |
:POSTROUTING ACCEPT [0:0] | |
:OUTPUT ACCEPT [0:0] | |
# User-defined chain, jumped to from OUTPUT (-o lo); no -A rules in this dump, so it
# currently does nothing.
:uplink-nat - [0:0] | |
:DOCKER - [0:0] | |
# KUBE-MARK-DROP is defined but nothing jumps to it in this dump.
:KUBE-MARK-DROP - [0:0] | |
:KUBE-MARK-MASQ - [0:0] | |
:KUBE-POSTROUTING - [0:0] | |
:KUBE-KUBELET-CANARY - [0:0] | |
:KUBE-PROXY-CANARY - [0:0] | |
:KUBE-SERVICES - [0:0] | |
# KUBE-NODEPORTS is declared but empty: no NodePort services at dump time.
:KUBE-NODEPORTS - [0:0] | |
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0] | |
:KUBE-SEP-KN4A7NIH6CBV62B6 - [0:0] | |
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER | |
# Cloud-metadata interception: TCP/80 to 169.254.169.254 arriving on ANY interface
# (no -i) is DNATed to a local listener on 127.0.0.1:8965 -- presumably a metadata
# proxy for containers/pods. Two things to verify: (1) DNAT to a loopback address from
# PREROUTING only takes effect with net.ipv4.conf.<if>.route_localnet=1, and that sysctl
# also makes every other 127.0.0.1-bound listener on the node reachable from that
# interface (the same exposure as CVE-2020-8558 in kube-proxy), so the interface it is
# enabled on needs its own INPUT filtering; (2) OUTPUT below has no matching rule, so
# host-local processes reach 169.254.169.254 directly and bypass the proxy. Only port 80
# is covered. The sysctl and the listener on 8965 are not visible in this dump.
-A PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8965 | |
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING | |
# SNAT for what is presumably the docker0 subnet (192.168.10.0/24 -- not shown here).
# Unlike KUBE-POSTROUTING below it lacks --random-fully; consider adding it for the
# same source-port-prediction reasons.
-A POSTROUTING -s 192.168.10.0/24 ! -o docker0 -j MASQUERADE | |
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
-A OUTPUT -o lo -j uplink-nat | |
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER | |
-A DOCKER -i docker0 -j RETURN | |
# Marks consumed by filter/KUBE-FIREWALL (0x8000 -> DROP) and filter/KUBE-FORWARD plus
# KUBE-POSTROUTING (0x4000 -> ACCEPT / MASQUERADE).
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000 | |
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000 | |
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE --random-fully | |
# The only service with endpoints: API server ClusterIP 10.96.0.1:443 -> 192.168.7.51:8443
# (single endpoint). Traffic originating from the endpoint itself (hairpin) is marked
# for MASQ first. Note the filter table has no INPUT rule for 8443; it is reachable
# under the ACCEPT policy from anything that can reach the node.
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y | |
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS | |
-A KUBE-SVC-NPX46M4PTMTKRN6Y -j KUBE-SEP-KN4A7NIH6CBV62B6 | |
-A KUBE-SEP-KN4A7NIH6CBV62B6 -s 192.168.7.51/32 -j KUBE-MARK-MASQ | |
-A KUBE-SEP-KN4A7NIH6CBV62B6 -p tcp -m tcp -j DNAT --to-destination 192.168.7.51:8443 | |
COMMIT | |
# Completed on Thu Jun 4 17:07:37 2020 | |
# Generated by iptables-save v1.8.4 on Thu Jun 4 17:07:37 2020 | |
# mangle holds no rules -- only the default chains and the kubelet/kube-proxy canary
# chains (which appear to exist solely so those daemons can detect a flushed ruleset).
*mangle | |
:PREROUTING ACCEPT [0:0] | |
:INPUT ACCEPT [0:0] | |
:FORWARD ACCEPT [0:0] | |
:OUTPUT ACCEPT [0:0] | |
:POSTROUTING ACCEPT [0:0] | |
:KUBE-KUBELET-CANARY - [0:0] | |
:KUBE-PROXY-CANARY - [0:0] | |
COMMIT | |
# Completed on Thu Jun 4 17:07:37 2020 | |
# Two iptables backends are active on this host (nft above, legacy below). Rules
# written through the "wrong" binary land in the other ruleset and are invisible to
# `iptables-save` of the first -- a classic cause of "my rules are there but nothing
# matches". Check which binary each component (kube-proxy, weave, docker, local
# scripts) is using, e.g. `update-alternatives --display iptables`.
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them | |
$ sudo iptables-legacy-save | |
# Legacy backend. Both tables contain only built-in chains with ACCEPT policies and no
# rules, so they do not change what the nft ruleset above decides -- but their
# non-zero policy counters (vs. [0:0] in the nft dump) show the kernel is traversing
# them. Harmless as-is; becomes a problem the moment any tool adds rules here.
# Generated by iptables-save v1.8.4 on Thu Jun 4 17:08:01 2020 | |
*nat | |
:PREROUTING ACCEPT [77:7011] | |
:INPUT ACCEPT [77:7011] | |
:OUTPUT ACCEPT [4246:294122] | |
:POSTROUTING ACCEPT [4246:294122] | |
COMMIT | |
# Completed on Thu Jun 4 17:08:01 2020 | |
# Generated by iptables-save v1.8.4 on Thu Jun 4 17:08:01 2020 | |
*filter | |
:INPUT ACCEPT [398335:105855837] | |
:FORWARD ACCEPT [0:0] | |
:OUTPUT ACCEPT [399152:66475764] | |
COMMIT | |
# Completed on Thu Jun 4 17:08:01 2020 |