| Node/Pod | IP |
|---|---|
| Source Pod | 10.11.1.103 |
| Source Node | 192.168.11.12 |
| Gateway Node | 192.168.11.11 |
| External Service | 192.168.11.13 |
Added the following on both source and gateway node. Egress gateway datapath still works.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
Append the following rules in source node. Egress datapath is broken.
iptables -I INPUT 1 -m state --state INVALID -j DROP
iptables -I OUTPUT 1 -m state --state INVALID -j DROP
iptables -I FORWARD 1 -m state --state INVALID -j DROP # This one drop the packet.
curl 196.168.11.13
[NEW] tcp 6 120 SYN_SENT src=10.11.1.103 dst=192.168.33.13 sport=33528 dport=80 [UNREPLIED] src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33528
[UPDATE] tcp 6 60 SYN_RECV src=10.11.1.103 dst=192.168.33.13 sport=33528 dport=80 src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33528
[UPDATE] tcp 6 86400 ESTABLISHED src=10.11.1.103 dst=192.168.33.13 sport=33528 dport=80 src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33528 [ASSURED]
[UPDATE] tcp 6 120 FIN_WAIT src=10.11.1.103 dst=192.168.33.13 sport=33528 dport=80 src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33528 [ASSURED]
[UPDATE] tcp 6 30 LAST_ACK src=10.11.1.103 dst=192.168.33.13 sport=33528 dport=80 src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33528 [ASSURED]
[UPDATE] tcp 6 120 TIME_WAIT src=10.11.1.103 dst=192.168.33.13 sport=33528 dport=80 src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33528 [ASSURED]
[NEW] tcp 6 300 ESTABLISHED src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33546 [UNREPLIED] src=10.11.1.103 dst=192.168.33.13 sport=33546 dport=80
[UPDATE] tcp 6 120 FIN_WAIT src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33546 [UNREPLIED] src=10.11.1.103 dst=192.168.33.13 sport=33546 dport=80
[DESTROY] tcp 6 FIN_WAIT src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33546 [UNREPLIED] src=10.11.1.103 dst=192.168.33.13 sport=33546 dport=80