@enixdark
Forked from anfernee/debug-note.md
Created July 17, 2022 11:09

```
# The first rule SNATs (masquerades) packets that leave the gw node from the local pod CIDR
# towards non-cluster destinations on a non-cilium interface
-A CILIUM_POST_nat -s 10.11.1.0/24 ! -d 10.11.0.0/16 ! -o cilium_+ -m comment --comment "cilium masquerade non-cluster" -j MASQUERADE

-A CILIUM_POST_nat ! -o cilium_host -m comment --comment "exclude non-cilium_host traffic from masquerade" -j RETURN
-A CILIUM_POST_nat -m mark --mark 0xa00/0xe00 -m comment --comment "exclude proxy return traffic from masquarade" -j ACCEPT
-A CILIUM_POST_nat ! -s 10.11.1.253/32 ! -d 10.11.1.0/24 -o cilium_host -m comment --comment "cilium host->cluster masquerade" -j SNAT --to-source 10.11.1.253
-A CILIUM_POST_nat -s 127.0.0.1/32 -o cilium_host -m comment --comment "cilium host->cluster from 127.0.0.1 masquerade" -j SNAT --to-source 10.11.1.253
-A CILIUM_POST_nat -o cilium_host -m mark --mark 0xf00/0xf00 -m conntrack --ctstate DNAT -m comment --comment "hairpin traffic that originated from a local pod" -j SNAT --to-source 10.11.1.253
```

Delete the SNAT rule (rule 1 of the chain above). `-D` by number is positional, so confirm in the listing that the masquerade rule really is first before deleting, and list again afterwards to check the result. The chain is managed by cilium-agent, which re-installs its rules when it restarts, so this is a debugging-only change:

```
# iptables -t nat -D CILIUM_POST_nat 1
# iptables -t nat -L CILIUM_POST_nat
```
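To see which of the six rules actually fires for a given packet, and what deleting rule 1 changes, the following added example (not code from this gist or from Cilium) walks a copy of the chain above against constructed packets. The `Packet` model is a hypothetical simplification (source, destination, output interface, fwmark, and whether conntrack already holds a DNAT mapping); only the match options that occur in these six rules are implemented, and the node address 192.168.0.5 and pod addresses used in the samples are made up.

```python
"""Walk the CILIUM_POST_nat chain from the note against constructed packets and
report which rule fires and what the source address becomes.

Added example, not from the gist or from Cilium. Packet is a hypothetical
simplification; only the match options used by the six rules are modelled.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Copy of the chain from the note, in iptables-save syntax.
CHAIN = """
-A CILIUM_POST_nat -s 10.11.1.0/24 ! -d 10.11.0.0/16 ! -o cilium_+ -m comment --comment "cilium masquerade non-cluster" -j MASQUERADE
-A CILIUM_POST_nat ! -o cilium_host -m comment --comment "exclude non-cilium_host traffic from masquerade" -j RETURN
-A CILIUM_POST_nat -m mark --mark 0xa00/0xe00 -m comment --comment "exclude proxy return traffic from masquarade" -j ACCEPT
-A CILIUM_POST_nat ! -s 10.11.1.253/32 ! -d 10.11.1.0/24 -o cilium_host -m comment --comment "cilium host->cluster masquerade" -j SNAT --to-source 10.11.1.253
-A CILIUM_POST_nat -s 127.0.0.1/32 -o cilium_host -m comment --comment "cilium host->cluster from 127.0.0.1 masquerade" -j SNAT --to-source 10.11.1.253
-A CILIUM_POST_nat -o cilium_host -m mark --mark 0xf00/0xf00 -m conntrack --ctstate DNAT -m comment --comment "hairpin traffic that originated from a local pod" -j SNAT --to-source 10.11.1.253
"""


@dataclass
class Packet:
    src: str
    dst: str
    out_if: str                      # interface the packet leaves on
    mark: int = 0                    # fwmark
    dnat: bool = False               # conntrack state includes DNAT
    out_if_ip: Optional[str] = None  # address MASQUERADE would pick (primary IP of out_if)


@dataclass
class Rule:
    target: str = ""
    comment: str = ""
    to_source: Optional[str] = None
    tests: List[Callable[[Packet], bool]] = field(default_factory=list)


def _iface(pattern: str, name: str) -> bool:
    # A trailing "+" is an iptables prefix wildcard: cilium_+ matches cilium_host, cilium_net, ...
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else name == pattern


def parse_rule(line: str) -> Rule:
    toks, rule, i, negate = shlex.split(line), Rule(), 0, False
    while i < len(toks):
        t, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if t == "!":                      # negates the next match only
            negate, i = True, i + 1
            continue
        neg, negate = negate, False
        if t in ("-A", "-m"):             # chain name / match-module name: no test by itself
            pass
        elif t == "-s":
            net = ipaddress.ip_network(arg, strict=False)
            rule.tests.append(lambda p, n=net, g=neg: (ipaddress.ip_address(p.src) in n) != g)
        elif t == "-d":
            net = ipaddress.ip_network(arg, strict=False)
            rule.tests.append(lambda p, n=net, g=neg: (ipaddress.ip_address(p.dst) in n) != g)
        elif t == "-o":
            rule.tests.append(lambda p, pat=arg, g=neg: _iface(pat, p.out_if) != g)
        elif t == "--mark":               # value/mask: matches when (fwmark & mask) == value
            value, _, mask = arg.partition("/")
            v, m = int(value, 16), int(mask, 16) if mask else 0xFFFFFFFF
            rule.tests.append(lambda p, v=v, m=m, g=neg: ((p.mark & m) == v) != g)
        elif t == "--ctstate":
            rule.tests.append(lambda p, s=arg.split(","), g=neg: (p.dnat and "DNAT" in s) != g)
        elif t == "--comment":
            rule.comment = arg
        elif t == "-j":
            rule.target = arg
        elif t == "--to-source":
            rule.to_source = arg
        else:
            raise ValueError(f"unsupported option {t!r} in: {line}")
        i += 2
    return rule


def parse_chain(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def walk(chain: List[Rule], pkt: Packet) -> dict:
    """First terminating verdict. Rule numbers are positions in the chain as passed,
    which is how `iptables -D CHAIN N` counts them."""
    for num, rule in enumerate(chain, start=1):
        if not all(test(pkt) for test in rule.tests):
            continue
        src = pkt.src
        if rule.target == "MASQUERADE":   # rewrites to the primary address of out_if
            src = pkt.out_if_ip or f"<primary address of {pkt.out_if}>"
        elif rule.target == "SNAT":
            src = rule.to_source
        # ACCEPT ends nat processing; RETURN hands back to POSTROUTING, where later
        # rules (e.g. kube-proxy's) may still act. Both leave src untouched here.
        return {"rule": num, "target": rule.target, "src": src, "comment": rule.comment}
    return {"rule": None, "target": "RETURN", "src": pkt.src, "comment": "end of chain"}


if __name__ == "__main__":
    chain = parse_chain(CHAIN)
    samples = [  # constructed packets: 10.11.1.0/24 is this node's pod CIDR, 10.11.1.253 its cilium_host IP
        ("pod -> internet via eth0", Packet("10.11.1.10", "8.8.8.8", "eth0", out_if_ip="192.168.0.5")),
        ("pod -> remote pod via eth0", Packet("10.11.1.10", "10.11.2.5", "eth0")),
        ("node -> remote pod via cilium_host", Packet("192.168.0.5", "10.11.2.5", "cilium_host")),
        ("hairpin pod -> local pod (DNATed)", Packet("10.11.1.10", "10.11.1.30", "cilium_host", mark=0xF00, dnat=True)),
    ]
    for label, pkt in samples:
        print(f"{label:36s} {walk(chain, pkt)}")
    # Same first packet after `iptables -t nat -D CILIUM_POST_nat 1`: no masquerade any more.
    print("after deleting rule 1:", walk(chain[1:], samples[0][1]))
```

Running it shows the pod-to-internet packet hitting rule 1 (MASQUERADE), the pod-to-remote-pod packet being returned unchanged by rule 2, and the host-to-cluster and hairpin cases landing on the `--to-source 10.11.1.253` rules; with rule 1 removed the pod-to-internet packet leaves with its pod address intact, which is exactly the behaviour the note wants on the gw node.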

```yaml
kind: GatewayClass
metadata:
  name: CloudNAT
provider: cloud-nat
spec:
  region: us-central1
  level: premium
---
kind: Gateway
metadata:
  name: the-gateway
  namespace: default
spec:
  egressIP: 1.1.1.1
  exportTo:
    kind: EgressRoute
    namespace: my-app
    name: my-app
---
kind: EgressRoute
metadata:
  namespace: my-app
  name: my-app
spec:
  match:
    selector:
      app: web
    destination:
    - ip: 4.4.4.4
  route:
    kind: Gateway
    name: db-gateway
```