iptables.txt
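# Generated by iptables-save v1.6.1 on Mon Oct 26 11:55:22 2020
# raw table: evaluated before connection tracking. The only rules here are
# Cilium's NOTRACK exemptions for its proxy traffic, selected purely by fwmark.
# A packet that hits NOTRACK never gets a conntrack entry, so none of the
# --ctstate rules in the filter table (KUBE-FORWARD's INVALID drop, the
# RELATED,ESTABLISHED accepts) apply to it. That is intentional for the proxy
# path, but it means such packets are governed only by the mark-based CILIUM_*
# rules and by Cilium's own datapath, not by conntrack state.
# NOTE(review): nothing in this table checks who set the mark; the values are
# presumably written by Cilium's BPF programs and the mangle rules below.
*raw
:PREROUTING ACCEPT [5751065:1174679472]
:OUTPUT ACCEPT [5736441:1152388541]
:CILIUM_OUTPUT_raw - [0:0]
:CILIUM_PRE_raw - [0:0]
-A PREROUTING -m comment --comment "cilium-feeder: CILIUM_PRE_raw" -j CILIUM_PRE_raw
-A OUTPUT -m comment --comment "cilium-feeder: CILIUM_OUTPUT_raw" -j CILIUM_OUTPUT_raw
# Locally generated proxy return traffic (mark 0xa00; mask 0xfffffeff ignores
# bit 0x100) heading to a pod veth (lxc+) or to cilium_host is not tracked.
-A CILIUM_OUTPUT_raw -o lxc+ -m mark --mark 0xa00/0xfffffeff -m comment --comment "cilium: NOTRACK for proxy return traffic" -j NOTRACK
-A CILIUM_OUTPUT_raw -o cilium_host -m mark --mark 0xa00/0xfffffeff -m comment --comment "cilium: NOTRACK for proxy return traffic" -j NOTRACK
# Incoming packets already carrying the proxy value (0x200) in the 0xf00 nibble.
-A CILIUM_PRE_raw -m mark --mark 0x200/0xf00 -m comment --comment "cilium: NOTRACK for proxy traffic" -j NOTRACK
COMMIT
# Completed on Mon Oct 26 11:55:22 2020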
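# Generated by iptables-save v1.6.1 on Mon Oct 26 11:55:22 2020
# mangle table: Cilium's transparent-proxy (TPROXY) plumbing for its DNS egress
# proxy. Packets are diverted only if they already carry a Cilium mark, so an
# unmarked packet arriving from outside is not redirected by these rules.
# KUBE-PROXY-CANARY is declared but has no rules; kube-proxy only probes for it.
*mangle
:PREROUTING ACCEPT [5751065:1174679472]
:INPUT ACCEPT [5743201:1174184486]
:FORWARD ACCEPT [7863:494926]
:OUTPUT ACCEPT [5736441:1152388541]
:POSTROUTING ACCEPT [5744304:1152883467]
:CILIUM_POST_mangle - [0:0]
:CILIUM_PRE_mangle - [0:0]
:KUBE-PROXY-CANARY - [0:0]
-A PREROUTING -m comment --comment "cilium-feeder: CILIUM_PRE_mangle" -j CILIUM_PRE_mangle
-A POSTROUTING -m comment --comment "cilium-feeder: CILIUM_POST_mangle" -j CILIUM_POST_mangle
# Packets that match an existing transparent (IP_TRANSPARENT) local socket get
# the proxy mark 0x200 so they are delivered to the proxy instead of forwarded.
-A CILIUM_PRE_mangle -m socket --transparent -m comment --comment "cilium: any->pod redirect proxied traffic to host proxy" -j MARK --set-xmark 0x200/0xffffffff
# DNS egress proxy: TCP and UDP packets carrying the exact mark 0xa5850200 are
# TPROXY'd to local port 34213. --on-ip 0.0.0.0 means the proxy socket is bound
# to the wildcard address; the filter table below has INPUT policy ACCEPT and no
# rule for this port, so iptables does not limit who can reach 34213 directly.
# NOTE(review): 0xa5850200 is not set anywhere in this dump - presumably the
# Cilium BPF datapath writes it. Confirm against the agent version in use.
-A CILIUM_PRE_mangle -p tcp -m mark --mark 0xa5850200 -m comment --comment "cilium: TPROXY to host cilium-dns-egress proxy" -j TPROXY --on-port 34213 --on-ip 0.0.0.0 --tproxy-mark 0x200/0xffffffff
-A CILIUM_PRE_mangle -p udp -m mark --mark 0xa5850200 -m comment --comment "cilium: TPROXY to host cilium-dns-egress proxy" -j TPROXY --on-port 34213 --on-ip 0.0.0.0 --tproxy-mark 0x200/0xffffffff
COMMIT
# Completed on Mon Oct 26 11:55:22 2020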
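# Generated by iptables-save v1.6.1 on Mon Oct 26 11:55:22 2020
# filter table. Security-relevant shape of this table:
#  * INPUT policy is ACCEPT and the only INPUT rules are a proxy-mark accept and
#    the kube-proxy "no endpoints" REJECT, so this table does not restrict
#    inbound connections to the node itself (e.g. the DNS proxy on 34213 from
#    the mangle table, or 6443 if this host is the 192.168.33.11 apiserver
#    endpoint listed in the nat table). Host firewalling has to come from
#    somewhere else (Cilium host policy, a cloud security group, ...).
#  * FORWARD policy is DROP, but CILIUM_FORWARD is consulted first and accepts
#    everything entering via lxc+/cilium_host/cilium_net or leaving via
#    cilium_host, and the Docker rules accept everything entering via docker0.
#    Pod-level enforcement is therefore not done here; it relies on Cilium's
#    BPF network policy, which this dump cannot show.
#  * Because CILIUM_FORWARD runs before DOCKER-USER / DOCKER, traffic from a pod
#    veth (lxc+) to a docker0 container is accepted by CILIUM_FORWARD and never
#    reaches the DOCKER per-port allow-list (5000/8500). Only Cilium policy, if
#    any, limits pod -> 172.17.0.x access at the iptables level.
*filter
:INPUT ACCEPT [322781:60622515]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [322808:64049062]
:CILIUM_FORWARD - [0:0]
:CILIUM_INPUT - [0:0]
:CILIUM_OUTPUT - [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SERVICES - [0:0]
-A INPUT -m comment --comment "cilium-feeder: CILIUM_INPUT" -j CILIUM_INPUT
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
# Order matters: CILIUM_FORWARD (accept-all on Cilium interfaces) precedes
# KUBE-FORWARD, so KUBE-FORWARD's INVALID drop only ever sees non-Cilium traffic.
-A FORWARD -m comment --comment "cilium-feeder: CILIUM_FORWARD" -j CILIUM_FORWARD
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
# DOCKER-USER is the operator hook Docker leaves alone on restart. It is empty
# here (plain RETURN), so nothing limits the published container ports at the
# host level. A restriction would go there, for example:
#   -A DOCKER-USER -i <external-if> ! -s <admin-cidr> -p tcp -m multiport --dports 5000,8500 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -m comment --comment "cilium-feeder: CILIUM_OUTPUT" -j CILIUM_OUTPUT
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
# Cilium interfaces: unconditional accept in both directions.
-A CILIUM_FORWARD -o cilium_host -m comment --comment "cilium: any->cluster on cilium_host forward accept" -j ACCEPT
-A CILIUM_FORWARD -i cilium_host -m comment --comment "cilium: cluster->any on cilium_host forward accept (nodeport)" -j ACCEPT
-A CILIUM_FORWARD -i lxc+ -m comment --comment "cilium: cluster->any on lxc+ forward accept" -j ACCEPT
-A CILIUM_FORWARD -i cilium_net -m comment --comment "cilium: cluster->any on cilium_net forward accept (nodeport)" -j ACCEPT
-A CILIUM_INPUT -m mark --mark 0x200/0xf00 -m comment --comment "cilium: ACCEPT for proxy traffic" -j ACCEPT
-A CILIUM_OUTPUT -m mark --mark 0xa00/0xfffffeff -m comment --comment "cilium: ACCEPT for proxy return traffic" -j ACCEPT
# Host-originated packets that carry none of the proxy/host marks are tagged
# 0xc00 in the 0xf00 nibble so the datapath can tell "from host" apart.
-A CILIUM_OUTPUT -m mark ! --mark 0xe00/0xf00 -m mark ! --mark 0xd00/0xf00 -m mark ! --mark 0xa00/0xe00 -m comment --comment "cilium: host->any mark as from host" -j MARK --set-xmark 0xc00/0xf00
# Published container ports, reachable from any non-docker0 interface. The
# matching DNAT lives in the nat table's DOCKER chain.
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8500 -j ACCEPT
# Bridge isolation: only one Docker bridge (docker0) exists, so the STAGE-2 DROP
# (from docker0, to docker0 via a different ingress) is effectively unreachable.
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
# The two RELATED,ESTABLISHED rules below have identical matchers, so the second
# is redundant as generated; kept as-is because kube-proxy owns this chain.
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Service with no ready endpoints: connections to its ClusterIP are rejected
# with ICMP port-unreachable rather than silently dropped.
-A KUBE-SERVICES -d 172.20.0.2/32 -p tcp -m comment --comment "default/httpd-svc: has no endpoints" -m tcp --dport 8080 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Oct 26 11:55:22 2020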
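# Generated by iptables-save v1.6.1 on Mon Oct 26 11:55:22 2020
# nat table. Three independent NAT owners coexist here: Cilium (CILIUM_*),
# kube-proxy (KUBE-*) and Docker (DOCKER, the 172.17.0.0/16 masquerade).
# Points worth knowing when auditing this node:
#  * Pod egress leaving this node for anything outside 10.16.0.0/16 and not via
#    a cilium_* device is masqueraded to the node address, so external firewalls
#    and logs see the node, not the pod. Per-pod attribution has to be recovered
#    from Cilium's own flow logs.
#  * kube-proxy treats 10.16.0.0/12 as the cluster CIDR (the "! -s" masquerade
#    exemptions) while Cilium masquerades relative to 10.16.0.0/16. The kube-dns
#    endpoint 10.17.95.89 lies inside the /12 but outside the /16, which is
#    consistent with the /16 being this node's pod range - verify if the two
#    ranges are ever changed independently.
#  * The Docker DNAT rules for 5000 and 8500 have no "-d" match, so the ports are
#    published on every local address (the 0.0.0.0 default for "-p"). Restricting
#    them means either re-publishing on a specific address or adding rules to the
#    filter table's DOCKER-USER chain.
#  * KUBE-NODEPORTS has no rules, i.e. no NodePort services existed at dump time.
# NOTE(review): whether Cilium's BPF service handling runs ahead of these
# kube-proxy rules cannot be determined from this dump.
*nat
:PREROUTING ACCEPT [150:8885]
:INPUT ACCEPT [116:7613]
:OUTPUT ACCEPT [277:14634]
:POSTROUTING ACCEPT [311:15906]
:CILIUM_OUTPUT_nat - [0:0]
:CILIUM_POST_nat - [0:0]
:CILIUM_PRE_nat - [0:0]
:DOCKER - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SEP-6ZABQ6YXW7L2SHYE - [0:0]
:KUBE-SEP-F5OAV7OZYY2HSAKM - [0:0]
:KUBE-SEP-LAJV5HEI6NEQK2ZY - [0:0]
:KUBE-SEP-O3X64GOT7U6BJEI3 - [0:0]
:KUBE-SEP-VE62UVKPQP64HJEE - [0:0]
:KUBE-SEP-YWNJRSBV6TE5OQB4 - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-O2VVSMQ5IRTISXSG - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
-A PREROUTING -m comment --comment "cilium-feeder: CILIUM_PRE_nat" -j CILIUM_PRE_nat
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
# Anything addressed to a local IP (any interface) is offered to Docker's DNAT.
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "cilium-feeder: CILIUM_OUTPUT_nat" -j CILIUM_OUTPUT_nat
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -m comment --comment "cilium-feeder: CILIUM_POST_nat" -j CILIUM_POST_nat
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
# Docker containers egress as the node; the two /32 rules handle hairpin access
# to a container's own published port.
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 8500 -j MASQUERADE
# Pod -> non-cluster masquerade (see header note on attribution).
-A CILIUM_POST_nat -s 10.16.0.0/16 ! -d 10.16.0.0/16 ! -o cilium_+ -m comment --comment "cilium masquerade non-cluster" -j MASQUERADE
-A CILIUM_POST_nat ! -o cilium_host -m comment --comment "exclude non-cilium_host traffic from masquerade" -j RETURN
-A CILIUM_POST_nat -m mark --mark 0xa00/0xe00 -m comment --comment "exclude proxy return traffic from masquarade" -j ACCEPT
# Host -> cluster traffic entering via cilium_host is SNAT'd to 10.16.199.90
# (presumably the cilium_host address on this node) so replies route back here.
-A CILIUM_POST_nat ! -s 10.16.199.90/32 ! -d 10.16.0.0/16 -o cilium_host -m comment --comment "cilium host->cluster masquerade" -j SNAT --to-source 10.16.199.90
-A CILIUM_POST_nat -s 127.0.0.1/32 -o cilium_host -m comment --comment "cilium host->cluster from 127.0.0.1 masquerade" -j SNAT --to-source 10.16.199.90
-A CILIUM_POST_nat -o cilium_host -m mark --mark 0xf00/0xf00 -m conntrack --ctstate DNAT -m comment --comment "hairpin traffic that originated from a local pod" -j SNAT --to-source 10.16.199.90
# Docker published ports: no destination restriction, any local address matches.
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.17.0.2:5000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8500 -j DNAT --to-destination 172.17.0.3:8500
# kube-proxy masquerade flag: bit 0x4000, which does not overlap Cilium's 0xf00
# nibble, so the two marking schemes coexist on the same skb.
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
# Per-endpoint chains: the "-s <endpoint>" rule flags hairpin traffic (a pod
# reaching its own service) for masquerade; the second rule does the DNAT.
-A KUBE-SEP-6ZABQ6YXW7L2SHYE -s 10.17.95.89/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-6ZABQ6YXW7L2SHYE -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.17.95.89:53
-A KUBE-SEP-F5OAV7OZYY2HSAKM -s 10.16.121.247/32 -m comment --comment "default/myapp-clusterip:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-F5OAV7OZYY2HSAKM -p tcp -m comment --comment "default/myapp-clusterip:http" -m tcp -j DNAT --to-destination 10.16.121.247:80
-A KUBE-SEP-LAJV5HEI6NEQK2ZY -s 10.17.95.89/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-LAJV5HEI6NEQK2ZY -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.17.95.89:9153
# The apiserver service resolves to a node address outside the pod CIDRs.
-A KUBE-SEP-O3X64GOT7U6BJEI3 -s 192.168.33.11/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-O3X64GOT7U6BJEI3 -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 192.168.33.11:6443
-A KUBE-SEP-VE62UVKPQP64HJEE -s 10.17.95.89/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-VE62UVKPQP64HJEE -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.17.95.89:53
-A KUBE-SEP-YWNJRSBV6TE5OQB4 -s 10.17.167.198/32 -m comment --comment "default/myapp-clusterip:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-YWNJRSBV6TE5OQB4 -p tcp -m comment --comment "default/myapp-clusterip:http" -m tcp -j DNAT --to-destination 10.17.167.198:80
# Per-service entries: sources outside 10.16.0.0/12 are flagged for masquerade,
# then every source is dispatched to the service chain.
-A KUBE-SERVICES ! -s 10.16.0.0/12 -d 172.20.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 172.20.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES ! -s 10.16.0.0/12 -d 172.20.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 172.20.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES ! -s 10.16.0.0/12 -d 172.20.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 172.20.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES ! -s 10.16.0.0/12 -d 172.20.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 172.20.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES ! -s 10.16.0.0/12 -d 172.20.0.158/32 -p tcp -m comment --comment "default/myapp-clusterip:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 172.20.0.158/32 -p tcp -m comment --comment "default/myapp-clusterip:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-O2VVSMQ5IRTISXSG
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-6ZABQ6YXW7L2SHYE
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-SEP-LAJV5HEI6NEQK2ZY
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-O3X64GOT7U6BJEI3
# Two endpoints: 50% random pick of the first, remainder falls through to the second.
-A KUBE-SVC-O2VVSMQ5IRTISXSG -m comment --comment "default/myapp-clusterip:http" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-F5OAV7OZYY2HSAKM
-A KUBE-SVC-O2VVSMQ5IRTISXSG -m comment --comment "default/myapp-clusterip:http" -j KUBE-SEP-YWNJRSBV6TE5OQB4
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-VE62UVKPQP64HJEE
COMMIT
# Completed on Mon Oct 26 11:55:22 2020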