# Generated by iptables-save v1.4.21 on Tue Feb 21 01:00:01 2017
# nat table: KUBE-* service/endpoint chains plus the kubenet SNAT rules.
# NOTE(review): the KUBE-SERVICES / KUBE-SVC-* / KUBE-SEP-* layout looks like
# kube-proxy in iptables mode -- confirm against the node's kube-proxy config.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# One KUBE-SVC-* chain per service port and one KUBE-SEP-* chain per
# backend pod:port. All counters are [0:0] in this dump.
:DOCKER - [0:0]
:KUBE-HOSTPORTS - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-ABQZTG6NZFP4Z3WA - [0:0]
:KUBE-SEP-EAXDGPFQEDNDEJDI - [0:0]
:KUBE-SEP-EULZ4BQUHPEO3G2O - [0:0]
:KUBE-SEP-GQ4FAGIYB3UG623O - [0:0]
:KUBE-SEP-H7NGHI6GZQD7KURE - [0:0]
:KUBE-SEP-LJKBCVMCNVJFUEGM - [0:0]
:KUBE-SEP-MKDZQU4FZCRJJMC5 - [0:0]
:KUBE-SEP-PDH6ZIXG2YTEFPMC - [0:0]
:KUBE-SEP-QFQC42YORZHIUKHL - [0:0]
:KUBE-SEP-R44IN5GQCDB3O4YM - [0:0]
:KUBE-SEP-S3CTJS23O5GL5TRK - [0:0]
:KUBE-SEP-TIHHYMQ6SH4TA7VL - [0:0]
:KUBE-SEP-TOLJFHLJFK7K3N2P - [0:0]
:KUBE-SEP-U4L7L572ZI26L7Z6 - [0:0]
:KUBE-SEP-WOF6VWKY4HHGH2IO - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-225IT4QAT2FU3UBA - [0:0]
:KUBE-SVC-6JIQXM6ICDGWATZS - [0:0]
:KUBE-SVC-6LIS77R47ZMQGWK6 - [0:0]
:KUBE-SVC-BJM46V3U5RZHCFRZ - [0:0]
:KUBE-SVC-CFHOYIAPLJMIRON7 - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-FHTFUSEONOHSW5NV - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:KUBE-SVC-XGLOHA7QRQ3V22RZ - [0:0]
:KUBE-SVC-XHSWMYELSH7TR5U6 - [0:0]
:KUBE-SVC-XP4WJ6VSLGWALMW5 - [0:0]
:KUBE-SVC-YXOJN5MCKG7MVOMH - [0:0]
# Entry points: traffic to a local address is checked for hostports first,
# then every packet (inbound and locally generated) goes through KUBE-SERVICES.
-A PREROUTING -m comment --comment "kube hostport portals" -m addrtype --dst-type LOCAL -j KUBE-HOSTPORTS
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "kube hostport portals" -m addrtype --dst-type LOCAL -j KUBE-HOSTPORTS
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
# Post-routing: honour the masquerade mark, then kubenet SNATs anything that
# leaves for a destination outside 10.0.0.0/8 and not local to the node.
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING ! -d 10.0.0.0/8 -m comment --comment "kubenet: SNAT for outbound traffic from cluster" -m addrtype ! --dst-type LOCAL -j MASQUERADE
# Loopback-sourced traffic leaving via cbr0 (hostport access) needs SNAT too.
-A POSTROUTING -s 127.0.0.0/8 -o cbr0 -m comment --comment "SNAT for localhost access to hostports" -j MASQUERADE
# Mark bits: 0x8000 = drop (consumed by KUBE-FIREWALL in the filter table),
# 0x4000 = masquerade (consumed by KUBE-POSTROUTING below).
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
# NodePort 31240 -> default-http-backend; NodePort traffic is always marked
# for masquerade before endpoint selection.
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/default-http-backend:http" -m tcp --dport 31240 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/default-http-backend:http" -m tcp --dport 31240 -j KUBE-SVC-XP4WJ6VSLGWALMW5
# Packets carrying the 0x4000 mark get their source rewritten to the node.
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
# KUBE-SEP-* chains: the first rule marks traffic whose source is the
# endpoint itself for masquerade (presumably hairpin handling -- verify),
# the second DNATs to the backend pod:port.
-A KUBE-SEP-ABQZTG6NZFP4Z3WA -s 10.216.5.6/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-ABQZTG6NZFP4Z3WA -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.216.5.6:53
-A KUBE-SEP-EAXDGPFQEDNDEJDI -s 10.216.2.17/32 -m comment --comment "kube-system/heapster:" -j KUBE-MARK-MASQ
-A KUBE-SEP-EAXDGPFQEDNDEJDI -p tcp -m comment --comment "kube-system/heapster:" -m tcp -j DNAT --to-destination 10.216.2.17:8082
-A KUBE-SEP-EULZ4BQUHPEO3G2O -s 10.216.4.250/32 -m comment --comment "default/example-etcd-cluster-0000:server" -j KUBE-MARK-MASQ
-A KUBE-SEP-EULZ4BQUHPEO3G2O -p tcp -m comment --comment "default/example-etcd-cluster-0000:server" -m tcp -j DNAT --to-destination 10.216.4.250:2380
-A KUBE-SEP-GQ4FAGIYB3UG623O -s 10.216.1.66/32 -m comment --comment "default/example-etcd-cluster:client" -j KUBE-MARK-MASQ
-A KUBE-SEP-GQ4FAGIYB3UG623O -p tcp -m comment --comment "default/example-etcd-cluster:client" -m tcp -j DNAT --to-destination 10.216.1.66:2379
-A KUBE-SEP-H7NGHI6GZQD7KURE -s 10.216.5.6/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-H7NGHI6GZQD7KURE -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.216.5.6:53
-A KUBE-SEP-LJKBCVMCNVJFUEGM -s 10.216.3.122/32 -m comment --comment "default/example-etcd-cluster:client" -j KUBE-MARK-MASQ
-A KUBE-SEP-LJKBCVMCNVJFUEGM -p tcp -m comment --comment "default/example-etcd-cluster:client" -m tcp -j DNAT --to-destination 10.216.3.122:2379
-A KUBE-SEP-MKDZQU4FZCRJJMC5 -s 10.216.1.66/32 -m comment --comment "default/example-etcd-cluster-0001:server" -j KUBE-MARK-MASQ
-A KUBE-SEP-MKDZQU4FZCRJJMC5 -p tcp -m comment --comment "default/example-etcd-cluster-0001:server" -m tcp -j DNAT --to-destination 10.216.1.66:2380
-A KUBE-SEP-PDH6ZIXG2YTEFPMC -s 10.216.3.122/32 -m comment --comment "default/example-etcd-cluster-0002:client" -j KUBE-MARK-MASQ
-A KUBE-SEP-PDH6ZIXG2YTEFPMC -p tcp -m comment --comment "default/example-etcd-cluster-0002:client" -m tcp -j DNAT --to-destination 10.216.3.122:2379
-A KUBE-SEP-QFQC42YORZHIUKHL -s 10.216.1.66/32 -m comment --comment "default/example-etcd-cluster-0001:client" -j KUBE-MARK-MASQ
-A KUBE-SEP-QFQC42YORZHIUKHL -p tcp -m comment --comment "default/example-etcd-cluster-0001:client" -m tcp -j DNAT --to-destination 10.216.1.66:2379
-A KUBE-SEP-R44IN5GQCDB3O4YM -s 10.216.4.250/32 -m comment --comment "default/example-etcd-cluster-0000:client" -j KUBE-MARK-MASQ
-A KUBE-SEP-R44IN5GQCDB3O4YM -p tcp -m comment --comment "default/example-etcd-cluster-0000:client" -m tcp -j DNAT --to-destination 10.216.4.250:2379
# default/kubernetes:https: the endpoint 104.197.104.58 lies outside the
# 10.216.0.0/14 pod range. "-m recent --set" records the client source address
# so KUBE-SVC-NPX46M4PTMTKRN6Y can send that client back here for 10800 s.
-A KUBE-SEP-S3CTJS23O5GL5TRK -s 104.197.104.58/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-S3CTJS23O5GL5TRK -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-S3CTJS23O5GL5TRK --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 104.197.104.58:443
-A KUBE-SEP-TIHHYMQ6SH4TA7VL -s 10.216.5.4/32 -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-MARK-MASQ
-A KUBE-SEP-TIHHYMQ6SH4TA7VL -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp -j DNAT --to-destination 10.216.5.4:9090
-A KUBE-SEP-TOLJFHLJFK7K3N2P -s 10.216.5.5/32 -m comment --comment "kube-system/default-http-backend:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-TOLJFHLJFK7K3N2P -p tcp -m comment --comment "kube-system/default-http-backend:http" -m tcp -j DNAT --to-destination 10.216.5.5:8080
-A KUBE-SEP-U4L7L572ZI26L7Z6 -s 10.216.3.122/32 -m comment --comment "default/example-etcd-cluster-0002:server" -j KUBE-MARK-MASQ
-A KUBE-SEP-U4L7L572ZI26L7Z6 -p tcp -m comment --comment "default/example-etcd-cluster-0002:server" -m tcp -j DNAT --to-destination 10.216.3.122:2380
-A KUBE-SEP-WOF6VWKY4HHGH2IO -s 10.216.4.250/32 -m comment --comment "default/example-etcd-cluster:client" -j KUBE-MARK-MASQ
-A KUBE-SEP-WOF6VWKY4HHGH2IO -p tcp -m comment --comment "default/example-etcd-cluster:client" -m tcp -j DNAT --to-destination 10.216.4.250:2379
# KUBE-SERVICES: for each cluster IP:port, traffic from outside the pod CIDR
# 10.216.0.0/14 is first marked for masquerade, then everything addressed to
# that cluster IP:port is handed to the service's KUBE-SVC-* chain.
-A KUBE-SERVICES ! -s 10.216.0.0/14 -d 10.219.248.115/32 -p tcp -m comment --comment "default/example-etcd-cluster-0002:server cluster IP" -m tcp --dport 2380 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.219.248.115/32 -p tcp -m comment --comment "default/example-etcd-cluster-0002:server cluster IP" -m tcp --dport 2380 -j KUBE-SVC-6LIS77R47ZMQGWK6
-A KUBE-SERVICES ! -s 10.216.0.0/14 -d 10.219.255.189/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.219.255.189/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 80 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-SERVICES ! -s 10.216.0.0/14 -d 10.219.240.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.219.240.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES ! -s 10.216.0.0/14 -d 10.219.240.3/32 -p tcp -m comment --comment "default/example-etcd-cluster-0000:server cluster IP" -m tcp --dport 2380 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.219.240.3/32 -p tcp -m comment --comment "default/example-etcd-cluster-0000:server cluster IP" -m tcp --dport 2380 -j KUBE-SVC-CFHOYIAPLJMIRON7
-A KUBE-SERVICES ! -s 10.216.0.0/14 -d 10.219.240.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.219.240.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES ! -s 10.216.0.0/14 -d 10.219.248.115/32 -p tcp -m comment --comment "default/example-etcd-cluster-0002:client cluster IP" -m tcp --dport 2379 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.219.248.115/32 -p tcp -m comment --comment "default/example-etcd-cluster-0002:client cluster IP" -m tcp --dport 2379 -j KUBE-SVC-FHTFUSEONOHSW5NV
-A KUBE-SERVICES ! -s 10.216.0.0/14 -d 10.219.250.128/32 -p tcp -m comment --comment "default/example-etcd-cluster:client cluster IP" -m tcp --dport 2379 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.219.250.128/32 -p tcp -m comment --comment "default/example-etcd-cluster:client cluster IP" -m tcp --dport 2379 -j KUBE-SVC-6JIQXM6ICDGWATZS
-A KUBE-SERVICES ! -s 10.216.0.0/14 -d 10.219.240.3/32 -p tcp -m comment --comment "default/example-etcd-cluster-0000:client cluster IP" -m tcp --dport 2379 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.219.240.3/32 -p tcp -m comment --comment "default/example-etcd-cluster-0000:client cluster IP" -m tcp --dport 2379 -j KUBE-SVC-225IT4QAT2FU3UBA
-A KUBE-SERVICES ! -s 10.216.0.0/14 -d 10.219.252.63/32 -p tcp -m comment --comment "default/example-etcd-cluster-0001:server cluster IP" -m tcp --dport 2380 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.219.252.63/32 -p tcp -m comment --comment "default/example-etcd-cluster-0001:server cluster IP" -m tcp --dport 2380 -j KUBE-SVC-YXOJN5MCKG7MVOMH
-A KUBE-SERVICES ! -s 10.216.0.0/14 -d 10.219.245.111/32 -p tcp -m comment --comment "kube-system/default-http-backend:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.219.245.111/32 -p tcp -m comment --comment "kube-system/default-http-backend:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-XP4WJ6VSLGWALMW5
-A KUBE-SERVICES ! -s 10.216.0.0/14 -d 10.219.251.95/32 -p tcp -m comment --comment "kube-system/heapster: cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.219.251.95/32 -p tcp -m comment --comment "kube-system/heapster: cluster IP" -m tcp --dport 80 -j KUBE-SVC-BJM46V3U5RZHCFRZ
-A KUBE-SERVICES ! -s 10.216.0.0/14 -d 10.219.252.63/32 -p tcp -m comment --comment "default/example-etcd-cluster-0001:client cluster IP" -m tcp --dport 2379 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.219.252.63/32 -p tcp -m comment --comment "default/example-etcd-cluster-0001:client cluster IP" -m tcp --dport 2379 -j KUBE-SVC-XHSWMYELSH7TR5U6
-A KUBE-SERVICES ! -s 10.216.0.0/14 -d 10.219.240.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.219.240.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
# Must stay last: whatever is still addressed to a local IP is tried as a NodePort.
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
# KUBE-SVC-* chains pick a backend. Single-endpoint services jump straight to
# their KUBE-SEP-*; the three-endpoint service uses -m statistic with
# probabilities 1/3, then 1/2 of the remainder, then the last endpoint
# unconditionally, so each backend receives about a third of new flows.
-A KUBE-SVC-225IT4QAT2FU3UBA -m comment --comment "default/example-etcd-cluster-0000:client" -j KUBE-SEP-R44IN5GQCDB3O4YM
-A KUBE-SVC-6JIQXM6ICDGWATZS -m comment --comment "default/example-etcd-cluster:client" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-GQ4FAGIYB3UG623O
-A KUBE-SVC-6JIQXM6ICDGWATZS -m comment --comment "default/example-etcd-cluster:client" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-LJKBCVMCNVJFUEGM
-A KUBE-SVC-6JIQXM6ICDGWATZS -m comment --comment "default/example-etcd-cluster:client" -j KUBE-SEP-WOF6VWKY4HHGH2IO
-A KUBE-SVC-6LIS77R47ZMQGWK6 -m comment --comment "default/example-etcd-cluster-0002:server" -j KUBE-SEP-U4L7L572ZI26L7Z6
-A KUBE-SVC-BJM46V3U5RZHCFRZ -m comment --comment "kube-system/heapster:" -j KUBE-SEP-EAXDGPFQEDNDEJDI
-A KUBE-SVC-CFHOYIAPLJMIRON7 -m comment --comment "default/example-etcd-cluster-0000:server" -j KUBE-SEP-EULZ4BQUHPEO3G2O
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-H7NGHI6GZQD7KURE
-A KUBE-SVC-FHTFUSEONOHSW5NV -m comment --comment "default/example-etcd-cluster-0002:client" -j KUBE-SEP-PDH6ZIXG2YTEFPMC
# Session affinity for default/kubernetes:https: a client seen in the last
# 10800 s (--reap expires stale entries) is routed back to the same endpoint;
# the unconditional rule after it is the fallback (only one endpoint here).
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-S3CTJS23O5GL5TRK --mask 255.255.255.255 --rsource -j KUBE-SEP-S3CTJS23O5GL5TRK
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-S3CTJS23O5GL5TRK
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-ABQZTG6NZFP4Z3WA
-A KUBE-SVC-XGLOHA7QRQ3V22RZ -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-SEP-TIHHYMQ6SH4TA7VL
-A KUBE-SVC-XHSWMYELSH7TR5U6 -m comment --comment "default/example-etcd-cluster-0001:client" -j KUBE-SEP-QFQC42YORZHIUKHL
-A KUBE-SVC-XP4WJ6VSLGWALMW5 -m comment --comment "kube-system/default-http-backend:http" -j KUBE-SEP-TOLJFHLJFK7K3N2P
-A KUBE-SVC-YXOJN5MCKG7MVOMH -m comment --comment "default/example-etcd-cluster-0001:server" -j KUBE-SEP-MKDZQU4FZCRJJMC5
COMMIT
# Completed on Tue Feb 21 01:00:01 2017
# Generated by iptables-save v1.4.21 on Tue Feb 21 01:00:01 2017
# mangle table: built-in chains only, no rules. The bracketed values are the
# packet:byte counters for each chain since the counters were last reset.
*mangle
:PREROUTING ACCEPT [50136145:12981879145]
:INPUT ACCEPT [6405157:5721764458]
:FORWARD ACCEPT [43793330:7264490140]
:OUTPUT ACCEPT [6166321:1121031603]
:POSTROUTING ACCEPT [49959559:8385515999]
COMMIT
# Completed on Tue Feb 21 01:00:01 2017
# Generated by iptables-save v1.4.21 on Tue Feb 21 01:00:01 2017
# filter table: default-DROP policies on all three built-in chains, but the
# blanket "-p tcp" / "-p udp" ACCEPT rules below make those policies moot for
# TCP and UDP -- see the review note in the INPUT chain.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# DOCKER and the filter-table KUBE-SERVICES chain are declared but carry no
# rules in this dump.
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-SERVICES - [0:0]
# INPUT: drop anything carrying the 0x8000 mark (set by KUBE-MARK-DROP in the
# nat table) first, then the usual conntrack / loopback / icmp / ssh accepts.
-A INPUT -j KUBE-FIREWALL
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# NOTE(review): the next two rules accept every inbound TCP and UDP packet on
# any port, so for those protocols the INPUT DROP policy and the --dport 22
# rule above have no effect -- every service listening on the node is
# reachable from anywhere that can route to it. The trailing "-p icmp" rule
# duplicates the one above and never matches. If the intent is "SSH plus
# cluster traffic only", scope these by port and/or source range instead.
-A INPUT -p tcp -j ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# FORWARD: Docker's isolation hook (just RETURN, below) and the docker0 rules,
# then the same blanket tcp/udp/icmp ACCEPT -- all forwarded traffic is
# allowed regardless of port or interface, so the FORWARD DROP policy is also
# moot for these protocols. Note "-m conntrack" here vs "-m state" elsewhere.
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -p tcp -j ACCEPT
-A FORWARD -p udp -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
# OUTPUT: the filter-table KUBE-SERVICES chain is empty, so the first jump is a
# no-op here; drop-marked packets are then rejected, and NEW/RELATED/
# ESTABLISHED plus loopback traffic is accepted.
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
# Consumer of the 0x8000 drop mark set in the nat table's KUBE-MARK-DROP chain.
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
COMMIT
# Completed on Tue Feb 21 01:00:01 2017