openstacker · March 7, 2018 11:41
diff --git a/iptables with kubelet-calico-node on master b/iptables with kubelet-calico-node on master
 [fedora@k8scluster-sc7jximdohmh-master-0 ~]$ sudo iptables-save
 # Generated by iptables-save v1.6.1 on Wed Mar  7 11:37:22 2018
 *raw
 :PREROUTING ACCEPT [10483777:3604394961]
 :OUTPUT ACCEPT [10334074:3606348870]
 :cali-OUTPUT - [0:0]
 :cali-PREROUTING - [0:0]
 :cali-failsafe-in - [0:0]
 :cali-failsafe-out - [0:0]
 :cali-from-host-endpoint - [0:0]
 :cali-to-host-endpoint - [0:0]
 -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
 -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
 -A cali-OUTPUT -m comment --comment "cali:WX1xZBEtmbS0Rhjs" -j MARK --set-xmark 0x0/0xf000000
 -A cali-OUTPUT -m comment --comment "cali:iE00ZyllJNXfrlg_" -j cali-to-host-endpoint
 -A cali-OUTPUT -m comment --comment "cali:Asois4hxp1rUxwJS" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
 -A cali-PREROUTING -m comment --comment "cali:zatSDPVUhhPCk6Iy" -j MARK --set-xmark 0x0/0xf000000
 -A cali-PREROUTING -i cali+ -m comment --comment "cali:-ES4EW0vxFmM81t8" -j MARK --set-xmark 0x4000000/0x4000000
 -A cali-PREROUTING -m comment --comment "cali:VE1J3S_1t9q8GAsm" -m mark --mark 0x0/0x4000000 -j cali-from-host-endpoint
 -A cali-PREROUTING -m comment --comment "cali:VX8l4jKL9w89GXz5" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
 -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
 -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
 -A cali-failsafe-out -p tcp -m comment --comment "cali:73bZKoyDfOpFwC2T" -m multiport --dports 2379 -j ACCEPT
 -A cali-failsafe-out -p tcp -m comment --comment "cali:QMFuWo6o-d9yOpNm" -m multiport --dports 2380 -j ACCEPT
 -A cali-failsafe-out -p tcp -m comment --comment "cali:Kup7QkrsdmfGX0uL" -m multiport --dports 4001 -j ACCEPT
 -A cali-failsafe-out -p tcp -m comment --comment "cali:xYYr5PEqDf_Pqfkv" -m multiport --dports 7001 -j ACCEPT
 -A cali-failsafe-out -p udp -m comment --comment "cali:nbWBvu4OtudVY60Q" -m multiport --dports 53 -j ACCEPT
 -A cali-failsafe-out -p udp -m comment --comment "cali:UxFu5cDK5En6dT3Y" -m multiport --dports 67 -j ACCEPT
 COMMIT
 # Completed on Wed Mar  7 11:37:22 2018
 # Generated by iptables-save v1.6.1 on Wed Mar  7 11:37:22 2018
 *mangle
 :PREROUTING ACCEPT [32446:1946007]
 :INPUT ACCEPT [10474420:3603388609]
 :FORWARD ACCEPT [9117:972706]
 :OUTPUT ACCEPT [10334132:3606356094]
 :POSTROUTING ACCEPT [10343249:3607328800]
 :cali-PREROUTING - [0:0]
 :cali-failsafe-in - [0:0]
 :cali-from-host-endpoint - [0:0]
 -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
 -A cali-PREROUTING -m comment --comment "cali:6BJqBjBC7crtA-7-" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A cali-PREROUTING -m comment --comment "cali:nE3PUa5RSRqBBvwx" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
 -A cali-PREROUTING -i cali+ -m comment --comment "cali:qgFofvzQe6yJPouQ" -j ACCEPT
 -A cali-PREROUTING -m comment --comment "cali:o178eO5vvpj8e65z" -j cali-from-host-endpoint
 -A cali-PREROUTING -m comment --comment "cali:5TQcm-i_T8rVGEEa" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
 -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
 -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
 COMMIT
 # Completed on Wed Mar  7 11:37:22 2018
 # Generated by iptables-save v1.6.1 on Wed Mar  7 11:37:22 2018
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [16:1250]
 :POSTROUTING ACCEPT [16:1250]
 :DOCKER - [0:0]
 :KUBE-MARK-DROP - [0:0]
 :KUBE-MARK-MASQ - [0:0]
 :KUBE-NODEPORTS - [0:0]
 :KUBE-POSTROUTING - [0:0]
 :KUBE-SEP-4NTD5M5FOBN4R56B - [0:0]
 :KUBE-SEP-SXLTXYXAD2FEWW55 - [0:0]
 :KUBE-SEP-ULTUBRFA3EUPFEEI - [0:0]
 :KUBE-SEP-UTYTW7K6ZF7IQYCQ - [0:0]
 :KUBE-SEP-XQAW2FTO4OYRZLRP - [0:0]
 :KUBE-SEP-ZTOJJD34BQHKTZ7Y - [0:0]
 :KUBE-SERVICES - [0:0]
 :KUBE-SVC-BJM46V3U5RZHCFRZ - [0:0]
 :KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
 :KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
 :KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
 :KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
 :KUBE-SVC-XGLOHA7QRQ3V22RZ - [0:0]
 :cali-OUTPUT - [0:0]
 :cali-POSTROUTING - [0:0]
 :cali-PREROUTING - [0:0]
 :cali-fip-dnat - [0:0]
 :cali-fip-snat - [0:0]
 :cali-nat-outgoing - [0:0]
 -A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
 -A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
 -A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
 -A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
 -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
 -A DOCKER -i docker0 -j RETURN
 -A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
 -A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
 -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
 -A KUBE-SEP-4NTD5M5FOBN4R56B -s 192.168.160.130/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
 -A KUBE-SEP-4NTD5M5FOBN4R56B -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 192.168.160.130:9153
 -A KUBE-SEP-SXLTXYXAD2FEWW55 -s 192.168.160.130/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
 -A KUBE-SEP-SXLTXYXAD2FEWW55 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 192.168.160.130:53
 -A KUBE-SEP-ULTUBRFA3EUPFEEI -s 192.168.160.128/32 -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-MARK-MASQ
 -A KUBE-SEP-ULTUBRFA3EUPFEEI -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp -j DNAT --to-destination 192.168.160.128:8443
 -A KUBE-SEP-UTYTW7K6ZF7IQYCQ -s 192.168.160.129/32 -m comment --comment "kube-system/heapster:" -j KUBE-MARK-MASQ
 -A KUBE-SEP-UTYTW7K6ZF7IQYCQ -p tcp -m comment --comment "kube-system/heapster:" -m tcp -j DNAT --to-destination 192.168.160.129:8082
 -A KUBE-SEP-XQAW2FTO4OYRZLRP -s 10.0.0.11/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
 -A KUBE-SEP-XQAW2FTO4OYRZLRP -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-XQAW2FTO4OYRZLRP --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.0.0.11:6443
 -A KUBE-SEP-ZTOJJD34BQHKTZ7Y -s 192.168.160.130/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
 -A KUBE-SEP-ZTOJJD34BQHKTZ7Y -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 192.168.160.130:53
 -A KUBE-SERVICES -d 10.254.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
 -A KUBE-SERVICES -d 10.254.237.81/32 -p tcp -m comment --comment "kube-system/heapster: cluster IP" -m tcp --dport 80 -j KUBE-SVC-BJM46V3U5RZHCFRZ
 -A KUBE-SERVICES -d 10.254.14.198/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 443 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
 -A KUBE-SERVICES -d 10.254.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
 -A KUBE-SERVICES -d 10.254.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
 -A KUBE-SERVICES -d 10.254.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
 -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
 -A KUBE-SVC-BJM46V3U5RZHCFRZ -m comment --comment "kube-system/heapster:" -j KUBE-SEP-UTYTW7K6ZF7IQYCQ
 -A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-ZTOJJD34BQHKTZ7Y
 -A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-SEP-4NTD5M5FOBN4R56B
 -A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-XQAW2FTO4OYRZLRP --mask 255.255.255.255 --rsource -j KUBE-SEP-XQAW2FTO4OYRZLRP
 -A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-XQAW2FTO4OYRZLRP
 -A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-SXLTXYXAD2FEWW55
 -A KUBE-SVC-XGLOHA7QRQ3V22RZ -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-SEP-ULTUBRFA3EUPFEEI
 -A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
 -A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
 -A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
 -A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
 -A cali-nat-outgoing -m comment --comment "cali:Wd76s91357Uv7N3v" -m set --match-set cali4-masq-ipam-pools src -m set ! --match-set cali4-all-ipam-pools dst -j MASQUERADE
 COMMIT
 # Completed on Wed Mar  7 11:37:22 2018
 # Generated by iptables-save v1.6.1 on Wed Mar  7 11:37:22 2018
 *filter
 :INPUT ACCEPT [1389:415024]
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [1391:487595]
 :DOCKER - [0:0]
 :DOCKER-ISOLATION - [0:0]
 :KUBE-FIREWALL - [0:0]
 :KUBE-FORWARD - [0:0]
 :KUBE-SERVICES - [0:0]
 :cali-FORWARD - [0:0]
 :cali-INPUT - [0:0]
 :cali-OUTPUT - [0:0]
 :cali-failsafe-in - [0:0]
 :cali-failsafe-out - [0:0]
 :cali-from-host-endpoint - [0:0]
 :cali-from-wl-dispatch - [0:0]
 :cali-to-host-endpoint - [0:0]
 :cali-to-wl-dispatch - [0:0]
 :cali-wl-to-host - [0:0]
 -A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
 -A INPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
 -A INPUT -j KUBE-FIREWALL
 -A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD
 -A FORWARD -m comment --comment "kubernetes forward rules" -j KUBE-FORWARD
 -A FORWARD -j DOCKER-ISOLATION
 -A FORWARD -o docker0 -j DOCKER
 -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
 -A FORWARD -i docker0 -o docker0 -j ACCEPT
 -A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
 -A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
 -A OUTPUT -j KUBE-FIREWALL
 -A DOCKER-ISOLATION -j RETURN
 -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
 -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
 -A cali-FORWARD -i cali+ -m comment --comment "cali:X3vB2lGcBrfkYquC" -j cali-from-wl-dispatch
 -A cali-FORWARD -o cali+ -m comment --comment "cali:UtJ9FnhBnFbyQMvU" -j cali-to-wl-dispatch
 -A cali-FORWARD -i cali+ -m comment --comment "cali:Tt19HcSdA5YIGSsw" -j ACCEPT
 -A cali-FORWARD -o cali+ -m comment --comment "cali:9LzfFCvnpC5_MYXm" -j ACCEPT
 -A cali-FORWARD -m comment --comment "cali:7AofLLOqCM5j36rM" -j MARK --set-xmark 0x0/0xe000000
 -A cali-FORWARD -m comment --comment "cali:QM1_joSl7tL76Az7" -m mark --mark 0x0/0x1000000 -j cali-from-host-endpoint
 -A cali-FORWARD -m comment --comment "cali:C1QSog3bk0AykjAO" -j cali-to-host-endpoint
 -A cali-FORWARD -m comment --comment "cali:DmFiPAmzcisqZcvo" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
 -A cali-INPUT -m comment --comment "cali:i7okJZpS8VxaJB3n" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
 -A cali-INPUT -i cali+ -m comment --comment "cali:JaoDb6CLdcGw8g0Y" -g cali-wl-to-host
 -A cali-INPUT -m comment --comment "cali:c5eKVW2VdKQ_LiSM" -j MARK --set-xmark 0x0/0xf000000
 -A cali-INPUT -m comment --comment "cali:hwQKYSlSCkpE_9uN" -j cali-from-host-endpoint
 -A cali-INPUT -m comment --comment "cali:ttp8-serzKCP-bKZ" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
 -A cali-OUTPUT -m comment --comment "cali:YQSSJIsRcHjFbXaI" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
 -A cali-OUTPUT -o cali+ -m comment --comment "cali:KRjBsKsBcFBYKCEw" -j RETURN
 -A cali-OUTPUT -m comment --comment "cali:3VKAQBcyUUW5kS_j" -j MARK --set-xmark 0x0/0xf000000
 -A cali-OUTPUT -m comment --comment "cali:Z1mBCSH1XHM6qq0k" -j cali-to-host-endpoint
 -A cali-OUTPUT -m comment --comment "cali:N0jyWt2RfBedKw3L" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
 -A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
 -A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
 -A cali-failsafe-out -p tcp -m comment --comment "cali:73bZKoyDfOpFwC2T" -m multiport --dports 2379 -j ACCEPT
 -A cali-failsafe-out -p tcp -m comment --comment "cali:QMFuWo6o-d9yOpNm" -m multiport --dports 2380 -j ACCEPT
 -A cali-failsafe-out -p tcp -m comment --comment "cali:Kup7QkrsdmfGX0uL" -m multiport --dports 4001 -j ACCEPT
 -A cali-failsafe-out -p tcp -m comment --comment "cali:xYYr5PEqDf_Pqfkv" -m multiport --dports 7001 -j ACCEPT
 -A cali-failsafe-out -p udp -m comment --comment "cali:nbWBvu4OtudVY60Q" -m multiport --dports 53 -j ACCEPT
 -A cali-failsafe-out -p udp -m comment --comment "cali:UxFu5cDK5En6dT3Y" -m multiport --dports 67 -j ACCEPT
 -A cali-from-wl-dispatch -m comment --comment "cali:zTj6P0TIgYvgz-md" -m comment --comment "Unknown interface" -j DROP
 -A cali-to-wl-dispatch -m comment --comment "cali:7KNphB1nNHw80nIO" -m comment --comment "Unknown interface" -j DROP
 -A cali-wl-to-host -m comment --comment "cali:Ee9Sbo10IpVujdIY" -j cali-from-wl-dispatch
 -A cali-wl-to-host -m comment --comment "cali:nSZbcOoG1xPONxb8" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT
 COMMIT
 # Completed on Wed Mar  7 11:37:22 2018
	[fedora@k8scluster-sc7jximdohmh-master-0 ~]$ sudo iptables-save
	# Generated by iptables-save v1.6.1 on Wed Mar 7 11:37:22 2018
	*raw
	:PREROUTING ACCEPT [10483777:3604394961]
	:OUTPUT ACCEPT [10334074:3606348870]
	:cali-OUTPUT - [0:0]
	:cali-PREROUTING - [0:0]
	:cali-failsafe-in - [0:0]
	:cali-failsafe-out - [0:0]
	:cali-from-host-endpoint - [0:0]
	:cali-to-host-endpoint - [0:0]
	-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
	-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
	-A cali-OUTPUT -m comment --comment "cali:WX1xZBEtmbS0Rhjs" -j MARK --set-xmark 0x0/0xf000000
	-A cali-OUTPUT -m comment --comment "cali:iE00ZyllJNXfrlg_" -j cali-to-host-endpoint
	-A cali-OUTPUT -m comment --comment "cali:Asois4hxp1rUxwJS" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
	-A cali-PREROUTING -m comment --comment "cali:zatSDPVUhhPCk6Iy" -j MARK --set-xmark 0x0/0xf000000
	-A cali-PREROUTING -i cali+ -m comment --comment "cali:-ES4EW0vxFmM81t8" -j MARK --set-xmark 0x4000000/0x4000000
	-A cali-PREROUTING -m comment --comment "cali:VE1J3S_1t9q8GAsm" -m mark --mark 0x0/0x4000000 -j cali-from-host-endpoint
	-A cali-PREROUTING -m comment --comment "cali:VX8l4jKL9w89GXz5" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
	-A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
	-A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
	-A cali-failsafe-out -p tcp -m comment --comment "cali:73bZKoyDfOpFwC2T" -m multiport --dports 2379 -j ACCEPT
	-A cali-failsafe-out -p tcp -m comment --comment "cali:QMFuWo6o-d9yOpNm" -m multiport --dports 2380 -j ACCEPT
	-A cali-failsafe-out -p tcp -m comment --comment "cali:Kup7QkrsdmfGX0uL" -m multiport --dports 4001 -j ACCEPT
	-A cali-failsafe-out -p tcp -m comment --comment "cali:xYYr5PEqDf_Pqfkv" -m multiport --dports 7001 -j ACCEPT
	-A cali-failsafe-out -p udp -m comment --comment "cali:nbWBvu4OtudVY60Q" -m multiport --dports 53 -j ACCEPT
	-A cali-failsafe-out -p udp -m comment --comment "cali:UxFu5cDK5En6dT3Y" -m multiport --dports 67 -j ACCEPT
	COMMIT
	# Completed on Wed Mar 7 11:37:22 2018
	# Generated by iptables-save v1.6.1 on Wed Mar 7 11:37:22 2018
	*mangle
	:PREROUTING ACCEPT [32446:1946007]
	:INPUT ACCEPT [10474420:3603388609]
	:FORWARD ACCEPT [9117:972706]
	:OUTPUT ACCEPT [10334132:3606356094]
	:POSTROUTING ACCEPT [10343249:3607328800]
	:cali-PREROUTING - [0:0]
	:cali-failsafe-in - [0:0]
	:cali-from-host-endpoint - [0:0]
	-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
	-A cali-PREROUTING -m comment --comment "cali:6BJqBjBC7crtA-7-" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A cali-PREROUTING -m comment --comment "cali:nE3PUa5RSRqBBvwx" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
	-A cali-PREROUTING -i cali+ -m comment --comment "cali:qgFofvzQe6yJPouQ" -j ACCEPT
	-A cali-PREROUTING -m comment --comment "cali:o178eO5vvpj8e65z" -j cali-from-host-endpoint
	-A cali-PREROUTING -m comment --comment "cali:5TQcm-i_T8rVGEEa" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
	-A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
	-A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
	COMMIT
	# Completed on Wed Mar 7 11:37:22 2018
	# Generated by iptables-save v1.6.1 on Wed Mar 7 11:37:22 2018
	*nat
	:PREROUTING ACCEPT [0:0]
	:INPUT ACCEPT [0:0]
	:OUTPUT ACCEPT [16:1250]
	:POSTROUTING ACCEPT [16:1250]
	:DOCKER - [0:0]
	:KUBE-MARK-DROP - [0:0]
	:KUBE-MARK-MASQ - [0:0]
	:KUBE-NODEPORTS - [0:0]
	:KUBE-POSTROUTING - [0:0]
	:KUBE-SEP-4NTD5M5FOBN4R56B - [0:0]
	:KUBE-SEP-SXLTXYXAD2FEWW55 - [0:0]
	:KUBE-SEP-ULTUBRFA3EUPFEEI - [0:0]
	:KUBE-SEP-UTYTW7K6ZF7IQYCQ - [0:0]
	:KUBE-SEP-XQAW2FTO4OYRZLRP - [0:0]
	:KUBE-SEP-ZTOJJD34BQHKTZ7Y - [0:0]
	:KUBE-SERVICES - [0:0]
	:KUBE-SVC-BJM46V3U5RZHCFRZ - [0:0]
	:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
	:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
	:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
	:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
	:KUBE-SVC-XGLOHA7QRQ3V22RZ - [0:0]
	:cali-OUTPUT - [0:0]
	:cali-POSTROUTING - [0:0]
	:cali-PREROUTING - [0:0]
	:cali-fip-dnat - [0:0]
	:cali-fip-snat - [0:0]
	:cali-nat-outgoing - [0:0]
	-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
	-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
	-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
	-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
	-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
	-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
	-A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
	-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
	-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
	-A DOCKER -i docker0 -j RETURN
	-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
	-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
	-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
	-A KUBE-SEP-4NTD5M5FOBN4R56B -s 192.168.160.130/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
	-A KUBE-SEP-4NTD5M5FOBN4R56B -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 192.168.160.130:9153
	-A KUBE-SEP-SXLTXYXAD2FEWW55 -s 192.168.160.130/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
	-A KUBE-SEP-SXLTXYXAD2FEWW55 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 192.168.160.130:53
	-A KUBE-SEP-ULTUBRFA3EUPFEEI -s 192.168.160.128/32 -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-MARK-MASQ
	-A KUBE-SEP-ULTUBRFA3EUPFEEI -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp -j DNAT --to-destination 192.168.160.128:8443
	-A KUBE-SEP-UTYTW7K6ZF7IQYCQ -s 192.168.160.129/32 -m comment --comment "kube-system/heapster:" -j KUBE-MARK-MASQ
	-A KUBE-SEP-UTYTW7K6ZF7IQYCQ -p tcp -m comment --comment "kube-system/heapster:" -m tcp -j DNAT --to-destination 192.168.160.129:8082
	-A KUBE-SEP-XQAW2FTO4OYRZLRP -s 10.0.0.11/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
	-A KUBE-SEP-XQAW2FTO4OYRZLRP -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-XQAW2FTO4OYRZLRP --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.0.0.11:6443
	-A KUBE-SEP-ZTOJJD34BQHKTZ7Y -s 192.168.160.130/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
	-A KUBE-SEP-ZTOJJD34BQHKTZ7Y -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 192.168.160.130:53
	-A KUBE-SERVICES -d 10.254.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
	-A KUBE-SERVICES -d 10.254.237.81/32 -p tcp -m comment --comment "kube-system/heapster: cluster IP" -m tcp --dport 80 -j KUBE-SVC-BJM46V3U5RZHCFRZ
	-A KUBE-SERVICES -d 10.254.14.198/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 443 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
	-A KUBE-SERVICES -d 10.254.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
	-A KUBE-SERVICES -d 10.254.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
	-A KUBE-SERVICES -d 10.254.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
	-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
	-A KUBE-SVC-BJM46V3U5RZHCFRZ -m comment --comment "kube-system/heapster:" -j KUBE-SEP-UTYTW7K6ZF7IQYCQ
	-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-ZTOJJD34BQHKTZ7Y
	-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-SEP-4NTD5M5FOBN4R56B
	-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-XQAW2FTO4OYRZLRP --mask 255.255.255.255 --rsource -j KUBE-SEP-XQAW2FTO4OYRZLRP
	-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-XQAW2FTO4OYRZLRP
	-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-SXLTXYXAD2FEWW55
	-A KUBE-SVC-XGLOHA7QRQ3V22RZ -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-SEP-ULTUBRFA3EUPFEEI
	-A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
	-A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
	-A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
	-A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
	-A cali-nat-outgoing -m comment --comment "cali:Wd76s91357Uv7N3v" -m set --match-set cali4-masq-ipam-pools src -m set ! --match-set cali4-all-ipam-pools dst -j MASQUERADE
	COMMIT
	# Completed on Wed Mar 7 11:37:22 2018
	# Generated by iptables-save v1.6.1 on Wed Mar 7 11:37:22 2018
	*filter
	:INPUT ACCEPT [1389:415024]
	:FORWARD DROP [0:0]
	:OUTPUT ACCEPT [1391:487595]
	:DOCKER - [0:0]
	:DOCKER-ISOLATION - [0:0]
	:KUBE-FIREWALL - [0:0]
	:KUBE-FORWARD - [0:0]
	:KUBE-SERVICES - [0:0]
	:cali-FORWARD - [0:0]
	:cali-INPUT - [0:0]
	:cali-OUTPUT - [0:0]
	:cali-failsafe-in - [0:0]
	:cali-failsafe-out - [0:0]
	:cali-from-host-endpoint - [0:0]
	:cali-from-wl-dispatch - [0:0]
	:cali-to-host-endpoint - [0:0]
	:cali-to-wl-dispatch - [0:0]
	:cali-wl-to-host - [0:0]
	-A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
	-A INPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
	-A INPUT -j KUBE-FIREWALL
	-A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD
	-A FORWARD -m comment --comment "kubernetes forward rules" -j KUBE-FORWARD
	-A FORWARD -j DOCKER-ISOLATION
	-A FORWARD -o docker0 -j DOCKER
	-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
	-A FORWARD -i docker0 -o docker0 -j ACCEPT
	-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
	-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
	-A OUTPUT -j KUBE-FIREWALL
	-A DOCKER-ISOLATION -j RETURN
	-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
	-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
	-A cali-FORWARD -i cali+ -m comment --comment "cali:X3vB2lGcBrfkYquC" -j cali-from-wl-dispatch
	-A cali-FORWARD -o cali+ -m comment --comment "cali:UtJ9FnhBnFbyQMvU" -j cali-to-wl-dispatch
	-A cali-FORWARD -i cali+ -m comment --comment "cali:Tt19HcSdA5YIGSsw" -j ACCEPT
	-A cali-FORWARD -o cali+ -m comment --comment "cali:9LzfFCvnpC5_MYXm" -j ACCEPT
	-A cali-FORWARD -m comment --comment "cali:7AofLLOqCM5j36rM" -j MARK --set-xmark 0x0/0xe000000
	-A cali-FORWARD -m comment --comment "cali:QM1_joSl7tL76Az7" -m mark --mark 0x0/0x1000000 -j cali-from-host-endpoint
	-A cali-FORWARD -m comment --comment "cali:C1QSog3bk0AykjAO" -j cali-to-host-endpoint
	-A cali-FORWARD -m comment --comment "cali:DmFiPAmzcisqZcvo" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
	-A cali-INPUT -m comment --comment "cali:i7okJZpS8VxaJB3n" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
	-A cali-INPUT -i cali+ -m comment --comment "cali:JaoDb6CLdcGw8g0Y" -g cali-wl-to-host
	-A cali-INPUT -m comment --comment "cali:c5eKVW2VdKQ_LiSM" -j MARK --set-xmark 0x0/0xf000000
	-A cali-INPUT -m comment --comment "cali:hwQKYSlSCkpE_9uN" -j cali-from-host-endpoint
	-A cali-INPUT -m comment --comment "cali:ttp8-serzKCP-bKZ" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
	-A cali-OUTPUT -m comment --comment "cali:YQSSJIsRcHjFbXaI" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
	-A cali-OUTPUT -o cali+ -m comment --comment "cali:KRjBsKsBcFBYKCEw" -j RETURN
	-A cali-OUTPUT -m comment --comment "cali:3VKAQBcyUUW5kS_j" -j MARK --set-xmark 0x0/0xf000000
	-A cali-OUTPUT -m comment --comment "cali:Z1mBCSH1XHM6qq0k" -j cali-to-host-endpoint
	-A cali-OUTPUT -m comment --comment "cali:N0jyWt2RfBedKw3L" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
	-A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
	-A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
	-A cali-failsafe-out -p tcp -m comment --comment "cali:73bZKoyDfOpFwC2T" -m multiport --dports 2379 -j ACCEPT
	-A cali-failsafe-out -p tcp -m comment --comment "cali:QMFuWo6o-d9yOpNm" -m multiport --dports 2380 -j ACCEPT
	-A cali-failsafe-out -p tcp -m comment --comment "cali:Kup7QkrsdmfGX0uL" -m multiport --dports 4001 -j ACCEPT
	-A cali-failsafe-out -p tcp -m comment --comment "cali:xYYr5PEqDf_Pqfkv" -m multiport --dports 7001 -j ACCEPT
	-A cali-failsafe-out -p udp -m comment --comment "cali:nbWBvu4OtudVY60Q" -m multiport --dports 53 -j ACCEPT
	-A cali-failsafe-out -p udp -m comment --comment "cali:UxFu5cDK5En6dT3Y" -m multiport --dports 67 -j ACCEPT
	-A cali-from-wl-dispatch -m comment --comment "cali:zTj6P0TIgYvgz-md" -m comment --comment "Unknown interface" -j DROP
	-A cali-to-wl-dispatch -m comment --comment "cali:7KNphB1nNHw80nIO" -m comment --comment "Unknown interface" -j DROP
	-A cali-wl-to-host -m comment --comment "cali:Ee9Sbo10IpVujdIY" -j cali-from-wl-dispatch
	-A cali-wl-to-host -m comment --comment "cali:nSZbcOoG1xPONxb8" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT
	COMMIT
	# Completed on Wed Mar 7 11:37:22 2018
No results found