pingles · December 1, 2016 18:40
diff --git a/ip-link.txt b/ip-link.txt
 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 06:51:19:2f:5f:2f brd ff:ff:ff:ff:ff:ff
 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:ee:61:d2:e0 brd ff:ff:ff:ff:ff:ff
 23: cali6cc6f782621@docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 62:da:0e:8e:66:d9 brd ff:ff:ff:ff:ff:ff
 25: calic711b41d174@docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 32:be:91:79:f4:c9 brd ff:ff:ff:ff:ff:ff
diff --git a/iptables-filter.txt b/iptables-filter.txt
 Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   55 15842 felix-INPUT  all  --  any    any     anywhere             anywhere
  323  151K KUBE-FIREWALL  all  --  any    any     anywhere             anywhere

 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 felix-FORWARD  all  --  any    any     anywhere             anywhere

 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   63 10580 felix-OUTPUT  all  --  any    any     anywhere             anywhere
 3711  303K KUBE-FIREWALL  all  --  any    any     anywhere             anywhere
 3431  244K KUBE-SERVICES  all  --  any    any     anywhere             anywhere             /* kubernetes service portals */

 Chain DOCKER (0 references)
 pkts bytes target     prot opt in     out     source               destination

 Chain DOCKER-ISOLATION (0 references)
 pkts bytes target     prot opt in     out     source               destination

 Chain KUBE-FIREWALL (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000

 Chain KUBE-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     udp  --  any    any     anywhere             100.64.0.10          /* kube-system/kube-dns:dns has no endpoints */ udp dpt:domain reject-with icmp-port-unreachable    
    0     0 REJECT     tcp  --  any    any     anywhere             100.64.0.10          /* kube-system/kube-dns:dns-tcp has no endpoints */ tcp dpt:domain reject-with icmp-port-unreachable

 Chain felix-FAILSAFE-IN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh

 Chain felix-FAILSAFE-OUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:2379
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:2380
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:4001
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:afs3-callback

 Chain felix-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  cali+  any     anywhere             anywhere             ctstate INVALID
    0     0 DROP       all  --  any    cali+   anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     all  --  cali+  any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    cali+   anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 felix-FROM-ENDPOINT  all  --  cali+  any     anywhere             anywhere
    0     0 felix-TO-ENDPOINT  all  --  any    cali+   anywhere             anywhere
    0     0 ACCEPT     all  --  cali+  any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    cali+   anywhere             anywhere

 Chain felix-FROM-ENDPOINT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 felix-from-c711b41d174  all  --  calic711b41d174 any     anywhere             anywhere            [goto]
    0     0 felix-from-6cc6f782621  all  --  cali6cc6f782621 any     anywhere             anywhere            [goto]
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* From unknown endpoint */

 Chain felix-FROM-HOST-IF (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere             /* Unknown interface, return */

 Chain felix-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
   55 15842 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 felix-FROM-HOST-IF  all  --  !cali+ any     anywhere             anywhere            [goto]
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootpc dpt:bootps
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain
    0     0 felix-FROM-ENDPOINT  all  --  any    any     anywhere             anywhere

 Chain felix-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
   36  8698 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   27  1882 felix-TO-HOST-IF  all  --  any    !cali+  anywhere             anywhere            [goto]

 Chain felix-TO-ENDPOINT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 felix-to-c711b41d174  all  --  any    calic711b41d174  anywhere             anywhere            [goto]
    0     0 felix-to-6cc6f782621  all  --  any    cali6cc6f782621  anywhere             anywhere            [goto]
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* To unknown endpoint */

 Chain felix-TO-HOST-IF (1 references)
 pkts bytes target     prot opt in     out     source               destination
   27  1882 RETURN     all  --  any    any     anywhere             anywhere             /* Unknown interface, return */

 Chain felix-from-6cc6f782621 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK and 0xfeffffff
    0     0 DROP       all  --  any    any     anywhere             anywhere             MAC ! 2A:B2:17:DE:5F:B4 /* Incorrect source MAC */
    0     0 felix-p-_0f05888047b5982-o  all  --  any    any     anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere             mark match 0x1000000/0x1000000 /* Profile accepted packet */
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* Packet did not match any profile (endpoint eth0) */

 Chain felix-from-c711b41d174 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK and 0xfeffffff
    0     0 DROP       all  --  any    any     anywhere             anywhere             MAC ! CE:C4:49:39:50:3A /* Incorrect source MAC */
    0     0 felix-p-_0f05888047b5982-o  all  --  any    any     anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere             mark match 0x1000000/0x1000000 /* Profile accepted packet */
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* Packet did not match any profile (endpoint eth0) */

 Chain felix-p-_0f05888047b5982-i (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* WARNING Missing chain */

 Chain felix-p-_0f05888047b5982-o (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* WARNING Missing chain */

diff --git a/iptables-nat.txt b/iptables-nat.txt
 Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 felix-PREROUTING  all  --  any    any     anywhere             anywhere            
  372 25883 KUBE-SERVICES  all  --  any    any     anywhere             anywhere             /* kubernetes service portals */
   18  1108 DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

 Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 4519  309K KUBE-SERVICES  all  --  any    any     anywhere             anywhere             /* kubernetes service portals */
    0     0 DOCKER     all  --  any    any     anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL

 Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  165 11442 felix-POSTROUTING  all  --  any    any     anywhere             anywhere            
 4626  315K KUBE-POSTROUTING  all  --  any    any     anywhere             anywhere             /* kubernetes postrouting rules */
  112  7088 MASQUERADE  all  --  any    !docker0  ip-172-17-0-0.eu-west-1.compute.internal/16  anywhere            
    0     0 RETURN     all  --  any    any     ip-192-168-0-0.eu-west-1.compute.internal/16  ip-192-168-0-0.eu-west-1.compute.internal/16 
    0     0 MASQUERADE  all  --  any    any     ip-192-168-0-0.eu-west-1.compute.internal/16 !base-address.mcast.net/4 
    0     0 MASQUERADE  all  --  any    any    !ip-192-168-0-0.eu-west-1.compute.internal/16  ip-192-168-0-0.eu-west-1.compute.internal/16 

 Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 any     anywhere             anywhere            

 Chain KUBE-MARK-DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK or 0x8000

 Chain KUBE-MARK-MASQ (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK or 0x4000

 Chain KUBE-NODEPORTS (1 references)
 pkts bytes target     prot opt in     out     source               destination         

 Chain KUBE-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  any    any     anywhere             anywhere             /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000

 Chain KUBE-SEP-BUKAGQA2UQPZNZBS (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  all  --  any    any     ip-172-20-11-171.eu-west-1.compute.internal  anywhere             /* default/kubernetes:https */
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             /* default/kubernetes:https */ recent: SET name: KUBE-SEP-BUKAGQA2UQPZNZBS side: source mask: 255.255.255.255 tcp to:172.20.11.171:443

 Chain KUBE-SERVICES (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-SVC-NPX46M4PTMTKRN6Y  tcp  --  any    any     anywhere             100.64.0.1           /* default/kubernetes:https cluster IP */ tcp dpt:https
    0     0 KUBE-SVC-TCOU7JCQXEZGVUNU  udp  --  any    any     anywhere             100.64.0.10          /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain
    0     0 KUBE-SVC-ERIFXISQEP7F7OF4  tcp  --  any    any     anywhere             100.64.0.10          /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain
    0     0 KUBE-NODEPORTS  all  --  any    any     anywhere             anywhere             /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL

 Chain KUBE-SVC-ERIFXISQEP7F7OF4 (1 references)
 pkts bytes target     prot opt in     out     source               destination         

 Chain KUBE-SVC-NPX46M4PTMTKRN6Y (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-SEP-BUKAGQA2UQPZNZBS  all  --  any    any     anywhere             anywhere             /* default/kubernetes:https */ recent: CHECK seconds: 180 reap name: KUBE-SEP-BUKAGQA2UQPZNZBS side: source mask: 255.255.255.255
    0     0 KUBE-SEP-BUKAGQA2UQPZNZBS  all  --  any    any     anywhere             anywhere             /* default/kubernetes:https */

 Chain KUBE-SVC-TCOU7JCQXEZGVUNU (1 references)
 pkts bytes target     prot opt in     out     source               destination         

 Chain felix-FIP-DNAT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

 Chain felix-FIP-SNAT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

 Chain felix-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  165 11442 felix-FIP-SNAT  all  --  any    any     anywhere             anywhere            

 Chain felix-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 felix-FIP-DNAT  all  --  any    any     anywhere             anywhere
	1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
	link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
	2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP mode DEFAULT group default qlen 1000
	link/ether 06:51:19:2f:5f:2f brd ff:ff:ff:ff:ff:ff
	3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
	link/ether 02:42:ee:61:d2:e0 brd ff:ff:ff:ff:ff:ff
	23: cali6cc6f782621@docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP mode DEFAULT group default
	link/ether 62:da:0e:8e:66:d9 brd ff:ff:ff:ff:ff:ff
	25: calic711b41d174@docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP mode DEFAULT group default
	link/ether 32:be:91:79:f4:c9 brd ff:ff:ff:ff:ff:ff
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	pkts bytes target prot opt in out source destination
	55 15842 felix-INPUT all -- any any anywhere anywhere
	323 151K KUBE-FIREWALL all -- any any anywhere anywhere

	Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
	pkts bytes target prot opt in out source destination
	0 0 felix-FORWARD all -- any any anywhere anywhere

	Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
	pkts bytes target prot opt in out source destination
	63 10580 felix-OUTPUT all -- any any anywhere anywhere
	3711 303K KUBE-FIREWALL all -- any any anywhere anywhere
	3431 244K KUBE-SERVICES all -- any any anywhere anywhere /* kubernetes service portals */

	Chain DOCKER (0 references)
	pkts bytes target prot opt in out source destination

	Chain DOCKER-ISOLATION (0 references)
	pkts bytes target prot opt in out source destination

	Chain KUBE-FIREWALL (2 references)
	pkts bytes target prot opt in out source destination
	0 0 DROP all -- any any anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000

	Chain KUBE-SERVICES (1 references)
	pkts bytes target prot opt in out source destination
	0 0 REJECT udp -- any any anywhere 100.64.0.10 /* kube-system/kube-dns:dns has no endpoints */ udp dpt:domain reject-with icmp-port-unreachable
	0 0 REJECT tcp -- any any anywhere 100.64.0.10 /* kube-system/kube-dns:dns-tcp has no endpoints */ tcp dpt:domain reject-with icmp-port-unreachable

	Chain felix-FAILSAFE-IN (0 references)
	pkts bytes target prot opt in out source destination
	0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh

	Chain felix-FAILSAFE-OUT (0 references)
	pkts bytes target prot opt in out source destination
	0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:2379
	0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:2380
	0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:4001
	0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:afs3-callback

	Chain felix-FORWARD (1 references)
	pkts bytes target prot opt in out source destination
	0 0 DROP all -- cali+ any anywhere anywhere ctstate INVALID
	0 0 DROP all -- any cali+ anywhere anywhere ctstate INVALID
	0 0 ACCEPT all -- cali+ any anywhere anywhere ctstate RELATED,ESTABLISHED
	0 0 ACCEPT all -- any cali+ anywhere anywhere ctstate RELATED,ESTABLISHED
	0 0 felix-FROM-ENDPOINT all -- cali+ any anywhere anywhere
	0 0 felix-TO-ENDPOINT all -- any cali+ anywhere anywhere
	0 0 ACCEPT all -- cali+ any anywhere anywhere
	0 0 ACCEPT all -- any cali+ anywhere anywhere

	Chain felix-FROM-ENDPOINT (2 references)
	pkts bytes target prot opt in out source destination
	0 0 felix-from-c711b41d174 all -- calic711b41d174 any anywhere anywhere [goto]
	0 0 felix-from-6cc6f782621 all -- cali6cc6f782621 any anywhere anywhere [goto]
	0 0 DROP all -- any any anywhere anywhere /* From unknown endpoint */

	Chain felix-FROM-HOST-IF (1 references)
	pkts bytes target prot opt in out source destination
	0 0 RETURN all -- any any anywhere anywhere /* Unknown interface, return */

	Chain felix-INPUT (1 references)
	pkts bytes target prot opt in out source destination
	0 0 DROP all -- any any anywhere anywhere ctstate INVALID
	55 15842 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
	0 0 felix-FROM-HOST-IF all -- !cali+ any anywhere anywhere [goto]
	0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootpc dpt:bootps
	0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
	0 0 felix-FROM-ENDPOINT all -- any any anywhere anywhere

	Chain felix-OUTPUT (1 references)
	pkts bytes target prot opt in out source destination
	0 0 DROP all -- any any anywhere anywhere ctstate INVALID
	36 8698 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
	27 1882 felix-TO-HOST-IF all -- any !cali+ anywhere anywhere [goto]

	Chain felix-TO-ENDPOINT (1 references)
	pkts bytes target prot opt in out source destination
	0 0 felix-to-c711b41d174 all -- any calic711b41d174 anywhere anywhere [goto]
	0 0 felix-to-6cc6f782621 all -- any cali6cc6f782621 anywhere anywhere [goto]
	0 0 DROP all -- any any anywhere anywhere /* To unknown endpoint */

	Chain felix-TO-HOST-IF (1 references)
	pkts bytes target prot opt in out source destination
	27 1882 RETURN all -- any any anywhere anywhere /* Unknown interface, return */

	Chain felix-from-6cc6f782621 (1 references)
	pkts bytes target prot opt in out source destination
	0 0 MARK all -- any any anywhere anywhere MARK and 0xfeffffff
	0 0 DROP all -- any any anywhere anywhere MAC ! 2A:B2:17:DE:5F:B4 /* Incorrect source MAC */
	0 0 felix-p-_0f05888047b5982-o all -- any any anywhere anywhere
	0 0 RETURN all -- any any anywhere anywhere mark match 0x1000000/0x1000000 /* Profile accepted packet */
	0 0 DROP all -- any any anywhere anywhere /* Packet did not match any profile (endpoint eth0) */

	Chain felix-from-c711b41d174 (1 references)
	pkts bytes target prot opt in out source destination
	0 0 MARK all -- any any anywhere anywhere MARK and 0xfeffffff
	0 0 DROP all -- any any anywhere anywhere MAC ! CE:C4:49:39:50:3A /* Incorrect source MAC */
	0 0 felix-p-_0f05888047b5982-o all -- any any anywhere anywhere
	0 0 RETURN all -- any any anywhere anywhere mark match 0x1000000/0x1000000 /* Profile accepted packet */
	0 0 DROP all -- any any anywhere anywhere /* Packet did not match any profile (endpoint eth0) */

	Chain felix-p-_0f05888047b5982-i (2 references)
	pkts bytes target prot opt in out source destination
	0 0 DROP all -- any any anywhere anywhere /* WARNING Missing chain */

	Chain felix-p-_0f05888047b5982-o (2 references)
	pkts bytes target prot opt in out source destination
	0 0 DROP all -- any any anywhere anywhere /* WARNING Missing chain */
	Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
	pkts bytes target prot opt in out source destination
	0 0 felix-PREROUTING all -- any any anywhere anywhere
	372 25883 KUBE-SERVICES all -- any any anywhere anywhere /* kubernetes service portals */
	18 1108 DOCKER all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL

	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	pkts bytes target prot opt in out source destination

	Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
	pkts bytes target prot opt in out source destination
	4519 309K KUBE-SERVICES all -- any any anywhere anywhere /* kubernetes service portals */
	0 0 DOCKER all -- any any anywhere !loopback/8 ADDRTYPE match dst-type LOCAL

	Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
	pkts bytes target prot opt in out source destination
	165 11442 felix-POSTROUTING all -- any any anywhere anywhere
	4626 315K KUBE-POSTROUTING all -- any any anywhere anywhere /* kubernetes postrouting rules */
	112 7088 MASQUERADE all -- any !docker0 ip-172-17-0-0.eu-west-1.compute.internal/16 anywhere
	0 0 RETURN all -- any any ip-192-168-0-0.eu-west-1.compute.internal/16 ip-192-168-0-0.eu-west-1.compute.internal/16
	0 0 MASQUERADE all -- any any ip-192-168-0-0.eu-west-1.compute.internal/16 !base-address.mcast.net/4
	0 0 MASQUERADE all -- any any !ip-192-168-0-0.eu-west-1.compute.internal/16 ip-192-168-0-0.eu-west-1.compute.internal/16

	Chain DOCKER (2 references)
	pkts bytes target prot opt in out source destination
	0 0 RETURN all -- docker0 any anywhere anywhere

	Chain KUBE-MARK-DROP (0 references)
	pkts bytes target prot opt in out source destination
	0 0 MARK all -- any any anywhere anywhere MARK or 0x8000

	Chain KUBE-MARK-MASQ (1 references)
	pkts bytes target prot opt in out source destination
	0 0 MARK all -- any any anywhere anywhere MARK or 0x4000

	Chain KUBE-NODEPORTS (1 references)
	pkts bytes target prot opt in out source destination

	Chain KUBE-POSTROUTING (1 references)
	pkts bytes target prot opt in out source destination
	0 0 MASQUERADE all -- any any anywhere anywhere /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000

	Chain KUBE-SEP-BUKAGQA2UQPZNZBS (2 references)
	pkts bytes target prot opt in out source destination
	0 0 KUBE-MARK-MASQ all -- any any ip-172-20-11-171.eu-west-1.compute.internal anywhere /* default/kubernetes:https */
	0 0 DNAT tcp -- any any anywhere anywhere /* default/kubernetes:https */ recent: SET name: KUBE-SEP-BUKAGQA2UQPZNZBS side: source mask: 255.255.255.255 tcp to:172.20.11.171:443

	Chain KUBE-SERVICES (2 references)
	pkts bytes target prot opt in out source destination
	0 0 KUBE-SVC-NPX46M4PTMTKRN6Y tcp -- any any anywhere 100.64.0.1 /* default/kubernetes:https cluster IP */ tcp dpt:https
	0 0 KUBE-SVC-TCOU7JCQXEZGVUNU udp -- any any anywhere 100.64.0.10 /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain
	0 0 KUBE-SVC-ERIFXISQEP7F7OF4 tcp -- any any anywhere 100.64.0.10 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain
	0 0 KUBE-NODEPORTS all -- any any anywhere anywhere /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL

	Chain KUBE-SVC-ERIFXISQEP7F7OF4 (1 references)
	pkts bytes target prot opt in out source destination

	Chain KUBE-SVC-NPX46M4PTMTKRN6Y (1 references)
	pkts bytes target prot opt in out source destination
	0 0 KUBE-SEP-BUKAGQA2UQPZNZBS all -- any any anywhere anywhere /* default/kubernetes:https */ recent: CHECK seconds: 180 reap name: KUBE-SEP-BUKAGQA2UQPZNZBS side: source mask: 255.255.255.255
	0 0 KUBE-SEP-BUKAGQA2UQPZNZBS all -- any any anywhere anywhere /* default/kubernetes:https */

	Chain KUBE-SVC-TCOU7JCQXEZGVUNU (1 references)
	pkts bytes target prot opt in out source destination

	Chain felix-FIP-DNAT (1 references)
	pkts bytes target prot opt in out source destination

	Chain felix-FIP-SNAT (1 references)
	pkts bytes target prot opt in out source destination

	Chain felix-POSTROUTING (1 references)
	pkts bytes target prot opt in out source destination
	165 11442 felix-FIP-SNAT all -- any any anywhere anywhere

	Chain felix-PREROUTING (1 references)
	pkts bytes target prot opt in out source destination
	0 0 felix-FIP-DNAT all -- any any anywhere anywhere