Created
May 7, 2018 15:06
# Generated by iptables-save v1.6.1 on Mon May 7 15:06:25 2018 | |
#
# filter table -- host-level filtering on a Kubernetes node. Every user
# chain here is a KUBE-* chain written by kube-proxy; nothing in this dump
# enforces NetworkPolicy (no CNI chains appear in this capture).
#
# Security-relevant reading of this table:
#   * INPUT, FORWARD and OUTPUT all keep policy ACCEPT. The KUBE-* chains
#     only ACCEPT, DROP-on-mark or REJECT specific flows; whatever falls
#     through them is allowed by the policy. There is no default-deny.
#   * Pod CIDR (from the KUBE-FORWARD rules) is 10.1.0.0/16. Cluster IPs
#     referenced in this dump are in 10.0.0.0/16 (10.0.0.1 = default/kubernetes,
#     10.0.0.10 = kube-dns, 10.0.0.152 = kubernetes-dashboard).
*filter | |
:INPUT ACCEPT [172:68334] | |
:FORWARD ACCEPT [0:0] | |
:OUTPUT ACCEPT [183:40154] | |
# KUBE-EXTERNAL-SERVICES is declared but carries no rules in this capture.
:KUBE-EXTERNAL-SERVICES - [0:0] | |
:KUBE-FIREWALL - [0:0] | |
:KUBE-FORWARD - [0:0] | |
# NOTE: this is the filter-table KUBE-SERVICES; the nat table has a
# different chain with the same name.
:KUBE-SERVICES - [0:0] | |
# Packets carrying mark 0x8000 (set by nat/KUBE-MARK-DROP) are dropped on
# INPUT and OUTPUT. FORWARD is not hooked to KUBE-FIREWALL.
-A INPUT -j KUBE-FIREWALL | |
# New inbound connections are checked against KUBE-EXTERNAL-SERVICES, which
# is empty here, so this rule currently matches nothing.
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES | |
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD | |
-A OUTPUT -j KUBE-FIREWALL | |
# Only OUTPUT (node-local processes) consults the filter-table KUBE-SERVICES
# "no endpoints" REJECTs below. Pod-originated traffic traverses FORWARD
# instead and is not rejected by this table; since the nat table has no DNAT
# entry for those cluster IPs either, such connections presumably just time
# out -- confirm before relying on fast failure from inside pods.
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP | |
# KUBE-FORWARD explicitly accepts (a) service traffic marked 0x4000 for SNAT
# and (b) RELATED/ESTABLISHED flows to or from the pod CIDR. NEW pod-to-pod
# and pod-to-external flows are not matched here; they are allowed only by
# the FORWARD policy ACCEPT above. Setting that policy to DROP without a CNI
# that installs its own accept rules would break pod networking.
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT | |
-A KUBE-FORWARD -s 10.1.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
-A KUBE-FORWARD -d 10.1.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
# "has no endpoints": at capture time kube-dns (UDP and TCP 53 on 10.0.0.10)
# and kubernetes-dashboard (443 on 10.0.0.152) had no endpoints, so node-local
# clients get ICMP port-unreachable instead of hanging. Cluster DNS being in
# this state is an availability problem worth investigating, not just noise.
-A KUBE-SERVICES -d 10.0.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns has no endpoints" -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable | |
-A KUBE-SERVICES -d 10.0.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp has no endpoints" -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable | |
-A KUBE-SERVICES -d 10.0.0.152/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: has no endpoints" -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable | |
COMMIT | |
# Completed on Mon May 7 15:06:25 2018 | |
# Generated by iptables-save v1.6.1 on Mon May 7 15:06:25 2018 | |
#
# nat table -- kube-proxy's (iptables mode) translation of service cluster
# IPs to endpoint addresses, plus the node's outbound masquerade.
# Both PREROUTING (packets entering the node, including from local pods) and
# OUTPUT (node-local processes) run through KUBE-SERVICES, so every cluster
# IP below is reachable from any pod and any process on the node; there is
# no source-based restriction on who may hit a service in this table.
*nat | |
:PREROUTING ACCEPT [0:0] | |
:INPUT ACCEPT [0:0] | |
:OUTPUT ACCEPT [19:1321] | |
:POSTROUTING ACCEPT [11:841] | |
:KUBE-MARK-DROP - [0:0] | |
:KUBE-MARK-MASQ - [0:0] | |
# KUBE-NODEPORTS is declared but has no rules: no NodePort services existed
# when this was captured.
:KUBE-NODEPORTS - [0:0] | |
:KUBE-POSTROUTING - [0:0] | |
# One KUBE-SEP-* chain per service endpoint (three for the API server, one
# each for heapster and nginx); one KUBE-SVC-* chain per service.
:KUBE-SEP-CCILLTQCS7S5E74J - [0:0] | |
:KUBE-SEP-LDZPZH6QQAWGC3G7 - [0:0] | |
:KUBE-SEP-RQJU6ECEAXEVCCX7 - [0:0] | |
:KUBE-SEP-SLVSRMP67MEV6CFQ - [0:0] | |
:KUBE-SEP-XLJSDJ5GAQLXCELM - [0:0] | |
:KUBE-SERVICES - [0:0] | |
:KUBE-SVC-4N57TFCL4MD7ZTDA - [0:0] | |
:KUBE-SVC-BJM46V3U5RZHCFRZ - [0:0] | |
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0] | |
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING | |
# Catch-all source NAT for the node: anything leaving for an address outside
# 10.0.0.0/15 (which covers both the pod CIDR 10.1.0.0/16 and the cluster
# IPs / API server addresses in 10.0.0.0/16), that is not a local address and
# is not 168.63.129.16, is masqueraded to the node's own IP. Consequences:
#   * outbound pod traffic is seen by remote hosts, logs and firewalls as the
#     node, not the pod -- pod-level attribution is lost past this point;
#   * 168.63.129.16 (the same address allow-listed in the security table;
#     presumably a platform service of the hosting cloud -- confirm) is
#     reached by pods with their own pod IP, un-NATed.
-A POSTROUTING ! -d 10.0.0.0/15 -m iprange ! --dst-range 168.63.129.16-168.63.129.16 -m addrtype ! --dst-type LOCAL -j MASQUERADE | |
# Mark-setting chains. 0x8000 is consumed by filter/KUBE-FIREWALL (DROP);
# 0x4000 by KUBE-POSTROUTING below (MASQUERADE). No rule in this dump jumps
# to KUBE-MARK-DROP, so nothing is currently being marked for drop.
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000 | |
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000 | |
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE | |
# Endpoint chains. In each pair, the first rule marks traffic whose source is
# the endpoint itself for masquerade (the endpoint reaching its own service),
# and the second DNATs to the real address:port.
# The API server endpoints (10.0.10.247-249:6443) additionally record the
# client source address with `-m recent --set`; together with the --rcheck
# rules in KUBE-SVC-NPX46M4PTMTKRN6Y this is client-IP session affinity with
# a 10800 s (3 h) timeout -- presumably sessionAffinity: ClientIP on the
# default/kubernetes service.
-A KUBE-SEP-CCILLTQCS7S5E74J -s 10.0.10.248/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ | |
-A KUBE-SEP-CCILLTQCS7S5E74J -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-CCILLTQCS7S5E74J --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.0.10.248:6443 | |
# heapster: cluster IP 10.0.0.57:80 -> single pod 10.1.0.18:8082.
-A KUBE-SEP-LDZPZH6QQAWGC3G7 -s 10.1.0.18/32 -m comment --comment "kube-system/heapster:" -j KUBE-MARK-MASQ | |
-A KUBE-SEP-LDZPZH6QQAWGC3G7 -p tcp -m comment --comment "kube-system/heapster:" -m tcp -j DNAT --to-destination 10.1.0.18:8082 | |
-A KUBE-SEP-RQJU6ECEAXEVCCX7 -s 10.0.10.249/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ | |
-A KUBE-SEP-RQJU6ECEAXEVCCX7 -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-RQJU6ECEAXEVCCX7 --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.0.10.249:6443 | |
-A KUBE-SEP-SLVSRMP67MEV6CFQ -s 10.0.10.247/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ | |
-A KUBE-SEP-SLVSRMP67MEV6CFQ -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-SLVSRMP67MEV6CFQ --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.0.10.247:6443 | |
# nginx: cluster IP 10.0.0.68:80 -> single pod 10.1.0.91:80.
-A KUBE-SEP-XLJSDJ5GAQLXCELM -s 10.1.0.91/32 -m comment --comment "default/nginx:" -j KUBE-MARK-MASQ | |
-A KUBE-SEP-XLJSDJ5GAQLXCELM -p tcp -m comment --comment "default/nginx:" -m tcp -j DNAT --to-destination 10.1.0.91:80 | |
# Service dispatch. For each cluster IP: (1) traffic NOT from the pod CIDR
# (node processes, or anything routed in from outside the node) is marked for
# SNAT, presumably so the backend replies through this node; (2) everything
# to that cluster IP:port jumps to the service's KUBE-SVC-* chain. Services
# with no endpoints (kube-dns, kubernetes-dashboard) have no entry here at
# all -- their REJECTs live in the filter table.
-A KUBE-SERVICES ! -s 10.1.0.0/16 -d 10.0.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ | |
-A KUBE-SERVICES -d 10.0.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y | |
-A KUBE-SERVICES ! -s 10.1.0.0/16 -d 10.0.0.57/32 -p tcp -m comment --comment "kube-system/heapster: cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ | |
-A KUBE-SERVICES -d 10.0.0.57/32 -p tcp -m comment --comment "kube-system/heapster: cluster IP" -m tcp --dport 80 -j KUBE-SVC-BJM46V3U5RZHCFRZ | |
-A KUBE-SERVICES ! -s 10.1.0.0/16 -d 10.0.0.68/32 -p tcp -m comment --comment "default/nginx: cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ | |
-A KUBE-SERVICES -d 10.0.0.68/32 -p tcp -m comment --comment "default/nginx: cluster IP" -m tcp --dport 80 -j KUBE-SVC-4N57TFCL4MD7ZTDA | |
# NodePort dispatch only for packets addressed to a local IP; KUBE-NODEPORTS
# is empty in this capture.
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS | |
-A KUBE-SVC-4N57TFCL4MD7ZTDA -m comment --comment "default/nginx:" -j KUBE-SEP-XLJSDJ5GAQLXCELM | |
-A KUBE-SVC-BJM46V3U5RZHCFRZ -m comment --comment "kube-system/heapster:" -j KUBE-SEP-LDZPZH6QQAWGC3G7 | |
# API server: sticky routing first (--rcheck matches an endpoint this client
# address used within the last 10800 s; --reap expires older entries), then
# an even random split across the three endpoints (1/3, then 1/2 of the
# remainder, then the rest) for clients with no affinity entry.
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-SLVSRMP67MEV6CFQ --mask 255.255.255.255 --rsource -j KUBE-SEP-SLVSRMP67MEV6CFQ | |
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-CCILLTQCS7S5E74J --mask 255.255.255.255 --rsource -j KUBE-SEP-CCILLTQCS7S5E74J | |
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-RQJU6ECEAXEVCCX7 --mask 255.255.255.255 --rsource -j KUBE-SEP-RQJU6ECEAXEVCCX7 | |
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-SLVSRMP67MEV6CFQ | |
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-CCILLTQCS7S5E74J | |
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-RQJU6ECEAXEVCCX7 | |
COMMIT | |
# Completed on Mon May 7 15:06:25 2018 | |
# Generated by iptables-save v1.6.1 on Mon May 7 15:06:25 2018 | |
#
# security table -- not written by kube-proxy. Both rules below ACCEPT
# outbound TCP to 168.63.129.16 (the same address exempted from MASQUERADE in
# the nat table; presumably a platform service of the hosting cloud --
# confirm against whatever agent installs these rules).
#
# NOTE(review): with policy ACCEPT and no DROP/REJECT anywhere in this
# table, these two rules permit nothing that was not already permitted.
# They read like the allow-list half of a uid-based restriction (root may
# open connections to that host; other users may not) in which the second
# rule should be the DROP for everyone else. As written, any local user can
# open new connections there. If restricting non-root access is intended,
# the second rule's target needs to be DROP rather than ACCEPT -- verify
# with the agent that manages this table, since it will overwrite manual
# edits. If unrestricted access is intended, the rules are harmless noise.
*security | |
:INPUT ACCEPT [7127:4803440] | |
:FORWARD ACCEPT [0:0] | |
:OUTPUT ACCEPT [8458:1405124] | |
# Root-owned (uid 0) sockets may open TCP connections to 168.63.129.16.
-A OUTPUT -d 168.63.129.16/32 -p tcp -m owner --uid-owner 0 -j ACCEPT | |
# Any NEW or conntrack-INVALID TCP packet to the same address is accepted
# regardless of owner. Pod traffic does not traverse OUTPUT at all (it is
# forwarded), and FORWARD here carries no rules, so pods are not constrained
# by this table either.
-A OUTPUT -d 168.63.129.16/32 -p tcp -m conntrack --ctstate INVALID,NEW -j ACCEPT | |
COMMIT | |
# Completed on Mon May 7 15:06:25 2018 |