no services cluster
# Generated by iptables-save v1.4.21 on Wed Apr 6 22:25:09 2016 | |
# filter table as captured at 22:25:09. The bracketed pairs on the chain
# declarations are packet:byte counters at capture time.
# INPUT, FORWARD and OUTPUT all default to ACCEPT, and the only rule is the
# jump from OUTPUT into KUBE-SERVICES, which is declared but holds no rules in
# this dump. As shown, this table drops or rejects nothing.
# NOTE(review): with FORWARD and INPUT at ACCEPT and no filter rules, traffic
# routed through or addressed to this node is not restricted here; confirm
# that filtering is enforced somewhere this dump does not show (cloud firewall,
# network policy, another table).
*filter | |
:INPUT ACCEPT [99:83333] | |
:FORWARD ACCEPT [2:120] | |
:OUTPUT ACCEPT [89:83230] | |
:KUBE-SERVICES - [0:0] | |
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
COMMIT | |
# Completed on Wed Apr 6 22:25:09 2016 | |
# Generated by iptables-save v1.4.21 on Wed Apr 6 22:25:09 2016 | |
# nat table for the node whose pod subnet is 10.244.0.0/24 (see the
# CNI-kubenet rules below). The "Bad" log line on this page has SRC=10.244.0.5,
# which falls inside that subnet; presumably this is the failing node — confirm.
*nat | |
:PREROUTING ACCEPT [0:0] | |
:INPUT ACCEPT [0:0] | |
:OUTPUT ACCEPT [0:0] | |
:POSTROUTING ACCEPT [0:0] | |
:CNI-kubenet - [0:0] | |
:KUBE-MARK-MASQ - [0:0] | |
:KUBE-NODEPORTS - [0:0] | |
:KUBE-POSTROUTING - [0:0] | |
:KUBE-SEP-CLSAH3PWNEY76FQN - [0:0] | |
:KUBE-SEP-UDU5ETJFU43KPV77 - [0:0] | |
:KUBE-SERVICES - [0:0] | |
:KUBE-SVC-4N57TFCL4MD7ZTDA - [0:0] | |
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0] | |
:RKT-PFWD-DNAT-391af16e - [0:0] | |
:RKT-PFWD-SNAT-391af16e - [0:0] | |
# Inbound (PREROUTING) and locally generated (OUTPUT) packets: anything
# addressed to one of the node's own addresses is offered to the rkt
# port-forward chain first, then every packet goes through KUBE-SERVICES.
-A PREROUTING -m addrtype --dst-type LOCAL -j RKT-PFWD-DNAT-391af16e | |
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
-A OUTPUT -m addrtype --dst-type LOCAL -j RKT-PFWD-DNAT-391af16e | |
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
# Source NAT stage, evaluated in this order: loopback-sourced traffic leaving
# loopback, packets carrying the Kubernetes masquerade mark, then traffic
# sourced from the pod subnet.
# NOTE(review): the 22:50:59 dump further down this page has one more rule at
# this point, `-A POSTROUTING ! -d 10.0.0.0/8 -m addrtype ! --dst-type LOCAL -j MASQUERADE`,
# which is absent here. The page does not establish whether that difference is
# related to the failing service traffic.
-A POSTROUTING -s 127.0.0.1/32 ! -d 127.0.0.1/32 -j RKT-PFWD-SNAT-391af16e | |
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING | |
-A POSTROUTING -s 10.244.0.0/24 -j CNI-kubenet | |
# Pod-subnet traffic: kept un-NATed when it stays inside 10.244.0.0/24,
# otherwise masqueraded unless the destination is multicast (224.0.0.0/4).
-A CNI-kubenet -d 10.244.0.0/24 -j ACCEPT | |
-A CNI-kubenet ! -d 224.0.0.0/4 -j MASQUERADE | |
# Bit 0x4000 of the packet mark flags a packet for masquerading; the flag is
# set in KUBE-MARK-MASQ and acted on in KUBE-POSTROUTING.
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000 | |
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE | |
# Endpoint chain for default/nginx: a packet whose source is the endpoint
# itself (10.244.0.2) is marked for masquerade, then TCP is DNATed to
# 10.244.0.2:80.
-A KUBE-SEP-CLSAH3PWNEY76FQN -s 10.244.0.2/32 -m comment --comment "default/nginx:" -j KUBE-MARK-MASQ | |
-A KUBE-SEP-CLSAH3PWNEY76FQN -p tcp -m comment --comment "default/nginx:" -m tcp -j DNAT --to-destination 10.244.0.2:80 | |
# Endpoint chain for default/kubernetes:https: same pattern towards
# 10.240.0.2:443, and `-m recent --set` records the packet's source address
# under the chain's name so the service chain below can re-use this endpoint.
-A KUBE-SEP-UDU5ETJFU43KPV77 -s 10.240.0.2/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ | |
-A KUBE-SEP-UDU5ETJFU43KPV77 -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-UDU5ETJFU43KPV77 --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.240.0.2:443 | |
# Service dispatch: cluster IP 10.0.0.1:443 -> default/kubernetes:https,
# cluster IP 10.0.177.64:80 -> default/nginx. The final rule hands anything
# addressed to a local address to KUBE-NODEPORTS, which holds no rules in
# this dump.
-A KUBE-SERVICES -d 10.0.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y | |
-A KUBE-SERVICES -d 10.0.177.64/32 -p tcp -m comment --comment "default/nginx: cluster IP" -m tcp --dport 80 -j KUBE-SVC-4N57TFCL4MD7ZTDA | |
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS | |
# default/nginx has a single endpoint chain.
-A KUBE-SVC-4N57TFCL4MD7ZTDA -m comment --comment "default/nginx:" -j KUBE-SEP-CLSAH3PWNEY76FQN | |
# default/kubernetes:https: a source address recorded within the last 180
# seconds is sent back to the same endpoint (`--rcheck --seconds 180 --reap`);
# every other packet falls through to the unconditional jump.
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 180 --reap --name KUBE-SEP-UDU5ETJFU43KPV77 --mask 255.255.255.255 --rsource -j KUBE-SEP-UDU5ETJFU43KPV77 | |
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-UDU5ETJFU43KPV77 | |
# rkt port-forward pair: TCP to destination port 0 on a local address is
# DNATed to 172.16.28.2:80, and the loopback-sourced flow to that target is
# masqueraded.
# NOTE(review): `--dport 0` looks like a host port that was never set. As
# written the DNAT rule is reachable from PREROUTING for any local address,
# not just loopback. Confirm the intended host port and interface scope.
-A RKT-PFWD-DNAT-391af16e -p tcp -m tcp --dport 0 -j DNAT --to-destination 172.16.28.2:80 | |
-A RKT-PFWD-SNAT-391af16e -s 127.0.0.1/32 -d 172.16.28.2/32 -p tcp -m tcp --dport 0 -j MASQUERADE | |
COMMIT | |
# Completed on Wed Apr 6 22:25:09 2016 |
Good: | |
DBG@PREROUTING: IN=cbr0 OUT= PHYSIN=veth77edc239 MAC=5a:6c:21:94:ca:3c:3a:bb:1c:27:b0:f8:08:00 SRC=10.244.1.4 DST=10.0.25.0 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4577 DF PROTO=TCP SPT=57048 DPT=80 WINDOW=28400 RES=0x00 SYN URGP=0 | |
Bad (note: this capture has no PHYSIN= field, unlike the good one above): | |
DBG@PREROUTING: IN=cbr0 OUT= MAC=66:f6:b1:fb:25:d3:a2:a6:0d:6f:60:b5:08:00 SRC=10.244.0.5 DST=10.0.56.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14572 DF PROTO=TCP SPT=38046 DPT=80 WINDOW=28400 RES=0x00 SYN URGP=0 |
# Generated by iptables-save v1.4.21 on Wed Apr 6 22:50:59 2016 | |
# filter table as captured at 22:50:59. The bracketed pairs on the chain
# declarations are packet:byte counters at capture time.
# As in the earlier dump on this page, all three built-in chains default to
# ACCEPT and the only rule is the jump from OUTPUT into KUBE-SERVICES, which
# holds no rules here. This table drops or rejects nothing.
# NOTE(review): FORWARD ACCEPT with no filter rules means forwarded traffic is
# unrestricted by this table; confirm that filtering is enforced somewhere
# this dump does not show.
*filter | |
:INPUT ACCEPT [488:407889] | |
:FORWARD ACCEPT [12:1560] | |
:OUTPUT ACCEPT [456:395719] | |
:KUBE-SERVICES - [0:0] | |
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
COMMIT | |
# Completed on Wed Apr 6 22:50:59 2016 | |
# Generated by iptables-save v1.4.21 on Wed Apr 6 22:50:59 2016 | |
# nat table for the node whose pod subnet is 10.244.1.0/24 (see the
# CNI-kubenet rules below). The "Good" log line on this page has
# SRC=10.244.1.4, which falls inside that subnet; presumably this is the
# working node — confirm.
*nat | |
:PREROUTING ACCEPT [1:60] | |
:INPUT ACCEPT [1:60] | |
:OUTPUT ACCEPT [1:60] | |
:POSTROUTING ACCEPT [0:0] | |
:CNI-kubenet - [0:0] | |
:KUBE-MARK-MASQ - [0:0] | |
:KUBE-NODEPORTS - [0:0] | |
:KUBE-POSTROUTING - [0:0] | |
:KUBE-SEP-UDU5ETJFU43KPV77 - [0:0] | |
:KUBE-SEP-UXHBWR5XIMVGXW3H - [0:0] | |
:KUBE-SERVICES - [0:0] | |
:KUBE-SVC-4N57TFCL4MD7ZTDA - [0:0] | |
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0] | |
:RKT-PFWD-DNAT-c5572f2f - [0:0] | |
:RKT-PFWD-SNAT-c5572f2f - [0:0] | |
# Inbound (PREROUTING) and locally generated (OUTPUT) packets: anything
# addressed to one of the node's own addresses is offered to the rkt
# port-forward chain first, then every packet goes through KUBE-SERVICES.
-A PREROUTING -m addrtype --dst-type LOCAL -j RKT-PFWD-DNAT-c5572f2f | |
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
-A OUTPUT -m addrtype --dst-type LOCAL -j RKT-PFWD-DNAT-c5572f2f | |
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
# Source NAT stage. The third rule below does not appear in the 22:25:09 dump
# on this page: it masquerades every packet whose destination is outside
# 10.0.0.0/8 and is not a local address, with no source match at all.
# NOTE(review): because that rule has no `-s`, it also rewrites the source of
# forwarded traffic that did not originate in the pod subnet. Downstream
# source-IP allow-lists and logs will see the node's address; confirm this is
# intended.
-A POSTROUTING -s 127.0.0.1/32 ! -d 127.0.0.1/32 -j RKT-PFWD-SNAT-c5572f2f | |
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING | |
-A POSTROUTING ! -d 10.0.0.0/8 -m addrtype ! --dst-type LOCAL -j MASQUERADE | |
-A POSTROUTING -s 10.244.1.0/24 -j CNI-kubenet | |
# Pod-subnet traffic: kept un-NATed when it stays inside 10.244.1.0/24,
# otherwise masqueraded unless the destination is multicast (224.0.0.0/4).
-A CNI-kubenet -d 10.244.1.0/24 -j ACCEPT | |
-A CNI-kubenet ! -d 224.0.0.0/4 -j MASQUERADE | |
# Bit 0x4000 of the packet mark flags a packet for masquerading; the flag is
# set in KUBE-MARK-MASQ and acted on in KUBE-POSTROUTING.
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000 | |
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE | |
# Endpoint chain for default/kubernetes:https: a packet sourced from the
# endpoint itself (10.240.0.2) is marked for masquerade, then TCP is DNATed to
# 10.240.0.2:443. `-m recent --set` records the source address under the
# chain's name for the 180-second re-use check in the service chain below.
-A KUBE-SEP-UDU5ETJFU43KPV77 -s 10.240.0.2/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ | |
-A KUBE-SEP-UDU5ETJFU43KPV77 -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-UDU5ETJFU43KPV77 --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.240.0.2:443 | |
# Endpoint chain for default/nginx: same hairpin mark, then DNAT to
# 10.244.1.2:80.
-A KUBE-SEP-UXHBWR5XIMVGXW3H -s 10.244.1.2/32 -m comment --comment "default/nginx:" -j KUBE-MARK-MASQ | |
-A KUBE-SEP-UXHBWR5XIMVGXW3H -p tcp -m comment --comment "default/nginx:" -m tcp -j DNAT --to-destination 10.244.1.2:80 | |
# Service dispatch: cluster IP 10.0.0.1:443 -> default/kubernetes:https,
# cluster IP 10.0.249.186:80 -> default/nginx. The final rule hands anything
# addressed to a local address to KUBE-NODEPORTS, which holds no rules in
# this dump.
-A KUBE-SERVICES -d 10.0.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y | |
-A KUBE-SERVICES -d 10.0.249.186/32 -p tcp -m comment --comment "default/nginx: cluster IP" -m tcp --dport 80 -j KUBE-SVC-4N57TFCL4MD7ZTDA | |
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS | |
# default/nginx has a single endpoint chain.
-A KUBE-SVC-4N57TFCL4MD7ZTDA -m comment --comment "default/nginx:" -j KUBE-SEP-UXHBWR5XIMVGXW3H | |
# default/kubernetes:https: a source address recorded within the last 180
# seconds is sent back to the same endpoint; every other packet falls through
# to the unconditional jump.
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 180 --reap --name KUBE-SEP-UDU5ETJFU43KPV77 --mask 255.255.255.255 --rsource -j KUBE-SEP-UDU5ETJFU43KPV77 | |
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-UDU5ETJFU43KPV77 | |
# rkt port-forward pair: TCP to destination port 0 on a local address is
# DNATed to 172.16.28.2:80, and the loopback-sourced flow to that target is
# masqueraded.
# NOTE(review): `--dport 0` looks like a host port that was never set. As
# written the DNAT rule is reachable from PREROUTING for any local address,
# not just loopback. Confirm the intended host port and interface scope.
-A RKT-PFWD-DNAT-c5572f2f -p tcp -m tcp --dport 0 -j DNAT --to-destination 172.16.28.2:80 | |
-A RKT-PFWD-SNAT-c5572f2f -s 127.0.0.1/32 -d 172.16.28.2/32 -p tcp -m tcp --dport 0 -j MASQUERADE | |
COMMIT | |
# Completed on Wed Apr 6 22:50:59 2016 |