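k8s service iptables: node interfaces, docker0 bridge and iptables chains (two captures from node1)
Note: `iptables -L` without `-t` lists only the filter table, so the KUBE-SERVICES chain shown empty below is the filter-table one. The Service NAT rules that kube-proxy programs in iptables mode live in the nat table and are listed with `iptables -t nat -L -n`. Plain `-L` also hides the interface columns, so the two identical-looking `ACCEPT all -- anywhere anywhere` lines in FORWARD presumably differ by interface; `iptables -L -n -v` shows what each one actually matches.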
[root@node1 ~]# ifconfig -a
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.33.3.1 netmask 255.255.255.0 broadcast 0.0.0.0
inet6 fe80::42:edff:fea4:ed64 prefixlen 64 scopeid 0x20<link>
ether 02:42:ed:a4:ed:64 txqueuelen 0 (Ethernet)
RX packets 16880 bytes 1088062 (1.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17199 bytes 6340445 (6.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::9a6a:f8c8:de39:16bd prefixlen 64 scopeid 0x20<link>
ether 08:00:27:8b:c9:3f txqueuelen 1000 (Ethernet)
RX packets 330073 bytes 442100739 (421.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 49060 bytes 3571845 (3.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.8.101 netmask 255.255.255.0 broadcast 172.17.8.255
inet6 fe80::a00:27ff:fe7e:76ba prefixlen 64 scopeid 0x20<link>
ether 08:00:27:7e:76:ba txqueuelen 1000 (Ethernet)
RX packets 90874 bytes 9141082 (8.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 98600 bytes 66696822 (63.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1067035 bytes 246752167 (235.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1067035 bytes 246752167 (235.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth85c18a9: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::c4f7:57ff:feaa:8709 prefixlen 64 scopeid 0x20<link>
ether c6:f7:57:aa:87:09 txqueuelen 0 (Ethernet)
RX packets 7587 bytes 594626 (580.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7703 bytes 2838237 (2.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@node1 ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.0242eda4ed64 no veth3c7cbf6
[root@node1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
KUBE-FIREWALL all -- anywhere anywhere
KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
Chain FORWARD (policy ACCEPT)
target prot opt source destination
KUBE-FORWARD all -- anywhere anywhere /* kubernetes forwarding rules */
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
KUBE-FIREWALL all -- anywhere anywhere
KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain KUBE-EXTERNAL-SERVICES (1 references)
target prot opt source destination
Chain KUBE-FIREWALL (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
Chain KUBE-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* kubernetes forwarding rules */ mark match 0x4000/0x4000
ACCEPT all -- 10.254.0.0/16 anywhere /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere 10.254.0.0/16 /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED
Chain KUBE-SERVICES (1 references)
target prot opt source destination
[root@node1 ~]# ifconfig -a
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.33.3.1 netmask 255.255.255.0 broadcast 0.0.0.0
inet6 fe80::42:edff:fea4:ed64 prefixlen 64 scopeid 0x20<link>
ether 02:42:ed:a4:ed:64 txqueuelen 0 (Ethernet)
RX packets 16880 bytes 1088062 (1.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17199 bytes 6340445 (6.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::9a6a:f8c8:de39:16bd prefixlen 64 scopeid 0x20<link>
ether 08:00:27:8b:c9:3f txqueuelen 1000 (Ethernet)
RX packets 330073 bytes 442100739 (421.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 49060 bytes 3571845 (3.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.8.101 netmask 255.255.255.0 broadcast 172.17.8.255
inet6 fe80::a00:27ff:fe7e:76ba prefixlen 64 scopeid 0x20<link>
ether 08:00:27:7e:76:ba txqueuelen 1000 (Ethernet)
RX packets 90874 bytes 9141082 (8.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 98600 bytes 66696822 (63.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1067035 bytes 246752167 (235.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1067035 bytes 246752167 (235.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth85c18a9: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::c4f7:57ff:feaa:8709 prefixlen 64 scopeid 0x20<link>
ether c6:f7:57:aa:87:09 txqueuelen 0 (Ethernet)
RX packets 7587 bytes 594626 (580.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7703 bytes 2838237 (2.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethe304190: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::6088:b4ff:fe57:70fc prefixlen 64 scopeid 0x20<link>
ether 62:88:b4:57:70:fc txqueuelen 0 (Ethernet)
RX packets 8 bytes 656 (656.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 656 (656.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@node1 ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.0242eda4ed64 no veth85c18a9
vethf212988
[root@node1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
KUBE-FIREWALL all -- anywhere anywhere
KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
Chain FORWARD (policy ACCEPT)
target prot opt source destination
KUBE-FORWARD all -- anywhere anywhere /* kubernetes forwarding rules */
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
KUBE-FIREWALL all -- anywhere anywhere
KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain KUBE-EXTERNAL-SERVICES (1 references)
target prot opt source destination
Chain KUBE-FIREWALL (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
Chain KUBE-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* kubernetes forwarding rules */ mark match 0x4000/0x4000
ACCEPT all -- 10.254.0.0/16 anywhere /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere 10.254.0.0/16 /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED
Chain KUBE-SERVICES (1 references)
target prot opt source destination