@afoninsky
Created November 25, 2018 14:00
gke-streamlayer-sl-n1-standard-2-15ee5b38-41k1 /home/drago # iptables-save | grep MASQ
:KUBE-MARK-MASQ - [0:0]
-A POSTROUTING ! -d 10.0.0.0/8 -m comment --comment "kubenet: SNAT for outbound traffic from cluster" -m addrtype ! --dst-type LOCAL -j MASQUERADE
-A KUBE-FW-3XHAPDZ2SSE6DUFQ -m comment --comment "istio-system/istio-ingressgateway:http2-prometheus loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-FW-4BQASKKZBUHVUKPW -m comment --comment "istio-system/istio-ingressgateway:tcp-citadel-grpc-tls loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-FW-62L5C2KEOX6ICGVJ -m comment --comment "istio-system/istio-ingressgateway:tcp loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-FW-7N6LHPYFOVFT454K -m comment --comment "istio-system/istio-ingressgateway:https loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-FW-F4WP6CIDODMYIYVX -m comment --comment "istio-system/istio-ingressgateway:tcp-pilot-grpc-tls loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-FW-FNIRFTR6AM2WTDP7 -m comment --comment "istio-system/istio-ingressgateway:http2-grafana loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-FW-FWUZ7WRQUHHJNJ54 -m comment --comment "istio-system/istio-ingressgateway:tcp-dns-tls loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-FW-G6D3V5KS3PXPUEDS -m comment --comment "istio-system/istio-ingressgateway:http2 loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-FW-JOK3WVUIGNVEBCLE -m comment --comment "default/grpc-debug:grpc-debug loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/default-http-backend:http" -m tcp --dport 31135 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-dns-tls" -m tcp --dport 31405 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp" -m tcp --dport 31400 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-grafana" -m tcp --dport 31817 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2" -m tcp --dport 31380 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:https" -m tcp --dport 31390 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/grpc-debug:grpc-debug" -m tcp --dport 30427 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-pilot-grpc-tls" -m tcp --dport 32540 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-citadel-grpc-tls" -m tcp --dport 31693 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-prometheus" -m tcp --dport 31040 -j KUBE-MARK-MASQ
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-A KUBE-SEP-25NQ7U4FCUTNLE62 -s 10.60.1.6/32 -m comment --comment "kube-system/default-http-backend:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-2EZG5ZBRL53P27AT -s 10.60.3.10/32 -m comment --comment "istio-system/istio-ingressgateway:http2-prometheus" -j KUBE-MARK-MASQ
-A KUBE-SEP-2WN4OZMXIFI35TSC -s 10.60.3.10/32 -m comment --comment "istio-system/istio-ingressgateway:tcp-dns-tls" -j KUBE-MARK-MASQ
-A KUBE-SEP-5JJNVEQPJR6HB3DS -s 10.60.2.5/32 -m comment --comment "istio-system/istio-telemetry:prometheus" -j KUBE-MARK-MASQ
-A KUBE-SEP-62LPEBDZIP64IX5J -s 10.60.3.10/32 -m comment --comment "istio-system/istio-ingressgateway:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-7OUT44ZKBI35X6ID -s 10.60.2.6/32 -m comment --comment "istio-system/istio-pilot:grpc-xds" -j KUBE-MARK-MASQ
-A KUBE-SEP-APLYZYUFGU7S2Y63 -s 10.60.3.5/32 -m comment --comment "kube-system/tiller-deploy:tiller" -j KUBE-MARK-MASQ
-A KUBE-SEP-BDDBSNW566PKETPV -s 10.60.3.12/32 -m comment --comment "istio-system/prometheus:http-prometheus" -j KUBE-MARK-MASQ
-A KUBE-SEP-BJJVQWFB7CVQOJQ5 -s 10.60.2.6/32 -m comment --comment "istio-system/istio-pilot:https-xds" -j KUBE-MARK-MASQ
-A KUBE-SEP-BN2USCQFJQBX7YNJ -s 10.60.1.3/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-DVGZ36US7MRYKOXN -s 10.60.3.9/32 -m comment --comment "istio-system/istio-egressgateway:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-FBJJGPEMY4JFOWMY -s 10.60.2.6/32 -m comment --comment "istio-system/istio-pilot:http-monitoring" -j KUBE-MARK-MASQ
-A KUBE-SEP-FIR3RISWQPAVGP4X -s 10.60.3.10/32 -m comment --comment "istio-system/istio-ingressgateway:tcp-pilot-grpc-tls" -j KUBE-MARK-MASQ
-A KUBE-SEP-FJY6ZLQMBO7NATP3 -s 10.60.3.10/32 -m comment --comment "istio-system/istio-ingressgateway:http2-grafana" -j KUBE-MARK-MASQ
-A KUBE-SEP-GXWK7FRCLI2KCWMG -s 10.60.2.5/32 -m comment --comment "istio-system/istio-telemetry:grpc-mixer" -j KUBE-MARK-MASQ
-A KUBE-SEP-HRY2GUJQHHLHR3RU -s 10.60.3.16/32 -m comment --comment "istio-system/istio-galley:http-monitoring" -j KUBE-MARK-MASQ
-A KUBE-SEP-JED7VGHDZFSWKOJ7 -s 10.60.2.2/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-L45HJM7SJEQARAQ7 -s 10.60.3.11/32 -m comment --comment "istio-system/istio-policy:http-monitoring" -j KUBE-MARK-MASQ
-A KUBE-SEP-MPI32QUC6AKGEMO4 -s 10.60.3.16/32 -m comment --comment "istio-system/istio-galley:https-validation" -j KUBE-MARK-MASQ
-A KUBE-SEP-OVX24OUBCYL55J6U -s 10.60.2.5/32 -m comment --comment "istio-system/istio-telemetry:http-monitoring" -j KUBE-MARK-MASQ
-A KUBE-SEP-RLSIVFGRKVKD4VF4 -s 10.60.3.13/32 -m comment --comment "istio-system/istio-citadel:http-monitoring" -j KUBE-MARK-MASQ
-A KUBE-SEP-SP4AFASQ4ZTAKVIF -s 10.60.3.10/32 -m comment --comment "istio-system/istio-ingressgateway:tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-SU4ADNO46GQLME27 -s 10.60.3.13/32 -m comment --comment "istio-system/istio-citadel:grpc-citadel" -j KUBE-MARK-MASQ
-A KUBE-SEP-SZARR2HOAAYTDKJ7 -s 10.60.3.10/32 -m comment --comment "istio-system/istio-ingressgateway:tcp-citadel-grpc-tls" -j KUBE-MARK-MASQ
-A KUBE-SEP-TMGG2MD26L4V733L -s 10.60.3.9/32 -m comment --comment "istio-system/istio-egressgateway:http2" -j KUBE-MARK-MASQ
-A KUBE-SEP-U44PWLLVP5Z2Q6BA -s 10.60.2.5/32 -m comment --comment "istio-system/istio-telemetry:grpc-mixer-mtls" -j KUBE-MARK-MASQ
-A KUBE-SEP-UQR6AZ4SUUDYPROF -s 10.60.2.2/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-VD2NPLBI555NF6OS -s 10.60.3.15/32 -m comment --comment "istio-system/istio-sidecar-injector:" -j KUBE-MARK-MASQ
-A KUBE-SEP-W22AWLQI6T2ZICDK -s 10.60.2.6/32 -m comment --comment "istio-system/istio-pilot:http-legacy-discovery" -j KUBE-MARK-MASQ
-A KUBE-SEP-WWCNEVFBTXEL5I2A -s 10.60.1.2/32 -m comment --comment "kube-system/heapster:" -j KUBE-MARK-MASQ
-A KUBE-SEP-XH6GU7INWI2KKA2F -s 10.60.3.10/32 -m comment --comment "istio-system/istio-ingressgateway:http2" -j KUBE-MARK-MASQ
-A KUBE-SEP-Y4BULGR3IR7BLDEL -s 10.60.3.11/32 -m comment --comment "istio-system/istio-policy:grpc-mixer-mtls" -j KUBE-MARK-MASQ
-A KUBE-SEP-Y7WPAXBPK7FVQ6W7 -s 104.196.212.110/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-YG6UF4HAXUSUXL74 -s 10.60.3.11/32 -m comment --comment "istio-system/istio-policy:grpc-mixer" -j KUBE-MARK-MASQ
-A KUBE-SEP-YHEXDL6SV67JBT52 -s 10.60.1.5/32 -m comment --comment "kube-system/metrics-server:" -j KUBE-MARK-MASQ
-A KUBE-SEP-YSI3BJNIUHZF47VT -s 10.60.1.3/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-ZPY2TEQCSX5FEC3Z -s 10.60.1.7/32 -m comment --comment "default/grpc-debug:grpc-debug" -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.251.62/32 -p tcp -m comment --comment "kube-system/default-http-backend:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.252.188/32 -p tcp -m comment --comment "istio-system/istio-egressgateway:http2 cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.254.252/32 -p tcp -m comment --comment "istio-system/istio-citadel:http-monitoring cluster IP" -m tcp --dport 9093 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.255.220/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-dns-tls cluster IP" -m tcp --dport 853 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.246.16/32 -p tcp -m comment --comment "istio-system/istio-policy:http-monitoring cluster IP" -m tcp --dport 9093 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.240.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.240.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.254.239/32 -p tcp -m comment --comment "istio-system/istio-galley:http-monitoring cluster IP" -m tcp --dport 9093 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.252.188/32 -p tcp -m comment --comment "istio-system/istio-egressgateway:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.241.41/32 -p tcp -m comment --comment "istio-system/istio-telemetry:http-monitoring cluster IP" -m tcp --dport 9093 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.255.224/32 -p tcp -m comment --comment "istio-system/prometheus:http-prometheus cluster IP" -m tcp --dport 9090 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.243.122/32 -p tcp -m comment --comment "istio-system/istio-sidecar-injector: cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.241.41/32 -p tcp -m comment --comment "istio-system/istio-telemetry:grpc-mixer-mtls cluster IP" -m tcp --dport 15004 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.253.117/32 -p tcp -m comment --comment "istio-system/istio-pilot:grpc-xds cluster IP" -m tcp --dport 15010 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.240.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.254.239/32 -p tcp -m comment --comment "istio-system/istio-galley:https-validation cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.255.220/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp cluster IP" -m tcp --dport 31400 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.241.41/32 -p tcp -m comment --comment "istio-system/istio-telemetry:prometheus cluster IP" -m tcp --dport 42422 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.246.16/32 -p tcp -m comment --comment "istio-system/istio-policy:grpc-mixer-mtls cluster IP" -m tcp --dport 15004 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.253.117/32 -p tcp -m comment --comment "istio-system/istio-pilot:http-legacy-discovery cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.249.57/32 -p tcp -m comment --comment "kube-system/heapster: cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.247.12/32 -p tcp -m comment --comment "kube-system/metrics-server: cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.254.252/32 -p tcp -m comment --comment "istio-system/istio-citadel:grpc-citadel cluster IP" -m tcp --dport 8060 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.255.220/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-grafana cluster IP" -m tcp --dport 15031 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.255.220/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2 cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.255.220/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.241.41/32 -p tcp -m comment --comment "istio-system/istio-telemetry:grpc-mixer cluster IP" -m tcp --dport 9091 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.253.117/32 -p tcp -m comment --comment "istio-system/istio-pilot:http-monitoring cluster IP" -m tcp --dport 9093 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.243.153/32 -p tcp -m comment --comment "default/grpc-debug:grpc-debug cluster IP" -m tcp --dport 50051 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.249.129/32 -p tcp -m comment --comment "kube-system/tiller-deploy:tiller cluster IP" -m tcp --dport 44134 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.255.220/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-pilot-grpc-tls cluster IP" -m tcp --dport 15011 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.255.220/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-citadel-grpc-tls cluster IP" -m tcp --dport 8060 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.255.220/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-prometheus cluster IP" -m tcp --dport 15030 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.246.16/32 -p tcp -m comment --comment "istio-system/istio-policy:grpc-mixer cluster IP" -m tcp --dport 9091 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 10.60.0.0/14 -d 10.63.253.117/32 -p tcp -m comment --comment "istio-system/istio-pilot:https-xds cluster IP" -m tcp --dport 15011 -j KUBE-MARK-MASQ