Last active
July 9, 2020 17:11
-
-
Save bagnaram/69fbbd30c98e89e30cf2c68794716f7d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Generated by iptables-save v1.8.4 on Thu Jul 9 17:03:50 2020 | |
| *mangle | |
| :PREROUTING ACCEPT [293475:52298412] | |
| :INPUT ACCEPT [293475:52298412] | |
| :FORWARD ACCEPT [0:0] | |
| :OUTPUT ACCEPT [293835:56042136] | |
| :POSTROUTING ACCEPT [293835:56042136] | |
| :KUBE-KUBELET-CANARY - [0:0] | |
| :KUBE-PROXY-CANARY - [0:0] | |
| COMMIT | |
| # Completed on Thu Jul 9 17:03:50 2020 | |
| # Generated by iptables-save v1.8.4 on Thu Jul 9 17:03:50 2020 | |
| *nat | |
| :PREROUTING ACCEPT [0:0] | |
| :INPUT ACCEPT [0:0] | |
| :OUTPUT ACCEPT [1257:75420] | |
| :POSTROUTING ACCEPT [1217:73020] | |
| :DOCKER_OUTPUT - [0:0] | |
| :DOCKER_POSTROUTING - [0:0] | |
| :KIND-MASQ-AGENT - [0:0] | |
| :KUBE-KUBELET-CANARY - [0:0] | |
| :KUBE-MARK-DROP - [0:0] | |
| :KUBE-MARK-MASQ - [0:0] | |
| :KUBE-NODEPORTS - [0:0] | |
| :KUBE-POSTROUTING - [0:0] | |
| :KUBE-PROXY-CANARY - [0:0] | |
| :KUBE-SEP-6E7XQMQ4RAYOWTTM - [0:0] | |
| :KUBE-SEP-JIODJ6JBWSLR2JXY - [0:0] | |
| :KUBE-SEP-PUHFDAMRBZWCPADU - [0:0] | |
| :KUBE-SEP-SF3LG62VAE5ALYDV - [0:0] | |
| :KUBE-SEP-WXWGHGKZOCNYRYI7 - [0:0] | |
| :KUBE-SEP-ZP3FB6NMPNCO4VBJ - [0:0] | |
| :KUBE-SEP-ZXMNUKOKXUTL2MK2 - [0:0] | |
| :KUBE-SERVICES - [0:0] | |
| :KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0] | |
| :KUBE-SVC-JD5MR3NA4I4DYORP - [0:0] | |
| :KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0] | |
| :KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0] | |
| -A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
| -A PREROUTING -d 172.19.0.1/32 -j DOCKER_OUTPUT | |
| -A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
| -A OUTPUT -d 172.19.0.1/32 -j DOCKER_OUTPUT | |
| -A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING | |
| -A POSTROUTING -d 172.19.0.1/32 -j DOCKER_POSTROUTING | |
| -A POSTROUTING -m addrtype ! --dst-type LOCAL -m comment --comment "kind-masq-agent: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom KIND-MASQ-AGENT chain" -j KIND-MASQ-AGENT | |
| -A DOCKER_OUTPUT -d 172.19.0.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.11:45815 | |
| -A DOCKER_OUTPUT -d 172.19.0.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.11:41683 | |
| -A DOCKER_POSTROUTING -s 127.0.0.11/32 -p tcp -m tcp --sport 45815 -j SNAT --to-source 172.19.0.1:53 | |
| -A DOCKER_POSTROUTING -s 127.0.0.11/32 -p udp -m udp --sport 41683 -j SNAT --to-source 172.19.0.1:53 | |
| -A KIND-MASQ-AGENT -d 10.244.0.0/16 -m comment --comment "kind-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN | |
| -A KIND-MASQ-AGENT -m comment --comment "kind-masq-agent: outbound traffic is subject to MASQUERADE (must be last in chain)" -j MASQUERADE | |
| -A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000 | |
| -A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000 | |
| -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE --random-fully | |
| -A KUBE-SEP-6E7XQMQ4RAYOWTTM -s 10.244.0.3/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-6E7XQMQ4RAYOWTTM -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.244.0.3:53 | |
| -A KUBE-SEP-JIODJ6JBWSLR2JXY -s 172.19.0.2/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-JIODJ6JBWSLR2JXY -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 172.19.0.2:6443 | |
| -A KUBE-SEP-PUHFDAMRBZWCPADU -s 10.244.0.4/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-PUHFDAMRBZWCPADU -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.244.0.4:9153 | |
| -A KUBE-SEP-SF3LG62VAE5ALYDV -s 10.244.0.4/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-SF3LG62VAE5ALYDV -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.244.0.4:53 | |
| -A KUBE-SEP-WXWGHGKZOCNYRYI7 -s 10.244.0.4/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-WXWGHGKZOCNYRYI7 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.244.0.4:53 | |
| -A KUBE-SEP-ZP3FB6NMPNCO4VBJ -s 10.244.0.3/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-ZP3FB6NMPNCO4VBJ -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.244.0.3:9153 | |
| -A KUBE-SEP-ZXMNUKOKXUTL2MK2 -s 10.244.0.3/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-ZXMNUKOKXUTL2MK2 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.244.0.3:53 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU | |
| -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS | |
| -A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-ZXMNUKOKXUTL2MK2 | |
| -A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-SF3LG62VAE5ALYDV | |
| -A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-ZP3FB6NMPNCO4VBJ | |
| -A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-SEP-PUHFDAMRBZWCPADU | |
| -A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-JIODJ6JBWSLR2JXY | |
| -A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-6E7XQMQ4RAYOWTTM | |
| -A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-WXWGHGKZOCNYRYI7 | |
| COMMIT | |
| # Completed on Thu Jul 9 17:03:50 2020 | |
| # Generated by iptables-save v1.8.4 on Thu Jul 9 17:03:50 2020 | |
| *filter | |
| :INPUT ACCEPT [289223:50895497] | |
| :FORWARD ACCEPT [0:0] | |
| :OUTPUT ACCEPT [289573:54599785] | |
| :KUBE-EXTERNAL-SERVICES - [0:0] | |
| :KUBE-FIREWALL - [0:0] | |
| :KUBE-FORWARD - [0:0] | |
| :KUBE-KUBELET-CANARY - [0:0] | |
| :KUBE-PROXY-CANARY - [0:0] | |
| :KUBE-SERVICES - [0:0] | |
| -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
| -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES | |
| -A INPUT -j KUBE-FIREWALL | |
| -A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD | |
| -A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
| -A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
| -A OUTPUT -j KUBE-FIREWALL | |
| -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP | |
| -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP | |
| -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT | |
| -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| COMMIT | |
| # Completed on Thu Jul 9 17:03:50 2020 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment