Created
July 6, 2020 21:29
-
-
Save bcollard/8ff28dcef4dbe721baa6db5efadd4117 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Generated by iptables-save v1.4.21 on Mon Jul 6 23:27:33 2020 | |
| *mangle | |
| :PREROUTING ACCEPT [1225324166:749240379988] | |
| :INPUT ACCEPT [951846450:560418749160] | |
| :FORWARD ACCEPT [266819969:188434886516] | |
| :OUTPUT ACCEPT [967892150:693991002622] | |
| :POSTROUTING ACCEPT [1234583540:882408320640] | |
| :KUBE-KUBELET-CANARY - [0:0] | |
| :KUBE-PROXY-CANARY - [0:0] | |
| COMMIT | |
| # Completed on Mon Jul 6 23:27:33 2020 | |
| # Generated by iptables-save v1.4.21 on Mon Jul 6 23:27:33 2020 | |
| *filter | |
| :INPUT ACCEPT [820841:886377949] | |
| :FORWARD ACCEPT [0:0] | |
| :OUTPUT ACCEPT [828708:1034012465] | |
| :DOCKER - [0:0] | |
| :DOCKER-ISOLATION-STAGE-1 - [0:0] | |
| :DOCKER-ISOLATION-STAGE-2 - [0:0] | |
| :DOCKER-USER - [0:0] | |
| :KUBE-EXTERNAL-SERVICES - [0:0] | |
| :KUBE-FIREWALL - [0:0] | |
| :KUBE-FORWARD - [0:0] | |
| :KUBE-KUBELET-CANARY - [0:0] | |
| :KUBE-PROXY-CANARY - [0:0] | |
| :KUBE-SERVICES - [0:0] | |
| :WEAVE-NPC - [0:0] | |
| :WEAVE-NPC-DEFAULT - [0:0] | |
| :WEAVE-NPC-EGRESS - [0:0] | |
| :WEAVE-NPC-EGRESS-ACCEPT - [0:0] | |
| :WEAVE-NPC-EGRESS-CUSTOM - [0:0] | |
| :WEAVE-NPC-EGRESS-DEFAULT - [0:0] | |
| :WEAVE-NPC-INGRESS - [0:0] | |
| -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
| -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES | |
| -A INPUT -j KUBE-FIREWALL | |
| -A INPUT -i weave -j WEAVE-NPC-EGRESS | |
| -A INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 6784 -m addrtype ! --src-type LOCAL -m conntrack ! --ctstate RELATED,ESTABLISHED -m comment --comment "Block non-local access to Weave Net control port" -j DROP | |
| -A FORWARD -j DOCKER-ISOLATION-STAGE-1 | |
| -A FORWARD -j DOCKER-USER | |
| -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| -A FORWARD -o docker0 -j DOCKER | |
| -A FORWARD -i docker0 ! -o docker0 -j ACCEPT | |
| -A FORWARD -i docker0 -o docker0 -j ACCEPT | |
| -A FORWARD -i weave -m comment --comment "NOTE: this must go before \'-j KUBE-FORWARD\'" -j WEAVE-NPC-EGRESS | |
| -A FORWARD -o weave -m comment --comment "NOTE: this must go before \'-j KUBE-FORWARD\'" -j WEAVE-NPC | |
| -A FORWARD -o weave -m state --state NEW -j NFLOG --nflog-group 86 | |
| -A FORWARD -o weave -j DROP | |
| -A FORWARD -i weave ! -o weave -j ACCEPT | |
| -A FORWARD -o weave -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| -A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD | |
| -A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
| -A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
| -A OUTPUT -j KUBE-FIREWALL | |
| -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 | |
| -A DOCKER-ISOLATION-STAGE-1 -j RETURN | |
| -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP | |
| -A DOCKER-ISOLATION-STAGE-2 -j RETURN | |
| -A DOCKER-USER -j RETURN | |
| -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP | |
| -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP | |
| -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT | |
| -A KUBE-FORWARD -s 10.244.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| -A KUBE-FORWARD -d 10.244.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| -A KUBE-SERVICES -d 10.102.215.99/32 -p tcp -m comment --comment "r3/clamav:http has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable | |
| -A WEAVE-NPC -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A WEAVE-NPC -d 224.0.0.0/4 -j ACCEPT | |
| -A WEAVE-NPC -m physdev --physdev-out vethwe-bridge --physdev-is-bridged -j ACCEPT | |
| -A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-DEFAULT | |
| -A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-INGRESS | |
| -A WEAVE-NPC-DEFAULT -m set --match-set weave-r(s/Q_wl%o8qJ:lv*9FuT]2%v dst -m comment --comment "DefaultAllow ingress isolation for namespace: weave" -j ACCEPT | |
| -A WEAVE-NPC-DEFAULT -m set --match-set weave-7={.RcJ/?nQ0V4GWgKrvZI0zp dst -m comment --comment "DefaultAllow ingress isolation for namespace: cicd" -j ACCEPT | |
| -A WEAVE-NPC-DEFAULT -m set --match-set weave-;rGqyMIl1HN^cfDki~Z$3]6!N dst -m comment --comment "DefaultAllow ingress isolation for namespace: default" -j ACCEPT | |
| -A WEAVE-NPC-DEFAULT -m set --match-set weave-]B*(W?)t*z5O17G044[gUo#$l dst -m comment --comment "DefaultAllow ingress isolation for namespace: kube-node-lease" -j ACCEPT | |
| -A WEAVE-NPC-DEFAULT -m set --match-set weave-Rzff}h:=]JaaJl/G;(XJpGjZ[ dst -m comment --comment "DefaultAllow ingress isolation for namespace: kube-public" -j ACCEPT | |
| -A WEAVE-NPC-DEFAULT -m set --match-set weave-sUW$VjPE$uO_^RMf6jH:lBKmx dst -m comment --comment "DefaultAllow ingress isolation for namespace: logging" -j ACCEPT | |
| -A WEAVE-NPC-DEFAULT -m set --match-set weave-tMk6Dh2:+Aq9sz3GtyPLSgQGO dst -m comment --comment "DefaultAllow ingress isolation for namespace: monitoring" -j ACCEPT | |
| -A WEAVE-NPC-DEFAULT -m set --match-set weave-t4SJ7UI13[ANR;kZS_UJuw|9r dst -m comment --comment "DefaultAllow ingress isolation for namespace: apim" -j ACCEPT | |
| -A WEAVE-NPC-DEFAULT -m set --match-set weave-P.B|!ZhkAr5q=XZ?3}tMBA+0 dst -m comment --comment "DefaultAllow ingress isolation for namespace: kube-system" -j ACCEPT | |
| -A WEAVE-NPC-DEFAULT -m set --match-set weave-Njk2noLbnK!8W;m_9Cxuj|Ets dst -m comment --comment "DefaultAllow ingress isolation for namespace: r3" -j ACCEPT | |
| -A WEAVE-NPC-EGRESS -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A WEAVE-NPC-EGRESS -m physdev --physdev-in vethwe-bridge --physdev-is-bridged -j RETURN | |
| -A WEAVE-NPC-EGRESS -m addrtype --dst-type LOCAL -j RETURN | |
| -A WEAVE-NPC-EGRESS -d 224.0.0.0/4 -j RETURN | |
| -A WEAVE-NPC-EGRESS -m state --state NEW -j WEAVE-NPC-EGRESS-DEFAULT | |
| -A WEAVE-NPC-EGRESS -m state --state NEW -m mark ! --mark 0x40000/0x40000 -j WEAVE-NPC-EGRESS-CUSTOM | |
| -A WEAVE-NPC-EGRESS -m state --state NEW -m mark ! --mark 0x40000/0x40000 -j NFLOG --nflog-group 86 | |
| -A WEAVE-NPC-EGRESS-ACCEPT -j MARK --set-xmark 0x40000/0x40000 | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-*LqWNA$LMTgLfs@6{[i%y%^Yt src -m comment --comment "DefaultAllow egress isolation for namespace: weave" -j WEAVE-NPC-EGRESS-ACCEPT | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-*LqWNA$LMTgLfs@6{[i%y%^Yt src -m comment --comment "DefaultAllow egress isolation for namespace: weave" -j RETURN | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-y4_Z.lF1cDJyO$=@9|vsgpGPU src -m comment --comment "DefaultAllow egress isolation for namespace: cicd" -j WEAVE-NPC-EGRESS-ACCEPT | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-y4_Z.lF1cDJyO$=@9|vsgpGPU src -m comment --comment "DefaultAllow egress isolation for namespace: cicd" -j RETURN | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-s_+ChJId4Uy_$}G;WdH|~TK)I src -m comment --comment "DefaultAllow egress isolation for namespace: default" -j WEAVE-NPC-EGRESS-ACCEPT | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-s_+ChJId4Uy_$}G;WdH|~TK)I src -m comment --comment "DefaultAllow egress isolation for namespace: default" -j RETURN | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-sui%__gZ}{kX~oZgI_Ttqp=Dp src -m comment --comment "DefaultAllow egress isolation for namespace: kube-node-lease" -j WEAVE-NPC-EGRESS-ACCEPT | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-sui%__gZ}{kX~oZgI_Ttqp=Dp src -m comment --comment "DefaultAllow egress isolation for namespace: kube-node-lease" -j RETURN | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-41s)5vQ^o/xWGz6a20N:~?#|E src -m comment --comment "DefaultAllow egress isolation for namespace: kube-public" -j WEAVE-NPC-EGRESS-ACCEPT | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-41s)5vQ^o/xWGz6a20N:~?#|E src -m comment --comment "DefaultAllow egress isolation for namespace: kube-public" -j RETURN | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-ZZ}Ng+Td[Z*[f:eghkx.(pu_s src -m comment --comment "DefaultAllow egress isolation for namespace: logging" -j WEAVE-NPC-EGRESS-ACCEPT | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-ZZ}Ng+Td[Z*[f:eghkx.(pu_s src -m comment --comment "DefaultAllow egress isolation for namespace: logging" -j RETURN | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-cKT4=+;yzwiz8x@;C{fjHV6$0 src -m comment --comment "DefaultAllow egress isolation for namespace: monitoring" -j WEAVE-NPC-EGRESS-ACCEPT | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-cKT4=+;yzwiz8x@;C{fjHV6$0 src -m comment --comment "DefaultAllow egress isolation for namespace: monitoring" -j RETURN | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-|c{!MZMM((|7Q.UfTjJCG#CNK src -m comment --comment "DefaultAllow egress isolation for namespace: apim" -j WEAVE-NPC-EGRESS-ACCEPT | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-|c{!MZMM((|7Q.UfTjJCG#CNK src -m comment --comment "DefaultAllow egress isolation for namespace: apim" -j RETURN | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-E1ney4o[ojNrLk.6rOHi;7MPE src -m comment --comment "DefaultAllow egress isolation for namespace: kube-system" -j WEAVE-NPC-EGRESS-ACCEPT | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-E1ney4o[ojNrLk.6rOHi;7MPE src -m comment --comment "DefaultAllow egress isolation for namespace: kube-system" -j RETURN | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-Q;Nva[*7GXRvP?Ti8k?o(Vdg[ src -m comment --comment "DefaultAllow egress isolation for namespace: r3" -j WEAVE-NPC-EGRESS-ACCEPT | |
| -A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-Q;Nva[*7GXRvP?Ti8k?o(Vdg[ src -m comment --comment "DefaultAllow egress isolation for namespace: r3" -j RETURN | |
| -A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-=I~EKeq~[g;[#IRZQN85vbxRs src -m set --match-set weave-tOJqtq[!|VUp_6aFowu*[qv{L dst -m tcp --dport 27017 -m comment --comment "namespaces: selector: role=apimapp.kubernetes.io/instance=gravitee-am,app.kubernetes.io/name=am -> pods: namespace: r3, selector: app=mongodb-replicaset,release=mongodb-replicaset (ingress)" -j ACCEPT | |
| -A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-GevUfGdD*u7du69DYnLmev.x6 src -m set --match-set weave-+jnZS[]Z64A][Ja0PnUZmk7)Y dst -m tcp --dport 389 -m comment --comment "namespaces: selector: role=apimapp.kubernetes.io/component=gateway,app.kubernetes.io/instance=gravitee-am,app.kubernetes.io/name=am -> pods: namespace: r3, selector: app.kubernetes.io/instance=openldap,app.kubernetes.io/name=openldap (ingress)" -j ACCEPT | |
| -A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-|LSW_{T;OT2F@p!~fygG.)/*f src -m set --match-set weave-tOJqtq[!|VUp_6aFowu*[qv{L dst -m tcp --dport 27017 -m comment --comment "namespaces: selector: role=apimapp.kubernetes.io/instance=gravitee-apim,app.kubernetes.io/name=apim -> pods: namespace: r3, selector: app=mongodb-replicaset,release=mongodb-replicaset (ingress)" -j ACCEPT | |
| -A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-tOJqtq[!|VUp_6aFowu*[qv{L src -m set --match-set weave-tOJqtq[!|VUp_6aFowu*[qv{L dst -m tcp --dport 27017 -m comment --comment "pods: namespace: r3, selector: app=mongodb-replicaset,release=mongodb-replicaset -> pods: namespace: r3, selector: app=mongodb-replicaset,release=mongodb-replicaset (ingress)" -j ACCEPT | |
| -A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-/T{ix:Dnc;#o%2j_yov_{JYhR src -m set --match-set weave-tOJqtq[!|VUp_6aFowu*[qv{L dst -m tcp --dport 9216 -m comment --comment "namespaces: selector: role=monitoringapp=prometheus -> pods: namespace: r3, selector: app=mongodb-replicaset,release=mongodb-replicaset (ingress)" -j ACCEPT | |
| -A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-a?ihW7n]znKew(kIwLO*6AyTf src -m set --match-set weave-tOJqtq[!|VUp_6aFowu*[qv{L dst -m tcp --dport 9216 -m comment --comment "namespaces: selector: role=monitoringrelease=prometheus-operator -> pods: namespace: r3, selector: app=mongodb-replicaset,release=mongodb-replicaset (ingress)" -j ACCEPT | |
| -A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-mgL+c)c:%Z1z;A8W]8pzzGnT3 src -m set --match-set weave-tOJqtq[!|VUp_6aFowu*[qv{L dst -m tcp --dport 27017 -m comment --comment "namespaces: selector: role=r3app.kubernetes.io/instance=api-asset -> pods: namespace: r3, selector: app=mongodb-replicaset,release=mongodb-replicaset (ingress)" -j ACCEPT | |
| -A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-@!a6G}8u/sEQnet[C=xhoLq3q src -m set --match-set weave-tOJqtq[!|VUp_6aFowu*[qv{L dst -m tcp --dport 27017 -m comment --comment "namespaces: selector: role=r3app.kubernetes.io/instance=api-authorization -> pods: namespace: r3, selector: app=mongodb-replicaset,release=mongodb-replicaset (ingress)" -j ACCEPT | |
| -A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-pvA7apr]2t2%|d@t[dz]Vb@9L src -m set --match-set weave-tOJqtq[!|VUp_6aFowu*[qv{L dst -m tcp --dport 27017 -m comment --comment "namespaces: selector: role=r3app.kubernetes.io/instance=api-calibration -> pods: namespace: r3, selector: app=mongodb-replicaset,release=mongodb-replicaset (ingress)" -j ACCEPT | |
| -A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-u[1F.d+?H91/=/TO@gng6anK2 src -m set --match-set weave-tOJqtq[!|VUp_6aFowu*[qv{L dst -m tcp --dport 27017 -m comment --comment "namespaces: selector: role=r3app.kubernetes.io/instance=api-launcher -> pods: namespace: r3, selector: app=mongodb-replicaset,release=mongodb-replicaset (ingress)" -j ACCEPT | |
| -A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-(iK5IuIyY1C|PWioTo::8c+0n src -m set --match-set weave-tOJqtq[!|VUp_6aFowu*[qv{L dst -m tcp --dport 27017 -m comment --comment "namespaces: selector: role=r3app.kubernetes.io/instance=api-procedure -> pods: namespace: r3, selector: app=mongodb-replicaset,release=mongodb-replicaset (ingress)" -j ACCEPT | |
| COMMIT | |
| # Completed on Mon Jul 6 23:27:33 2020 | |
| # Generated by iptables-save v1.4.21 on Mon Jul 6 23:27:33 2020 | |
| *nat | |
| :PREROUTING ACCEPT [17906:2413114] | |
| :INPUT ACCEPT [9377:1798375] | |
| :OUTPUT ACCEPT [10029:1134821] | |
| :POSTROUTING ACCEPT [10021:1134341] | |
| :DOCKER - [0:0] | |
| :KUBE-KUBELET-CANARY - [0:0] | |
| :KUBE-MARK-DROP - [0:0] | |
| :KUBE-MARK-MASQ - [0:0] | |
| :KUBE-NODEPORTS - [0:0] | |
| :KUBE-POSTROUTING - [0:0] | |
| :KUBE-PROXY-CANARY - [0:0] | |
| :KUBE-SEP-2S6DASD4W7F4NEBC - [0:0] | |
| :KUBE-SEP-3YAZEBSDVJLOULND - [0:0] | |
| :KUBE-SEP-4T5DCZHOW2QMSPVW - [0:0] | |
| :KUBE-SEP-4TYTJM4FFSFEMOHR - [0:0] | |
| :KUBE-SEP-63VA3ON2ISZ6UJPS - [0:0] | |
| :KUBE-SEP-6KVK3XNSNKTRVNGO - [0:0] | |
| :KUBE-SEP-75YLDJA2B6OZ2O2R - [0:0] | |
| :KUBE-SEP-7L5GUJU52NTXWSCJ - [0:0] | |
| :KUBE-SEP-AJYU35V72R343ZFR - [0:0] | |
| :KUBE-SEP-ANPJDUKMVEBH7QHA - [0:0] | |
| :KUBE-SEP-AV6KMHJS2JK6CKTQ - [0:0] | |
| :KUBE-SEP-AYMTXCIZWVJ6BI3G - [0:0] | |
| :KUBE-SEP-B2L5DF3H6FDNYIM2 - [0:0] | |
| :KUBE-SEP-BKPXTG77Y2YD3NB2 - [0:0] | |
| :KUBE-SEP-BXXB6ZDBTRAXPAB5 - [0:0] | |
| :KUBE-SEP-CSBWBPNXVN62G5CO - [0:0] | |
| :KUBE-SEP-CVIXE6S6EIBM2OFA - [0:0] | |
| :KUBE-SEP-DKCE76E3MDOLEX6W - [0:0] | |
| :KUBE-SEP-E5ZF5T3ASP53QTDU - [0:0] | |
| :KUBE-SEP-EFWV4G6Q3IQBNYTL - [0:0] | |
| :KUBE-SEP-GMMNYWPGJAM5HIEO - [0:0] | |
| :KUBE-SEP-GTN4I762XFV4KUCM - [0:0] | |
| :KUBE-SEP-H2PD4GUAWYW2OK35 - [0:0] | |
| :KUBE-SEP-HKPOOSMJE7KM6UO7 - [0:0] | |
| :KUBE-SEP-HVBQUYD2XFH4LLQU - [0:0] | |
| :KUBE-SEP-IXFN4DLB2BBSTIFH - [0:0] | |
| :KUBE-SEP-IYXI7SJ3BFWOKMAJ - [0:0] | |
| :KUBE-SEP-J5NZFUY5JCZGQOZF - [0:0] | |
| :KUBE-SEP-JEJOR4FNE4KNVPN3 - [0:0] | |
| :KUBE-SEP-JETPDJ7CO3KEEBTC - [0:0] | |
| :KUBE-SEP-JJUC4J25APHWTUHC - [0:0] | |
| :KUBE-SEP-JL33X43AEBDBETUC - [0:0] | |
| :KUBE-SEP-JRGZMD4XF4F6SRP7 - [0:0] | |
| :KUBE-SEP-KOA3OWOZTCLKZW5C - [0:0] | |
| :KUBE-SEP-KZGA7W5QYB7GKIHG - [0:0] | |
| :KUBE-SEP-L6342LEWMP3V2Q5C - [0:0] | |
| :KUBE-SEP-LQKB6S4TIM5UKILP - [0:0] | |
| :KUBE-SEP-LR43ENYQK2GRHNVF - [0:0] | |
| :KUBE-SEP-M4357IBKZBG7H2UW - [0:0] | |
| :KUBE-SEP-MBVNEAYRFLQWKDTX - [0:0] | |
| :KUBE-SEP-MXHRTNQY3JZP3FJJ - [0:0] | |
| :KUBE-SEP-NGM4PSOAGQKLKFA2 - [0:0] | |
| :KUBE-SEP-NVD3EZLSM5FJDSZT - [0:0] | |
| :KUBE-SEP-OBVDS4LWPZRTXQ7K - [0:0] | |
| :KUBE-SEP-ODEPH6ITPXZUHZZB - [0:0] | |
| :KUBE-SEP-OFUUGNN4LJNY5MSJ - [0:0] | |
| :KUBE-SEP-OK4CRJJQZI7QWJVQ - [0:0] | |
| :KUBE-SEP-PK3QBUANGW2S5RGW - [0:0] | |
| :KUBE-SEP-PMEE6ENYRASSAHEV - [0:0] | |
| :KUBE-SEP-PNXQMCZRZTTM6QFD - [0:0] | |
| :KUBE-SEP-PVTJZQ4DUYKC64KY - [0:0] | |
| :KUBE-SEP-QUWLLAYJBUJRX6E5 - [0:0] | |
| :KUBE-SEP-RM2PTGRKGRQRNT75 - [0:0] | |
| :KUBE-SEP-RXAPQNPOYQJO4USF - [0:0] | |
| :KUBE-SEP-SNE52AZXQVA7PMZD - [0:0] | |
| :KUBE-SEP-SPIK36MQH2QQRD5D - [0:0] | |
| :KUBE-SEP-T73LSMKBTI52H63Y - [0:0] | |
| :KUBE-SEP-UBSLGD3ZYBHN2FDL - [0:0] | |
| :KUBE-SEP-UIND2X4FA2J4ZUPS - [0:0] | |
| :KUBE-SEP-UK3KLGHSBTRBBMXZ - [0:0] | |
| :KUBE-SEP-UYNRDGENKE5LEFE3 - [0:0] | |
| :KUBE-SEP-VLHBJRJ5HK5R26CJ - [0:0] | |
| :KUBE-SEP-WOZYEXW7ODELQWIW - [0:0] | |
| :KUBE-SEP-X3IWXKMYJPJCUVDJ - [0:0] | |
| :KUBE-SEP-XCLA7OEYBYLOK43A - [0:0] | |
| :KUBE-SEP-XPQEE5CQY2ZKZBIJ - [0:0] | |
| :KUBE-SEP-ZGH6FGGOCNDZWSEI - [0:0] | |
| :KUBE-SERVICES - [0:0] | |
| :KUBE-SVC-2B5LVZX5JHYO5PF4 - [0:0] | |
| :KUBE-SVC-3JGEEGNJMPX2I6CL - [0:0] | |
| :KUBE-SVC-3TKROK7TFNNU6EV6 - [0:0] | |
| :KUBE-SVC-4PEI37TLUGLSBT7N - [0:0] | |
| :KUBE-SVC-5P3R55X2C5H2OL6U - [0:0] | |
| :KUBE-SVC-6B6FPPEANAPAEIEN - [0:0] | |
| :KUBE-SVC-6YHVEA3D6WDTDA2S - [0:0] | |
| :KUBE-SVC-7KQQLYAMWXMG3W4M - [0:0] | |
| :KUBE-SVC-AG2U4SG7BPQCLJXJ - [0:0] | |
| :KUBE-SVC-AOTPSVISNGZOGMPC - [0:0] | |
| :KUBE-SVC-AXCBBDKKT3DGKXXJ - [0:0] | |
| :KUBE-SVC-BBLYE442NYHEJ2N6 - [0:0] | |
| :KUBE-SVC-BGNAPBWJFSTY2UHJ - [0:0] | |
| :KUBE-SVC-CN5C75M45X3WQKE6 - [0:0] | |
| :KUBE-SVC-CZKPXAOE6F4YWCUP - [0:0] | |
| :KUBE-SVC-DCQOVMY6WOVKMSF5 - [0:0] | |
| :KUBE-SVC-DI5MTXCTXM3YSCCP - [0:0] | |
| :KUBE-SVC-DO4OF7TIBVKAP42M - [0:0] | |
| :KUBE-SVC-EHTBSGHSW6EATAW5 - [0:0] | |
| :KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0] | |
| :KUBE-SVC-GVULDYDKHKR6MDP2 - [0:0] | |
| :KUBE-SVC-J3MLTGOJ3F3RMVAT - [0:0] | |
| :KUBE-SVC-JD5MR3NA4I4DYORP - [0:0] | |
| :KUBE-SVC-JJS2LOLYIWRFNBV3 - [0:0] | |
| :KUBE-SVC-JN7W2HMMIP4QAU56 - [0:0] | |
| :KUBE-SVC-NKXCO3Q27V544JIS - [0:0] | |
| :KUBE-SVC-NOMGXN2DVURWP4VZ - [0:0] | |
| :KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0] | |
| :KUBE-SVC-NQNXLNJTTKGC6RSJ - [0:0] | |
| :KUBE-SVC-O3B24R5A4HJH6WGO - [0:0] | |
| :KUBE-SVC-OOJKQW2KWCS3OZRL - [0:0] | |
| :KUBE-SVC-P7AMZE6D2BI2A5AR - [0:0] | |
| :KUBE-SVC-QA7MADU7K7GLLV66 - [0:0] | |
| :KUBE-SVC-QHKWB2NGEYGIPMWM - [0:0] | |
| :KUBE-SVC-QL2PIO6RVKDOA22E - [0:0] | |
| :KUBE-SVC-QVXD2GNPIDECX2QA - [0:0] | |
| :KUBE-SVC-RJ5NZTLPTVOCJNIO - [0:0] | |
| :KUBE-SVC-RJMXSHAFEOHA2UMQ - [0:0] | |
| :KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0] | |
| :KUBE-SVC-TYNKIQDMC64ECKMF - [0:0] | |
| :KUBE-SVC-UWXAAW5NUPFEOJRG - [0:0] | |
| :KUBE-SVC-VKZ6ULCAJSF2BP35 - [0:0] | |
| :KUBE-SVC-WKYDCVKTYQQLHVUO - [0:0] | |
| :KUBE-SVC-XDRCER67H2Z2AUHW - [0:0] | |
| :KUBE-SVC-XUWFLEYT3KN4CP3H - [0:0] | |
| :KUBE-SVC-YOVTPXTZTGVL67U6 - [0:0] | |
| :KUBE-SVC-ZROXDTOXSXYGW2D5 - [0:0] | |
| :KUBE-SVC-ZSK4HNYHPUYVCS3E - [0:0] | |
| :KUBE-XLB-AOTPSVISNGZOGMPC - [0:0] | |
| :KUBE-XLB-JJS2LOLYIWRFNBV3 - [0:0] | |
| :WEAVE - [0:0] | |
| -A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
| -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER | |
| -A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES | |
| -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER | |
| -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE | |
| -A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING | |
| -A POSTROUTING -j WEAVE | |
| -A DOCKER -i docker0 -j RETURN | |
| -A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000 | |
| -A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000 | |
| -A KUBE-NODEPORTS -s 127.0.0.0/8 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller:http" -m tcp --dport 32241 -j KUBE-MARK-MASQ | |
| -A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller:http" -m tcp --dport 32241 -j KUBE-XLB-JJS2LOLYIWRFNBV3 | |
| -A KUBE-NODEPORTS -s 127.0.0.0/8 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller:https" -m tcp --dport 30796 -j KUBE-MARK-MASQ | |
| -A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller:https" -m tcp --dport 30796 -j KUBE-XLB-AOTPSVISNGZOGMPC | |
| -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE | |
| -A KUBE-SEP-2S6DASD4W7F4NEBC -s 10.40.0.10/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-2S6DASD4W7F4NEBC -p tcp -m tcp -j DNAT --to-destination 10.40.0.10:5432 | |
| -A KUBE-SEP-3YAZEBSDVJLOULND -s 10.42.0.22/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-3YAZEBSDVJLOULND -p tcp -m tcp -j DNAT --to-destination 10.42.0.22:9898 | |
| -A KUBE-SEP-4T5DCZHOW2QMSPVW -s 10.42.0.23/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-4T5DCZHOW2QMSPVW -p tcp -m tcp -j DNAT --to-destination 10.42.0.23:8080 | |
| -A KUBE-SEP-4TYTJM4FFSFEMOHR -s 10.244.176.1/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-4TYTJM4FFSFEMOHR -p tcp -m tcp -j DNAT --to-destination 10.244.176.1:8092 | |
| -A KUBE-SEP-63VA3ON2ISZ6UJPS -s 10.244.192.2/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-63VA3ON2ISZ6UJPS -p tcp -m tcp -j DNAT --to-destination 10.244.192.2:10254 | |
| -A KUBE-SEP-6KVK3XNSNKTRVNGO -s 10.44.0.8/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-6KVK3XNSNKTRVNGO -p tcp -m tcp -j DNAT --to-destination 10.44.0.8:9000 | |
| -A KUBE-SEP-75YLDJA2B6OZ2O2R -s 10.125.141.16/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-75YLDJA2B6OZ2O2R -p tcp -m tcp -j DNAT --to-destination 10.125.141.16:9100 | |
| -A KUBE-SEP-7L5GUJU52NTXWSCJ -s 10.32.0.9/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-7L5GUJU52NTXWSCJ -p tcp -m tcp -j DNAT --to-destination 10.32.0.9:5601 | |
| -A KUBE-SEP-AJYU35V72R343ZFR -s 10.42.0.16/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-AJYU35V72R343ZFR -p tcp -m tcp -j DNAT --to-destination 10.42.0.16:8080 | |
| -A KUBE-SEP-ANPJDUKMVEBH7QHA -s 10.244.128.1/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-ANPJDUKMVEBH7QHA -p tcp -m tcp -j DNAT --to-destination 10.244.128.1:389 | |
| -A KUBE-SEP-AV6KMHJS2JK6CKTQ -s 10.244.192.1/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-AV6KMHJS2JK6CKTQ -p tcp -m tcp -j DNAT --to-destination 10.244.192.1:9153 | |
| -A KUBE-SEP-AYMTXCIZWVJ6BI3G -s 10.125.141.46/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-AYMTXCIZWVJ6BI3G -p tcp -m tcp -j DNAT --to-destination 10.125.141.46:9100 | |
| -A KUBE-SEP-B2L5DF3H6FDNYIM2 -s 10.125.140.162/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-B2L5DF3H6FDNYIM2 -p tcp -m tcp -j DNAT --to-destination 10.125.140.162:9100 | |
| -A KUBE-SEP-BKPXTG77Y2YD3NB2 -s 10.125.140.229/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-BKPXTG77Y2YD3NB2 -p tcp -m tcp -j DNAT --to-destination 10.125.140.229:9100 | |
| -A KUBE-SEP-BXXB6ZDBTRAXPAB5 -s 10.42.0.9/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-BXXB6ZDBTRAXPAB5 -p tcp -m tcp -j DNAT --to-destination 10.42.0.9:8080 | |
| -A KUBE-SEP-CSBWBPNXVN62G5CO -s 10.36.0.11/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-CSBWBPNXVN62G5CO -p tcp -m tcp -j DNAT --to-destination 10.36.0.11:9000 | |
| -A KUBE-SEP-CVIXE6S6EIBM2OFA -s 10.40.0.14/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-CVIXE6S6EIBM2OFA -p tcp -m tcp -j DNAT --to-destination 10.40.0.14:8080 | |
| -A KUBE-SEP-DKCE76E3MDOLEX6W -s 10.125.140.230/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-DKCE76E3MDOLEX6W -p tcp -m tcp -j DNAT --to-destination 10.125.140.230:9100 | |
| -A KUBE-SEP-E5ZF5T3ASP53QTDU -s 10.244.192.1/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-E5ZF5T3ASP53QTDU -p udp -m udp -j DNAT --to-destination 10.244.192.1:53 | |
| -A KUBE-SEP-EFWV4G6Q3IQBNYTL -s 10.244.192.5/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-EFWV4G6Q3IQBNYTL -p tcp -m tcp -j DNAT --to-destination 10.244.192.5:8080 | |
| -A KUBE-SEP-GMMNYWPGJAM5HIEO -s 10.40.0.11/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-GMMNYWPGJAM5HIEO -p tcp -m tcp -j DNAT --to-destination 10.40.0.11:8080 | |
| -A KUBE-SEP-GTN4I762XFV4KUCM -s 10.125.140.103/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-GTN4I762XFV4KUCM -p tcp -m tcp -j DNAT --to-destination 10.125.140.103:9100 | |
| -A KUBE-SEP-H2PD4GUAWYW2OK35 -s 10.40.0.16/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-H2PD4GUAWYW2OK35 -p tcp -m tcp -j DNAT --to-destination 10.40.0.16:8080 | |
| -A KUBE-SEP-HKPOOSMJE7KM6UO7 -s 10.244.192.7/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-HKPOOSMJE7KM6UO7 -p tcp -m tcp -j DNAT --to-destination 10.244.192.7:8083 | |
| -A KUBE-SEP-HVBQUYD2XFH4LLQU -s 10.40.0.13/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-HVBQUYD2XFH4LLQU -p tcp -m tcp -j DNAT --to-destination 10.40.0.13:9108 | |
| -A KUBE-SEP-IXFN4DLB2BBSTIFH -s 10.244.192.4/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-IXFN4DLB2BBSTIFH -p tcp -m tcp -j DNAT --to-destination 10.244.192.4:8080 | |
| -A KUBE-SEP-IYXI7SJ3BFWOKMAJ -s 10.42.0.26/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-IYXI7SJ3BFWOKMAJ -p tcp -m tcp -j DNAT --to-destination 10.42.0.26:8080 | |
| -A KUBE-SEP-J5NZFUY5JCZGQOZF -s 10.42.0.6/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-J5NZFUY5JCZGQOZF -p tcp -m tcp -j DNAT --to-destination 10.42.0.6:4040 | |
| -A KUBE-SEP-JEJOR4FNE4KNVPN3 -s 10.44.0.2/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-JEJOR4FNE4KNVPN3 -p tcp -m tcp -j DNAT --to-destination 10.44.0.2:5000 | |
| -A KUBE-SEP-JETPDJ7CO3KEEBTC -s 10.42.0.10/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-JETPDJ7CO3KEEBTC -p tcp -m tcp -j DNAT --to-destination 10.42.0.10:11211 | |
| -A KUBE-SEP-JJUC4J25APHWTUHC -s 10.40.0.4/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-JJUC4J25APHWTUHC -p tcp -m tcp -j DNAT --to-destination 10.40.0.4:9093 | |
| -A KUBE-SEP-JL33X43AEBDBETUC -s 10.42.0.22/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-JL33X43AEBDBETUC -p tcp -m tcp -j DNAT --to-destination 10.42.0.22:9999 | |
| -A KUBE-SEP-JRGZMD4XF4F6SRP7 -s 10.42.0.7/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-JRGZMD4XF4F6SRP7 -p tcp -m tcp -j DNAT --to-destination 10.42.0.7:9000 | |
| -A KUBE-SEP-KOA3OWOZTCLKZW5C -s 10.36.0.5/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-KOA3OWOZTCLKZW5C -p tcp -m tcp -j DNAT --to-destination 10.36.0.5:80 | |
| -A KUBE-SEP-KZGA7W5QYB7GKIHG -s 10.244.192.6/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-KZGA7W5QYB7GKIHG -p tcp -m tcp -j DNAT --to-destination 10.244.192.6:8082 | |
| -A KUBE-SEP-L6342LEWMP3V2Q5C -s 10.244.32.1/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-L6342LEWMP3V2Q5C -p udp -m udp -j DNAT --to-destination 10.244.32.1:53 | |
| -A KUBE-SEP-LQKB6S4TIM5UKILP -s 10.42.0.18/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-LQKB6S4TIM5UKILP -p tcp -m tcp -j DNAT --to-destination 10.42.0.18:3030 | |
| -A KUBE-SEP-LR43ENYQK2GRHNVF -s 10.36.0.4/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-LR43ENYQK2GRHNVF -p tcp -m tcp -j DNAT --to-destination 10.36.0.4:9000 | |
| -A KUBE-SEP-M4357IBKZBG7H2UW -s 10.244.192.1/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-M4357IBKZBG7H2UW -p tcp -m tcp -j DNAT --to-destination 10.244.192.1:53 | |
| -A KUBE-SEP-MBVNEAYRFLQWKDTX -s 10.244.176.2/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-MBVNEAYRFLQWKDTX -p tcp -m tcp -j DNAT --to-destination 10.244.176.2:8093 | |
| -A KUBE-SEP-MXHRTNQY3JZP3FJJ -s 10.42.0.8/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-MXHRTNQY3JZP3FJJ -p tcp -m tcp -j DNAT --to-destination 10.42.0.8:9200 | |
| -A KUBE-SEP-NGM4PSOAGQKLKFA2 -s 10.42.0.13/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-NGM4PSOAGQKLKFA2 -p tcp -m tcp -j DNAT --to-destination 10.42.0.13:8080 | |
| -A KUBE-SEP-NVD3EZLSM5FJDSZT -s 10.42.0.24/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-NVD3EZLSM5FJDSZT -p tcp -m tcp -j DNAT --to-destination 10.42.0.24:80 | |
| -A KUBE-SEP-OBVDS4LWPZRTXQ7K -s 10.244.192.9/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-OBVDS4LWPZRTXQ7K -p tcp -m tcp -j DNAT --to-destination 10.244.192.9:3030 | |
| -A KUBE-SEP-ODEPH6ITPXZUHZZB -s 10.40.0.10/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-ODEPH6ITPXZUHZZB -p tcp -m tcp -j DNAT --to-destination 10.40.0.10:9187 | |
| -A KUBE-SEP-OFUUGNN4LJNY5MSJ -s 10.244.192.2/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-OFUUGNN4LJNY5MSJ -p tcp -m tcp -j DNAT --to-destination 10.244.192.2:443 | |
| -A KUBE-SEP-OK4CRJJQZI7QWJVQ -s 10.36.0.6/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-OK4CRJJQZI7QWJVQ -p tcp -m tcp -j DNAT --to-destination 10.36.0.6:9090 | |
| -A KUBE-SEP-PK3QBUANGW2S5RGW -s 10.244.32.2/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-PK3QBUANGW2S5RGW -p tcp -m tcp -j DNAT --to-destination 10.244.32.2:8082 | |
| -A KUBE-SEP-PMEE6ENYRASSAHEV -s 10.40.0.9/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-PMEE6ENYRASSAHEV -p tcp -m tcp -j DNAT --to-destination 10.40.0.9:8080 | |
| -A KUBE-SEP-PNXQMCZRZTTM6QFD -s 10.125.140.229/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-PNXQMCZRZTTM6QFD -p tcp -m tcp -j DNAT --to-destination 10.125.140.229:6443 | |
| -A KUBE-SEP-PVTJZQ4DUYKC64KY -s 10.40.0.21/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-PVTJZQ4DUYKC64KY -p tcp -m tcp -j DNAT --to-destination 10.40.0.21:8080 | |
| -A KUBE-SEP-QUWLLAYJBUJRX6E5 -s 10.244.192.12/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-QUWLLAYJBUJRX6E5 -p tcp -m tcp -j DNAT --to-destination 10.244.192.12:8080 | |
| -A KUBE-SEP-RM2PTGRKGRQRNT75 -s 10.36.0.2/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-RM2PTGRKGRQRNT75 -p tcp -m tcp -j DNAT --to-destination 10.36.0.2:80 | |
| -A KUBE-SEP-RXAPQNPOYQJO4USF -s 10.244.192.3/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-RXAPQNPOYQJO4USF -p tcp -m tcp -j DNAT --to-destination 10.244.192.3:8080 | |
| -A KUBE-SEP-SNE52AZXQVA7PMZD -s 10.244.32.1/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-SNE52AZXQVA7PMZD -p tcp -m tcp -j DNAT --to-destination 10.244.32.1:53 | |
| -A KUBE-SEP-SPIK36MQH2QQRD5D -s 10.244.192.2/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-SPIK36MQH2QQRD5D -p tcp -m tcp -j DNAT --to-destination 10.244.192.2:80 | |
| -A KUBE-SEP-T73LSMKBTI52H63Y -s 10.42.0.21/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-T73LSMKBTI52H63Y -p tcp -m tcp -j DNAT --to-destination 10.42.0.21:3000 | |
| -A KUBE-SEP-UBSLGD3ZYBHN2FDL -s 10.40.0.22/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-UBSLGD3ZYBHN2FDL -p tcp -m tcp -j DNAT --to-destination 10.40.0.22:8080 | |
| -A KUBE-SEP-UIND2X4FA2J4ZUPS -s 10.40.0.18/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-UIND2X4FA2J4ZUPS -p tcp -m tcp -j DNAT --to-destination 10.40.0.18:80 | |
| -A KUBE-SEP-UK3KLGHSBTRBBMXZ -s 10.244.32.1/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-UK3KLGHSBTRBBMXZ -p tcp -m tcp -j DNAT --to-destination 10.244.32.1:9153 | |
| -A KUBE-SEP-UYNRDGENKE5LEFE3 -s 10.244.128.2/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-UYNRDGENKE5LEFE3 -p tcp -m tcp -j DNAT --to-destination 10.244.128.2:8083 | |
| -A KUBE-SEP-VLHBJRJ5HK5R26CJ -s 10.32.0.2/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-VLHBJRJ5HK5R26CJ -p tcp -m tcp -j DNAT --to-destination 10.32.0.2:80 | |
| -A KUBE-SEP-WOZYEXW7ODELQWIW -s 10.44.0.3/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-WOZYEXW7ODELQWIW -p tcp -m tcp -j DNAT --to-destination 10.44.0.3:9000 | |
| -A KUBE-SEP-X3IWXKMYJPJCUVDJ -s 10.36.0.3/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-X3IWXKMYJPJCUVDJ -p tcp -m tcp -j DNAT --to-destination 10.36.0.3:4873 | |
| -A KUBE-SEP-XCLA7OEYBYLOK43A -s 10.40.0.9/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-XCLA7OEYBYLOK43A -p tcp -m tcp -j DNAT --to-destination 10.40.0.9:8443 | |
| -A KUBE-SEP-XPQEE5CQY2ZKZBIJ -s 10.36.0.8/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-XPQEE5CQY2ZKZBIJ -p tcp -m tcp -j DNAT --to-destination 10.36.0.8:9200 | |
| -A KUBE-SEP-ZGH6FGGOCNDZWSEI -s 10.244.192.13/32 -j KUBE-MARK-MASQ | |
| -A KUBE-SEP-ZGH6FGGOCNDZWSEI -p tcp -m tcp -j DNAT --to-destination 10.244.192.13:8080 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.111.237.88/32 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-default-backend:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.111.237.88/32 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-default-backend:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-QVXD2GNPIDECX2QA | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.111.169.118/32 -p tcp -m comment --comment "cicd/kubeapps-internal-assetsvc:http cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.111.169.118/32 -p tcp -m comment --comment "cicd/kubeapps-internal-assetsvc:http cluster IP" -m tcp --dport 8080 -j KUBE-SVC-3JGEEGNJMPX2I6CL | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.109.96.146/32 -p tcp -m comment --comment "apim/gravitee-am-management-api:management-api cluster IP" -m tcp --dport 83 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.109.96.146/32 -p tcp -m comment --comment "apim/gravitee-am-management-api:management-api cluster IP" -m tcp --dport 83 -j KUBE-SVC-VKZ6ULCAJSF2BP35 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.108.196.80/32 -p tcp -m comment --comment "cicd/chartmuseum-chartmuseum:http cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.108.196.80/32 -p tcp -m comment --comment "cicd/chartmuseum-chartmuseum:http cluster IP" -m tcp --dport 8080 -j KUBE-SVC-5P3R55X2C5H2OL6U | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.105.164.201/32 -p tcp -m comment --comment "r3/ads-doc-svc:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.105.164.201/32 -p tcp -m comment --comment "r3/ads-doc-svc:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-UWXAAW5NUPFEOJRG | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.100.25.164/32 -p tcp -m comment --comment "r3/api-launcher:http cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.100.25.164/32 -p tcp -m comment --comment "r3/api-launcher:http cluster IP" -m tcp --dport 8080 -j KUBE-SVC-EHTBSGHSW6EATAW5 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.110.61.145/32 -p tcp -m comment --comment "apim/gravitee-apim-gateway:gateway cluster IP" -m tcp --dport 82 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.110.61.145/32 -p tcp -m comment --comment "apim/gravitee-apim-gateway:gateway cluster IP" -m tcp --dport 82 -j KUBE-SVC-6YHVEA3D6WDTDA2S | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.96.28.83/32 -p tcp -m comment --comment "r3/verdaccio-verdaccio: cluster IP" -m tcp --dport 4873 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.96.28.83/32 -p tcp -m comment --comment "r3/verdaccio-verdaccio: cluster IP" -m tcp --dport 4873 -j KUBE-SVC-CN5C75M45X3WQKE6 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.106.247.248/32 -p tcp -m comment --comment "r3/postgresql:tcp-postgresql cluster IP" -m tcp --dport 5432 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.106.247.248/32 -p tcp -m comment --comment "r3/postgresql:tcp-postgresql cluster IP" -m tcp --dport 5432 -j KUBE-SVC-NOMGXN2DVURWP4VZ | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.102.7.105/32 -p tcp -m comment --comment "r3/api-asset:http cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.102.7.105/32 -p tcp -m comment --comment "r3/api-asset:http cluster IP" -m tcp --dport 8080 -j KUBE-SVC-RJMXSHAFEOHA2UMQ | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.103.154.219/32 -p tcp -m comment --comment "r3/postgresql-metrics:http-metrics cluster IP" -m tcp --dport 9187 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.103.154.219/32 -p tcp -m comment --comment "r3/postgresql-metrics:http-metrics cluster IP" -m tcp --dport 9187 -j KUBE-SVC-NKXCO3Q27V544JIS | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.106.24.108/32 -p tcp -m comment --comment "cicd/fluxcd:http cluster IP" -m tcp --dport 3030 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.106.24.108/32 -p tcp -m comment --comment "cicd/fluxcd:http cluster IP" -m tcp --dport 3030 -j KUBE-SVC-QHKWB2NGEYGIPMWM | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.102.236.192/32 -p tcp -m comment --comment "r3/elasticsearch-cerebro:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.102.236.192/32 -p tcp -m comment --comment "r3/elasticsearch-cerebro:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-AXCBBDKKT3DGKXXJ | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.97.108.34/32 -p tcp -m comment --comment "apim/gravitee-apim-api:api cluster IP" -m tcp --dport 83 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.97.108.34/32 -p tcp -m comment --comment "apim/gravitee-apim-api:api cluster IP" -m tcp --dport 83 -j KUBE-SVC-DO4OF7TIBVKAP42M | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.99.53.17/32 -p tcp -m comment --comment "cicd/kubeapps-internal-kubeops:http cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.99.53.17/32 -p tcp -m comment --comment "cicd/kubeapps-internal-kubeops:http cluster IP" -m tcp --dport 8080 -j KUBE-SVC-BBLYE442NYHEJ2N6 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.100.214.223/32 -p tcp -m comment --comment "monitoring/prometheus-operator-prometheus-node-exporter:metrics cluster IP" -m tcp --dport 9100 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.100.214.223/32 -p tcp -m comment --comment "monitoring/prometheus-operator-prometheus-node-exporter:metrics cluster IP" -m tcp --dport 9100 -j KUBE-SVC-4PEI37TLUGLSBT7N | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.106.182.95/32 -p tcp -m comment --comment "r3/openldap:ldap-port cluster IP" -m tcp --dport 389 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.106.182.95/32 -p tcp -m comment --comment "r3/openldap:ldap-port cluster IP" -m tcp --dport 389 -j KUBE-SVC-O3B24R5A4HJH6WGO | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.101.171.147/32 -p tcp -m comment --comment "r3/minio-minio-chart:service cluster IP" -m tcp --dport 9000 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.101.171.147/32 -p tcp -m comment --comment "r3/minio-minio-chart:service cluster IP" -m tcp --dport 9000 -j KUBE-SVC-CZKPXAOE6F4YWCUP | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.105.20.79/32 -p tcp -m comment --comment "apim/gravitee-am-management-ui:management-ui cluster IP" -m tcp --dport 8002 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.105.20.79/32 -p tcp -m comment --comment "apim/gravitee-am-management-ui:management-ui cluster IP" -m tcp --dport 8002 -j KUBE-SVC-2B5LVZX5JHYO5PF4 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.108.43.114/32 -p tcp -m comment --comment "monitoring/prometheus-operator-operator:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.108.43.114/32 -p tcp -m comment --comment "monitoring/prometheus-operator-operator:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-XUWFLEYT3KN4CP3H | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.105.0.92/32 -p tcp -m comment --comment "cicd/kubeapps-internal-dashboard:http cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.105.0.92/32 -p tcp -m comment --comment "cicd/kubeapps-internal-dashboard:http cluster IP" -m tcp --dport 8080 -j KUBE-SVC-DI5MTXCTXM3YSCCP | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.108.30.145/32 -p tcp -m comment --comment "monitoring/prometheus-operator-grafana:service cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.108.30.145/32 -p tcp -m comment --comment "monitoring/prometheus-operator-grafana:service cluster IP" -m tcp --dport 80 -j KUBE-SVC-ZROXDTOXSXYGW2D5 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.98.114.207/32 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller-metrics:metrics cluster IP" -m tcp --dport 9913 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.98.114.207/32 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller-metrics:metrics cluster IP" -m tcp --dport 9913 -j KUBE-SVC-QL2PIO6RVKDOA22E | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.97.62.134/32 -p tcp -m comment --comment "r3/r3-podinfo:http cluster IP" -m tcp --dport 9898 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.97.62.134/32 -p tcp -m comment --comment "r3/r3-podinfo:http cluster IP" -m tcp --dport 9898 -j KUBE-SVC-3TKROK7TFNNU6EV6 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.96.187.209/32 -p tcp -m comment --comment "monitoring/prometheus-operator-prometheus:web cluster IP" -m tcp --dport 9090 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.96.187.209/32 -p tcp -m comment --comment "monitoring/prometheus-operator-prometheus:web cluster IP" -m tcp --dport 9090 -j KUBE-SVC-RJ5NZTLPTVOCJNIO | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.97.62.134/32 -p tcp -m comment --comment "r3/r3-podinfo:grpc cluster IP" -m tcp --dport 9999 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.97.62.134/32 -p tcp -m comment --comment "r3/r3-podinfo:grpc cluster IP" -m tcp --dport 9999 -j KUBE-SVC-6B6FPPEANAPAEIEN | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.108.43.114/32 -p tcp -m comment --comment "monitoring/prometheus-operator-operator:http cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.108.43.114/32 -p tcp -m comment --comment "monitoring/prometheus-operator-operator:http cluster IP" -m tcp --dport 8080 -j KUBE-SVC-XDRCER67H2Z2AUHW | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.105.54.214/32 -p tcp -m comment --comment "r3/elasticsearch-exporter:http cluster IP" -m tcp --dport 9108 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.105.54.214/32 -p tcp -m comment --comment "r3/elasticsearch-exporter:http cluster IP" -m tcp --dport 9108 -j KUBE-SVC-J3MLTGOJ3F3RMVAT | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.109.33.189/32 -p tcp -m comment --comment "weave/weave-scope-app:app cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.109.33.189/32 -p tcp -m comment --comment "weave/weave-scope-app:app cluster IP" -m tcp --dport 80 -j KUBE-SVC-TYNKIQDMC64ECKMF | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.99.51.254/32 -p tcp -m comment --comment "apim/gravitee-apim-ui:ui cluster IP" -m tcp --dport 8002 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.99.51.254/32 -p tcp -m comment --comment "apim/gravitee-apim-ui:ui cluster IP" -m tcp --dport 8002 -j KUBE-SVC-YOVTPXTZTGVL67U6 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.110.33.102/32 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.110.33.102/32 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-JJS2LOLYIWRFNBV3 | |
| -A KUBE-SERVICES -d 10.125.140.229/32 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller:http external IP" -m tcp --dport 80 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.125.140.229/32 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller:http external IP" -m tcp --dport 80 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-JJS2LOLYIWRFNBV3 | |
| -A KUBE-SERVICES -d 10.125.140.229/32 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller:http external IP" -m tcp --dport 80 -m addrtype --dst-type LOCAL -j KUBE-SVC-JJS2LOLYIWRFNBV3 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.100.222.10/32 -p tcp -m comment --comment "cicd/kubeapps:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.100.222.10/32 -p tcp -m comment --comment "cicd/kubeapps:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-DCQOVMY6WOVKMSF5 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.96.181.21/32 -p tcp -m comment --comment "r3/api-calibration:http cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.96.181.21/32 -p tcp -m comment --comment "r3/api-calibration:http cluster IP" -m tcp --dport 8080 -j KUBE-SVC-JN7W2HMMIP4QAU56 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.109.116.10/32 -p tcp -m comment --comment "cicd/fluxcd-memcached:memcached cluster IP" -m tcp --dport 11211 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.109.116.10/32 -p tcp -m comment --comment "cicd/fluxcd-memcached:memcached cluster IP" -m tcp --dport 11211 -j KUBE-SVC-ZSK4HNYHPUYVCS3E | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.96.8.236/32 -p tcp -m comment --comment "apim/gravitee-am-gateway:gateway cluster IP" -m tcp --dport 82 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.96.8.236/32 -p tcp -m comment --comment "apim/gravitee-am-gateway:gateway cluster IP" -m tcp --dport 82 -j KUBE-SVC-QA7MADU7K7GLLV66 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.106.150.19/32 -p tcp -m comment --comment "logging/kibana: cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.106.150.19/32 -p tcp -m comment --comment "logging/kibana: cluster IP" -m tcp --dport 443 -j KUBE-SVC-BGNAPBWJFSTY2UHJ | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.110.33.102/32 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.110.33.102/32 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-AOTPSVISNGZOGMPC | |
| -A KUBE-SERVICES -d 10.125.140.229/32 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller:https external IP" -m tcp --dport 443 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.125.140.229/32 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller:https external IP" -m tcp --dport 443 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-AOTPSVISNGZOGMPC | |
| -A KUBE-SERVICES -d 10.125.140.229/32 -p tcp -m comment --comment "kube-system/nginx-ingress-controller-controller:https external IP" -m tcp --dport 443 -m addrtype --dst-type LOCAL -j KUBE-SVC-AOTPSVISNGZOGMPC | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.99.170.120/32 -p tcp -m comment --comment "monitoring/prometheus-operator-kube-state-metrics:http cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.99.170.120/32 -p tcp -m comment --comment "monitoring/prometheus-operator-kube-state-metrics:http cluster IP" -m tcp --dport 8080 -j KUBE-SVC-NQNXLNJTTKGC6RSJ | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.108.60.130/32 -p tcp -m comment --comment "r3/tk-doc-website:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.108.60.130/32 -p tcp -m comment --comment "r3/tk-doc-website:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-GVULDYDKHKR6MDP2 | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.97.87.135/32 -p tcp -m comment --comment "r3/api-authorization:http cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.97.87.135/32 -p tcp -m comment --comment "r3/api-authorization:http cluster IP" -m tcp --dport 8080 -j KUBE-SVC-AG2U4SG7BPQCLJXJ | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.111.232.6/32 -p tcp -m comment --comment "r3/elasticsearch-stack-client:http cluster IP" -m tcp --dport 9200 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.111.232.6/32 -p tcp -m comment --comment "r3/elasticsearch-stack-client:http cluster IP" -m tcp --dport 9200 -j KUBE-SVC-OOJKQW2KWCS3OZRL | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.108.143.224/32 -p tcp -m comment --comment "cicd/helmoperator-helm-operator:http cluster IP" -m tcp --dport 3030 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.108.143.224/32 -p tcp -m comment --comment "cicd/helmoperator-helm-operator:http cluster IP" -m tcp --dport 3030 -j KUBE-SVC-P7AMZE6D2BI2A5AR | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.105.53.104/32 -p tcp -m comment --comment "monitoring/prometheus-operator-alertmanager:web cluster IP" -m tcp --dport 9093 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.105.53.104/32 -p tcp -m comment --comment "monitoring/prometheus-operator-alertmanager:web cluster IP" -m tcp --dport 9093 -j KUBE-SVC-7KQQLYAMWXMG3W4M | |
| -A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.96.96.77/32 -p tcp -m comment --comment "kube-system/local-docker-registry:registry cluster IP" -m tcp --dport 5000 -j KUBE-MARK-MASQ | |
| -A KUBE-SERVICES -d 10.96.96.77/32 -p tcp -m comment --comment "kube-system/local-docker-registry:registry cluster IP" -m tcp --dport 5000 -j KUBE-SVC-WKYDCVKTYQQLHVUO | |
| -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS | |
| -A KUBE-SVC-2B5LVZX5JHYO5PF4 -j KUBE-SEP-VLHBJRJ5HK5R26CJ | |
| -A KUBE-SVC-3JGEEGNJMPX2I6CL -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-PVTJZQ4DUYKC64KY | |
| -A KUBE-SVC-3JGEEGNJMPX2I6CL -j KUBE-SEP-AJYU35V72R343ZFR | |
| -A KUBE-SVC-3TKROK7TFNNU6EV6 -j KUBE-SEP-3YAZEBSDVJLOULND | |
| -A KUBE-SVC-4PEI37TLUGLSBT7N -m statistic --mode random --probability 0.16666666651 -j KUBE-SEP-GTN4I762XFV4KUCM | |
| -A KUBE-SVC-4PEI37TLUGLSBT7N -m statistic --mode random --probability 0.20000000019 -j KUBE-SEP-B2L5DF3H6FDNYIM2 | |
| -A KUBE-SVC-4PEI37TLUGLSBT7N -m statistic --mode random --probability 0.25000000000 -j KUBE-SEP-BKPXTG77Y2YD3NB2 | |
| -A KUBE-SVC-4PEI37TLUGLSBT7N -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-DKCE76E3MDOLEX6W | |
| -A KUBE-SVC-4PEI37TLUGLSBT7N -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-75YLDJA2B6OZ2O2R | |
| -A KUBE-SVC-4PEI37TLUGLSBT7N -j KUBE-SEP-AYMTXCIZWVJ6BI3G | |
| -A KUBE-SVC-5P3R55X2C5H2OL6U -j KUBE-SEP-IYXI7SJ3BFWOKMAJ | |
| -A KUBE-SVC-6B6FPPEANAPAEIEN -j KUBE-SEP-JL33X43AEBDBETUC | |
| -A KUBE-SVC-6YHVEA3D6WDTDA2S -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-KZGA7W5QYB7GKIHG | |
| -A KUBE-SVC-6YHVEA3D6WDTDA2S -j KUBE-SEP-PK3QBUANGW2S5RGW | |
| -A KUBE-SVC-7KQQLYAMWXMG3W4M -j KUBE-SEP-JJUC4J25APHWTUHC | |
| -A KUBE-SVC-AG2U4SG7BPQCLJXJ -j KUBE-SEP-EFWV4G6Q3IQBNYTL | |
| -A KUBE-SVC-AOTPSVISNGZOGMPC -j KUBE-SEP-OFUUGNN4LJNY5MSJ | |
| -A KUBE-SVC-AXCBBDKKT3DGKXXJ -j KUBE-SEP-JRGZMD4XF4F6SRP7 | |
| -A KUBE-SVC-BBLYE442NYHEJ2N6 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-H2PD4GUAWYW2OK35 | |
| -A KUBE-SVC-BBLYE442NYHEJ2N6 -j KUBE-SEP-4T5DCZHOW2QMSPVW | |
| -A KUBE-SVC-BGNAPBWJFSTY2UHJ -j KUBE-SEP-7L5GUJU52NTXWSCJ | |
| -A KUBE-SVC-CN5C75M45X3WQKE6 -j KUBE-SEP-X3IWXKMYJPJCUVDJ | |
| -A KUBE-SVC-CZKPXAOE6F4YWCUP -m statistic --mode random --probability 0.25000000000 -j KUBE-SEP-CSBWBPNXVN62G5CO | |
| -A KUBE-SVC-CZKPXAOE6F4YWCUP -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-LR43ENYQK2GRHNVF | |
| -A KUBE-SVC-CZKPXAOE6F4YWCUP -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-WOZYEXW7ODELQWIW | |
| -A KUBE-SVC-CZKPXAOE6F4YWCUP -j KUBE-SEP-6KVK3XNSNKTRVNGO | |
| -A KUBE-SVC-DCQOVMY6WOVKMSF5 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-GMMNYWPGJAM5HIEO | |
| -A KUBE-SVC-DCQOVMY6WOVKMSF5 -j KUBE-SEP-NGM4PSOAGQKLKFA2 | |
| -A KUBE-SVC-DI5MTXCTXM3YSCCP -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-CVIXE6S6EIBM2OFA | |
| -A KUBE-SVC-DI5MTXCTXM3YSCCP -j KUBE-SEP-BXXB6ZDBTRAXPAB5 | |
| -A KUBE-SVC-DO4OF7TIBVKAP42M -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-UYNRDGENKE5LEFE3 | |
| -A KUBE-SVC-DO4OF7TIBVKAP42M -j KUBE-SEP-HKPOOSMJE7KM6UO7 | |
| -A KUBE-SVC-EHTBSGHSW6EATAW5 -j KUBE-SEP-ZGH6FGGOCNDZWSEI | |
| -A KUBE-SVC-ERIFXISQEP7F7OF4 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-M4357IBKZBG7H2UW | |
| -A KUBE-SVC-ERIFXISQEP7F7OF4 -j KUBE-SEP-SNE52AZXQVA7PMZD | |
| -A KUBE-SVC-GVULDYDKHKR6MDP2 -j KUBE-SEP-KOA3OWOZTCLKZW5C | |
| -A KUBE-SVC-J3MLTGOJ3F3RMVAT -j KUBE-SEP-HVBQUYD2XFH4LLQU | |
| -A KUBE-SVC-JD5MR3NA4I4DYORP -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-AV6KMHJS2JK6CKTQ | |
| -A KUBE-SVC-JD5MR3NA4I4DYORP -j KUBE-SEP-UK3KLGHSBTRBBMXZ | |
| -A KUBE-SVC-JJS2LOLYIWRFNBV3 -j KUBE-SEP-SPIK36MQH2QQRD5D | |
| -A KUBE-SVC-JN7W2HMMIP4QAU56 -j KUBE-SEP-IXFN4DLB2BBSTIFH | |
| -A KUBE-SVC-NKXCO3Q27V544JIS -j KUBE-SEP-ODEPH6ITPXZUHZZB | |
| -A KUBE-SVC-NOMGXN2DVURWP4VZ -j KUBE-SEP-2S6DASD4W7F4NEBC | |
| -A KUBE-SVC-NPX46M4PTMTKRN6Y -j KUBE-SEP-PNXQMCZRZTTM6QFD | |
| -A KUBE-SVC-NQNXLNJTTKGC6RSJ -j KUBE-SEP-UBSLGD3ZYBHN2FDL | |
| -A KUBE-SVC-O3B24R5A4HJH6WGO -j KUBE-SEP-ANPJDUKMVEBH7QHA | |
| -A KUBE-SVC-OOJKQW2KWCS3OZRL -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-XPQEE5CQY2ZKZBIJ | |
| -A KUBE-SVC-OOJKQW2KWCS3OZRL -j KUBE-SEP-MXHRTNQY3JZP3FJJ | |
| -A KUBE-SVC-P7AMZE6D2BI2A5AR -j KUBE-SEP-LQKB6S4TIM5UKILP | |
| -A KUBE-SVC-QA7MADU7K7GLLV66 -j KUBE-SEP-4TYTJM4FFSFEMOHR | |
| -A KUBE-SVC-QHKWB2NGEYGIPMWM -j KUBE-SEP-OBVDS4LWPZRTXQ7K | |
| -A KUBE-SVC-QL2PIO6RVKDOA22E -j KUBE-SEP-63VA3ON2ISZ6UJPS | |
| -A KUBE-SVC-QVXD2GNPIDECX2QA -j KUBE-SEP-RXAPQNPOYQJO4USF | |
| -A KUBE-SVC-RJ5NZTLPTVOCJNIO -j KUBE-SEP-OK4CRJJQZI7QWJVQ | |
| -A KUBE-SVC-RJMXSHAFEOHA2UMQ -j KUBE-SEP-QUWLLAYJBUJRX6E5 | |
| -A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-E5ZF5T3ASP53QTDU | |
| -A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-L6342LEWMP3V2Q5C | |
| -A KUBE-SVC-TYNKIQDMC64ECKMF -j KUBE-SEP-J5NZFUY5JCZGQOZF | |
| -A KUBE-SVC-UWXAAW5NUPFEOJRG -j KUBE-SEP-RM2PTGRKGRQRNT75 | |
| -A KUBE-SVC-VKZ6ULCAJSF2BP35 -j KUBE-SEP-MBVNEAYRFLQWKDTX | |
| -A KUBE-SVC-WKYDCVKTYQQLHVUO -j KUBE-SEP-JEJOR4FNE4KNVPN3 | |
| -A KUBE-SVC-XDRCER67H2Z2AUHW -j KUBE-SEP-PMEE6ENYRASSAHEV | |
| -A KUBE-SVC-XUWFLEYT3KN4CP3H -j KUBE-SEP-XCLA7OEYBYLOK43A | |
| -A KUBE-SVC-YOVTPXTZTGVL67U6 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-UIND2X4FA2J4ZUPS | |
| -A KUBE-SVC-YOVTPXTZTGVL67U6 -j KUBE-SEP-NVD3EZLSM5FJDSZT | |
| -A KUBE-SVC-ZROXDTOXSXYGW2D5 -j KUBE-SEP-T73LSMKBTI52H63Y | |
| -A KUBE-SVC-ZSK4HNYHPUYVCS3E -j KUBE-SEP-JETPDJ7CO3KEEBTC | |
| -A KUBE-XLB-AOTPSVISNGZOGMPC -s 10.244.0.0/16 -m comment --comment "Redirect pods trying to reach external loadbalancer VIP to clusterIP" -j KUBE-SVC-AOTPSVISNGZOGMPC | |
| -A KUBE-XLB-AOTPSVISNGZOGMPC -m comment --comment "masquerade LOCAL traffic for kube-system/nginx-ingress-controller-controller:https LB IP" -m addrtype --src-type LOCAL -j KUBE-MARK-MASQ | |
| -A KUBE-XLB-AOTPSVISNGZOGMPC -m comment --comment "route LOCAL traffic for kube-system/nginx-ingress-controller-controller:https LB IP to service chain" -m addrtype --src-type LOCAL -j KUBE-SVC-AOTPSVISNGZOGMPC | |
| -A KUBE-XLB-AOTPSVISNGZOGMPC -m comment --comment "kube-system/nginx-ingress-controller-controller:https has no local endpoints" -j KUBE-MARK-DROP | |
| -A KUBE-XLB-JJS2LOLYIWRFNBV3 -s 10.244.0.0/16 -m comment --comment "Redirect pods trying to reach external loadbalancer VIP to clusterIP" -j KUBE-SVC-JJS2LOLYIWRFNBV3 | |
| -A KUBE-XLB-JJS2LOLYIWRFNBV3 -m comment --comment "masquerade LOCAL traffic for kube-system/nginx-ingress-controller-controller:http LB IP" -m addrtype --src-type LOCAL -j KUBE-MARK-MASQ | |
| -A KUBE-XLB-JJS2LOLYIWRFNBV3 -m comment --comment "route LOCAL traffic for kube-system/nginx-ingress-controller-controller:http LB IP to service chain" -m addrtype --src-type LOCAL -j KUBE-SVC-JJS2LOLYIWRFNBV3 | |
| -A KUBE-XLB-JJS2LOLYIWRFNBV3 -m comment --comment "kube-system/nginx-ingress-controller-controller:http has no local endpoints" -j KUBE-MARK-DROP | |
| -A WEAVE -s 10.32.0.0/12 -d 224.0.0.0/4 -j RETURN | |
| -A WEAVE ! -s 10.32.0.0/12 -d 10.32.0.0/12 -j MASQUERADE | |
| -A WEAVE -s 10.32.0.0/12 ! -d 10.32.0.0/12 -j MASQUERADE | |
| -A WEAVE -s 10.244.0.0/16 -d 224.0.0.0/4 -j RETURN | |
| -A WEAVE ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE | |
| -A WEAVE -s 10.244.0.0/16 ! -d 10.244.0.0/16 -j MASQUERADE | |
| COMMIT | |
| # Completed on Mon Jul 6 23:27:33 2020 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment