@bradfitz
Created September 8, 2019 16:24
root@kc1b:~# iptables-legacy-save
# Generated by iptables-save v1.8.2 on Sun Sep 8 09:23:15 2019
# raw table: Cilium exempts its transparent-proxy traffic from conntrack
# (NOTRACK), keyed on packet marks. 10.217.0.29 is this node's cilium_host
# address (it is the SNAT --to-source in the nat table below).
# NOTE(review): NOTRACKed packets carry ctstate UNTRACKED afterwards, so they
# never match the --ctstate NEW/INVALID/ESTABLISHED rules in the filter table
# and the --ctstate DNAT rule in the nat table.
*raw
:PREROUTING ACCEPT [88168023:13613243271]
:OUTPUT ACCEPT [86121993:13224156217]
:CILIUM_OUTPUT_raw - [0:0]
:CILIUM_PRE_raw - [0:0]
-A PREROUTING -m comment --comment "cilium-feeder: CILIUM_PRE_raw" -j CILIUM_PRE_raw
-A OUTPUT -m comment --comment "cilium-feeder: CILIUM_OUTPUT_raw" -j CILIUM_OUTPUT_raw
# Locally generated packets whose mark equals 0xa00 (all bits except 0x100
# compared) and whose source is not the cilium_host address skip conntrack.
-A CILIUM_OUTPUT_raw ! -s 10.217.0.29/32 -m mark --mark 0xa00/0xfffffeff -m comment --comment "cilium: NOTRACK for proxy return traffic" -j NOTRACK
# Incoming packets already carrying 0x200 in the 0xf00 mark nibble and not
# addressed to cilium_host skip conntrack. raw PREROUTING runs before mangle,
# so this mark cannot come from the mangle rules below; presumably it is set
# by Cilium's BPF datapath on ingress -- not visible in this dump.
-A CILIUM_PRE_raw ! -d 10.217.0.29/32 -m mark --mark 0x200/0xf00 -m comment --comment "cilium: NOTRACK for proxy traffic" -j NOTRACK
COMMIT
# Completed on Sun Sep 8 09:23:15 2019
# Generated by iptables-save v1.8.2 on Sun Sep 8 09:23:15 2019
# mangle table: Cilium's packet-mark bookkeeping plus the TPROXY redirect
# for its DNS egress proxy. The 0xf00 nibble of the mark is a Cilium traffic
# class (0xa00/0xc00/0xd00/0xe00 are compared here and in the filter/nat
# tables); bit 0x4000 is the kube-proxy masquerade bit set by KUBE-MARK-MASQ
# in the nat table.
*mangle
:PREROUTING ACCEPT [88168009:13613241958]
:INPUT ACCEPT [86512439:13152063506]
:FORWARD ACCEPT [1035685:273432333]
:OUTPUT ACCEPT [86121981:13224155263]
:POSTROUTING ACCEPT [87157665:13497587324]
:CILIUM_POST_mangle - [0:0]
:CILIUM_PRE_mangle - [0:0]
-A PREROUTING -m comment --comment "cilium-feeder: CILIUM_PRE_mangle" -j CILIUM_PRE_mangle
-A POSTROUTING -m comment --comment "cilium-feeder: CILIUM_POST_mangle" -j CILIUM_POST_mangle
# Packets leaving via cilium_host get the kube-proxy masquerade bit (0x4000)
# cleared unless their class is 0xe00 or 0xd00. mangle POSTROUTING is
# evaluated before nat POSTROUTING, so KUBE-POSTROUTING will not MASQUERADE
# them even if KUBE-MARK-MASQ set the bit earlier.
-A CILIUM_POST_mangle -o cilium_host -m mark ! --mark 0xe00/0xf00 -m mark ! --mark 0xd00/0xf00 -m comment --comment "cilium: clear masq bit for pkts to cilium_host" -j MARK --set-xmark 0x0/0x4000
# Packets that belong to a local IP_TRANSPARENT socket get mark 0x200 so
# policy routing delivers them locally. NOTE(review): --nowildcard makes
# sockets bound to 0.0.0.0 match too; the xt_socket man page warns this has
# security implications on forwarded traffic, since any local transparent
# wildcard listener can capture flows that would otherwise be forwarded.
-A CILIUM_PRE_mangle -m socket --transparent --nowildcard -m comment --comment "cilium: mark transparent proxy traffic to be routed locally" -j MARK --set-xmark 0x200/0xffffffff
# TPROXY: packets whose mark is exactly 0xddb20200 are delivered to the
# cilium-dns-egress proxy socket on port 45789 (--on-ip 0.0.0.0 = any local
# address). Only pre-marked packets are redirected, so the selection of
# flows happens wherever that mark is set (presumably Cilium's BPF datapath,
# not shown here). NOTE(review): filter INPUT policy is ACCEPT and no rule
# in this dump restricts tcp/udp 45789, so direct reachability of the proxy
# port from the network is decided by the proxy socket alone -- confirm.
-A CILIUM_PRE_mangle -p tcp -m mark --mark 0xddb20200 -m comment --comment "cilium: TPROXY to host cilium-dns-egress proxy" -j TPROXY --on-port 45789 --on-ip 0.0.0.0 --tproxy-mark 0x200/0xffffffff
-A CILIUM_PRE_mangle -p udp -m mark --mark 0xddb20200 -m comment --comment "cilium: TPROXY to host cilium-dns-egress proxy" -j TPROXY --on-port 45789 --on-ip 0.0.0.0 --tproxy-mark 0x200/0xffffffff
COMMIT
# Completed on Sun Sep 8 09:23:15 2019
# Generated by iptables-save v1.8.2 on Sun Sep 8 09:23:15 2019
# nat table: Cilium masquerade/SNAT rules followed by kube-proxy ClusterIP
# DNAT. Addresses appearing in this node's rules:
#   10.217.0.29     this node's cilium_host address (SNAT --to-source)
#   10.217.0.0/24   this node's pod CIDR; 10.217.0.0/16 the cluster pod range
#   10.96.0.1/.10   ClusterIPs of the kubernetes API and kube-dns services
#   10.111.26.104   ClusterIP of heptio-sonobuoy/sonobuoy-master
#   10.0.9.11-13    kube-apiserver endpoints (port 6443) behind 10.96.0.1:443
# NOTE(review): the dump exposes control-plane endpoint addresses and the
# node's internal topology; treat it as sensitive when sharing.
*nat
:PREROUTING ACCEPT [174523:35259604]
:INPUT ACCEPT [109687:15761458]
:OUTPUT ACCEPT [114497:7359358]
:POSTROUTING ACCEPT [89577:5983822]
:CILIUM_OUTPUT_nat - [0:0]
:CILIUM_POST_nat - [0:0]
:CILIUM_PRE_nat - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-2UHBERGWYDVUJ74C - [0:0]
:KUBE-SEP-2ZIVNNPMTRU6LIDF - [0:0]
:KUBE-SEP-5NQOPFYL7XEFTR4A - [0:0]
:KUBE-SEP-6DHWFT3LTV2SHQ4J - [0:0]
:KUBE-SEP-CH7GLVQ3Y7ZBODHU - [0:0]
:KUBE-SEP-QAGO6SPTZUAQYUTZ - [0:0]
:KUBE-SEP-SAP4NBLYMG3BUFJ6 - [0:0]
:KUBE-SEP-T7IH2TQ6NABU4JUF - [0:0]
:KUBE-SEP-WDWVOPOZSF45TEG5 - [0:0]
:KUBE-SEP-WTX54YZAJ5LLCCL2 - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-PHN7LEQGJ7MTK4OH - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
# In each built-in chain the Cilium feeder chain is consulted before the
# kube-proxy chain. CILIUM_PRE_nat and CILIUM_OUTPUT_nat hold no rules in
# this dump, so only CILIUM_POST_nat has any effect.
-A PREROUTING -m comment --comment "cilium-feeder: CILIUM_PRE_nat" -j CILIUM_PRE_nat
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "cilium-feeder: CILIUM_OUTPUT_nat" -j CILIUM_OUTPUT_nat
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "cilium-feeder: CILIUM_POST_nat" -j CILIUM_POST_nat
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
# Pod egress (this node's /24) to destinations outside that /24, leaving via
# any interface whose name does not start with "cilium_", is MASQUERADEd.
-A CILIUM_POST_nat -s 10.217.0.0/24 ! -d 10.217.0.0/24 ! -o cilium_+ -m comment --comment "cilium masquerade non-cluster" -j MASQUERADE
# Everything below this RETURN applies only to packets leaving via cilium_host.
-A CILIUM_POST_nat ! -o cilium_host -m comment --comment "exclude non-cilium_host traffic from masquerade" -j RETURN
# ACCEPT terminates the whole nat POSTROUTING traversal, so proxy return
# traffic (0xa00 within mask 0xe00) also never reaches KUBE-POSTROUTING.
# ("masquarade" is a typo in the live rule's comment; left untouched because
# it is part of the rule text.)
-A CILIUM_POST_nat -m mark --mark 0xa00/0xe00 -m comment --comment "exclude proxy return traffic from masquarade" -j ACCEPT
# Host -> cluster traffic leaving via cilium_host is SNATed to the
# cilium_host address: anything not already sourced from that address and
# not destined to the local pod /24, traffic from 127.0.0.1, local hostport
# loopback, and DNATed (hostport) flows from outside 10.0.0.0/8.
-A CILIUM_POST_nat ! -s 10.217.0.29/32 ! -d 10.217.0.0/24 -o cilium_host -m comment --comment "cilium host->cluster masquerade" -j SNAT --to-source 10.217.0.29
-A CILIUM_POST_nat -s 127.0.0.1/32 -o cilium_host -m comment --comment "cilium host->cluster from 127.0.0.1 masquerade" -j SNAT --to-source 10.217.0.29
-A CILIUM_POST_nat -s 10.217.0.0/24 -m comment --comment "cilium hostport loopback masquerade" -j SNAT --to-source 10.217.0.29
-A CILIUM_POST_nat ! -s 10.0.0.0/8 -o cilium_host -m conntrack --ctstate DNAT -m comment --comment "cilium hostport cluster masquerade" -j SNAT --to-source 10.217.0.29
# kube-proxy: KUBE-MARK-MASQ sets bit 0x4000; KUBE-POSTROUTING MASQUERADEs
# whatever still carries it (the mangle table clears it for cilium_host).
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
# KUBE-SEP-*: one chain per service endpoint. The first rule marks hairpin
# traffic (the endpoint addressing its own service) for masquerade; the
# second DNATs to the endpoint.
-A KUBE-SEP-2UHBERGWYDVUJ74C -s 10.0.9.12/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-2UHBERGWYDVUJ74C -p tcp -m tcp -j DNAT --to-destination 10.0.9.12:6443
-A KUBE-SEP-2ZIVNNPMTRU6LIDF -s 10.0.9.13/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-2ZIVNNPMTRU6LIDF -p tcp -m tcp -j DNAT --to-destination 10.0.9.13:6443
-A KUBE-SEP-5NQOPFYL7XEFTR4A -s 10.217.0.236/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-5NQOPFYL7XEFTR4A -p tcp -m tcp -j DNAT --to-destination 10.217.0.236:53
-A KUBE-SEP-6DHWFT3LTV2SHQ4J -s 10.217.0.24/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-6DHWFT3LTV2SHQ4J -p tcp -m tcp -j DNAT --to-destination 10.217.0.24:53
-A KUBE-SEP-CH7GLVQ3Y7ZBODHU -s 10.217.0.24/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-CH7GLVQ3Y7ZBODHU -p udp -m udp -j DNAT --to-destination 10.217.0.24:53
-A KUBE-SEP-QAGO6SPTZUAQYUTZ -s 10.217.5.127/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-QAGO6SPTZUAQYUTZ -p tcp -m tcp -j DNAT --to-destination 10.217.5.127:8080
-A KUBE-SEP-SAP4NBLYMG3BUFJ6 -s 10.0.9.11/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-SAP4NBLYMG3BUFJ6 -p tcp -m tcp -j DNAT --to-destination 10.0.9.11:6443
-A KUBE-SEP-T7IH2TQ6NABU4JUF -s 10.217.0.236/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-T7IH2TQ6NABU4JUF -p udp -m udp -j DNAT --to-destination 10.217.0.236:53
-A KUBE-SEP-WDWVOPOZSF45TEG5 -s 10.217.0.24/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-WDWVOPOZSF45TEG5 -p tcp -m tcp -j DNAT --to-destination 10.217.0.24:9153
-A KUBE-SEP-WTX54YZAJ5LLCCL2 -s 10.217.0.236/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-WTX54YZAJ5LLCCL2 -p tcp -m tcp -j DNAT --to-destination 10.217.0.236:9153
# KUBE-SERVICES: per ClusterIP/port, sources outside the cluster pod range
# (! 10.217.0.0/16) are marked for masquerade, then the packet is sent to
# the service's KUBE-SVC-* chain for endpoint selection and DNAT. Services
# visible here: kube-dns 53/udp, 53/tcp, 9153/tcp (metrics); kubernetes API
# 443/tcp; heptio-sonobuoy/sonobuoy-master 8080/tcp.
-A KUBE-SERVICES ! -s 10.217.0.0/16 -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES ! -s 10.217.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES ! -s 10.217.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES ! -s 10.217.0.0/16 -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES ! -s 10.217.0.0/16 -d 10.111.26.104/32 -p tcp -m comment --comment "heptio-sonobuoy/sonobuoy-master: cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.111.26.104/32 -p tcp -m comment --comment "heptio-sonobuoy/sonobuoy-master: cluster IP" -m tcp --dport 8080 -j KUBE-SVC-PHN7LEQGJ7MTK4OH
# KUBE-NODEPORTS is declared but has no rules in this dump, so this jump is
# currently a no-op (no NodePort services on this cluster at capture time).
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
# KUBE-SVC-*: random endpoint selection. For the 3 API-server endpoints the
# probabilities 1/3, then 1/2 of the remainder, then fall-through give equal
# weight; 1/2 then fall-through does the same for the 2 kube-dns endpoints.
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5NQOPFYL7XEFTR4A
-A KUBE-SVC-ERIFXISQEP7F7OF4 -j KUBE-SEP-6DHWFT3LTV2SHQ4J
-A KUBE-SVC-JD5MR3NA4I4DYORP -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-WTX54YZAJ5LLCCL2
-A KUBE-SVC-JD5MR3NA4I4DYORP -j KUBE-SEP-WDWVOPOZSF45TEG5
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-SAP4NBLYMG3BUFJ6
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-2UHBERGWYDVUJ74C
-A KUBE-SVC-NPX46M4PTMTKRN6Y -j KUBE-SEP-2ZIVNNPMTRU6LIDF
-A KUBE-SVC-PHN7LEQGJ7MTK4OH -j KUBE-SEP-QAGO6SPTZUAQYUTZ
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-T7IH2TQ6NABU4JUF
-A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-CH7GLVQ3Y7ZBODHU
COMMIT
# Completed on Sun Sep 8 09:23:15 2019
# Generated by iptables-save v1.8.2 on Sun Sep 8 09:23:15 2019
# filter table.
# NOTE(review): all three built-in policies are ACCEPT and no rule in this
# table drops host-bound (INPUT) or host-originated (OUTPUT) traffic, so the
# host has no iptables-level default deny. Presumably network policy is
# enforced in Cilium's BPF datapath, which this dump cannot show -- confirm
# before relying on it.
# KUBE-SERVICES and KUBE-EXTERNAL-SERVICES are declared but carry no rules
# (kube-proxy normally places REJECT rules for endpoint-less services there),
# so the jumps from INPUT/FORWARD/OUTPUT are currently no-ops.
*filter
:INPUT ACCEPT [10482641:1551475109]
# FORWARD's policy counter is [0:0]: at capture time every forwarded packet
# hit a terminating rule in CILIUM_FORWARD or KUBE-FORWARD before reaching
# the policy (unless the counters had been reset).
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10434037:1497777321]
:CILIUM_FORWARD - [0:0]
:CILIUM_INPUT - [0:0]
:CILIUM_OUTPUT - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
# Cilium's feeder chains run before the kube-proxy chains in each built-in
# chain. CILIUM_INPUT has no rules in this dump.
-A INPUT -m comment --comment "cilium-feeder: CILIUM_INPUT" -j CILIUM_INPUT
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A FORWARD -m comment --comment "cilium-feeder: CILIUM_FORWARD" -j CILIUM_FORWARD
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "cilium-feeder: CILIUM_OUTPUT" -j CILIUM_OUTPUT
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
# Forwarding: anything leaving via cilium_host or arriving on an lxc+ (pod)
# interface is accepted unconditionally at the iptables layer; no source,
# destination or state check is applied here.
-A CILIUM_FORWARD -o cilium_host -m comment --comment "cilium: any->cluster on cilium_host forward accept" -j ACCEPT
-A CILIUM_FORWARD -i lxc+ -m comment --comment "cilium: cluster->any on lxc+ forward accept" -j ACCEPT
# Host-originated packets not already classed 0xe00 or 0xd00 (in the 0xf00
# nibble) or 0xa00 (within mask 0xe00) are tagged 0xc00 ("from host").
-A CILIUM_OUTPUT -m mark ! --mark 0xe00/0xf00 -m mark ! --mark 0xd00/0xf00 -m mark ! --mark 0xa00/0xe00 -m comment --comment "cilium: host->any mark as from host" -j MARK --set-xmark 0xc00/0xf00
# KUBE-FORWARD only sees packets that CILIUM_FORWARD did not already accept
# (i.e. not leaving via cilium_host and not arriving on lxc+). Packets
# NOTRACKed in the raw table have state UNTRACKED, not INVALID, so the first
# rule does not drop them. There is no catch-all in this chain; anything
# unmatched falls through to the FORWARD policy (ACCEPT).
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -s 10.217.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-FORWARD -d 10.217.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Sep 8 09:23:15 2019