@ericlake
Last active September 3, 2019 13:15
Initial rules from a fresh build with kube-proxy, calico, iptables, and ipvs
iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
cali-INPUT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Cz_u1IQiXIMmKD4c */
KUBE-FIREWALL all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 10.100.36.128/25 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6443 /* K8s API port */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:8083:8084 /* Twistlock ports */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:9001:9022 /* Portworx TCP ports */
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:32678:32679 /* Portworx Lighthouse management UI ports */
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:9002 /* Portworx UDP port */
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
Chain FORWARD (policy ACCEPT)
target prot opt source destination
cali-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* cali:wUHhoiAYhphO9Mso */
KUBE-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
cali-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:tVnHkvAo15HuiPy0 */
KUBE-FIREWALL all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain KUBE-FIREWALL (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
Chain KUBE-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */ mark match 0x4000/0x4000
ACCEPT all -- 10.233.64.0/18 0.0.0.0/0 /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 10.233.64.0/18 /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED
Chain cali-FORWARD (1 references)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:vjrMJCRpqwy5oRoX */ MARK and 0xfff1ffff
cali-from-hep-forward all -- 0.0.0.0/0 0.0.0.0/0 /* cali:A_sPAO0mcxbT9mOV */ mark match 0x0/0x10000
cali-from-wl-dispatch all -- 0.0.0.0/0 0.0.0.0/0 /* cali:8ZoYfO5HKXWbB3pk */
cali-to-wl-dispatch all -- 0.0.0.0/0 0.0.0.0/0 /* cali:jdEuaPBe14V2hutn */
cali-to-hep-forward all -- 0.0.0.0/0 0.0.0.0/0 /* cali:12bc6HljsMKsmfr- */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:MH9kMp5aNICL-Olv */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000
Chain cali-INPUT (1 references)
target prot opt source destination
ACCEPT 4 -- 0.0.0.0/0 0.0.0.0/0 /* cali:PajejrV4aFdkZojI */ /* Allow IPIP packets from Calico hosts */ match-set cali40all-hosts-net src ADDRTYPE match dst-type LOCAL
DROP 4 -- 0.0.0.0/0 0.0.0.0/0 /* cali:_wjq-Yrma8Ly1Svo */ /* Drop IPIP packets from non-Calico hosts */
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:ss8lEMQsXi-s6qYT */ MARK and 0xfffff
cali-forward-check all -- 0.0.0.0/0 0.0.0.0/0 /* cali:PgIW-V0nEjwPhF_8 */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:QMJlDwlS0OjHyfMN */ mark match ! 0x0/0xfff00000
cali-wl-to-host all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:nDRe73txrna-aZjG */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:iX2AYvqGXaVqwkro */ mark match 0x10000/0x10000
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:bhpnxD5IRtBP8KW0 */ MARK and 0xfff0ffff
cali-from-host-endpoint all -- 0.0.0.0/0 0.0.0.0/0 /* cali:H5_bccAbHV0sooVy */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:inBL01YlfurT0dbI */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000
Chain cali-OUTPUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Mq1_rAdXXH3YkrzW */ mark match 0x10000/0x10000
cali-forward-endpoint-mark all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:5Z67OUUpTOM7Xa1a */ mark match ! 0x0/0xfff00000
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:M2Wf0OehNdig8MHR */
ACCEPT 4 -- 0.0.0.0/0 0.0.0.0/0 /* cali:AJBkLho_0Qd8LNr3 */ /* Allow IPIP packets to other Calico hosts */ match-set cali40all-hosts-net dst ADDRTYPE match src-type LOCAL
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:iz2RWXlXJDUfsLpe */ MARK and 0xfff0ffff
cali-to-host-endpoint all -- 0.0.0.0/0 0.0.0.0/0 /* cali:hXojbnLundZDgZyw */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:wankpMDC2Cy1KfBv */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000
Chain cali-failsafe-in (0 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:wWFQM43tJU7wwnFZ */ multiport dports 22
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 /* cali:LwNV--R8MjeUYacw */ multiport dports 68
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:QOO5NUOqOSS1_Iw0 */ multiport dports 179
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:cwZWoBSwVeIAZmVN */ multiport dports 2379
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:7FbNXT91kugE_upR */ multiport dports 2380
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:ywE9WYUBEpve70WT */ multiport dports 6666
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:l-WQSVBf_lygPR0J */ multiport dports 6667
Chain cali-failsafe-out (0 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 /* cali:82hjfji-wChFhAqL */ multiport dports 53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 /* cali:TNM3RfEjbNr72hgH */ multiport dports 67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:ycxKitIl4u3dK0HR */ multiport dports 179
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:hxjEWyxdkXXkdvut */ multiport dports 2379
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:cA_GLtruuvG88KiO */ multiport dports 2380
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:Sb1hkLYFMrKS6r01 */ multiport dports 6666
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:UwLSebGONJUG4yG- */ multiport dports 6667
Chain cali-forward-check (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Pbldlb4FaULvpdD8 */ ctstate RELATED,ESTABLISHED
cali-set-endpoint-mark tcp -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:ZD-6UxuUtGW-xtzg */ /* To kubernetes NodePort service */ multiport dports 30000:32767 match-set cali40this-host dst
cali-set-endpoint-mark udp -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:CbPfUajQ2bFVnDq4 */ /* To kubernetes NodePort service */ multiport dports 30000:32767 match-set cali40this-host dst
cali-set-endpoint-mark all -- 0.0.0.0/0 0.0.0.0/0 /* cali:jmhU0ODogX-Zfe5g */ /* To kubernetes service */ ! match-set cali40this-host dst
Chain cali-forward-endpoint-mark (1 references)
target prot opt source destination
cali-from-endpoint-mark all -- 0.0.0.0/0 0.0.0.0/0 /* cali:O0SmFDrnm7KggWqW */ mark match ! 0x100000/0xfff00000
cali-to-wl-dispatch all -- 0.0.0.0/0 0.0.0.0/0 /* cali:aFl0WFKRxDqj8oA6 */
cali-to-hep-forward all -- 0.0.0.0/0 0.0.0.0/0 /* cali:AZKVrO3i_8cLai5f */
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:96HaP1sFtb-NYoYA */ MARK and 0xfffff
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:VxO6hyNWz62YEtul */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000
Chain cali-from-endpoint-mark (1 references)
target prot opt source destination
cali-fw-cali461b022d72b all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:9L9hOgtzxuYJ3hJg */ mark match 0x91a00000/0xfff00000
cali-fw-cali7d61c847b92 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:VUqbxf7nBjMdp-E5 */ mark match 0xaf00000/0xfff00000
cali-fw-calida99fcde832 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:z7qDG3St1TV4y6cr */ mark match 0xf1600000/0xfff00000
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:TF_ac5GFIGsk1BDU */ /* Unknown interface */
Chain cali-from-hep-forward (1 references)
target prot opt source destination
Chain cali-from-host-endpoint (1 references)
target prot opt source destination
Chain cali-from-wl-dispatch (2 references)
target prot opt source destination
cali-fw-cali461b022d72b all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:eYqYo_69-skjynFL */
cali-fw-cali7d61c847b92 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:NVRYyhpAX7G6e8TV */
cali-fw-calida99fcde832 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:4DzwyRlIz4XEwpVQ */
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:AUhMlMSMbpNJAVFo */ /* Unknown interface */
Chain cali-fw-cali461b022d72b (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:DRkYaDBojGrNonEf */ ctstate RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:VhDczR83fqHBoqmn */ ctstate INVALID
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:VzRKpau3tSyJlyoZ */ MARK and 0xfffeffff
cali-pro-kns.kube-system all -- 0.0.0.0/0 0.0.0.0/0 /* cali:CSUndRNK-k9aqR-X */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:oMQe09syvdauMKHO */ /* Return if profile accepted */ mark match 0x10000/0x10000
cali-pro-_Iv5DLIoH8BjXD9FGvw all -- 0.0.0.0/0 0.0.0.0/0 /* cali:zeODhTZDQ6fzfZsr */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:RqRnfvxa07AWspMz */ /* Return if profile accepted */ mark match 0x10000/0x10000
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Y2XXQLNLAoeVc6rL */ /* Drop if no profiles matched */
Chain cali-fw-cali7d61c847b92 (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:FhHpcuxM4QJAYpqG */ ctstate RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:tVzSBA9qoZ76XcyA */ ctstate INVALID
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:takjTliU2ASgoHN8 */ MARK and 0xfffeffff
cali-pro-kns.kube-system all -- 0.0.0.0/0 0.0.0.0/0 /* cali:gs6mWXUtw3q8oLuC */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:CqF1f8hMOrzeTtnK */ /* Return if profile accepted */ mark match 0x10000/0x10000
cali-pro-_LWv94PMvYKzzY3dhTl all -- 0.0.0.0/0 0.0.0.0/0 /* cali:tj_fjX31LZ68fdb9 */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:A4Q0WCC-UqKmdUKU */ /* Return if profile accepted */ mark match 0x10000/0x10000
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:21epKlcAIkU3pJvA */ /* Drop if no profiles matched */
Chain cali-fw-calida99fcde832 (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:dvUJ1XYyLuo6ZPgk */ ctstate RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:F0a99AUzMf3rop66 */ ctstate INVALID
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:ribR3LojnP6kcsV5 */ MARK and 0xfffeffff
cali-pro-kns.cert-manager all -- 0.0.0.0/0 0.0.0.0/0 /* cali:abDgaiy1ZXZ-zbLr */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:61JVWkgehKKqc_gX */ /* Return if profile accepted */ mark match 0x10000/0x10000
cali-pro-_PgPzuEog6NthE7r2PG all -- 0.0.0.0/0 0.0.0.0/0 /* cali:R_ss67kBI0ZCofnP */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:qUgeKxn57706Beqn */ /* Return if profile accepted */ mark match 0x10000/0x10000
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:yVakR2nTUP7OOtkz */ /* Drop if no profiles matched */
Chain cali-pri-_Iv5DLIoH8BjXD9FGvw (1 references)
target prot opt source destination
Chain cali-pri-_LWv94PMvYKzzY3dhTl (1 references)
target prot opt source destination
Chain cali-pri-_PgPzuEog6NthE7r2PG (1 references)
target prot opt source destination
Chain cali-pri-kns.cert-manager (1 references)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:VjKTHGfJJd5MQL70 */ MARK or 0x10000
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:2Z9QPUpCU8jH5jkq */ mark match 0x10000/0x10000
Chain cali-pri-kns.kube-system (2 references)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:zoH5gU6U55FKZxEo */ MARK or 0x10000
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:bcGRIJcyOS9dgBiB */ mark match 0x10000/0x10000
Chain cali-pro-_Iv5DLIoH8BjXD9FGvw (1 references)
target prot opt source destination
Chain cali-pro-_LWv94PMvYKzzY3dhTl (1 references)
target prot opt source destination
Chain cali-pro-_PgPzuEog6NthE7r2PG (1 references)
target prot opt source destination
Chain cali-pro-kns.cert-manager (1 references)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:mToMu4GtpvEgL8Z3 */ MARK or 0x10000
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:SUxSX6T2k1OVPLgx */ mark match 0x10000/0x10000
Chain cali-pro-kns.kube-system (2 references)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:-50oJuMfLVO3LkBk */ MARK or 0x10000
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:ztVPKv1UYejNzm1g */ mark match 0x10000/0x10000
Chain cali-set-endpoint-mark (3 references)
target prot opt source destination
cali-sm-cali461b022d72b all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:HS92PCi7s9WQalEe */
cali-sm-cali7d61c847b92 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:9NEtCl8inGIpy_YN */
cali-sm-calida99fcde832 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:9Q899yq7_UGzxnTO */
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:SOGKocpt5jz7S68_ */ /* Unknown endpoint */
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:ndZLgrJYkvn0CpPE */ /* Non-Cali endpoint mark */ MARK xset 0x100000/0xfff00000
Chain cali-sm-cali461b022d72b (1 references)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:BeCkFig4QMXbWL8e */ MARK xset 0x91a00000/0xfff00000
Chain cali-sm-cali7d61c847b92 (1 references)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:uB3gnUvoKdJ6cQPc */ MARK xset 0xaf00000/0xfff00000
Chain cali-sm-calida99fcde832 (1 references)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:YtQ5yLjztYWCqUCC */ MARK xset 0xf1600000/0xfff00000
Chain cali-to-hep-forward (2 references)
target prot opt source destination
Chain cali-to-host-endpoint (1 references)
target prot opt source destination
Chain cali-to-wl-dispatch (2 references)
target prot opt source destination
cali-tw-cali461b022d72b all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:8gy8pBQ_BP5gaHYr */
cali-tw-cali7d61c847b92 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:OBLgcQvpBqwEK2OG */
cali-tw-calida99fcde832 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:UYs0_1NyRChgF34L */
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:r38z6fp_ITVJfs-h */ /* Unknown interface */
Chain cali-tw-cali461b022d72b (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:ZlYZfKLEaFcV9YrQ */ ctstate RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:uMqzIAn8vmrXVjGA */ ctstate INVALID
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:HuOApeXoY9EsE6x7 */ MARK and 0xfffeffff
cali-pri-kns.kube-system all -- 0.0.0.0/0 0.0.0.0/0 /* cali:IEFNgFCW6A6UbWEB */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Wt7Qde0al9Cqkvn3 */ /* Return if profile accepted */ mark match 0x10000/0x10000
cali-pri-_Iv5DLIoH8BjXD9FGvw all -- 0.0.0.0/0 0.0.0.0/0 /* cali:1MX2d7oOdNM9vlPj */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Zhs60oLryhNxQuAM */ /* Return if profile accepted */ mark match 0x10000/0x10000
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:ECqflxAhTev6Pf-A */ /* Drop if no profiles matched */
Chain cali-tw-cali7d61c847b92 (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:_hsPx9KpWxkyNVSh */ ctstate RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:-Uz092NE-M_s8Gud */ ctstate INVALID
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:7ow13bY4SvR1ik6R */ MARK and 0xfffeffff
cali-pri-kns.kube-system all -- 0.0.0.0/0 0.0.0.0/0 /* cali:atrLDON_jXmTL1vV */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:dhEacU-aIFpWyTf7 */ /* Return if profile accepted */ mark match 0x10000/0x10000
cali-pri-_LWv94PMvYKzzY3dhTl all -- 0.0.0.0/0 0.0.0.0/0 /* cali:YoGCZI3pOBUXPujV */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:_19mnnEveKOOhZQK */ /* Return if profile accepted */ mark match 0x10000/0x10000
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:hdHNEAlK4ea_ARs8 */ /* Drop if no profiles matched */
Chain cali-tw-calida99fcde832 (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:0oYHyLJh4IfU0hlT */ ctstate RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:jjSDHRks38MvVcuW */ ctstate INVALID
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:bh3ooIi2Qu-cu2gP */ MARK and 0xfffeffff
cali-pri-kns.cert-manager all -- 0.0.0.0/0 0.0.0.0/0 /* cali:qoFyfK3oL0Vm546J */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:me94awEoNLtSNCjo */ /* Return if profile accepted */ mark match 0x10000/0x10000
cali-pri-_PgPzuEog6NthE7r2PG all -- 0.0.0.0/0 0.0.0.0/0 /* cali:or4SynUqZ3-3EvFV */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:tk858jYRZNY2qdiq */ /* Return if profile accepted */ mark match 0x10000/0x10000
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:p8fENSil492zzmG0 */ /* Drop if no profiles matched */
Chain cali-wl-to-host (1 references)
target prot opt source destination
cali-from-wl-dispatch all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Ee9Sbo10IpVujdIY */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:sO1YJiY1b553biDi */ /* Configured DefaultEndpointToHostAction */

iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
cali-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0 /* cali:6gwbT8clXdHdC1b1 */
KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
cali-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:tVnHkvAo15HuiPy0 */
KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
cali-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0 /* cali:O3lYWMrLQYEMJtB5 */
KUBE-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes postrouting rules */
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain KUBE-FIREWALL (0 references)
target prot opt source destination
KUBE-MARK-DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain KUBE-LOAD-BALANCER (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 0.0.0.0/0 0.0.0.0/0
Chain KUBE-MARK-DROP (1 references)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x8000
Chain KUBE-MARK-MASQ (3 references)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x4000
Chain KUBE-NODE-PORT (1 references)
target prot opt source destination
KUBE-MARK-MASQ tcp -- 0.0.0.0/0 0.0.0.0/0 /* Kubernetes nodeport TCP port for masquerade purpose */ match-set KUBE-NODE-PORT-TCP dst
Chain KUBE-POSTROUTING (1 references)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 /* Kubernetes endpoints dst ip:port, source ip for solving hairpin purpose */ match-set KUBE-LOOP-BACK dst,dst,src
Chain KUBE-SERVICES (2 references)
target prot opt source destination
KUBE-LOAD-BALANCER all -- 0.0.0.0/0 0.0.0.0/0 /* Kubernetes service lb portal */ match-set KUBE-LOAD-BALANCER dst,dst
KUBE-MARK-MASQ all -- !10.233.64.0/18 0.0.0.0/0 /* Kubernetes service cluster ip + port for masquerade purpose */ match-set KUBE-CLUSTER-IP dst,dst
KUBE-NODE-PORT all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-CLUSTER-IP dst,dst
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-LOAD-BALANCER dst,dst
Chain cali-OUTPUT (1 references)
target prot opt source destination
cali-fip-dnat all -- 0.0.0.0/0 0.0.0.0/0 /* cali:GBTAv2p5CwevEyJm */
Chain cali-POSTROUTING (1 references)
target prot opt source destination
cali-fip-snat all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Z-c7XtVd2Bq7s_hA */
cali-nat-outgoing all -- 0.0.0.0/0 0.0.0.0/0 /* cali:nYKhEzDlr11Jccal */
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 /* cali:SXWvdsbh4Mw7wOln */ ADDRTYPE match src-type !LOCAL limit-out ADDRTYPE match src-type LOCAL random-fully
Chain cali-PREROUTING (1 references)
target prot opt source destination
cali-fip-dnat all -- 0.0.0.0/0 0.0.0.0/0 /* cali:r6XmIziWUJsdOK6Z */
Chain cali-fip-dnat (2 references)
target prot opt source destination
Chain cali-fip-snat (1 references)
target prot opt source destination
Chain cali-nat-outgoing (1 references)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 /* cali:flqWnvo8yq4ULQLa */ match-set cali40masq-ipam-pools src ! match-set cali40all-ipam-pools dst random-fully

ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 147.75.76.10:443 rr
-> 10.100.36.129:6443 Masq 1 0 0
-> 10.100.36.135:6443 Masq 1 0 0
-> 10.100.36.137:6443 Masq 1 0 0
TCP 147.75.77.83:30667 rr
-> 10.100.36.129:6443 Masq 1 0 0
-> 10.100.36.135:6443 Masq 1 0 0
-> 10.100.36.137:6443 Masq 1 0 0
TCP 10.100.36.131:30667 rr
-> 10.100.36.129:6443 Masq 1 0 0
-> 10.100.36.135:6443 Masq 1 0 0
-> 10.100.36.137:6443 Masq 1 0 0
TCP 10.233.0.1:443 rr
-> 10.100.36.129:6443 Masq 1 3 0
-> 10.100.36.135:6443 Masq 1 0 0
-> 10.100.36.137:6443 Masq 1 1 0
TCP 10.233.0.3:53 rr
-> 10.233.99.3:53 Masq 1 0 0
-> 10.233.115.1:53 Masq 1 0 0
TCP 10.233.0.3:9153 rr
-> 10.233.99.3:9153 Masq 1 0 0
-> 10.233.115.1:9153 Masq 1 0 0
TCP 10.233.21.200:443 rr
-> 10.233.99.4:443 Masq 1 0 0
TCP 10.233.50.28:44134 rr
-> 10.233.65.3:44134 Masq 1 0 0
TCP 10.233.54.42:443 rr
-> 10.233.76.1:8443 Masq 1 0 0
TCP 10.233.65.0:30667 rr
-> 10.100.36.129:6443 Masq 1 0 0
-> 10.100.36.135:6443 Masq 1 0 0
-> 10.100.36.137:6443 Masq 1 0 0
TCP 127.0.0.1:30667 rr
-> 10.100.36.129:6443 Masq 1 0 0
-> 10.100.36.135:6443 Masq 1 0 0
-> 10.100.36.137:6443 Masq 1 0 0
TCP 172.17.0.1:30667 rr
-> 10.100.36.129:6443 Masq 1 0 0
-> 10.100.36.135:6443 Masq 1 0 0
-> 10.100.36.137:6443 Masq 1 0 0
UDP 10.233.0.3:53 rr
-> 10.233.99.3:53 Masq 1 0 0
-> 10.233.115.1:53 Masq 1 0 0

ip6tables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

ip6tables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination