Initial rules from a fresh build with kube-proxy (IPVS mode), Calico, iptables, and ipvs — `iptables -nL` (filter), `iptables -nL -t nat`, `ipvsadm -Ln`, and `ip6tables -nL`. Review notes: the IPv4 INPUT chain has policy DROP, but its third rule is an `ACCEPT all 0.0.0.0/0 0.0.0.0/0` with no visible match, placed ahead of every port-specific rule; `-nL` without `-v` hides `-i`/`-o` interface matches, so this may be the usual loopback accept — confirm with `iptables -nvL INPUT` or `iptables -S INPUT`, because if it is genuinely unconditional the later port rules and the DROP policy never take effect. The same caveat applies to the two bare `ACCEPT all` rules at the end of FORWARD (typically Docker's docker0 interface rules). The ip6tables filter table is empty with policy ACCEPT on every chain, so nothing is filtered over IPv6 if the host has IPv6 connectivity. Port 6443 (kube-apiserver) is accepted from any source, and the IPVS table also publishes the API server via 147.75.76.10:443 and NodePort 30667 on every local address (including 127.0.0.1 and 172.17.0.1) — verify that exposure is intended.
Chain INPUT (policy DROP) | |
target prot opt source destination | |
cali-INPUT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Cz_u1IQiXIMmKD4c */ | |
KUBE-FIREWALL all -- 0.0.0.0/0 0.0.0.0/0 | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 | |
ACCEPT all -- 10.100.36.128/25 0.0.0.0/0 | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6443 /* K8s API port */ | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:8083:8084 /* Twistlock ports */ | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:9001:9022 /* Portworx TCP ports */ | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:32678:32679 /* Portworx Lighthouse management UI ports */ | |
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:9002 /* Portworx UDP port */ | |
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0 | |
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 | |
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 | |
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11 | |
Chain FORWARD (policy ACCEPT) | |
target prot opt source destination | |
cali-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* cali:wUHhoiAYhphO9Mso */ | |
KUBE-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */ | |
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0 | |
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0 | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED | |
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 | |
Chain OUTPUT (policy ACCEPT) | |
target prot opt source destination | |
cali-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:tVnHkvAo15HuiPy0 */ | |
KUBE-FIREWALL all -- 0.0.0.0/0 0.0.0.0/0 | |
Chain DOCKER (1 references) | |
target prot opt source destination | |
Chain DOCKER-ISOLATION-STAGE-1 (1 references) | |
target prot opt source destination | |
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0 | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 | |
Chain DOCKER-ISOLATION-STAGE-2 (1 references) | |
target prot opt source destination | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 | |
Chain DOCKER-USER (1 references) | |
target prot opt source destination | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 | |
Chain KUBE-FIREWALL (2 references) | |
target prot opt source destination | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000 | |
Chain KUBE-FORWARD (1 references) | |
target prot opt source destination | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */ mark match 0x4000/0x4000 | |
ACCEPT all -- 10.233.64.0/18 0.0.0.0/0 /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED | |
ACCEPT all -- 0.0.0.0/0 10.233.64.0/18 /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED | |
Chain cali-FORWARD (1 references) | |
target prot opt source destination | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:vjrMJCRpqwy5oRoX */ MARK and 0xfff1ffff | |
cali-from-hep-forward all -- 0.0.0.0/0 0.0.0.0/0 /* cali:A_sPAO0mcxbT9mOV */ mark match 0x0/0x10000 | |
cali-from-wl-dispatch all -- 0.0.0.0/0 0.0.0.0/0 /* cali:8ZoYfO5HKXWbB3pk */ | |
cali-to-wl-dispatch all -- 0.0.0.0/0 0.0.0.0/0 /* cali:jdEuaPBe14V2hutn */ | |
cali-to-hep-forward all -- 0.0.0.0/0 0.0.0.0/0 /* cali:12bc6HljsMKsmfr- */ | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:MH9kMp5aNICL-Olv */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000 | |
Chain cali-INPUT (1 references) | |
target prot opt source destination | |
ACCEPT 4 -- 0.0.0.0/0 0.0.0.0/0 /* cali:PajejrV4aFdkZojI */ /* Allow IPIP packets from Calico hosts */ match-set cali40all-hosts-net src ADDRTYPE match dst-type LOCAL | |
DROP 4 -- 0.0.0.0/0 0.0.0.0/0 /* cali:_wjq-Yrma8Ly1Svo */ /* Drop IPIP packets from non-Calico hosts */ | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:ss8lEMQsXi-s6qYT */ MARK and 0xfffff | |
cali-forward-check all -- 0.0.0.0/0 0.0.0.0/0 /* cali:PgIW-V0nEjwPhF_8 */ | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:QMJlDwlS0OjHyfMN */ mark match ! 0x0/0xfff00000 | |
cali-wl-to-host all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:nDRe73txrna-aZjG */ | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:iX2AYvqGXaVqwkro */ mark match 0x10000/0x10000 | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:bhpnxD5IRtBP8KW0 */ MARK and 0xfff0ffff | |
cali-from-host-endpoint all -- 0.0.0.0/0 0.0.0.0/0 /* cali:H5_bccAbHV0sooVy */ | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:inBL01YlfurT0dbI */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000 | |
Chain cali-OUTPUT (1 references) | |
target prot opt source destination | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Mq1_rAdXXH3YkrzW */ mark match 0x10000/0x10000 | |
cali-forward-endpoint-mark all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:5Z67OUUpTOM7Xa1a */ mark match ! 0x0/0xfff00000 | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:M2Wf0OehNdig8MHR */ | |
ACCEPT 4 -- 0.0.0.0/0 0.0.0.0/0 /* cali:AJBkLho_0Qd8LNr3 */ /* Allow IPIP packets to other Calico hosts */ match-set cali40all-hosts-net dst ADDRTYPE match src-type LOCAL | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:iz2RWXlXJDUfsLpe */ MARK and 0xfff0ffff | |
cali-to-host-endpoint all -- 0.0.0.0/0 0.0.0.0/0 /* cali:hXojbnLundZDgZyw */ | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:wankpMDC2Cy1KfBv */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000 | |
Chain cali-failsafe-in (0 references) | |
target prot opt source destination | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:wWFQM43tJU7wwnFZ */ multiport dports 22 | |
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 /* cali:LwNV--R8MjeUYacw */ multiport dports 68 | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:QOO5NUOqOSS1_Iw0 */ multiport dports 179 | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:cwZWoBSwVeIAZmVN */ multiport dports 2379 | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:7FbNXT91kugE_upR */ multiport dports 2380 | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:ywE9WYUBEpve70WT */ multiport dports 6666 | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:l-WQSVBf_lygPR0J */ multiport dports 6667 | |
Chain cali-failsafe-out (0 references) | |
target prot opt source destination | |
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 /* cali:82hjfji-wChFhAqL */ multiport dports 53 | |
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 /* cali:TNM3RfEjbNr72hgH */ multiport dports 67 | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:ycxKitIl4u3dK0HR */ multiport dports 179 | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:hxjEWyxdkXXkdvut */ multiport dports 2379 | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:cA_GLtruuvG88KiO */ multiport dports 2380 | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:Sb1hkLYFMrKS6r01 */ multiport dports 6666 | |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 /* cali:UwLSebGONJUG4yG- */ multiport dports 6667 | |
Chain cali-forward-check (1 references) | |
target prot opt source destination | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Pbldlb4FaULvpdD8 */ ctstate RELATED,ESTABLISHED | |
cali-set-endpoint-mark tcp -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:ZD-6UxuUtGW-xtzg */ /* To kubernetes NodePort service */ multiport dports 30000:32767 match-set cali40this-host dst | |
cali-set-endpoint-mark udp -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:CbPfUajQ2bFVnDq4 */ /* To kubernetes NodePort service */ multiport dports 30000:32767 match-set cali40this-host dst | |
cali-set-endpoint-mark all -- 0.0.0.0/0 0.0.0.0/0 /* cali:jmhU0ODogX-Zfe5g */ /* To kubernetes service */ ! match-set cali40this-host dst | |
Chain cali-forward-endpoint-mark (1 references) | |
target prot opt source destination | |
cali-from-endpoint-mark all -- 0.0.0.0/0 0.0.0.0/0 /* cali:O0SmFDrnm7KggWqW */ mark match ! 0x100000/0xfff00000 | |
cali-to-wl-dispatch all -- 0.0.0.0/0 0.0.0.0/0 /* cali:aFl0WFKRxDqj8oA6 */ | |
cali-to-hep-forward all -- 0.0.0.0/0 0.0.0.0/0 /* cali:AZKVrO3i_8cLai5f */ | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:96HaP1sFtb-NYoYA */ MARK and 0xfffff | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:VxO6hyNWz62YEtul */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000 | |
Chain cali-from-endpoint-mark (1 references) | |
target prot opt source destination | |
cali-fw-cali461b022d72b all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:9L9hOgtzxuYJ3hJg */ mark match 0x91a00000/0xfff00000 | |
cali-fw-cali7d61c847b92 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:VUqbxf7nBjMdp-E5 */ mark match 0xaf00000/0xfff00000 | |
cali-fw-calida99fcde832 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:z7qDG3St1TV4y6cr */ mark match 0xf1600000/0xfff00000 | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:TF_ac5GFIGsk1BDU */ /* Unknown interface */ | |
Chain cali-from-hep-forward (1 references) | |
target prot opt source destination | |
Chain cali-from-host-endpoint (1 references) | |
target prot opt source destination | |
Chain cali-from-wl-dispatch (2 references) | |
target prot opt source destination | |
cali-fw-cali461b022d72b all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:eYqYo_69-skjynFL */ | |
cali-fw-cali7d61c847b92 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:NVRYyhpAX7G6e8TV */ | |
cali-fw-calida99fcde832 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:4DzwyRlIz4XEwpVQ */ | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:AUhMlMSMbpNJAVFo */ /* Unknown interface */ | |
Chain cali-fw-cali461b022d72b (2 references) | |
target prot opt source destination | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:DRkYaDBojGrNonEf */ ctstate RELATED,ESTABLISHED | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:VhDczR83fqHBoqmn */ ctstate INVALID | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:VzRKpau3tSyJlyoZ */ MARK and 0xfffeffff | |
cali-pro-kns.kube-system all -- 0.0.0.0/0 0.0.0.0/0 /* cali:CSUndRNK-k9aqR-X */ | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:oMQe09syvdauMKHO */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
cali-pro-_Iv5DLIoH8BjXD9FGvw all -- 0.0.0.0/0 0.0.0.0/0 /* cali:zeODhTZDQ6fzfZsr */ | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:RqRnfvxa07AWspMz */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Y2XXQLNLAoeVc6rL */ /* Drop if no profiles matched */ | |
Chain cali-fw-cali7d61c847b92 (2 references) | |
target prot opt source destination | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:FhHpcuxM4QJAYpqG */ ctstate RELATED,ESTABLISHED | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:tVzSBA9qoZ76XcyA */ ctstate INVALID | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:takjTliU2ASgoHN8 */ MARK and 0xfffeffff | |
cali-pro-kns.kube-system all -- 0.0.0.0/0 0.0.0.0/0 /* cali:gs6mWXUtw3q8oLuC */ | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:CqF1f8hMOrzeTtnK */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
cali-pro-_LWv94PMvYKzzY3dhTl all -- 0.0.0.0/0 0.0.0.0/0 /* cali:tj_fjX31LZ68fdb9 */ | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:A4Q0WCC-UqKmdUKU */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:21epKlcAIkU3pJvA */ /* Drop if no profiles matched */ | |
Chain cali-fw-calida99fcde832 (2 references) | |
target prot opt source destination | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:dvUJ1XYyLuo6ZPgk */ ctstate RELATED,ESTABLISHED | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:F0a99AUzMf3rop66 */ ctstate INVALID | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:ribR3LojnP6kcsV5 */ MARK and 0xfffeffff | |
cali-pro-kns.cert-manager all -- 0.0.0.0/0 0.0.0.0/0 /* cali:abDgaiy1ZXZ-zbLr */ | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:61JVWkgehKKqc_gX */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
cali-pro-_PgPzuEog6NthE7r2PG all -- 0.0.0.0/0 0.0.0.0/0 /* cali:R_ss67kBI0ZCofnP */ | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:qUgeKxn57706Beqn */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:yVakR2nTUP7OOtkz */ /* Drop if no profiles matched */ | |
Chain cali-pri-_Iv5DLIoH8BjXD9FGvw (1 references) | |
target prot opt source destination | |
Chain cali-pri-_LWv94PMvYKzzY3dhTl (1 references) | |
target prot opt source destination | |
Chain cali-pri-_PgPzuEog6NthE7r2PG (1 references) | |
target prot opt source destination | |
Chain cali-pri-kns.cert-manager (1 references) | |
target prot opt source destination | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:VjKTHGfJJd5MQL70 */ MARK or 0x10000 | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:2Z9QPUpCU8jH5jkq */ mark match 0x10000/0x10000 | |
Chain cali-pri-kns.kube-system (2 references) | |
target prot opt source destination | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:zoH5gU6U55FKZxEo */ MARK or 0x10000 | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:bcGRIJcyOS9dgBiB */ mark match 0x10000/0x10000 | |
Chain cali-pro-_Iv5DLIoH8BjXD9FGvw (1 references) | |
target prot opt source destination | |
Chain cali-pro-_LWv94PMvYKzzY3dhTl (1 references) | |
target prot opt source destination | |
Chain cali-pro-_PgPzuEog6NthE7r2PG (1 references) | |
target prot opt source destination | |
Chain cali-pro-kns.cert-manager (1 references) | |
target prot opt source destination | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:mToMu4GtpvEgL8Z3 */ MARK or 0x10000 | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:SUxSX6T2k1OVPLgx */ mark match 0x10000/0x10000 | |
Chain cali-pro-kns.kube-system (2 references) | |
target prot opt source destination | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:-50oJuMfLVO3LkBk */ MARK or 0x10000 | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:ztVPKv1UYejNzm1g */ mark match 0x10000/0x10000 | |
Chain cali-set-endpoint-mark (3 references) | |
target prot opt source destination | |
cali-sm-cali461b022d72b all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:HS92PCi7s9WQalEe */ | |
cali-sm-cali7d61c847b92 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:9NEtCl8inGIpy_YN */ | |
cali-sm-calida99fcde832 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:9Q899yq7_UGzxnTO */ | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:SOGKocpt5jz7S68_ */ /* Unknown endpoint */ | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:ndZLgrJYkvn0CpPE */ /* Non-Cali endpoint mark */ MARK xset 0x100000/0xfff00000 | |
Chain cali-sm-cali461b022d72b (1 references) | |
target prot opt source destination | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:BeCkFig4QMXbWL8e */ MARK xset 0x91a00000/0xfff00000 | |
Chain cali-sm-cali7d61c847b92 (1 references) | |
target prot opt source destination | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:uB3gnUvoKdJ6cQPc */ MARK xset 0xaf00000/0xfff00000 | |
Chain cali-sm-calida99fcde832 (1 references) | |
target prot opt source destination | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:YtQ5yLjztYWCqUCC */ MARK xset 0xf1600000/0xfff00000 | |
Chain cali-to-hep-forward (2 references) | |
target prot opt source destination | |
Chain cali-to-host-endpoint (1 references) | |
target prot opt source destination | |
Chain cali-to-wl-dispatch (2 references) | |
target prot opt source destination | |
cali-tw-cali461b022d72b all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:8gy8pBQ_BP5gaHYr */ | |
cali-tw-cali7d61c847b92 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:OBLgcQvpBqwEK2OG */ | |
cali-tw-calida99fcde832 all -- 0.0.0.0/0 0.0.0.0/0 [goto] /* cali:UYs0_1NyRChgF34L */ | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:r38z6fp_ITVJfs-h */ /* Unknown interface */ | |
Chain cali-tw-cali461b022d72b (1 references) | |
target prot opt source destination | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:ZlYZfKLEaFcV9YrQ */ ctstate RELATED,ESTABLISHED | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:uMqzIAn8vmrXVjGA */ ctstate INVALID | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:HuOApeXoY9EsE6x7 */ MARK and 0xfffeffff | |
cali-pri-kns.kube-system all -- 0.0.0.0/0 0.0.0.0/0 /* cali:IEFNgFCW6A6UbWEB */ | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Wt7Qde0al9Cqkvn3 */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
cali-pri-_Iv5DLIoH8BjXD9FGvw all -- 0.0.0.0/0 0.0.0.0/0 /* cali:1MX2d7oOdNM9vlPj */ | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Zhs60oLryhNxQuAM */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:ECqflxAhTev6Pf-A */ /* Drop if no profiles matched */ | |
Chain cali-tw-cali7d61c847b92 (1 references) | |
target prot opt source destination | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:_hsPx9KpWxkyNVSh */ ctstate RELATED,ESTABLISHED | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:-Uz092NE-M_s8Gud */ ctstate INVALID | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:7ow13bY4SvR1ik6R */ MARK and 0xfffeffff | |
cali-pri-kns.kube-system all -- 0.0.0.0/0 0.0.0.0/0 /* cali:atrLDON_jXmTL1vV */ | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:dhEacU-aIFpWyTf7 */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
cali-pri-_LWv94PMvYKzzY3dhTl all -- 0.0.0.0/0 0.0.0.0/0 /* cali:YoGCZI3pOBUXPujV */ | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:_19mnnEveKOOhZQK */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:hdHNEAlK4ea_ARs8 */ /* Drop if no profiles matched */ | |
Chain cali-tw-calida99fcde832 (1 references) | |
target prot opt source destination | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:0oYHyLJh4IfU0hlT */ ctstate RELATED,ESTABLISHED | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:jjSDHRks38MvVcuW */ ctstate INVALID | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 /* cali:bh3ooIi2Qu-cu2gP */ MARK and 0xfffeffff | |
cali-pri-kns.cert-manager all -- 0.0.0.0/0 0.0.0.0/0 /* cali:qoFyfK3oL0Vm546J */ | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:me94awEoNLtSNCjo */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
cali-pri-_PgPzuEog6NthE7r2PG all -- 0.0.0.0/0 0.0.0.0/0 /* cali:or4SynUqZ3-3EvFV */ | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:tk858jYRZNY2qdiq */ /* Return if profile accepted */ mark match 0x10000/0x10000 | |
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* cali:p8fENSil492zzmG0 */ /* Drop if no profiles matched */ | |
Chain cali-wl-to-host (1 references) | |
target prot opt source destination | |
cali-from-wl-dispatch all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Ee9Sbo10IpVujdIY */ | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* cali:sO1YJiY1b553biDi */ /* Configured DefaultEndpointToHostAction */ |
Chain PREROUTING (policy ACCEPT) | |
target prot opt source destination | |
cali-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0 /* cali:6gwbT8clXdHdC1b1 */ | |
KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */ | |
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL | |
Chain INPUT (policy ACCEPT) | |
target prot opt source destination | |
Chain OUTPUT (policy ACCEPT) | |
target prot opt source destination | |
cali-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0 /* cali:tVnHkvAo15HuiPy0 */ | |
KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */ | |
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL | |
Chain POSTROUTING (policy ACCEPT) | |
target prot opt source destination | |
cali-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0 /* cali:O3lYWMrLQYEMJtB5 */ | |
KUBE-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes postrouting rules */ | |
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0 | |
Chain DOCKER (2 references) | |
target prot opt source destination | |
RETURN all -- 0.0.0.0/0 0.0.0.0/0 | |
Chain KUBE-FIREWALL (0 references) | |
target prot opt source destination | |
KUBE-MARK-DROP all -- 0.0.0.0/0 0.0.0.0/0 | |
Chain KUBE-LOAD-BALANCER (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ all -- 0.0.0.0/0 0.0.0.0/0 | |
Chain KUBE-MARK-DROP (1 references) | |
target prot opt source destination | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x8000 | |
Chain KUBE-MARK-MASQ (3 references) | |
target prot opt source destination | |
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x4000 | |
Chain KUBE-NODE-PORT (1 references) | |
target prot opt source destination | |
KUBE-MARK-MASQ tcp -- 0.0.0.0/0 0.0.0.0/0 /* Kubernetes nodeport TCP port for masquerade purpose */ match-set KUBE-NODE-PORT-TCP dst | |
Chain KUBE-POSTROUTING (1 references) | |
target prot opt source destination | |
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000 | |
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 /* Kubernetes endpoints dst ip:port, source ip for solving hairpin purpose */ match-set KUBE-LOOP-BACK dst,dst,src | |
Chain KUBE-SERVICES (2 references) | |
target prot opt source destination | |
KUBE-LOAD-BALANCER all -- 0.0.0.0/0 0.0.0.0/0 /* Kubernetes service lb portal */ match-set KUBE-LOAD-BALANCER dst,dst | |
KUBE-MARK-MASQ all -- !10.233.64.0/18 0.0.0.0/0 /* Kubernetes service cluster ip + port for masquerade purpose */ match-set KUBE-CLUSTER-IP dst,dst | |
KUBE-NODE-PORT all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-CLUSTER-IP dst,dst | |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-LOAD-BALANCER dst,dst | |
Chain cali-OUTPUT (1 references) | |
target prot opt source destination | |
cali-fip-dnat all -- 0.0.0.0/0 0.0.0.0/0 /* cali:GBTAv2p5CwevEyJm */ | |
Chain cali-POSTROUTING (1 references) | |
target prot opt source destination | |
cali-fip-snat all -- 0.0.0.0/0 0.0.0.0/0 /* cali:Z-c7XtVd2Bq7s_hA */ | |
cali-nat-outgoing all -- 0.0.0.0/0 0.0.0.0/0 /* cali:nYKhEzDlr11Jccal */ | |
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 /* cali:SXWvdsbh4Mw7wOln */ ADDRTYPE match src-type !LOCAL limit-out ADDRTYPE match src-type LOCAL random-fully | |
Chain cali-PREROUTING (1 references) | |
target prot opt source destination | |
cali-fip-dnat all -- 0.0.0.0/0 0.0.0.0/0 /* cali:r6XmIziWUJsdOK6Z */ | |
Chain cali-fip-dnat (2 references) | |
target prot opt source destination | |
Chain cali-fip-snat (1 references) | |
target prot opt source destination | |
Chain cali-nat-outgoing (1 references) | |
target prot opt source destination | |
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 /* cali:flqWnvo8yq4ULQLa */ match-set cali40masq-ipam-pools src ! match-set cali40all-ipam-pools dst random-fully |
IP Virtual Server version 1.2.1 (size=4096) | |
Prot LocalAddress:Port Scheduler Flags | |
-> RemoteAddress:Port Forward Weight ActiveConn InActConn | |
TCP 147.75.76.10:443 rr | |
-> 10.100.36.129:6443 Masq 1 0 0 | |
-> 10.100.36.135:6443 Masq 1 0 0 | |
-> 10.100.36.137:6443 Masq 1 0 0 | |
TCP 147.75.77.83:30667 rr | |
-> 10.100.36.129:6443 Masq 1 0 0 | |
-> 10.100.36.135:6443 Masq 1 0 0 | |
-> 10.100.36.137:6443 Masq 1 0 0 | |
TCP 10.100.36.131:30667 rr | |
-> 10.100.36.129:6443 Masq 1 0 0 | |
-> 10.100.36.135:6443 Masq 1 0 0 | |
-> 10.100.36.137:6443 Masq 1 0 0 | |
TCP 10.233.0.1:443 rr | |
-> 10.100.36.129:6443 Masq 1 3 0 | |
-> 10.100.36.135:6443 Masq 1 0 0 | |
-> 10.100.36.137:6443 Masq 1 1 0 | |
TCP 10.233.0.3:53 rr | |
-> 10.233.99.3:53 Masq 1 0 0 | |
-> 10.233.115.1:53 Masq 1 0 0 | |
TCP 10.233.0.3:9153 rr | |
-> 10.233.99.3:9153 Masq 1 0 0 | |
-> 10.233.115.1:9153 Masq 1 0 0 | |
TCP 10.233.21.200:443 rr | |
-> 10.233.99.4:443 Masq 1 0 0 | |
TCP 10.233.50.28:44134 rr | |
-> 10.233.65.3:44134 Masq 1 0 0 | |
TCP 10.233.54.42:443 rr | |
-> 10.233.76.1:8443 Masq 1 0 0 | |
TCP 10.233.65.0:30667 rr | |
-> 10.100.36.129:6443 Masq 1 0 0 | |
-> 10.100.36.135:6443 Masq 1 0 0 | |
-> 10.100.36.137:6443 Masq 1 0 0 | |
TCP 127.0.0.1:30667 rr | |
-> 10.100.36.129:6443 Masq 1 0 0 | |
-> 10.100.36.135:6443 Masq 1 0 0 | |
-> 10.100.36.137:6443 Masq 1 0 0 | |
TCP 172.17.0.1:30667 rr | |
-> 10.100.36.129:6443 Masq 1 0 0 | |
-> 10.100.36.135:6443 Masq 1 0 0 | |
-> 10.100.36.137:6443 Masq 1 0 0 | |
UDP 10.233.0.3:53 rr | |
-> 10.233.99.3:53 Masq 1 0 0 | |
-> 10.233.115.1:53 Masq 1 0 0 |
ip6tables -nL (filter table: all chains empty with policy ACCEPT — no IPv6 filtering is in place; add equivalent IPv6 rules or disable IPv6 if the host has a routable v6 address) | |
Chain INPUT (policy ACCEPT) | |
target prot opt source destination | |
Chain FORWARD (policy ACCEPT) | |
target prot opt source destination | |
Chain OUTPUT (policy ACCEPT) | |
target prot opt source destination | |
ip6tables -nL -t nat (nat table: all chains empty with policy ACCEPT) | |
Chain PREROUTING (policy ACCEPT) | |
target prot opt source destination | |
Chain INPUT (policy ACCEPT) | |
target prot opt source destination | |
Chain OUTPUT (policy ACCEPT) | |
target prot opt source destination | |
Chain POSTROUTING (policy ACCEPT) | |
target prot opt source destination |