service analysis - iptables

-> % svcs -n twistlock

NAME                TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
twistlock-console   ClusterIP   10.103.43.18   <none>        8084/TCP,8083/TCP,8081/TCP   18h

-> % k get ep -n twistlock

NAME                ENDPOINTS                                                  AGE
twistlock-console   10.103.129.17:8081,10.103.129.17:8084,10.103.129.17:8083   18h

ubuntu@192:~$ ifconfig | grep addr:1

inet addr:10.103.129.1  Bcast:0.0.0.0  Mask:255.255.255.0
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          inet addr:192.168.10.11  Bcast:192.168.10.255  Mask:255.255.255.0
          inet addr:10.103.129.0  Bcast:0.0.0.0  Mask:255.255.255.255
          inet addr:127.0.0.1  Mask:255.0.0.0

ubuntu@192:~$ sudo iptables -t nat -L KUBE-SERVICES | grep 10.103.43.18

KUBE-MARK-MASQ  tcp  -- !10.103.128.0/17      10.103.43.18         /* twistlock/twistlock-console:communication-port cluster IP */ tcp dpt:8084
KUBE-SVC-NUGF3LQ6TFSOZ2XU  tcp  --  anywhere             10.103.43.18         /* twistlock/twistlock-console:communication-port cluster IP */ tcp dpt:8084
KUBE-MARK-MASQ  tcp  -- !10.103.128.0/17      10.103.43.18         /* twistlock/twistlock-console:mgmt-http cluster IP */ tcp dpt:tproxy
KUBE-SVC-6WZ66WA6PLOSG2HF  tcp  --  anywhere             10.103.43.18         /* twistlock/twistlock-console:mgmt-http cluster IP */ tcp dpt:tproxy
KUBE-MARK-MASQ  tcp  -- !10.103.128.0/17      10.103.43.18         /* twistlock/twistlock-console:management-port-https cluster IP */ tcp dpt:8083
KUBE-SVC-DWPXVHDV3KJE54QM  tcp  --  anywhere             10.103.43.18         /* twistlock/twistlock-console:management-port-https cluster IP */ tcp dpt:8083

ubuntu@192:~$ ifconfig

flannel.1 Link encap:Ethernet  HWaddr 9e:2e:c9:d9:4e:4b
          inet addr:10.103.129.0  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: fe80::9c2e:c9ff:fed9:4e4b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
          RX packets:1010384 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1048654 errors:0 dropped:8 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:95945634 (95.9 MB)  TX bytes:130650389 (130.6 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:643266 errors:0 dropped:0 overruns:0 frame:0
          TX packets:643266 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:544466873 (544.4 MB)  TX bytes:544466873 (544.4 MB)

ubuntu@192:~$ sudo iptables-save | grep 10.103.129.17

-A KUBE-SEP-7RPMXMBGWMXFV533 -s 10.103.129.17/32 -m comment --comment "twistlock/twistlock-console:mgmt-http" -j KUBE-MARK-MASQ
-A KUBE-SEP-7RPMXMBGWMXFV533 -p tcp -m comment --comment "twistlock/twistlock-console:mgmt-http" -m tcp -j DNAT --to-destination 10.103.129.17:8081
-A KUBE-SEP-LLDOQJDOFC7PPC2H -s 10.103.129.17/32 -m comment --comment "twistlock/twistlock-console:management-port-https" -j KUBE-MARK-MASQ
-A KUBE-SEP-LLDOQJDOFC7PPC2H -p tcp -m comment --comment "twistlock/twistlock-console:management-port-https" -m tcp -j DNAT --to-destination 10.103.129.17:8083
-A KUBE-SEP-Q4X76AYPHTL5KJFE -s 10.103.129.17/32 -m comment --comment "twistlock/twistlock-console:communication-port" -j KUBE-MARK-MASQ
-A KUBE-SEP-Q4X76AYPHTL5KJFE -p tcp -m comment --comment "twistlock/twistlock-console:communication-port" -m tcp -j DNAT --to-destination 10.103.129.17:8084

ubuntu@192:~$ sudo iptables-save | grep 10.103.43.18

-A KUBE-SERVICES ! -s 10.103.128.0/17 -d 10.103.43.18/32 -p tcp -m comment --comment "twistlock/twistlock-console:communication-port cluster IP" -m tcp --dport 8084 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.103.43.18/32 -p tcp -m comment --comment "twistlock/twistlock-console:communication-port cluster IP" -m tcp --dport 8084 -j KUBE-SVC-NUGF3LQ6TFSOZ2XU
-A KUBE-SERVICES ! -s 10.103.128.0/17 -d 10.103.43.18/32 -p tcp -m comment --comment "twistlock/twistlock-console:mgmt-http cluster IP" -m tcp --dport 8081 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.103.43.18/32 -p tcp -m comment --comment "twistlock/twistlock-console:mgmt-http cluster IP" -m tcp --dport 8081 -j KUBE-SVC-6WZ66WA6PLOSG2HF
-A KUBE-SERVICES ! -s 10.103.128.0/17 -d 10.103.43.18/32 -p tcp -m comment --comment "twistlock/twistlock-console:management-port-https cluster IP" -m tcp --dport 8083 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.103.43.18/32 -p tcp -m comment --comment "twistlock/twistlock-console:management-port-https cluster IP" -m tcp --dport 8083 -j KUBE-SVC-DWPXVHDV3KJE54QM

ubuntu@192:~$ sudo iptables-save | grep KUBE-SEP-7RPMXMBGWMXFV533

:KUBE-SEP-7RPMXMBGWMXFV533 - [0:0]
-A KUBE-SEP-7RPMXMBGWMXFV533 -s 10.103.129.17/32 -m comment --comment "twistlock/twistlock-console:mgmt-http" -j KUBE-MARK-MASQ
-A KUBE-SEP-7RPMXMBGWMXFV533 -p tcp -m comment --comment "twistlock/twistlock-console:mgmt-http" -m tcp -j DNAT --to-destination 10.103.129.17:8081
-A KUBE-SVC-6WZ66WA6PLOSG2HF -m comment --comment "twistlock/twistlock-console:mgmt-http" -j KUBE-SEP-7RPMXMBGWMXFV533
-A KUBE-SVC-6WZ66WA6PLOSG2HF -m comment --comment "twistlock/twistlock-console:mgmt-http" -j KUBE-SEP-7RPMXMBGWMXFV533