Created
December 1, 2016 18:40
-
-
Save pingles/48eba04ed9500c0266ad3d07097781f4 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1 | |
| link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 | |
| 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP mode DEFAULT group default qlen 1000 | |
| link/ether 06:51:19:2f:5f:2f brd ff:ff:ff:ff:ff:ff | |
| 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default | |
| link/ether 02:42:ee:61:d2:e0 brd ff:ff:ff:ff:ff:ff | |
| 23: cali6cc6f782621@docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP mode DEFAULT group default | |
| link/ether 62:da:0e:8e:66:d9 brd ff:ff:ff:ff:ff:ff | |
| 25: calic711b41d174@docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP mode DEFAULT group default | |
| link/ether 32:be:91:79:f4:c9 brd ff:ff:ff:ff:ff:ff |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Chain INPUT (policy ACCEPT 0 packets, 0 bytes) | |
| pkts bytes target prot opt in out source destination | |
| 55 15842 felix-INPUT all -- any any anywhere anywhere | |
| 323 151K KUBE-FIREWALL all -- any any anywhere anywhere | |
| Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 felix-FORWARD all -- any any anywhere anywhere | |
| Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) | |
| pkts bytes target prot opt in out source destination | |
| 63 10580 felix-OUTPUT all -- any any anywhere anywhere | |
| 3711 303K KUBE-FIREWALL all -- any any anywhere anywhere | |
| 3431 244K KUBE-SERVICES all -- any any anywhere anywhere /* kubernetes service portals */ | |
| Chain DOCKER (0 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain DOCKER-ISOLATION (0 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain KUBE-FIREWALL (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 DROP all -- any any anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000 | |
| Chain KUBE-SERVICES (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 REJECT udp -- any any anywhere 100.64.0.10 /* kube-system/kube-dns:dns has no endpoints */ udp dpt:domain reject-with icmp-port-unreachable | |
| 0 0 REJECT tcp -- any any anywhere 100.64.0.10 /* kube-system/kube-dns:dns-tcp has no endpoints */ tcp dpt:domain reject-with icmp-port-unreachable | |
| Chain felix-FAILSAFE-IN (0 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh | |
| Chain felix-FAILSAFE-OUT (0 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:2379 | |
| 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:2380 | |
| 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:4001 | |
| 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:afs3-callback | |
| Chain felix-FORWARD (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 DROP all -- cali+ any anywhere anywhere ctstate INVALID | |
| 0 0 DROP all -- any cali+ anywhere anywhere ctstate INVALID | |
| 0 0 ACCEPT all -- cali+ any anywhere anywhere ctstate RELATED,ESTABLISHED | |
| 0 0 ACCEPT all -- any cali+ anywhere anywhere ctstate RELATED,ESTABLISHED | |
| 0 0 felix-FROM-ENDPOINT all -- cali+ any anywhere anywhere | |
| 0 0 felix-TO-ENDPOINT all -- any cali+ anywhere anywhere | |
| 0 0 ACCEPT all -- cali+ any anywhere anywhere | |
| 0 0 ACCEPT all -- any cali+ anywhere anywhere | |
| Chain felix-FROM-ENDPOINT (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 felix-from-c711b41d174 all -- calic711b41d174 any anywhere anywhere [goto] | |
| 0 0 felix-from-6cc6f782621 all -- cali6cc6f782621 any anywhere anywhere [goto] | |
| 0 0 DROP all -- any any anywhere anywhere /* From unknown endpoint */ | |
| Chain felix-FROM-HOST-IF (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 RETURN all -- any any anywhere anywhere /* Unknown interface, return */ | |
| Chain felix-INPUT (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 DROP all -- any any anywhere anywhere ctstate INVALID | |
| 55 15842 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED | |
| 0 0 felix-FROM-HOST-IF all -- !cali+ any anywhere anywhere [goto] | |
| 0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootpc dpt:bootps | |
| 0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:domain | |
| 0 0 felix-FROM-ENDPOINT all -- any any anywhere anywhere | |
| Chain felix-OUTPUT (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 DROP all -- any any anywhere anywhere ctstate INVALID | |
| 36 8698 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED | |
| 27 1882 felix-TO-HOST-IF all -- any !cali+ anywhere anywhere [goto] | |
| Chain felix-TO-ENDPOINT (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 felix-to-c711b41d174 all -- any calic711b41d174 anywhere anywhere [goto] | |
| 0 0 felix-to-6cc6f782621 all -- any cali6cc6f782621 anywhere anywhere [goto] | |
| 0 0 DROP all -- any any anywhere anywhere /* To unknown endpoint */ | |
| Chain felix-TO-HOST-IF (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 27 1882 RETURN all -- any any anywhere anywhere /* Unknown interface, return */ | |
| Chain felix-from-6cc6f782621 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 MARK all -- any any anywhere anywhere MARK and 0xfeffffff | |
| 0 0 DROP all -- any any anywhere anywhere MAC ! 2A:B2:17:DE:5F:B4 /* Incorrect source MAC */ | |
| 0 0 felix-p-_0f05888047b5982-o all -- any any anywhere anywhere | |
| 0 0 RETURN all -- any any anywhere anywhere mark match 0x1000000/0x1000000 /* Profile accepted packet */ | |
| 0 0 DROP all -- any any anywhere anywhere /* Packet did not match any profile (endpoint eth0) */ | |
| Chain felix-from-c711b41d174 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 MARK all -- any any anywhere anywhere MARK and 0xfeffffff | |
| 0 0 DROP all -- any any anywhere anywhere MAC ! CE:C4:49:39:50:3A /* Incorrect source MAC */ | |
| 0 0 felix-p-_0f05888047b5982-o all -- any any anywhere anywhere | |
| 0 0 RETURN all -- any any anywhere anywhere mark match 0x1000000/0x1000000 /* Profile accepted packet */ | |
| 0 0 DROP all -- any any anywhere anywhere /* Packet did not match any profile (endpoint eth0) */ | |
| Chain felix-p-_0f05888047b5982-i (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 DROP all -- any any anywhere anywhere /* WARNING Missing chain */ | |
| Chain felix-p-_0f05888047b5982-o (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 DROP all -- any any anywhere anywhere /* WARNING Missing chain */ | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 felix-PREROUTING all -- any any anywhere anywhere | |
| 372 25883 KUBE-SERVICES all -- any any anywhere anywhere /* kubernetes service portals */ | |
| 18 1108 DOCKER all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL | |
| Chain INPUT (policy ACCEPT 0 packets, 0 bytes) | |
| pkts bytes target prot opt in out source destination | |
| Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) | |
| pkts bytes target prot opt in out source destination | |
| 4519 309K KUBE-SERVICES all -- any any anywhere anywhere /* kubernetes service portals */ | |
| 0 0 DOCKER all -- any any anywhere !loopback/8 ADDRTYPE match dst-type LOCAL | |
| Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) | |
| pkts bytes target prot opt in out source destination | |
| 165 11442 felix-POSTROUTING all -- any any anywhere anywhere | |
| 4626 315K KUBE-POSTROUTING all -- any any anywhere anywhere /* kubernetes postrouting rules */ | |
| 112 7088 MASQUERADE all -- any !docker0 ip-172-17-0-0.eu-west-1.compute.internal/16 anywhere | |
| 0 0 RETURN all -- any any ip-192-168-0-0.eu-west-1.compute.internal/16 ip-192-168-0-0.eu-west-1.compute.internal/16 | |
| 0 0 MASQUERADE all -- any any ip-192-168-0-0.eu-west-1.compute.internal/16 !base-address.mcast.net/4 | |
| 0 0 MASQUERADE all -- any any !ip-192-168-0-0.eu-west-1.compute.internal/16 ip-192-168-0-0.eu-west-1.compute.internal/16 | |
| Chain DOCKER (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 RETURN all -- docker0 any anywhere anywhere | |
| Chain KUBE-MARK-DROP (0 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 MARK all -- any any anywhere anywhere MARK or 0x8000 | |
| Chain KUBE-MARK-MASQ (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 MARK all -- any any anywhere anywhere MARK or 0x4000 | |
| Chain KUBE-NODEPORTS (1 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain KUBE-POSTROUTING (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 MASQUERADE all -- any any anywhere anywhere /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000 | |
| Chain KUBE-SEP-BUKAGQA2UQPZNZBS (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 KUBE-MARK-MASQ all -- any any ip-172-20-11-171.eu-west-1.compute.internal anywhere /* default/kubernetes:https */ | |
| 0 0 DNAT tcp -- any any anywhere anywhere /* default/kubernetes:https */ recent: SET name: KUBE-SEP-BUKAGQA2UQPZNZBS side: source mask: 255.255.255.255 tcp to:172.20.11.171:443 | |
| Chain KUBE-SERVICES (2 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 KUBE-SVC-NPX46M4PTMTKRN6Y tcp -- any any anywhere 100.64.0.1 /* default/kubernetes:https cluster IP */ tcp dpt:https | |
| 0 0 KUBE-SVC-TCOU7JCQXEZGVUNU udp -- any any anywhere 100.64.0.10 /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain | |
| 0 0 KUBE-SVC-ERIFXISQEP7F7OF4 tcp -- any any anywhere 100.64.0.10 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain | |
| 0 0 KUBE-NODEPORTS all -- any any anywhere anywhere /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL | |
| Chain KUBE-SVC-ERIFXISQEP7F7OF4 (1 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain KUBE-SVC-NPX46M4PTMTKRN6Y (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 KUBE-SEP-BUKAGQA2UQPZNZBS all -- any any anywhere anywhere /* default/kubernetes:https */ recent: CHECK seconds: 180 reap name: KUBE-SEP-BUKAGQA2UQPZNZBS side: source mask: 255.255.255.255 | |
| 0 0 KUBE-SEP-BUKAGQA2UQPZNZBS all -- any any anywhere anywhere /* default/kubernetes:https */ | |
| Chain KUBE-SVC-TCOU7JCQXEZGVUNU (1 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain felix-FIP-DNAT (1 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain felix-FIP-SNAT (1 references) | |
| pkts bytes target prot opt in out source destination | |
| Chain felix-POSTROUTING (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 165 11442 felix-FIP-SNAT all -- any any anywhere anywhere | |
| Chain felix-PREROUTING (1 references) | |
| pkts bytes target prot opt in out source destination | |
| 0 0 felix-FIP-DNAT all -- any any anywhere anywhere |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment