[root@tomo-centos ~]# iptables-save
# Generated by iptables-save v1.4.21 on Tue Dec 10 07:44:03 2019
*filter
# All three built-in chains default to ACCEPT, so nothing in this table denies
# traffic unless a rule below explicitly DROPs it. The only DROPs here are for
# fwmark-tagged packets (MULTUS-FIREWALL) and conntrack-INVALID packets
# (MULTUS-FORWARD); any host-level ingress filtering has to live elsewhere.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The MULTUS-* chains mirror the kube-proxy KUBE-* chain layout (the rule
# comments are kube-proxy's own). In this table MULTUS-EXTERNAL-SERVICES and
# MULTUS-SERVICES are declared but contain no rules.
:MULTUS-EXTERNAL-SERVICES - [0:0]
:MULTUS-FIREWALL - [0:0]
:MULTUS-FORWARD - [0:0]
:MULTUS-SERVICES - [0:0]
# INPUT: new connections pass through the (empty) service chains, then every
# packet is checked against MULTUS-FIREWALL.
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j MULTUS-SERVICES
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j MULTUS-EXTERNAL-SERVICES
-A INPUT -j MULTUS-FIREWALL
# FORWARD: MULTUS-FORWARD runs first, so its INVALID drop is applied before
# the two blanket accepts that follow. After that, anything with the pod CIDR
# 10.56.217.0/24 as source OR destination is accepted unconditionally. Those
# two rules make the RELATED,ESTABLISHED accepts inside MULTUS-FORWARD
# redundant and mean no per-pod / per-policy filtering happens in this table
# for that CIDR - isolation, if required, must be enforced in another chain
# or by another component.
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j MULTUS-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j MULTUS-SERVICES
-A FORWARD -s 10.56.217.0/24 -j ACCEPT
-A FORWARD -d 10.56.217.0/24 -j ACCEPT
# OUTPUT: same shape as INPUT - (empty) service chain, then MULTUS-FIREWALL.
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j MULTUS-SERVICES
-A OUTPUT -j MULTUS-FIREWALL
# MULTUS-FIREWALL: drop packets carrying fwmark bit 0x8000. That bit is set by
# MULTUS-MARK-DROP in the nat table, but nothing in this dump jumps to
# MULTUS-MARK-DROP, so this rule currently matches nothing.
-A MULTUS-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
# MULTUS-FORWARD: drop conntrack-INVALID packets; accept packets carrying the
# 0x4000 bit (set by MULTUS-MARK-MASQ in the nat table for service traffic);
# accept RELATED,ESTABLISHED flows to or from the pod CIDR. Anything else falls
# back to the FORWARD chain, where the blanket pod-CIDR accepts above apply.
-A MULTUS-FORWARD -m conntrack --ctstate INVALID -j DROP
-A MULTUS-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A MULTUS-FORWARD -s 10.56.217.0/24 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A MULTUS-FORWARD -d 10.56.217.0/24 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Dec 10 07:44:03 2019
# Generated by iptables-save v1.4.21 on Tue Dec 10 07:44:03 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# fwmark helper chains: 0x4000 = "needs SNAT", 0x8000 = "drop" (consumed by
# MULTUS-POSTROUTING below and MULTUS-FIREWALL in the filter table).
# NOTE(review): these look like the bit values kube-proxy uses for its own
# KUBE-MARK-MASQ / KUBE-MARK-DROP chains - if kube-proxy also runs on this
# node, confirm the two proxies are not sharing (and overwriting) these bits.
:MULTUS-MARK-DROP - [0:0]
:MULTUS-MARK-MASQ - [0:0]
# MULTUS-NODEPORTS is declared and jumped to from MULTUS-SERVICES but holds
# no rules in this dump (no NodePort services).
:MULTUS-NODEPORTS - [0:0]
:MULTUS-POSTROUTING - [0:0]
# Exactly one service is programmed: default/my-nginx, ClusterIP
# 10.103.35.161:80, with a single endpoint 10.56.217.19:80.
:MULTUS-SEP-X7P25DJLXRTQWWLW - [0:0]
:MULTUS-SERVICES - [0:0]
:MULTUS-SVC-BEPXDJBUHFCSYIC3 - [0:0]
# Service DNAT is applied both to traffic arriving on the node (PREROUTING)
# and to locally generated traffic (OUTPUT).
-A PREROUTING -m comment --comment "kubernetes service portals" -j MULTUS-SERVICES
-A OUTPUT -m comment --comment "kubernetes service portals" -j MULTUS-SERVICES
# POSTROUTING: service SNAT first, then the pod-CIDR masquerade rules.
#  - pod -> pod inside 10.56.217.0/24: RETURN, i.e. no SNAT (chain policy is
#    ACCEPT, so RETURN ends processing here).
#  - pod -> anything else except multicast: MASQUERADE, so the source seen
#    outside the node is the node address, not the pod IP. Upstream logs and
#    source-based ACLs therefore cannot distinguish individual pods.
#  - non-pod -> pod: RETURN.
#  - The final MASQUERADE rule is unreachable: it matches exactly the same
#    traffic as the RETURN immediately before it. Harmless, but dead config.
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j MULTUS-POSTROUTING
-A POSTROUTING -s 10.56.217.0/24 -d 10.56.217.0/24 -j RETURN
-A POSTROUTING -s 10.56.217.0/24 ! -d 224.0.0.0/4 -j MASQUERADE
-A POSTROUTING ! -s 10.56.217.0/24 -d 10.56.217.0/24 -j RETURN
-A POSTROUTING ! -s 10.56.217.0/24 -d 10.56.217.0/24 -j MASQUERADE
# Set the drop / SNAT mark bits (OR into the existing fwmark via --set-xmark
# with a single-bit mask, so other bits are preserved).
-A MULTUS-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A MULTUS-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
# Masquerade anything MULTUS-MARK-MASQ tagged.
-A MULTUS-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
# Endpoint chain: if the endpoint itself is the client (hairpin), mark for
# SNAT; then DNAT to the endpoint. The DNAT rule carries no --dport match and
# rewrites any TCP packet that reaches it - it relies on MULTUS-SERVICES
# having already restricted the path to ClusterIP:80. Keep that in mind if
# this chain is ever jumped to from somewhere else.
-A MULTUS-SEP-X7P25DJLXRTQWWLW -s 10.56.217.19/32 -j MULTUS-MARK-MASQ
-A MULTUS-SEP-X7P25DJLXRTQWWLW -p tcp -m tcp -j DNAT --to-destination 10.56.217.19:80
# Service dispatch: ClusterIP:80 traffic whose source is outside the pod CIDR
# is first marked for SNAT, then all ClusterIP:80 traffic is sent to the
# service chain. The addrtype LOCAL rule must remain the last rule, as the
# comment says, so that ClusterIP matches take precedence over NodePort lookup.
-A MULTUS-SERVICES ! -s 10.56.217.0/24 -d 10.103.35.161/32 -p tcp -m comment --comment "default/my-nginx: cluster IP" -m tcp --dport 80 -j MULTUS-MARK-MASQ
-A MULTUS-SERVICES -d 10.103.35.161/32 -p tcp -m comment --comment "default/my-nginx: cluster IP" -m tcp --dport 80 -j MULTUS-SVC-BEPXDJBUHFCSYIC3
-A MULTUS-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j MULTUS-NODEPORTS
# Single endpoint, so the service chain is a plain jump (no --probability
# load balancing).
-A MULTUS-SVC-BEPXDJBUHFCSYIC3 -j MULTUS-SEP-X7P25DJLXRTQWWLW
COMMIT
# Completed on Tue Dec 10 07:44:03 2019