@seanknox
Created May 7, 2018 15:06
# Generated by iptables-save v1.6.1 on Mon May 7 15:06:25 2018
*filter
# filter table: host-level packet filtering for this node.
# All three built-in chains keep an ACCEPT policy (the [packets:bytes] values
# are the snapshot's counters), so anything not hit by an explicit DROP/REJECT
# below is allowed. The only rules present are kube-proxy's KUBE-* chains;
# there is no operator-authored host firewall in this table.
:INPUT ACCEPT [172:68334]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [183:40154]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
# INPUT and OUTPUT both pass through KUBE-FIREWALL first, which drops any
# packet carrying the 0x8000 mark (set by nat/KUBE-MARK-DROP).
-A INPUT -j KUBE-FIREWALL
# New inbound connections are checked against KUBE-EXTERNAL-SERVICES; that
# chain is empty in this snapshot, so the jump is currently a no-op.
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A OUTPUT -j KUBE-FIREWALL
# Only new, locally generated connections go through filter/KUBE-SERVICES;
# forwarded (pod-originated) traffic does not, see KUBE-FORWARD below.
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
# KUBE-FORWARD: accept packets marked 0x4000 (service traffic that will be
# masqueraded) and RELATED/ESTABLISHED traffic to or from the pod CIDR
# 10.1.0.0/16. Because FORWARD's policy is ACCEPT, a forwarded packet that
# matches none of these is accepted anyway: these rules do not restrict
# pod-to-pod or pod-to-host traffic, and no NetworkPolicy enforcement is
# visible in this table (if any exists it would come from the CNI, not shown).
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -s 10.1.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-FORWARD -d 10.1.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# KUBE-SERVICES (filter): REJECT new connections to ClusterIPs of Services
# that had no endpoints at capture time, so clients get an immediate ICMP
# port-unreachable instead of a hang. kube-dns (10.0.0.10:53 udp and tcp)
# and kubernetes-dashboard (10.0.0.152:443) were both endpoint-less here,
# i.e. cluster DNS was not serving when this snapshot was taken.
# Note the nat table has no DNAT entries for these two ClusterIPs either.
-A KUBE-SERVICES -d 10.0.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns has no endpoints" -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 10.0.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp has no endpoints" -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 10.0.0.152/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: has no endpoints" -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon May 7 15:06:25 2018
# Generated by iptables-save v1.6.1 on Mon May 7 15:06:25 2018
*nat
# nat table: kube-proxy's ClusterIP -> endpoint DNAT plus outbound SNAT.
# Service (ClusterIP) range seen here is 10.0.0.0/16, pod CIDR is 10.1.0.0/16,
# node/apiserver addresses are 10.0.10.x.
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [19:1321]
:POSTROUTING ACCEPT [11:841]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-CCILLTQCS7S5E74J - [0:0]
:KUBE-SEP-LDZPZH6QQAWGC3G7 - [0:0]
:KUBE-SEP-RQJU6ECEAXEVCCX7 - [0:0]
:KUBE-SEP-SLVSRMP67MEV6CFQ - [0:0]
:KUBE-SEP-XLJSDJ5GAQLXCELM - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-4N57TFCL4MD7ZTDA - [0:0]
:KUBE-SVC-BJM46V3U5RZHCFRZ - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
# Both forwarded (PREROUTING) and locally generated (OUTPUT) traffic is
# matched against the ClusterIP dispatch chain.
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
# Catch-all outbound SNAT: everything not destined to 10.0.0.0/15 (which
# covers both the service range and the pod CIDR), not to 168.63.129.16 and
# not to a local address is masqueraded to the node's IP. 168.63.129.16 is
# the Azure platform ("wireserver") address; presumably this rule was
# installed by the cloud/CNI setup rather than kube-proxy -- confirm.
# Consequence worth noting: pod traffic to 168.63.129.16 is forwarded with
# its pod source address intact.
-A POSTROUTING ! -d 10.0.0.0/15 -m iprange ! --dst-range 168.63.129.16-168.63.129.16 -m addrtype ! --dst-type LOCAL -j MASQUERADE
# Mark chains. 0x8000 is dropped by filter/KUBE-FIREWALL; 0x4000 is
# masqueraded by KUBE-POSTROUTING. Nothing jumps to KUBE-MARK-DROP in this
# snapshot.
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
# KUBE-SEP-*: one chain per Service endpoint. The first rule marks traffic
# whose *source* is the endpoint itself for masquerade (hairpin case); the
# second DNATs to the endpoint. The three default/kubernetes:https endpoints
# (10.0.10.247/248/249:6443, i.e. the API servers) additionally record the
# client source address with `-m recent --set` so later connections from the
# same client can be pinned to the same endpoint (ClientIP session affinity,
# see the --rcheck rules in KUBE-SVC-NPX46M4PTMTKRN6Y).
-A KUBE-SEP-CCILLTQCS7S5E74J -s 10.0.10.248/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-CCILLTQCS7S5E74J -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-CCILLTQCS7S5E74J --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.0.10.248:6443
# kube-system/heapster: ClusterIP 10.0.0.57:80 -> pod 10.1.0.18:8082
-A KUBE-SEP-LDZPZH6QQAWGC3G7 -s 10.1.0.18/32 -m comment --comment "kube-system/heapster:" -j KUBE-MARK-MASQ
-A KUBE-SEP-LDZPZH6QQAWGC3G7 -p tcp -m comment --comment "kube-system/heapster:" -m tcp -j DNAT --to-destination 10.1.0.18:8082
-A KUBE-SEP-RQJU6ECEAXEVCCX7 -s 10.0.10.249/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-RQJU6ECEAXEVCCX7 -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-RQJU6ECEAXEVCCX7 --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.0.10.249:6443
-A KUBE-SEP-SLVSRMP67MEV6CFQ -s 10.0.10.247/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-SLVSRMP67MEV6CFQ -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-SLVSRMP67MEV6CFQ --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.0.10.247:6443
# default/nginx: ClusterIP 10.0.0.68:80 -> pod 10.1.0.91:80
-A KUBE-SEP-XLJSDJ5GAQLXCELM -s 10.1.0.91/32 -m comment --comment "default/nginx:" -j KUBE-MARK-MASQ
-A KUBE-SEP-XLJSDJ5GAQLXCELM -p tcp -m comment --comment "default/nginx:" -m tcp -j DNAT --to-destination 10.1.0.91:80
# KUBE-SERVICES (nat): per ClusterIP, first mark for masquerade any client
# that is NOT in the pod CIDR (host processes and off-cluster sources), so
# the endpoint sees the node address and replies route back correctly; then
# dispatch to the Service's KUBE-SVC-* chain. The no-endpoint services
# (kube-dns 10.0.0.10, dashboard 10.0.0.152) have no DNAT rules here; the
# filter table REJECTs them instead.
-A KUBE-SERVICES ! -s 10.1.0.0/16 -d 10.0.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.0.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES ! -s 10.1.0.0/16 -d 10.0.0.57/32 -p tcp -m comment --comment "kube-system/heapster: cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.0.0.57/32 -p tcp -m comment --comment "kube-system/heapster: cluster IP" -m tcp --dport 80 -j KUBE-SVC-BJM46V3U5RZHCFRZ
-A KUBE-SERVICES ! -s 10.1.0.0/16 -d 10.0.0.68/32 -p tcp -m comment --comment "default/nginx: cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.0.0.68/32 -p tcp -m comment --comment "default/nginx: cluster IP" -m tcp --dport 80 -j KUBE-SVC-4N57TFCL4MD7ZTDA
# NodePort fall-through for traffic addressed to a local IP. KUBE-NODEPORTS
# is empty in this snapshot: no NodePort Services are exposed on this node.
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-4N57TFCL4MD7ZTDA -m comment --comment "default/nginx:" -j KUBE-SEP-XLJSDJ5GAQLXCELM
-A KUBE-SVC-BJM46V3U5RZHCFRZ -m comment --comment "kube-system/heapster:" -j KUBE-SEP-LDZPZH6QQAWGC3G7
# default/kubernetes:https (the API server Service): first honour an existing
# affinity entry for this client seen within the last 10800 s (3 h, --reap
# expires stale entries), otherwise pick an endpoint at random with equal
# weight: 1/3 to the first, 1/2 of the remainder to the second, the rest to
# the third.
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-SLVSRMP67MEV6CFQ --mask 255.255.255.255 --rsource -j KUBE-SEP-SLVSRMP67MEV6CFQ
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-CCILLTQCS7S5E74J --mask 255.255.255.255 --rsource -j KUBE-SEP-CCILLTQCS7S5E74J
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-RQJU6ECEAXEVCCX7 --mask 255.255.255.255 --rsource -j KUBE-SEP-RQJU6ECEAXEVCCX7
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-SLVSRMP67MEV6CFQ
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-CCILLTQCS7S5E74J
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-RQJU6ECEAXEVCCX7
COMMIT
# Completed on Mon May 7 15:06:25 2018
# Generated by iptables-save v1.6.1 on Mon May 7 15:06:25 2018
*security
# security table: only two rules, both about TCP to 168.63.129.16 (the Azure
# platform "wireserver" address). Rule 1 accepts packets owned by uid 0
# (root); rule 2 accepts NEW (and INVALID) connections from anyone.
# NOTE(review): since OUTPUT's policy is ACCEPT and both rules are ACCEPT,
# this table currently restricts nothing. The usual Azure agent pattern pairs
# the root ACCEPT with a DROP for non-root NEW/INVALID connections so that
# only root-owned processes can talk to the wireserver; if that was the
# intent here, rule 2 should read `-j DROP` rather than `-j ACCEPT` -- confirm
# against the agent configuration before changing it. Also note that the
# `-m owner` match only applies to locally generated packets: forwarded
# (pod-originated) traffic to 168.63.129.16 is not covered by this table at
# all (FORWARD has no rules), and the nat table exempts that address from
# MASQUERADE.
:INPUT ACCEPT [7127:4803440]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8458:1405124]
-A OUTPUT -d 168.63.129.16/32 -p tcp -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -d 168.63.129.16/32 -p tcp -m conntrack --ctstate INVALID,NEW -j ACCEPT
COMMIT
# Completed on Mon May 7 15:06:25 2018