Name: docker-registry | |
Labels: docker-registry=default | |
Selector: docker-registry=default | |
IP: 172.30.17.85 | |
Port: <unnamed> 5000/TCP | |
Endpoints: 10.1.0.2:5000 | |
Session Affinity: None | |
No events. |
I stopped all the services running on the node (master, sdn-master, sdn-node, node), restarted iptables, and then restarted master, sdn-master and sdn-node (which brings node back up).
Here are the resulting iptables rules (note that the KUBE-PORTALS-CONTAINER and KUBE-PORTALS-HOST chains are created but contain no rules, unlike the earlier dump below):
# Generated by iptables-save v1.4.21 on Sun Apr 26 17:17:08 2015 | |
*nat | |
:PREROUTING ACCEPT [4:329] | |
:INPUT ACCEPT [3:189] | |
:OUTPUT ACCEPT [19:1229] | |
:POSTROUTING ACCEPT [19:1229] | |
:DOCKER - [0:0] | |
:KUBE-PORTALS-CONTAINER - [0:0] | |
:KUBE-PORTALS-HOST - [0:0] | |
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER | |
-A PREROUTING -j KUBE-PORTALS-CONTAINER | |
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER | |
-A OUTPUT -j KUBE-PORTALS-HOST | |
-A POSTROUTING -s 10.1.0.0/24 ! -o lbr0 -j MASQUERADE | |
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -j MASQUERADE | |
-A POSTROUTING -s 10.1.0.3/32 -d 10.1.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE | |
-A POSTROUTING -s 10.1.0.3/32 -d 10.1.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE | |
-A DOCKER ! -i lbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.0.3:80 | |
-A DOCKER ! -i lbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.0.3:443 | |
COMMIT | |
# Completed on Sun Apr 26 17:17:08 2015 | |
# Generated by iptables-save v1.4.21 on Sun Apr 26 17:17:08 2015 | |
*filter | |
:INPUT ACCEPT [0:0] | |
:FORWARD ACCEPT [0:0] | |
:OUTPUT ACCEPT [1473:448345] | |
:DOCKER - [0:0] | |
:OS_FIREWALL_ALLOW - [0:0] | |
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT | |
-A INPUT -i lbr0 -m comment --comment "traffic from docker" -j ACCEPT | |
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
-A INPUT -p icmp -j ACCEPT | |
-A INPUT -i lo -j ACCEPT | |
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
-A INPUT -j OS_FIREWALL_ALLOW | |
-A INPUT -j REJECT --reject-with icmp-host-prohibited | |
-A FORWARD -o lbr0 -j DOCKER | |
-A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
-A FORWARD -i lbr0 ! -o lbr0 -j ACCEPT | |
-A FORWARD -i lbr0 -o lbr0 -j ACCEPT | |
-A FORWARD -j REJECT --reject-with icmp-host-prohibited | |
-A DOCKER -d 10.1.0.3/32 ! -i lbr0 -o lbr0 -p tcp -m tcp --dport 80 -j ACCEPT | |
-A DOCKER -d 10.1.0.3/32 ! -i lbr0 -o lbr0 -p tcp -m tcp --dport 443 -j ACCEPT | |
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 4001 -j ACCEPT | |
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT | |
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10250 -j ACCEPT | |
COMMIT | |
# Completed on Sun Apr 26 17:17:08 2015 |
# Generated by iptables-save v1.4.21 on Sun Apr 26 17:14:07 2015 | |
*nat | |
:PREROUTING ACCEPT [15:1807] | |
:INPUT ACCEPT [7:447] | |
:OUTPUT ACCEPT [242:15338] | |
:POSTROUTING ACCEPT [242:15338] | |
:DOCKER - [0:0] | |
:KUBE-PORTALS-CONTAINER - [0:0] | |
:KUBE-PORTALS-HOST - [0:0] | |
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER | |
-A PREROUTING -j KUBE-PORTALS-CONTAINER | |
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER | |
-A OUTPUT -j KUBE-PORTALS-HOST | |
-A POSTROUTING -s 10.1.0.0/24 ! -o lbr0 -j MASQUERADE | |
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -j MASQUERADE | |
-A POSTROUTING -s 10.1.0.4/32 -d 10.1.0.4/32 -p tcp -m tcp --dport 443 -j MASQUERADE | |
-A POSTROUTING -s 10.1.0.4/32 -d 10.1.0.4/32 -p tcp -m tcp --dport 80 -j MASQUERADE | |
-A DOCKER ! -i lbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.0.4:443 | |
-A DOCKER ! -i lbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.0.4:80 | |
-A KUBE-PORTALS-CONTAINER -d 172.30.17.2/32 -p tcp -m comment --comment "default/kubernetes:" -m tcp --dport 443 -j REDIRECT --to-ports 51291 | |
-A KUBE-PORTALS-CONTAINER -d 172.30.17.1/32 -p tcp -m comment --comment "default/kubernetes-ro:" -m tcp --dport 80 -j REDIRECT --to-ports 52252 | |
-A KUBE-PORTALS-CONTAINER -d 172.30.17.109/32 -p tcp -m comment --comment "default/router:" -m tcp --dport 80 -j REDIRECT --to-ports 58492 | |
-A KUBE-PORTALS-CONTAINER -d 172.30.17.85/32 -p tcp -m comment --comment "default/docker-registry:" -m tcp --dport 5000 -j REDIRECT --to-ports 46151 | |
-A KUBE-PORTALS-HOST -d 172.30.17.2/32 -p tcp -m comment --comment "default/kubernetes:" -m tcp --dport 443 -j DNAT --to-destination 192.168.133.2:51291 | |
-A KUBE-PORTALS-HOST -d 172.30.17.1/32 -p tcp -m comment --comment "default/kubernetes-ro:" -m tcp --dport 80 -j DNAT --to-destination 192.168.133.2:52252 | |
-A KUBE-PORTALS-HOST -d 172.30.17.109/32 -p tcp -m comment --comment "default/router:" -m tcp --dport 80 -j DNAT --to-destination 192.168.133.2:58492 | |
-A KUBE-PORTALS-HOST -d 172.30.17.85/32 -p tcp -m comment --comment "default/docker-registry:" -m tcp --dport 5000 -j DNAT --to-destination 192.168.133.2:46151 | |
COMMIT | |
# Completed on Sun Apr 26 17:14:07 2015 | |
# Generated by iptables-save v1.4.21 on Sun Apr 26 17:14:07 2015 | |
*filter | |
:INPUT ACCEPT [0:0] | |
:FORWARD ACCEPT [0:0] | |
:OUTPUT ACCEPT [38801:15909757] | |
:DOCKER - [0:0] | |
:OS_FIREWALL_ALLOW - [0:0] | |
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT | |
-A INPUT -i lbr0 -m comment --comment "traffic from docker" -j ACCEPT | |
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
-A INPUT -p icmp -j ACCEPT | |
-A INPUT -i lo -j ACCEPT | |
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
-A INPUT -j OS_FIREWALL_ALLOW | |
-A INPUT -j REJECT --reject-with icmp-host-prohibited | |
-A FORWARD -o lbr0 -j DOCKER | |
-A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
-A FORWARD -i lbr0 ! -o lbr0 -j ACCEPT | |
-A FORWARD -i lbr0 -o lbr0 -j ACCEPT | |
-A FORWARD -j REJECT --reject-with icmp-host-prohibited | |
-A DOCKER -d 10.1.0.4/32 ! -i lbr0 -o lbr0 -p tcp -m tcp --dport 443 -j ACCEPT | |
-A DOCKER -d 10.1.0.4/32 ! -i lbr0 -o lbr0 -p tcp -m tcp --dport 80 -j ACCEPT | |
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 4001 -j ACCEPT | |
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT | |
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10250 -j ACCEPT | |
COMMIT | |
# Completed on Sun Apr 26 17:14:07 2015 |
[root@ose3-master ~]# osc get service | |
NAME LABELS SELECTOR IP PORT(S) | |
docker-registry docker-registry=default docker-registry=default 172.30.17.85 5000/TCP | |
kubernetes component=apiserver,provider=kubernetes <none> 172.30.17.2 443/TCP | |
kubernetes-ro component=apiserver,provider=kubernetes <none> 172.30.17.1 80/TCP | |
router router=router router=router 172.30.17.109 80/TCP |