K8s Iptables分析

Iptables

iptables 通常就是指 Linux 上的防火墙,主要分为 netfilter 和 iptables 两个组件。netfilter 是内核空间的组件,负责实际的包过滤与 NAT;iptables 是用户空间的命令行工具,提供添加、删除、查询防火墙规则的功能。

k8s 的 service(kube-proxy iptables 模式下)通过 iptables 规则,把发往 ClusterIP:port 的流量转发和路由到后端 pod。

环境准备

# Create the kind cluster used for this iptables walkthrough.
cluster_name=iptables
node_image=kindest/node:v1.23.5
kind create cluster --name "${cluster_name}" --image "${node_image}"

# Install traefik from its Helm chart.
# https://doc.traefik.io/traefik/getting-started/install-traefik/#use-the-helm-chart
helm_repo=traefik
helm_release=traefik
helm repo add "${helm_repo}" https://helm.traefik.io/traefik
helm repo update
helm install "${helm_release}" "${helm_repo}/traefik"
# 集群就绪后的iptables规则
root@iptables-control-plane:/# iptables-save
# Generated by iptables-save v1.8.4 on Wed Sep 28 06:24:53 2022
*mangle
:PREROUTING ACCEPT [1789547:356082101]
:INPUT ACCEPT [1789547:356082101]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1784288:301003801]
:POSTROUTING ACCEPT [1784288:301003801]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
COMMIT
# Completed on Wed Sep 28 06:24:53 2022

# Generated by iptables-save v1.8.4 on Wed Sep 28 06:24:53 2022
*filter
:INPUT ACCEPT [1717:265397]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1722:288167]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SERVICES - [0:0]
-A INPUT -m comment --comment "kubernetes health check service ports" -j KUBE-NODEPORTS
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Sep 28 06:24:53 2022

# Generated by iptables-save v1.8.4 on Wed Sep 28 06:24:53 2022
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [26:1560]
:POSTROUTING ACCEPT [26:1560]
:DOCKER_OUTPUT - [0:0]
:DOCKER_POSTROUTING - [0:0]
:KIND-MASQ-AGENT - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SEP-242VRRB6CJESMF7F - [0:0]
:KUBE-SEP-2KMBOYXVR33SDSC2 - [0:0]
:KUBE-SEP-6E7XQMQ4RAYOWTTM - [0:0]
:KUBE-SEP-OJCTP5LCEHQJ3D72 - [0:0]
:KUBE-SEP-PUHFDAMRBZWCPADU - [0:0]
:KUBE-SEP-SF3LG62VAE5ALYDV - [0:0]
:KUBE-SEP-WXWGHGKZOCNYRYI7 - [0:0]
:KUBE-SEP-ZP3FB6NMPNCO4VBJ - [0:0]
:KUBE-SEP-ZXMNUKOKXUTL2MK2 - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-3CRYVFGPLWYNKULQ - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-QWNV66JT3UNCF3AW - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -d 192.168.31.191/32 -j DOCKER_OUTPUT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -d 192.168.31.191/32 -j DOCKER_OUTPUT
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -d 192.168.31.191/32 -j DOCKER_POSTROUTING
-A POSTROUTING -m addrtype ! --dst-type LOCAL -m comment --comment "kind-masq-agent: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom KIND-MASQ-AGENT chain" -j KIND-MASQ-AGENT
-A DOCKER_OUTPUT -d 192.168.31.191/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.11:42845
-A DOCKER_OUTPUT -d 192.168.31.191/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.11:50410
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p tcp -m tcp --sport 42845 -j SNAT --to-source 192.168.31.191:53
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p udp -m udp --sport 50410 -j SNAT --to-source 192.168.31.191:53
-A KIND-MASQ-AGENT -d 10.244.0.0/16 -m comment --comment "kind-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A KIND-MASQ-AGENT -m comment --comment "kind-masq-agent: outbound traffic is subject to MASQUERADE (must be last in chain)" -j MASQUERADE
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully
-A KUBE-SEP-242VRRB6CJESMF7F -s 10.244.0.5/32 -m comment --comment "default/traefik:web" -j KUBE-MARK-MASQ
-A KUBE-SEP-242VRRB6CJESMF7F -p tcp -m comment --comment "default/traefik:web" -m tcp -j DNAT --to-destination 10.244.0.5:8000
-A KUBE-SEP-2KMBOYXVR33SDSC2 -s 10.244.0.5/32 -m comment --comment "default/traefik:websecure" -j KUBE-MARK-MASQ
-A KUBE-SEP-2KMBOYXVR33SDSC2 -p tcp -m comment --comment "default/traefik:websecure" -m tcp -j DNAT --to-destination 10.244.0.5:8443
-A KUBE-SEP-6E7XQMQ4RAYOWTTM -s 10.244.0.3/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-6E7XQMQ4RAYOWTTM -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.244.0.3:53
-A KUBE-SEP-OJCTP5LCEHQJ3D72 -s 172.18.0.5/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-OJCTP5LCEHQJ3D72 -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 172.18.0.5:6443
-A KUBE-SEP-PUHFDAMRBZWCPADU -s 10.244.0.4/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-PUHFDAMRBZWCPADU -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.244.0.4:9153
-A KUBE-SEP-SF3LG62VAE5ALYDV -s 10.244.0.4/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-SF3LG62VAE5ALYDV -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.244.0.4:53
-A KUBE-SEP-WXWGHGKZOCNYRYI7 -s 10.244.0.4/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-WXWGHGKZOCNYRYI7 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.244.0.4:53
-A KUBE-SEP-ZP3FB6NMPNCO4VBJ -s 10.244.0.3/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-ZP3FB6NMPNCO4VBJ -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.244.0.3:9153
-A KUBE-SEP-ZXMNUKOKXUTL2MK2 -s 10.244.0.3/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-ZXMNUKOKXUTL2MK2 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.244.0.3:53
-A KUBE-SERVICES -d 10.96.237.231/32 -p tcp -m comment --comment "default/traefik:web cluster IP" -m tcp --dport 80 -j KUBE-SVC-3CRYVFGPLWYNKULQ
-A KUBE-SERVICES -d 10.96.237.231/32 -p tcp -m comment --comment "default/traefik:websecure cluster IP" -m tcp --dport 443 -j KUBE-SVC-QWNV66JT3UNCF3AW
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-3CRYVFGPLWYNKULQ ! -s 10.244.0.0/16 -d 10.96.237.231/32 -p tcp -m comment --comment "default/traefik:web cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SVC-3CRYVFGPLWYNKULQ -m comment --comment "default/traefik:web" -j KUBE-SEP-242VRRB6CJESMF7F
-A KUBE-SVC-ERIFXISQEP7F7OF4 ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-ZXMNUKOKXUTL2MK2
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-SF3LG62VAE5ALYDV
-A KUBE-SVC-JD5MR3NA4I4DYORP ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-ZP3FB6NMPNCO4VBJ
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-SEP-PUHFDAMRBZWCPADU
-A KUBE-SVC-NPX46M4PTMTKRN6Y ! -s 10.244.0.0/16 -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-OJCTP5LCEHQJ3D72
-A KUBE-SVC-QWNV66JT3UNCF3AW ! -s 10.244.0.0/16 -d 10.96.237.231/32 -p tcp -m comment --comment "default/traefik:websecure cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SVC-QWNV66JT3UNCF3AW -m comment --comment "default/traefik:websecure" -j KUBE-SEP-2KMBOYXVR33SDSC2
-A KUBE-SVC-TCOU7JCQXEZGVUNU ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-6E7XQMQ4RAYOWTTM
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-WXWGHGKZOCNYRYI7
COMMIT
# Completed on Wed Sep 28 06:24:53 2022

service

有如下的映射关系

clusterIp:port -> podIp:port
10.96.237.231:80 -> 10.244.0.5:8000
# kubectl describe svc traefik
Name: traefik
Namespace: default
Labels: app.kubernetes.io/instance=traefik
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=traefik
helm.sh/chart=traefik-10.25.0
Annotations: meta.helm.sh/release-name: traefik
meta.helm.sh/release-namespace: default
Selector: app.kubernetes.io/instance=traefik,app.kubernetes.io/name=traefik
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.96.237.231
IPs: 10.96.237.231
Port: web 80/TCP
TargetPort: web/TCP
Endpoints: 10.244.0.5:8000
Port: websecure 443/TCP
TargetPort: websecure/TCP
Endpoints: 10.244.0.5:8443
# kubectl get svc traefik -owide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
traefik ClusterIP 10.96.237.231 <none> 80/TCP,443/TCP 3m25s app.kubernetes.io/instance=traefik,app.kubernetes.io/name=traefik

iptables

入网流量

1. nat表

PREROUTING -> KUBE-SERVICES -> KUBE-SVC-3CRYVFGPLWYNKULQ -> KUBE-SEP-242VRRB6CJESMF7F -> DNAT

# PREROUTING
Chain PREROUTING (policy ACCEPT 13 packets, 780 bytes)
pkts bytes target prot opt in out source destination
98 6678 KUBE-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */
6 490 DOCKER_OUTPUT all -- * * 0.0.0.0/0 192.168.31.191
# KUBE-SERVICES
Chain KUBE-SERVICES (2 references)
pkts bytes target prot opt in out source destination
0 0 KUBE-SVC-3CRYVFGPLWYNKULQ tcp -- * * 0.0.0.0/0 10.96.237.231 /* default/traefik:web cluster IP */ tcp dpt:80
0 0 KUBE-SVC-QWNV66JT3UNCF3AW tcp -- * * 0.0.0.0/0 10.96.237.231 /* default/traefik:websecure cluster IP */ tcp dpt:443
0 0 KUBE-SVC-NPX46M4PTMTKRN6Y tcp -- * * 0.0.0.0/0 10.96.0.1 /* default/kubernetes:https cluster IP */ tcp dpt:443
24 2108 KUBE-SVC-TCOU7JCQXEZGVUNU udp -- * * 0.0.0.0/0 10.96.0.10 /* kube-system/kube-dns:dns cluster IP */ udp dpt:53
0 0 KUBE-SVC-ERIFXISQEP7F7OF4 tcp -- * * 0.0.0.0/0 10.96.0.10 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:53
0 0 KUBE-SVC-JD5MR3NA4I4DYORP tcp -- * * 0.0.0.0/0 10.96.0.10 /* kube-system/kube-dns:metrics cluster IP */ tcp dpt:9153
1233 73980 KUBE-NODEPORTS all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL
# KUBE-SVC-3CRYVFGPLWYNKULQ
Chain KUBE-SVC-3CRYVFGPLWYNKULQ (1 references)
pkts bytes target prot opt in out source destination
0 0 KUBE-MARK-MASQ tcp -- * * !10.244.0.0/16 10.96.237.231 /* default/traefik:web cluster IP */ tcp dpt:80
0 0 KUBE-SEP-242VRRB6CJESMF7F all -- * * 0.0.0.0/0 0.0.0.0/0 /* default/traefik:web */
# KUBE-SEP-242VRRB6CJESMF7F
Chain KUBE-SEP-242VRRB6CJESMF7F (1 references)
pkts bytes target prot opt in out source destination
0 0 KUBE-MARK-MASQ all -- * * 10.244.0.5 0.0.0.0/0 /* default/traefik:web */
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* default/traefik:web */ tcp to:10.244.0.5:8000

2. filter表

INPUT -> KUBE-NODEPORTS -> KUBE-EXTERNAL-SERVICES -> KUBE-FIREWALL

# INPUT
Chain INPUT (policy ACCEPT 166K packets, 27M bytes)
pkts bytes target prot opt in out source destination
1954K 383M KUBE-NODEPORTS all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes health check service ports */
17707 1063K KUBE-EXTERNAL-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes externally-visible service portals */
1975K 389M KUBE-FIREWALL all -- * * 0.0.0.0/0 0.0.0.0/0
# KUBE-NODEPORTS
Chain KUBE-NODEPORTS (1 references)
pkts bytes target prot opt in out source destination
# KUBE-EXTERNAL-SERVICES
Chain KUBE-EXTERNAL-SERVICES (2 references)
pkts bytes target prot opt in out source destination
# KUBE-FIREWALL
Chain KUBE-FIREWALL (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
0 0 DROP all -- * * !127.0.0.0/8 127.0.0.0/8 /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

出网流量

1. nat表

OUTPUT -> KUBE-SERVICES

注:这里的出网流量(目的地址不是 ClusterIP,也不是本机地址)不会命中 KUBE-SERVICES 链中的任何规则,因为该链的规则都按 ClusterIP 目的地址匹配,最后一条 KUBE-NODEPORTS 也只匹配 dst-type LOCAL。

# OUTPUT
Chain OUTPUT (policy ACCEPT 3020 packets, 181K bytes)
pkts bytes target prot opt in out source destination
23756 1426K KUBE-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */
48 3294 DOCKER_OUTPUT all -- * * 0.0.0.0/0 192.168.31.191

2. filter表

OUTPUT -> KUBE-SERVICES -> KUBE-FIREWALL

# OUTPUT
Chain OUTPUT (policy ACCEPT 166K packets, 28M bytes)
pkts bytes target prot opt in out source destination
22875 1373K KUBE-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes service portals */
1970K 335M KUBE-FIREWALL all -- * * 0.0.0.0/0 0.0.0.0/0
# KUBE-SERVICES
Chain KUBE-SERVICES (2 references)
pkts bytes target prot opt in out source destination
# KUBE-FIREWALL
Chain KUBE-FIREWALL (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
0 0 DROP all -- * * !127.0.0.0/8 127.0.0.0/8 /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

3. nat表

POSTROUTING -> KUBE-POSTROUTING -> MASQUERADE

# POSTROUTING
Chain POSTROUTING (policy ACCEPT 3038 packets, 183K bytes)
pkts bytes target prot opt in out source destination
23934 1438K KUBE-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes postrouting rules */
0 0 DOCKER_POSTROUTING all -- * * 0.0.0.0/0 192.168.31.191
5518 332K KIND-MASQ-AGENT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type !LOCAL /* kind-masq-agent: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom KIND-MASQ-AGENT chain */
# KUBE-POSTROUTING
Chain KUBE-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
3050 184K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4000/0x4000
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK xor 0x4000
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes service traffic requiring SNAT */ random-fully
# DOCKER_POSTROUTING
Chain DOCKER_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT tcp -- * * 127.0.0.11 0.0.0.0/0 tcp spt:42845 to:192.168.31.191:53
0 0 SNAT udp -- * * 127.0.0.11 0.0.0.0/0 udp spt:50410 to:192.168.31.191:53
# KIND-MASQ-AGENT
Chain KIND-MASQ-AGENT (1 references)
pkts bytes target prot opt in out source destination
5422 326K RETURN all -- * * 0.0.0.0/0 10.244.0.0/16 /* kind-masq-agent: local traffic is not subject to MASQUERADE */
96 6326 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* kind-masq-agent: outbound traffic is subject to MASQUERADE (must be last in chain) */