
node ip tables

a guest
Jan 15th, 2021
  1. # Generated by iptables-save v1.6.0 on Fri Jan 15 17:31:19 2021
  # raw table: evaluated before connection tracking. The four rules below
  # exempt DNS traffic (UDP and TCP port 53) addressed to, or sent from,
  # 169.254.20.10 from conntrack (NOTRACK).
  # NOTE(review): 169.254.20.10 is the address conventionally used by
  # NodeLocal DNSCache; presumably that is the listener here - confirm.
  # Untracked packets never match "--ctstate NEW/ESTABLISHED" rules; the
  # filter table in this dump has stateless ACCEPT rules for the same
  # address and ports.
  2. *raw
  3. :PREROUTING ACCEPT [270:30339]
  4. :OUTPUT ACCEPT [253:43767]
  5. -A PREROUTING -d 169.254.20.10/32 -p udp -m udp --dport 53 -j NOTRACK
  6. -A PREROUTING -d 169.254.20.10/32 -p tcp -m tcp --dport 53 -j NOTRACK
  7. -A OUTPUT -s 169.254.20.10/32 -p udp -m udp --sport 53 -j NOTRACK
  8. -A OUTPUT -s 169.254.20.10/32 -p tcp -m tcp --sport 53 -j NOTRACK
  9. COMMIT
  10. # Completed on Fri Jan 15 17:31:19 2021
  11. # Generated by iptables-save v1.6.0 on Fri Jan 15 17:31:19 2021
  # nat table: chain declarations. The four built-in chains have policy
  # ACCEPT; the bracketed values are [packets:bytes] counters. Chains declared
  # with "-" are user-defined: DOCKER, and the KUBE-* chains whose naming
  # matches kube-proxy's iptables mode.
  # In the rules of this table each KUBE-SVC-* chain is the target of one
  # service port and each KUBE-SEP-* chain DNATs to one endpoint address:port.
  # KUBE-MARK-DROP is declared and given a rule, but no rule in this dump
  # jumps to it.
  12. *nat
  13. :PREROUTING ACCEPT [0:0]
  14. :INPUT ACCEPT [0:0]
  15. :OUTPUT ACCEPT [39:2340]
  16. :POSTROUTING ACCEPT [29:1740]
  17. :DOCKER - [0:0]
  18. :KUBE-MARK-DROP - [0:0]
  19. :KUBE-MARK-MASQ - [0:0]
  20. :KUBE-NODEPORTS - [0:0]
  21. :KUBE-POSTROUTING - [0:0]
  22. :KUBE-SEP-2HA5TZC4IRJHZTCK - [0:0]
  23. :KUBE-SEP-422ARSXEMT65DMO3 - [0:0]
  24. :KUBE-SEP-7LER77DVHYCXPSW7 - [0:0]
  25. :KUBE-SEP-AFCCFOKTEURLEF4M - [0:0]
  26. :KUBE-SEP-ALQTRHCKDRO63XYJ - [0:0]
  27. :KUBE-SEP-AXYSTSVUFD26FOJT - [0:0]
  28. :KUBE-SEP-BJBTFEPEVIQ5DWH7 - [0:0]
  29. :KUBE-SEP-E26B7IBY35UOOL5X - [0:0]
  30. :KUBE-SEP-E5AJ7SMD4N6IABHF - [0:0]
  31. :KUBE-SEP-ENBFHXAAZ3V67RLH - [0:0]
  32. :KUBE-SEP-ESSITLOJZJMNLUID - [0:0]
  33. :KUBE-SEP-GXHHKOPUDMXRKSXD - [0:0]
  34. :KUBE-SEP-I6T2TXN3D36S6GQI - [0:0]
  35. :KUBE-SEP-J4YWKECJNT5JIGX4 - [0:0]
  36. :KUBE-SEP-L7UULNY5HKKVVJNM - [0:0]
  37. :KUBE-SEP-LAHH7QPLEAC4IYW6 - [0:0]
  38. :KUBE-SEP-ONANHDFYT3LJDUUS - [0:0]
  39. :KUBE-SEP-QAMAEZD76Z4XHHC3 - [0:0]
  40. :KUBE-SEP-RQQBQZBLXJLIS4XR - [0:0]
  41. :KUBE-SEP-T5JK32PCSUGR3PRV - [0:0]
  42. :KUBE-SEP-TV3U67EFPF6RYKGW - [0:0]
  43. :KUBE-SEP-UNHMTT7BF3FQAUBW - [0:0]
  44. :KUBE-SEP-WGFTNBDV6SMMGVGC - [0:0]
  45. :KUBE-SEP-ZYPAAOI74HAROTEV - [0:0]
  46. :KUBE-SERVICES - [0:0]
  47. :KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
  48. :KUBE-SVC-GRVIJZ6QHJZF73YT - [0:0]
  49. :KUBE-SVC-IFO32E4YIRUTZPGJ - [0:0]
  50. :KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
  51. :KUBE-SVC-JV6T3AKDQP7UY5J7 - [0:0]
  52. :KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
  53. :KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
  54. :KUBE-SVC-U7X4VZNLLMJVC6JR - [0:0]
  # nat hooks: every packet entering PREROUTING or OUTPUT is first sent through
  # KUBE-SERVICES; traffic addressed to a local address then goes to DOCKER
  # (for OUTPUT, loopback destinations 127.0.0.0/8 are excluded).
  55. -A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
  56. -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
  57. -A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
  58. -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
  # Source NAT on the way out: Kubernetes-marked packets (KUBE-POSTROUTING),
  # Docker bridge traffic from 172.17.0.0/16 leaving through any interface
  # other than docker0, and any traffic to a non-local destination outside
  # 100.64.0.0/10. That /10 contains both the service addresses and the
  # 100.96.0.0/11 range used in the KUBE-SERVICES rules of this dump.
  59. -A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
  60. -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
  61. -A POSTROUTING ! -d 100.64.0.0/10 -m comment --comment "kubenet: SNAT for outbound traffic from cluster" -m addrtype ! --dst-type LOCAL -j MASQUERADE
  # The DOCKER chain only returns for packets arriving on docker0; it holds no
  # DNAT rule, so this dump shows no port forwarded to a Docker container.
  62. -A DOCKER -i docker0 -j RETURN
  # Packet marks: bit 0x8000 is matched by the DROP rule in the filter table's
  # KUBE-FIREWALL chain; bit 0x4000 is matched by the MASQUERADE rule in
  # KUBE-POSTROUTING below and by an ACCEPT rule in the filter table's
  # KUBE-FORWARD chain.
  63. -A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
  64. -A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
  # NodePorts: TCP 30393 (http) and TCP 30674 (https) of
  # ingress-nginx-ext/ingress-nginx-ext. KUBE-NODEPORTS is reached from
  # KUBE-SERVICES for any destination address local to this node, and these
  # rules carry no source-address match. Each packet is marked 0x4000 before
  # the jump to its KUBE-SVC-* chain, so it is masqueraded on the way to the
  # endpoint: the backend sees a node address as the source, not the client's.
  # NOTE(review): restricting who may reach 30393/30674 has to happen outside
  # this ruleset (nothing in the filter table of this dump limits them) - confirm
  # against the perimeter or cloud firewall.
  65. -A KUBE-NODEPORTS -p tcp -m comment --comment "ingress-nginx-ext/ingress-nginx-ext:http" -m tcp --dport 30393 -j KUBE-MARK-MASQ
  66. -A KUBE-NODEPORTS -p tcp -m comment --comment "ingress-nginx-ext/ingress-nginx-ext:http" -m tcp --dport 30393 -j KUBE-SVC-U7X4VZNLLMJVC6JR
  67. -A KUBE-NODEPORTS -p tcp -m comment --comment "ingress-nginx-ext/ingress-nginx-ext:https" -m tcp --dport 30674 -j KUBE-MARK-MASQ
  68. -A KUBE-NODEPORTS -p tcp -m comment --comment "ingress-nginx-ext/ingress-nginx-ext:https" -m tcp --dport 30674 -j KUBE-SVC-JV6T3AKDQP7UY5J7
  69. -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
  # KUBE-SEP-* chains: one chain per service endpoint, two rules each.
  #   1. If the packet's source is the endpoint's own address, mark it 0x4000
  #      so it is masqueraded (the case of an endpoint reaching itself through
  #      the service).
  #   2. DNAT the packet to the endpoint address:port.
  # The two chains for port 9090 (KUBE-SEP-AFCCFOKTEURLEF4M and
  # KUBE-SEP-ONANHDFYT3LJDUUS) also record the packet's source address in a
  # "recent" list named after the chain; KUBE-SVC-IFO32E4YIRUTZPGJ checks
  # those lists.
  # Most endpoints are 100.96.3.x addresses; the three 172.20.x.x:443
  # endpoints are the ones used by KUBE-SVC-NPX46M4PTMTKRN6Y
  # (default/kubernetes:https).
  70. -A KUBE-SEP-2HA5TZC4IRJHZTCK -s 100.96.3.8/32 -j KUBE-MARK-MASQ
  71. -A KUBE-SEP-2HA5TZC4IRJHZTCK -p tcp -m tcp -j DNAT --to-destination 100.96.3.8:80
  72. -A KUBE-SEP-422ARSXEMT65DMO3 -s 100.96.3.5/32 -j KUBE-MARK-MASQ
  73. -A KUBE-SEP-422ARSXEMT65DMO3 -p tcp -m tcp -j DNAT --to-destination 100.96.3.5:80
  74. -A KUBE-SEP-7LER77DVHYCXPSW7 -s 100.96.3.11/32 -j KUBE-MARK-MASQ
  75. -A KUBE-SEP-7LER77DVHYCXPSW7 -p tcp -m tcp -j DNAT --to-destination 100.96.3.11:80
  76. -A KUBE-SEP-AFCCFOKTEURLEF4M -s 100.96.3.4/32 -j KUBE-MARK-MASQ
  77. -A KUBE-SEP-AFCCFOKTEURLEF4M -p tcp -m recent --set --name KUBE-SEP-AFCCFOKTEURLEF4M --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 100.96.3.4:9090
  78. -A KUBE-SEP-ALQTRHCKDRO63XYJ -s 100.96.3.10/32 -j KUBE-MARK-MASQ
  79. -A KUBE-SEP-ALQTRHCKDRO63XYJ -p tcp -m tcp -j DNAT --to-destination 100.96.3.10:80
  80. -A KUBE-SEP-AXYSTSVUFD26FOJT -s 100.96.3.10/32 -j KUBE-MARK-MASQ
  81. -A KUBE-SEP-AXYSTSVUFD26FOJT -p tcp -m tcp -j DNAT --to-destination 100.96.3.10:80
  82. -A KUBE-SEP-BJBTFEPEVIQ5DWH7 -s 100.96.3.14/32 -j KUBE-MARK-MASQ
  83. -A KUBE-SEP-BJBTFEPEVIQ5DWH7 -p tcp -m tcp -j DNAT --to-destination 100.96.3.14:53
  84. -A KUBE-SEP-E26B7IBY35UOOL5X -s 100.96.3.14/32 -j KUBE-MARK-MASQ
  85. -A KUBE-SEP-E26B7IBY35UOOL5X -p tcp -m tcp -j DNAT --to-destination 100.96.3.14:10054
  86. -A KUBE-SEP-E5AJ7SMD4N6IABHF -s 100.96.3.13/32 -j KUBE-MARK-MASQ
  87. -A KUBE-SEP-E5AJ7SMD4N6IABHF -p udp -m udp -j DNAT --to-destination 100.96.3.13:53
  88. -A KUBE-SEP-ENBFHXAAZ3V67RLH -s 172.20.48.195/32 -j KUBE-MARK-MASQ
  89. -A KUBE-SEP-ENBFHXAAZ3V67RLH -p tcp -m tcp -j DNAT --to-destination 172.20.48.195:443
  90. -A KUBE-SEP-ESSITLOJZJMNLUID -s 100.96.3.7/32 -j KUBE-MARK-MASQ
  91. -A KUBE-SEP-ESSITLOJZJMNLUID -p tcp -m tcp -j DNAT --to-destination 100.96.3.7:6443
  92. -A KUBE-SEP-GXHHKOPUDMXRKSXD -s 100.96.3.5/32 -j KUBE-MARK-MASQ
  93. -A KUBE-SEP-GXHHKOPUDMXRKSXD -p tcp -m tcp -j DNAT --to-destination 100.96.3.5:80
  94. -A KUBE-SEP-I6T2TXN3D36S6GQI -s 100.96.3.8/32 -j KUBE-MARK-MASQ
  95. -A KUBE-SEP-I6T2TXN3D36S6GQI -p tcp -m tcp -j DNAT --to-destination 100.96.3.8:80
  96. -A KUBE-SEP-J4YWKECJNT5JIGX4 -s 100.96.3.13/32 -j KUBE-MARK-MASQ
  97. -A KUBE-SEP-J4YWKECJNT5JIGX4 -p tcp -m tcp -j DNAT --to-destination 100.96.3.13:10054
  98. -A KUBE-SEP-L7UULNY5HKKVVJNM -s 100.96.3.11/32 -j KUBE-MARK-MASQ
  99. -A KUBE-SEP-L7UULNY5HKKVVJNM -p tcp -m tcp -j DNAT --to-destination 100.96.3.11:80
  100. -A KUBE-SEP-LAHH7QPLEAC4IYW6 -s 100.96.3.2/32 -j KUBE-MARK-MASQ
  101. -A KUBE-SEP-LAHH7QPLEAC4IYW6 -p tcp -m tcp -j DNAT --to-destination 100.96.3.2:80
  102. -A KUBE-SEP-ONANHDFYT3LJDUUS -s 100.96.3.9/32 -j KUBE-MARK-MASQ
  103. -A KUBE-SEP-ONANHDFYT3LJDUUS -p tcp -m recent --set --name KUBE-SEP-ONANHDFYT3LJDUUS --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 100.96.3.9:9090
  104. -A KUBE-SEP-QAMAEZD76Z4XHHC3 -s 100.96.3.2/32 -j KUBE-MARK-MASQ
  105. -A KUBE-SEP-QAMAEZD76Z4XHHC3 -p tcp -m tcp -j DNAT --to-destination 100.96.3.2:80
  106. -A KUBE-SEP-RQQBQZBLXJLIS4XR -s 100.96.3.3/32 -j KUBE-MARK-MASQ
  107. -A KUBE-SEP-RQQBQZBLXJLIS4XR -p tcp -m tcp -j DNAT --to-destination 100.96.3.3:80
  108. -A KUBE-SEP-T5JK32PCSUGR3PRV -s 172.20.118.103/32 -j KUBE-MARK-MASQ
  109. -A KUBE-SEP-T5JK32PCSUGR3PRV -p tcp -m tcp -j DNAT --to-destination 172.20.118.103:443
  110. -A KUBE-SEP-TV3U67EFPF6RYKGW -s 100.96.3.14/32 -j KUBE-MARK-MASQ
  111. -A KUBE-SEP-TV3U67EFPF6RYKGW -p udp -m udp -j DNAT --to-destination 100.96.3.14:53
  112. -A KUBE-SEP-UNHMTT7BF3FQAUBW -s 172.20.84.163/32 -j KUBE-MARK-MASQ
  113. -A KUBE-SEP-UNHMTT7BF3FQAUBW -p tcp -m tcp -j DNAT --to-destination 172.20.84.163:443
  114. -A KUBE-SEP-WGFTNBDV6SMMGVGC -s 100.96.3.3/32 -j KUBE-MARK-MASQ
  115. -A KUBE-SEP-WGFTNBDV6SMMGVGC -p tcp -m tcp -j DNAT --to-destination 100.96.3.3:80
  116. -A KUBE-SEP-ZYPAAOI74HAROTEV -s 100.96.3.13/32 -j KUBE-MARK-MASQ
  117. -A KUBE-SEP-ZYPAAOI74HAROTEV -p tcp -m tcp -j DNAT --to-destination 100.96.3.13:53
  # KUBE-SERVICES (nat): one pair of rules per service port, matched on the
  # service's cluster IP, protocol and port.
  #   - First rule of a pair: if the source is outside 100.96.0.0/11, mark the
  #     packet 0x4000 so it is masqueraded.
  #     NOTE(review): 100.96.0.0/11 is presumably the cluster's pod CIDR -
  #     confirm against the kube-proxy configuration.
  #   - Second rule: jump to the service's KUBE-SVC-* chain, which picks an
  #     endpoint.
  # The rule comments name the services: kube-dns (TCP/UDP 53 and metrics
  # 10054), prometheus-k8s:web (9090), prometheus-adapter:https (443),
  # default/kubernetes:https (443) and ingress-nginx-ext (80 and 443).
  118. -A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.64.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
  119. -A KUBE-SERVICES -d 100.64.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
  120. -A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.64.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 10054 -j KUBE-MARK-MASQ
  121. -A KUBE-SERVICES -d 100.64.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 10054 -j KUBE-SVC-JD5MR3NA4I4DYORP
  122. -A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.71.5.156/32 -p tcp -m comment --comment "monitoring/prometheus-k8s:web cluster IP" -m tcp --dport 9090 -j KUBE-MARK-MASQ
  123. -A KUBE-SERVICES -d 100.71.5.156/32 -p tcp -m comment --comment "monitoring/prometheus-k8s:web cluster IP" -m tcp --dport 9090 -j KUBE-SVC-IFO32E4YIRUTZPGJ
  124. -A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.67.11.39/32 -p tcp -m comment --comment "monitoring/prometheus-adapter:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
  125. -A KUBE-SERVICES -d 100.67.11.39/32 -p tcp -m comment --comment "monitoring/prometheus-adapter:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-GRVIJZ6QHJZF73YT
  126. -A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.64.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
  127. -A KUBE-SERVICES -d 100.64.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
  128. -A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.64.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
  129. -A KUBE-SERVICES -d 100.64.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
  130. -A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.66.141.150/32 -p tcp -m comment --comment "ingress-nginx-ext/ingress-nginx-ext:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
  131. -A KUBE-SERVICES -d 100.66.141.150/32 -p tcp -m comment --comment "ingress-nginx-ext/ingress-nginx-ext:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-U7X4VZNLLMJVC6JR
  132. -A KUBE-SERVICES ! -s 100.96.0.0/11 -d 100.66.141.150/32 -p tcp -m comment --comment "ingress-nginx-ext/ingress-nginx-ext:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
  133. -A KUBE-SERVICES -d 100.66.141.150/32 -p tcp -m comment --comment "ingress-nginx-ext/ingress-nginx-ext:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-JV6T3AKDQP7UY5J7
  # Catch-all, evaluated only after every cluster-IP rule above: anything
  # addressed to a local address of the node is checked against KUBE-NODEPORTS.
  134. -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
  # KUBE-SVC-* chains: endpoint selection for one service port. Rules are tried
  # in order; each "statistic --mode random" rule matches with the given
  # probability and the last rule is unconditional. With n endpoints the values
  # are about 1/n, 1/(n-1), ..., 1/2, so every endpoint gets an equal share
  # (e.g. 0.16667, 0.2, 0.25, 0.33333, 0.5, then the fall-through for six).
  135. -A KUBE-SVC-ERIFXISQEP7F7OF4 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-ZYPAAOI74HAROTEV
  136. -A KUBE-SVC-ERIFXISQEP7F7OF4 -j KUBE-SEP-BJBTFEPEVIQ5DWH7
  137. -A KUBE-SVC-GRVIJZ6QHJZF73YT -j KUBE-SEP-ESSITLOJZJMNLUID
  # prometheus-k8s:web uses source-address affinity: a source address recorded
  # by one of the two endpoint chains within the last 10800 seconds (3 hours)
  # is sent back to that same endpoint; "--reap" discards older entries.
  # Sources with no current entry fall through to the random split.
  138. -A KUBE-SVC-IFO32E4YIRUTZPGJ -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-AFCCFOKTEURLEF4M --mask 255.255.255.255 --rsource -j KUBE-SEP-AFCCFOKTEURLEF4M
  139. -A KUBE-SVC-IFO32E4YIRUTZPGJ -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-ONANHDFYT3LJDUUS --mask 255.255.255.255 --rsource -j KUBE-SEP-ONANHDFYT3LJDUUS
  140. -A KUBE-SVC-IFO32E4YIRUTZPGJ -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-AFCCFOKTEURLEF4M
  141. -A KUBE-SVC-IFO32E4YIRUTZPGJ -j KUBE-SEP-ONANHDFYT3LJDUUS
  142. -A KUBE-SVC-JD5MR3NA4I4DYORP -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-J4YWKECJNT5JIGX4
  143. -A KUBE-SVC-JD5MR3NA4I4DYORP -j KUBE-SEP-E26B7IBY35UOOL5X
  # NOTE(review): KUBE-SVC-JV6T3AKDQP7UY5J7 is the chain for
  # ingress-nginx-ext:https (cluster port 443, NodePort 30674), yet all six of
  # its KUBE-SEP-* chains DNAT to port 80 on the pods, the same pod port the
  # :http chain KUBE-SVC-U7X4VZNLLMJVC6JR uses. Presumably TLS is terminated
  # before traffic reaches the node (for example at an external load
  # balancer) - confirm, and check that the hop to the pods is meant to be
  # served from the plain-HTTP port.
  144. -A KUBE-SVC-JV6T3AKDQP7UY5J7 -m statistic --mode random --probability 0.16667000018 -j KUBE-SEP-ALQTRHCKDRO63XYJ
  145. -A KUBE-SVC-JV6T3AKDQP7UY5J7 -m statistic --mode random --probability 0.20000000019 -j KUBE-SEP-7LER77DVHYCXPSW7
  146. -A KUBE-SVC-JV6T3AKDQP7UY5J7 -m statistic --mode random --probability 0.25000000000 -j KUBE-SEP-QAMAEZD76Z4XHHC3
  147. -A KUBE-SVC-JV6T3AKDQP7UY5J7 -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-WGFTNBDV6SMMGVGC
  148. -A KUBE-SVC-JV6T3AKDQP7UY5J7 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-GXHHKOPUDMXRKSXD
  149. -A KUBE-SVC-JV6T3AKDQP7UY5J7 -j KUBE-SEP-I6T2TXN3D36S6GQI
  # default/kubernetes:https: three endpoints, all 172.20.x.x:443.
  150. -A KUBE-SVC-NPX46M4PTMTKRN6Y -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-T5JK32PCSUGR3PRV
  151. -A KUBE-SVC-NPX46M4PTMTKRN6Y -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-ENBFHXAAZ3V67RLH
  152. -A KUBE-SVC-NPX46M4PTMTKRN6Y -j KUBE-SEP-UNHMTT7BF3FQAUBW
  153. -A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-E5AJ7SMD4N6IABHF
  154. -A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-TV3U67EFPF6RYKGW
  155. -A KUBE-SVC-U7X4VZNLLMJVC6JR -m statistic --mode random --probability 0.16667000018 -j KUBE-SEP-AXYSTSVUFD26FOJT
  156. -A KUBE-SVC-U7X4VZNLLMJVC6JR -m statistic --mode random --probability 0.20000000019 -j KUBE-SEP-L7UULNY5HKKVVJNM
  157. -A KUBE-SVC-U7X4VZNLLMJVC6JR -m statistic --mode random --probability 0.25000000000 -j KUBE-SEP-LAHH7QPLEAC4IYW6
  158. -A KUBE-SVC-U7X4VZNLLMJVC6JR -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-RQQBQZBLXJLIS4XR
  159. -A KUBE-SVC-U7X4VZNLLMJVC6JR -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-422ARSXEMT65DMO3
  160. -A KUBE-SVC-U7X4VZNLLMJVC6JR -j KUBE-SEP-2HA5TZC4IRJHZTCK
  161. COMMIT
  162. # Completed on Fri Jan 15 17:31:19 2021
  163. # Generated by iptables-save v1.6.0 on Fri Jan 15 17:31:19 2021
  # filter table: the packet-filtering decisions for this node.
  # Default policies: INPUT ACCEPT, FORWARD DROP, OUTPUT ACCEPT.
  # DOCKER and KUBE-EXTERNAL-SERVICES are declared and jumped to but hold no
  # rules in this dump.
  164. *filter
  165. :INPUT ACCEPT [729:93366]
  166. :FORWARD DROP [0:0]
  167. :OUTPUT ACCEPT [704:116687]
  168. :DOCKER - [0:0]
  169. :DOCKER-ISOLATION-STAGE-1 - [0:0]
  170. :DOCKER-ISOLATION-STAGE-2 - [0:0]
  171. :DOCKER-USER - [0:0]
  172. :KUBE-EXTERNAL-SERVICES - [0:0]
  173. :KUBE-FIREWALL - [0:0]
  174. :KUBE-FORWARD - [0:0]
  175. :KUBE-SERVICES - [0:0]
  # INPUT: stateless ACCEPT for DNS to 169.254.20.10 (that traffic is NOTRACKed
  # in the raw table), then the Kubernetes chains.
  # NOTE(review): with policy ACCEPT and no restricting rule, everything
  # addressed to the node itself is accepted unless it carries mark 0x8000
  # (KUBE-FIREWALL) or hits the REJECT in KUBE-SERVICES. Host-level exposure
  # (SSH, kubelet, NodePorts) therefore depends on controls outside this
  # ruleset - confirm what those are.
  176. -A INPUT -d 169.254.20.10/32 -p udp -m udp --dport 53 -j ACCEPT
  177. -A INPUT -d 169.254.20.10/32 -p tcp -m tcp --dport 53 -j ACCEPT
  178. -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
  179. -A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
  180. -A INPUT -j KUBE-FIREWALL
  # FORWARD: Kubernetes chains first, then Docker's chains and bridge rules.
  181. -A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
  182. -A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
  183. -A FORWARD -j DOCKER-USER
  184. -A FORWARD -j DOCKER-ISOLATION-STAGE-1
  185. -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  186. -A FORWARD -o docker0 -j DOCKER
  187. -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
  188. -A FORWARD -i docker0 -o docker0 -j ACCEPT
  # NOTE(review): the next three rules accept every forwarded TCP, UDP and ICMP
  # packet that reaches them, with no interface, address or state match. The
  # FORWARD DROP policy therefore only applies to other protocols, and this
  # table does not separate pods from each other or from outside sources.
  # If such separation is expected it has to come from elsewhere (for example
  # NetworkPolicy enforcement or rules in DOCKER-USER, which only RETURNs
  # here) - confirm.
  189. -A FORWARD -p tcp -j ACCEPT
  190. -A FORWARD -p udp -j ACCEPT
  191. -A FORWARD -p icmp -j ACCEPT
  # OUTPUT: stateless ACCEPT for DNS replies from 169.254.20.10, then the
  # Kubernetes chains.
  192. -A OUTPUT -s 169.254.20.10/32 -p udp -m udp --sport 53 -j ACCEPT
  193. -A OUTPUT -s 169.254.20.10/32 -p tcp -m tcp --sport 53 -j ACCEPT
  194. -A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
  195. -A OUTPUT -j KUBE-FIREWALL
  # Docker isolation chains: packets entering on docker0 and leaving on another
  # interface go to STAGE-2, which drops them only if they leave on docker0.
  # DOCKER-USER contains nothing but RETURN.
  196. -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
  197. -A DOCKER-ISOLATION-STAGE-1 -j RETURN
  198. -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
  199. -A DOCKER-ISOLATION-STAGE-2 -j RETURN
  200. -A DOCKER-USER -j RETURN
  # KUBE-FIREWALL drops packets carrying mark bit 0x8000. The nat table's
  # KUBE-MARK-DROP chain sets that bit, but no rule in this dump jumps to it.
  201. -A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
  # KUBE-FORWARD: drop conntrack-INVALID packets, accept packets marked 0x4000,
  # and accept established/related traffic from or to 100.96.0.0/11.
  202. -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
  203. -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
  204. -A KUBE-FORWARD -s 100.96.0.0/11 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  205. -A KUBE-FORWARD -d 100.96.0.0/11 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # KUBE-SERVICES (filter): monitoring/grafana:http has no endpoints, so new
  # connections to 100.69.245.97:3000 are rejected with ICMP port-unreachable
  # instead of being DNATed.
  206. -A KUBE-SERVICES -d 100.69.245.97/32 -p tcp -m comment --comment "monitoring/grafana:http has no endpoints" -m tcp --dport 3000 -j REJECT --reject-with icmp-port-unreachable
  207. COMMIT
  208. # Completed on Fri Jan 15 17:31:19 2021