【Help】 Regarding the communication strategy and working principle between k8s service nodeport and iptables

Environment:
Kubernetes master: 192.168.174.110
Kubernetes work-node-01: 192.168.174.125
Kubernetes work-node-02: 192.168.174.126

Kubernetes version: v1.31.2-1.1
Installation method: kubeadm init
Host OS: Ubuntu 22.04 LTS
CNI and version: calico v3.29.0
CRI and version: containerd://2.0.0

All kube-proxy nodes use the iptables proxy mode.

root@k8s-master-01:/download# kubectl logs kube-proxy-8bsgh -n kube-system
I1126 06:45:53.566881 1 server_linux.go:66] "Using iptables proxy"

I was able to successfully communicate via a web browser on a laptop by accessing http://192.168.174.110:32670.

Additionally, I checked the iptables rules and did not find any related DNAT rules for port 32670. I also ran "netstat -nat|grep 32670" on the Kubernetes master host to check for any listening ports related to 32670, but none were found.

So I don't understand how port 32670 here directs traffic requests to the final pod node. Could you please explain it to me? Thank you.

Complete iptables-save rules:

# Generated by iptables-save v1.8.7 on Wed Nov 27 21:35:28 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:KUBE-IPTABLES-HINT - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-to-host-endpoint - [0:0]
-A PREROUTING -m comment --comment “cali:6gwbT8clXdHdC1b1” -j cali-PREROUTING
-A POSTROUTING -m comment --comment “cali:O3lYWMrLQYEMJtB5” -j cali-POSTROUTING
-A cali-POSTROUTING -m comment --comment “cali:NX-7roTexQ3fGRfU” -j RETURN
-A cali-POSTROUTING -m comment --comment “cali:nnqPh8lh2VOogSzX” -j MARK --set-xmark 0x0/0xf0000
-A cali-POSTROUTING -m comment --comment “cali:nquN8Jw8Tz72pcBW” -m conntrack --ctstate DNAT -j cali-to-host-endpoint
-A cali-POSTROUTING -m comment --comment “cali:jWrgvDQ0xEZHmta3” -m comment --comment “Host endpoint policy accepted packet.” -j RETURN
-A cali-PREROUTING -m comment --comment “cali:6BJqBjBC7crtA-7-” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-PREROUTING -m comment --comment “cali:KX7AGNd6rMcDUai6” -j ACCEPT
-A cali-PREROUTING -m comment --comment “cali:wNH7KsA3ILKJBsY9” -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment “cali:Cg96MgVuoPm7UMRo” -m comment --comment “Host endpoint policy accepted packet.” -j ACCEPT
COMMIT

# Completed on Wed Nov 27 21:35:28 2024
# Generated by iptables-save v1.8.7 on Wed Nov 27 21:35:28 2024
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:cali-OUTPUT - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-rpf-skip - [0:0]
:cali-to-host-endpoint - [0:0]
-A PREROUTING -m comment --comment “cali:6gwbT8clXdHdC1b1” -j cali-PREROUTING
-A OUTPUT -m comment --comment “cali:tVnHkvAo15HuiPy0” -j cali-OUTPUT
-A cali-OUTPUT -m comment --comment “cali:njdnLwYeGqBJyMxW” -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment “cali:rz86uTUcEZAfFsh7” -j cali-to-host-endpoint
-A cali-OUTPUT -p udp -m comment --comment “cali:h6IBQLYf-NmXFeY_” -j NOTRACK
-A cali-OUTPUT -m comment --comment “cali:DoQ7AqyOyqExxSea” -j ACCEPT
-A cali-PREROUTING -m comment --comment “cali:XFX5xbM8B9qR10JG” -j MARK --set-xmark 0x0/0xf0000
-A cali-PREROUTING -p udp -m comment --comment “cali:M7WeklUcDzCqHKI_” -j NOTRACK
-A cali-PREROUTING -i cali+ -m comment --comment “cali:pNzLEcwGOZ4YemC-” -j MARK --set-xmark 0x40000/0x40000
-A cali-PREROUTING -m comment --comment “cali:k5-EypuOGdQbMjmG” -j cali-rpf-skip
-A cali-PREROUTING -m comment --comment “cali:ZRno2gPYKT_N2WJV” -m rpfilter --validmark --invert -j DROP
-A cali-PREROUTING -m comment --comment “cali:oBQn3t8RvFIlNu_v” -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment “cali:lZy_EB5TkNFykbsd” -j ACCEPT
COMMIT

# Completed on Wed Nov 27 21:35:28 2024
# Generated by iptables-save v1.8.7 on Wed Nov 27 21:35:28 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-PROXY-FIREWALL - [0:0]
:KUBE-SERVICES - [0:0]
:cali-FORWARD - [0:0]
:cali-INPUT - [0:0]
:cali-OUTPUT - [0:0]
:cali-cidr-block - [0:0]
:cali-from-hep-forward - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-from-wl-dispatch - [0:0]
:cali-from-wl-dispatch-5 - [0:0]
:cali-from-wl-dispatch-6 - [0:0]
:cali-fw-cali13445dd5604 - [0:0]
:cali-fw-cali510729528f2 - [0:0]
:cali-fw-cali525e6dbd5dd - [0:0]
:cali-fw-cali668201d770b - [0:0]
:cali-fw-cali6f507a886a3 - [0:0]
:cali-fw-calic4e40d41ba9 - [0:0]
:cali-pi-_FDiLImilezd09cpg5ci - [0:0]
:cali-pri-_4yi5_iSUAwsU8zMHTk - [0:0]
:cali-pri-_kJqfZpgUe7r2t4A-14 - [0:0]
:cali-pri-nzzjLvInId1gPHmQz - [0:0]
:cali-pri-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pri-_ymJUz7yzI6NOKJhG2- - [0:0]
:cali-pri-kns.calico-system - [0:0]
:cali-pri-kns.kube-system - [0:0]
:cali-pro-_4yi5_iSUAwsU8zMHTk - [0:0]
:cali-pro-_kJqfZpgUe7r2t4A-14 - [0:0]
:cali-pro-nzzjLvInId1gPHmQz - [0:0]
:cali-pro-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pro-ymJUz7yzI6NOKJhG2- - [0:0]
:cali-pro-kns.calico-system - [0:0]
:cali-pro-kns.kube-system - [0:0]
:cali-to-hep-forward - [0:0]
:cali-to-host-endpoint - [0:0]
:cali-to-wl-dispatch - [0:0]
:cali-to-wl-dispatch-5 - [0:0]
:cali-to-wl-dispatch-6 - [0:0]
:cali-tw-cali13445dd5604 - [0:0]
:cali-tw-cali510729528f2 - [0:0]
:cali-tw-cali525e6dbd5dd - [0:0]
:cali-tw-cali668201d770b - [0:0]
:cali-tw-cali6f507a886a3 - [0:0]
:cali-tw-calic4e40d41ba9 - [0:0]
:cali-wl-to-host - [0:0]
-A INPUT -m comment --comment “cali:Cz_u1IQiXIMmKD4c” -j cali-INPUT
-A INPUT -m conntrack --ctstate NEW -m comment --comment “kubernetes load balancer firewall” -j KUBE-PROXY-FIREWALL
-A INPUT -m comment --comment “kubernetes health check service ports” -j KUBE-NODEPORTS
-A INPUT -m conntrack --ctstate NEW -m comment --comment “kubernetes externally-visible service portals” -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A FORWARD -m comment --comment “cali:wUHhoiAYhphO9Mso” -j cali-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment “kubernetes load balancer firewall” -j KUBE-PROXY-FIREWALL
-A FORWARD -m comment --comment “kubernetes forwarding rules” -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment “kubernetes service portals” -j KUBE-SERVICES
-A FORWARD -m conntrack --ctstate NEW -m comment --comment “kubernetes externally-visible service portals” -j KUBE-EXTERNAL-SERVICES
-A FORWARD -m comment --comment “cali:S93hcgKJrXEqnTfs” -m comment --comment “Policy explicitly accepted packet.” -j ACCEPT
-A FORWARD -m comment --comment “cali:mp77cMpurHhyjLrM” -j MARK --set-xmark 0x10000/0x10000
-A OUTPUT -m comment --comment “cali:tVnHkvAo15HuiPy0” -j cali-OUTPUT
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment “kubernetes load balancer firewall” -j KUBE-PROXY-FIREWALL
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment “kubernetes service portals” -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment “block incoming localnet connections” -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A KUBE-FORWARD -m conntrack --ctstate INVALID -m nfacct --nfacct-name ct_state_invalid_dropped_pkts -j DROP
-A KUBE-FORWARD -m comment --comment “kubernetes forwarding rules” -j ACCEPT
-A KUBE-FORWARD -m comment --comment “kubernetes forwarding conntrack rule” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-FORWARD -m comment --comment “cali:vjrMJCRpqwy5oRoX” -j MARK --set-xmark 0x0/0xe0000
-A cali-FORWARD -m comment --comment “cali:A_sPAO0mcxbT9mOV” -j cali-from-hep-forward
-A cali-FORWARD -i cali+ -m comment --comment “cali:8ZoYfO5HKXWbB3pk” -j cali-from-wl-dispatch
-A cali-FORWARD -o cali+ -m comment --comment “cali:jdEuaPBe14V2hutn” -j cali-to-wl-dispatch
-A cali-FORWARD -m comment --comment “cali:12bc6HljsMKsmfr-” -j cali-to-hep-forward
-A cali-FORWARD -m comment --comment “cali:NOSxoaGx8OIstr1z” -j cali-cidr-block
-A cali-INPUT -p udp -m comment --comment “cali:J76FwxInZIsk7uKY” -m comment --comment “Allow IPv4 VXLAN packets from allowed hosts” -m multiport --dports 4789 -m set --match-set cali40all-vxlan-net src -m addrtype --dst-type LOCAL -j ACCEPT
-A cali-INPUT -p udp -m comment --comment “cali:EDCNTTxYfggApx8C” -m comment --comment “Drop IPv4 VXLAN packets from non-allowed hosts” -m multiport --dports 4789 -m addrtype --dst-type LOCAL -j DROP
-A cali-INPUT -i cali+ -m comment --comment “cali:H03xYXARh4e8pwd4” -g cali-wl-to-host
-A cali-INPUT -m comment --comment “cali:MN6K3isIWBigb1Va” -j ACCEPT
-A cali-INPUT -m comment --comment “cali:OSYphBLwOgic22Hz” -j MARK --set-xmark 0x0/0xf0000
-A cali-INPUT -m comment --comment “cali:rmi2_piRVmfeiwVp” -j cali-from-host-endpoint
-A cali-INPUT -m comment --comment “cali:F7Q8zu44qIbOVben” -m comment --comment “Host endpoint policy accepted packet.” -j ACCEPT
-A cali-OUTPUT -m comment --comment “cali:Mq1_rAdXXH3YkrzW” -j ACCEPT
-A cali-OUTPUT -o cali+ -m comment --comment “cali:69FkRTJDvD5Vu6Vl” -j RETURN
-A cali-OUTPUT -p udp -m comment --comment “cali:-QZG79DohFjalQBb” -m comment --comment “Allow IPv4 VXLAN packets to other allowed hosts” -m multiport --dports 4789 -m addrtype --src-type LOCAL -m set --match-set cali40all-vxlan-net dst -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:iC1pSPgbvgQzkUk" -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment “cali:4Zh7KtRvt4W5AEBR” -m conntrack ! --ctstate DNAT -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment “cali:Y0k-bqjt-5CUqyUq” -m comment --comment “Host endpoint policy accepted packet.” -j ACCEPT
-A cali-from-wl-dispatch -i cali13445dd5604 -m comment --comment “cali:faoxRCREMXMMrfGh” -g cali-fw-cali13445dd5604
-A cali-from-wl-dispatch -i cali5+ -m comment --comment “cali:tER9iUBHNiBFS83P” -g cali-from-wl-dispatch-5
-A cali-from-wl-dispatch -i cali6+ -m comment --comment “cali:gkGCp06_kb-YV6z8” -g cali-from-wl-dispatch-6
-A cali-from-wl-dispatch -i calic4e40d41ba9 -m comment --comment “cali:nt2ClsN30-JNpien” -g cali-fw-calic4e40d41ba9
-A cali-from-wl-dispatch -m comment --comment “cali:NoJ7HenPD-hcY-da” -m comment --comment “Unknown interface” -j DROP
-A cali-from-wl-dispatch-5 -i cali510729528f2 -m comment --comment “cali:uxXT2fAtsrLmsQZS” -g cali-fw-cali510729528f2
-A cali-from-wl-dispatch-5 -i cali525e6dbd5dd -m comment --comment “cali:mkjcCmtXq-4pTeop” -g cali-fw-cali525e6dbd5dd
-A cali-from-wl-dispatch-5 -m comment --comment “cali:8MGVculT2kEPEwsh” -m comment --comment “Unknown interface” -j DROP
-A cali-from-wl-dispatch-6 -i cali668201d770b -m comment --comment “cali:jkTDTCtTilZCgI_t” -g cali-fw-cali668201d770b
-A cali-from-wl-dispatch-6 -i cali6f507a886a3 -m comment --comment “cali:8AvhFIKo6PhPOtoF” -g cali-fw-cali6f507a886a3
-A cali-from-wl-dispatch-6 -m comment --comment “cali:RE5BUJfnXNYp4jht” -m comment --comment “Unknown interface” -j DROP
-A cali-fw-cali13445dd5604 -m comment --comment “cali:PvYHdA3_YqG1j4zT” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali13445dd5604 -m comment --comment “cali:YvEbCCBkMzezINBN” -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali13445dd5604 -m comment --comment “cali:Bje1hp-BzGydOAnX” -j MARK --set-xmark 0x0/0x30000
-A cali-fw-cali13445dd5604 -p udp -m comment --comment “cali:NYRe1fi6vS6rXA0N” -m comment --comment “Drop VXLAN encapped packets originating in workloads” -m multiport --dports 4789 -j DROP
-A cali-fw-cali13445dd5604 -p ipencap -m comment --comment “cali:Bc7KQrRQPX1wH9AH” -m comment --comment “Drop IPinIP encapped packets originating in workloads” -j DROP
-A cali-fw-cali13445dd5604 -m comment --comment “cali:AHnVt1tNHUznwvLB” -j cali-pro-_kJqfZpgUe7r2t4A-14
-A cali-fw-cali13445dd5604 -m comment --comment “cali:nwbUs95shXOYlJCP” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali13445dd5604 -m comment --comment “cali:X4__WNi853m440ty” -j cali-pro-_4yi5_iSUAwsU8zMHTk
-A cali-fw-cali13445dd5604 -m comment --comment “cali:_s7n6xCmhw9iwuGA” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali13445dd5604 -m comment --comment “cali:KQCZNMZ8qpObYiJz” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-fw-cali510729528f2 -m comment --comment “cali:CG5VVJZEs6JaX6HT” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali510729528f2 -m comment --comment “cali:jeJc7Keutfkgx9br” -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali510729528f2 -m comment --comment “cali:KCEpJW95o-xcrFc0” -j MARK --set-xmark 0x0/0x30000
-A cali-fw-cali510729528f2 -p udp -m comment --comment “cali:L6Qtf93ixO5SAMlZ” -m comment --comment “Drop VXLAN encapped packets originating in workloads” -m multiport --dports 4789 -j DROP
-A cali-fw-cali510729528f2 -p ipencap -m comment --comment “cali:il6wlNyEeI4XE4Sd” -m comment --comment “Drop IPinIP encapped packets originating in workloads” -j DROP
-A cali-fw-cali510729528f2 -m comment --comment “cali:PZcbO_TEl4pnvoP9” -j cali-pro-kns.kube-system
-A cali-fw-cali510729528f2 -m comment --comment “cali:-Vy06Nz8TteF63nz” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali510729528f2 -m comment --comment “cali:ldVPC688k56R8pt4” -j cali-pro-_u2Tn2rSoAPffvE7JO6
-A cali-fw-cali510729528f2 -m comment --comment “cali:NRnNgdxbtrOpuPwK” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali510729528f2 -m comment --comment “cali:NyroVoUf1HCSUjm1” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:GLQNEFwQaC1x3JIT” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:9kefquuhsyVs87Du” -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:ZuhmnwWJ1V0d_8l1” -j MARK --set-xmark 0x0/0x30000
-A cali-fw-cali525e6dbd5dd -p udp -m comment --comment “cali:_vP8Ft_5kLliaKY9” -m comment --comment “Drop VXLAN encapped packets originating in workloads” -m multiport --dports 4789 -j DROP
-A cali-fw-cali525e6dbd5dd -p ipencap -m comment --comment “cali:DG0BYCQcmkgmfs9w” -m comment --comment “Drop IPinIP encapped packets originating in workloads” -j DROP
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:S_cTZmUrDobvIm6Z” -j cali-pro-kns.kube-system
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:KywNyftw-w6tLqa-” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:lqyRlWX-Bu5NGrKC” -j cali-pro-_u2Tn2rSoAPffvE7JO6
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:AzHr1Ff6n251BeOw” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:89mkN7YXbZZD_dHT” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-fw-cali668201d770b -m comment --comment “cali:KwMjp_GtiR2_kAEV” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali668201d770b -m comment --comment “cali:2-mrAQ6-ImXA6IQN” -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali668201d770b -m comment --comment “cali:bU85PtwfM8DG_cNb” -j MARK --set-xmark 0x0/0x30000
-A cali-fw-cali668201d770b -p udp -m comment --comment “cali:ZLP9oXBI5b7MnzNL” -m comment --comment “Drop VXLAN encapped packets originating in workloads” -m multiport --dports 4789 -j DROP
-A cali-fw-cali668201d770b -p ipencap -m comment --comment “cali:ATiwiFu1hJhafAsD” -m comment --comment “Drop IPinIP encapped packets originating in workloads” -j DROP
-A cali-fw-cali668201d770b -m comment --comment “cali:xepZWDsJT7CvZ-Xv” -j cali-pro-kns.calico-system
-A cali-fw-cali668201d770b -m comment --comment “cali:8d-rIeg2Depct-DY” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali668201d770b -m comment --comment “cali:VkwRn0npIxp3n7wX” -j cali-pro-nzzjLvInId1gPHmQz
-A cali-fw-cali668201d770b -m comment --comment “cali:ha61oFpT5M7FT5t8” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali668201d770b -m comment --comment “cali:g4Etexh9DhKznqJv” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:bBuK5GtX8D39f_NL” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:Fl4NvlM9rOV4JEih” -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:xQpEEBx8PyjaMCqA” -j MARK --set-xmark 0x0/0x30000
-A cali-fw-cali6f507a886a3 -p udp -m comment --comment “cali:smqgBHX4Ux-95k_G” -m comment --comment “Drop VXLAN encapped packets originating in workloads” -m multiport --dports 4789 -j DROP
-A cali-fw-cali6f507a886a3 -p ipencap -m comment --comment “cali:j6vfqx0pqQ7lyn6x” -m comment --comment “Drop IPinIP encapped packets originating in workloads” -j DROP
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:TvqwYnqVP-aUMVym” -j cali-pro-_kJqfZpgUe7r2t4A-14
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:3nOsVQEkSmLqdc3B” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:_Lac8C_6di7nZxwn” -j cali-pro-_4yi5_iSUAwsU8zMHTk
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:ojlny3nAyExgcyb4” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:5G0NrkK1TZGre-XQ” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:asa5LiJAEKuknYfX” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:Lk_trZ8atK6k4uxI” -m conntrack --ctstate INVALID -j DROP
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:BNrY3l0ouV5u2hpc” -j MARK --set-xmark 0x0/0x30000
-A cali-fw-calic4e40d41ba9 -p udp -m comment --comment “cali:VPxLjL2UMXI72bwZ” -m comment --comment “Drop VXLAN encapped packets originating in workloads” -m multiport --dports 4789 -j DROP
-A cali-fw-calic4e40d41ba9 -p ipencap -m comment --comment “cali:h9CJy7K2DugLV2FY” -m comment --comment “Drop IPinIP encapped packets originating in workloads” -j DROP
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:QKdAZxokWz-0sMuC” -j cali-pro-kns.calico-system
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:qgasXCBBb_w-C1Y8” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:3Zzre6q9wMM2ajyj” -j cali-pro-_ymJUz7yzI6NOKJhG2-
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:jy5-Mn1Adu1pIrBD” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:dt658MOQ9cow9UkM” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-pi-_FDiLImilezd09cpg5ci -p tcp -m comment --comment “cali:wH4Z-YLtazvrkIUi” -m comment --comment “Policy calico-apiserver/knp.default.allow-apiserver ingress” -m multiport --dports 5443 -j MARK --set-xmark 0x10000/0x10000
-A cali-pri-_4yi5_iSUAwsU8zMHTk -m comment --comment “cali:ZYnaZZFwsSjfXO4C” -m comment --comment “Profile ksa.calico-apiserver.calico-apiserver ingress”
-A cali-pri-_kJqfZpgUe7r2t4A-14 -m comment --comment “cali:IQx0SzlDGn6BPv0A” -m comment --comment “Profile kns.calico-apiserver ingress” -j MARK --set-xmark 0x10000/0x10000
-A cali-pri-nzzjLvInId1gPHmQz -m comment --comment “cali:UQoEf2WCdU0bPTCb” -m comment --comment “Profile ksa.calico-system.calico-kube-controllers ingress”
-A cali-pri-_u2Tn2rSoAPffvE7JO6 -m comment --comment “cali:WqgznqAQ-uYV0oBx” -m comment --comment “Profile ksa.kube-system.coredns ingress”
-A cali-pri-_ymJUz7yzI6NOKJhG2- -m comment --comment “cali:52zm9tLYY65R0fSD” -m comment --comment “Profile ksa.calico-system.csi-node-driver ingress”
-A cali-pri-kns.calico-system -m comment --comment “cali:hLANj-OVIyT53h_j” -m comment --comment “Profile kns.calico-system ingress” -j MARK --set-xmark 0x10000/0x10000
-A cali-pri-kns.kube-system -m comment --comment “cali:J1TyxtHWd0qaBGK-” -m comment --comment “Profile kns.kube-system ingress” -j MARK --set-xmark 0x10000/0x10000
-A cali-pro-_4yi5_iSUAwsU8zMHTk -m comment --comment “cali:Pp_dQp2FeNabRhyi” -m comment --comment “Profile ksa.calico-apiserver.calico-apiserver egress”
-A cali-pro-_kJqfZpgUe7r2t4A-14 -m comment --comment “cali:_cFTxC141wwWRzyZ” -m comment --comment “Profile kns.calico-apiserver egress” -j MARK --set-xmark 0x10000/0x10000
-A cali-pro-nzzjLvInId1gPHmQz -m comment --comment “cali:5bHxBXLMkJKgC6dk” -m comment --comment “Profile ksa.calico-system.calico-kube-controllers egress”
-A cali-pro-_u2Tn2rSoAPffvE7JO6 -m comment --comment “cali:0-_UPh39dt5XfhmJ” -m comment --comment “Profile ksa.kube-system.coredns egress”
-A cali-pro-_ymJUz7yzI6NOKJhG2- -m comment --comment “cali:yuJvAdyU1LYltt-O” -m comment --comment “Profile ksa.calico-system.csi-node-driver egress”
-A cali-pro-kns.calico-system -m comment --comment “cali:gWxJzCZXxl31NR0P” -m comment --comment “Profile kns.calico-system egress” -j MARK --set-xmark 0x10000/0x10000
-A cali-pro-kns.kube-system -m comment --comment “cali:tgOR2S8DVHZW3F1M” -m comment --comment “Profile kns.kube-system egress” -j MARK --set-xmark 0x10000/0x10000
-A cali-to-wl-dispatch -o cali13445dd5604 -m comment --comment “cali:NsZOQo1gsjs3-L57” -g cali-tw-cali13445dd5604
-A cali-to-wl-dispatch -o cali5+ -m comment --comment “cali:cPAgdGzgDqyeYtlg” -g cali-to-wl-dispatch-5
-A cali-to-wl-dispatch -o cali6+ -m comment --comment “cali:Y5ouiKAa6SItFHfW” -g cali-to-wl-dispatch-6
-A cali-to-wl-dispatch -o calic4e40d41ba9 -m comment --comment “cali:OzevpBx_WiFBCVxQ” -g cali-tw-calic4e40d41ba9
-A cali-to-wl-dispatch -m comment --comment “cali:_9zJPvOaloeWKtvj” -m comment --comment “Unknown interface” -j DROP
-A cali-to-wl-dispatch-5 -o cali510729528f2 -m comment --comment “cali:SwKnIcBQJELIdPDr” -g cali-tw-cali510729528f2
-A cali-to-wl-dispatch-5 -o cali525e6dbd5dd -m comment --comment “cali:deWYY3MhWo5haKr6” -g cali-tw-cali525e6dbd5dd
-A cali-to-wl-dispatch-5 -m comment --comment “cali:5VJ6zqxahPWwmNez” -m comment --comment “Unknown interface” -j DROP
-A cali-to-wl-dispatch-6 -o cali668201d770b -m comment --comment “cali:BNCmZTTTG4dOI8Xk” -g cali-tw-cali668201d770b
-A cali-to-wl-dispatch-6 -o cali6f507a886a3 -m comment --comment “cali:S5Uw7umDK99et5hm” -g cali-tw-cali6f507a886a3
-A cali-to-wl-dispatch-6 -m comment --comment “cali:l1v-o0DL1jd02YtE” -m comment --comment “Unknown interface” -j DROP
-A cali-tw-cali13445dd5604 -m comment --comment “cali:ZjpotW_tqkOlGPsy” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali13445dd5604 -m comment --comment “cali:VFowy4TFx7pLSbN8” -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali13445dd5604 -m comment --comment “cali:m65ZoYCTC3K09Uw3” -j MARK --set-xmark 0x0/0x30000
-A cali-tw-cali13445dd5604 -m comment --comment “cali:25__tQqG-iO9Xk4D” -m comment --comment “Start of tier default” -j MARK --set-xmark 0x0/0x20000
-A cali-tw-cali13445dd5604 -m comment --comment “cali:5SvCeMGbe6GDCS-I” -j cali-pi-_FDiLImilezd09cpg5ci
-A cali-tw-cali13445dd5604 -m comment --comment “cali:F3Lisyg5V668Eimc” -m comment --comment “Return if policy accepted” -j RETURN
-A cali-tw-cali13445dd5604 -m comment --comment “cali:rfCRZjF1zjKhgBRa” -m comment --comment “Drop if no policies passed packet” -j DROP
-A cali-tw-cali13445dd5604 -m comment --comment “cali:9RY_IQs8eMcN00_2” -j cali-pri-_kJqfZpgUe7r2t4A-14
-A cali-tw-cali13445dd5604 -m comment --comment “cali:4QnWcQdlfE0W4tQk” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali13445dd5604 -m comment --comment “cali:IM3hiO38o5WvX3kt” -j cali-pri-_4yi5_iSUAwsU8zMHTk
-A cali-tw-cali13445dd5604 -m comment --comment “cali:yOwGZqVOvaSbQB3o” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali13445dd5604 -m comment --comment “cali:uuCFVw6IcxjPm-C9” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-tw-cali510729528f2 -m comment --comment “cali:HVUrh3RjL0y0JQ6r” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali510729528f2 -m comment --comment “cali:OLs-ruhEX6I2cwBP” -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali510729528f2 -m comment --comment “cali:cecdu3GKh8YaIH3R” -j MARK --set-xmark 0x0/0x30000
-A cali-tw-cali510729528f2 -m comment --comment “cali:WeLDkwyXUzfpJ1uG” -j cali-pri-kns.kube-system
-A cali-tw-cali510729528f2 -m comment --comment “cali:er5nYmI5ALt2x9kA” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali510729528f2 -m comment --comment “cali:Ab54BJRoFFGPjB6X” -j cali-pri-_u2Tn2rSoAPffvE7JO6
-A cali-tw-cali510729528f2 -m comment --comment “cali:4XG3hE9jNln0gby-” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali510729528f2 -m comment --comment “cali:pbHoqBX70iopsTs8” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:X4FoxBpZn0Qg_MMq” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:tyvILEyYqS59Vx7t” -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:H0mM-kO61aO8kENW” -j MARK --set-xmark 0x0/0x30000
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:BUJpmgaJFaKpaRTm” -j cali-pri-kns.kube-system
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:p_cPnUgyW6Gwyuld” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:zeov2W0DNZnEo1Dl” -j cali-pri-_u2Tn2rSoAPffvE7JO6
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:NW1I2oxdt31lzQpj” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:9lnrAfr7GnJyQqAf” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-tw-cali668201d770b -m comment --comment “cali:6qTUD8tF3KKI7lpo” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali668201d770b -m comment --comment "cali:dRzgMlc-vxvNOib" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali668201d770b -m comment --comment “cali:xdupzLBUu-OqI6nH” -j MARK --set-xmark 0x0/0x30000
-A cali-tw-cali668201d770b -m comment --comment “cali:o4vGYXrOUG0oc6ss” -j cali-pri-kns.calico-system
-A cali-tw-cali668201d770b -m comment --comment “cali:P2QdzNCjDY93iSlU” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali668201d770b -m comment --comment “cali:iLm69qPHcBhQF2t8” -j cali-pri-nzzjLvInId1gPHmQz
-A cali-tw-cali668201d770b -m comment --comment “cali:fHcNYqftYLLwNqnl” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali668201d770b -m comment --comment “cali:KktEeXMH0y1otaBp” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:xL4A4UQ4HCHR6rbZ” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:FbW9_MN5KtBADeqV” -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:40gaxvEIquTcakTV” -j MARK --set-xmark 0x0/0x30000
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:r_hYqF4W20HSkai1” -m comment --comment “Start of tier default” -j MARK --set-xmark 0x0/0x20000
-A cali-tw-cali6f507a886a3 -m comment --comment "cali:-mx-2PAUC-mQzma" -j cali-pi-_FDiLImilezd09cpg5ci
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:T3zh9_QucMdlWkP-” -m comment --comment “Return if policy accepted” -j RETURN
-A cali-tw-cali6f507a886a3 -m comment --comment "cali:zhlwfCIOB4zzqK5" -m comment --comment "Drop if no policies passed packet" -j DROP
-A cali-tw-cali6f507a886a3 -m comment --comment "cali:jOFjOlZ4NiSEnAH" -j cali-pri-_kJqfZpgUe7r2t4A-14
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:IwQqdams4h2zMSuD” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:eexPDdM1Q_3Hl12I” -j cali-pri-_4yi5_iSUAwsU8zMHTk
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:FoPl3lRR7SZd4B7V” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:gAc_Ohwg7VVHFtKE” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:iln_rtntXEBzDh36” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:4pNs7DazlPbFQsc5” -m conntrack --ctstate INVALID -j DROP
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:bk51OjP4aEG_qufz” -j MARK --set-xmark 0x0/0x30000
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:ugnQAR80dC9kc4Sk” -j cali-pri-kns.calico-system
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:q_A5DcMUNTEMqULx” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:jhl8alRPg6VX0boe” -j cali-pri-_ymJUz7yzI6NOKJhG2-
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:P72ADTQ_94Nj83eJ” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:etuzgaTarbsgA9II” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-wl-to-host -m comment --comment “cali:Ee9Sbo10IpVujdIY” -j cali-from-wl-dispatch
-A cali-wl-to-host -m comment --comment “cali:nSZbcOoG1xPONxb8” -m comment --comment “Configured DefaultEndpointToHostAction” -j ACCEPT
COMMIT

# Completed on Wed Nov 27 21:35:28 2024
# Generated by iptables-save v1.8.7 on Wed Nov 27 21:35:28 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:KUBE-EXT-CG5I4G2RS3ZVWGLK - [0:0]
:KUBE-EXT-EDNDUDH2C75GIR6O - [0:0]
:KUBE-EXT-KBK63ZDRC2H2A4NZ - [0:0]
:KUBE-EXT-USSPT3VGI3BECJVH - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SEP-3NBHWQ4X7EMHCZMG - [0:0]
:KUBE-SEP-5O7LL2TTYR3B565K - [0:0]
:KUBE-SEP-5Y2H5KJDVMBVUFUE - [0:0]
:KUBE-SEP-63XWT66BXUCGZMHX - [0:0]
:KUBE-SEP-7ZSOEBX7262XRR45 - [0:0]
:KUBE-SEP-AGWTGSJZ2KVAYSQA - [0:0]
:KUBE-SEP-COARL4UR2NSNLDGO - [0:0]
:KUBE-SEP-E3ZZNUM7W24RHZHF - [0:0]
:KUBE-SEP-EITIJ3MQ7JZ2N5IS - [0:0]
:KUBE-SEP-EQYJQVPP5RAKERV3 - [0:0]
:KUBE-SEP-FWUJK7A6CJC7QTMN - [0:0]
:KUBE-SEP-GNEJUGLT6X5IVBVR - [0:0]
:KUBE-SEP-LZTNY462IKFEUZMW - [0:0]
:KUBE-SEP-PXLNR36ENJNDIJKG - [0:0]
:KUBE-SEP-QSRQYLIAFED5ON5X - [0:0]
:KUBE-SEP-VNNVCEOK3BC5WXSP - [0:0]
:KUBE-SEP-WJWEB5WRXZSYPLN6 - [0:0]
:KUBE-SEP-WXBWGEIKKE3BLWDL - [0:0]
:KUBE-SEP-Z3OJH2DTZFAWKAZ4 - [0:0]
:KUBE-SEP-ZI5O4S2QUBAR5BN2 - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-CG5I4G2RS3ZVWGLK - [0:0]
:KUBE-SVC-EDNDUDH2C75GIR6O - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-EZYNCFY2F7N6OQA2 - [0:0]
:KUBE-SVC-I24EZXP75AX5E7TU - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-KBK63ZDRC2H2A4NZ - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-RK657RLKDNVNU64O - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:KUBE-SVC-USSPT3VGI3BECJVH - [0:0]
:cali-OUTPUT - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-fip-dnat - [0:0]
:cali-fip-snat - [0:0]
:cali-nat-outgoing - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -m comment --comment "cali:0i8pjzKKPyA34aQD" -j cali-POSTROUTING
-A KUBE-EXT-CG5I4G2RS3ZVWGLK -m comment --comment "masquerade traffic for ingress-nginx/ingress-nginx-controller:http external destinations" -j KUBE-MARK-MASQ
-A KUBE-EXT-CG5I4G2RS3ZVWGLK -j KUBE-SVC-CG5I4G2RS3ZVWGLK
-A KUBE-EXT-EDNDUDH2C75GIR6O -m comment --comment "masquerade traffic for ingress-nginx/ingress-nginx-controller:https external destinations" -j KUBE-MARK-MASQ
-A KUBE-EXT-EDNDUDH2C75GIR6O -j KUBE-SVC-EDNDUDH2C75GIR6O
-A KUBE-EXT-KBK63ZDRC2H2A4NZ -m comment --comment "masquerade traffic for test-k8s/test-web-port-01 external destinations" -j KUBE-MARK-MASQ
-A KUBE-EXT-KBK63ZDRC2H2A4NZ -j KUBE-SVC-KBK63ZDRC2H2A4NZ
-A KUBE-EXT-USSPT3VGI3BECJVH -m comment --comment "masquerade traffic for test-k8s/test-web-port external destinations" -j KUBE-MARK-MASQ
-A KUBE-EXT-USSPT3VGI3BECJVH -j KUBE-SVC-USSPT3VGI3BECJVH
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -d 127.0.0.0/8 -p tcp -m comment --comment "test-k8s/test-web-port-01" -m nfacct --nfacct-name localhost_nps_accepted_pkts -j KUBE-EXT-KBK63ZDRC2H2A4NZ
-A KUBE-NODEPORTS -p tcp -m comment --comment "test-k8s/test-web-port-01" -j KUBE-EXT-KBK63ZDRC2H2A4NZ
-A KUBE-NODEPORTS -d 127.0.0.0/8 -p tcp -m comment --comment "test-k8s/test-web-port" -m nfacct --nfacct-name localhost_nps_accepted_pkts -j KUBE-EXT-USSPT3VGI3BECJVH
-A KUBE-NODEPORTS -p tcp -m comment --comment "test-k8s/test-web-port" -j KUBE-EXT-USSPT3VGI3BECJVH
-A KUBE-NODEPORTS -d 127.0.0.0/8 -p tcp -m comment --comment "ingress-nginx/ingress-nginx-controller:http" -m nfacct --nfacct-name localhost_nps_accepted_pkts -j KUBE-EXT-CG5I4G2RS3ZVWGLK
-A KUBE-NODEPORTS -p tcp -m comment --comment "ingress-nginx/ingress-nginx-controller:http" -j KUBE-EXT-CG5I4G2RS3ZVWGLK
-A KUBE-NODEPORTS -d 127.0.0.0/8 -p tcp -m comment --comment "ingress-nginx/ingress-nginx-controller:https" -m nfacct --nfacct-name localhost_nps_accepted_pkts -j KUBE-EXT-EDNDUDH2C75GIR6O
-A KUBE-NODEPORTS -p tcp -m comment --comment "ingress-nginx/ingress-nginx-controller:https" -j KUBE-EXT-EDNDUDH2C75GIR6O
-A KUBE-POSTROUTING -j RETURN
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully
-A KUBE-SEP-3NBHWQ4X7EMHCZMG -s 10.244.151.130/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-3NBHWQ4X7EMHCZMG -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.244.151.130:9153
-A KUBE-SEP-5O7LL2TTYR3B565K -s 192.168.174.125/32 -m comment --comment "calico-system/calico-typha:calico-typha" -j KUBE-MARK-MASQ
-A KUBE-SEP-5O7LL2TTYR3B565K -p tcp -m comment --comment "calico-system/calico-typha:calico-typha" -m tcp -j DNAT --to-destination 192.168.174.125:5473
-A KUBE-SEP-5Y2H5KJDVMBVUFUE -s 10.244.44.245/32 -m comment --comment "ingress-nginx/ingress-nginx-controller-admission:https-webhook" -j KUBE-MARK-MASQ
-A KUBE-SEP-5Y2H5KJDVMBVUFUE -p tcp -m comment --comment "ingress-nginx/ingress-nginx-controller-admission:https-webhook" -m tcp -j DNAT --to-destination 10.244.44.245:8443
-A KUBE-SEP-63XWT66BXUCGZMHX -s 10.244.151.130/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-63XWT66BXUCGZMHX -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.244.151.130:53
-A KUBE-SEP-7ZSOEBX7262XRR45 -s 10.244.154.248/32 -m comment --comment "test-k8s/test-web-port-01" -j KUBE-MARK-MASQ
-A KUBE-SEP-7ZSOEBX7262XRR45 -p tcp -m comment --comment "test-k8s/test-web-port-01" -m tcp -j DNAT --to-destination 10.244.154.248:80
-A KUBE-SEP-AGWTGSJZ2KVAYSQA -s 192.168.174.126/32 -m comment --comment "calico-system/calico-typha:calico-typha" -j KUBE-MARK-MASQ
-A KUBE-SEP-AGWTGSJZ2KVAYSQA -p tcp -m comment --comment "calico-system/calico-typha:calico-typha" -m tcp -j DNAT --to-destination 192.168.174.126:5473
-A KUBE-SEP-COARL4UR2NSNLDGO -s 10.244.44.245/32 -m comment --comment "ingress-nginx/ingress-nginx-controller:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-COARL4UR2NSNLDGO -p tcp -m comment --comment "ingress-nginx/ingress-nginx-controller:http" -m tcp -j DNAT --to-destination 10.244.44.245:80
-A KUBE-SEP-E3ZZNUM7W24RHZHF -s 192.168.174.110/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-E3ZZNUM7W24RHZHF -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 192.168.174.110:6443
-A KUBE-SEP-EITIJ3MQ7JZ2N5IS -s 10.244.151.133/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-EITIJ3MQ7JZ2N5IS -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.244.151.133:9153
-A KUBE-SEP-EQYJQVPP5RAKERV3 -s 10.244.44.248/32 -m comment --comment "test-k8s/test-web-port-01" -j KUBE-MARK-MASQ
-A KUBE-SEP-EQYJQVPP5RAKERV3 -p tcp -m comment --comment "test-k8s/test-web-port-01" -m tcp -j DNAT --to-destination 10.244.44.248:80
-A KUBE-SEP-FWUJK7A6CJC7QTMN -s 10.244.151.132/32 -m comment --comment "calico-apiserver/calico-api:apiserver" -j KUBE-MARK-MASQ
-A KUBE-SEP-FWUJK7A6CJC7QTMN -p tcp -m comment --comment "calico-apiserver/calico-api:apiserver" -m tcp -j DNAT --to-destination 10.244.151.132:5443
-A KUBE-SEP-GNEJUGLT6X5IVBVR -s 10.244.151.130/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-GNEJUGLT6X5IVBVR -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.244.151.130:53
-A KUBE-SEP-LZTNY462IKFEUZMW -s 10.244.151.131/32 -m comment --comment "calico-apiserver/calico-api:apiserver" -j KUBE-MARK-MASQ
-A KUBE-SEP-LZTNY462IKFEUZMW -p tcp -m comment --comment "calico-apiserver/calico-api:apiserver" -m tcp -j DNAT --to-destination 10.244.151.131:5443
-A KUBE-SEP-PXLNR36ENJNDIJKG -s 10.244.44.247/32 -m comment --comment "test-k8s/test-web-port" -j KUBE-MARK-MASQ
-A KUBE-SEP-PXLNR36ENJNDIJKG -p tcp -m comment --comment "test-k8s/test-web-port" -m tcp -j DNAT --to-destination 10.244.44.247:80
-A KUBE-SEP-QSRQYLIAFED5ON5X -s 10.244.151.133/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-QSRQYLIAFED5ON5X -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.244.151.133:53
-A KUBE-SEP-VNNVCEOK3BC5WXSP -s 10.244.154.246/32 -m comment --comment "test-k8s/test-web-port" -j KUBE-MARK-MASQ
-A KUBE-SEP-VNNVCEOK3BC5WXSP -p tcp -m comment --comment "test-k8s/test-web-port" -m tcp -j DNAT --to-destination 10.244.154.246:80
-A KUBE-SEP-WJWEB5WRXZSYPLN6 -s 10.244.151.133/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-WJWEB5WRXZSYPLN6 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.244.151.133:53
-A KUBE-SEP-WXBWGEIKKE3BLWDL -s 10.244.44.245/32 -m comment --comment "ingress-nginx/ingress-nginx-controller:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-WXBWGEIKKE3BLWDL -p tcp -m comment --comment "ingress-nginx/ingress-nginx-controller:https" -m tcp -j DNAT --to-destination 10.244.44.245:443
-A KUBE-SEP-Z3OJH2DTZFAWKAZ4 -s 10.244.154.249/32 -m comment --comment "test-k8s/test-web-port-01" -j KUBE-MARK-MASQ
-A KUBE-SEP-Z3OJH2DTZFAWKAZ4 -p tcp -m comment --comment "test-k8s/test-web-port-01" -m tcp -j DNAT --to-destination 10.244.154.249:80
-A KUBE-SEP-ZI5O4S2QUBAR5BN2 -s 10.244.154.247/32 -m comment --comment "test-k8s/test-web-port" -j KUBE-MARK-MASQ
-A KUBE-SEP-ZI5O4S2QUBAR5BN2 -p tcp -m comment --comment "test-k8s/test-web-port" -m tcp -j DNAT --to-destination 10.244.154.247:80
-A KUBE-SERVICES -d 10.106.245.165/32 -p tcp -m comment --comment "ingress-nginx/ingress-nginx-controller-admission:https-webhook cluster IP" -j KUBE-SVC-EZYNCFY2F7N6OQA2
-A KUBE-SERVICES -d 10.111.120.103/32 -p tcp -m comment --comment "test-k8s/test-web-port-01 cluster IP" -j KUBE-SVC-KBK63ZDRC2H2A4NZ
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES -d 10.106.101.205/32 -p tcp -m comment --comment "calico-system/calico-typha:calico-typha cluster IP" -j KUBE-SVC-RK657RLKDNVNU64O
-A KUBE-SERVICES -d 10.102.84.150/32 -p tcp -m comment --comment "calico-apiserver/calico-api:apiserver cluster IP" -j KUBE-SVC-I24EZXP75AX5E7TU
-A KUBE-SERVICES -d 10.97.87.241/32 -p tcp -m comment --comment "test-k8s/test-web-port cluster IP" -j KUBE-SVC-USSPT3VGI3BECJVH
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.105.17.117/32 -p tcp -m comment --comment "ingress-nginx/ingress-nginx-controller:http cluster IP" -j KUBE-SVC-CG5I4G2RS3ZVWGLK
-A KUBE-SERVICES -d 10.105.17.117/32 -p tcp -m comment --comment "ingress-nginx/ingress-nginx-controller:https cluster IP" -j KUBE-SVC-EDNDUDH2C75GIR6O
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-CG5I4G2RS3ZVWGLK ! -s 10.244.0.0/16 -d 10.105.17.117/32 -p tcp -m comment --comment "ingress-nginx/ingress-nginx-controller:http cluster IP" -j KUBE-MARK-MASQ
-A KUBE-SVC-CG5I4G2RS3ZVWGLK -m comment --comment "ingress-nginx/ingress-nginx-controller:http -> 10.244.44.245:80" -j KUBE-SEP-COARL4UR2NSNLDGO
-A KUBE-SVC-EDNDUDH2C75GIR6O ! -s 10.244.0.0/16 -d 10.105.17.117/32 -p tcp -m comment --comment "ingress-nginx/ingress-nginx-controller:https cluster IP" -j KUBE-MARK-MASQ
-A KUBE-SVC-EDNDUDH2C75GIR6O -m comment --comment "ingress-nginx/ingress-nginx-controller:https -> 10.244.44.245:443" -j KUBE-SEP-WXBWGEIKKE3BLWDL
-A KUBE-SVC-ERIFXISQEP7F7OF4 ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -j KUBE-MARK-MASQ
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp -> 10.244.151.130:53" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-GNEJUGLT6X5IVBVR
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp -> 10.244.151.133:53" -j KUBE-SEP-QSRQYLIAFED5ON5X
-A KUBE-SVC-EZYNCFY2F7N6OQA2 ! -s 10.244.0.0/16 -d 10.106.245.165/32 -p tcp -m comment --comment "ingress-nginx/ingress-nginx-controller-admission:https-webhook cluster IP" -j KUBE-MARK-MASQ
-A KUBE-SVC-EZYNCFY2F7N6OQA2 -m comment --comment "ingress-nginx/ingress-nginx-controller-admission:https-webhook -> 10.244.44.245:8443" -j KUBE-SEP-5Y2H5KJDVMBVUFUE
-A KUBE-SVC-I24EZXP75AX5E7TU ! -s 10.244.0.0/16 -d 10.102.84.150/32 -p tcp -m comment --comment "calico-apiserver/calico-api:apiserver cluster IP" -j KUBE-MARK-MASQ
-A KUBE-SVC-I24EZXP75AX5E7TU -m comment --comment "calico-apiserver/calico-api:apiserver -> 10.244.151.131:5443" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-LZTNY462IKFEUZMW
-A KUBE-SVC-I24EZXP75AX5E7TU -m comment --comment "calico-apiserver/calico-api:apiserver -> 10.244.151.132:5443" -j KUBE-SEP-FWUJK7A6CJC7QTMN
-A KUBE-SVC-JD5MR3NA4I4DYORP ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -j KUBE-MARK-MASQ
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics -> 10.244.151.130:9153" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-3NBHWQ4X7EMHCZMG
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics -> 10.244.151.133:9153" -j KUBE-SEP-EITIJ3MQ7JZ2N5IS
-A KUBE-SVC-KBK63ZDRC2H2A4NZ ! -s 10.244.0.0/16 -d 10.111.120.103/32 -p tcp -m comment --comment "test-k8s/test-web-port-01 cluster IP" -j KUBE-MARK-MASQ
-A KUBE-SVC-KBK63ZDRC2H2A4NZ -m comment --comment "test-k8s/test-web-port-01 -> 10.244.154.248:80" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-7ZSOEBX7262XRR45
-A KUBE-SVC-KBK63ZDRC2H2A4NZ -m comment --comment "test-k8s/test-web-port-01 -> 10.244.154.249:80" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-Z3OJH2DTZFAWKAZ4
-A KUBE-SVC-KBK63ZDRC2H2A4NZ -m comment --comment "test-k8s/test-web-port-01 -> 10.244.44.248:80" -j KUBE-SEP-EQYJQVPP5RAKERV3
-A KUBE-SVC-NPX46M4PTMTKRN6Y ! -s 10.244.0.0/16 -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -j KUBE-MARK-MASQ
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https -> 192.168.174.110:6443" -j KUBE-SEP-E3ZZNUM7W24RHZHF
-A KUBE-SVC-RK657RLKDNVNU64O ! -s 10.244.0.0/16 -d 10.106.101.205/32 -p tcp -m comment --comment "calico-system/calico-typha:calico-typha cluster IP" -j KUBE-MARK-MASQ
-A KUBE-SVC-RK657RLKDNVNU64O -m comment --comment "calico-system/calico-typha:calico-typha -> 192.168.174.125:5473" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5O7LL2TTYR3B565K
-A KUBE-SVC-RK657RLKDNVNU64O -m comment --comment "calico-system/calico-typha:calico-typha -> 192.168.174.126:5473" -j KUBE-SEP-AGWTGSJZ2KVAYSQA
-A KUBE-SVC-TCOU7JCQXEZGVUNU ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -j KUBE-MARK-MASQ
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns -> 10.244.151.130:53" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-63XWT66BXUCGZMHX
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns -> 10.244.151.133:53" -j KUBE-SEP-WJWEB5WRXZSYPLN6
-A KUBE-SVC-USSPT3VGI3BECJVH ! -s 10.244.0.0/16 -d 10.97.87.241/32 -p tcp -m comment --comment "test-k8s/test-web-port cluster IP" -j KUBE-MARK-MASQ
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment "test-k8s/test-web-port -> 10.244.154.246:80" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-VNNVCEOK3BC5WXSP
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment "test-k8s/test-web-port -> 10.244.154.247:80" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-ZI5O4S2QUBAR5BN2
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment "test-k8s/test-web-port -> 10.244.44.247:80" -j KUBE-SEP-PXLNR36ENJNDIJKG
-A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
-A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
-A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
-A cali-POSTROUTING -o vxlan.calico -m comment --comment "cali:e9dnSgSVNmIcpVhP" -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE --random-fully
-A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
-A cali-nat-outgoing -m comment --comment "cali:flqWnvo8yq4ULQLa" -m set --match-set cali40masq-ipam-pools src -m set ! --match-set cali40all-ipam-pools dst -j MASQUERADE --random-fully
COMMIT

# Completed on Wed Nov 27 21:35:28 2024

Look at iptables on the nodes, not the master.

@thockin

Hi, thanks for replying to my message

Environment:
Kubernetes master: 192.168.174.110
Kubernetes work-node-01: 192.168.174.125
Kubernetes work-node-02: 192.168.174.126

NodePort is available on all nodes. Why do you say you need to access worker nodes?
I can access the web page normally at the following addresses
#http://master:32670
#http://work-node-01:32670
#http://work-node-02:32670

I ran this on all the master and worker nodes:
netstat -nat | grep 32670 and iptables-save | grep 32670 do not find any configuration for 32670. I do not know how this 32670 communication works, or how it is converted to the final pod node.

I exported the iptables strategy in the post above, you can refer to it, thanks!

It is in iptables on the nodes that have those IP addresses. I promise.

Source: I wrote the code.

@thockin

Hi, thanks for replying to my message

I looked at the iptables policy again and only found the NAT translation configuration below that is relevant, but I didn't understand, for http://192.168.174.110:32670, how port 32670 is transformed; I don't see a policy for port 32670 in the iptables configuration.

What I don't understand is, for http://192.168.174.110:32670, how port 32670 is processed in that communication and how it is finally forwarded to each Pod node.

I did not find a policy for port 32670 in the iptables configuration on the master and worker nodes

Here are the relevant firewall policies I found
This is the NAT chain of the firewall

iptables-save

-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-NODEPORTS -p tcp -m comment --comment "test-k8s/test-web-port" -j KUBE-EXT-USSPT3VGI3BECJVH
-A KUBE-NODEPORTS -p tcp -m comment --comment "test-k8s/test-web-port-01" -j KUBE-EXT-KBK63ZDRC2H2A4NZ
-A KUBE-EXT-USSPT3VGI3BECJVH -m comment --comment "masquerade traffic for test-k8s/test-web-port external destinations" -j KUBE-MARK-MASQ
-A KUBE-EXT-USSPT3VGI3BECJVH -j KUBE-SVC-USSPT3VGI3BECJVH
-A KUBE-EXT-KBK63ZDRC2H2A4NZ -m comment --comment "masquerade traffic for test-k8s/test-web-port-01 external destinations" -j KUBE-MARK-MASQ
-A KUBE-EXT-KBK63ZDRC2H2A4NZ -j KUBE-SVC-KBK63ZDRC2H2A4NZ
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-SVC-USSPT3VGI3BECJVH ! -s 10.244.0.0/16 -d 10.97.87.241/32 -p tcp -m comment --comment "test-k8s/test-web-port cluster IP" -j KUBE-MARK-MASQ
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment "test-k8s/test-web-port -> 10.244.154.246:80" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-VNNVCEOK3BC5WXSP
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment "test-k8s/test-web-port -> 10.244.154.247:80" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-ZI5O4S2QUBAR5BN2
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment "test-k8s/test-web-port -> 10.244.44.247:80" -j KUBE-SEP-PXLNR36ENJNDIJKG
-A KUBE-SVC-KBK63ZDRC2H2A4NZ ! -s 10.244.0.0/16 -d 10.111.120.103/32 -p tcp -m comment --comment "test-k8s/test-web-port-01 cluster IP" -j KUBE-MARK-MASQ
-A KUBE-SVC-KBK63ZDRC2H2A4NZ -m comment --comment "test-k8s/test-web-port-01 -> 10.244.154.248:80" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-7ZSOEBX7262XRR45
-A KUBE-SVC-KBK63ZDRC2H2A4NZ -m comment --comment "test-k8s/test-web-port-01 -> 10.244.154.249:80" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-Z3OJH2DTZFAWKAZ4
-A KUBE-SVC-KBK63ZDRC2H2A4NZ -m comment --comment "test-k8s/test-web-port-01 -> 10.244.44.248:80" -j KUBE-SEP-EQYJQVPP5RAKERV3
-A KUBE-SEP-VNNVCEOK3BC5WXSP -s 10.244.154.246/32 -m comment --comment "test-k8s/test-web-port" -j KUBE-MARK-MASQ
-A KUBE-SEP-VNNVCEOK3BC5WXSP -p tcp -m comment --comment "test-k8s/test-web-port" -m tcp -j DNAT --to-destination 10.244.154.246:80
-A KUBE-SEP-ZI5O4S2QUBAR5BN2 -s 10.244.154.247/32 -m comment --comment "test-k8s/test-web-port" -j KUBE-MARK-MASQ
-A KUBE-SEP-ZI5O4S2QUBAR5BN2 -p tcp -m comment --comment "test-k8s/test-web-port" -m tcp -j DNAT --to-destination 10.244.154.247:80
-A KUBE-SEP-PXLNR36ENJNDIJKG -s 10.244.44.247/32 -m comment --comment "test-k8s/test-web-port" -j KUBE-MARK-MASQ
-A KUBE-SEP-PXLNR36ENJNDIJKG -p tcp -m comment --comment "test-k8s/test-web-port" -m tcp -j DNAT --to-destination 10.244.44.247:80
-A KUBE-SEP-7ZSOEBX7262XRR45 -s 10.244.154.248/32 -m comment --comment "test-k8s/test-web-port-01" -j KUBE-MARK-MASQ
-A KUBE-SEP-7ZSOEBX7262XRR45 -p tcp -m comment --comment "test-k8s/test-web-port-01" -m tcp -j DNAT --to-destination 10.244.154.248:80
-A KUBE-SEP-Z3OJH2DTZFAWKAZ4 -s 10.244.154.249/32 -m comment --comment "test-k8s/test-web-port-01" -j KUBE-MARK-MASQ
-A KUBE-SEP-Z3OJH2DTZFAWKAZ4 -p tcp -m comment --comment "test-k8s/test-web-port-01" -m tcp -j DNAT --to-destination 10.244.154.249:80
-A KUBE-SEP-EQYJQVPP5RAKERV3 -s 10.244.44.248/32 -m comment --comment "test-k8s/test-web-port-01" -j KUBE-MARK-MASQ
-A KUBE-SEP-EQYJQVPP5RAKERV3 -p tcp -m comment --comment "test-k8s/test-web-port-01" -m tcp -j DNAT --to-destination 10.244.44.248:80

Notice that none of those NODEPORT rules have ports. I think you have incompatible iptables binaries in play – perhaps one in the kube-proxy container and one on the host.

@thockin

Hi, thank you for your reply and help

All master and worker nodes are hosted on Ubuntu 22.04 as the operating system, which ships with iptables v1.8.7.

root@k8s-master-01:/download# iptables -V
iptables v1.8.7 (nf_tables)

kubectl get deployments,pods,service -n kube-system -o wide

I went into the pod/kube-proxy-9mjqv container and found the entry for 32670 in the iptables policy inside the container

kubectl exec -it pod/kube-proxy-9mjqv -n kube-system -- sh

-A KUBE-NODEPORTS -p tcp -m comment --comment "test-k8s/test-web-port" -m tcp --dport 32670 -j KUBE-EXT-USSPT3VGI3BECJVH

Now I have a new question,
When visiting http://master-ip:32670, the request arrives at the master host; how is it forwarded to the pod/kube-proxy-9mjqv container, and then continues to match the iptables rules inside that container?

According to the configuration we discussed earlier, there is no 32670 listener or associated iptables configuration on the master host

I tested on a laptop with a different network segment than the k8s cluster

Unless something here is WILDLY different than anything I have seen before:

Kube-proxy runs in host-net mode. The iptables rules are the same in both contexts, but the command-line tool you are using to read them (iptables-save) has different versions and incompatibility. This is a known issue as iptables has evolved - there's not much that k8s can really do here.

It works inside the pod context because that is the version of the tool that wrote the rules into the kernel. It fails in the node context because that tool is misinterpreting the rules that were written.

@thockin

Hi, thank you for your reply and help

I found an article on the Internet: https://github.com/kubernetes/kubernetes/pull/108496.

In the new version of kube-proxy, the port listening has been removed, so after configuring the nodeport of a service, it is impossible to query it through netstat -nat, right?

This is the situation now: I can't see the nodeport port listening through netstat -nat, but I can access http://master-ip:32670 normally.

What I am wondering is how the request on port 32670 was routed to the pod node when I requested http://master-ip:32670. I matched the iptables policy on the master node and did some analysis

I refer to this iptables flowchart to match the rules

raw(PREROUTING) => mangle(PREROUTING) => nat(PREROUTING)


From the above iptables rules, when requesting http://master-ip:32670, I did not understand how the nodeport-32670 request is distinguished by the iptables rules and how the request on that specified port is dispatched to the specified pod node.

I did not find a firewall policy matching nodeport 32670 in the iptables rule on the master node, so I do not understand how the request on nodeport 32670 is forwarded to the final pod node

PS: Not the kube-proxy container on the master node

When I requested http://master-ip:32670 on one of the test laptops, the request should be received by the master-IP host node first, and should match the iptables rules on the master host node first, right?

Again, there could be a version mismatch in iptables tools, which makes it show the wrong information. If you can’t see a rule that matches the port, but the port works, then that is almost certainly why.

If you look from inside the kube-proxy container, you will find a rule which matches on that port.

That rule will jump to a chain which (eventually) uses probability to jump to an endpoint chain, which will DNAT to the pod IP.

1 Like
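Added example (not code from this thread, and not kube-proxy's own code): the Python model below walks a packet for http://192.168.174.110:32670 through the nat chains just described, using the rules quoted in this thread with the "--dport 32670" match present as it appears inside the kube-proxy container, and it also encodes the earlier tell for mismatched iptables binaries (a per-protocol KUBE-NODEPORTS rule printed without any port match). The laptop address 192.168.1.50, the rule subset in CONTAINER_VIEW and HOST_VIEW, and the NODE_IPS set are constructed for the example; the real kernel evaluates many more rules, and the MASQUERADE that the 0x4000 mark triggers happens later in POSTROUTING, which is not modelled here.

```python
"""Walk a NodePort packet through kube-proxy's nat chains (added example)."""
import ipaddress
import random
import shlex
from types import SimpleNamespace

# Constructed samples assembled from rules quoted in this thread (per-endpoint hairpin MASQ rules
# omitted).  CONTAINER_VIEW is what iptables-save prints inside the kube-proxy pod, with the
# "--dport 32670" match; HOST_VIEW is that chain as the mismatched host binary printed it.
CONTAINER_VIEW = """
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.97.87.241/32 -p tcp -m comment --comment "test-k8s/test-web-port cluster IP" -j KUBE-SVC-USSPT3VGI3BECJVH
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-NODEPORTS -p tcp -m comment --comment "test-k8s/test-web-port" -m tcp --dport 32670 -j KUBE-EXT-USSPT3VGI3BECJVH
-A KUBE-EXT-USSPT3VGI3BECJVH -m comment --comment "masquerade traffic for test-k8s/test-web-port external destinations" -j KUBE-MARK-MASQ
-A KUBE-EXT-USSPT3VGI3BECJVH -j KUBE-SVC-USSPT3VGI3BECJVH
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-SVC-USSPT3VGI3BECJVH ! -s 10.244.0.0/16 -d 10.97.87.241/32 -p tcp -m comment --comment "test-k8s/test-web-port cluster IP" -j KUBE-MARK-MASQ
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment "test-k8s/test-web-port -> 10.244.154.246:80" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-VNNVCEOK3BC5WXSP
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment "test-k8s/test-web-port -> 10.244.154.247:80" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-ZI5O4S2QUBAR5BN2
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment "test-k8s/test-web-port -> 10.244.44.247:80" -j KUBE-SEP-PXLNR36ENJNDIJKG
-A KUBE-SEP-VNNVCEOK3BC5WXSP -p tcp -m comment --comment "test-k8s/test-web-port" -m tcp -j DNAT --to-destination 10.244.154.246:80
-A KUBE-SEP-ZI5O4S2QUBAR5BN2 -p tcp -m comment --comment "test-k8s/test-web-port" -m tcp -j DNAT --to-destination 10.244.154.247:80
-A KUBE-SEP-PXLNR36ENJNDIJKG -p tcp -m comment --comment "test-k8s/test-web-port" -m tcp -j DNAT --to-destination 10.244.44.247:80
"""
HOST_VIEW = """
-A KUBE-NODEPORTS -p tcp -m comment --comment "test-k8s/test-web-port-01" -j KUBE-EXT-KBK63ZDRC2H2A4NZ
-A KUBE-NODEPORTS -p tcp -m comment --comment "test-k8s/test-web-port" -j KUBE-EXT-USSPT3VGI3BECJVH
"""
NODE_IPS = {"192.168.174.110", "192.168.174.125", "192.168.174.126"}  # what "--dst-type LOCAL" means here
# iptables option -> (rule key, converter) for the matches kube-proxy's rules use
OPTS = {"-d": ("dst", ipaddress.ip_network), "-s": ("src", ipaddress.ip_network), "-p": ("proto", str),
        "--dport": ("dport", int), "--probability": ("probability", float),
        "--dst-type": ("dst_local", lambda v: v == "LOCAL"), "--comment": ("comment", str)}

def parse_dump(dump):
    """Parse the iptables-save subset kube-proxy emits into {chain: [rule dict, ...]} in rule order."""
    chains = {}
    for line in dump.strip().splitlines():
        toks = shlex.split(line)  # keeps the quoted --comment text as a single token
        if not toks or toks[0] != "-A":
            continue
        r, i, negated = {}, 2, False
        while i < len(toks):
            t = toks[i]
            if t == "-j":
                r["target"], r["arg"] = toks[i + 1], " ".join(toks[i + 2:])
                break
            if t in OPTS:
                key, conv = OPTS[t]
                r[key] = (conv(toks[i + 1]), negated) if t == "-s" else conv(toks[i + 1])
                i, negated = i + 2, False
            else:  # "!", "-m tcp", "-m statistic --mode random", ...
                negated, i = t == "!", i + 1
        chains.setdefault(toks[1], []).append(r)
    return chains

def nodeport_rules_without_dport(chains):
    """The mismatch tell: a per-protocol KUBE-NODEPORTS rule printed without any port match."""
    return [r["comment"] for r in chains.get("KUBE-NODEPORTS", []) if "proto" in r and "dport" not in r]

def _matches(r, p, rng):
    dst, src = ipaddress.ip_address(p.dst), ipaddress.ip_address(p.src)
    static = (("dst" not in r or dst in r["dst"])
              and ("src" not in r or (src in r["src"][0]) != r["src"][1])  # (network, negated)
              and r.get("proto", p.proto) == p.proto and r.get("dport", p.dport) == p.dport
              and (not r.get("dst_local") or p.dst in NODE_IPS))
    # "-m statistic --mode random --probability P" matches a fraction P of the packets reaching it
    return static and ("probability" not in r or rng.random() < r["probability"])

def walk(chains, chain, p, rng):
    """Traverse one chain top to bottom; True once a terminating target (DNAT) has fired."""
    for r in chains.get(chain, []):
        if not _matches(r, p, rng):
            continue
        p.trace.append(f"{chain}: -j {r['target']} {r['arg']}".rstrip())
        if r["target"] == "DNAT":  # rewrite the destination to the chosen pod
            host, port = r["arg"].split()[-1].rsplit(":", 1)
            p.dst, p.dport = host, int(port)
            return True
        if r["target"] == "MARK":  # --set-xmark value/mask is non-terminating; POSTROUTING reads it
            value, mask = (int(x, 16) for x in r["arg"].split()[-1].split("/"))
            p.mark = (p.mark & ~mask) ^ value
        elif r["target"] == "RETURN":
            return False
        elif walk(chains, r["target"], p, rng):  # jump into a user-defined chain
            return True
    return False

def route_packet(chains, src, dst, dport, seed=0):
    """Feed one TCP SYN into nat PREROUTING and return it after the chains ran."""
    p = SimpleNamespace(src=src, dst=dst, dport=dport, proto="tcp", mark=0, trace=[])
    walk(chains, "PREROUTING", p, random.Random(seed))
    return p

if __name__ == "__main__":
    chains = parse_dump(CONTAINER_VIEW)
    print(*route_packet(chains, "192.168.1.50", "192.168.174.110", 32670).trace, sep="\n")
    print("host view rules missing --dport:", nodeport_rules_without_dport(parse_dump(HOST_VIEW)))
```

The trace printed by the main block is the path thockin describes: PREROUTING jumps to KUBE-SERVICES, whose last rule sends anything addressed to a local IP into KUBE-NODEPORTS; only the rule carrying --dport 32670 matches there and jumps to KUBE-EXT, which sets the 0x4000 masquerade mark and continues into KUBE-SVC; the two statistic rules (probability 1/3, then 1/2 of what is left) together with the unconditional third rule pick one KUBE-SEP chain, whose DNAT rewrites the destination to a pod IP on port 80. Calling route_packet with a few thousand different seeds lands roughly a third of the connections on each pod. A packet to the same node on a port that is not a NodePort (say 22) leaves KUBE-NODEPORTS unmatched and comes out of the nat table unchanged. Run against the HOST_VIEW sample, nodeport_rules_without_dport returns both service names, which is the symptom to look for when comparing the host's iptables-save with the one inside the kube-proxy container.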

@thockin

Hi, thank you for your reply and help

Is there a compatibility list of iptables and k8s related components that can be queried?

I do not have such a list on hand. Dan might - check the sig-network slack or mailing list?

In short - don’t use the host’s iptables to mutate iptables rules which were written by kube-proxy.

thank you for your reply and help