【求助】关于k8s service nodeport与iptables通讯策略及工作原理问题

环境:
k8s master: 192.168.174.110
k8s work-node-01: 192.168.174.125
k8s work-node-02: 192.168.174/126

Kubernetes version: v1.31.2-1.1
Installation method: kubeadm init
Host OS: Ubuntu 22.04 LTS
CNI and version: calico v3.29.0
CRI and version: containerd://2.0.0

所有kube-proxy节点使用的是iptables proxy模式
root@k8s-master-01:/download# kubectl logs kube-proxy-8bsgh -n kube-system
I1126 06:45:53.566881 1 server_linux.go:66] "Using iptables proxy"

我在一台笔记本上通过浏览器访问http://192.168.174.110:32670是可以正常通讯成功的。

另外我看了iptables规则,也没有发现有关32670相关的DNAT规则,并且我在k8s master宿主机上通过netstat -nat|grep 32670也没有发现相关监听的端口

所以我不清楚这里的32670端口是怎么把流量请求到最终的pod节点上的?请大神帮我解释下,感谢


iptables规则

# Generated by iptables-save v1.8.7 on Wed Nov 27 21:35:28 2024

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:KUBE-IPTABLES-HINT - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-to-host-endpoint - [0:0]
-A PREROUTING -m comment --comment “cali:6gwbT8clXdHdC1b1” -j cali-PREROUTING
-A POSTROUTING -m comment --comment “cali:O3lYWMrLQYEMJtB5” -j cali-POSTROUTING
-A cali-POSTROUTING -m comment --comment “cali:NX-7roTexQ3fGRfU” -j RETURN
-A cali-POSTROUTING -m comment --comment “cali:nnqPh8lh2VOogSzX” -j MARK --set-xmark 0x0/0xf0000
-A cali-POSTROUTING -m comment --comment “cali:nquN8Jw8Tz72pcBW” -m conntrack --ctstate DNAT -j cali-to-host-endpoint
-A cali-POSTROUTING -m comment --comment “cali:jWrgvDQ0xEZHmta3” -m comment --comment “Host endpoint policy accepted packet.” -j RETURN
-A cali-PREROUTING -m comment --comment “cali:6BJqBjBC7crtA-7-” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-PREROUTING -m comment --comment “cali:KX7AGNd6rMcDUai6” -j ACCEPT
-A cali-PREROUTING -m comment --comment “cali:wNH7KsA3ILKJBsY9” -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment “cali:Cg96MgVuoPm7UMRo” -m comment --comment “Host endpoint policy accepted packet.” -j ACCEPT
COMMIT

# Completed on Wed Nov 27 21:35:28 2024

# Generated by iptables-save v1.8.7 on Wed Nov 27 21:35:28 2024

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:cali-OUTPUT - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-rpf-skip - [0:0]
:cali-to-host-endpoint - [0:0]
-A PREROUTING -m comment --comment “cali:6gwbT8clXdHdC1b1” -j cali-PREROUTING
-A OUTPUT -m comment --comment “cali:tVnHkvAo15HuiPy0” -j cali-OUTPUT
-A cali-OUTPUT -m comment --comment “cali:njdnLwYeGqBJyMxW” -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment “cali:rz86uTUcEZAfFsh7” -j cali-to-host-endpoint
-A cali-OUTPUT -p udp -m comment --comment “cali:h6IBQLYf-NmXFeY_” -j NOTRACK
-A cali-OUTPUT -m comment --comment “cali:DoQ7AqyOyqExxSea” -j ACCEPT
-A cali-PREROUTING -m comment --comment “cali:XFX5xbM8B9qR10JG” -j MARK --set-xmark 0x0/0xf0000
-A cali-PREROUTING -p udp -m comment --comment “cali:M7WeklUcDzCqHKI_” -j NOTRACK
-A cali-PREROUTING -i cali+ -m comment --comment “cali:pNzLEcwGOZ4YemC-” -j MARK --set-xmark 0x40000/0x40000
-A cali-PREROUTING -m comment --comment “cali:k5-EypuOGdQbMjmG” -j cali-rpf-skip
-A cali-PREROUTING -m comment --comment “cali:ZRno2gPYKT_N2WJV” -m rpfilter --validmark --invert -j DROP
-A cali-PREROUTING -m comment --comment “cali:oBQn3t8RvFIlNu_v” -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment “cali:lZy_EB5TkNFykbsd” -j ACCEPT
COMMIT

# Completed on Wed Nov 27 21:35:28 2024

# Generated by iptables-save v1.8.7 on Wed Nov 27 21:35:28 2024

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-PROXY-FIREWALL - [0:0]
:KUBE-SERVICES - [0:0]
:cali-FORWARD - [0:0]
:cali-INPUT - [0:0]
:cali-OUTPUT - [0:0]
:cali-cidr-block - [0:0]
:cali-from-hep-forward - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-from-wl-dispatch - [0:0]
:cali-from-wl-dispatch-5 - [0:0]
:cali-from-wl-dispatch-6 - [0:0]
:cali-fw-cali13445dd5604 - [0:0]
:cali-fw-cali510729528f2 - [0:0]
:cali-fw-cali525e6dbd5dd - [0:0]
:cali-fw-cali668201d770b - [0:0]
:cali-fw-cali6f507a886a3 - [0:0]
:cali-fw-calic4e40d41ba9 - [0:0]
:cali-pi-_FDiLImilezd09cpg5ci - [0:0]
:cali-pri-_4yi5_iSUAwsU8zMHTk - [0:0]
:cali-pri-_kJqfZpgUe7r2t4A-14 - [0:0]
:cali-pri-nzzjLvInId1gPHmQz - [0:0]
:cali-pri-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pri-_ymJUz7yzI6NOKJhG2- - [0:0]
:cali-pri-kns.calico-system - [0:0]
:cali-pri-kns.kube-system - [0:0]
:cali-pro-_4yi5_iSUAwsU8zMHTk - [0:0]
:cali-pro-_kJqfZpgUe7r2t4A-14 - [0:0]
:cali-pro-nzzjLvInId1gPHmQz - [0:0]
:cali-pro-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pro-ymJUz7yzI6NOKJhG2- - [0:0]
:cali-pro-kns.calico-system - [0:0]
:cali-pro-kns.kube-system - [0:0]
:cali-to-hep-forward - [0:0]
:cali-to-host-endpoint - [0:0]
:cali-to-wl-dispatch - [0:0]
:cali-to-wl-dispatch-5 - [0:0]
:cali-to-wl-dispatch-6 - [0:0]
:cali-tw-cali13445dd5604 - [0:0]
:cali-tw-cali510729528f2 - [0:0]
:cali-tw-cali525e6dbd5dd - [0:0]
:cali-tw-cali668201d770b - [0:0]
:cali-tw-cali6f507a886a3 - [0:0]
:cali-tw-calic4e40d41ba9 - [0:0]
:cali-wl-to-host - [0:0]
-A INPUT -m comment --comment “cali:Cz_u1IQiXIMmKD4c” -j cali-INPUT
-A INPUT -m conntrack --ctstate NEW -m comment --comment “kubernetes load balancer firewall” -j KUBE-PROXY-FIREWALL
-A INPUT -m comment --comment “kubernetes health check service ports” -j KUBE-NODEPORTS
-A INPUT -m conntrack --ctstate NEW -m comment --comment “kubernetes externally-visible service portals” -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A FORWARD -m comment --comment “cali:wUHhoiAYhphO9Mso” -j cali-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment “kubernetes load balancer firewall” -j KUBE-PROXY-FIREWALL
-A FORWARD -m comment --comment “kubernetes forwarding rules” -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment “kubernetes service portals” -j KUBE-SERVICES
-A FORWARD -m conntrack --ctstate NEW -m comment --comment “kubernetes externally-visible service portals” -j KUBE-EXTERNAL-SERVICES
-A FORWARD -m comment --comment “cali:S93hcgKJrXEqnTfs” -m comment --comment “Policy explicitly accepted packet.” -j ACCEPT
-A FORWARD -m comment --comment “cali:mp77cMpurHhyjLrM” -j MARK --set-xmark 0x10000/0x10000
-A OUTPUT -m comment --comment “cali:tVnHkvAo15HuiPy0” -j cali-OUTPUT
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment “kubernetes load balancer firewall” -j KUBE-PROXY-FIREWALL
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment “kubernetes service portals” -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment “block incoming localnet connections” -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A KUBE-FORWARD -m conntrack --ctstate INVALID -m nfacct --nfacct-name ct_state_invalid_dropped_pkts -j DROP
-A KUBE-FORWARD -m comment --comment “kubernetes forwarding rules” -j ACCEPT
-A KUBE-FORWARD -m comment --comment “kubernetes forwarding conntrack rule” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-FORWARD -m comment --comment “cali:vjrMJCRpqwy5oRoX” -j MARK --set-xmark 0x0/0xe0000
-A cali-FORWARD -m comment --comment “cali:A_sPAO0mcxbT9mOV” -j cali-from-hep-forward
-A cali-FORWARD -i cali+ -m comment --comment “cali:8ZoYfO5HKXWbB3pk” -j cali-from-wl-dispatch
-A cali-FORWARD -o cali+ -m comment --comment “cali:jdEuaPBe14V2hutn” -j cali-to-wl-dispatch
-A cali-FORWARD -m comment --comment “cali:12bc6HljsMKsmfr-” -j cali-to-hep-forward
-A cali-FORWARD -m comment --comment “cali:NOSxoaGx8OIstr1z” -j cali-cidr-block
-A cali-INPUT -p udp -m comment --comment “cali:J76FwxInZIsk7uKY” -m comment --comment “Allow IPv4 VXLAN packets from allowed hosts” -m multiport --dports 4789 -m set --match-set cali40all-vxlan-net src -m addrtype --dst-type LOCAL -j ACCEPT
-A cali-INPUT -p udp -m comment --comment “cali:EDCNTTxYfggApx8C” -m comment --comment “Drop IPv4 VXLAN packets from non-allowed hosts” -m multiport --dports 4789 -m addrtype --dst-type LOCAL -j DROP
-A cali-INPUT -i cali+ -m comment --comment “cali:H03xYXARh4e8pwd4” -g cali-wl-to-host
-A cali-INPUT -m comment --comment “cali:MN6K3isIWBigb1Va” -j ACCEPT
-A cali-INPUT -m comment --comment “cali:OSYphBLwOgic22Hz” -j MARK --set-xmark 0x0/0xf0000
-A cali-INPUT -m comment --comment “cali:rmi2_piRVmfeiwVp” -j cali-from-host-endpoint
-A cali-INPUT -m comment --comment “cali:F7Q8zu44qIbOVben” -m comment --comment “Host endpoint policy accepted packet.” -j ACCEPT
-A cali-OUTPUT -m comment --comment “cali:Mq1_rAdXXH3YkrzW” -j ACCEPT
-A cali-OUTPUT -o cali+ -m comment --comment “cali:69FkRTJDvD5Vu6Vl” -j RETURN
-A cali-OUTPUT -p udp -m comment --comment “cali:-QZG79DohFjalQBb” -m comment --comment “Allow IPv4 VXLAN packets to other allowed hosts” -m multiport --dports 4789 -m addrtype --src-type LOCAL -m set --match-set cali40all-vxlan-net dst -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:iC1pSPgbvgQzkUk" -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment “cali:4Zh7KtRvt4W5AEBR” -m conntrack ! --ctstate DNAT -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment “cali:Y0k-bqjt-5CUqyUq” -m comment --comment “Host endpoint policy accepted packet.” -j ACCEPT
-A cali-from-wl-dispatch -i cali13445dd5604 -m comment --comment “cali:faoxRCREMXMMrfGh” -g cali-fw-cali13445dd5604
-A cali-from-wl-dispatch -i cali5+ -m comment --comment “cali:tER9iUBHNiBFS83P” -g cali-from-wl-dispatch-5
-A cali-from-wl-dispatch -i cali6+ -m comment --comment “cali:gkGCp06_kb-YV6z8” -g cali-from-wl-dispatch-6
-A cali-from-wl-dispatch -i calic4e40d41ba9 -m comment --comment “cali:nt2ClsN30-JNpien” -g cali-fw-calic4e40d41ba9
-A cali-from-wl-dispatch -m comment --comment “cali:NoJ7HenPD-hcY-da” -m comment --comment “Unknown interface” -j DROP
-A cali-from-wl-dispatch-5 -i cali510729528f2 -m comment --comment “cali:uxXT2fAtsrLmsQZS” -g cali-fw-cali510729528f2
-A cali-from-wl-dispatch-5 -i cali525e6dbd5dd -m comment --comment “cali:mkjcCmtXq-4pTeop” -g cali-fw-cali525e6dbd5dd
-A cali-from-wl-dispatch-5 -m comment --comment “cali:8MGVculT2kEPEwsh” -m comment --comment “Unknown interface” -j DROP
-A cali-from-wl-dispatch-6 -i cali668201d770b -m comment --comment “cali:jkTDTCtTilZCgI_t” -g cali-fw-cali668201d770b
-A cali-from-wl-dispatch-6 -i cali6f507a886a3 -m comment --comment “cali:8AvhFIKo6PhPOtoF” -g cali-fw-cali6f507a886a3
-A cali-from-wl-dispatch-6 -m comment --comment “cali:RE5BUJfnXNYp4jht” -m comment --comment “Unknown interface” -j DROP
-A cali-fw-cali13445dd5604 -m comment --comment “cali:PvYHdA3_YqG1j4zT” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali13445dd5604 -m comment --comment “cali:YvEbCCBkMzezINBN” -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali13445dd5604 -m comment --comment “cali:Bje1hp-BzGydOAnX” -j MARK --set-xmark 0x0/0x30000
-A cali-fw-cali13445dd5604 -p udp -m comment --comment “cali:NYRe1fi6vS6rXA0N” -m comment --comment “Drop VXLAN encapped packets originating in workloads” -m multiport --dports 4789 -j DROP
-A cali-fw-cali13445dd5604 -p ipencap -m comment --comment “cali:Bc7KQrRQPX1wH9AH” -m comment --comment “Drop IPinIP encapped packets originating in workloads” -j DROP
-A cali-fw-cali13445dd5604 -m comment --comment “cali:AHnVt1tNHUznwvLB” -j cali-pro-_kJqfZpgUe7r2t4A-14
-A cali-fw-cali13445dd5604 -m comment --comment “cali:nwbUs95shXOYlJCP” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali13445dd5604 -m comment --comment “cali:X4__WNi853m440ty” -j cali-pro-_4yi5_iSUAwsU8zMHTk
-A cali-fw-cali13445dd5604 -m comment --comment “cali:_s7n6xCmhw9iwuGA” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali13445dd5604 -m comment --comment “cali:KQCZNMZ8qpObYiJz” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-fw-cali510729528f2 -m comment --comment “cali:CG5VVJZEs6JaX6HT” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali510729528f2 -m comment --comment “cali:jeJc7Keutfkgx9br” -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali510729528f2 -m comment --comment “cali:KCEpJW95o-xcrFc0” -j MARK --set-xmark 0x0/0x30000
-A cali-fw-cali510729528f2 -p udp -m comment --comment “cali:L6Qtf93ixO5SAMlZ” -m comment --comment “Drop VXLAN encapped packets originating in workloads” -m multiport --dports 4789 -j DROP
-A cali-fw-cali510729528f2 -p ipencap -m comment --comment “cali:il6wlNyEeI4XE4Sd” -m comment --comment “Drop IPinIP encapped packets originating in workloads” -j DROP
-A cali-fw-cali510729528f2 -m comment --comment “cali:PZcbO_TEl4pnvoP9” -j cali-pro-kns.kube-system
-A cali-fw-cali510729528f2 -m comment --comment “cali:-Vy06Nz8TteF63nz” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali510729528f2 -m comment --comment “cali:ldVPC688k56R8pt4” -j cali-pro-_u2Tn2rSoAPffvE7JO6
-A cali-fw-cali510729528f2 -m comment --comment “cali:NRnNgdxbtrOpuPwK” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali510729528f2 -m comment --comment “cali:NyroVoUf1HCSUjm1” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:GLQNEFwQaC1x3JIT” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:9kefquuhsyVs87Du” -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:ZuhmnwWJ1V0d_8l1” -j MARK --set-xmark 0x0/0x30000
-A cali-fw-cali525e6dbd5dd -p udp -m comment --comment “cali:_vP8Ft_5kLliaKY9” -m comment --comment “Drop VXLAN encapped packets originating in workloads” -m multiport --dports 4789 -j DROP
-A cali-fw-cali525e6dbd5dd -p ipencap -m comment --comment “cali:DG0BYCQcmkgmfs9w” -m comment --comment “Drop IPinIP encapped packets originating in workloads” -j DROP
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:S_cTZmUrDobvIm6Z” -j cali-pro-kns.kube-system
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:KywNyftw-w6tLqa-” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:lqyRlWX-Bu5NGrKC” -j cali-pro-_u2Tn2rSoAPffvE7JO6
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:AzHr1Ff6n251BeOw” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali525e6dbd5dd -m comment --comment “cali:89mkN7YXbZZD_dHT” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-fw-cali668201d770b -m comment --comment “cali:KwMjp_GtiR2_kAEV” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali668201d770b -m comment --comment “cali:2-mrAQ6-ImXA6IQN” -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali668201d770b -m comment --comment “cali:bU85PtwfM8DG_cNb” -j MARK --set-xmark 0x0/0x30000
-A cali-fw-cali668201d770b -p udp -m comment --comment “cali:ZLP9oXBI5b7MnzNL” -m comment --comment “Drop VXLAN encapped packets originating in workloads” -m multiport --dports 4789 -j DROP
-A cali-fw-cali668201d770b -p ipencap -m comment --comment “cali:ATiwiFu1hJhafAsD” -m comment --comment “Drop IPinIP encapped packets originating in workloads” -j DROP
-A cali-fw-cali668201d770b -m comment --comment “cali:xepZWDsJT7CvZ-Xv” -j cali-pro-kns.calico-system
-A cali-fw-cali668201d770b -m comment --comment “cali:8d-rIeg2Depct-DY” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali668201d770b -m comment --comment “cali:VkwRn0npIxp3n7wX” -j cali-pro-nzzjLvInId1gPHmQz
-A cali-fw-cali668201d770b -m comment --comment “cali:ha61oFpT5M7FT5t8” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali668201d770b -m comment --comment “cali:g4Etexh9DhKznqJv” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:bBuK5GtX8D39f_NL” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:Fl4NvlM9rOV4JEih” -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:xQpEEBx8PyjaMCqA” -j MARK --set-xmark 0x0/0x30000
-A cali-fw-cali6f507a886a3 -p udp -m comment --comment “cali:smqgBHX4Ux-95k_G” -m comment --comment “Drop VXLAN encapped packets originating in workloads” -m multiport --dports 4789 -j DROP
-A cali-fw-cali6f507a886a3 -p ipencap -m comment --comment “cali:j6vfqx0pqQ7lyn6x” -m comment --comment “Drop IPinIP encapped packets originating in workloads” -j DROP
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:TvqwYnqVP-aUMVym” -j cali-pro-_kJqfZpgUe7r2t4A-14
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:3nOsVQEkSmLqdc3B” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:_Lac8C_6di7nZxwn” -j cali-pro-_4yi5_iSUAwsU8zMHTk
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:ojlny3nAyExgcyb4” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-cali6f507a886a3 -m comment --comment “cali:5G0NrkK1TZGre-XQ” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:asa5LiJAEKuknYfX” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:Lk_trZ8atK6k4uxI” -m conntrack --ctstate INVALID -j DROP
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:BNrY3l0ouV5u2hpc” -j MARK --set-xmark 0x0/0x30000
-A cali-fw-calic4e40d41ba9 -p udp -m comment --comment “cali:VPxLjL2UMXI72bwZ” -m comment --comment “Drop VXLAN encapped packets originating in workloads” -m multiport --dports 4789 -j DROP
-A cali-fw-calic4e40d41ba9 -p ipencap -m comment --comment “cali:h9CJy7K2DugLV2FY” -m comment --comment “Drop IPinIP encapped packets originating in workloads” -j DROP
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:QKdAZxokWz-0sMuC” -j cali-pro-kns.calico-system
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:qgasXCBBb_w-C1Y8” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:3Zzre6q9wMM2ajyj” -j cali-pro-_ymJUz7yzI6NOKJhG2-
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:jy5-Mn1Adu1pIrBD” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-fw-calic4e40d41ba9 -m comment --comment “cali:dt658MOQ9cow9UkM” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-pi-_FDiLImilezd09cpg5ci -p tcp -m comment --comment “cali:wH4Z-YLtazvrkIUi” -m comment --comment “Policy calico-apiserver/knp.default.allow-apiserver ingress” -m multiport --dports 5443 -j MARK --set-xmark 0x10000/0x10000
-A cali-pri-_4yi5_iSUAwsU8zMHTk -m comment --comment “cali:ZYnaZZFwsSjfXO4C” -m comment --comment “Profile ksa.calico-apiserver.calico-apiserver ingress”
-A cali-pri-_kJqfZpgUe7r2t4A-14 -m comment --comment “cali:IQx0SzlDGn6BPv0A” -m comment --comment “Profile kns.calico-apiserver ingress” -j MARK --set-xmark 0x10000/0x10000
-A cali-pri-nzzjLvInId1gPHmQz -m comment --comment “cali:UQoEf2WCdU0bPTCb” -m comment --comment “Profile ksa.calico-system.calico-kube-controllers ingress”
-A cali-pri-_u2Tn2rSoAPffvE7JO6 -m comment --comment “cali:WqgznqAQ-uYV0oBx” -m comment --comment “Profile ksa.kube-system.coredns ingress”
-A cali-pri-_ymJUz7yzI6NOKJhG2- -m comment --comment “cali:52zm9tLYY65R0fSD” -m comment --comment “Profile ksa.calico-system.csi-node-driver ingress”
-A cali-pri-kns.calico-system -m comment --comment “cali:hLANj-OVIyT53h_j” -m comment --comment “Profile kns.calico-system ingress” -j MARK --set-xmark 0x10000/0x10000
-A cali-pri-kns.kube-system -m comment --comment “cali:J1TyxtHWd0qaBGK-” -m comment --comment “Profile kns.kube-system ingress” -j MARK --set-xmark 0x10000/0x10000
-A cali-pro-_4yi5_iSUAwsU8zMHTk -m comment --comment “cali:Pp_dQp2FeNabRhyi” -m comment --comment “Profile ksa.calico-apiserver.calico-apiserver egress”
-A cali-pro-_kJqfZpgUe7r2t4A-14 -m comment --comment “cali:_cFTxC141wwWRzyZ” -m comment --comment “Profile kns.calico-apiserver egress” -j MARK --set-xmark 0x10000/0x10000
-A cali-pro-nzzjLvInId1gPHmQz -m comment --comment “cali:5bHxBXLMkJKgC6dk” -m comment --comment “Profile ksa.calico-system.calico-kube-controllers egress”
-A cali-pro-_u2Tn2rSoAPffvE7JO6 -m comment --comment “cali:0-_UPh39dt5XfhmJ” -m comment --comment “Profile ksa.kube-system.coredns egress”
-A cali-pro-_ymJUz7yzI6NOKJhG2- -m comment --comment “cali:yuJvAdyU1LYltt-O” -m comment --comment “Profile ksa.calico-system.csi-node-driver egress”
-A cali-pro-kns.calico-system -m comment --comment “cali:gWxJzCZXxl31NR0P” -m comment --comment “Profile kns.calico-system egress” -j MARK --set-xmark 0x10000/0x10000
-A cali-pro-kns.kube-system -m comment --comment “cali:tgOR2S8DVHZW3F1M” -m comment --comment “Profile kns.kube-system egress” -j MARK --set-xmark 0x10000/0x10000
-A cali-to-wl-dispatch -o cali13445dd5604 -m comment --comment “cali:NsZOQo1gsjs3-L57” -g cali-tw-cali13445dd5604
-A cali-to-wl-dispatch -o cali5+ -m comment --comment “cali:cPAgdGzgDqyeYtlg” -g cali-to-wl-dispatch-5
-A cali-to-wl-dispatch -o cali6+ -m comment --comment “cali:Y5ouiKAa6SItFHfW” -g cali-to-wl-dispatch-6
-A cali-to-wl-dispatch -o calic4e40d41ba9 -m comment --comment “cali:OzevpBx_WiFBCVxQ” -g cali-tw-calic4e40d41ba9
-A cali-to-wl-dispatch -m comment --comment “cali:_9zJPvOaloeWKtvj” -m comment --comment “Unknown interface” -j DROP
-A cali-to-wl-dispatch-5 -o cali510729528f2 -m comment --comment “cali:SwKnIcBQJELIdPDr” -g cali-tw-cali510729528f2
-A cali-to-wl-dispatch-5 -o cali525e6dbd5dd -m comment --comment “cali:deWYY3MhWo5haKr6” -g cali-tw-cali525e6dbd5dd
-A cali-to-wl-dispatch-5 -m comment --comment “cali:5VJ6zqxahPWwmNez” -m comment --comment “Unknown interface” -j DROP
-A cali-to-wl-dispatch-6 -o cali668201d770b -m comment --comment “cali:BNCmZTTTG4dOI8Xk” -g cali-tw-cali668201d770b
-A cali-to-wl-dispatch-6 -o cali6f507a886a3 -m comment --comment “cali:S5Uw7umDK99et5hm” -g cali-tw-cali6f507a886a3
-A cali-to-wl-dispatch-6 -m comment --comment “cali:l1v-o0DL1jd02YtE” -m comment --comment “Unknown interface” -j DROP
-A cali-tw-cali13445dd5604 -m comment --comment “cali:ZjpotW_tqkOlGPsy” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali13445dd5604 -m comment --comment “cali:VFowy4TFx7pLSbN8” -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali13445dd5604 -m comment --comment “cali:m65ZoYCTC3K09Uw3” -j MARK --set-xmark 0x0/0x30000
-A cali-tw-cali13445dd5604 -m comment --comment “cali:25__tQqG-iO9Xk4D” -m comment --comment “Start of tier default” -j MARK --set-xmark 0x0/0x20000
-A cali-tw-cali13445dd5604 -m comment --comment “cali:5SvCeMGbe6GDCS-I” -j cali-pi-_FDiLImilezd09cpg5ci
-A cali-tw-cali13445dd5604 -m comment --comment “cali:F3Lisyg5V668Eimc” -m comment --comment “Return if policy accepted” -j RETURN
-A cali-tw-cali13445dd5604 -m comment --comment “cali:rfCRZjF1zjKhgBRa” -m comment --comment “Drop if no policies passed packet” -j DROP
-A cali-tw-cali13445dd5604 -m comment --comment “cali:9RY_IQs8eMcN00_2” -j cali-pri-_kJqfZpgUe7r2t4A-14
-A cali-tw-cali13445dd5604 -m comment --comment “cali:4QnWcQdlfE0W4tQk” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali13445dd5604 -m comment --comment “cali:IM3hiO38o5WvX3kt” -j cali-pri-_4yi5_iSUAwsU8zMHTk
-A cali-tw-cali13445dd5604 -m comment --comment “cali:yOwGZqVOvaSbQB3o” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali13445dd5604 -m comment --comment “cali:uuCFVw6IcxjPm-C9” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-tw-cali510729528f2 -m comment --comment “cali:HVUrh3RjL0y0JQ6r” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali510729528f2 -m comment --comment “cali:OLs-ruhEX6I2cwBP” -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali510729528f2 -m comment --comment “cali:cecdu3GKh8YaIH3R” -j MARK --set-xmark 0x0/0x30000
-A cali-tw-cali510729528f2 -m comment --comment “cali:WeLDkwyXUzfpJ1uG” -j cali-pri-kns.kube-system
-A cali-tw-cali510729528f2 -m comment --comment “cali:er5nYmI5ALt2x9kA” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali510729528f2 -m comment --comment “cali:Ab54BJRoFFGPjB6X” -j cali-pri-_u2Tn2rSoAPffvE7JO6
-A cali-tw-cali510729528f2 -m comment --comment “cali:4XG3hE9jNln0gby-” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali510729528f2 -m comment --comment “cali:pbHoqBX70iopsTs8” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:X4FoxBpZn0Qg_MMq” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:tyvILEyYqS59Vx7t” -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:H0mM-kO61aO8kENW” -j MARK --set-xmark 0x0/0x30000
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:BUJpmgaJFaKpaRTm” -j cali-pri-kns.kube-system
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:p_cPnUgyW6Gwyuld” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:zeov2W0DNZnEo1Dl” -j cali-pri-_u2Tn2rSoAPffvE7JO6
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:NW1I2oxdt31lzQpj” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali525e6dbd5dd -m comment --comment “cali:9lnrAfr7GnJyQqAf” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-tw-cali668201d770b -m comment --comment “cali:6qTUD8tF3KKI7lpo” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali668201d770b -m comment --comment “cali:dRzgMlc-vxvNOib" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali668201d770b -m comment --comment “cali:xdupzLBUu-OqI6nH” -j MARK --set-xmark 0x0/0x30000
-A cali-tw-cali668201d770b -m comment --comment “cali:o4vGYXrOUG0oc6ss” -j cali-pri-kns.calico-system
-A cali-tw-cali668201d770b -m comment --comment “cali:P2QdzNCjDY93iSlU” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali668201d770b -m comment --comment “cali:iLm69qPHcBhQF2t8” -j cali-pri-nzzjLvInId1gPHmQz
-A cali-tw-cali668201d770b -m comment --comment “cali:fHcNYqftYLLwNqnl” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali668201d770b -m comment --comment “cali:KktEeXMH0y1otaBp” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:xL4A4UQ4HCHR6rbZ” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:FbW9_MN5KtBADeqV” -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:40gaxvEIquTcakTV” -j MARK --set-xmark 0x0/0x30000
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:r_hYqF4W20HSkai1” -m comment --comment “Start of tier default” -j MARK --set-xmark 0x0/0x20000
-A cali-tw-cali6f507a886a3 -m comment --comment "cali:-mx-2PAUC-mQzma" -j cali-pi-_FDiLImilezd09cpg5ci
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:T3zh9_QucMdlWkP-” -m comment --comment “Return if policy accepted” -j RETURN
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:zhlwfCIOB4zzqK5" -m comment --comment “Drop if no policies passed packet” -j DROP
-A cali-tw-cali6f507a886a3 -m comment --comment "cali:jOFjOlZ4NiSEnAH" -j cali-pri-_kJqfZpgUe7r2t4A-14
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:IwQqdams4h2zMSuD” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:eexPDdM1Q_3Hl12I” -j cali-pri-_4yi5_iSUAwsU8zMHTk
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:FoPl3lRR7SZd4B7V” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-cali6f507a886a3 -m comment --comment “cali:gAc_Ohwg7VVHFtKE” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:iln_rtntXEBzDh36” -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:4pNs7DazlPbFQsc5” -m conntrack --ctstate INVALID -j DROP
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:bk51OjP4aEG_qufz” -j MARK --set-xmark 0x0/0x30000
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:ugnQAR80dC9kc4Sk” -j cali-pri-kns.calico-system
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:q_A5DcMUNTEMqULx” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:jhl8alRPg6VX0boe” -j cali-pri-_ymJUz7yzI6NOKJhG2-
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:P72ADTQ_94Nj83eJ” -m comment --comment “Return if profile accepted” -j RETURN
-A cali-tw-calic4e40d41ba9 -m comment --comment “cali:etuzgaTarbsgA9II” -m comment --comment “Drop if no profiles matched” -j DROP
-A cali-wl-to-host -m comment --comment “cali:Ee9Sbo10IpVujdIY” -j cali-from-wl-dispatch
-A cali-wl-to-host -m comment --comment “cali:nSZbcOoG1xPONxb8” -m comment --comment “Configured DefaultEndpointToHostAction” -j ACCEPT
COMMIT

# Completed on Wed Nov 27 21:35:28 2024

# Generated by iptables-save v1.8.7 on Wed Nov 27 21:35:28 2024

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:KUBE-EXT-CG5I4G2RS3ZVWGLK - [0:0]
:KUBE-EXT-EDNDUDH2C75GIR6O - [0:0]
:KUBE-EXT-KBK63ZDRC2H2A4NZ - [0:0]
:KUBE-EXT-USSPT3VGI3BECJVH - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SEP-3NBHWQ4X7EMHCZMG - [0:0]
:KUBE-SEP-5O7LL2TTYR3B565K - [0:0]
:KUBE-SEP-5Y2H5KJDVMBVUFUE - [0:0]
:KUBE-SEP-63XWT66BXUCGZMHX - [0:0]
:KUBE-SEP-7ZSOEBX7262XRR45 - [0:0]
:KUBE-SEP-AGWTGSJZ2KVAYSQA - [0:0]
:KUBE-SEP-COARL4UR2NSNLDGO - [0:0]
:KUBE-SEP-E3ZZNUM7W24RHZHF - [0:0]
:KUBE-SEP-EITIJ3MQ7JZ2N5IS - [0:0]
:KUBE-SEP-EQYJQVPP5RAKERV3 - [0:0]
:KUBE-SEP-FWUJK7A6CJC7QTMN - [0:0]
:KUBE-SEP-GNEJUGLT6X5IVBVR - [0:0]
:KUBE-SEP-LZTNY462IKFEUZMW - [0:0]
:KUBE-SEP-PXLNR36ENJNDIJKG - [0:0]
:KUBE-SEP-QSRQYLIAFED5ON5X - [0:0]
:KUBE-SEP-VNNVCEOK3BC5WXSP - [0:0]
:KUBE-SEP-WJWEB5WRXZSYPLN6 - [0:0]
:KUBE-SEP-WXBWGEIKKE3BLWDL - [0:0]
:KUBE-SEP-Z3OJH2DTZFAWKAZ4 - [0:0]
:KUBE-SEP-ZI5O4S2QUBAR5BN2 - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-CG5I4G2RS3ZVWGLK - [0:0]
:KUBE-SVC-EDNDUDH2C75GIR6O - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-EZYNCFY2F7N6OQA2 - [0:0]
:KUBE-SVC-I24EZXP75AX5E7TU - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-KBK63ZDRC2H2A4NZ - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-RK657RLKDNVNU64O - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:KUBE-SVC-USSPT3VGI3BECJVH - [0:0]
:cali-OUTPUT - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-fip-dnat - [0:0]
:cali-fip-snat - [0:0]
:cali-nat-outgoing - [0:0]
-A PREROUTING -m comment --comment “cali:6gwbT8clXdHdC1b1” -j cali-PREROUTING
-A PREROUTING -m comment --comment “kubernetes service portals” -j KUBE-SERVICES
-A OUTPUT -m comment --comment “cali:tVnHkvAo15HuiPy0” -j cali-OUTPUT
-A OUTPUT -m comment --comment “kubernetes service portals” -j KUBE-SERVICES
-A POSTROUTING -m comment --comment “kubernetes postrouting rules” -j KUBE-POSTROUTING
-A POSTROUTING -m comment --comment “cali:0i8pjzKKPyA34aQD” -j cali-POSTROUTING
-A KUBE-EXT-CG5I4G2RS3ZVWGLK -m comment --comment “masquerade traffic for ingress-nginx/ingress-nginx-controller:http external destinations” -j KUBE-MARK-MASQ
-A KUBE-EXT-CG5I4G2RS3ZVWGLK -j KUBE-SVC-CG5I4G2RS3ZVWGLK
-A KUBE-EXT-EDNDUDH2C75GIR6O -m comment --comment “masquerade traffic for ingress-nginx/ingress-nginx-controller:https external destinations” -j KUBE-MARK-MASQ
-A KUBE-EXT-EDNDUDH2C75GIR6O -j KUBE-SVC-EDNDUDH2C75GIR6O
-A KUBE-EXT-KBK63ZDRC2H2A4NZ -m comment --comment “masquerade traffic for test-k8s/test-web-port-01 external destinations” -j KUBE-MARK-MASQ
-A KUBE-EXT-KBK63ZDRC2H2A4NZ -j KUBE-SVC-KBK63ZDRC2H2A4NZ
-A KUBE-EXT-USSPT3VGI3BECJVH -m comment --comment “masquerade traffic for test-k8s/test-web-port external destinations” -j KUBE-MARK-MASQ
-A KUBE-EXT-USSPT3VGI3BECJVH -j KUBE-SVC-USSPT3VGI3BECJVH
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -d 127.0.0.0/8 -p tcp -m comment --comment “test-k8s/test-web-port-01” -m nfacct --nfacct-name localhost_nps_accepted_pkts -j KUBE-EXT-KBK63ZDRC2H2A4NZ
-A KUBE-NODEPORTS -p tcp -m comment --comment “test-k8s/test-web-port-01” -j KUBE-EXT-KBK63ZDRC2H2A4NZ
-A KUBE-NODEPORTS -d 127.0.0.0/8 -p tcp -m comment --comment “test-k8s/test-web-port” -m nfacct --nfacct-name localhost_nps_accepted_pkts -j KUBE-EXT-USSPT3VGI3BECJVH
-A KUBE-NODEPORTS -p tcp -m comment --comment “test-k8s/test-web-port” -j KUBE-EXT-USSPT3VGI3BECJVH
-A KUBE-NODEPORTS -d 127.0.0.0/8 -p tcp -m comment --comment “ingress-nginx/ingress-nginx-controller:http” -m nfacct --nfacct-name localhost_nps_accepted_pkts -j KUBE-EXT-CG5I4G2RS3ZVWGLK
-A KUBE-NODEPORTS -p tcp -m comment --comment “ingress-nginx/ingress-nginx-controller:http” -j KUBE-EXT-CG5I4G2RS3ZVWGLK
-A KUBE-NODEPORTS -d 127.0.0.0/8 -p tcp -m comment --comment “ingress-nginx/ingress-nginx-controller:https” -m nfacct --nfacct-name localhost_nps_accepted_pkts -j KUBE-EXT-EDNDUDH2C75GIR6O
-A KUBE-NODEPORTS -p tcp -m comment --comment “ingress-nginx/ingress-nginx-controller:https” -j KUBE-EXT-EDNDUDH2C75GIR6O
-A KUBE-POSTROUTING -j RETURN
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
-A KUBE-POSTROUTING -m comment --comment “kubernetes service traffic requiring SNAT” -j MASQUERADE --random-fully
-A KUBE-SEP-3NBHWQ4X7EMHCZMG -s 10.244.151.130/32 -m comment --comment “kube-system/kube-dns:metrics” -j KUBE-MARK-MASQ
-A KUBE-SEP-3NBHWQ4X7EMHCZMG -p tcp -m comment --comment “kube-system/kube-dns:metrics” -m tcp -j DNAT --to-destination 10.244.151.130:9153
-A KUBE-SEP-5O7LL2TTYR3B565K -s 192.168.174.125/32 -m comment --comment “calico-system/calico-typha:calico-typha” -j KUBE-MARK-MASQ
-A KUBE-SEP-5O7LL2TTYR3B565K -p tcp -m comment --comment “calico-system/calico-typha:calico-typha” -m tcp -j DNAT --to-destination 192.168.174.125:5473
-A KUBE-SEP-5Y2H5KJDVMBVUFUE -s 10.244.44.245/32 -m comment --comment “ingress-nginx/ingress-nginx-controller-admission:https-webhook” -j KUBE-MARK-MASQ
-A KUBE-SEP-5Y2H5KJDVMBVUFUE -p tcp -m comment --comment “ingress-nginx/ingress-nginx-controller-admission:https-webhook” -m tcp -j DNAT --to-destination 10.244.44.245:8443
-A KUBE-SEP-63XWT66BXUCGZMHX -s 10.244.151.130/32 -m comment --comment “kube-system/kube-dns:dns” -j KUBE-MARK-MASQ
-A KUBE-SEP-63XWT66BXUCGZMHX -p udp -m comment --comment “kube-system/kube-dns:dns” -m udp -j DNAT --to-destination 10.244.151.130:53
-A KUBE-SEP-7ZSOEBX7262XRR45 -s 10.244.154.248/32 -m comment --comment “test-k8s/test-web-port-01” -j KUBE-MARK-MASQ
-A KUBE-SEP-7ZSOEBX7262XRR45 -p tcp -m comment --comment “test-k8s/test-web-port-01” -m tcp -j DNAT --to-destination 10.244.154.248:80
-A KUBE-SEP-AGWTGSJZ2KVAYSQA -s 192.168.174.126/32 -m comment --comment “calico-system/calico-typha:calico-typha” -j KUBE-MARK-MASQ
-A KUBE-SEP-AGWTGSJZ2KVAYSQA -p tcp -m comment --comment “calico-system/calico-typha:calico-typha” -m tcp -j DNAT --to-destination 192.168.174.126:5473
-A KUBE-SEP-COARL4UR2NSNLDGO -s 10.244.44.245/32 -m comment --comment “ingress-nginx/ingress-nginx-controller:http” -j KUBE-MARK-MASQ
-A KUBE-SEP-COARL4UR2NSNLDGO -p tcp -m comment --comment “ingress-nginx/ingress-nginx-controller:http” -m tcp -j DNAT --to-destination 10.244.44.245:80
-A KUBE-SEP-E3ZZNUM7W24RHZHF -s 192.168.174.110/32 -m comment --comment “default/kubernetes:https” -j KUBE-MARK-MASQ
-A KUBE-SEP-E3ZZNUM7W24RHZHF -p tcp -m comment --comment “default/kubernetes:https” -m tcp -j DNAT --to-destination 192.168.174.110:6443
-A KUBE-SEP-EITIJ3MQ7JZ2N5IS -s 10.244.151.133/32 -m comment --comment “kube-system/kube-dns:metrics” -j KUBE-MARK-MASQ
-A KUBE-SEP-EITIJ3MQ7JZ2N5IS -p tcp -m comment --comment “kube-system/kube-dns:metrics” -m tcp -j DNAT --to-destination 10.244.151.133:9153
-A KUBE-SEP-EQYJQVPP5RAKERV3 -s 10.244.44.248/32 -m comment --comment “test-k8s/test-web-port-01” -j KUBE-MARK-MASQ
-A KUBE-SEP-EQYJQVPP5RAKERV3 -p tcp -m comment --comment “test-k8s/test-web-port-01” -m tcp -j DNAT --to-destination 10.244.44.248:80
-A KUBE-SEP-FWUJK7A6CJC7QTMN -s 10.244.151.132/32 -m comment --comment “calico-apiserver/calico-api:apiserver” -j KUBE-MARK-MASQ
-A KUBE-SEP-FWUJK7A6CJC7QTMN -p tcp -m comment --comment “calico-apiserver/calico-api:apiserver” -m tcp -j DNAT --to-destination 10.244.151.132:5443
-A KUBE-SEP-GNEJUGLT6X5IVBVR -s 10.244.151.130/32 -m comment --comment “kube-system/kube-dns:dns-tcp” -j KUBE-MARK-MASQ
-A KUBE-SEP-GNEJUGLT6X5IVBVR -p tcp -m comment --comment “kube-system/kube-dns:dns-tcp” -m tcp -j DNAT --to-destination 10.244.151.130:53
-A KUBE-SEP-LZTNY462IKFEUZMW -s 10.244.151.131/32 -m comment --comment “calico-apiserver/calico-api:apiserver” -j KUBE-MARK-MASQ
-A KUBE-SEP-LZTNY462IKFEUZMW -p tcp -m comment --comment “calico-apiserver/calico-api:apiserver” -m tcp -j DNAT --to-destination 10.244.151.131:5443
-A KUBE-SEP-PXLNR36ENJNDIJKG -s 10.244.44.247/32 -m comment --comment “test-k8s/test-web-port” -j KUBE-MARK-MASQ
-A KUBE-SEP-PXLNR36ENJNDIJKG -p tcp -m comment --comment “test-k8s/test-web-port” -m tcp -j DNAT --to-destination 10.244.44.247:80
-A KUBE-SEP-QSRQYLIAFED5ON5X -s 10.244.151.133/32 -m comment --comment “kube-system/kube-dns:dns-tcp” -j KUBE-MARK-MASQ
-A KUBE-SEP-QSRQYLIAFED5ON5X -p tcp -m comment --comment “kube-system/kube-dns:dns-tcp” -m tcp -j DNAT --to-destination 10.244.151.133:53
-A KUBE-SEP-VNNVCEOK3BC5WXSP -s 10.244.154.246/32 -m comment --comment “test-k8s/test-web-port” -j KUBE-MARK-MASQ
-A KUBE-SEP-VNNVCEOK3BC5WXSP -p tcp -m comment --comment “test-k8s/test-web-port” -m tcp -j DNAT --to-destination 10.244.154.246:80
-A KUBE-SEP-WJWEB5WRXZSYPLN6 -s 10.244.151.133/32 -m comment --comment “kube-system/kube-dns:dns” -j KUBE-MARK-MASQ
-A KUBE-SEP-WJWEB5WRXZSYPLN6 -p udp -m comment --comment “kube-system/kube-dns:dns” -m udp -j DNAT --to-destination 10.244.151.133:53
-A KUBE-SEP-WXBWGEIKKE3BLWDL -s 10.244.44.245/32 -m comment --comment “ingress-nginx/ingress-nginx-controller:https” -j KUBE-MARK-MASQ
-A KUBE-SEP-WXBWGEIKKE3BLWDL -p tcp -m comment --comment “ingress-nginx/ingress-nginx-controller:https” -m tcp -j DNAT --to-destination 10.244.44.245:443
-A KUBE-SEP-Z3OJH2DTZFAWKAZ4 -s 10.244.154.249/32 -m comment --comment “test-k8s/test-web-port-01” -j KUBE-MARK-MASQ
-A KUBE-SEP-Z3OJH2DTZFAWKAZ4 -p tcp -m comment --comment “test-k8s/test-web-port-01” -m tcp -j DNAT --to-destination 10.244.154.249:80
-A KUBE-SEP-ZI5O4S2QUBAR5BN2 -s 10.244.154.247/32 -m comment --comment “test-k8s/test-web-port” -j KUBE-MARK-MASQ
-A KUBE-SEP-ZI5O4S2QUBAR5BN2 -p tcp -m comment --comment “test-k8s/test-web-port” -m tcp -j DNAT --to-destination 10.244.154.247:80
-A KUBE-SERVICES -d 10.106.245.165/32 -p tcp -m comment --comment “ingress-nginx/ingress-nginx-controller-admission:https-webhook cluster IP” -j KUBE-SVC-EZYNCFY2F7N6OQA2
-A KUBE-SERVICES -d 10.111.120.103/32 -p tcp -m comment --comment “test-k8s/test-web-port-01 cluster IP” -j KUBE-SVC-KBK63ZDRC2H2A4NZ
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment “kube-system/kube-dns:dns-tcp cluster IP” -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment “kube-system/kube-dns:metrics cluster IP” -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES -d 10.106.101.205/32 -p tcp -m comment --comment “calico-system/calico-typha:calico-typha cluster IP” -j KUBE-SVC-RK657RLKDNVNU64O
-A KUBE-SERVICES -d 10.102.84.150/32 -p tcp -m comment --comment “calico-apiserver/calico-api:apiserver cluster IP” -j KUBE-SVC-I24EZXP75AX5E7TU
-A KUBE-SERVICES -d 10.97.87.241/32 -p tcp -m comment --comment “test-k8s/test-web-port cluster IP” -j KUBE-SVC-USSPT3VGI3BECJVH
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment “default/kubernetes:https cluster IP” -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment “kube-system/kube-dns:dns cluster IP” -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.105.17.117/32 -p tcp -m comment --comment “ingress-nginx/ingress-nginx-controller:http cluster IP” -j KUBE-SVC-CG5I4G2RS3ZVWGLK
-A KUBE-SERVICES -d 10.105.17.117/32 -p tcp -m comment --comment “ingress-nginx/ingress-nginx-controller:https cluster IP” -j KUBE-SVC-EDNDUDH2C75GIR6O
-A KUBE-SERVICES -m comment --comment “kubernetes service nodeports; NOTE: this must be the last rule in this chain” -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-CG5I4G2RS3ZVWGLK ! -s 10.244.0.0/16 -d 10.105.17.117/32 -p tcp -m comment --comment “ingress-nginx/ingress-nginx-controller:http cluster IP” -j KUBE-MARK-MASQ
-A KUBE-SVC-CG5I4G2RS3ZVWGLK -m comment --comment “ingress-nginx/ingress-nginx-controller:http → 10.244.44.245:80” -j KUBE-SEP-COARL4UR2NSNLDGO
-A KUBE-SVC-EDNDUDH2C75GIR6O ! -s 10.244.0.0/16 -d 10.105.17.117/32 -p tcp -m comment --comment “ingress-nginx/ingress-nginx-controller:https cluster IP” -j KUBE-MARK-MASQ
-A KUBE-SVC-EDNDUDH2C75GIR6O -m comment --comment “ingress-nginx/ingress-nginx-controller:https → 10.244.44.245:443” -j KUBE-SEP-WXBWGEIKKE3BLWDL
-A KUBE-SVC-ERIFXISQEP7F7OF4 ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment “kube-system/kube-dns:dns-tcp cluster IP” -j KUBE-MARK-MASQ
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment “kube-system/kube-dns:dns-tcp → 10.244.151.130:53” -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-GNEJUGLT6X5IVBVR
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment “kube-system/kube-dns:dns-tcp → 10.244.151.133:53” -j KUBE-SEP-QSRQYLIAFED5ON5X
-A KUBE-SVC-EZYNCFY2F7N6OQA2 ! -s 10.244.0.0/16 -d 10.106.245.165/32 -p tcp -m comment --comment “ingress-nginx/ingress-nginx-controller-admission:https-webhook cluster IP” -j KUBE-MARK-MASQ
-A KUBE-SVC-EZYNCFY2F7N6OQA2 -m comment --comment “ingress-nginx/ingress-nginx-controller-admission:https-webhook → 10.244.44.245:8443” -j KUBE-SEP-5Y2H5KJDVMBVUFUE
-A KUBE-SVC-I24EZXP75AX5E7TU ! -s 10.244.0.0/16 -d 10.102.84.150/32 -p tcp -m comment --comment “calico-apiserver/calico-api:apiserver cluster IP” -j KUBE-MARK-MASQ
-A KUBE-SVC-I24EZXP75AX5E7TU -m comment --comment “calico-apiserver/calico-api:apiserver → 10.244.151.131:5443” -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-LZTNY462IKFEUZMW
-A KUBE-SVC-I24EZXP75AX5E7TU -m comment --comment “calico-apiserver/calico-api:apiserver → 10.244.151.132:5443” -j KUBE-SEP-FWUJK7A6CJC7QTMN
-A KUBE-SVC-JD5MR3NA4I4DYORP ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment “kube-system/kube-dns:metrics cluster IP” -j KUBE-MARK-MASQ
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment “kube-system/kube-dns:metrics → 10.244.151.130:9153” -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-3NBHWQ4X7EMHCZMG
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment “kube-system/kube-dns:metrics → 10.244.151.133:9153” -j KUBE-SEP-EITIJ3MQ7JZ2N5IS
-A KUBE-SVC-KBK63ZDRC2H2A4NZ ! -s 10.244.0.0/16 -d 10.111.120.103/32 -p tcp -m comment --comment “test-k8s/test-web-port-01 cluster IP” -j KUBE-MARK-MASQ
-A KUBE-SVC-KBK63ZDRC2H2A4NZ -m comment --comment “test-k8s/test-web-port-01 → 10.244.154.248:80” -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-7ZSOEBX7262XRR45
-A KUBE-SVC-KBK63ZDRC2H2A4NZ -m comment --comment “test-k8s/test-web-port-01 → 10.244.154.249:80” -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-Z3OJH2DTZFAWKAZ4
-A KUBE-SVC-KBK63ZDRC2H2A4NZ -m comment --comment “test-k8s/test-web-port-01 → 10.244.44.248:80” -j KUBE-SEP-EQYJQVPP5RAKERV3
-A KUBE-SVC-NPX46M4PTMTKRN6Y ! -s 10.244.0.0/16 -d 10.96.0.1/32 -p tcp -m comment --comment “default/kubernetes:https cluster IP” -j KUBE-MARK-MASQ
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment “default/kubernetes:https → 192.168.174.110:6443” -j KUBE-SEP-E3ZZNUM7W24RHZHF
-A KUBE-SVC-RK657RLKDNVNU64O ! -s 10.244.0.0/16 -d 10.106.101.205/32 -p tcp -m comment --comment “calico-system/calico-typha:calico-typha cluster IP” -j KUBE-MARK-MASQ
-A KUBE-SVC-RK657RLKDNVNU64O -m comment --comment “calico-system/calico-typha:calico-typha → 192.168.174.125:5473” -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5O7LL2TTYR3B565K
-A KUBE-SVC-RK657RLKDNVNU64O -m comment --comment “calico-system/calico-typha:calico-typha → 192.168.174.126:5473” -j KUBE-SEP-AGWTGSJZ2KVAYSQA
-A KUBE-SVC-TCOU7JCQXEZGVUNU ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p udp -m comment --comment “kube-system/kube-dns:dns cluster IP” -j KUBE-MARK-MASQ
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment “kube-system/kube-dns:dns → 10.244.151.130:53” -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-63XWT66BXUCGZMHX
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment “kube-system/kube-dns:dns → 10.244.151.133:53” -j KUBE-SEP-WJWEB5WRXZSYPLN6
-A KUBE-SVC-USSPT3VGI3BECJVH ! -s 10.244.0.0/16 -d 10.97.87.241/32 -p tcp -m comment --comment “test-k8s/test-web-port cluster IP” -j KUBE-MARK-MASQ
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment “test-k8s/test-web-port → 10.244.154.246:80” -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-VNNVCEOK3BC5WXSP
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment “test-k8s/test-web-port → 10.244.154.247:80” -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-ZI5O4S2QUBAR5BN2
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment “test-k8s/test-web-port → 10.244.44.247:80” -j KUBE-SEP-PXLNR36ENJNDIJKG
-A cali-OUTPUT -m comment --comment “cali:GBTAv2p5CwevEyJm” -j cali-fip-dnat
-A cali-POSTROUTING -m comment --comment “cali:Z-c7XtVd2Bq7s_hA” -j cali-fip-snat
-A cali-POSTROUTING -m comment --comment “cali:nYKhEzDlr11Jccal” -j cali-nat-outgoing
-A cali-POSTROUTING -o vxlan.calico -m comment --comment “cali:e9dnSgSVNmIcpVhP” -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE --random-fully
-A cali-PREROUTING -m comment --comment “cali:r6XmIziWUJsdOK6Z” -j cali-fip-dnat
-A cali-nat-outgoing -m comment --comment “cali:flqWnvo8yq4ULQLa” -m set --match-set cali40masq-ipam-pools src -m set ! --match-set cali40all-ipam-pools dst -j MASQUERADE --random-fully
COMMIT

# Completed on Wed Nov 27 21:35:28 2024

根据上面完整的 iptables-save 规则,我找到了如下匹配条目,但并没有发现与 32670 端口相关的策略。需要注意的是,上面贴出的 KUBE-SERVICES / KUBE-NODEPORTS / KUBE-SVC 规则里连 cluster IP 本应带有的 `-m tcp --dport 80`、`--dport 53` 这类端口匹配也都没有出现,说明 `--dport` 匹配项很可能是在粘贴时丢失了,而不是宿主机上真的没有;建议在宿主机上直接执行 `iptables-save -t nat | grep 32670` 再核对一次。

nat链:

-A PREROUTING -m comment --comment “kubernetes service portals” -j KUBE-SERVICES

-A KUBE-SERVICES -m comment --comment “kubernetes service nodeports; NOTE: this must be the last rule in this chain” -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS

-A KUBE-NODEPORTS -p tcp -m comment --comment “test-k8s/test-web-port” -j KUBE-EXT-USSPT3VGI3BECJVH
-A KUBE-NODEPORTS -p tcp -m comment --comment “test-k8s/test-web-port-01” -j KUBE-EXT-KBK63ZDRC2H2A4NZ

-A KUBE-EXT-USSPT3VGI3BECJVH -m comment --comment “masquerade traffic for test-k8s/test-web-port external destinations” -j KUBE-MARK-MASQ
-A KUBE-EXT-USSPT3VGI3BECJVH -j KUBE-SVC-USSPT3VGI3BECJVH

-A KUBE-EXT-KBK63ZDRC2H2A4NZ -m comment --comment “masquerade traffic for test-k8s/test-web-port-01 external destinations” -j KUBE-MARK-MASQ
-A KUBE-EXT-KBK63ZDRC2H2A4NZ -j KUBE-SVC-KBK63ZDRC2H2A4NZ

-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000

-A KUBE-SVC-USSPT3VGI3BECJVH ! -s 10.244.0.0/16 -d 10.97.87.241/32 -p tcp -m comment --comment “test-k8s/test-web-port cluster IP” -j KUBE-MARK-MASQ
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment “test-k8s/test-web-port → 10.244.154.246:80” -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-VNNVCEOK3BC5WXSP
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment “test-k8s/test-web-port → 10.244.154.247:80” -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-ZI5O4S2QUBAR5BN2
-A KUBE-SVC-USSPT3VGI3BECJVH -m comment --comment “test-k8s/test-web-port → 10.244.44.247:80” -j KUBE-SEP-PXLNR36ENJNDIJKG

-A KUBE-SVC-KBK63ZDRC2H2A4NZ ! -s 10.244.0.0/16 -d 10.111.120.103/32 -p tcp -m comment --comment “test-k8s/test-web-port-01 cluster IP” -j KUBE-MARK-MASQ
-A KUBE-SVC-KBK63ZDRC2H2A4NZ -m comment --comment “test-k8s/test-web-port-01 → 10.244.154.248:80” -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-7ZSOEBX7262XRR45
-A KUBE-SVC-KBK63ZDRC2H2A4NZ -m comment --comment “test-k8s/test-web-port-01 → 10.244.154.249:80” -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-Z3OJH2DTZFAWKAZ4
-A KUBE-SVC-KBK63ZDRC2H2A4NZ -m comment --comment “test-k8s/test-web-port-01 → 10.244.44.248:80” -j KUBE-SEP-EQYJQVPP5RAKERV3

-A KUBE-SEP-VNNVCEOK3BC5WXSP -s 10.244.154.246/32 -m comment --comment “test-k8s/test-web-port” -j KUBE-MARK-MASQ
-A KUBE-SEP-VNNVCEOK3BC5WXSP -p tcp -m comment --comment “test-k8s/test-web-port” -m tcp -j DNAT --to-destination 10.244.154.246:80

-A KUBE-SEP-ZI5O4S2QUBAR5BN2 -s 10.244.154.247/32 -m comment --comment “test-k8s/test-web-port” -j KUBE-MARK-MASQ
-A KUBE-SEP-ZI5O4S2QUBAR5BN2 -p tcp -m comment --comment “test-k8s/test-web-port” -m tcp -j DNAT --to-destination 10.244.154.247:80

-A KUBE-SEP-PXLNR36ENJNDIJKG -s 10.244.44.247/32 -m comment --comment “test-k8s/test-web-port” -j KUBE-MARK-MASQ
-A KUBE-SEP-PXLNR36ENJNDIJKG -p tcp -m comment --comment “test-k8s/test-web-port” -m tcp -j DNAT --to-destination 10.244.44.247:80

-A KUBE-SEP-7ZSOEBX7262XRR45 -s 10.244.154.248/32 -m comment --comment “test-k8s/test-web-port-01” -j KUBE-MARK-MASQ
-A KUBE-SEP-7ZSOEBX7262XRR45 -p tcp -m comment --comment “test-k8s/test-web-port-01” -m tcp -j DNAT --to-destination 10.244.154.248:80

-A KUBE-SEP-Z3OJH2DTZFAWKAZ4 -s 10.244.154.249/32 -m comment --comment “test-k8s/test-web-port-01” -j KUBE-MARK-MASQ
-A KUBE-SEP-Z3OJH2DTZFAWKAZ4 -p tcp -m comment --comment “test-k8s/test-web-port-01” -m tcp -j DNAT --to-destination 10.244.154.249:80

-A KUBE-SEP-EQYJQVPP5RAKERV3 -s 10.244.44.248/32 -m comment --comment “test-k8s/test-web-port-01” -j KUBE-MARK-MASQ
-A KUBE-SEP-EQYJQVPP5RAKERV3 -p tcp -m comment --comment “test-k8s/test-web-port-01” -m tcp -j DNAT --to-destination 10.244.44.248:80