Preface:

This article lists the environment and the preparatory work used throughout the Calico series of analysis articles.

Environment

  • k8s: v1.19.3
  • iptables: v1.4.21
  • route: 2.10-alpha
  • calico: v3.16.4
  • tcpdump

Calico is running in IPIP mode, which is Calico's default mode.
k8s is not installed in high-availability mode: 1 master node and 2 worker nodes.
k8s does not use IPVS (kube-proxy runs in iptables mode, which is why the firewall dumps below consist of KUBE-* chains).

Tool installation

Installing calicoctl

calicoctl is a tool provided by the Calico community that gives a cluster-wide view of the Calico network, much as kubectl does for k8s.

  1. Download the binary
curl -O -L https://github.com/projectcalico/calicoctl/releases/download/v3.4.0/calicoctl
  2. Copy it into a directory on the executable path
cp calicoctl /usr/bin/
  3. Grant execute permission
chmod +x /usr/bin/calicoctl
  4. Try listing the Calico nodes

DATASTORE_TYPE=kubernetes KUBECONFIG=~/.kube/config calicoctl get nodes

Note that the release in the download URL (v3.4.0) is older than the Calico version listed in the environment above (v3.16.4); pick the calicoctl release that matches the Calico version you are running.

Download the calico.yaml file

curl https://docs.projectcalico.org/archive/v3.16/manifests/calico.yaml -O

Example

1. Create a deployment

kubectl create deployment nginx --image=nginx --port=80

2. To make testing easier, pin the pod to a specific node

kubectl edit deployment nginx
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: "2020-11-09T05:56:04Z"
  generation: 1
  labels:
    app: nginx
  name: nginx
  namespace: default
  resourceVersion: "807087"
  selfLink: /apis/apps/v1/namespaces/default/deployments/nginx
  uid: ec684051-3725-4f5e-9efd-d96fb3257cca
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: nginx
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: nginx
    spec:
      nodeSelector:
        kubernetes.io/hostname: XXX # replace with the hostname of your own node
      containers:
      - image: nginx
        imagePullPolicy: Always
        name: nginx
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2020-11-09T05:56:18Z"
    lastUpdateTime: "2020-11-09T05:56:18Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2020-11-09T05:56:04Z"
    lastUpdateTime: "2020-11-09T05:56:18Z"
    message: ReplicaSet "nginx-6799fc88d8" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1

3. Create a NodePort service

kubectl create svc nodeport nginx --tcp=8080:80

4. Try accessing the NodePort through a node IP and the allocated port

My complete node, route and firewall information

Node information

Route information

master node 1

worker node 1

worker node 2

Firewall information

master node 1 firewall

# Generated by iptables-save v1.4.21 on Mon Nov  9 17:04:32 2020
*raw
:PREROUTING ACCEPT [66552762:12056037475]
:OUTPUT ACCEPT [67017604:13224857862]
:cali-OUTPUT - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-to-host-endpoint - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A cali-OUTPUT -m comment --comment "cali:njdnLwYeGqBJyMxW" -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment "cali:rz86uTUcEZAfFsh7" -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:pN0F5zD0b8yf9W1Z" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:XFX5xbM8B9qR10JG" -j MARK --set-xmark 0x0/0xf0000
-A cali-PREROUTING -i cali+ -m comment --comment "cali:EWMPb0zVROM-woQp" -j MARK --set-xmark 0x40000/0x40000
-A cali-PREROUTING -m comment --comment "cali:V6ooGP15glg7wm91" -m mark --mark 0x40000/0x40000 -m rpfilter --invert -j DROP
-A cali-PREROUTING -m comment --comment "cali:RMTzKqp0j735XfY4" -m mark --mark 0x0/0x40000 -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment "cali:T8-Zfumo2dKygI73" -m mark --mark 0x10000/0x10000 -j ACCEPT
COMMIT
# Completed on Mon Nov  9 17:04:32 2020
# Generated by iptables-save v1.4.21 on Mon Nov  9 17:04:32 2020
*mangle
:PREROUTING ACCEPT [825849:49462147]
:INPUT ACCEPT [66542314:12054806587]
:FORWARD ACCEPT [10450:1231073]
:OUTPUT ACCEPT [67017606:13224858047]
:POSTROUTING ACCEPT [67028056:13226089120]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A cali-PREROUTING -m comment --comment "cali:6BJqBjBC7crtA-7-" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:KX7AGNd6rMcDUai6" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:wNH7KsA3ILKJBsY9" -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment "cali:Cg96MgVuoPm7UMRo" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
COMMIT
# Completed on Mon Nov  9 17:04:32 2020
# Generated by iptables-save v1.4.21 on Mon Nov  9 17:04:32 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1098:66162]
:POSTROUTING ACCEPT [1098:66162]
:DOCKER - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SEP-5G7TVIGO2RMIKKTY - [0:0]
:KUBE-SEP-KNF4SHE3YOGR5YAN - [0:0]
:KUBE-SEP-MFHCJYPBXWFXMLFL - [0:0]
:KUBE-SEP-NGWCFP2WQ6ZZCOWV - [0:0]
:KUBE-SEP-NTPQ6CEYN4LVUKMG - [0:0]
:KUBE-SEP-SE4IOH7EDXXMLYG2 - [0:0]
:KUBE-SEP-YX2CVEAXQDGPKPRP - [0:0]
:KUBE-SEP-YYG3HJMSEVMBQTZ3 - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-DR2DYVPMBY3GPZ5L - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:cali-OUTPUT - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-fip-dnat - [0:0]
:cali-fip-snat - [0:0]
:cali-nat-outgoing - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx:8080-80" -m tcp --dport 32220 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx:8080-80" -m tcp --dport 32220 -j KUBE-SVC-DR2DYVPMBY3GPZ5L
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
-A KUBE-SEP-5G7TVIGO2RMIKKTY -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-5G7TVIGO2RMIKKTY -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 192.168.179.130:53
-A KUBE-SEP-KNF4SHE3YOGR5YAN -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-KNF4SHE3YOGR5YAN -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 192.168.179.131:9153
-A KUBE-SEP-MFHCJYPBXWFXMLFL -s 192.168.231.70/32 -m comment --comment "default/nginx:8080-80" -j KUBE-MARK-MASQ
-A KUBE-SEP-MFHCJYPBXWFXMLFL -p tcp -m comment --comment "default/nginx:8080-80" -m tcp -j DNAT --to-destination 192.168.231.70:80
-A KUBE-SEP-NGWCFP2WQ6ZZCOWV -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-NGWCFP2WQ6ZZCOWV -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 192.168.179.131:53
-A KUBE-SEP-NTPQ6CEYN4LVUKMG -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-NTPQ6CEYN4LVUKMG -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 192.168.179.130:53
-A KUBE-SEP-SE4IOH7EDXXMLYG2 -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-SE4IOH7EDXXMLYG2 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 192.168.179.131:53
-A KUBE-SEP-YX2CVEAXQDGPKPRP -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-YX2CVEAXQDGPKPRP -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 192.168.179.130:9153
-A KUBE-SEP-YYG3HJMSEVMBQTZ3 -s 10.0.0.54/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-YYG3HJMSEVMBQTZ3 -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 10.0.0.54:6443
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES -d 10.101.14.7/32 -p tcp -m comment --comment "default/nginx:8080-80 cluster IP" -m tcp --dport 8080 -j KUBE-SVC-DR2DYVPMBY3GPZ5L
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-DR2DYVPMBY3GPZ5L -m comment --comment "default/nginx:8080-80" -j KUBE-SEP-MFHCJYPBXWFXMLFL
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5G7TVIGO2RMIKKTY
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-NGWCFP2WQ6ZZCOWV
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-YX2CVEAXQDGPKPRP
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-SEP-KNF4SHE3YOGR5YAN
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-YYG3HJMSEVMBQTZ3
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-NTPQ6CEYN4LVUKMG
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-SE4IOH7EDXXMLYG2
-A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
-A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
-A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
-A cali-POSTROUTING -o tunl0 -m comment --comment "cali:JHlpT-eSqR1TvyYm" -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE
-A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
-A cali-nat-outgoing -m comment --comment "cali:Dw4T8UWPnCLxRJiI" -m set --match-set cali40masq-ipam-pools src -m set ! --match-set cali40all-ipam-pools dst -j MASQUERADE
COMMIT
# Completed on Mon Nov  9 17:04:32 2020
# Generated by iptables-save v1.4.21 on Mon Nov  9 17:04:32 2020
*filter
:INPUT ACCEPT [99890:17430297]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [104783:20601687]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SERVICES - [0:0]
:cali-FORWARD - [0:0]
:cali-INPUT - [0:0]
:cali-OUTPUT - [0:0]
:cali-from-hep-forward - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-from-wl-dispatch - [0:0]
:cali-fw-cali243955b783c - [0:0]
:cali-fw-cali44ada74fc70 - [0:0]
:cali-fw-cali625b23bdbe9 - [0:0]
:cali-pri-_PTRGc0U-L5Kz7V6ERW - [0:0]
:cali-pri-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pri-kns.kube-system - [0:0]
:cali-pro-_PTRGc0U-L5Kz7V6ERW - [0:0]
:cali-pro-_u2Tn2rSoAPffvE7JO6 - [0:0]
:cali-pro-kns.kube-system - [0:0]
:cali-to-hep-forward - [0:0]
:cali-to-host-endpoint - [0:0]
:cali-to-wl-dispatch - [0:0]
:cali-tw-cali243955b783c - [0:0]
:cali-tw-cali44ada74fc70 - [0:0]
:cali-tw-cali625b23bdbe9 - [0:0]
:cali-wl-to-host - [0:0]
-A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m comment --comment "cali:S93hcgKJrXEqnTfs" -m comment --comment "Policy explicitly accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-FORWARD -m comment --comment "cali:vjrMJCRpqwy5oRoX" -j MARK --set-xmark 0x0/0xe0000
-A cali-FORWARD -m comment --comment "cali:A_sPAO0mcxbT9mOV" -m mark --mark 0x0/0x10000 -j cali-from-hep-forward
-A cali-FORWARD -i cali+ -m comment --comment "cali:8ZoYfO5HKXWbB3pk" -j cali-from-wl-dispatch
-A cali-FORWARD -o cali+ -m comment --comment "cali:jdEuaPBe14V2hutn" -j cali-to-wl-dispatch
-A cali-FORWARD -m comment --comment "cali:12bc6HljsMKsmfr-" -j cali-to-hep-forward
-A cali-INPUT -p ipv4 -m comment --comment "cali:PajejrV4aFdkZojI" -m comment --comment "Allow IPIP packets from Calico hosts" -m set --match-set cali40all-hosts-net src -m addrtype --dst-type LOCAL -j ACCEPT
-A cali-INPUT -p ipv4 -m comment --comment "cali:_wjq-Yrma8Ly1Svo" -m comment --comment "Drop IPIP packets from non-Calico hosts" -j DROP
-A cali-INPUT -i cali+ -m comment --comment "cali:8TZGxLWh_Eiz66wc" -g cali-wl-to-host
-A cali-INPUT -m comment --comment "cali:6McIeIDvPdL6PE1T" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-INPUT -m comment --comment "cali:YGPbrUms7NId8xVa" -j MARK --set-xmark 0x0/0xf0000
-A cali-INPUT -m comment --comment "cali:2gmY7Bg2i0i84Wk_" -j cali-from-host-endpoint
-A cali-INPUT -m comment --comment "cali:q-Vz2ZT9iGE331LL" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:Mq1_rAdXXH3YkrzW" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-OUTPUT -o cali+ -m comment --comment "cali:69FkRTJDvD5Vu6Vl" -j RETURN
-A cali-OUTPUT -p ipv4 -m comment --comment "cali:AnEsmO6bDZbQntWW" -m comment --comment "Allow IPIP packets to other Calico hosts" -m set --match-set cali40all-hosts-net dst -m addrtype --src-type LOCAL -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:9e9Uf3GU5tX--Lxy" -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment "cali:OB2pzPrvQn6PC89t" -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:tvSSMDBWrme3CUqM" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-from-wl-dispatch -i cali243955b783c -m comment --comment "cali:APGGscuv4DSHKnzq" -g cali-fw-cali243955b783c
-A cali-from-wl-dispatch -i cali44ada74fc70 -m comment --comment "cali:hC2OaO1cWejgAZB5" -g cali-fw-cali44ada74fc70
-A cali-from-wl-dispatch -i cali625b23bdbe9 -m comment --comment "cali:KzmjGAtmhYUsfp0F" -g cali-fw-cali625b23bdbe9
-A cali-from-wl-dispatch -m comment --comment "cali:9sALbg6uCMhDXnmx" -m comment --comment "Unknown interface" -j DROP
-A cali-fw-cali243955b783c -m comment --comment "cali:LfKRM2oPkX3nY0FQ" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali243955b783c -m comment --comment "cali:chYOLfHpvKunMrm0" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali243955b783c -m comment --comment "cali:Xx079LYLj4qDgxu6" -j MARK --set-xmark 0x0/0x10000
-A cali-fw-cali243955b783c -p udp -m comment --comment "cali:CaE5II_3KjhwM60j" -m comment --comment "Drop VXLAN encapped packets originating in workloads" -m multiport --dports 4789 -j DROP
-A cali-fw-cali243955b783c -p ipv4 -m comment --comment "cali:ooPe0qwdebc88DY0" -m comment --comment "Drop IPinIP encapped packets originating in workloads" -j DROP
-A cali-fw-cali243955b783c -m comment --comment "cali:PBPE27w2f8apDGGA" -j cali-pro-kns.kube-system
-A cali-fw-cali243955b783c -m comment --comment "cali:Z25rd9OeKmXM0K67" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali243955b783c -m comment --comment "cali:8siwNArI6so1C8A7" -j cali-pro-_PTRGc0U-L5Kz7V6ERW
-A cali-fw-cali243955b783c -m comment --comment "cali:GQdxC1RgoLKx3Wba" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali243955b783c -m comment --comment "cali:gdEM6-Tug23FLfqv" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali44ada74fc70 -m comment --comment "cali:5FarGsIy2BbFzJXI" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali44ada74fc70 -m comment --comment "cali:Wjk9yjiUdRIdjw3C" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali44ada74fc70 -m comment --comment "cali:QYYBBpg1QnwR6mRj" -j MARK --set-xmark 0x0/0x10000
-A cali-fw-cali44ada74fc70 -p udp -m comment --comment "cali:cZBJvzxCUEdI8wQs" -m comment --comment "Drop VXLAN encapped packets originating in workloads" -m multiport --dports 4789 -j DROP
-A cali-fw-cali44ada74fc70 -p ipv4 -m comment --comment "cali:Dh1hscoxMAqwcQLI" -m comment --comment "Drop IPinIP encapped packets originating in workloads" -j DROP
-A cali-fw-cali44ada74fc70 -m comment --comment "cali:txlbDzm1K96QdGgj" -j cali-pro-kns.kube-system
-A cali-fw-cali44ada74fc70 -m comment --comment "cali:saG936TE0xJwWc-v" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali44ada74fc70 -m comment --comment "cali:RRmJfwQ0_Ea5D9Ka" -j cali-pro-_u2Tn2rSoAPffvE7JO6
-A cali-fw-cali44ada74fc70 -m comment --comment "cali:r9VK9XoDKcIg22st" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali44ada74fc70 -m comment --comment "cali:3A08PWNBdqUa2Ibk" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali625b23bdbe9 -m comment --comment "cali:XwfZfNq9e-cDt4uG" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali625b23bdbe9 -m comment --comment "cali:7x6nPv5HKPE8008I" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali625b23bdbe9 -m comment --comment "cali:DUCCJoYVTJVMNuyR" -j MARK --set-xmark 0x0/0x10000
-A cali-fw-cali625b23bdbe9 -p udp -m comment --comment "cali:spPjSESqwXKLQUYk" -m comment --comment "Drop VXLAN encapped packets originating in workloads" -m multiport --dports 4789 -j DROP
-A cali-fw-cali625b23bdbe9 -p ipv4 -m comment --comment "cali:SUHJHk-cpyPhMIlB" -m comment --comment "Drop IPinIP encapped packets originating in workloads" -j DROP
-A cali-fw-cali625b23bdbe9 -m comment --comment "cali:kDUzV0M983Nl0HXX" -j cali-pro-kns.kube-system
-A cali-fw-cali625b23bdbe9 -m comment --comment "cali:HwgLS3tjHwCmNXqK" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali625b23bdbe9 -m comment --comment "cali:4O94yXCD2zMkPZjV" -j cali-pro-_u2Tn2rSoAPffvE7JO6
-A cali-fw-cali625b23bdbe9 -m comment --comment "cali:PPrF8nGocovmzeUN" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali625b23bdbe9 -m comment --comment "cali:auzFogBEZee9wpxn" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-pri-kns.kube-system -m comment --comment "cali:zoH5gU6U55FKZxEo" -j MARK --set-xmark 0x10000/0x10000
-A cali-pri-kns.kube-system -m comment --comment "cali:bcGRIJcyOS9dgBiB" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-pro-kns.kube-system -m comment --comment "cali:-50oJuMfLVO3LkBk" -j MARK --set-xmark 0x10000/0x10000
-A cali-pro-kns.kube-system -m comment --comment "cali:ztVPKv1UYejNzm1g" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-to-wl-dispatch -o cali243955b783c -m comment --comment "cali:kT2BQPdRcaexPAWm" -g cali-tw-cali243955b783c
-A cali-to-wl-dispatch -o cali44ada74fc70 -m comment --comment "cali:HpX4TCgzHAqT_2hG" -g cali-tw-cali44ada74fc70
-A cali-to-wl-dispatch -o cali625b23bdbe9 -m comment --comment "cali:_04dO9b8xNYXfrt3" -g cali-tw-cali625b23bdbe9
-A cali-to-wl-dispatch -m comment --comment "cali:aX0E9XDg2VbclqZL" -m comment --comment "Unknown interface" -j DROP
-A cali-tw-cali243955b783c -m comment --comment "cali:libYhdYPATE_sEMZ" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali243955b783c -m comment --comment "cali:Vy_Rcgck6K-KcFxt" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali243955b783c -m comment --comment "cali:tlhiYNd_ydeF0H_4" -j MARK --set-xmark 0x0/0x10000
-A cali-tw-cali243955b783c -m comment --comment "cali:6WOkxBh3iUgNvrFC" -j cali-pri-kns.kube-system
-A cali-tw-cali243955b783c -m comment --comment "cali:5soFdWrsFABL0ObQ" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali243955b783c -m comment --comment "cali:PEkSrZgMGwU94CST" -j cali-pri-_PTRGc0U-L5Kz7V6ERW
-A cali-tw-cali243955b783c -m comment --comment "cali:9ftwU7tOXKus6A1p" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali243955b783c -m comment --comment "cali:i9Z_F_aBZmYWMNvz" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali44ada74fc70 -m comment --comment "cali:-b955ur7sOodD4wU" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali44ada74fc70 -m comment --comment "cali:72YuP6s5N2JuU-1t" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali44ada74fc70 -m comment --comment "cali:uFNhGCRbxYGiuZLs" -j MARK --set-xmark 0x0/0x10000
-A cali-tw-cali44ada74fc70 -m comment --comment "cali:vq4g00L2cLrmavm_" -j cali-pri-kns.kube-system
-A cali-tw-cali44ada74fc70 -m comment --comment "cali:pLB7Ww8KYrSG4BsK" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali44ada74fc70 -m comment --comment "cali:H0At6Z-QQy5cJB2p" -j cali-pri-_u2Tn2rSoAPffvE7JO6
-A cali-tw-cali44ada74fc70 -m comment --comment "cali:n08Ax13PmyUFgpfF" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali44ada74fc70 -m comment --comment "cali:pf2ugpuVuhIT52ay" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali625b23bdbe9 -m comment --comment "cali:oCCW3Pa1lG-2zUCs" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali625b23bdbe9 -m comment --comment "cali:eQYw9nlGkVUxPbHA" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali625b23bdbe9 -m comment --comment "cali:2FV3lUHNtWeDfnU_" -j MARK --set-xmark 0x0/0x10000
-A cali-tw-cali625b23bdbe9 -m comment --comment "cali:AtZoByehN9Djkwwo" -j cali-pri-kns.kube-system
-A cali-tw-cali625b23bdbe9 -m comment --comment "cali:ck68rV0RHfXs-sgR" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali625b23bdbe9 -m comment --comment "cali:CLkRkCckxHLQT6CO" -j cali-pri-_u2Tn2rSoAPffvE7JO6
-A cali-tw-cali625b23bdbe9 -m comment --comment "cali:ESRw1Awvhcp0cqEe" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali625b23bdbe9 -m comment --comment "cali:ufLcJE1x1xp-ICyD" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-wl-to-host -m comment --comment "cali:Ee9Sbo10IpVujdIY" -j cali-from-wl-dispatch
-A cali-wl-to-host -m comment --comment "cali:nSZbcOoG1xPONxb8" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT
COMMIT
# Completed on Mon Nov  9 17:04:32 2020
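
As an added example (not code from the original post or from the Calico or Kubernetes projects), the following Python script parses the iptables-save format of the dumps above and walks the two parts a reviewer of these rules cares about: the kube-proxy NodePort path (KUBE-NODEPORTS -> KUBE-SVC-* -> KUBE-SEP-* -> DNAT, with the KUBE-MARK-MASQ flag that tells you the pod will see the node's address rather than the client's) and the Calico per-workload egress chains (cali-fw-*) that drop VXLAN/IPinIP packets originating inside pods. SAMPLE_DUMP is a constructed, shortened excerpt modelled on the master node's nginx rules; feed it the real output of `iptables-save` to walk a live node.

```python
# Added example (not the post's or the projects' code): parse the iptables-save
# format used in the dumps above and walk the nginx NodePort and Calico rules.
import shlex
from collections import defaultdict

# Constructed, shortened excerpt modelled on the master node's dump: the nginx
# NodePort (32220) path in *nat and one Calico workload egress chain in *filter.
SAMPLE_DUMP = """\
*nat
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx:8080-80" -m tcp --dport 32220 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx:8080-80" -m tcp --dport 32220 -j KUBE-SVC-DR2DYVPMBY3GPZ5L
-A KUBE-SVC-DR2DYVPMBY3GPZ5L -m comment --comment "default/nginx:8080-80" -j KUBE-SEP-MFHCJYPBXWFXMLFL
-A KUBE-SEP-MFHCJYPBXWFXMLFL -s 192.168.231.70/32 -m comment --comment "default/nginx:8080-80" -j KUBE-MARK-MASQ
-A KUBE-SEP-MFHCJYPBXWFXMLFL -p tcp -m comment --comment "default/nginx:8080-80" -m tcp -j DNAT --to-destination 192.168.231.70:80
COMMIT
*filter
-A cali-fw-cali583c2cee4e2 -p udp -m comment --comment "cali:jWz0mMHTwgQSeJaQ" -m comment --comment "Drop VXLAN encapped packets originating in workloads" -m multiport --dports 4789 -j DROP
-A cali-fw-cali583c2cee4e2 -p ipv4 -m comment --comment "cali:_EpWyX-lJtggvbaU" -m comment --comment "Drop IPinIP encapped packets originating in workloads" -j DROP
-A cali-fw-cali583c2cee4e2 -m comment --comment "cali:KFwo49mx24nNC1JU" -j cali-pro-kns.default
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {chain: [rule, ...]}} keeping only the options we walk."""
    tables = defaultdict(lambda: defaultdict(list))
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # "*nat" opens a table
            table = line[1:]
            continue
        if table is None or not line.startswith("-A "):
            continue                              # ":CHAIN", COMMIT, comments
        tokens = shlex.split(line)                # keeps quoted comments intact
        rule = {"chain": tokens[1], "target": "", "proto": "", "dport": "",
                "to": "", "comments": []}
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if tok in ("-j", "-g"):
                rule["target"] = nxt
            elif tok == "-p":
                rule["proto"] = nxt
            elif tok in ("--dport", "--dports"):
                rule["dport"] = nxt
            elif tok == "--to-destination":
                rule["to"] = nxt
            elif tok == "--comment":
                rule["comments"].append(nxt)
            else:                                 # "-m tcp", "!", marks: skip
                i += 1
                continue
            i += 2
        tables[table][rule["chain"]].append(rule)
    return tables


def resolve_nodeport(tables, port, proto="tcp"):
    """Follow KUBE-NODEPORTS -> KUBE-SVC-* -> KUBE-SEP-* -> DNAT for one port.

    One dict per backend pod; "masq" is True when KUBE-MARK-MASQ fires on the
    NodePort, i.e. the client address is SNATed and the pod sees the node IP.
    """
    nat = tables["nat"]
    hits = [r for r in nat["KUBE-NODEPORTS"]
            if r["proto"] == proto and r["dport"] == str(port)]
    masq = any(r["target"] == "KUBE-MARK-MASQ" for r in hits)
    backends = []
    for svc in (r for r in hits if r["target"].startswith("KUBE-SVC-")):
        for sep in (r for r in nat[svc["target"]] if r["target"].startswith("KUBE-SEP-")):
            for dnat in nat[sep["target"]]:
                if dnat["target"] == "DNAT" and dnat["to"]:
                    backends.append({"service": (svc["comments"] or [""])[0],
                                     "endpoint": dnat["to"], "masq": masq})
    return backends


def workload_encap_drops(tables):
    """Per Calico workload egress chain (cali-fw-*), the DROP rules that keep a
    pod from injecting VXLAN/IPinIP-encapsulated packets into the node network."""
    return {chain: [c for r in rules if r["target"] == "DROP"
                    for c in r["comments"] if "encapped" in c]
            for chain, rules in tables["filter"].items()
            if chain.startswith("cali-fw-")}


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_DUMP)
    for b in resolve_nodeport(parsed, 32220):
        print(f"NodePort 32220 -> {b['endpoint']} ({b['service']}), SNAT={b['masq']}")
    for chain, drops in workload_encap_drops(parsed).items():
        print(chain, drops)
```

A service with several backends (the kube-dns rules above use `-m statistic --mode random`) simply yields one dict per KUBE-SEP chain, so the same walk covers multi-replica services.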

worker node 1 firewall

# Generated by iptables-save v1.4.21 on Mon Nov  9 17:05:37 2020
*raw
:PREROUTING ACCEPT [1452145:556035822]
:OUTPUT ACCEPT [1433871:179823039]
:cali-OUTPUT - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-to-host-endpoint - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A cali-OUTPUT -m comment --comment "cali:njdnLwYeGqBJyMxW" -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment "cali:rz86uTUcEZAfFsh7" -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:pN0F5zD0b8yf9W1Z" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:XFX5xbM8B9qR10JG" -j MARK --set-xmark 0x0/0xf0000
-A cali-PREROUTING -i cali+ -m comment --comment "cali:EWMPb0zVROM-woQp" -j MARK --set-xmark 0x40000/0x40000
-A cali-PREROUTING -m comment --comment "cali:V6ooGP15glg7wm91" -m mark --mark 0x40000/0x40000 -m rpfilter --invert -j DROP
-A cali-PREROUTING -m comment --comment "cali:RMTzKqp0j735XfY4" -m mark --mark 0x0/0x40000 -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment "cali:T8-Zfumo2dKygI73" -m mark --mark 0x10000/0x10000 -j ACCEPT
COMMIT
# Completed on Mon Nov  9 17:05:37 2020
# Generated by iptables-save v1.4.21 on Mon Nov  9 17:05:37 2020
*mangle
:PREROUTING ACCEPT [68798:4129359]
:INPUT ACCEPT [1407945:519627818]
:FORWARD ACCEPT [44200:36408004]
:OUTPUT ACCEPT [1433871:179823039]
:POSTROUTING ACCEPT [1478071:216231043]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A cali-PREROUTING -m comment --comment "cali:6BJqBjBC7crtA-7-" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:KX7AGNd6rMcDUai6" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:wNH7KsA3ILKJBsY9" -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment "cali:Cg96MgVuoPm7UMRo" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
COMMIT
# Completed on Mon Nov  9 17:05:37 2020
# Generated by iptables-save v1.4.21 on Mon Nov  9 17:05:37 2020
*filter
:INPUT ACCEPT [2060:617691]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1938:174415]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SERVICES - [0:0]
:cali-FORWARD - [0:0]
:cali-INPUT - [0:0]
:cali-OUTPUT - [0:0]
:cali-from-hep-forward - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-from-wl-dispatch - [0:0]
:cali-fw-cali583c2cee4e2 - [0:0]
:cali-pri-kns.default - [0:0]
:cali-pri-ksa.default.default - [0:0]
:cali-pro-kns.default - [0:0]
:cali-pro-ksa.default.default - [0:0]
:cali-to-hep-forward - [0:0]
:cali-to-host-endpoint - [0:0]
:cali-to-wl-dispatch - [0:0]
:cali-tw-cali583c2cee4e2 - [0:0]
:cali-wl-to-host - [0:0]
-A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A FORWARD -m comment --comment "cali:S93hcgKJrXEqnTfs" -m comment --comment "Policy explicitly accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-FORWARD -m comment --comment "cali:vjrMJCRpqwy5oRoX" -j MARK --set-xmark 0x0/0xe0000
-A cali-FORWARD -m comment --comment "cali:A_sPAO0mcxbT9mOV" -m mark --mark 0x0/0x10000 -j cali-from-hep-forward
-A cali-FORWARD -i cali+ -m comment --comment "cali:8ZoYfO5HKXWbB3pk" -j cali-from-wl-dispatch
-A cali-FORWARD -o cali+ -m comment --comment "cali:jdEuaPBe14V2hutn" -j cali-to-wl-dispatch
-A cali-FORWARD -m comment --comment "cali:12bc6HljsMKsmfr-" -j cali-to-hep-forward
-A cali-INPUT -p ipv4 -m comment --comment "cali:PajejrV4aFdkZojI" -m comment --comment "Allow IPIP packets from Calico hosts" -m set --match-set cali40all-hosts-net src -m addrtype --dst-type LOCAL -j ACCEPT
-A cali-INPUT -p ipv4 -m comment --comment "cali:_wjq-Yrma8Ly1Svo" -m comment --comment "Drop IPIP packets from non-Calico hosts" -j DROP
-A cali-INPUT -i cali+ -m comment --comment "cali:8TZGxLWh_Eiz66wc" -g cali-wl-to-host
-A cali-INPUT -m comment --comment "cali:6McIeIDvPdL6PE1T" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-INPUT -m comment --comment "cali:YGPbrUms7NId8xVa" -j MARK --set-xmark 0x0/0xf0000
-A cali-INPUT -m comment --comment "cali:2gmY7Bg2i0i84Wk_" -j cali-from-host-endpoint
-A cali-INPUT -m comment --comment "cali:q-Vz2ZT9iGE331LL" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:Mq1_rAdXXH3YkrzW" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-OUTPUT -o cali+ -m comment --comment "cali:69FkRTJDvD5Vu6Vl" -j RETURN
-A cali-OUTPUT -p ipv4 -m comment --comment "cali:AnEsmO6bDZbQntWW" -m comment --comment "Allow IPIP packets to other Calico hosts" -m set --match-set cali40all-hosts-net dst -m addrtype --src-type LOCAL -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:9e9Uf3GU5tX--Lxy" -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment "cali:OB2pzPrvQn6PC89t" -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:tvSSMDBWrme3CUqM" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-from-wl-dispatch -i cali583c2cee4e2 -m comment --comment "cali:wOp69dVXp81b7ZmM" -g cali-fw-cali583c2cee4e2
-A cali-from-wl-dispatch -m comment --comment "cali:5MAwXOlOVPIW0ZTw" -m comment --comment "Unknown interface" -j DROP
-A cali-fw-cali583c2cee4e2 -m comment --comment "cali:5VmAHsSec8KKZixP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali583c2cee4e2 -m comment --comment "cali:4kZgmbKF5f2lHU6y" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali583c2cee4e2 -m comment --comment "cali:Y9LKrYzJ6HnhYla8" -j MARK --set-xmark 0x0/0x10000
-A cali-fw-cali583c2cee4e2 -p udp -m comment --comment "cali:jWz0mMHTwgQSeJaQ" -m comment --comment "Drop VXLAN encapped packets originating in workloads" -m multiport --dports 4789 -j DROP
-A cali-fw-cali583c2cee4e2 -p ipv4 -m comment --comment "cali:_EpWyX-lJtggvbaU" -m comment --comment "Drop IPinIP encapped packets originating in workloads" -j DROP
-A cali-fw-cali583c2cee4e2 -m comment --comment "cali:KFwo49mx24nNC1JU" -j cali-pro-kns.default
-A cali-fw-cali583c2cee4e2 -m comment --comment "cali:IhZOVdwPyM7uO0_g" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali583c2cee4e2 -m comment --comment "cali:6Oi-QjykqywwxdBT" -j cali-pro-ksa.default.default
-A cali-fw-cali583c2cee4e2 -m comment --comment "cali:g9_1MHxLnvNv0Gjy" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-cali583c2cee4e2 -m comment --comment "cali:o_g3B7Ml8JnBI4eq" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-pri-kns.default -m comment --comment "cali:7Fnh7Pv3_98FtLW7" -j MARK --set-xmark 0x10000/0x10000
-A cali-pri-kns.default -m comment --comment "cali:ZbV6bJXWSRefjK0u" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-pro-kns.default -m comment --comment "cali:oLzzje5WExbgfib5" -j MARK --set-xmark 0x10000/0x10000
-A cali-pro-kns.default -m comment --comment "cali:4goskqvxh5xcGw3s" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-to-wl-dispatch -o cali583c2cee4e2 -m comment --comment "cali:bbfs0W6gq_A4djM4" -g cali-tw-cali583c2cee4e2
-A cali-to-wl-dispatch -m comment --comment "cali:j-WWWPL5EbthlV1v" -m comment --comment "Unknown interface" -j DROP
-A cali-tw-cali583c2cee4e2 -m comment --comment "cali:aQC4ybpnPfkP-s87" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali583c2cee4e2 -m comment --comment "cali:0R2jBd3WaAMHToJy" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali583c2cee4e2 -m comment --comment "cali:iZyxT1kUymbHjTnm" -j MARK --set-xmark 0x0/0x10000
-A cali-tw-cali583c2cee4e2 -m comment --comment "cali:6P8Jptlt-vo792Se" -j cali-pri-kns.default
-A cali-tw-cali583c2cee4e2 -m comment --comment "cali:_icGm-ZKYxVURNsv" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali583c2cee4e2 -m comment --comment "cali:RA5j2ff0fGMkh9Og" -j cali-pri-ksa.default.default
-A cali-tw-cali583c2cee4e2 -m comment --comment "cali:b8ckUcNBAEX6qLuU" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-cali583c2cee4e2 -m comment --comment "cali:iVXSe24A8yUNlPnV" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-wl-to-host -m comment --comment "cali:Ee9Sbo10IpVujdIY" -j cali-from-wl-dispatch
-A cali-wl-to-host -m comment --comment "cali:nSZbcOoG1xPONxb8" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT
COMMIT
# Completed on Mon Nov  9 17:05:37 2020
# Generated by iptables-save v1.4.21 on Mon Nov  9 17:05:37 2020
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [216:13064]
:POSTROUTING ACCEPT [216:13064]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SEP-5G7TVIGO2RMIKKTY - [0:0]
:KUBE-SEP-KNF4SHE3YOGR5YAN - [0:0]
:KUBE-SEP-MFHCJYPBXWFXMLFL - [0:0]
:KUBE-SEP-NGWCFP2WQ6ZZCOWV - [0:0]
:KUBE-SEP-NTPQ6CEYN4LVUKMG - [0:0]
:KUBE-SEP-SE4IOH7EDXXMLYG2 - [0:0]
:KUBE-SEP-YX2CVEAXQDGPKPRP - [0:0]
:KUBE-SEP-YYG3HJMSEVMBQTZ3 - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-DR2DYVPMBY3GPZ5L - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:cali-OUTPUT - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-fip-dnat - [0:0]
:cali-fip-snat - [0:0]
:cali-nat-outgoing - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx:8080-80" -m tcp --dport 32220 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx:8080-80" -m tcp --dport 32220 -j KUBE-SVC-DR2DYVPMBY3GPZ5L
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
-A KUBE-SEP-5G7TVIGO2RMIKKTY -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-5G7TVIGO2RMIKKTY -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 192.168.179.130:53
-A KUBE-SEP-KNF4SHE3YOGR5YAN -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-KNF4SHE3YOGR5YAN -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 192.168.179.131:9153
-A KUBE-SEP-MFHCJYPBXWFXMLFL -s 192.168.231.70/32 -m comment --comment "default/nginx:8080-80" -j KUBE-MARK-MASQ
-A KUBE-SEP-MFHCJYPBXWFXMLFL -p tcp -m comment --comment "default/nginx:8080-80" -m tcp -j DNAT --to-destination 192.168.231.70:80
-A KUBE-SEP-NGWCFP2WQ6ZZCOWV -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-NGWCFP2WQ6ZZCOWV -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 192.168.179.131:53
-A KUBE-SEP-NTPQ6CEYN4LVUKMG -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-NTPQ6CEYN4LVUKMG -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 192.168.179.130:53
-A KUBE-SEP-SE4IOH7EDXXMLYG2 -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-SE4IOH7EDXXMLYG2 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 192.168.179.131:53
-A KUBE-SEP-YX2CVEAXQDGPKPRP -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-YX2CVEAXQDGPKPRP -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 192.168.179.130:9153
-A KUBE-SEP-YYG3HJMSEVMBQTZ3 -s 10.0.0.54/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-YYG3HJMSEVMBQTZ3 -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 10.0.0.54:6443
-A KUBE-SERVICES -d 10.101.14.7/32 -p tcp -m comment --comment "default/nginx:8080-80 cluster IP" -m tcp --dport 8080 -j KUBE-SVC-DR2DYVPMBY3GPZ5L
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-DR2DYVPMBY3GPZ5L -m comment --comment "default/nginx:8080-80" -j KUBE-SEP-MFHCJYPBXWFXMLFL
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5G7TVIGO2RMIKKTY
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-NGWCFP2WQ6ZZCOWV
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-YX2CVEAXQDGPKPRP
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-SEP-KNF4SHE3YOGR5YAN
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-YYG3HJMSEVMBQTZ3
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-NTPQ6CEYN4LVUKMG
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-SE4IOH7EDXXMLYG2
-A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
-A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
-A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
-A cali-POSTROUTING -o tunl0 -m comment --comment "cali:JHlpT-eSqR1TvyYm" -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE
-A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
-A cali-nat-outgoing -m comment --comment "cali:Dw4T8UWPnCLxRJiI" -m set --match-set cali40masq-ipam-pools src -m set ! --match-set cali40all-ipam-pools dst -j MASQUERADE
COMMIT
# Completed on Mon Nov  9 17:05:37 2020

Firewall information for work node 2

# Generated by iptables-save v1.4.21 on Mon Nov  9 17:11:32 2020
*raw
:PREROUTING ACCEPT [1328058:536062069]
:OUTPUT ACCEPT [1193930:106347465]
:cali-OUTPUT - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-to-host-endpoint - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A cali-OUTPUT -m comment --comment "cali:njdnLwYeGqBJyMxW" -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment "cali:rz86uTUcEZAfFsh7" -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:pN0F5zD0b8yf9W1Z" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:XFX5xbM8B9qR10JG" -j MARK --set-xmark 0x0/0xf0000
-A cali-PREROUTING -i cali+ -m comment --comment "cali:EWMPb0zVROM-woQp" -j MARK --set-xmark 0x40000/0x40000
-A cali-PREROUTING -m comment --comment "cali:V6ooGP15glg7wm91" -m mark --mark 0x40000/0x40000 -m rpfilter --invert -j DROP
-A cali-PREROUTING -m comment --comment "cali:RMTzKqp0j735XfY4" -m mark --mark 0x0/0x40000 -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment "cali:T8-Zfumo2dKygI73" -m mark --mark 0x10000/0x10000 -j ACCEPT
COMMIT
# Completed on Mon Nov  9 17:11:32 2020
# Generated by iptables-save v1.4.21 on Mon Nov  9 17:11:32 2020
*mangle
:PREROUTING ACCEPT [68561:4115619]
:INPUT ACCEPT [1290551:505410056]
:FORWARD ACCEPT [37507:30652013]
:OUTPUT ACCEPT [1193930:106347465]
:POSTROUTING ACCEPT [1231436:136999426]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A cali-PREROUTING -m comment --comment "cali:6BJqBjBC7crtA-7-" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:KX7AGNd6rMcDUai6" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:wNH7KsA3ILKJBsY9" -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment "cali:Cg96MgVuoPm7UMRo" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
COMMIT
# Completed on Mon Nov  9 17:11:32 2020
# Generated by iptables-save v1.4.21 on Mon Nov  9 17:11:32 2020
*filter
:INPUT ACCEPT [3167:974288]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3019:276107]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SERVICES - [0:0]
:cali-FORWARD - [0:0]
:cali-INPUT - [0:0]
:cali-OUTPUT - [0:0]
:cali-from-hep-forward - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-from-wl-dispatch - [0:0]
:cali-to-hep-forward - [0:0]
:cali-to-host-endpoint - [0:0]
:cali-to-wl-dispatch - [0:0]
:cali-wl-to-host - [0:0]
-A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A FORWARD -m comment --comment "cali:S93hcgKJrXEqnTfs" -m comment --comment "Policy explicitly accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-FORWARD -m comment --comment "cali:vjrMJCRpqwy5oRoX" -j MARK --set-xmark 0x0/0xe0000
-A cali-FORWARD -m comment --comment "cali:A_sPAO0mcxbT9mOV" -m mark --mark 0x0/0x10000 -j cali-from-hep-forward
-A cali-FORWARD -i cali+ -m comment --comment "cali:8ZoYfO5HKXWbB3pk" -j cali-from-wl-dispatch
-A cali-FORWARD -o cali+ -m comment --comment "cali:jdEuaPBe14V2hutn" -j cali-to-wl-dispatch
-A cali-FORWARD -m comment --comment "cali:12bc6HljsMKsmfr-" -j cali-to-hep-forward
-A cali-INPUT -p ipv4 -m comment --comment "cali:PajejrV4aFdkZojI" -m comment --comment "Allow IPIP packets from Calico hosts" -m set --match-set cali40all-hosts-net src -m addrtype --dst-type LOCAL -j ACCEPT
-A cali-INPUT -p ipv4 -m comment --comment "cali:_wjq-Yrma8Ly1Svo" -m comment --comment "Drop IPIP packets from non-Calico hosts" -j DROP
-A cali-INPUT -i cali+ -m comment --comment "cali:8TZGxLWh_Eiz66wc" -g cali-wl-to-host
-A cali-INPUT -m comment --comment "cali:6McIeIDvPdL6PE1T" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-INPUT -m comment --comment "cali:YGPbrUms7NId8xVa" -j MARK --set-xmark 0x0/0xf0000
-A cali-INPUT -m comment --comment "cali:2gmY7Bg2i0i84Wk_" -j cali-from-host-endpoint
-A cali-INPUT -m comment --comment "cali:q-Vz2ZT9iGE331LL" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:Mq1_rAdXXH3YkrzW" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-OUTPUT -o cali+ -m comment --comment "cali:69FkRTJDvD5Vu6Vl" -j RETURN
-A cali-OUTPUT -p ipv4 -m comment --comment "cali:AnEsmO6bDZbQntWW" -m comment --comment "Allow IPIP packets to other Calico hosts" -m set --match-set cali40all-hosts-net dst -m addrtype --src-type LOCAL -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:9e9Uf3GU5tX--Lxy" -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment "cali:OB2pzPrvQn6PC89t" -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:tvSSMDBWrme3CUqM" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-from-wl-dispatch -m comment --comment "cali:zTj6P0TIgYvgz-md" -m comment --comment "Unknown interface" -j DROP
-A cali-to-wl-dispatch -m comment --comment "cali:7KNphB1nNHw80nIO" -m comment --comment "Unknown interface" -j DROP
-A cali-wl-to-host -m comment --comment "cali:Ee9Sbo10IpVujdIY" -j cali-from-wl-dispatch
-A cali-wl-to-host -m comment --comment "cali:nSZbcOoG1xPONxb8" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT
COMMIT
# Completed on Mon Nov  9 17:11:32 2020
# Generated by iptables-save v1.4.21 on Mon Nov  9 17:11:32 2020
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [183:10980]
:POSTROUTING ACCEPT [183:10980]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SEP-5G7TVIGO2RMIKKTY - [0:0]
:KUBE-SEP-KNF4SHE3YOGR5YAN - [0:0]
:KUBE-SEP-MFHCJYPBXWFXMLFL - [0:0]
:KUBE-SEP-NGWCFP2WQ6ZZCOWV - [0:0]
:KUBE-SEP-NTPQ6CEYN4LVUKMG - [0:0]
:KUBE-SEP-SE4IOH7EDXXMLYG2 - [0:0]
:KUBE-SEP-YX2CVEAXQDGPKPRP - [0:0]
:KUBE-SEP-YYG3HJMSEVMBQTZ3 - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-DR2DYVPMBY3GPZ5L - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:cali-OUTPUT - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-fip-dnat - [0:0]
:cali-fip-snat - [0:0]
:cali-nat-outgoing - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx:8080-80" -m tcp --dport 32220 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx:8080-80" -m tcp --dport 32220 -j KUBE-SVC-DR2DYVPMBY3GPZ5L
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
-A KUBE-SEP-5G7TVIGO2RMIKKTY -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-5G7TVIGO2RMIKKTY -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 192.168.179.130:53
-A KUBE-SEP-KNF4SHE3YOGR5YAN -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-KNF4SHE3YOGR5YAN -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 192.168.179.131:9153
-A KUBE-SEP-MFHCJYPBXWFXMLFL -s 192.168.231.70/32 -m comment --comment "default/nginx:8080-80" -j KUBE-MARK-MASQ
-A KUBE-SEP-MFHCJYPBXWFXMLFL -p tcp -m comment --comment "default/nginx:8080-80" -m tcp -j DNAT --to-destination 192.168.231.70:80
-A KUBE-SEP-NGWCFP2WQ6ZZCOWV -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-NGWCFP2WQ6ZZCOWV -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 192.168.179.131:53
-A KUBE-SEP-NTPQ6CEYN4LVUKMG -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-NTPQ6CEYN4LVUKMG -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 192.168.179.130:53
-A KUBE-SEP-SE4IOH7EDXXMLYG2 -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-SE4IOH7EDXXMLYG2 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 192.168.179.131:53
-A KUBE-SEP-YX2CVEAXQDGPKPRP -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-YX2CVEAXQDGPKPRP -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 192.168.179.130:9153
-A KUBE-SEP-YYG3HJMSEVMBQTZ3 -s 10.0.0.54/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-YYG3HJMSEVMBQTZ3 -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 10.0.0.54:6443
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.101.14.7/32 -p tcp -m comment --comment "default/nginx:8080-80 cluster IP" -m tcp --dport 8080 -j KUBE-SVC-DR2DYVPMBY3GPZ5L
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-DR2DYVPMBY3GPZ5L -m comment --comment "default/nginx:8080-80" -j KUBE-SEP-MFHCJYPBXWFXMLFL
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5G7TVIGO2RMIKKTY
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-NGWCFP2WQ6ZZCOWV
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-YX2CVEAXQDGPKPRP
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-SEP-KNF4SHE3YOGR5YAN
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-YYG3HJMSEVMBQTZ3
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-NTPQ6CEYN4LVUKMG
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-SE4IOH7EDXXMLYG2
-A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
-A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
-A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
-A cali-POSTROUTING -o tunl0 -m comment --comment "cali:JHlpT-eSqR1TvyYm" -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE
-A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
-A cali-nat-outgoing -m comment --comment "cali:Dw4T8UWPnCLxRJiI" -m set --match-set cali40masq-ipam-pools src -m set ! --match-set cali40all-ipam-pools dst -j MASQUERADE
COMMIT
# Completed on Mon Nov  9 17:11:32 2020
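
To see what the nodeport change altered between the dumps above and the ones that follow, here is an added script (not part of the original post) that parses iptables-save output and reports the chains and rules present in only one of two dumps, ignoring the packet counters and timestamps that differ on every run. BEFORE and AFTER inside it are constructed nat-table excerpts modelled on the dumps on this page; the endpoint behind KUBE-SEP-PAOOOQUDSCRRYKFR is a placeholder address (192.0.2.10), since the page does not show it.

```python
"""Diff two iptables-save dumps chain by chain and rule by rule.

Added example, not code from the original post. The post compares a work
node's iptables-save output before and after the nodeport change; this script
does that comparison mechanically. BEFORE and AFTER are constructed nat-table
excerpts modelled on the dumps above; the endpoint address behind
KUBE-SEP-PAOOOQUDSCRRYKFR (192.0.2.10) is a placeholder, not a page value.
"""
import re

# "# Generated by ..." and "# Completed on ..." lines only carry timestamps.
HEADER_RE = re.compile(r"^# (Generated by|Completed on) ")

BEFORE = """\
# Generated by iptables-save v1.4.21 on Mon Nov  9 17:05:37 2020
*nat
:PREROUTING ACCEPT [1:60]
:KUBE-MARK-MASQ - [0:0]
:KUBE-SEP-MFHCJYPBXWFXMLFL - [0:0]
:KUBE-SVC-DR2DYVPMBY3GPZ5L - [0:0]
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-SEP-MFHCJYPBXWFXMLFL -s 192.168.231.70/32 -m comment --comment "default/nginx:8080-80" -j KUBE-MARK-MASQ
-A KUBE-SEP-MFHCJYPBXWFXMLFL -p tcp -m comment --comment "default/nginx:8080-80" -m tcp -j DNAT --to-destination 192.168.231.70:80
-A KUBE-SVC-DR2DYVPMBY3GPZ5L -m comment --comment "default/nginx:8080-80" -j KUBE-SEP-MFHCJYPBXWFXMLFL
COMMIT
# Completed on Mon Nov  9 17:05:37 2020
"""

AFTER = """\
# Generated by iptables-save v1.4.21 on Tue Nov 10 22:36:02 2020
*nat
:PREROUTING ACCEPT [2:120]
:KUBE-MARK-MASQ - [0:0]
:KUBE-SEP-PAOOOQUDSCRRYKFR - [0:0]
:KUBE-SVC-DR2DYVPMBY3GPZ5L - [0:0]
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-SEP-PAOOOQUDSCRRYKFR -s 192.0.2.10/32 -m comment --comment "default/nginx:8080-80" -j KUBE-MARK-MASQ
-A KUBE-SEP-PAOOOQUDSCRRYKFR -p tcp -m comment --comment "default/nginx:8080-80" -m tcp -j DNAT --to-destination 192.0.2.10:80
-A KUBE-SVC-DR2DYVPMBY3GPZ5L -m comment --comment "default/nginx:8080-80" -j KUBE-SEP-PAOOOQUDSCRRYKFR
COMMIT
# Completed on Tue Nov 10 22:36:02 2020
"""

def parse_iptables_save(text):
    """Return {table: {"chains": {name: policy}, "rules": [...]}}; counters
    are dropped so dumps taken at different times compare equal when the
    rule set itself is unchanged."""
    tables = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or HEADER_RE.match(line):
            continue
        if line.startswith("*"):              # table header, e.g. *nat
            current = line[1:]
            tables[current] = {"chains": {}, "rules": []}
        elif line == "COMMIT":
            current = None
        elif current is None:
            raise ValueError("line outside a table: %r" % line)
        elif line.startswith(":"):            # :CHAIN POLICY [pkts:bytes]
            name, policy = line[1:].split()[:2]
            tables[current]["chains"][name] = policy
        elif line.startswith("-A "):
            tables[current]["rules"].append(line)
        else:
            raise ValueError("unrecognised line: %r" % line)
    return tables

EMPTY = {"chains": {}, "rules": []}

def diff_dumps(before_text, after_text):
    """Per table, the chains and rules present in only one of the dumps.
    Rules are compared as sets, so reordering alone is not reported (the
    KUBE-SERVICES entries above come out in a different order on each node);
    order does matter where rules overlap, so review those by hand."""
    before = parse_iptables_save(before_text)
    after = parse_iptables_save(after_text)
    report = {}
    for table in sorted(set(before) | set(after)):
        b, a = before.get(table, EMPTY), after.get(table, EMPTY)
        report[table] = {
            "chains_added": sorted(set(a["chains"]) - set(b["chains"])),
            "chains_removed": sorted(set(b["chains"]) - set(a["chains"])),
            "rules_added": sorted(set(a["rules"]) - set(b["rules"])),
            "rules_removed": sorted(set(b["rules"]) - set(a["rules"])),
        }
    return report

def changed_tables(report):
    """Tables with any change; an empty list means no rule drift."""
    return [t for t, d in report.items() if any(d.values())]

if __name__ == "__main__":
    result = diff_dumps(BEFORE, AFTER)
    for table in changed_tables(result):
        for key, items in result[table].items():
            for item in items:
                print("%s %s: %s" % (table, key, item))
```

Run it against two real `iptables-save` captures from the same node to get a quick audit of which kube-proxy and Calico chains a change touched.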

After making the change described in item 10 of "死磕k8s之calico-nodeport", the environment is as follows.

Routing information

Routes on work node 1

Routes on work node 2

Firewall information

Firewall on work node 1

# Generated by iptables-save v1.4.21 on Tue Nov 10 22:36:02 2020
*raw
:PREROUTING ACCEPT [1839056:668628161]
:OUTPUT ACCEPT [1801380:213884018]
:cali-OUTPUT - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-to-host-endpoint - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A cali-OUTPUT -m comment --comment "cali:njdnLwYeGqBJyMxW" -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment "cali:rz86uTUcEZAfFsh7" -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:pN0F5zD0b8yf9W1Z" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:XFX5xbM8B9qR10JG" -j MARK --set-xmark 0x0/0xf0000
-A cali-PREROUTING -i cali+ -m comment --comment "cali:EWMPb0zVROM-woQp" -j MARK --set-xmark 0x40000/0x40000
-A cali-PREROUTING -m comment --comment "cali:V6ooGP15glg7wm91" -m mark --mark 0x40000/0x40000 -m rpfilter --invert -j DROP
-A cali-PREROUTING -m comment --comment "cali:RMTzKqp0j735XfY4" -m mark --mark 0x0/0x40000 -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment "cali:T8-Zfumo2dKygI73" -m mark --mark 0x10000/0x10000 -j ACCEPT
COMMIT
# Completed on Tue Nov 10 22:36:02 2020
# Generated by iptables-save v1.4.21 on Tue Nov 10 22:36:02 2020
*mangle
:PREROUTING ACCEPT [90072:5405799]
:INPUT ACCEPT [1794796:632212312]
:FORWARD ACCEPT [44260:36415849]
:OUTPUT ACCEPT [1801380:213884018]
:POSTROUTING ACCEPT [1845640:250299867]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A cali-PREROUTING -m comment --comment "cali:6BJqBjBC7crtA-7-" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:KX7AGNd6rMcDUai6" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:wNH7KsA3ILKJBsY9" -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment "cali:Cg96MgVuoPm7UMRo" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
COMMIT
# Completed on Tue Nov 10 22:36:02 2020
# Generated by iptables-save v1.4.21 on Tue Nov 10 22:36:02 2020
*filter
:INPUT ACCEPT [4925:1406041]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4775:434656]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SERVICES - [0:0]
:cali-FORWARD - [0:0]
:cali-INPUT - [0:0]
:cali-OUTPUT - [0:0]
:cali-from-hep-forward - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-from-wl-dispatch - [0:0]
:cali-to-hep-forward - [0:0]
:cali-to-host-endpoint - [0:0]
:cali-to-wl-dispatch - [0:0]
:cali-wl-to-host - [0:0]
-A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A FORWARD -m comment --comment "cali:S93hcgKJrXEqnTfs" -m comment --comment "Policy explicitly accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-FORWARD -m comment --comment "cali:vjrMJCRpqwy5oRoX" -j MARK --set-xmark 0x0/0xe0000
-A cali-FORWARD -m comment --comment "cali:A_sPAO0mcxbT9mOV" -m mark --mark 0x0/0x10000 -j cali-from-hep-forward
-A cali-FORWARD -i cali+ -m comment --comment "cali:8ZoYfO5HKXWbB3pk" -j cali-from-wl-dispatch
-A cali-FORWARD -o cali+ -m comment --comment "cali:jdEuaPBe14V2hutn" -j cali-to-wl-dispatch
-A cali-FORWARD -m comment --comment "cali:12bc6HljsMKsmfr-" -j cali-to-hep-forward
-A cali-INPUT -p ipv4 -m comment --comment "cali:PajejrV4aFdkZojI" -m comment --comment "Allow IPIP packets from Calico hosts" -m set --match-set cali40all-hosts-net src -m addrtype --dst-type LOCAL -j ACCEPT
-A cali-INPUT -p ipv4 -m comment --comment "cali:_wjq-Yrma8Ly1Svo" -m comment --comment "Drop IPIP packets from non-Calico hosts" -j DROP
-A cali-INPUT -i cali+ -m comment --comment "cali:8TZGxLWh_Eiz66wc" -g cali-wl-to-host
-A cali-INPUT -m comment --comment "cali:6McIeIDvPdL6PE1T" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-INPUT -m comment --comment "cali:YGPbrUms7NId8xVa" -j MARK --set-xmark 0x0/0xf0000
-A cali-INPUT -m comment --comment "cali:2gmY7Bg2i0i84Wk_" -j cali-from-host-endpoint
-A cali-INPUT -m comment --comment "cali:q-Vz2ZT9iGE331LL" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:Mq1_rAdXXH3YkrzW" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-OUTPUT -o cali+ -m comment --comment "cali:69FkRTJDvD5Vu6Vl" -j RETURN
-A cali-OUTPUT -p ipv4 -m comment --comment "cali:AnEsmO6bDZbQntWW" -m comment --comment "Allow IPIP packets to other Calico hosts" -m set --match-set cali40all-hosts-net dst -m addrtype --src-type LOCAL -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:9e9Uf3GU5tX--Lxy" -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment "cali:OB2pzPrvQn6PC89t" -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:tvSSMDBWrme3CUqM" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-from-wl-dispatch -m comment --comment "cali:zTj6P0TIgYvgz-md" -m comment --comment "Unknown interface" -j DROP
-A cali-to-wl-dispatch -m comment --comment "cali:7KNphB1nNHw80nIO" -m comment --comment "Unknown interface" -j DROP
-A cali-wl-to-host -m comment --comment "cali:Ee9Sbo10IpVujdIY" -j cali-from-wl-dispatch
-A cali-wl-to-host -m comment --comment "cali:nSZbcOoG1xPONxb8" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT
COMMIT
# Completed on Tue Nov 10 22:36:02 2020
# Generated by iptables-save v1.4.21 on Tue Nov 10 22:36:02 2020
*nat
:PREROUTING ACCEPT [2:120]
:INPUT ACCEPT [2:120]
:OUTPUT ACCEPT [514:31080]
:POSTROUTING ACCEPT [516:31200]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SEP-5G7TVIGO2RMIKKTY - [0:0]
:KUBE-SEP-KNF4SHE3YOGR5YAN - [0:0]
:KUBE-SEP-NGWCFP2WQ6ZZCOWV - [0:0]
:KUBE-SEP-NTPQ6CEYN4LVUKMG - [0:0]
:KUBE-SEP-PAOOOQUDSCRRYKFR - [0:0]
:KUBE-SEP-SE4IOH7EDXXMLYG2 - [0:0]
:KUBE-SEP-YX2CVEAXQDGPKPRP - [0:0]
:KUBE-SEP-YYG3HJMSEVMBQTZ3 - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-DR2DYVPMBY3GPZ5L - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:cali-OUTPUT - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-fip-dnat - [0:0]
:cali-fip-snat - [0:0]
:cali-nat-outgoing - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx:8080-80" -m tcp --dport 32220 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx:8080-80" -m tcp --dport 32220 -j KUBE-SVC-DR2DYVPMBY3GPZ5L
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
-A KUBE-SEP-5G7TVIGO2RMIKKTY -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-5G7TVIGO2RMIKKTY -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 192.168.179.130:53
-A KUBE-SEP-KNF4SHE3YOGR5YAN -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-KNF4SHE3YOGR5YAN -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 192.168.179.131:9153
-A KUBE-SEP-NGWCFP2WQ6ZZCOWV -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-NGWCFP2WQ6ZZCOWV -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 192.168.179.131:53
-A KUBE-SEP-NTPQ6CEYN4LVUKMG -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-NTPQ6CEYN4LVUKMG -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 192.168.179.130:53
-A KUBE-SEP-PAOOOQUDSCRRYKFR -s 192.168.233.136/32 -m comment --comment "default/nginx:8080-80" -j KUBE-MARK-MASQ
-A KUBE-SEP-PAOOOQUDSCRRYKFR -p tcp -m comment --comment "default/nginx:8080-80" -m tcp -j DNAT --to-destination 192.168.233.136:80
-A KUBE-SEP-SE4IOH7EDXXMLYG2 -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-SE4IOH7EDXXMLYG2 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 192.168.179.131:53
-A KUBE-SEP-YX2CVEAXQDGPKPRP -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-YX2CVEAXQDGPKPRP -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 192.168.179.130:9153
-A KUBE-SEP-YYG3HJMSEVMBQTZ3 -s 10.0.0.54/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-YYG3HJMSEVMBQTZ3 -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 10.0.0.54:6443
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES -d 10.101.14.7/32 -p tcp -m comment --comment "default/nginx:8080-80 cluster IP" -m tcp --dport 8080 -j KUBE-SVC-DR2DYVPMBY3GPZ5L
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-DR2DYVPMBY3GPZ5L -m comment --comment "default/nginx:8080-80" -j KUBE-SEP-PAOOOQUDSCRRYKFR
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5G7TVIGO2RMIKKTY
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-NGWCFP2WQ6ZZCOWV
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-YX2CVEAXQDGPKPRP
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-SEP-KNF4SHE3YOGR5YAN
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-YYG3HJMSEVMBQTZ3
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-NTPQ6CEYN4LVUKMG
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-SE4IOH7EDXXMLYG2
-A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
-A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
-A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
-A cali-POSTROUTING -o tunl0 -m comment --comment "cali:JHlpT-eSqR1TvyYm" -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE
-A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
-A cali-nat-outgoing -m comment --comment "cali:Dw4T8UWPnCLxRJiI" -m set --match-set cali40masq-ipam-pools src -m set ! --match-set cali40all-ipam-pools dst -j MASQUERADE
COMMIT
# Completed on Tue Nov 10 22:36:02 2020

Firewall rules on worker node 2

# Generated by iptables-save v1.4.21 on Tue Nov 10 22:35:30 2020
*raw
:PREROUTING ACCEPT [1693587:648705922]
:OUTPUT ACCEPT [1538628:137629267]
:cali-OUTPUT - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-to-host-endpoint - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A cali-OUTPUT -m comment --comment "cali:njdnLwYeGqBJyMxW" -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment "cali:rz86uTUcEZAfFsh7" -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:pN0F5zD0b8yf9W1Z" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:XFX5xbM8B9qR10JG" -j MARK --set-xmark 0x0/0xf0000
-A cali-PREROUTING -i cali+ -m comment --comment "cali:EWMPb0zVROM-woQp" -j MARK --set-xmark 0x40000/0x40000
-A cali-PREROUTING -m comment --comment "cali:V6ooGP15glg7wm91" -m mark --mark 0x40000/0x40000 -m rpfilter --invert -j DROP
-A cali-PREROUTING -m comment --comment "cali:RMTzKqp0j735XfY4" -m mark --mark 0x0/0x40000 -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment "cali:T8-Zfumo2dKygI73" -m mark --mark 0x10000/0x10000 -j ACCEPT
COMMIT
# Completed on Tue Nov 10 22:35:30 2020
# Generated by iptables-save v1.4.21 on Tue Nov 10 22:35:30 2020
*mangle
:PREROUTING ACCEPT [89732:5385879]
:INPUT ACCEPT [1656080:618053909]
:FORWARD ACCEPT [37507:30652013]
:OUTPUT ACCEPT [1538628:137629267]
:POSTROUTING ACCEPT [1576134:168281228]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:cali-PREROUTING - [0:0]
:cali-from-host-endpoint - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A cali-PREROUTING -m comment --comment "cali:6BJqBjBC7crtA-7-" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:KX7AGNd6rMcDUai6" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-PREROUTING -m comment --comment "cali:wNH7KsA3ILKJBsY9" -j cali-from-host-endpoint
-A cali-PREROUTING -m comment --comment "cali:Cg96MgVuoPm7UMRo" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
COMMIT
# Completed on Tue Nov 10 22:35:30 2020
# Generated by iptables-save v1.4.21 on Tue Nov 10 22:35:30 2020
*filter
:INPUT ACCEPT [4671:1452670]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4403:402207]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SERVICES - [0:0]
:cali-FORWARD - [0:0]
:cali-INPUT - [0:0]
:cali-OUTPUT - [0:0]
:cali-from-hep-forward - [0:0]
:cali-from-host-endpoint - [0:0]
:cali-from-wl-dispatch - [0:0]
:cali-fw-calib992f6c0b80 - [0:0]
:cali-pri-kns.default - [0:0]
:cali-pri-ksa.default.default - [0:0]
:cali-pro-kns.default - [0:0]
:cali-pro-ksa.default.default - [0:0]
:cali-to-hep-forward - [0:0]
:cali-to-host-endpoint - [0:0]
:cali-to-wl-dispatch - [0:0]
:cali-tw-calib992f6c0b80 - [0:0]
:cali-wl-to-host - [0:0]
-A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A FORWARD -m comment --comment "cali:S93hcgKJrXEqnTfs" -m comment --comment "Policy explicitly accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-FORWARD -m comment --comment "cali:vjrMJCRpqwy5oRoX" -j MARK --set-xmark 0x0/0xe0000
-A cali-FORWARD -m comment --comment "cali:A_sPAO0mcxbT9mOV" -m mark --mark 0x0/0x10000 -j cali-from-hep-forward
-A cali-FORWARD -i cali+ -m comment --comment "cali:8ZoYfO5HKXWbB3pk" -j cali-from-wl-dispatch
-A cali-FORWARD -o cali+ -m comment --comment "cali:jdEuaPBe14V2hutn" -j cali-to-wl-dispatch
-A cali-FORWARD -m comment --comment "cali:12bc6HljsMKsmfr-" -j cali-to-hep-forward
-A cali-INPUT -p ipv4 -m comment --comment "cali:PajejrV4aFdkZojI" -m comment --comment "Allow IPIP packets from Calico hosts" -m set --match-set cali40all-hosts-net src -m addrtype --dst-type LOCAL -j ACCEPT
-A cali-INPUT -p ipv4 -m comment --comment "cali:_wjq-Yrma8Ly1Svo" -m comment --comment "Drop IPIP packets from non-Calico hosts" -j DROP
-A cali-INPUT -i cali+ -m comment --comment "cali:8TZGxLWh_Eiz66wc" -g cali-wl-to-host
-A cali-INPUT -m comment --comment "cali:6McIeIDvPdL6PE1T" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-INPUT -m comment --comment "cali:YGPbrUms7NId8xVa" -j MARK --set-xmark 0x0/0xf0000
-A cali-INPUT -m comment --comment "cali:2gmY7Bg2i0i84Wk_" -j cali-from-host-endpoint
-A cali-INPUT -m comment --comment "cali:q-Vz2ZT9iGE331LL" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:Mq1_rAdXXH3YkrzW" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-OUTPUT -o cali+ -m comment --comment "cali:69FkRTJDvD5Vu6Vl" -j RETURN
-A cali-OUTPUT -p ipv4 -m comment --comment "cali:AnEsmO6bDZbQntWW" -m comment --comment "Allow IPIP packets to other Calico hosts" -m set --match-set cali40all-hosts-net dst -m addrtype --src-type LOCAL -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:9e9Uf3GU5tX--Lxy" -j MARK --set-xmark 0x0/0xf0000
-A cali-OUTPUT -m comment --comment "cali:OB2pzPrvQn6PC89t" -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:tvSSMDBWrme3CUqM" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-from-wl-dispatch -i calib992f6c0b80 -m comment --comment "cali:nyWizKIhxhEKu_R9" -g cali-fw-calib992f6c0b80
-A cali-from-wl-dispatch -m comment --comment "cali:c7ADAC8U_JQvF3sg" -m comment --comment "Unknown interface" -j DROP
-A cali-fw-calib992f6c0b80 -m comment --comment "cali:MVutDVHpt6xiuOIr" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-calib992f6c0b80 -m comment --comment "cali:j6RaiDhmwi0w3NiP" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-calib992f6c0b80 -m comment --comment "cali:3O7iwdBsp_RV4tN0" -j MARK --set-xmark 0x0/0x10000
-A cali-fw-calib992f6c0b80 -p udp -m comment --comment "cali:y-scn8EfMAhMbN8Z" -m comment --comment "Drop VXLAN encapped packets originating in workloads" -m multiport --dports 4789 -j DROP
-A cali-fw-calib992f6c0b80 -p ipv4 -m comment --comment "cali:_jcNw1_3611CP1Or" -m comment --comment "Drop IPinIP encapped packets originating in workloads" -j DROP
-A cali-fw-calib992f6c0b80 -m comment --comment "cali:LNt1Ao7IbDMa6Fzs" -j cali-pro-kns.default
-A cali-fw-calib992f6c0b80 -m comment --comment "cali:sN3P0tpXSqHiWKmC" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-calib992f6c0b80 -m comment --comment "cali:IpSvWXe2qvlG1eWa" -j cali-pro-ksa.default.default
-A cali-fw-calib992f6c0b80 -m comment --comment "cali:2kD7XKSnLdxcbXJ1" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-fw-calib992f6c0b80 -m comment --comment "cali:FmXJtByZylCXEMjR" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-pri-kns.default -m comment --comment "cali:7Fnh7Pv3_98FtLW7" -j MARK --set-xmark 0x10000/0x10000
-A cali-pri-kns.default -m comment --comment "cali:ZbV6bJXWSRefjK0u" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-pro-kns.default -m comment --comment "cali:oLzzje5WExbgfib5" -j MARK --set-xmark 0x10000/0x10000
-A cali-pro-kns.default -m comment --comment "cali:4goskqvxh5xcGw3s" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-to-wl-dispatch -o calib992f6c0b80 -m comment --comment "cali:yHvjwN_od6OF3IWk" -g cali-tw-calib992f6c0b80
-A cali-to-wl-dispatch -m comment --comment "cali:gv8yH4_F0qJIExRc" -m comment --comment "Unknown interface" -j DROP
-A cali-tw-calib992f6c0b80 -m comment --comment "cali:8P0MBHP_3JC153G4" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-calib992f6c0b80 -m comment --comment "cali:OffAxe1Ky2m4c4rp" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-calib992f6c0b80 -m comment --comment "cali:-QIjm2vqfHyMupvP" -j MARK --set-xmark 0x0/0x10000
-A cali-tw-calib992f6c0b80 -m comment --comment "cali:DVQrdQz1yUa4YKJf" -j cali-pri-kns.default
-A cali-tw-calib992f6c0b80 -m comment --comment "cali:_fi4DoNTmDbS74Bx" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-calib992f6c0b80 -m comment --comment "cali:SUccwyUm5VQDNwwh" -j cali-pri-ksa.default.default
-A cali-tw-calib992f6c0b80 -m comment --comment "cali:YMZVIFdGm4JIivkD" -m comment --comment "Return if profile accepted" -m mark --mark 0x10000/0x10000 -j RETURN
-A cali-tw-calib992f6c0b80 -m comment --comment "cali:5Fzy20d8PObRkUiF" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-wl-to-host -m comment --comment "cali:Ee9Sbo10IpVujdIY" -j cali-from-wl-dispatch
-A cali-wl-to-host -m comment --comment "cali:nSZbcOoG1xPONxb8" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT
COMMIT
# Completed on Tue Nov 10 22:35:30 2020
# Generated by iptables-save v1.4.21 on Tue Nov 10 22:35:30 2020
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [266:15960]
:POSTROUTING ACCEPT [266:15960]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SEP-5G7TVIGO2RMIKKTY - [0:0]
:KUBE-SEP-KNF4SHE3YOGR5YAN - [0:0]
:KUBE-SEP-NGWCFP2WQ6ZZCOWV - [0:0]
:KUBE-SEP-NTPQ6CEYN4LVUKMG - [0:0]
:KUBE-SEP-PAOOOQUDSCRRYKFR - [0:0]
:KUBE-SEP-SE4IOH7EDXXMLYG2 - [0:0]
:KUBE-SEP-YX2CVEAXQDGPKPRP - [0:0]
:KUBE-SEP-YYG3HJMSEVMBQTZ3 - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-DR2DYVPMBY3GPZ5L - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:cali-OUTPUT - [0:0]
:cali-POSTROUTING - [0:0]
:cali-PREROUTING - [0:0]
:cali-fip-dnat - [0:0]
:cali-fip-snat - [0:0]
:cali-nat-outgoing - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "cali:O3lYWMrLQYEMJtB5" -j cali-POSTROUTING
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx:8080-80" -m tcp --dport 32220 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx:8080-80" -m tcp --dport 32220 -j KUBE-SVC-DR2DYVPMBY3GPZ5L
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
-A KUBE-SEP-5G7TVIGO2RMIKKTY -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-5G7TVIGO2RMIKKTY -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 192.168.179.130:53
-A KUBE-SEP-KNF4SHE3YOGR5YAN -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-KNF4SHE3YOGR5YAN -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 192.168.179.131:9153
-A KUBE-SEP-NGWCFP2WQ6ZZCOWV -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-NGWCFP2WQ6ZZCOWV -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 192.168.179.131:53
-A KUBE-SEP-NTPQ6CEYN4LVUKMG -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-NTPQ6CEYN4LVUKMG -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 192.168.179.130:53
-A KUBE-SEP-PAOOOQUDSCRRYKFR -s 192.168.233.136/32 -m comment --comment "default/nginx:8080-80" -j KUBE-MARK-MASQ
-A KUBE-SEP-PAOOOQUDSCRRYKFR -p tcp -m comment --comment "default/nginx:8080-80" -m tcp -j DNAT --to-destination 192.168.233.136:80
-A KUBE-SEP-SE4IOH7EDXXMLYG2 -s 192.168.179.131/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-SE4IOH7EDXXMLYG2 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 192.168.179.131:53
-A KUBE-SEP-YX2CVEAXQDGPKPRP -s 192.168.179.130/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-YX2CVEAXQDGPKPRP -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 192.168.179.130:9153
-A KUBE-SEP-YYG3HJMSEVMBQTZ3 -s 10.0.0.54/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-YYG3HJMSEVMBQTZ3 -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 10.0.0.54:6443
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.101.14.7/32 -p tcp -m comment --comment "default/nginx:8080-80 cluster IP" -m tcp --dport 8080 -j KUBE-SVC-DR2DYVPMBY3GPZ5L
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-DR2DYVPMBY3GPZ5L -m comment --comment "default/nginx:8080-80" -j KUBE-SEP-PAOOOQUDSCRRYKFR
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5G7TVIGO2RMIKKTY
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-NGWCFP2WQ6ZZCOWV
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-YX2CVEAXQDGPKPRP
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-SEP-KNF4SHE3YOGR5YAN
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-YYG3HJMSEVMBQTZ3
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-NTPQ6CEYN4LVUKMG
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-SE4IOH7EDXXMLYG2
-A cali-OUTPUT -m comment --comment "cali:GBTAv2p5CwevEyJm" -j cali-fip-dnat
-A cali-POSTROUTING -m comment --comment "cali:Z-c7XtVd2Bq7s_hA" -j cali-fip-snat
-A cali-POSTROUTING -m comment --comment "cali:nYKhEzDlr11Jccal" -j cali-nat-outgoing
-A cali-POSTROUTING -o tunl0 -m comment --comment "cali:JHlpT-eSqR1TvyYm" -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE
-A cali-PREROUTING -m comment --comment "cali:r6XmIziWUJsdOK6Z" -j cali-fip-dnat
-A cali-nat-outgoing -m comment --comment "cali:Dw4T8UWPnCLxRJiI" -m set --match-set cali40masq-ipam-pools src -m set ! --match-set cali40all-ipam-pools dst -j MASQUERADE
COMMIT
# Completed on Tue Nov 10 22:35:30 2020
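Reading two dumps of this size by hand is error-prone, so here is an added example (my own code, not from the original post or from the Calico project) that parses the iptables-save format shown above and checks for the hardening rules a reviewer would expect on every Calico worker node: the `Unknown interface` DROP at the end of `cali-from-wl-dispatch`, the drop of IPIP packets from hosts outside `cali40all-hosts-net`, the drop of IPIP/VXLAN packets that originate inside workloads, the `rpfilter --invert` drop in raw `cali-PREROUTING`, and the `KUBE-FIREWALL` localnet guard. The `SAMPLE` string is a constructed, trimmed subset of the worker-node dump above; the function names (`parse_iptables_save`, `reachable_chains`, `rules_commented`, `audit`) are my own and not part of any tool.

```python
"""Parse iptables-save output and audit the Calico rules a worker node should carry."""
import re

# Constructed sample: a trimmed subset of the worker-node dump shown above,
# keeping only the chains the checks below look at.
SAMPLE = """\
*raw
:PREROUTING ACCEPT [0:0]
:cali-PREROUTING - [0:0]
-A PREROUTING -m comment --comment "cali:6gwbT8clXdHdC1b1" -j cali-PREROUTING
-A cali-PREROUTING -i cali+ -m comment --comment "cali:EWMPb0zVROM-woQp" -j MARK --set-xmark 0x40000/0x40000
-A cali-PREROUTING -m comment --comment "cali:V6ooGP15glg7wm91" -m mark --mark 0x40000/0x40000 -m rpfilter --invert -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:KUBE-FIREWALL - [0:0]
:cali-INPUT - [0:0]
:cali-from-wl-dispatch - [0:0]
:cali-fw-calib992f6c0b80 - [0:0]
:cali-wl-to-host - [0:0]
-A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
-A INPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A cali-INPUT -p ipv4 -m comment --comment "cali:PajejrV4aFdkZojI" -m comment --comment "Allow IPIP packets from Calico hosts" -m set --match-set cali40all-hosts-net src -m addrtype --dst-type LOCAL -j ACCEPT
-A cali-INPUT -p ipv4 -m comment --comment "cali:_wjq-Yrma8Ly1Svo" -m comment --comment "Drop IPIP packets from non-Calico hosts" -j DROP
-A cali-INPUT -i cali+ -m comment --comment "cali:8TZGxLWh_Eiz66wc" -g cali-wl-to-host
-A cali-from-wl-dispatch -i calib992f6c0b80 -m comment --comment "cali:nyWizKIhxhEKu_R9" -g cali-fw-calib992f6c0b80
-A cali-from-wl-dispatch -m comment --comment "cali:c7ADAC8U_JQvF3sg" -m comment --comment "Unknown interface" -j DROP
-A cali-fw-calib992f6c0b80 -p udp -m comment --comment "cali:y-scn8EfMAhMbN8Z" -m comment --comment "Drop VXLAN encapped packets originating in workloads" -m multiport --dports 4789 -j DROP
-A cali-fw-calib992f6c0b80 -p ipv4 -m comment --comment "cali:_jcNw1_3611CP1Or" -m comment --comment "Drop IPinIP encapped packets originating in workloads" -j DROP
-A cali-fw-calib992f6c0b80 -m comment --comment "cali:FmXJtByZylCXEMjR" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-wl-to-host -m comment --comment "cali:Ee9Sbo10IpVujdIY" -j cali-from-wl-dispatch
COMMIT
"""

COMMENT_RE = re.compile(r'-m comment --comment "([^"]*)"')
TARGET_RE = re.compile(r'(?:^| )-[jg] (\S+)')   # -j / -g target of a rule


def parse_iptables_save(text):
    """Return {table: {chain: [rule, ...]}}; a rule is a dict with 'raw',
    'target' (the -j/-g argument) and 'comments' (free-text comment strings)."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or line == 'COMMIT':
            continue
        if line.startswith('*'):                       # table header, e.g. *filter
            table = line[1:]
            tables[table] = {}
        elif line.startswith(':'):                     # chain declaration with policy/counters
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith('-A '):                   # rule appended to a chain
            chain, body = line[3:].split(' ', 1)
            target = TARGET_RE.search(COMMENT_RE.sub('', body))   # never match inside a comment
            tables[table].setdefault(chain, []).append({
                'raw': line,
                'target': target.group(1) if target else None,
                'comments': COMMENT_RE.findall(body)})
    return tables


def reachable_chains(tables, table, root):
    """User-defined chains a packet entering `root` can traverse via -j/-g."""
    chains, seen, todo = tables[table], set(), [root]
    while todo:
        for rule in chains.get(todo.pop(), []):
            if rule['target'] in chains and rule['target'] not in seen:
                seen.add(rule['target'])
                todo.append(rule['target'])
    return seen


def rules_commented(tables, table, needle):
    """(chain, target) of every rule in `table` whose comment text contains needle."""
    return [(chain, r['target']) for chain, rules in tables.get(table, {}).items()
            for r in rules if any(needle in c for c in r['comments'])]


def audit(tables):
    """True per check when the hardening rule a reviewer expects is present."""
    encap = rules_commented(tables, 'filter', 'encapped packets originating in workloads')
    dispatch = tables.get('filter', {}).get('cali-from-wl-dispatch', [])
    return {
        # a cali+ interface with no known workload must fall through to DROP
        'unknown_workload_iface_dropped': bool(dispatch) and dispatch[-1]['target'] == 'DROP',
        # IPIP from hosts outside the cali40all-hosts-net ipset is refused
        'ipip_from_non_calico_hosts_dropped': ('cali-INPUT', 'DROP') in
            rules_commented(tables, 'filter', 'Drop IPIP packets from non-Calico hosts'),
        # workloads cannot inject their own IPIP/VXLAN encapsulation into the fabric
        'workload_encap_dropped': bool(encap) and all(t == 'DROP' for _, t in encap),
        # reverse-path filter drops source-spoofed packets arriving from workloads
        'workload_rpfilter_drop': any('rpfilter --invert' in r['raw'] and r['target'] == 'DROP'
                                      for r in tables.get('raw', {}).get('cali-PREROUTING', [])),
        # remote connections addressed to 127.0.0.0/8 are blocked in KUBE-FIREWALL
        'localnet_guard_present': ('KUBE-FIREWALL', 'DROP') in
            rules_commented(tables, 'filter', 'block incoming localnet connections'),
    }


if __name__ == '__main__':
    parsed = parse_iptables_save(SAMPLE)        # or: parse_iptables_save(open('dump.txt').read())
    for name, ok in audit(parsed).items():
        print('PASS' if ok else 'FAIL', name)
    print('filter chains reachable from INPUT:', sorted(reachable_chains(parsed, 'filter', 'INPUT')))
```

To run it against a real node, feed the output of `iptables-save` on that node in place of `SAMPLE`; `reachable_chains` is also handy for confirming the chain graph (`INPUT` to `cali-INPUT` to `cali-wl-to-host` to `cali-from-wl-dispatch` to the per-interface `cali-fw-*` chain) that the dump above describes, and a `FAIL` on any check is a sign that Felix has not programmed the node or that something else has edited the rules.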

Appendix

Execution order of firewall and routing
