k8s的iptables转发规则原理图

image.png

来源于https://github.com/cilium/k8s-iptables-diagram

#部分iptables规则
[root@localhost ~]# iptables-save 
# Generated by iptables-save v1.4.21 on Wed Nov 14 16:01:10 2018
*mangle
:PREROUTING ACCEPT [13123859:4246034841]
:INPUT ACCEPT [13090664:4240571126]
:FORWARD ACCEPT [3584:3013486]
:OUTPUT ACCEPT [12863341:3655778720]
:POSTROUTING ACCEPT [12866925:3658792206]
COMMIT
# Completed on Wed Nov 14 16:01:10 2018
# Generated by iptables-save v1.4.21 on Wed Nov 14 16:01:10 2018
*raw
:PREROUTING ACCEPT [13123859:4246034841]
:OUTPUT ACCEPT [12863341:3655778720]
COMMIT
# Completed on Wed Nov 14 16:01:10 2018
# Generated by iptables-save v1.4.21 on Wed Nov 14 16:01:10 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-2DR36SHMKG72WTUG - [0:0]
:KUBE-SEP-2FG2MTZOAJQOBCTO - [0:0]
:KUBE-SEP-6TIHUV4SBOWFDLOO - [0:0]
:KUBE-SEP-7LBTVXR4SNTYCXO7 - [0:0]
:KUBE-SEP-7YSF6JYM2PLNZOVZ - [0:0]
:KUBE-SEP-QLEXD5JUCJRC3DDG - [0:0]
:KUBE-SEP-WQKJNDAM4UDU2FCE - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-LC5QY66VUV2HJ6WZ - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:KUBE-SVC-XGLOHA7QRQ3V22RZ - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.21.0.0/16 ! -o br-e3714bddecff -j MASQUERADE
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-6d3f1ea4b920 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-33d37d9728d5 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.20.0.0/16 -d 172.20.0.0/16 -j RETURN
-A POSTROUTING -s 172.20.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE
-A POSTROUTING ! -s 172.20.0.0/16 -d 172.20.0.0/24 -j RETURN
-A POSTROUTING ! -s 172.20.0.0/16 -d 172.20.0.0/16 -j MASQUERADE
-A POSTROUTING -s 172.21.0.2/32 -d 172.21.0.2/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.21.0.3/32 -d 172.21.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.21.0.3/32 -d 172.21.0.3/32 -p tcp -m tcp --dport 8000 -j MASQUERADE
-A DOCKER -i br-e3714bddecff -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-6d3f1ea4b920 -j RETURN
-A DOCKER -i br-33d37d9728d5 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 2333 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i br-e3714bddecff -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.21.0.2:3306
-A DOCKER ! -i br-e3714bddecff -p tcp -m tcp --dport 8089 -j DNAT --to-destination 172.21.0.3:80
-A DOCKER ! -i br-e3714bddecff -p tcp -m tcp --dport 8000 -j DNAT --to-destination 172.21.0.3:8000
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp --dport 31711 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp --dport 31711 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-A KUBE-SEP-2DR36SHMKG72WTUG -s 10.0.60.51/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-2DR36SHMKG72WTUG -p tcp -m tcp -j DNAT --to-destination 10.0.60.51:6443
-A KUBE-SEP-2FG2MTZOAJQOBCTO -s 172.20.0.5/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-2FG2MTZOAJQOBCTO -p tcp -m tcp -j DNAT --to-destination 172.20.0.5:8443
-A KUBE-SEP-6TIHUV4SBOWFDLOO -s 172.20.0.3/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-6TIHUV4SBOWFDLOO -p tcp -m tcp -j DNAT --to-destination 172.20.0.3:53
-A KUBE-SEP-7LBTVXR4SNTYCXO7 -s 172.20.0.4/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-7LBTVXR4SNTYCXO7 -p tcp -m tcp -j DNAT --to-destination 172.20.0.4:443
-A KUBE-SEP-7YSF6JYM2PLNZOVZ -s 172.20.0.2/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-7YSF6JYM2PLNZOVZ -p udp -m udp -j DNAT --to-destination 172.20.0.2:53
-A KUBE-SEP-QLEXD5JUCJRC3DDG -s 172.20.0.2/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-QLEXD5JUCJRC3DDG -p tcp -m tcp -j DNAT --to-destination 172.20.0.2:53
-A KUBE-SEP-WQKJNDAM4UDU2FCE -s 172.20.0.3/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-WQKJNDAM4UDU2FCE -p udp -m udp -j DNAT --to-destination 172.20.0.3:53
-A KUBE-SERVICES -d 10.68.15.73/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 443 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-SERVICES -d 10.68.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.68.0.2/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.68.0.2/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.68.41.150/32 -p tcp -m comment --comment "kube-system/metrics-server: cluster IP" -m tcp --dport 443 -j KUBE-SVC-LC5QY66VUV2HJ6WZ
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-QLEXD5JUCJRC3DDG
-A KUBE-SVC-ERIFXISQEP7F7OF4 -j KUBE-SEP-6TIHUV4SBOWFDLOO
-A KUBE-SVC-LC5QY66VUV2HJ6WZ -j KUBE-SEP-7LBTVXR4SNTYCXO7
-A KUBE-SVC-NPX46M4PTMTKRN6Y -j KUBE-SEP-2DR36SHMKG72WTUG
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-7YSF6JYM2PLNZOVZ
-A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-WQKJNDAM4UDU2FCE
-A KUBE-SVC-XGLOHA7QRQ3V22RZ -j KUBE-SEP-2FG2MTZOAJQOBCTO
COMMIT
# Completed on Wed Nov 14 16:01:10 2018
# Generated by iptables-save v1.4.21 on Wed Nov 14 16:01:10 2018
*filter
:INPUT ACCEPT [1097:219353]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1093:231833]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 4194 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -p tcp -m tcp --dport 4194 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 4194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4194 -j DROP
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 4194 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -p tcp -m tcp --dport 4194 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 4194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4194 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-e3714bddecff -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e3714bddecff -j DOCKER
-A FORWARD -i br-e3714bddecff ! -o br-e3714bddecff -j ACCEPT
-A FORWARD -i br-e3714bddecff -o br-e3714bddecff -j ACCEPT
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-6d3f1ea4b920 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-6d3f1ea4b920 -j DOCKER
-A FORWARD -i br-6d3f1ea4b920 ! -o br-6d3f1ea4b920 -j ACCEPT
-A FORWARD -i br-6d3f1ea4b920 -o br-6d3f1ea4b920 -j ACCEPT
-A FORWARD -o br-33d37d9728d5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-33d37d9728d5 -j DOCKER
-A FORWARD -i br-33d37d9728d5 ! -o br-33d37d9728d5 -j ACCEPT
-A FORWARD -i br-33d37d9728d5 -o br-33d37d9728d5 -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -s 172.20.0.0/16 -j ACCEPT
-A FORWARD -d 172.20.0.0/16 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.21.0.2/32 ! -i br-e3714bddecff -o br-e3714bddecff -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.21.0.3/32 ! -i br-e3714bddecff -o br-e3714bddecff -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.21.0.3/32 ! -i br-e3714bddecff -o br-e3714bddecff -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-e3714bddecff ! -o br-e3714bddecff -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-6d3f1ea4b920 ! -o br-6d3f1ea4b920 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-33d37d9728d5 ! -o br-33d37d9728d5 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-e3714bddecff -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-6d3f1ea4b920 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-33d37d9728d5 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
COMMIT
# Completed on Wed Nov 14 16:01:10 2018

最后编辑于：2018.12.19 16:51:32

人面猴
序言：七十年代末，一起剥皮案震惊了整个滨河市，随后出现的几起案子，更是在滨河造成了极大的恐慌，老刑警刘岩，带你破解...
沈念sama阅读 204,445评论 6赞 478
死咒
序言：滨河连续发生了三起死亡事件，死亡现场离奇诡异，居然都是意外死亡，警方通过查阅死者的电脑和手机，发现死者居然都...
沈念sama阅读 85,889评论 2赞 381
救了他两次的神仙让他今天三更去死
文/潘晓璐我一进店门，熙熙楼的掌柜王于贵愁眉苦脸地迎上来，“玉大人，你说我怎么就摊上这事。” “怎么了？”我有些...
开封第一讲书人阅读 151,047评论 0赞 337
道士缉凶录：失踪的卖姜人
文/不坏的土叔我叫张陵，是天一观的道长。经常有香客问我，道长，这世上最难降的妖魔是什么？我笑而不...
开封第一讲书人阅读 54,760评论 1赞 276
港岛之恋（遗憾婚礼）
正文为了忘掉前任，我火速办了婚礼，结果婚礼上，老公的妹妹穿的比我还像新娘。我一直安慰自己，他们只是感情好，可当我...
茶点故事阅读 63,745评论 5赞 367
恶毒庶女顶嫁案：这布局不是一般人想出来的
文/花漫我一把揭开白布。她就那样静静地躺着，像睡着了一般。火红的嫁衣衬着肌肤如雪。梳的纹丝不乱的头发上，一...
开封第一讲书人阅读 48,638评论 1赞 281
城市分裂传说
那天，我揣着相机与录音，去河边找鬼。笑死，一个胖子当着我的面吹牛，可吹牛的内容都是我干的。我是一名探鬼主播，决...
沈念sama阅读 38,011评论 3赞 398
双鸳鸯连环套：你想象不到人心有多黑
文/苍兰香墨我猛地睁开眼，长吁一口气：“原来是场噩梦啊……” “哼！你这毒妇竟也来了？” 一声冷哼从身侧响起，我...
开封第一讲书人阅读 36,669评论 0赞 258
万荣杀人案实录
序言：老挝万荣一对情侣失踪，失踪者是张志新（化名）和其女友刘颖，没想到半个月后，有当地人在树林里发现了一具尸体，经...
沈念sama阅读 40,923评论 1赞 299
护林员之死
正文独居荒郊野岭守林人离奇死亡，尸身上长有42处带血的脓包…… 初始之章·张勋以下内容为张勋视角年9月15日...
茶点故事阅读 35,655评论 2赞 321
白月光启示录
正文我和宋清朗相恋三年，在试婚纱的时候发现自己被绿了。大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
茶点故事阅读 37,740评论 1赞 330
活死人
序言：一个原本活蹦乱跳的男人离奇死亡，死状恐怖，灵堂内的尸体忽然破棺而出，到底是诈尸还是另有隐情，我是刑警宁泽，带...
沈念sama阅读 33,406评论 4赞 320
日本核电站爆炸内幕
正文年R本政府宣布，位于F岛的核电站，受9级特大地震影响，放射性物质发生泄漏。R本人自食恶果不足惜，却给世界环境...
茶点故事阅读 38,995评论 3赞 307
男人毒药：我在死后第九天来索命
文/蒙蒙一、第九天我趴在偏房一处隐蔽的房顶上张望。院中可真热闹，春花似锦、人声如沸。这庄子的主人今日做“春日...
开封第一讲书人阅读 29,961评论 0赞 19
一桩弑父案，背后竟有这般阴谋
文/苍兰香墨我抬头看了看天上的太阳。三九已至，却和暖如春，着一层夹袄步出监牢的瞬间，已是汗流浃背。一阵脚步声响...
开封第一讲书人阅读 31,197评论 1赞 260
情欲美人皮
我被黑心中介骗来泰国打工，没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留，地道东北人。一个月前我还...
沈念sama阅读 45,023评论 2赞 350
代替公主和亲
正文我出身青楼，却偏偏与公主长得像，于是被迫代替她去往敌国和亲。传闻我的和亲对象是个残疾皇子，可洞房花烛夜当晚...
茶点故事阅读 42,483评论 2赞 342

k8s的iptables转发规则原理图

推荐阅读更多精彩内容