k8s nodePort Service can't be reached externally #31

Closed
ravishivt opened this issue Jan 10, 2017 · 9 comments
@ravishivt

I have a 3x node kubernetes cluster: kube-ravi196 10.163.148.196 (master), kube-ravi197 10.163.148.197, and kube-ravi198 10.163.148.198. I have a pod that's currently scheduled on kube-ravi198 that I'd like to be exposed externally to the cluster. So I have a service of type nodePort with the nodePort set to 30080. I can successfully do curl localhost:30080 locally on each node. But externally, curl nodeX:30080 only works against kube-ravi198. The other two time out.

I debugged iptables and found that the external request is getting dropped in the FORWARD chain as it's hitting the default DROP policy. From my (limited) understanding of Canal, Canal sets up a flannel.1 interface on each node and then creates one calico interface for each pod running on a node. It then sets up a felix-FORWARD iptables target in the FORWARD chain to ACCEPT any traffic coming from or leaving a calico interface. The problem is that node-to-node traffic goes through the flannel.1 interface and there is nothing to ACCEPT traffic that gets forwarded to it. Doing curl localhost:30080 works because it bypasses the FORWARD table even though it's getting DNATed (not sure why).

My fix is to add:
sudo iptables -A FORWARD -o flannel.1 -j ACCEPT

Debug info below:

$ kubectl get pods --namespace=kube-system -l "k8s-app=kube-registry" -o wide
NAME                     READY     STATUS    RESTARTS   AGE       IP              NODE
kube-registry-v0-1mthd   1/1       Running   0          39m       192.168.75.13   ravi-kube198

$ kubectl get service --namespace=kube-system -l "k8s-app=kube-registry"
NAME            CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
kube-registry   10.100.57.109   <nodes>       5000:30080/TCP   5h

$ kubectl get pods --namespace=kube-system -l "k8s-app=kube-proxy" -o wide
NAME               READY     STATUS    RESTARTS   AGE       IP               NODE
kube-proxy-1rzz8   1/1       Running   0          40m       10.163.148.198   ravi-kube198
kube-proxy-fz20x   1/1       Running   0          40m       10.163.148.197   ravi-kube197
kube-proxy-lm7nm   1/1       Running   0          40m       10.163.148.196   ravi-kube196

iptables-save
# Generated by iptables-save v1.6.0 on Thu Jan  5 22:33:57 2017
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [40:2834]
:POSTROUTING ACCEPT [40:2834]
:DOCKER - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-4U6BTAJCDMHBCNTE - [0:0]
:KUBE-SEP-7QBKTOBWZOW2ADYZ - [0:0]
:KUBE-SEP-DARQFIU6CIZ6DHSZ - [0:0]
:KUBE-SEP-FMM5BAXI5QDNGXPJ - [0:0]
:KUBE-SEP-KJX7S6NVUIOUABFE - [0:0]
:KUBE-SEP-KMRLJBMSXVC225LD - [0:0]
:KUBE-SEP-KXX2UKHAML22525B - [0:0]
:KUBE-SEP-NCDBIYVKEUM6V7JV - [0:0]
:KUBE-SEP-YSVAKJLNBVVBENUI - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-E66MHSUH4AYEXSQE - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-JV2WR75K33AEZUK7 - [0:0]
:KUBE-SVC-KWJORWLCTF22FLD3 - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:KUBE-SVC-XGLOHA7QRQ3V22RZ - [0:0]
:felix-FIP-DNAT - [0:0]
:felix-FIP-SNAT - [0:0]
:felix-POSTROUTING - [0:0]
:felix-PREROUTING - [0:0]
-A PREROUTING -j felix-PREROUTING
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -j felix-POSTROUTING
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/16 -d 192.168.0.0/16 -j RETURN
-A POSTROUTING -s 192.168.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE
-A POSTROUTING ! -s 192.168.0.0/16 -d 192.168.0.0/16 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/kube-registry:registry" -m tcp --dport 30080 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/kube-registry:registry" -m tcp --dport 30080 -j KUBE-SVC-JV2WR75K33AEZUK7
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp --dport 30882 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp --dport 30882 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-A KUBE-SEP-4U6BTAJCDMHBCNTE -s 192.168.75.33/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-4U6BTAJCDMHBCNTE -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 192.168.75.33:53
-A KUBE-SEP-7QBKTOBWZOW2ADYZ -s 10.163.148.196/32 -m comment --comment "kube-system/glusterfs-dynamic-kube-registry-pvc:" -j KUBE-MARK-MASQ
-A KUBE-SEP-7QBKTOBWZOW2ADYZ -p tcp -m comment --comment "kube-system/glusterfs-dynamic-kube-registry-pvc:" -m tcp -j DNAT --to-destination 10.163.148.196:1
-A KUBE-SEP-DARQFIU6CIZ6DHSZ -s 10.163.148.198/32 -m comment --comment "kube-system/glusterfs-dynamic-kube-registry-pvc:" -j KUBE-MARK-MASQ
-A KUBE-SEP-DARQFIU6CIZ6DHSZ -p tcp -m comment --comment "kube-system/glusterfs-dynamic-kube-registry-pvc:" -m tcp -j DNAT --to-destination 10.163.148.198:1
-A KUBE-SEP-FMM5BAXI5QDNGXPJ -s 10.163.148.196/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-FMM5BAXI5QDNGXPJ -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-FMM5BAXI5QDNGXPJ --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.163.148.196:6443
-A KUBE-SEP-KJX7S6NVUIOUABFE -s 10.163.148.196/32 -m comment --comment "kube-system/canal-etcd:" -j KUBE-MARK-MASQ
-A KUBE-SEP-KJX7S6NVUIOUABFE -p tcp -m comment --comment "kube-system/canal-etcd:" -m tcp -j DNAT --to-destination 10.163.148.196:6666
-A KUBE-SEP-KMRLJBMSXVC225LD -s 192.168.45.37/32 -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-MARK-MASQ
-A KUBE-SEP-KMRLJBMSXVC225LD -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp -j DNAT --to-destination 192.168.45.37:9090
-A KUBE-SEP-KXX2UKHAML22525B -s 10.163.148.197/32 -m comment --comment "kube-system/glusterfs-dynamic-kube-registry-pvc:" -j KUBE-MARK-MASQ
-A KUBE-SEP-KXX2UKHAML22525B -p tcp -m comment --comment "kube-system/glusterfs-dynamic-kube-registry-pvc:" -m tcp -j DNAT --to-destination 10.163.148.197:1
-A KUBE-SEP-NCDBIYVKEUM6V7JV -s 192.168.75.33/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-NCDBIYVKEUM6V7JV -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 192.168.75.33:53
-A KUBE-SEP-YSVAKJLNBVVBENUI -s 192.168.75.32/32 -m comment --comment "kube-system/kube-registry:registry" -j KUBE-MARK-MASQ
-A KUBE-SEP-YSVAKJLNBVVBENUI -p tcp -m comment --comment "kube-system/kube-registry:registry" -m tcp -j DNAT --to-destination 192.168.75.32:5000
-A KUBE-SERVICES ! -s 192.168.0.0/16 -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES ! -s 192.168.0.0/16 -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES ! -s 192.168.0.0/16 -d 10.100.57.109/32 -p tcp -m comment --comment "kube-system/kube-registry:registry cluster IP" -m tcp --dport 5000 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.100.57.109/32 -p tcp -m comment --comment "kube-system/kube-registry:registry cluster IP" -m tcp --dport 5000 -j KUBE-SVC-JV2WR75K33AEZUK7
-A KUBE-SERVICES ! -s 192.168.0.0/16 -d 10.110.206.254/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.110.206.254/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 80 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-SERVICES ! -s 192.168.0.0/16 -d 10.96.232.136/32 -p tcp -m comment --comment "kube-system/canal-etcd: cluster IP" -m tcp --dport 6666 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.96.232.136/32 -p tcp -m comment --comment "kube-system/canal-etcd: cluster IP" -m tcp --dport 6666 -j KUBE-SVC-KWJORWLCTF22FLD3
-A KUBE-SERVICES ! -s 192.168.0.0/16 -d 10.106.192.243/32 -p tcp -m comment --comment "kube-system/glusterfs-dynamic-kube-registry-pvc: cluster IP" -m tcp --dport 1 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.106.192.243/32 -p tcp -m comment --comment "kube-system/glusterfs-dynamic-kube-registry-pvc: cluster IP" -m tcp --dport 1 -j KUBE-SVC-E66MHSUH4AYEXSQE
-A KUBE-SERVICES ! -s 192.168.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-E66MHSUH4AYEXSQE -m comment --comment "kube-system/glusterfs-dynamic-kube-registry-pvc:" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-7QBKTOBWZOW2ADYZ
-A KUBE-SVC-E66MHSUH4AYEXSQE -m comment --comment "kube-system/glusterfs-dynamic-kube-registry-pvc:" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-KXX2UKHAML22525B
-A KUBE-SVC-E66MHSUH4AYEXSQE -m comment --comment "kube-system/glusterfs-dynamic-kube-registry-pvc:" -j KUBE-SEP-DARQFIU6CIZ6DHSZ
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-4U6BTAJCDMHBCNTE
-A KUBE-SVC-JV2WR75K33AEZUK7 -m comment --comment "kube-system/kube-registry:registry" -j KUBE-SEP-YSVAKJLNBVVBENUI
-A KUBE-SVC-KWJORWLCTF22FLD3 -m comment --comment "kube-system/canal-etcd:" -j KUBE-SEP-KJX7S6NVUIOUABFE
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-FMM5BAXI5QDNGXPJ --mask 255.255.255.255 --rsource -j KUBE-SEP-FMM5BAXI5QDNGXPJ
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-FMM5BAXI5QDNGXPJ
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-NCDBIYVKEUM6V7JV
-A KUBE-SVC-XGLOHA7QRQ3V22RZ -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-SEP-KMRLJBMSXVC225LD
-A felix-POSTROUTING -j felix-FIP-SNAT
-A felix-PREROUTING -j felix-FIP-DNAT
COMMIT
# Completed on Thu Jan  5 22:33:57 2017
# Generated by iptables-save v1.6.0 on Thu Jan  5 22:33:57 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-SERVICES - [0:0]
:f2b-sshd - [0:0]
:felix-FAILSAFE-IN - [0:0]
:felix-FAILSAFE-OUT - [0:0]
:felix-FORWARD - [0:0]
:felix-FROM-ENDPOINT - [0:0]
:felix-FROM-HOST-IF - [0:0]
:felix-INPUT - [0:0]
:felix-OUTPUT - [0:0]
:felix-TO-ENDPOINT - [0:0]
:felix-TO-HOST-IF - [0:0]
:felix-from-2364763ca74 - [0:0]
:felix-from-428849870ea - [0:0]
:felix-p-_0f05888047b5982-i - [0:0]
:felix-p-_0f05888047b5982-o - [0:0]
:felix-p-_3806fbfa06d1365-i - [0:0]
:felix-p-_3806fbfa06d1365-o - [0:0]
:felix-to-2364763ca74 - [0:0]
:felix-to-428849870ea - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j felix-INPUT
-A INPUT -j KUBE-FIREWALL
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j felix-FORWARD
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j felix-OUTPUT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER-ISOLATION -j RETURN
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A f2b-sshd -j RETURN
-A felix-FAILSAFE-IN -p tcp -m tcp --dport 22 -j ACCEPT
-A felix-FAILSAFE-OUT -p tcp -m tcp --dport 2379 -j ACCEPT
-A felix-FAILSAFE-OUT -p tcp -m tcp --dport 2380 -j ACCEPT
-A felix-FAILSAFE-OUT -p tcp -m tcp --dport 4001 -j ACCEPT
-A felix-FAILSAFE-OUT -p tcp -m tcp --dport 7001 -j ACCEPT
-A felix-FORWARD -i cali+ -m conntrack --ctstate INVALID -j DROP
-A felix-FORWARD -o cali+ -m conntrack --ctstate INVALID -j DROP
-A felix-FORWARD -i cali+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A felix-FORWARD -o cali+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A felix-FORWARD -i cali+ -j felix-FROM-ENDPOINT
-A felix-FORWARD -o cali+ -j felix-TO-ENDPOINT
-A felix-FORWARD -i cali+ -j ACCEPT
-A felix-FORWARD -o cali+ -j ACCEPT
-A felix-FROM-ENDPOINT -i cali2364763ca74 -g felix-from-2364763ca74
-A felix-FROM-ENDPOINT -i cali428849870ea -g felix-from-428849870ea
-A felix-FROM-ENDPOINT -m comment --comment "From unknown endpoint" -j DROP
-A felix-FROM-HOST-IF -m comment --comment "Unknown interface, return" -j RETURN
-A felix-INPUT -m conntrack --ctstate INVALID -j DROP
-A felix-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A felix-INPUT ! -i cali+ -g felix-FROM-HOST-IF
-A felix-INPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A felix-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A felix-INPUT -j felix-FROM-ENDPOINT
-A felix-OUTPUT -m conntrack --ctstate INVALID -j DROP
-A felix-OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A felix-OUTPUT ! -o cali+ -g felix-TO-HOST-IF
-A felix-TO-ENDPOINT -o cali2364763ca74 -g felix-to-2364763ca74
-A felix-TO-ENDPOINT -o cali428849870ea -g felix-to-428849870ea
-A felix-TO-ENDPOINT -m comment --comment "To unknown endpoint" -j DROP
-A felix-TO-HOST-IF -m comment --comment "Unknown interface, return" -j RETURN
-A felix-from-2364763ca74 -j MARK --set-xmark 0x0/0x1000000
-A felix-from-2364763ca74 -m mac ! --mac-source 2A:E8:7F:82:AA:B5 -m comment --comment "Incorrect source MAC" -j DROP
-A felix-from-2364763ca74 -m comment --comment "Start of tier k8s-network-policy" -j MARK --set-xmark 0x0/0x2000000
-A felix-from-2364763ca74 -m mark --mark 0x0/0x2000000 -j felix-p-_3806fbfa06d1365-o
-A felix-from-2364763ca74 -m mark --mark 0x1000000/0x1000000 -m comment --comment "Return if policy accepted" -j RETURN
-A felix-from-2364763ca74 -m mark --mark 0x0/0x2000000 -m comment --comment "Drop if no policy in tier passed" -j DROP
-A felix-from-2364763ca74 -j felix-p-_0f05888047b5982-o
-A felix-from-2364763ca74 -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
-A felix-from-2364763ca74 -m comment --comment "Packet did not match any profile (endpoint eth0)" -j DROP
-A felix-from-428849870ea -j MARK --set-xmark 0x0/0x1000000
-A felix-from-428849870ea -m mac ! --mac-source E6:76:86:8B:42:2A -m comment --comment "Incorrect source MAC" -j DROP
-A felix-from-428849870ea -m comment --comment "Start of tier k8s-network-policy" -j MARK --set-xmark 0x0/0x2000000
-A felix-from-428849870ea -m mark --mark 0x0/0x2000000 -j felix-p-_3806fbfa06d1365-o
-A felix-from-428849870ea -m mark --mark 0x1000000/0x1000000 -m comment --comment "Return if policy accepted" -j RETURN
-A felix-from-428849870ea -m mark --mark 0x0/0x2000000 -m comment --comment "Drop if no policy in tier passed" -j DROP
-A felix-from-428849870ea -j felix-p-_0f05888047b5982-o
-A felix-from-428849870ea -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
-A felix-from-428849870ea -m comment --comment "Packet did not match any profile (endpoint eth0)" -j DROP
-A felix-p-_0f05888047b5982-i -j MARK --set-xmark 0x1000000/0x1000000
-A felix-p-_0f05888047b5982-i -m mark --mark 0x1000000/0x1000000 -j RETURN
-A felix-p-_0f05888047b5982-o -j MARK --set-xmark 0x1000000/0x1000000
-A felix-p-_0f05888047b5982-o -m mark --mark 0x1000000/0x1000000 -j RETURN
-A felix-p-_3806fbfa06d1365-i -j MARK --set-xmark 0x2000000/0x2000000
-A felix-p-_3806fbfa06d1365-i -m mark --mark 0x2000000/0x2000000 -j RETURN
-A felix-p-_3806fbfa06d1365-o -j MARK --set-xmark 0x2000000/0x2000000
-A felix-p-_3806fbfa06d1365-o -m mark --mark 0x2000000/0x2000000 -j RETURN
-A felix-to-2364763ca74 -j MARK --set-xmark 0x0/0x1000000
-A felix-to-2364763ca74 -m comment --comment "Start of tier k8s-network-policy" -j MARK --set-xmark 0x0/0x2000000
-A felix-to-2364763ca74 -m mark --mark 0x0/0x2000000 -j felix-p-_3806fbfa06d1365-i
-A felix-to-2364763ca74 -m mark --mark 0x1000000/0x1000000 -m comment --comment "Return if policy accepted" -j RETURN
-A felix-to-2364763ca74 -m mark --mark 0x0/0x2000000 -m comment --comment "Drop if no policy in tier passed" -j DROP
-A felix-to-2364763ca74 -j felix-p-_0f05888047b5982-i
-A felix-to-2364763ca74 -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
-A felix-to-2364763ca74 -m comment --comment "Packet did not match any profile (endpoint eth0)" -j DROP
-A felix-to-428849870ea -j MARK --set-xmark 0x0/0x1000000
-A felix-to-428849870ea -m comment --comment "Start of tier k8s-network-policy" -j MARK --set-xmark 0x0/0x2000000
-A felix-to-428849870ea -m mark --mark 0x0/0x2000000 -j felix-p-_3806fbfa06d1365-i
-A felix-to-428849870ea -m mark --mark 0x1000000/0x1000000 -m comment --comment "Return if policy accepted" -j RETURN
-A felix-to-428849870ea -m mark --mark 0x0/0x2000000 -m comment --comment "Drop if no policy in tier passed" -j DROP
-A felix-to-428849870ea -j felix-p-_0f05888047b5982-i
-A felix-to-428849870ea -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
-A felix-to-428849870ea -m comment --comment "Packet did not match any profile (endpoint eth0)" -j DROP
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j ACCEPT
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-input -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-input -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A ufw-user-logging-forward -j RETURN
-A ufw-user-logging-input -j RETURN
-A ufw-user-logging-output -j RETURN
COMMIT
# Completed on Thu Jan  5 22:33:57 2017

iptables nat table
Chain PREROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 felix-PREROUTING  all  --  any    any     anywhere             anywhere            
 7328  448K KUBE-SERVICES  all  --  any    any     anywhere             anywhere             /* kubernetes service portals */
 9819  590K DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 144 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3398  207K KUBE-SERVICES  all  --  any    any     anywhere             anywhere             /* kubernetes service portals */
  177 11058 DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 2 packets, 144 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   144 felix-POSTROUTING  all  --  any    any     anywhere             anywhere            
 3893  237K KUBE-POSTROUTING  all  --  any    any     anywhere             anywhere             /* kubernetes postrouting rules */
    0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere            
    0     0 RETURN     all  --  any    any     192.168.0.0/16       192.168.0.0/16      
    0     0 MASQUERADE  all  --  any    any     192.168.0.0/16      !base-address.mcast.net/4 
    0     0 MASQUERADE  all  --  any    any    !192.168.0.0/16       192.168.0.0/16      

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 any     anywhere             anywhere            

Chain KUBE-MARK-DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK or 0x8000

Chain KUBE-MARK-MASQ (18 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK or 0x4000

Chain KUBE-NODEPORTS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  tcp  --  any    any     anywhere             anywhere             /* kube-system/kube-registry:registry */ tcp dpt:30080
    0     0 KUBE-SVC-JV2WR75K33AEZUK7  tcp  --  any    any     anywhere             anywhere             /* kube-system/kube-registry:registry */ tcp dpt:30080
    0     0 KUBE-MARK-MASQ  tcp  --  any    any     anywhere             anywhere             /* kube-system/kubernetes-dashboard: */ tcp dpt:30882
    0     0 KUBE-SVC-XGLOHA7QRQ3V22RZ  tcp  --  any    any     anywhere             anywhere             /* kube-system/kubernetes-dashboard: */ tcp dpt:30882

Chain KUBE-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  any    any     anywhere             anywhere             /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000

Chain KUBE-SEP-4U6BTAJCDMHBCNTE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  all  --  any    any     192.168.75.33        anywhere             /* kube-system/kube-dns:dns-tcp */
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             /* kube-system/kube-dns:dns-tcp */ tcp to:192.168.75.33:53

Chain KUBE-SEP-7QBKTOBWZOW2ADYZ (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  all  --  any    any     10.163.148.196       anywhere             /* kube-system/glusterfs-dynamic-kube-registry-pvc: */
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             /* kube-system/glusterfs-dynamic-kube-registry-pvc: */ tcp to:10.163.148.196:1

Chain KUBE-SEP-DARQFIU6CIZ6DHSZ (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  all  --  any    any     10.163.148.198       anywhere             /* kube-system/glusterfs-dynamic-kube-registry-pvc: */
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             /* kube-system/glusterfs-dynamic-kube-registry-pvc: */ tcp to:10.163.148.198:1

Chain KUBE-SEP-FMM5BAXI5QDNGXPJ (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  all  --  any    any     10.163.148.196       anywhere             /* default/kubernetes:https */
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             /* default/kubernetes:https */ recent: SET name: KUBE-SEP-FMM5BAXI5QDNGXPJ side: source mask: 255.255.255.255 tcp to:10.163.148.196:6443

Chain KUBE-SEP-KJX7S6NVUIOUABFE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  all  --  any    any     10.163.148.196       anywhere             /* kube-system/canal-etcd: */
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             /* kube-system/canal-etcd: */ tcp to:10.163.148.196:6666

Chain KUBE-SEP-KMRLJBMSXVC225LD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  all  --  any    any     192.168.45.37        anywhere             /* kube-system/kubernetes-dashboard: */
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             /* kube-system/kubernetes-dashboard: */ tcp to:192.168.45.37:9090

Chain KUBE-SEP-KXX2UKHAML22525B (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  all  --  any    any     10.163.148.197       anywhere             /* kube-system/glusterfs-dynamic-kube-registry-pvc: */
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             /* kube-system/glusterfs-dynamic-kube-registry-pvc: */ tcp to:10.163.148.197:1

Chain KUBE-SEP-NCDBIYVKEUM6V7JV (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  all  --  any    any     192.168.75.33        anywhere             /* kube-system/kube-dns:dns */
    0     0 DNAT       udp  --  any    any     anywhere             anywhere             /* kube-system/kube-dns:dns */ udp to:192.168.75.33:53

Chain KUBE-SEP-YSVAKJLNBVVBENUI (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  all  --  any    any     192.168.75.32        anywhere             /* kube-system/kube-registry:registry */
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             /* kube-system/kube-registry:registry */ tcp to:192.168.75.32:5000

Chain KUBE-SERVICES (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  tcp  --  any    any    !192.168.0.0/16       10.96.0.1            /* default/kubernetes:https cluster IP */ tcp dpt:https
    0     0 KUBE-SVC-NPX46M4PTMTKRN6Y  tcp  --  any    any     anywhere             10.96.0.1            /* default/kubernetes:https cluster IP */ tcp dpt:https
    0     0 KUBE-MARK-MASQ  udp  --  any    any    !192.168.0.0/16       10.96.0.10           /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain
    0     0 KUBE-SVC-TCOU7JCQXEZGVUNU  udp  --  any    any     anywhere             10.96.0.10           /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain
    0     0 KUBE-MARK-MASQ  tcp  --  any    any    !192.168.0.0/16       10.100.57.109        /* kube-system/kube-registry:registry cluster IP */ tcp dpt:5000
    0     0 KUBE-SVC-JV2WR75K33AEZUK7  tcp  --  any    any     anywhere             10.100.57.109        /* kube-system/kube-registry:registry cluster IP */ tcp dpt:5000
    0     0 KUBE-MARK-MASQ  tcp  --  any    any    !192.168.0.0/16       10.110.206.254       /* kube-system/kubernetes-dashboard: cluster IP */ tcp dpt:http
    0     0 KUBE-SVC-XGLOHA7QRQ3V22RZ  tcp  --  any    any     anywhere             10.110.206.254       /* kube-system/kubernetes-dashboard: cluster IP */ tcp dpt:http
    0     0 KUBE-MARK-MASQ  tcp  --  any    any    !192.168.0.0/16       10.96.232.136        /* kube-system/canal-etcd: cluster IP */ tcp dpt:6666
    0     0 KUBE-SVC-KWJORWLCTF22FLD3  tcp  --  any    any     anywhere             10.96.232.136        /* kube-system/canal-etcd: cluster IP */ tcp dpt:6666
    0     0 KUBE-MARK-MASQ  tcp  --  any    any    !192.168.0.0/16       10.106.192.243       /* kube-system/glusterfs-dynamic-kube-registry-pvc: cluster IP */ tcp dpt:tcpmux
    0     0 KUBE-SVC-E66MHSUH4AYEXSQE  tcp  --  any    any     anywhere             10.106.192.243       /* kube-system/glusterfs-dynamic-kube-registry-pvc: cluster IP */ tcp dpt:tcpmux
    0     0 KUBE-MARK-MASQ  tcp  --  any    any    !192.168.0.0/16       10.96.0.10           /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain
    0     0 KUBE-SVC-ERIFXISQEP7F7OF4  tcp  --  any    any     anywhere             10.96.0.10           /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain
    1    60 KUBE-NODEPORTS  all  --  any    any     anywhere             anywhere             /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL

Chain KUBE-SVC-E66MHSUH4AYEXSQE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-SEP-7QBKTOBWZOW2ADYZ  all  --  any    any     anywhere             anywhere             /* kube-system/glusterfs-dynamic-kube-registry-pvc: */ statistic mode random probability 0.33332999982
    0     0 KUBE-SEP-KXX2UKHAML22525B  all  --  any    any     anywhere             anywhere             /* kube-system/glusterfs-dynamic-kube-registry-pvc: */ statistic mode random probability 0.50000000000
    0     0 KUBE-SEP-DARQFIU6CIZ6DHSZ  all  --  any    any     anywhere             anywhere             /* kube-system/glusterfs-dynamic-kube-registry-pvc: */

Chain KUBE-SVC-ERIFXISQEP7F7OF4 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-SEP-4U6BTAJCDMHBCNTE  all  --  any    any     anywhere             anywhere             /* kube-system/kube-dns:dns-tcp */

Chain KUBE-SVC-JV2WR75K33AEZUK7 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-SEP-YSVAKJLNBVVBENUI  all  --  any    any     anywhere             anywhere             /* kube-system/kube-registry:registry */

Chain KUBE-SVC-KWJORWLCTF22FLD3 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-SEP-KJX7S6NVUIOUABFE  all  --  any    any     anywhere             anywhere             /* kube-system/canal-etcd: */

Chain KUBE-SVC-NPX46M4PTMTKRN6Y (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-SEP-FMM5BAXI5QDNGXPJ  all  --  any    any     anywhere             anywhere             /* default/kubernetes:https */ recent: CHECK seconds: 10800 reap name: KUBE-SEP-FMM5BAXI5QDNGXPJ side: source mask: 255.255.255.255
    0     0 KUBE-SEP-FMM5BAXI5QDNGXPJ  all  --  any    any     anywhere             anywhere             /* default/kubernetes:https */

Chain KUBE-SVC-TCOU7JCQXEZGVUNU (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-SEP-NCDBIYVKEUM6V7JV  all  --  any    any     anywhere             anywhere             /* kube-system/kube-dns:dns */

Chain KUBE-SVC-XGLOHA7QRQ3V22RZ (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-SEP-KMRLJBMSXVC225LD  all  --  any    any     anywhere             anywhere             /* kube-system/kubernetes-dashboard: */

Chain felix-FIP-DNAT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain felix-FIP-SNAT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain felix-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   144 felix-FIP-SNAT  all  --  any    any     anywhere             anywhere            

Chain felix-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 felix-FIP-DNAT  all  --  any    any     anywhere             anywhere            

iptables filter table
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  627  238K felix-INPUT  all  --  any    any     anywhere             anywhere            
22383 5721K KUBE-FIREWALL  all  --  any    any     anywhere             anywhere            
    7   448 f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
22421 5723K ufw-before-logging-input  all  --  any    any     anywhere             anywhere            
22421 5723K ufw-before-input  all  --  any    any     anywhere             anywhere            
11828  769K ufw-after-input  all  --  any    any     anywhere             anywhere            
10228  619K ufw-after-logging-input  all  --  any    any     anywhere             anywhere            
10228  619K ufw-reject-input  all  --  any    any     anywhere             anywhere            
10228  619K ufw-track-input  all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 felix-FORWARD  all  --  any    any     anywhere             anywhere            
    0     0 DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere            
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
    0     0 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-before-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-after-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-reject-forward  all  --  any    any     anywhere             anywhere            
    0     0 ufw-track-forward  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  603  271K felix-OUTPUT  all  --  any    any     anywhere             anywhere            
12066 8724K KUBE-SERVICES  all  --  any    any     anywhere             anywhere             /* kubernetes service portals */
11638 5267K KUBE-FIREWALL  all  --  any    any     anywhere             anywhere            
11674 5269K ufw-before-logging-output  all  --  any    any     anywhere             anywhere            
11674 5269K ufw-before-output  all  --  any    any     anywhere             anywhere            
 1219 81378 ufw-after-output  all  --  any    any     anywhere             anywhere            
 1219 81378 ufw-after-logging-output  all  --  any    any     anywhere             anywhere            
 1219 81378 ufw-reject-output  all  --  any    any     anywhere             anywhere            
 1219 81378 ufw-track-output  all  --  any    any     anywhere             anywhere            

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain KUBE-FIREWALL (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000

Chain KUBE-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    7   448 RETURN     all  --  any    any     anywhere             anywhere            

Chain felix-FAILSAFE-IN (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh

Chain felix-FAILSAFE-OUT (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:2379
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:2380
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:4001
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:afs3-callback

Chain felix-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  cali+  any     anywhere             anywhere             ctstate INVALID
    0     0 DROP       all  --  any    cali+   anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     all  --  cali+  any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    cali+   anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 felix-FROM-ENDPOINT  all  --  cali+  any     anywhere             anywhere            
    0     0 felix-TO-ENDPOINT  all  --  any    cali+   anywhere             anywhere            
    0     0 ACCEPT     all  --  cali+  any     anywhere             anywhere            
    0     0 ACCEPT     all  --  any    cali+   anywhere             anywhere            

Chain felix-FROM-ENDPOINT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 felix-from-2364763ca74  all  --  cali2364763ca74 any     anywhere             anywhere            [goto] 
    0     0 felix-from-428849870ea  all  --  cali428849870ea any     anywhere             anywhere            [goto] 
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* From unknown endpoint */

Chain felix-FROM-HOST-IF (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   11   660 RETURN     all  --  any    any     anywhere             anywhere             /* Unknown interface, return */

Chain felix-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
  616  237K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   11   660 felix-FROM-HOST-IF  all  --  !cali+ any     anywhere             anywhere            [goto] 
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootpc dpt:bootps
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain
    0     0 felix-FROM-ENDPOINT  all  --  any    any     anywhere             anywhere            

Chain felix-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
  603  271K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 felix-TO-HOST-IF  all  --  any    !cali+  anywhere             anywhere            [goto] 

Chain felix-TO-ENDPOINT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 felix-to-2364763ca74  all  --  any    cali2364763ca74  anywhere             anywhere            [goto] 
    0     0 felix-to-428849870ea  all  --  any    cali428849870ea  anywhere             anywhere            [goto] 
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* To unknown endpoint */

Chain felix-TO-HOST-IF (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere             /* Unknown interface, return */

Chain felix-from-2364763ca74 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK and 0xfeffffff
    0     0 DROP       all  --  any    any     anywhere             anywhere             MAC ! 2A:E8:7F:82:AA:B5 /* Incorrect source MAC */
    0     0 MARK       all  --  any    any     anywhere             anywhere             /* Start of tier k8s-network-policy */ MARK and 0xfdffffff
    0     0 felix-p-_3806fbfa06d1365-o  all  --  any    any     anywhere             anywhere             mark match 0x0/0x2000000
    0     0 RETURN     all  --  any    any     anywhere             anywhere             mark match 0x1000000/0x1000000 /* Return if policy accepted */
    0     0 DROP       all  --  any    any     anywhere             anywhere             mark match 0x0/0x2000000 /* Drop if no policy in tier passed */
    0     0 felix-p-_0f05888047b5982-o  all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere             mark match 0x1000000/0x1000000 /* Profile accepted packet */
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* Packet did not match any profile (endpoint eth0) */

Chain felix-from-428849870ea (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK and 0xfeffffff
    0     0 DROP       all  --  any    any     anywhere             anywhere             MAC ! E6:76:86:8B:42:2A /* Incorrect source MAC */
    0     0 MARK       all  --  any    any     anywhere             anywhere             /* Start of tier k8s-network-policy */ MARK and 0xfdffffff
    0     0 felix-p-_3806fbfa06d1365-o  all  --  any    any     anywhere             anywhere             mark match 0x0/0x2000000
    0     0 RETURN     all  --  any    any     anywhere             anywhere             mark match 0x1000000/0x1000000 /* Return if policy accepted */
    0     0 DROP       all  --  any    any     anywhere             anywhere             mark match 0x0/0x2000000 /* Drop if no policy in tier passed */
    0     0 felix-p-_0f05888047b5982-o  all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere             mark match 0x1000000/0x1000000 /* Profile accepted packet */
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* Packet did not match any profile (endpoint eth0) */

Chain felix-p-_0f05888047b5982-i (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK or 0x1000000
    0     0 RETURN     all  --  any    any     anywhere             anywhere             mark match 0x1000000/0x1000000

Chain felix-p-_0f05888047b5982-o (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK or 0x1000000
    0     0 RETURN     all  --  any    any     anywhere             anywhere             mark match 0x1000000/0x1000000

Chain felix-p-_3806fbfa06d1365-i (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK or 0x2000000
    0     0 RETURN     all  --  any    any     anywhere             anywhere             mark match 0x2000000/0x2000000

Chain felix-p-_3806fbfa06d1365-o (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK or 0x2000000
    0     0 RETURN     all  --  any    any     anywhere             anywhere             mark match 0x2000000/0x2000000

Chain felix-to-2364763ca74 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK and 0xfeffffff
    0     0 MARK       all  --  any    any     anywhere             anywhere             /* Start of tier k8s-network-policy */ MARK and 0xfdffffff
    0     0 felix-p-_3806fbfa06d1365-i  all  --  any    any     anywhere             anywhere             mark match 0x0/0x2000000
    0     0 RETURN     all  --  any    any     anywhere             anywhere             mark match 0x1000000/0x1000000 /* Return if policy accepted */
    0     0 DROP       all  --  any    any     anywhere             anywhere             mark match 0x0/0x2000000 /* Drop if no policy in tier passed */
    0     0 felix-p-_0f05888047b5982-i  all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere             mark match 0x1000000/0x1000000 /* Profile accepted packet */
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* Packet did not match any profile (endpoint eth0) */

Chain felix-to-428849870ea (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK and 0xfeffffff
    0     0 MARK       all  --  any    any     anywhere             anywhere             /* Start of tier k8s-network-policy */ MARK and 0xfdffffff
    0     0 felix-p-_3806fbfa06d1365-i  all  --  any    any     anywhere             anywhere             mark match 0x0/0x2000000
    0     0 RETURN     all  --  any    any     anywhere             anywhere             mark match 0x1000000/0x1000000 /* Return if policy accepted */
    0     0 DROP       all  --  any    any     anywhere             anywhere             mark match 0x0/0x2000000 /* Drop if no policy in tier passed */
    0     0 felix-p-_0f05888047b5982-i  all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere             mark match 0x1000000/0x1000000 /* Profile accepted packet */
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* Packet did not match any profile (endpoint eth0) */

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1187 94602 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
  103 23080 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-dgm
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
   11  3719 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootps
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootpc
    0     0 ufw-skip-to-policy-input  all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ufw-user-forward  all  --  any    any     anywhere             anywhere            

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3444  207K ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
 9181  598K ufw-not-local  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             239.255.255.250      udp dpt:1900
 9181  598K ufw-user-input  all  --  any    any     anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3375  203K ACCEPT     all  --  any    lo      anywhere             anywhere            
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  584 41189 ufw-user-output  all  --  any    any     anywhere             anywhere            

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 7880  476K RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
 1301  121K RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
 1301  121K ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 7842  471K ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
   36  5577 ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  247 14820 ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
  337 26369 ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   128 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

iptables FORWARD chain on ravi-kube196
deploy@ravi-kube196:~$ sudo iptables -t filter -v --line-numbers -L FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 felix-FORWARD  all  --  any    any     anywhere             anywhere
2      540 34911 DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere
3        0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
4        0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
5        0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
6        0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
7      540 34911 ufw-before-logging-forward  all  --  any    any     anywhere             anywhere
8      540 34911 ufw-before-forward  all  --  any    any     anywhere             anywhere
9      495 30976 ufw-after-forward  all  --  any    any     anywhere             anywhere
10     495 30976 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere
11     495 30976 ufw-reject-forward  all  --  any    any     anywhere             anywhere
12     495 30976 ufw-track-forward  all  --  any    any     anywhere             anywhere

iptables felix-FORWARD chain on ravi-kube196
deploy@ravi-kube196:~$ sudo iptables -t filter -v --line-numbers -L felix-FORWARD
Chain felix-FORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  cali+  any     anywhere             anywhere             ctstate INVALID
2        0     0 DROP       all  --  any    cali+   anywhere             anywhere             ctstate INVALID
3        0     0 ACCEPT     all  --  cali+  any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
4        0     0 ACCEPT     all  --  any    cali+   anywhere             anywhere             ctstate RELATED,ESTABLISHED
5        0     0 felix-FROM-ENDPOINT  all  --  cali+  any     anywhere             anywhere
6        0     0 felix-TO-ENDPOINT  all  --  any    cali+   anywhere             anywhere
7        0     0 ACCEPT     all  --  cali+  any     anywhere             anywhere
8        0     0 ACCEPT     all  --  any    cali+   anywhere             anywhere

ravi-kube196 interfaces (the node I'm testing connectivity to pod externally)
deploy@ravi-kube196:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:8a:2a:2f brd ff:ff:ff:ff:ff:ff
    inet 10.163.148.196/24 brd 10.163.148.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe8a:2a2f/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:11:4d:a2:d0 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
4: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
    link/ether 46:59:e6:e9:27:7f brd ff:ff:ff:ff:ff:ff
    inet 192.168.44.0/16 scope global flannel.1
       valid_lft forever preferred_lft forever
    inet6 fe80::4459:e6ff:fee9:277f/64 scope link
       valid_lft forever preferred_lft forever
ravi-kube198 interfaces (the node running the target pod)
deploy@ravi-kube198:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:8a:ee:fa brd ff:ff:ff:ff:ff:ff
    inet 10.163.148.198/24 brd 10.163.148.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe8a:eefa/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:3e:9d:23:64 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
4: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
    link/ether b2:b1:ab:e4:91:c1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.0/16 scope global flannel.1
       valid_lft forever preferred_lft forever
    inet6 fe80::b0b1:abff:fee4:91c1/64 scope link
       valid_lft forever preferred_lft forever
7: cali6b7c7fd87ef@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
    link/ether 6a:bd:d6:bf:12:e4 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::68bd:d6ff:febf:12e4/64 scope link
       valid_lft forever preferred_lft forever

I originally raised this with kubernetes, kubernetes/kubernetes#39658, but now think this is a Canal-specific issue.

@caseydavenport
Member

I'm assuming we've not hit this before because the default FORWARD behavior is usually ACCEPT, so the rule sudo iptables -A FORWARD -o flannel.1 -j ACCEPT isn't required.

@tomdee should flannel be configuring this rule when the default FORWARD behavior is not ACCEPT?

@ravishivt
Author

FWIW, on a default Ubuntu 16.04 with ufw enabled, FORWARD is set to DROP.

@tmjd
Member

tmjd commented Mar 20, 2017

@ravishivt have you done any more testing around this issue? I'm just curious if there have been any updates that resolved the issue.
@tomdee, as Casey posed, should flannel be configuring that rule?

Is this really a flannel issue that needs to be created? I found these 2 issues in the flannel repo:

@tmjd
Member

tmjd commented Apr 17, 2017

@ravishivt You have a solution that sounds like the solution suggested from the flannel project so I'm going to close this issue. Please feel free to reopen if you think this is not the correct action or open a new issue if you have other issues. Thanks.

@tmjd tmjd closed this as completed Apr 17, 2017
@upskill-mrollins

If your software requires iptables -P FORWARD ACCEPT then why not set this when modifying all the other iptables rules?
This is still an issue with ubuntu 16.04, Docker 17.03.2, rancher/calico-node:v3.1.1

@tmjd
Member

tmjd commented Aug 16, 2018

@upskill-mrollins This repo is for Canal, which is a specific configuration of flannel and calico; there isn't any Canal software, so there isn't really a place where it modifies iptables rules.

There is kubernetes/kubernetes#39823, for which I submitted a fix to kube-proxy to address this issue (it has been merged and released). Since kube-proxy is responsible for setting up K8s services (including NodePorts), I too thought that since it needs a FORWARD ACCEPT it should set the rule.

What version of kube-proxy is rancher using? (I'm not sure about the first release that included my changes but it has been there for several releases now.)

Are you using Canal? If not I'd suggest opening a Calico issue instead of commenting on this Canal one.

@upskill-mrollins

Totally agree, I think this is more of a flannel issue than anything else, and their documentation does point this out. I was new to Canal, and didn't understand the underlying dependencies. It also turned out to be a default configuration by Rancher 2.0.6 which was enabling the pod security features of Canal. They set this to disabled in their latest 2.0.7 release, so my cross namespace communication is working now. Thank you for your response!

@daald

daald commented Oct 11, 2018

I just wasted over 20 hours trying to set up my first Kubernetes cluster. And I'm still not there. In my eyes we have either a lack of documentation here ("user is responsible for setting the rule to ACCEPT") or we have a bug. I tested with BOTH Flannel and Calico, so that means (when reading the above) that we already have at least 3 different network controllers which are not able to handle this and where we should open an issue (if not already).

I think, at least a tool like kubeadm should warn about it if discovered, in the same way as it warns about bad sysctl settings and missing kernel modules

@caseydavenport
Member

Kubernetes, specifically kube-proxy, will add ACCEPT rules to the FORWARD table in order to cover this case provided the --cluster-cidr option is configured. If we're relying on that, we should probably document it, or stop relying on it.

I've raised a new issue to track doing something on this: projectcalico/calico#2230
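The rule scan below is an added example; it is not code from this issue or from the Canal, flannel, Calico or kube-proxy projects. It mechanizes the diagnosis in the original report (a DROP policy on FORWARD, felix-FORWARD matching only cali+ interfaces, so nothing accepts a NodePort connection that kube-proxy has DNATed to a pod on another node and that leaves via flannel.1) together with the point in the last comment that an ACCEPT rule scoped to the cluster CIDR is what closes the gap. It assumes a pod CIDR of 192.168.0.0/16 (inferred from the /16 addresses on flannel.1 above, not stated on the page) and flannel.1 as the overlay interface; the `iptables -S` dump it scans is constructed to resemble the broken state rather than copied from a node. The remediation it prints is scoped to the pod CIDR and, for replies, to conntrack state, which is narrower than the interface-wide `-A FORWARD -o flannel.1 -j ACCEPT` in the report: that wider rule also accepts forwarded traffic to any destination routed through the overlay.

```shell
#!/bin/sh
# Added example, not code from the issue or from Canal/flannel/Calico/kube-proxy.
# Offline scan of `iptables -S` output: with a DROP policy on FORWARD, is there
# any rule that ACCEPTs a NodePort connection DNATed to a pod on another node
# and leaving via the overlay interface?
#
# Assumptions (not stated on the page): pod CIDR 192.168.0.0/16, overlay
# interface flannel.1. The dump below is constructed to mimic the broken state
# (ufw's DROP policy, felix-FORWARD only matching cali+), not copied from a node.
BROKEN_DUMP='-P FORWARD DROP
-A FORWARD -j felix-FORWARD
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A felix-FORWARD -i cali+ -m conntrack --ctstate INVALID -j DROP
-A felix-FORWARD -o cali+ -m conntrack --ctstate INVALID -j DROP
-A felix-FORWARD -i cali+ -j ACCEPT
-A felix-FORWARD -o cali+ -j ACCEPT'

# chains_jumped_from_forward DUMP: user chains that FORWARD jumps to directly,
# one per line (felix-FORWARD, KUBE-FORWARD, ufw-* and so on).
chains_jumped_from_forward() {
  printf '%s\n' "$1" |
    awk '$1 == "-A" && $2 == "FORWARD" && $(NF-1) == "-j" { print $NF }'
}

# forward_allows_overlay DUMP POD_CIDR OUT_IFACE
# Prints "accept" (status 0) if the FORWARD policy is ACCEPT, or if FORWARD or a
# chain it jumps to has an ACCEPT rule matching traffic leaving via OUT_IFACE or
# destined to POD_CIDR. Otherwise prints "drop" (status 1). This is a static
# scan of rule text: it does not evaluate rule order or conntrack state.
forward_allows_overlay() {
  dump=$1
  pod_cidr=$2
  out_if=$3
  if printf '%s\n' "$dump" | grep -q '^-P FORWARD ACCEPT$'; then
    echo accept
    return 0
  fi
  for chain in FORWARD $(chains_jumped_from_forward "$dump"); do
    if printf '%s\n' "$dump" |
       grep -E "^-A $chain .*(-o $out_if|-d $pod_cidr) (.* )?-j ACCEPT$" >/dev/null; then
      echo accept
      return 0
    fi
  done
  echo drop
  return 1
}

# remediation_rules POD_CIDR OUT_IFACE
# Two rules scoped to the pod CIDR instead of the interface-wide
# "-A FORWARD -o flannel.1 -j ACCEPT" from the report: new flows DNATed to a
# pod and leaving via the overlay, and their replies coming back from it
# (in FORWARD the reply still carries the pod IP as source; reverse DNAT is
# applied at POSTROUTING).
remediation_rules() {
  printf '%s\n' "-A FORWARD -d $1 -o $2 -j ACCEPT"
  printf '%s\n' "-A FORWARD -s $1 -i $2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Stand-alone run: report the constructed state, then the state after the fix.
# On a real node: forward_allows_overlay "$(sudo iptables -S)" 192.168.0.0/16 flannel.1
main() {
  printf 'before: %s\n' "$(forward_allows_overlay "$BROKEN_DUMP" 192.168.0.0/16 flannel.1)"
  fixed="$BROKEN_DUMP
$(remediation_rules 192.168.0.0/16 flannel.1)"
  printf 'after:  %s\n' "$(forward_allows_overlay "$fixed" 192.168.0.0/16 flannel.1)"
}
main
```

The scan only reads rule text, so an earlier DROP or REJECT in the same chain (for example from ufw-reject-forward) is not modelled; treat "accept" as a hint to confirm with counters (`iptables -v -L FORWARD`) rather than a verdict. Rules appended by hand do not survive a reboot or a ufw reload; on ufw hosts the durable places are /etc/ufw/before.rules or DEFAULT_FORWARD_POLICY in /etc/default/ufw.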

6 participants