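# NOTE(review): this dump had been collapsed onto a handful of physical lines.
# iptables-restore reads one directive per line and skips any line that starts
# with '#', so in the collapsed form the leading "# Generated" comment swallowed
# the whole first line and several rules were split mid-rule. The layout below
# restores one table header / chain declaration / rule / COMMIT per line; rule
# text, rule order and counters are as captured. Validate with
# `iptables-restore --test` before loading.
# The KUBE-*, KUBE-ROUTER-* and CNI-* chains are rewritten continuously by the
# cluster components that own them, so treat this file as a point-in-time
# snapshot for review, not as a baseline to re-apply.
#
# Generated by iptables-save v1.8.4 on Thu Apr 15 19:08:39 2021
*security
:INPUT ACCEPT [73601:200697042]
:FORWARD ACCEPT [26:2389]
:OUTPUT ACCEPT [66775:23317239]
COMMIT
# Completed on Thu Apr 15 19:08:39 2021
# Generated by iptables-save v1.8.4 on Thu Apr 15 19:08:39 2021
*raw
:PREROUTING ACCEPT [31366:51145901]
:OUTPUT ACCEPT [29573:12058951]
COMMIT
# Completed on Thu Apr 15 19:08:39 2021
# Generated by iptables-save v1.8.4 on Thu Apr 15 19:08:39 2021
*mangle
:PREROUTING ACCEPT [31366:51145901]
:INPUT ACCEPT [31340:51143512]
:FORWARD ACCEPT [26:2389]
:OUTPUT ACCEPT [29573:12058951]
:POSTROUTING ACCEPT [29594:12061040]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
COMMIT
# Completed on Thu Apr 15 19:08:39 2021
# Generated by iptables-save v1.8.4 on Thu Apr 15 19:08:39 2021
*nat
# Packet-mark bits used across this ruleset:
#   0x4000  set by KUBE-MARK-MASQ        -> SNAT in KUBE-POSTROUTING, ACCEPT in filter/KUBE-FORWARD
#   0x8000  set by KUBE-MARK-DROP        -> DROP in filter/KUBE-FIREWALL
#   0x2000  set by CNI-HOSTPORT-SETMARK  -> MASQUERADE in CNI-HOSTPORT-MASQ
# Anything else on the host that sets these bits will trigger the same verdicts.
:PREROUTING ACCEPT [2:105]
:INPUT ACCEPT [77:4620]
:POSTROUTING ACCEPT [559:38798]
:OUTPUT ACCEPT [556:38526]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SEP-OGNOLD2JUSLFPOMZ - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-SVC-QMWWTXBG7KFJQKLO - [0:0]
:KUBE-SEP-2AHCZLASALRZCLS7 - [0:0]
:CNI-HOSTPORT-SETMARK - [0:0]
:CNI-HOSTPORT-MASQ - [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
:CNI-DN-2bd9aad8cae8f393e11d3 - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:KUBE-SEP-VOJ5KSDSMKF2NGVM - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SEP-YP32F2HEJI64ZYJN - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SEP-6KJXLLADRY4FRUOJ - [0:0]
:KUBE-SVC-W3ST5H65YH2QID6S - [0:0]
:KUBE-SEP-UZYAOWLXOIYK7Z2F - [0:0]
:KUBE-SVC-IKNZCF5XJQBTG3KZ - [0:0]
:KUBE-FW-IKNZCF5XJQBTG3KZ - [0:0]
:KUBE-SEP-HTHX4MVTHJ3OQ45G - [0:0]
:KUBE-SVC-X3WUOHPTYIG7AA3Q - [0:0]
:KUBE-FW-X3WUOHPTYIG7AA3Q - [0:0]
:KUBE-SEP-AK7EYFNCDRLQXBSU - [0:0]
# Built-in chain hooks. In PREROUTING and OUTPUT, KUBE-SERVICES is consulted
# before CNI-HOSTPORT-DNAT, so a packet that is DNATed by a service rule never
# reaches the hostport rules.
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A POSTROUTING -m comment --comment "CNI portfwd requiring masquerade" -j CNI-HOSTPORT-MASQ
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
# Pod-network SNAT policy for 10.42.0.0/16: pod-to-pod traffic keeps its source
# address; pod traffic to any non-multicast destination outside the pod range is
# masqueraded to the node address, so upstream logs and ACLs see the node, not
# the pod.
-A POSTROUTING -s 10.42.0.0/16 -d 10.42.0.0/16 -j RETURN
-A POSTROUTING -s 10.42.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE --random-fully
-A POSTROUTING ! -s 10.42.0.0/16 -d 10.42.0.0/24 -j RETURN
-A POSTROUTING ! -s 10.42.0.0/16 -d 10.42.0.0/16 -j MASQUERADE --random-fully
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
# KUBE-SERVICES: one pair of rules per cluster-IP port. The first rule of each
# pair marks traffic that does not originate from the pod range for SNAT; the
# second dispatches to the per-service chain. None of these rules restricts the
# source address: anything that can route a packet to a 10.43.x.x service
# address on this node is translated to the backing pod.
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.148.190/32 -p tcp -m comment --comment "kube-system/traefik:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.148.190/32 -p tcp -m comment --comment "kube-system/traefik:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-IKNZCF5XJQBTG3KZ
-A KUBE-SERVICES -d 10.0.2.15/32 -p tcp -m comment --comment "kube-system/traefik:https loadbalancer IP" -m tcp --dport 443 -j KUBE-FW-IKNZCF5XJQBTG3KZ
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
# Metrics ports (9153, 9100) are published as ordinary cluster IPs; check that
# the data they serve is acceptable for every workload that can reach them.
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.238.124/32 -p tcp -m comment --comment "kube-system/metrics-server cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.238.124/32 -p tcp -m comment --comment "kube-system/metrics-server cluster IP" -m tcp --dport 443 -j KUBE-SVC-QMWWTXBG7KFJQKLO
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.191.172/32 -p tcp -m comment --comment "kube-system/traefik-prometheus:metrics cluster IP" -m tcp --dport 9100 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.191.172/32 -p tcp -m comment --comment "kube-system/traefik-prometheus:metrics cluster IP" -m tcp --dport 9100 -j KUBE-SVC-W3ST5H65YH2QID6S
-A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.148.190/32 -p tcp -m comment --comment "kube-system/traefik:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.43.148.190/32 -p tcp -m comment --comment "kube-system/traefik:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-X3WUOHPTYIG7AA3Q
-A KUBE-SERVICES -d 10.0.2.15/32 -p tcp -m comment --comment "kube-system/traefik:http loadbalancer IP" -m tcp --dport 80 -j KUBE-FW-X3WUOHPTYIG7AA3Q
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
# KUBE-POSTROUTING: only packets carrying the 0x4000 mark are SNATed. The
# --set-xmark 0x4000/0x0 rule XORs the bit, which clears it here because the
# preceding RETURN already removed every packet that did not have it set.
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
# NodePorts 31124 (https) and 30364 (http) are matched on every local address
# with no source filter, and all such traffic is marked for SNAT, so the
# backend sees a node address instead of the client address. Source-IP based
# allow-lists or rate limits in the ingress pod will not see real clients.
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/traefik:https" -m tcp --dport 31124 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/traefik:https" -m tcp --dport 31124 -j KUBE-SVC-IKNZCF5XJQBTG3KZ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/traefik:http" -m tcp --dport 30364 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/traefik:http" -m tcp --dport 30364 -j KUBE-SVC-X3WUOHPTYIG7AA3Q
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
# Per-service (KUBE-SVC-*) and per-endpoint (KUBE-SEP-*) chains. Every service
# in this dump has exactly one endpoint. In each KUBE-SEP chain the first rule
# marks hairpin traffic (the endpoint calling its own service) for SNAT and the
# second performs the DNAT.
# The API service 10.43.0.1:443 resolves to 10.0.2.15:6443 on this node.
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-OGNOLD2JUSLFPOMZ
-A KUBE-SEP-OGNOLD2JUSLFPOMZ -s 10.0.2.15/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-OGNOLD2JUSLFPOMZ -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 10.0.2.15:6443
-A KUBE-SVC-QMWWTXBG7KFJQKLO -m comment --comment "kube-system/metrics-server" -j KUBE-SEP-2AHCZLASALRZCLS7
-A KUBE-SEP-2AHCZLASALRZCLS7 -s 10.42.0.4/32 -m comment --comment "kube-system/metrics-server" -j KUBE-MARK-MASQ
-A KUBE-SEP-2AHCZLASALRZCLS7 -p tcp -m comment --comment "kube-system/metrics-server" -m tcp -j DNAT --to-destination 10.42.0.4:443
# CNI hostport mapping: TCP 80 and 443 on any local address are DNATed to
# 10.42.0.7 with no source restriction. That target is a different pod address
# from the traefik endpoint 10.42.0.6 used by the service chains; presumably it
# is a forwarder pod in front of the ingress -- confirm what runs at 10.42.0.7.
# Only traffic from 10.42.0.0/24 or 127.0.0.1 is marked for masquerade; other
# clients reach the hostport target with their original source address.
-A CNI-HOSTPORT-SETMARK -m comment --comment "CNI portfwd masquerade mark" -j MARK --set-xmark 0x2000/0x2000
-A CNI-HOSTPORT-MASQ -m mark --mark 0x2000/0x2000 -j MASQUERADE
-A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"cbr0\" id: \"c7664eeb4726364ecec7a74a2258c68d68b35f9e49f63f358f80cd896db9b8cf\"" -m multiport --dports 80,443 -j CNI-DN-2bd9aad8cae8f393e11d3
-A CNI-DN-2bd9aad8cae8f393e11d3 -s 10.42.0.0/24 -p tcp -m tcp --dport 80 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-2bd9aad8cae8f393e11d3 -s 127.0.0.1/32 -p tcp -m tcp --dport 80 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-2bd9aad8cae8f393e11d3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.42.0.7:80
-A CNI-DN-2bd9aad8cae8f393e11d3 -s 10.42.0.0/24 -p tcp -m tcp --dport 443 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-2bd9aad8cae8f393e11d3 -s 127.0.0.1/32 -p tcp -m tcp --dport 443 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-2bd9aad8cae8f393e11d3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.42.0.7:443
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-VOJ5KSDSMKF2NGVM
-A KUBE-SEP-VOJ5KSDSMKF2NGVM -s 10.42.0.2/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-VOJ5KSDSMKF2NGVM -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.42.0.2:53
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-YP32F2HEJI64ZYJN
-A KUBE-SEP-YP32F2HEJI64ZYJN -s 10.42.0.2/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-YP32F2HEJI64ZYJN -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.42.0.2:53
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-SEP-6KJXLLADRY4FRUOJ
-A KUBE-SEP-6KJXLLADRY4FRUOJ -s 10.42.0.2/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-6KJXLLADRY4FRUOJ -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.42.0.2:9153
-A KUBE-SVC-W3ST5H65YH2QID6S -m comment --comment "kube-system/traefik-prometheus:metrics" -j KUBE-SEP-UZYAOWLXOIYK7Z2F
-A KUBE-SEP-UZYAOWLXOIYK7Z2F -s 10.42.0.6/32 -m comment --comment "kube-system/traefik-prometheus:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-UZYAOWLXOIYK7Z2F -p tcp -m comment --comment "kube-system/traefik-prometheus:metrics" -m tcp -j DNAT --to-destination 10.42.0.6:9100
-A KUBE-SVC-IKNZCF5XJQBTG3KZ -m comment --comment "kube-system/traefik:https" -j KUBE-SEP-HTHX4MVTHJ3OQ45G
# KUBE-FW-* (load-balancer IP 10.0.2.15): mark for SNAT, hand off to the service
# chain, and fall through to KUBE-MARK-DROP only if the service chain did not
# DNAT the packet. There is no per-source rule between the first and second
# line, i.e. no source-range restriction is present for the load-balancer
# address in this dump; every client that can reach 10.0.2.15:80/443 is
# admitted and then SNATed.
-A KUBE-FW-IKNZCF5XJQBTG3KZ -m comment --comment "kube-system/traefik:https loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-FW-IKNZCF5XJQBTG3KZ -m comment --comment "kube-system/traefik:https loadbalancer IP" -j KUBE-SVC-IKNZCF5XJQBTG3KZ
-A KUBE-FW-IKNZCF5XJQBTG3KZ -m comment --comment "kube-system/traefik:https loadbalancer IP" -j KUBE-MARK-DROP
-A KUBE-SEP-HTHX4MVTHJ3OQ45G -s 10.42.0.6/32 -m comment --comment "kube-system/traefik:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-HTHX4MVTHJ3OQ45G -p tcp -m comment --comment "kube-system/traefik:https" -m tcp -j DNAT --to-destination 10.42.0.6:443
-A KUBE-SVC-X3WUOHPTYIG7AA3Q -m comment --comment "kube-system/traefik:http" -j KUBE-SEP-AK7EYFNCDRLQXBSU
-A KUBE-FW-X3WUOHPTYIG7AA3Q -m comment --comment "kube-system/traefik:http loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-FW-X3WUOHPTYIG7AA3Q -m comment --comment "kube-system/traefik:http loadbalancer IP" -j KUBE-SVC-X3WUOHPTYIG7AA3Q
-A KUBE-FW-X3WUOHPTYIG7AA3Q -m comment --comment "kube-system/traefik:http loadbalancer IP" -j KUBE-MARK-DROP
-A KUBE-SEP-AK7EYFNCDRLQXBSU -s 10.42.0.6/32 -m comment --comment "kube-system/traefik:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-AK7EYFNCDRLQXBSU -p tcp -m comment --comment "kube-system/traefik:http" -m tcp -j DNAT --to-destination 10.42.0.6:80
COMMIT
# Completed on Thu Apr 15 19:08:39 2021
# Generated by iptables-save v1.8.4 on Thu Apr 15 19:08:39 2021
*filter
# All three built-in policies are ACCEPT and the only DROP rules in this table
# are the two in KUBE-FIREWALL and the INVALID-state rule in KUBE-FORWARD.
# There is no host-level default deny: any node service listening on a routable
# address (kubelet, API server on 6443, SSH, ...) is reachable unless something
# outside this ruleset filters it.
:INPUT ACCEPT [31340:51143512]
:FORWARD ACCEPT [8:360]
:OUTPUT ACCEPT [29564:12058224]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-ROUTER-INPUT - [0:0]
:KUBE-ROUTER-FORWARD - [0:0]
:KUBE-ROUTER-OUTPUT - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
# The network-policy hooks run first in INPUT, FORWARD and OUTPUT, but
# KUBE-ROUTER-FORWARD and KUBE-ROUTER-OUTPUT contain no rules in this dump and
# KUBE-ROUTER-INPUT contains only RETURN rules, so no policy verdict is enforced
# here. Presumably no NetworkPolicy objects existed at capture time -- confirm,
# because with this ruleset every pod can talk to every other pod and service.
-A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
-A INPUT -j KUBE-FIREWALL
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A FORWARD -m comment --comment "kube-router netpol - TEMCG2JMHZYE7H7T" -j KUBE-ROUTER-FORWARD
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
# Unconditional forwarding for the whole pod range in both directions: any
# packet routed through this node to or from 10.42.0.0/16 is accepted once the
# chains above have returned.
-A FORWARD -s 10.42.0.0/16 -j ACCEPT
-A FORWARD -d 10.42.0.0/16 -j ACCEPT
-A OUTPUT -m comment --comment "kube-router netpol - VEAAIY32XVBHCSCY" -j KUBE-ROUTER-OUTPUT
-A OUTPUT -j KUBE-FIREWALL
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# KUBE-ROUTER-INPUT: early RETURN for the service range 10.43.0.0/16 and for the
# node-port range 30000-32767 on local addresses (TCP and UDP).
-A KUBE-ROUTER-INPUT -d 10.43.0.0/16 -m comment --comment "allow traffic to cluster IP - M66LPN4N3KB5HTJR" -j RETURN
-A KUBE-ROUTER-INPUT -p tcp -m comment --comment "allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
-A KUBE-ROUTER-INPUT -p udp -m comment --comment "allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ" -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -j RETURN
# KUBE-FIREWALL: drops packets carrying the 0x8000 mark, and drops packets
# addressed to 127.0.0.0/8 whose source is outside 127.0.0.0/8 unless conntrack
# reports them as RELATED, ESTABLISHED or DNAT. The second rule keeps
# loopback-only listeners from being reached from the network on hosts where
# routing to loopback addresses is enabled; keep it when editing this table.
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
COMMIT
# Completed on Thu Apr 15 19:08:39 2021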