I'm running kube-proxy on each of my kubernetes nodes. I see that it is installing its iptables rules to create virtual service hosts. I use flannel overlay networking to connect together the docker networks of my nodes. This all works fine from inside docker containers. So I am able to connect to the pods directly as well as to the services from inside a docker container.
But due to certain requirements I need to access services from a node host in the same way as from inside a docker container. The problem is that this is only possible on the node that a service pod is running on.
See the following example of iptables-save on a node that is not hosting a kubernetes-dashboard pod, as clarification (the pod is running on kube-node-2):
[root@kube-node-1 ~]# iptables-save | grep dashboard
-A KUBE-SEP-CAT6SKLXJIMXS63T -s 172.16.99.5/32 -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-MARK-MASQ
-A KUBE-SEP-CAT6SKLXJIMXS63T -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp -j DNAT --to-destination 172.16.99.5:9090
-A KUBE-SERVICES -d 10.254.242.220/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 80 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-SVC-XGLOHA7QRQ3V22RZ -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-SEP-CAT6SKLXJIMXS63T
I'm now able to curl http://172.16.99.5:9090 but I'm not able to curl http://10.254.242.220 (on kube-node-2 this command succeeds). On the other hand, from the same host a docker run -it --rm centos /usr/bin/curl http://10.254.242.220 does work.
I have the intuition that something in the iptables rules and NATing is missing, such that all packages jump into the KUBE-SERVICES chain. Perhaps somebody can help me understand what's going on and provide a solution.
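To make the symptom in the question checkable rather than guessed at, here is a small added diagnostic script (not part of the question or of kube-proxy). It parses an iptables-save nat-table dump and follows a cluster IP through KUBE-SERVICES, the KUBE-SVC chain and the KUBE-SEP chains to the DNAT target, and it reports whether both nat hooks that kube-proxy installs, PREROUTING (traffic arriving from containers via docker0) and OUTPUT (traffic generated on the node itself, such as a curl on the host), actually jump into KUBE-SERVICES. The dump below is constructed from the rules shown in the question plus the two hook rules kube-proxy normally adds; the chain and IP values are the question's, the function names are mine. On a real node, replace SAMPLE_DUMP with the output of iptables-save -t nat.

```shell
#!/bin/sh
# Constructed nat-table excerpt, modelled on the question's iptables-save output.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.254.242.220/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 80 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-SVC-XGLOHA7QRQ3V22RZ -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-SEP-CAT6SKLXJIMXS63T
-A KUBE-SEP-CAT6SKLXJIMXS63T -s 172.16.99.5/32 -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-MARK-MASQ
-A KUBE-SEP-CAT6SKLXJIMXS63T -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp -j DNAT --to-destination 172.16.99.5:9090
COMMIT'

# Constructed variant: the same dump with the OUTPUT hook removed, i.e. a node where
# locally generated traffic never reaches KUBE-SERVICES.
NO_OUTPUT_HOOK=$(printf '%s\n' "$SAMPLE_DUMP" | grep -v '^-A OUTPUT ')

# has_hook CHAIN DUMP: succeeds if the nat CHAIN jumps into KUBE-SERVICES.
has_hook() {
    printf '%s\n' "$2" | grep -q -- "^-A $1 .*-j KUBE-SERVICES\$"
}

# svc_chain CLUSTER_IP DUMP: prints the KUBE-SVC chain that KUBE-SERVICES selects for the IP.
svc_chain() {
    printf '%s\n' "$2" | sed -n "s|^-A KUBE-SERVICES -d $1/32 .*-j \(KUBE-SVC-[A-Z0-9]*\)\$|\1|p"
}

# endpoints SVC_CHAIN DUMP: prints every DNAT destination reachable from SVC_CHAIN.
endpoints() {
    dump="$2"
    for sep in $(printf '%s\n' "$dump" | sed -n "s|^-A $1 .*-j \(KUBE-SEP-[A-Z0-9]*\)\$|\1|p"); do
        printf '%s\n' "$dump" | sed -n "s|^-A $sep .*-j DNAT --to-destination \(.*\)\$|\1|p"
    done
}

# trace CLUSTER_IP DUMP: reports hook presence and the DNAT path; returns 1 if the
# cluster IP has no KUBE-SERVICES rule at all.
trace() {
    ip="$1"; dump="$2"
    for hook in PREROUTING OUTPUT; do
        if has_hook "$hook" "$dump"; then
            printf 'nat %s -> KUBE-SERVICES: present\n' "$hook"
        else
            printf 'nat %s -> KUBE-SERVICES: MISSING\n' "$hook"
        fi
    done
    svc=$(svc_chain "$ip" "$dump")
    [ -n "$svc" ] || { printf 'no KUBE-SERVICES rule for %s\n' "$ip"; return 1; }
    printf '%s -> %s -> %s\n' "$ip" "$svc" "$(endpoints "$svc" "$dump" | tr '\n' ' ')"
}

trace 10.254.242.220 "$SAMPLE_DUMP"
printf -- '--- dump without OUTPUT hook ---\n'
trace 10.254.242.220 "$NO_OUTPUT_HOOK"
```

The point of the two hooks: PREROUTING only sees packets entering the node (including those from docker0, which is why the container curl works), while OUTPUT is the only nat hook that locally generated packets traverse. If a host curl to the cluster IP fails but a container curl succeeds, the OUTPUT hook and the rules it reaches are the first thing to compare between the working and the failing node.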
If you want to access services from outside the kubernetes cluster, you need to use service type NodePort, see http://kubernetes.io/docs/user-guide/services/#publishing-services---service-types. If you want to use ports outside of the default port range (30000-32767), you can additionally allow a new range with the --service-node-port-range option of the api server, see http://kubernetes.io/docs/admin/kube-apiserver/.
Greetings, Marc