couldn't find any FORWARD chain REJECT entry in proxy/iptables/proxier.go but somehow it shows up in the node iptables

8/23/2019

I have a new k8s install (kube-proxy iptables mode) and am trying to learn how iptables is done. I noticed this entry in the FORWARD chain: REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Looking at proxy/iptables/proxier.go, nothing could have added the above entry as far as I can tell. How did that entry get added there? The following is the entire FORWARD chain:

Chain FORWARD (policy DROP)
target prot opt source destination
KUBE-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */
KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes service portals */
DOCKER-ISOLATION all -- 0.0.0.0/0 0.0.0.0/0
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
ACCEPT all -- 10.244.0.0/16 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 10.244.0.0/16

The k8s is 1.15.2 release.

-- user6912709
kubernetes

1 Answer

8/26/2019

It turns out this entry was added by firewalld in CentOS 7 by default.

-- user6912709
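To tell at a glance which component installed each rule in a listing like the one in the question, here is an added example (not from the question, and not kube-proxy's own code) that parses `iptables -L FORWARD -n` output, attributes each rule to kube-proxy, docker or firewalld by chain-name prefix, and flags an unconditional REJECT that is evaluated before the pod-CIDR ACCEPT rules. The owner heuristics are assumptions, the pod CIDR 10.244.0.0/16 is taken from the listing, and the sample input is constructed from the question's chain.

```python
"""Attribute FORWARD-chain rules to the component that most likely installed them.
Added example, not from the question or kube-proxy's proxier.go; owner heuristics are assumptions."""

# Constructed from the chain listing in the question (iptables -L FORWARD -n form).
SAMPLE = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
KUBE-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding rules */
KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes service portals */
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
ACCEPT     all  --  10.244.0.0/16        0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            10.244.0.0/16
"""

def owner_of(target, extra):
    """Guess which component installed a rule from its target chain and match text (heuristic)."""
    if target.startswith("KUBE-") or "kubernetes" in extra:
        return "kube-proxy"
    if target.startswith("DOCKER"):
        return "docker"
    if target.startswith("FORWARD_") or "icmp-host-prohibited" in extra:
        return "firewalld"  # assumption: firewalld zone chains and its default REJECT
    return "unknown"

def parse_chain(text):
    """Parse `iptables -L <chain> -n` output into rule dicts, preserving chain order."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Chain ", "target ")):
            continue
        parts = line.split(None, 5)  # target prot opt source destination [extra]
        extra = parts[5] if len(parts) > 5 else ""
        rules.append({"target": parts[0], "src": parts[3], "dst": parts[4],
                      "extra": extra, "owner": owner_of(parts[0], extra)})
    return rules

def reject_precedes_pod_accept(rules, pod_cidr):
    """True if an unconditional REJECT is evaluated before any ACCEPT matching pod_cidr."""
    for i, r in enumerate(rules):
        if r["target"] == "REJECT" and "ctstate" not in r["extra"]:
            return any(a["target"] == "ACCEPT" and pod_cidr in (a["src"], a["dst"])
                       for a in rules[i + 1:])
    return False
```

On a live node, feed it the output of `iptables -L FORWARD -n` instead of SAMPLE; a True result from reject_precedes_pod_accept means pod forwarding traffic hits the firewalld REJECT before the CNI's ACCEPT rules are reached.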
Source: StackOverflow