iptables
root@cloud:~# iptables -t nat -L POSTROUTING -n --line-number Chain POSTROUTING (policy ACCEPT) num target prot opt source destination 1 KUBE-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes postrouting rules */ 2 MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0 3 RETURN all -- 10.244.0.0/16 10.244.0.0/16 4 MASQUERADE all -- 10.244.0.0/16 !224.0.0.0/4 5 RETURN all -- !10.244.0.0/16 10.244.0.0/24 6 MASQUERADE all -- !10.244.0.0/16 10.244.0.0/16 root@cloud:~# iptables -t filter -L INPUT -n --line-number Chain INPUT (policy ACCEPT) num target prot opt source destination 1 KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes service portals */ 2 KUBE-EXTERNAL-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes externally-visible service portals */ 3 KUBE-FIREWALL all -- 0.0.0.0/0 0.0.0.0/0 4 DROP tcp -- 210.22.22.150 0.0.0.0/0 tcp dpt:10000 5 DROP tcp -- 210.22.22.150 0.0.0.0/0 tcp dpt:10004 root@cloud:~#
root@cloud:~# iptables -t filter -D INPUT 4 root@cloud:~# date Tue May 18 16:50:21 CST 2021 root@cloud:~# iptables -t filter -L INPUT -n --line-number Chain INPUT (policy ACCEPT) num target prot opt source destination 1 KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes service portals */ 2 KUBE-EXTERNAL-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes externally-visible service portals */ 3 KUBE-FIREWALL all -- 0.0.0.0/0 0.0.0.0/0
server : 开启 6666端口
client telnet server 66
root@ubuntu:~/c++# conntrack -L | grep 6666 tcp 6 86396 ESTABLISHED src=10.10.16.81 dst=10.10.16.82 sport=45486 dport=6666 src=10.10.16.82 dst=10.10.16.81 sport=6666 dport=45486 [ASSURED] mark=0 use=1
server : 开启 6666端口
client telnet server 66
添加 tcp notrack（注意：raw 表只有 PREROUTING 和 OUTPUT 链，没有 INPUT 链，所以下面第一条 `-t raw -I INPUT` 报错，需改用 PREROUTING）
root@ubuntu:~/c++# iptables -t raw -I INPUT 1 -p udp --dport 6666 -j NOTRACK iptables: No chain/target/match by that name. root@ubuntu:~/c++# iptables -t raw -I PREROUTING 1 -p tcp --dport 6666 -j NOTRACK root@ubuntu:~/c++# conntrack -L | grep 6666
root@ubuntu:~/c++# iptables -t raw -L PREROUTING -n --line-number Chain PREROUTING (policy ACCEPT) num target prot opt source destination 1 CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6666 NOTRACK 2 CT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:6666 NOTRACK root@ubuntu:~/c++# conntrack -L | grep 6666 conntrack v1.4.4 (conntrack-tools): 153 flow entries have been shown. root@ubuntu:~/c++#