cni flannel iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited
[root@centos7 ~]# kubectl exec -it nginx-app-56b5bb67cc-6hjgt -- ls /sys/class/net/ eth0 lo [root@centos7 ~]# kubectl exec -it nginx-app-56b5bb67cc-6hjgt -- ls /sys/class/net/eth0 addr_assign_type dormant mtu proto_down addr_len duplex name_assign_type queues address flags netdev_group speed broadcast gro_flush_timeout operstate statistics carrier ifalias phys_port_id subsystem carrier_changes ifindex phys_port_name tx_queue_len dev_id iflink phys_switch_id type dev_port link_mode power uevent [root@centos7 ~]# kubectl exec -it nginx-app-56b5bb67cc-6hjgt -- ls /sys/class/net/eth0/ifindex /sys/class/net/eth0/ifindex [root@centos7 ~]# kubectl exec -it nginx-app-56b5bb67cc-6hjgt -- cat /sys/class/net/eth0/ifindex 3 [root@centos7 ~]# kubectl exec -it nginx-app-56b5bb67cc-6hjgt -- cat /sys/class/net/eth0/name_assign_type 3 [root@centos7 ~]# kubectl exec -it nginx-app-56b5bb67cc-6hjgt -- cat /sys/class/net/eth0/iflink 12 [root@centos7 ~]#
12: veth626661db@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default link/ether e6:03:6c:ad:25:38 brd ff:ff:ff:ff:ff:ff link-netnsid 1 inet6 fe80::e403:6cff:fead:2538/64 scope link valid_lft forever preferred_lft forever
[root@centos7 ~]# kubectl exec -it nginx-app-56b5bb67cc-6hjgt -- ping 8.8.8.8. rpc error: code = 2 desc = oci runtime error: exec failed: container_linux.go:235: starting container process caused "exec: \"ping\": executable file not found in $PATH" command terminated with exit code 126 [root@centos7 ~]# kubectl exec -it nginx-app-56b5bb67cc-6hjgt -- curl http://10.107.2.145:5443 curl: (7) Failed to connect to 10.107.2.145 port 5443: No route to host command terminated with exit code 7 [root@centos7 ~]#
[root@centos7 ~]# ip a sh flannel.1 9: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default link/ether da:af:67:aa:ac:d9 brd ff:ff:ff:ff:ff:ff inet 10.251.0.0/32 scope global flannel.1 valid_lft forever preferred_lft forever inet6 fe80::d8af:67ff:feaa:acd9/64 scope link valid_lft forever preferred_lft forever [root@centos7 ~]# tcpdump -i veth626661db -eennv tcpdump: listening on veth626661db, link-type EN10MB (Ethernet), capture size 262144 bytes 23:31:57.308683 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 19938, offset 0, flags [DF], proto TCP (6), length 60) 10.251.0.47.35644 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0x1554), seq 3760945103, win 28200, options [mss 1410,sackOK,TS val 3003842826 ecr 0,nop,wscale 7], length 0 23:31:57.308835 de:03:c3:e8:e0:ca > 6e:8d:69:3a:95:9e, ethertype IPv4 (0x0800), length 102: (tos 0xc0, ttl 64, id 13376, offset 0, flags [none], proto ICMP (1), length 88) 10.251.0.1 > 10.251.0.47: ICMP host 10.107.2.145 unreachable - admin prohibited, length 68 (tos 0x0, ttl 63, id 19938, offset 0, flags [DF], proto TCP (6), length 60) 10.251.0.47.35644 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0x1554), seq 3760945103, win 28200, options [mss 1410,sackOK,TS val 3003842826 ecr 0,nop,wscale 7], length 0 23:31:58.377429 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 19939, offset 0, flags [DF], proto TCP (6), length 60) 10.251.0.47.35644 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0x1127), seq 3760945103, win 28200, options [mss 1410,sackOK,TS val 3003843895 ecr 0,nop,wscale 7], length 0 23:31:58.377549 de:03:c3:e8:e0:ca > 6e:8d:69:3a:95:9e, ethertype IPv4 (0x0800), length 102: (tos 0xc0, ttl 64, id 13419, offset 0, flags [none], proto ICMP (1), length 88) 10.251.0.1 > 10.251.0.47: ICMP host 10.107.2.145 unreachable - admin prohibited, length 68 (tos 0x0, 
ttl 63, id 19939, offset 0, flags [DF], proto TCP (6), length 60) 10.251.0.47.35644 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0x1127), seq 3760945103, win 28200, options [mss 1410,sackOK,TS val 3003843895 ecr 0,nop,wscale 7], length 0 23:32:02.377416 de:03:c3:e8:e0:ca > 6e:8d:69:3a:95:9e, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.251.0.47 tell 10.251.0.1, length 28 23:32:02.377495 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.251.0.1 tell 10.251.0.47, length 28 23:32:02.377527 de:03:c3:e8:e0:ca > 6e:8d:69:3a:95:9e, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 10.251.0.1 is-at de:03:c3:e8:e0:ca, length 28 23:32:02.377534 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 10.251.0.47 is-at 6e:8d:69:3a:95:9e, length 28
[root@centos7 ~]# ip link show veth626661db 12: veth626661db@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP mode DEFAULT group default link/ether e6:03:6c:ad:25:38 brd ff:ff:ff:ff:ff:ff link-netnsid 1
root@centos7 ~]# tcpdump -i cni0 tcp and host 10.107.2.145 -eennvv tcpdump: listening on cni0, link-type EN10MB (Ethernet), capture size 262144 bytes 23:34:58.199373 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 64348, offset 0, flags [DF], proto TCP (6), length 60) 10.251.0.47.36996 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0xd837), seq 1370127242, win 28200, options [mss 1410,sackOK,TS val 3004023714 ecr 0,nop,wscale 7], length 0 23:34:59.257409 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 64349, offset 0, flags [DF], proto TCP (6), length 60) 10.251.0.47.36996 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0xd415), seq 1370127242, win 28200, options [mss 1410,sackOK,TS val 3004024772 ecr 0,nop,wscale 7], length 0 ^C 2 packets captured 2 packets received by filter 0 packets dropped by kernel [root@centos7 ~]#
[root@centos7 ~]# kubectl logs kube-flannel-ds-arm64-gmljw -n kube-system I0909 14:06:41.611364 1 main.go:518] Determining IP address of default interface I0909 14:06:41.615836 1 main.go:531] Using interface with name enp125s0f0 and address 10.10.16.251 I0909 14:06:41.615883 1 main.go:548] Defaulting external address to interface address (10.10.16.251) W0909 14:06:41.615909 1 client_config.go:517] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work. I0909 14:06:41.716610 1 kube.go:119] Waiting 10m0s for node controller to sync I0909 14:06:41.716730 1 kube.go:306] Starting kube subnet manager I0909 14:06:42.716915 1 kube.go:126] Node controller sync successful I0909 14:06:42.716977 1 main.go:246] Created subnet manager: Kubernetes Subnet Manager - centos7 I0909 14:06:42.716999 1 main.go:249] Installing signal handlers I0909 14:06:42.717336 1 main.go:390] Found network config - Backend type: vxlan I0909 14:06:42.717486 1 vxlan.go:121] VXLAN config: VNI=1 Port=0 GBP=false Learning=false DirectRouting=false I0909 14:06:43.321587 1 main.go:305] Setting up masking rules I0909 14:06:43.412778 1 main.go:313] Changing default FORWARD chain policy to ACCEPT I0909 14:06:43.413115 1 main.go:321] Wrote subnet file to /run/flannel/subnet.env I0909 14:06:43.413146 1 main.go:325] Running backend. I0909 14:06:43.413187 1 main.go:343] Waiting for all goroutines to exit I0909 14:06:43.413234 1 vxlan_network.go:60] watching for new subnet leases [root@centos7 ~]# cat /run/flannel/subnet.env FLANNEL_NETWORK=10.244.0.0/16 FLANNEL_SUBNET=10.251.0.1/24 FLANNEL_MTU=1450 FLANNEL_IPMASQ=true [root@centos7 ~]#
发生了丢包
[root@centos7 ~]# iptables -t raw -j TRACE -p tcp --dport 5443 -d 10.107.2.145 -I PREROUTING 1 [root@centos7 ~]# iptables -t raw -j TRACE -p tcp --dport 5443 -d 10.107.2.145 -I OUTPUT 1 [root@centos7 ~]# tail /var/log/kern.debug.log -f | grep 5443 | grep 10.107.2.145
[root@centos7 ~]# tail /var/log/kern.debug.log Sep 10 00:09:28 centos7 kernel: TRACE: filter:FORWARD:rule:14 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) Sep 10 00:09:28 centos7 kernel: TRACE: filter:FORWARD_OUT_ZONES:rule:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public:rule:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public_log:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public:rule:2 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public_deny:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b 
MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public:rule:3 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public_allow:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public:return:4 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) Sep 10 00:09:28 centos7 kernel: TRACE: filter:FORWARD:rule:16 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) [root@centos7 ~]# iptables -t filter -L FORWARD --line-number Chain FORWARD (policy DROP) num target prot opt source destination 1 KUBE-FORWARD all -- anywhere anywhere /* kubernetes forwarding rules */ 2 KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */ 3 
DOCKER-ISOLATION all -- anywhere anywhere 4 DOCKER all -- anywhere anywhere 5 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED 6 ACCEPT all -- anywhere anywhere 7 ACCEPT all -- anywhere anywhere 8 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED 9 ACCEPT all -- anywhere anywhere 10 FORWARD_direct all -- anywhere anywhere 11 FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere 12 FORWARD_IN_ZONES all -- anywhere anywhere 13 FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere 14 FORWARD_OUT_ZONES all -- anywhere anywhere 15 DROP all -- anywhere anywhere ctstate INVALID 16 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited 17 ACCEPT all -- 10.244.0.0/16 anywhere 18 ACCEPT all -- anywhere 10.244.0.0/16 [root@centos7 ~]# iptables -t filter -L FWDO_public --line-number Chain FWDO_public (2 references) num target prot opt source destination 1 FWDO_public_log all -- anywhere anywhere 2 FWDO_public_deny all -- anywhere anywhere 3 FWDO_public_allow all -- anywhere anywhere [root@centos7 ~]# iptables -t filter -L FORWARD_OUT_ZONES --line-number Chain FORWARD_OUT_ZONES (1 references) num target prot opt source destination 1 FWDO_public all -- anywhere anywhere [goto] 2 FWDO_public all -- anywhere anywhere [goto] [root@centos7 ~]# [root@centos7 ~]# iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited [root@centos7 ~]#
return
target 类型包括 ACCEPT、REJECT、DROP、LOG、SNAT、MASQUERADE、DNAT、REDIRECT、RETURN，或者跳转到其他自定义链等。报文进入某一条链后按顺序逐条匹配，只要有一条规则匹配，就可以确定报文的去向了；例外是 RETURN 类型，它类似编程语言中的 return 语句，返回到调用点，继续执行调用链中的下一条规则。
[root@centos7 ~]# iptables -t filter -L FORWARD --line-number Chain FORWARD (policy DROP) num target prot opt source destination 1 KUBE-FORWARD all -- anywhere anywhere /* kubernetes forwarding rules */ 2 KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */ 3 DOCKER-ISOLATION all -- anywhere anywhere 4 DOCKER all -- anywhere anywhere 5 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED 6 ACCEPT all -- anywhere anywhere 7 ACCEPT all -- anywhere anywhere 8 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED 9 ACCEPT all -- anywhere anywhere 10 FORWARD_direct all -- anywhere anywhere 11 FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere 12 FORWARD_IN_ZONES all -- anywhere anywhere 13 FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere 14 FORWARD_OUT_ZONES all -- anywhere anywhere 15 DROP all -- anywhere anywhere ctstate INVALID 16 ACCEPT all -- 10.244.0.0/16 anywhere 17 ACCEPT all -- anywhere 10.244.0.0/16
filter:FORWARD:policy:18 默认策略（源地址 10.251.0.65 不在 10.244.0.0/16 内，目的地址 10.107.2.145 也不在，因此第 16、17 条 ACCEPT 规则都未匹配，报文最终落到 FORWARD 链的默认策略 DROP）
[root@centos7 ~]# tail /var/log/kern.debug.log | grep 5443 | grep 10.107.2.145 Sep 10 04:33:28 centos7 kernel: TRACE: filter:FORWARD:rule:14 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) Sep 10 04:33:28 centos7 kernel: TRACE: filter:FORWARD_OUT_ZONES:rule:1 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public:rule:1 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public_log:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public:rule:2 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public_deny:return:1 IN=cni0 OUT=enp125s0f0 
PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public:rule:3 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public_allow:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public:return:4 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) Sep 10 04:33:28 centos7 kernel: TRACE: filter:FORWARD:policy:18 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) [root@centos7 ~]# iptables -t filter -L FORWARD -n --line-number Chain FORWARD (policy DROP) num target prot opt source destination 1 KUBE-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */ 2 KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* 
kubernetes service portals */ 3 DOCKER-ISOLATION all -- 0.0.0.0/0 0.0.0.0/0 4 DOCKER all -- 0.0.0.0/0 0.0.0.0/0 5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 9 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 10 FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0 11 FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 12 FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0 13 FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 14 FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0 15 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID 16 ACCEPT all -- 10.244.0.0/16 0.0.0.0/0 17 ACCEPT all -- 0.0.0.0/0 10.244.0.0/16 [root@centos7 ~]# iptables -P FORWARD ACCEPT
更改默认策略（注意：FORWARD 默认 ACCEPT 会放行主机上所有未被前面规则拦截的转发流量，而不只是 pod 流量；上面的 flannel 日志里也显示它启动时会把该策略改为 ACCEPT） [root@centos7 ~]# iptables -t filter -L FORWARD -n --line-number Chain FORWARD (policy ACCEPT) num target prot opt source destination 1 KUBE-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */ 2 KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes service portals */ 3 DOCKER-ISOLATION all -- 0.0.0.0/0 0.0.0.0/0 4 DOCKER all -- 0.0.0.0/0 0.0.0.0/0 5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 9 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 10 FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0 11 FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 12 FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0 13 FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 14 FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0 15 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID 16 ACCEPT all -- 10.244.0.0/16 0.0.0.0/0 17 ACCEPT all -- 0.0.0.0/0 10.244.0.0/16
[root@centos7 ~]# kubectl exec -it nginx-karmada-f89759699-8xmfw -- curl https://10.107.2.145:5443/api?timeout=32s curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.haxx.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. command terminated with exit code 60 [root@centos7 ~]#
CNI网络插件之flannel
虚拟网卡接口VETH(Virtual Ethernet )创建使用和绑定关系
iptables自定义链的使用