cni flannel iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited

[root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- ls /sys/class/net/
eth0  lo
[root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- ls /sys/class/net/eth0
addr_assign_type  dormant            mtu               proto_down
addr_len          duplex             name_assign_type  queues
address           flags              netdev_group      speed
broadcast         gro_flush_timeout  operstate         statistics
carrier           ifalias            phys_port_id      subsystem
carrier_changes   ifindex            phys_port_name    tx_queue_len
dev_id            iflink             phys_switch_id    type
dev_port          link_mode          power             uevent
[root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- ls /sys/class/net/eth0/ifindex
/sys/class/net/eth0/ifindex
[root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- cat  /sys/class/net/eth0/ifindex
3
[root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- cat  /sys/class/net/eth0/name_assign_type
3
[root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- cat  /sys/class/net/eth0/iflink
12
[root@centos7 ~]# 

12: veth626661db@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default 
    link/ether e6:03:6c:ad:25:38 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::e403:6cff:fead:2538/64 scope link 
       valid_lft forever preferred_lft forever

[root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- ping 8.8.8.8.
rpc error: code = 2 desc = oci runtime error: exec failed: container_linux.go:235: starting container process caused "exec: "ping": executable file not found in $PATH"

command terminated with exit code 126
[root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- curl http://10.107.2.145:5443  
curl: (7) Failed to connect to 10.107.2.145 port 5443: No route to host
command terminated with exit code 7
[root@centos7 ~]# 

[root@centos7 ~]# ip a sh flannel.1
9: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default 
    link/ether da:af:67:aa:ac:d9 brd ff:ff:ff:ff:ff:ff
    inet 10.251.0.0/32 scope global flannel.1
       valid_lft forever preferred_lft forever
    inet6 fe80::d8af:67ff:feaa:acd9/64 scope link 
       valid_lft forever preferred_lft forever
[root@centos7 ~]# tcpdump -i veth626661db -eennv
tcpdump: listening on veth626661db, link-type EN10MB (Ethernet), capture size 262144 bytes
23:31:57.308683 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 19938, offset 0, flags [DF], proto TCP (6), length 60)
    10.251.0.47.35644 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0x1554), seq 3760945103, win 28200, options [mss 1410,sackOK,TS val 3003842826 ecr 0,nop,wscale 7], length 0
23:31:57.308835 de:03:c3:e8:e0:ca > 6e:8d:69:3a:95:9e, ethertype IPv4 (0x0800), length 102: (tos 0xc0, ttl 64, id 13376, offset 0, flags [none], proto ICMP (1), length 88)
    10.251.0.1 > 10.251.0.47: ICMP host 10.107.2.145 unreachable - admin prohibited, length 68
        (tos 0x0, ttl 63, id 19938, offset 0, flags [DF], proto TCP (6), length 60)
    10.251.0.47.35644 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0x1554), seq 3760945103, win 28200, options [mss 1410,sackOK,TS val 3003842826 ecr 0,nop,wscale 7], length 0
23:31:58.377429 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 19939, offset 0, flags [DF], proto TCP (6), length 60)
    10.251.0.47.35644 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0x1127), seq 3760945103, win 28200, options [mss 1410,sackOK,TS val 3003843895 ecr 0,nop,wscale 7], length 0
23:31:58.377549 de:03:c3:e8:e0:ca > 6e:8d:69:3a:95:9e, ethertype IPv4 (0x0800), length 102: (tos 0xc0, ttl 64, id 13419, offset 0, flags [none], proto ICMP (1), length 88)
    10.251.0.1 > 10.251.0.47: ICMP host 10.107.2.145 unreachable - admin prohibited, length 68
        (tos 0x0, ttl 63, id 19939, offset 0, flags [DF], proto TCP (6), length 60)
    10.251.0.47.35644 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0x1127), seq 3760945103, win 28200, options [mss 1410,sackOK,TS val 3003843895 ecr 0,nop,wscale 7], length 0
23:32:02.377416 de:03:c3:e8:e0:ca > 6e:8d:69:3a:95:9e, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.251.0.47 tell 10.251.0.1, length 28
23:32:02.377495 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.251.0.1 tell 10.251.0.47, length 28
23:32:02.377527 de:03:c3:e8:e0:ca > 6e:8d:69:3a:95:9e, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 10.251.0.1 is-at de:03:c3:e8:e0:ca, length 28
23:32:02.377534 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 10.251.0.47 is-at 6e:8d:69:3a:95:9e, length 28

[root@centos7 ~]# ip link show  veth626661db
12: veth626661db@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP mode DEFAULT group default 
    link/ether e6:03:6c:ad:25:38 brd ff:ff:ff:ff:ff:ff link-netnsid 1

root@centos7 ~]# tcpdump -i cni0  tcp and host 10.107.2.145   -eennvv
tcpdump: listening on cni0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:34:58.199373 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 64348, offset 0, flags [DF], proto TCP (6), length 60)
    10.251.0.47.36996 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0xd837), seq 1370127242, win 28200, options [mss 1410,sackOK,TS val 3004023714 ecr 0,nop,wscale 7], length 0
23:34:59.257409 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 64349, offset 0, flags [DF], proto TCP (6), length 60)
    10.251.0.47.36996 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0xd415), seq 1370127242, win 28200, options [mss 1410,sackOK,TS val 3004024772 ecr 0,nop,wscale 7], length 0
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@centos7 ~]# 

[root@centos7 ~]# kubectl logs  kube-flannel-ds-arm64-gmljw -n  kube-system
I0909 14:06:41.611364       1 main.go:518] Determining IP address of default interface
I0909 14:06:41.615836       1 main.go:531] Using interface with name enp125s0f0 and address 10.10.16.251
I0909 14:06:41.615883       1 main.go:548] Defaulting external address to interface address (10.10.16.251)
W0909 14:06:41.615909       1 client_config.go:517] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0909 14:06:41.716610       1 kube.go:119] Waiting 10m0s for node controller to sync
I0909 14:06:41.716730       1 kube.go:306] Starting kube subnet manager
I0909 14:06:42.716915       1 kube.go:126] Node controller sync successful
I0909 14:06:42.716977       1 main.go:246] Created subnet manager: Kubernetes Subnet Manager - centos7
I0909 14:06:42.716999       1 main.go:249] Installing signal handlers
I0909 14:06:42.717336       1 main.go:390] Found network config - Backend type: vxlan
I0909 14:06:42.717486       1 vxlan.go:121] VXLAN config: VNI=1 Port=0 GBP=false Learning=false DirectRouting=false
I0909 14:06:43.321587       1 main.go:305] Setting up masking rules
I0909 14:06:43.412778       1 main.go:313] Changing default FORWARD chain policy to ACCEPT
I0909 14:06:43.413115       1 main.go:321] Wrote subnet file to /run/flannel/subnet.env
I0909 14:06:43.413146       1 main.go:325] Running backend.
I0909 14:06:43.413187       1 main.go:343] Waiting for all goroutines to exit
I0909 14:06:43.413234       1 vxlan_network.go:60] watching for new subnet leases
[root@centos7 ~]# cat  /run/flannel/subnet.env
FLANNEL_NETWORK=10.244.0.0/16
FLANNEL_SUBNET=10.251.0.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=true
[root@centos7 ~]# 

 发送了丢包

[root@centos7 ~]#  iptables -t raw -j TRACE -p tcp --dport 5443  -d   10.107.2.145 -I PREROUTING 1
[root@centos7 ~]# iptables -t raw -j TRACE -p tcp --dport   5443  -d   10.107.2.145 -I OUTPUT 1
[root@centos7 ~]# tail /var/log/kern.debug.log -f | grep 5443 | grep 10.107.2.145

[root@centos7 ~]# tail /var/log/kern.debug.log
Sep 10 00:09:28 centos7 kernel: TRACE: filter:FORWARD:rule:14 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
Sep 10 00:09:28 centos7 kernel: TRACE: filter:FORWARD_OUT_ZONES:rule:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public:rule:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public_log:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public:rule:2 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public_deny:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public:rule:3 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public_allow:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public:return:4 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
Sep 10 00:09:28 centos7 kernel: TRACE: filter:FORWARD:rule:16 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
[root@centos7 ~]# iptables  -t filter   -L FORWARD --line-number 
Chain FORWARD (policy DROP)
num  target     prot opt source               destination         
1    KUBE-FORWARD  all  --  anywhere             anywhere             /* kubernetes forwarding rules */
2    KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes service portals */
3    DOCKER-ISOLATION  all  --  anywhere             anywhere            
4    DOCKER     all  --  anywhere             anywhere            
5    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
6    ACCEPT     all  --  anywhere             anywhere            
7    ACCEPT     all  --  anywhere             anywhere            
8    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
9    ACCEPT     all  --  anywhere             anywhere            
10   FORWARD_direct  all  --  anywhere             anywhere            
11   FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
12   FORWARD_IN_ZONES  all  --  anywhere             anywhere            
13   FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
14   FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
15   DROP       all  --  anywhere             anywhere             ctstate INVALID
16   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
17   ACCEPT     all  --  10.244.0.0/16        anywhere            
18   ACCEPT     all  --  anywhere             10.244.0.0/16       
[root@centos7 ~]# iptables  -t filter   -L FWDO_public --line-number 
Chain FWDO_public (2 references)
num  target     prot opt source               destination         
1    FWDO_public_log  all  --  anywhere             anywhere            
2    FWDO_public_deny  all  --  anywhere             anywhere            
3    FWDO_public_allow  all  --  anywhere             anywhere            
[root@centos7 ~]# iptables  -t filter   -L FORWARD_OUT_ZONES  --line-number 
Chain FORWARD_OUT_ZONES (1 references)
num  target     prot opt source               destination         
1    FWDO_public  all  --  anywhere             anywhere            [goto] 
2    FWDO_public  all  --  anywhere             anywhere            [goto] 
[root@centos7 ~]# 
[root@centos7 ~]# iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited
[root@centos7 ~]# 

 return 

 target 类型包括 ACCEPT、REJECT、DROP、LOG 、SNAT、MASQUERADE、DNAT、REDIRECT、RETURN 或者跳转到其他规则等。只要执行到某一条链中只有按照顺序有一条规则匹配后就可以确定报文的去向了，除了 RETURN 类型，类似编程语言中的 return 语句，返回到它的调用点，继续执行下一条规则。

 

 

 

[root@centos7 ~]# iptables  -t filter   -L FORWARD --line-number 
Chain FORWARD (policy DROP)
num  target     prot opt source               destination         
1    KUBE-FORWARD  all  --  anywhere             anywhere             /* kubernetes forwarding rules */
2    KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes service portals */
3    DOCKER-ISOLATION  all  --  anywhere             anywhere            
4    DOCKER     all  --  anywhere             anywhere            
5    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
6    ACCEPT     all  --  anywhere             anywhere            
7    ACCEPT     all  --  anywhere             anywhere            
8    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
9    ACCEPT     all  --  anywhere             anywhere            
10   FORWARD_direct  all  --  anywhere             anywhere            
11   FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
12   FORWARD_IN_ZONES  all  --  anywhere             anywhere            
13   FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
14   FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
15   DROP       all  --  anywhere             anywhere             ctstate INVALID
16   ACCEPT     all  --  10.244.0.0/16        anywhere            
17   ACCEPT     all  --  anywhere             10.244.0.0/16       

filter:FORWARD:policy:18 默认策略

[root@centos7 ~]# tail /var/log/kern.debug.log  | grep 5443 | grep 10.107.2.145
Sep 10 04:33:28 centos7 kernel: TRACE: filter:FORWARD:rule:14 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
Sep 10 04:33:28 centos7 kernel: TRACE: filter:FORWARD_OUT_ZONES:rule:1 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public:rule:1 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public_log:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public:rule:2 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public_deny:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public:rule:3 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public_allow:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public:return:4 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
Sep 10 04:33:28 centos7 kernel: TRACE: filter:FORWARD:policy:18 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
[root@centos7 ~]# iptables -t filter -L FORWARD  -n --line-number
Chain FORWARD (policy DROP)
num  target     prot opt source               destination         
1    KUBE-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding rules */
2    KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes service portals */
3    DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0           
4    DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
9    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
10   FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0           
11   FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
12   FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
13   FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
14   FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
15   DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
16   ACCEPT     all  --  10.244.0.0/16        0.0.0.0/0           
17   ACCEPT     all  --  0.0.0.0/0            10.244.0.0/16       
[root@centos7 ~]# iptables -P FORWARD ACCEPT
更改默认策略
[root@centos7 ~]# iptables -t filter -L FORWARD  -n --line-number
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    KUBE-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding rules */
2    KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes service portals */
3    DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0           
4    DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
9    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
10   FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0           
11   FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
12   FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
13   FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
14   FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
15   DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
16   ACCEPT     all  --  10.244.0.0/16        0.0.0.0/0           
17   ACCEPT     all  --  0.0.0.0/0            10.244.0.0/16       

[root@centos7 ~]# kubectl exec -it  nginx-karmada-f89759699-8xmfw   -- curl https://10.107.2.145:5443/api?timeout=32s
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
command terminated with exit code 60
[root@centos7 ~]# 

CNI网络插件之flannel

虚拟网卡接口VETH(Virtual Ethernet )创建使用和绑定关系

iptables自定义链的使用