zoukankan      html  css  js  c++  java
  • cni flannel iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited

    [root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- ls /sys/class/net/
    eth0  lo
    [root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- ls /sys/class/net/eth0
    addr_assign_type  dormant            mtu               proto_down
    addr_len          duplex             name_assign_type  queues
    address           flags              netdev_group      speed
    broadcast         gro_flush_timeout  operstate         statistics
    carrier           ifalias            phys_port_id      subsystem
    carrier_changes   ifindex            phys_port_name    tx_queue_len
    dev_id            iflink             phys_switch_id    type
    dev_port          link_mode          power             uevent
    [root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- ls /sys/class/net/eth0/ifindex
    /sys/class/net/eth0/ifindex
    [root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- cat  /sys/class/net/eth0/ifindex
    3
    [root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- cat  /sys/class/net/eth0/name_assign_type
    3
    [root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- cat  /sys/class/net/eth0/iflink
    12
    [root@centos7 ~]# 
    12: veth626661db@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default 
        link/ether e6:03:6c:ad:25:38 brd ff:ff:ff:ff:ff:ff link-netnsid 1
        inet6 fe80::e403:6cff:fead:2538/64 scope link 
           valid_lft forever preferred_lft forever
    [root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- ping 8.8.8.8.
    rpc error: code = 2 desc = oci runtime error: exec failed: container_linux.go:235: starting container process caused "exec: "ping": executable file not found in $PATH"
    
    command terminated with exit code 126
    [root@centos7 ~]# kubectl exec -it     nginx-app-56b5bb67cc-6hjgt     -- curl http://10.107.2.145:5443  
    curl: (7) Failed to connect to 10.107.2.145 port 5443: No route to host
    command terminated with exit code 7
    [root@centos7 ~]# 
    [root@centos7 ~]# ip a sh flannel.1
    9: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default 
        link/ether da:af:67:aa:ac:d9 brd ff:ff:ff:ff:ff:ff
        inet 10.251.0.0/32 scope global flannel.1
           valid_lft forever preferred_lft forever
        inet6 fe80::d8af:67ff:feaa:acd9/64 scope link 
           valid_lft forever preferred_lft forever
    [root@centos7 ~]# tcpdump -i veth626661db -eennv
    tcpdump: listening on veth626661db, link-type EN10MB (Ethernet), capture size 262144 bytes
    23:31:57.308683 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 19938, offset 0, flags [DF], proto TCP (6), length 60)
        10.251.0.47.35644 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0x1554), seq 3760945103, win 28200, options [mss 1410,sackOK,TS val 3003842826 ecr 0,nop,wscale 7], length 0
    23:31:57.308835 de:03:c3:e8:e0:ca > 6e:8d:69:3a:95:9e, ethertype IPv4 (0x0800), length 102: (tos 0xc0, ttl 64, id 13376, offset 0, flags [none], proto ICMP (1), length 88)
        10.251.0.1 > 10.251.0.47: ICMP host 10.107.2.145 unreachable - admin prohibited, length 68
            (tos 0x0, ttl 63, id 19938, offset 0, flags [DF], proto TCP (6), length 60)
        10.251.0.47.35644 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0x1554), seq 3760945103, win 28200, options [mss 1410,sackOK,TS val 3003842826 ecr 0,nop,wscale 7], length 0
    23:31:58.377429 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 19939, offset 0, flags [DF], proto TCP (6), length 60)
        10.251.0.47.35644 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0x1127), seq 3760945103, win 28200, options [mss 1410,sackOK,TS val 3003843895 ecr 0,nop,wscale 7], length 0
    23:31:58.377549 de:03:c3:e8:e0:ca > 6e:8d:69:3a:95:9e, ethertype IPv4 (0x0800), length 102: (tos 0xc0, ttl 64, id 13419, offset 0, flags [none], proto ICMP (1), length 88)
        10.251.0.1 > 10.251.0.47: ICMP host 10.107.2.145 unreachable - admin prohibited, length 68
            (tos 0x0, ttl 63, id 19939, offset 0, flags [DF], proto TCP (6), length 60)
        10.251.0.47.35644 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0x1127), seq 3760945103, win 28200, options [mss 1410,sackOK,TS val 3003843895 ecr 0,nop,wscale 7], length 0
    23:32:02.377416 de:03:c3:e8:e0:ca > 6e:8d:69:3a:95:9e, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.251.0.47 tell 10.251.0.1, length 28
    23:32:02.377495 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.251.0.1 tell 10.251.0.47, length 28
    23:32:02.377527 de:03:c3:e8:e0:ca > 6e:8d:69:3a:95:9e, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 10.251.0.1 is-at de:03:c3:e8:e0:ca, length 28
    23:32:02.377534 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 10.251.0.47 is-at 6e:8d:69:3a:95:9e, length 28
    [root@centos7 ~]# ip link show  veth626661db
    12: veth626661db@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP mode DEFAULT group default 
        link/ether e6:03:6c:ad:25:38 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    root@centos7 ~]# tcpdump -i cni0  tcp and host 10.107.2.145   -eennvv
    tcpdump: listening on cni0, link-type EN10MB (Ethernet), capture size 262144 bytes
    23:34:58.199373 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 64348, offset 0, flags [DF], proto TCP (6), length 60)
        10.251.0.47.36996 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0xd837), seq 1370127242, win 28200, options [mss 1410,sackOK,TS val 3004023714 ecr 0,nop,wscale 7], length 0
    23:34:59.257409 6e:8d:69:3a:95:9e > de:03:c3:e8:e0:ca, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 64349, offset 0, flags [DF], proto TCP (6), length 60)
        10.251.0.47.36996 > 10.107.2.145.5443: Flags [S], cksum 0x1854 (incorrect -> 0xd415), seq 1370127242, win 28200, options [mss 1410,sackOK,TS val 3004024772 ecr 0,nop,wscale 7], length 0
    ^C
    2 packets captured
    2 packets received by filter
    0 packets dropped by kernel
    [root@centos7 ~]# 

    [root@centos7 ~]# kubectl logs  kube-flannel-ds-arm64-gmljw -n  kube-system
    I0909 14:06:41.611364       1 main.go:518] Determining IP address of default interface
    I0909 14:06:41.615836       1 main.go:531] Using interface with name enp125s0f0 and address 10.10.16.251
    I0909 14:06:41.615883       1 main.go:548] Defaulting external address to interface address (10.10.16.251)
    W0909 14:06:41.615909       1 client_config.go:517] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
    I0909 14:06:41.716610       1 kube.go:119] Waiting 10m0s for node controller to sync
    I0909 14:06:41.716730       1 kube.go:306] Starting kube subnet manager
    I0909 14:06:42.716915       1 kube.go:126] Node controller sync successful
    I0909 14:06:42.716977       1 main.go:246] Created subnet manager: Kubernetes Subnet Manager - centos7
    I0909 14:06:42.716999       1 main.go:249] Installing signal handlers
    I0909 14:06:42.717336       1 main.go:390] Found network config - Backend type: vxlan
    I0909 14:06:42.717486       1 vxlan.go:121] VXLAN config: VNI=1 Port=0 GBP=false Learning=false DirectRouting=false
    I0909 14:06:43.321587       1 main.go:305] Setting up masking rules
    I0909 14:06:43.412778       1 main.go:313] Changing default FORWARD chain policy to ACCEPT
    I0909 14:06:43.413115       1 main.go:321] Wrote subnet file to /run/flannel/subnet.env
    I0909 14:06:43.413146       1 main.go:325] Running backend.
    I0909 14:06:43.413187       1 main.go:343] Waiting for all goroutines to exit
    I0909 14:06:43.413234       1 vxlan_network.go:60] watching for new subnet leases
    [root@centos7 ~]# cat  /run/flannel/subnet.env
    FLANNEL_NETWORK=10.244.0.0/16
    FLANNEL_SUBNET=10.251.0.1/24
    FLANNEL_MTU=1450
    FLANNEL_IPMASQ=true
    [root@centos7 ~]# 

     发送了丢包

    [root@centos7 ~]#  iptables -t raw -j TRACE -p tcp --dport 5443  -d   10.107.2.145 -I PREROUTING 1
    [root@centos7 ~]# iptables -t raw -j TRACE -p tcp --dport   5443  -d   10.107.2.145 -I OUTPUT 1
    [root@centos7 ~]# tail /var/log/kern.debug.log -f | grep 5443 | grep 10.107.2.145
    [root@centos7 ~]# tail /var/log/kern.debug.log
    Sep 10 00:09:28 centos7 kernel: TRACE: filter:FORWARD:rule:14 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
    Sep 10 00:09:28 centos7 kernel: TRACE: filter:FORWARD_OUT_ZONES:rule:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
    Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public:rule:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
    Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public_log:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
    Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public:rule:2 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
    Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public_deny:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
    Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public:rule:3 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
    Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public_allow:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
    Sep 10 00:09:28 centos7 kernel: TRACE: filter:FWDO_public:return:4 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
    Sep 10 00:09:28 centos7 kernel: TRACE: filter:FORWARD:rule:16 IN=cni0 OUT=enp125s0f0 PHYSIN=veth953be59b MAC=de:03:c3:e8:e0:ca:7e:0e:e5:ea:da:0a:08:00 SRC=10.251.0.58 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29419 DF PROTO=TCP SPT=48858 DPT=5443 SEQ=3784103382 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080AC410D40B0000000001030307) 
    [root@centos7 ~]# iptables  -t filter   -L FORWARD --line-number 
    Chain FORWARD (policy DROP)
    num  target     prot opt source               destination         
    1    KUBE-FORWARD  all  --  anywhere             anywhere             /* kubernetes forwarding rules */
    2    KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes service portals */
    3    DOCKER-ISOLATION  all  --  anywhere             anywhere            
    4    DOCKER     all  --  anywhere             anywhere            
    5    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    6    ACCEPT     all  --  anywhere             anywhere            
    7    ACCEPT     all  --  anywhere             anywhere            
    8    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    9    ACCEPT     all  --  anywhere             anywhere            
    10   FORWARD_direct  all  --  anywhere             anywhere            
    11   FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
    12   FORWARD_IN_ZONES  all  --  anywhere             anywhere            
    13   FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
    14   FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
    15   DROP       all  --  anywhere             anywhere             ctstate INVALID
    16   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    17   ACCEPT     all  --  10.244.0.0/16        anywhere            
    18   ACCEPT     all  --  anywhere             10.244.0.0/16       
    [root@centos7 ~]# iptables  -t filter   -L FWDO_public --line-number 
    Chain FWDO_public (2 references)
    num  target     prot opt source               destination         
    1    FWDO_public_log  all  --  anywhere             anywhere            
    2    FWDO_public_deny  all  --  anywhere             anywhere            
    3    FWDO_public_allow  all  --  anywhere             anywhere            
    [root@centos7 ~]# iptables  -t filter   -L FORWARD_OUT_ZONES  --line-number 
    Chain FORWARD_OUT_ZONES (1 references)
    num  target     prot opt source               destination         
    1    FWDO_public  all  --  anywhere             anywhere            [goto] 
    2    FWDO_public  all  --  anywhere             anywhere            [goto] 
    [root@centos7 ~]# 
    [root@centos7 ~]# iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited
    [root@centos7 ~]# 

     return 

     target 类型包括 ACCEPT、REJECTDROPLOG 、SNATMASQUERADEDNATREDIRECTRETURN 或者跳转到其他规则等。只要执行到某一条链中只有按照顺序有一条规则匹配后就可以确定报文的去向了,除了 RETURN 类型,类似编程语言中的 return 语句,返回到它的调用点,继续执行下一条规则。

     

     

     

    [root@centos7 ~]# iptables  -t filter   -L FORWARD --line-number 
    Chain FORWARD (policy DROP)
    num  target     prot opt source               destination         
    1    KUBE-FORWARD  all  --  anywhere             anywhere             /* kubernetes forwarding rules */
    2    KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes service portals */
    3    DOCKER-ISOLATION  all  --  anywhere             anywhere            
    4    DOCKER     all  --  anywhere             anywhere            
    5    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    6    ACCEPT     all  --  anywhere             anywhere            
    7    ACCEPT     all  --  anywhere             anywhere            
    8    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    9    ACCEPT     all  --  anywhere             anywhere            
    10   FORWARD_direct  all  --  anywhere             anywhere            
    11   FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
    12   FORWARD_IN_ZONES  all  --  anywhere             anywhere            
    13   FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
    14   FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
    15   DROP       all  --  anywhere             anywhere             ctstate INVALID
    16   ACCEPT     all  --  10.244.0.0/16        anywhere            
    17   ACCEPT     all  --  anywhere             10.244.0.0/16       

    filter:FORWARD:policy:18 默认策略

    [root@centos7 ~]# tail /var/log/kern.debug.log  | grep 5443 | grep 10.107.2.145
    Sep 10 04:33:28 centos7 kernel: TRACE: filter:FORWARD:rule:14 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
    Sep 10 04:33:28 centos7 kernel: TRACE: filter:FORWARD_OUT_ZONES:rule:1 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
    Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public:rule:1 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
    Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public_log:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
    Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public:rule:2 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
    Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public_deny:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
    Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public:rule:3 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
    Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public_allow:return:1 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
    Sep 10 04:33:28 centos7 kernel: TRACE: filter:FWDO_public:return:4 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
    Sep 10 04:33:28 centos7 kernel: TRACE: filter:FORWARD:policy:18 IN=cni0 OUT=enp125s0f0 PHYSIN=vethf2b4fa5f MAC=8e:85:2d:6e:87:44:a6:c5:c8:9f:57:18:08:00 SRC=10.251.0.65 DST=10.107.2.145 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10351 DF PROTO=TCP SPT=57826 DPT=5443 SEQ=3692120601 ACK=0 WINDOW=28200 RES=0x00 SYN URGP=0 OPT (020405820402080A37181E180000000001030307) 
    [root@centos7 ~]# iptables -t filter -L FORWARD  -n --line-number
    Chain FORWARD (policy DROP)
    num  target     prot opt source               destination         
    1    KUBE-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding rules */
    2    KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes service portals */
    3    DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0           
    4    DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
    5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    9    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    10   FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0           
    11   FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
    12   FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
    13   FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
    14   FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
    15   DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    16   ACCEPT     all  --  10.244.0.0/16        0.0.0.0/0           
    17   ACCEPT     all  --  0.0.0.0/0            10.244.0.0/16       
    [root@centos7 ~]# iptables -P FORWARD ACCEPT
    更改默认策略 [root@centos7
    ~]# iptables -t filter -L FORWARD -n --line-number Chain FORWARD (policy ACCEPT) num target prot opt source destination 1 KUBE-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */ 2 KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes service portals */ 3 DOCKER-ISOLATION all -- 0.0.0.0/0 0.0.0.0/0 4 DOCKER all -- 0.0.0.0/0 0.0.0.0/0 5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 9 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 10 FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0 11 FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 12 FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0 13 FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 14 FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0 15 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID 16 ACCEPT all -- 10.244.0.0/16 0.0.0.0/0 17 ACCEPT all -- 0.0.0.0/0 10.244.0.0/16
    [root@centos7 ~]# kubectl exec -it  nginx-karmada-f89759699-8xmfw   -- curl https://10.107.2.145:5443/api?timeout=32s
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.haxx.se/docs/sslcerts.html
    
    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.
    command terminated with exit code 60
    [root@centos7 ~]# 

    CNI网络插件之flannel

    虚拟网卡接口VETH(Virtual Ethernet )创建使用和绑定关系

    iptables自定义链的使用

  • 相关阅读:
    DVWA 黑客攻防演练(十)反射型 XSS 攻击 Reflected Cross Site Scripting
    DVWA 黑客攻防演练(九) SQL 盲注 SQL Injection (Blind)
    DVWA 黑客攻防演练(八)SQL 注入 SQL Injection
    DVWA 黑客攻防演练(七)Weak Session IDs
    DVWA 黑客攻防演练(六)不安全的验证码 Insecure CAPTCHA
    DVWA 黑客攻防演练(五)文件上传漏洞 File Upload
    工作流表结构设计
    Visual Studio 2019尝鲜----新建空项目体验
    《使用CSLA 2019:CSLA .NET概述》原版和机译文档下载
    .NET快速开发平台的在线预览
  • 原文地址:https://www.cnblogs.com/dream397/p/15250743.html
Copyright © 2011-2022 走看看