kelseyhightower / kubernetes-the-hard-way

Bootstrap Kubernetes the hard way. No scripts.
Apache License 2.0

iptables drop packet accessing pod ip if source from other host. #697

Closed V0idk closed 2 years ago

V0idk commented 2 years ago

A: cnio0: 10.200.1.1
B: cnio0: 10.200.2.1, pod IP: 10.200.2.4

From A, pinging 10.200.2.1 is OK, but pinging 10.200.2.4 fails. From B, pinging 10.200.2.4 is OK.

```
# route in A
root@vm1:~# ifconfig 
cnio0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.1.1  netmask 255.255.255.0  broadcast 10.200.1.255
        inet6 fe80::1c7a:daff:fee0:ae8b  prefixlen 64  scopeid 0x20<link>
        ether 1e:7a:da:e0:ae:8b  txqueuelen 1000  (Ethernet)
        RX packets 59  bytes 3816 (3.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 25  bytes 1942 (1.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@vm1:/opt/workdir/dropwatch/dropwatch-master# iptables -vL -t filter
Chain FORWARD (policy DROP 22 packets, 1848 bytes)
 pkts bytes target     prot opt in     out     source               destination
  271 22647 DOCKER-USER  all  --  any    any     anywhere             anywhere
  271 22647 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
  271 22647 KUBE-FORWARD  all  --  any    any     anywhere             anywhere             /* kubernetes forwarding rules */
  271 22647 KUBE-SERVICES  all  --  any    any     anywhere             anywhere             ctstate NEW /* kubernetes service portals */
  271 22647 KUBE-EXTERNAL-SERVICES  all  --  any    any     anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         DESKTOP-FHTASOO 0.0.0.0         UG    100    0        0 eth0
10.200.1.0      0.0.0.0         255.255.255.0   U     0      0        0 cnio0
10.200.2.0      192.168.6.12    255.255.255.0   UG    0      0        0 eth2
10.200.3.0      192.168.6.13    255.255.255.0   UG    0      0        0 eth2
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.26.160.0    0.0.0.0         255.255.240.0   U     0      0        0 eth0
DESKTOP-FHTASOO 0.0.0.0         255.255.255.255 UH    100    0        0 eth0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
```

```
# route in B
root@vm2:/opt/workdir# ifconfig 
cnio0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.2.1  netmask 255.255.255.0  broadcast 10.200.2.255
        inet6 fe80::d4c3:80ff:feec:12f4  prefixlen 64  scopeid 0x20<link>
        ether d6:c3:80:ec:12:f4  txqueuelen 1000  (Ethernet)
        RX packets 5531  bytes 446514 (446.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5435  bytes 522257 (522.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@vm2:/opt/workdir# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         DESKTOP-FHTASOO 0.0.0.0         UG    100    0        0 eth0
10.200.1.0      192.168.6.11    255.255.255.0   UG    0      0        0 eth2
10.200.2.0      0.0.0.0         255.255.255.0   U     0      0        0 cnio0
10.200.3.0      192.168.6.13    255.255.255.0   UG    0      0        0 eth2
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.26.160.0    0.0.0.0         255.255.240.0   U     0      0        0 eth0
DESKTOP-FHTASOO 0.0.0.0         255.255.255.255 UH    100    0        0 eth0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
```

As you can see, the FORWARD chain policy is DROP (22 packets, 1848 bytes). Why?
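The drop counter on the FORWARD policy above is the thing to look at. The Docker daemon sets the filter table's FORWARD policy to DROP when it enables IP forwarding, so any forwarded packet that no earlier rule accepts (here, pod-to-pod traffic arriving on eth2 and leaving on cnio0, which none of the DOCKER or KUBE chains accept) falls through to the policy. The following is an added example, not code from the issue or from the kubernetes-the-hard-way repository: a small POSIX shell script that reads `iptables -S FORWARD` output, reports whether pod-CIDR traffic would fall through to a DROP policy, and prints the two rules to insert. It assumes a pod CIDR of 10.200.0.0/16 (both per-node /24s in the issue fall inside it; override with `POD_CIDR=`), that the `apply` step runs as root, and the embedded listing is constructed to mirror the chain shown in the issue.

```shell
#!/bin/sh
# Added example: diagnose and fix a FORWARD policy DROP that eats pod traffic.
# Assumption: pod CIDR 10.200.0.0/16 (covers the 10.200.1.0/24, 10.200.2.0/24
# and 10.200.3.0/24 node subnets in the issue). Not code from the issue/repo.
POD_CIDR="${POD_CIDR:-10.200.0.0/16}"

# Constructed sample in `iptables -S FORWARD` form, mirroring the chain in the
# issue: Docker's chains, kube-proxy's chains, and a DROP policy.
SAMPLE_DROP='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES'

# The same chain after the fix below has been applied (constructed).
SAMPLE_FIXED="-P FORWARD DROP
-A FORWARD -d 10.200.0.0/16 -j ACCEPT
-A FORWARD -s 10.200.0.0/16 -j ACCEPT
$(printf '%s\n' "$SAMPLE_DROP" | sed 1d)"

# forward_policy: print the chain policy (DROP/ACCEPT) from `iptables -S FORWARD`
# text on stdin.
forward_policy() {
    sed -n 's/^-P FORWARD \([A-Z]*\).*/\1/p'
}

# has_pod_accept CIDR: succeed if the listing on stdin already carries an
# unconditional ACCEPT for CIDR as source or destination in FORWARD.
has_pod_accept() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep
    grep -q -- "^-A FORWARD -[sd] $pat -j ACCEPT"
}

# needs_fix: succeed if policy is DROP and nothing accepts the pod CIDR, i.e.
# first-packet pod traffic will hit the policy counter, as in the issue.
needs_fix() {
    listing=$(cat)
    policy=$(printf '%s\n' "$listing" | forward_policy)
    if [ "$policy" = DROP ] && ! printf '%s\n' "$listing" | has_pod_accept "$POD_CIDR"; then
        return 0
    fi
    return 1
}

# pod_forward_rules CIDR: the two rules to insert at the top of FORWARD, ahead
# of Docker's chains, so pod traffic in either direction is accepted.
pod_forward_rules() {
    printf 'iptables -I FORWARD 1 -s %s -j ACCEPT\n' "$1"
    printf 'iptables -I FORWARD 1 -d %s -j ACCEPT\n' "$1"
}

# diagnose: read a FORWARD listing on stdin and explain what to do.
diagnose() {
    if needs_fix; then
        echo "FORWARD policy is DROP and no rule accepts $POD_CIDR; pod traffic falls through. Fix:"
        pod_forward_rules "$POD_CIDR"
    else
        echo "FORWARD chain already passes $POD_CIDR (or its policy is ACCEPT)."
    fi
}

case "${1:-demo}" in
    demo)  printf '%s\n' "$SAMPLE_DROP" | diagnose ;;   # offline, uses the sample
    check) iptables -S FORWARD | diagnose ;;             # live chain (needs root)
    apply) pod_forward_rules "$POD_CIDR" | sh -ex ;;     # insert the rules (root)
esac
```

Run it with no arguments for the offline demonstration, `check` to inspect the live chain, `apply` to insert the rules. Two caveats: rules inserted this way do not survive a reboot, and the Docker daemon resets the policy to DROP every time it starts, so persist them (iptables-persistent, or a systemd unit that runs after docker.service) rather than relying on a one-off. The coarser alternative, `iptables -P FORWARD ACCEPT`, also works but turns every host into an open router for all forwarded traffic, not just the pod CIDR. Uninstalling Docker and rebooting, as the follow-up comment reports, leaves the FORWARD policy at the kernel default of ACCEPT, which is why that also made the pings work.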

V0idk commented 2 years ago

Hi, after removing docker (apt remove docker.io) and rebooting, I don't know why, but it's working now.