Revisions
anfernee revised this gist
Feb 19, 2021. 1 changed file with 6 additions and 0 deletions.
@@ -12,7 +12,13 @@ Added the following on both source and gateway node. Egress gateway datapath sti iptables -A INPUT -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state INVALID -j DROP iptables -A FORWARD -m state --state INVALID -j DROP ``` Append the following rules in source node. Egress datapath is broken. ``` iptables -I INPUT 1 -m state --state INVALID -j DROP iptables -I OUTPUT 1 -m state --state INVALID -j DROP iptables -I FORWARD 1 -m state --state INVALID -j DROP # This one drop the packet. ``` ## Conntrack status
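Review bot: the comment `# This one drop the packet.` placed after the FORWARD rule does not say what was observed, and the text should explain why the `-I ... 1` rules break the egress datapath when the earlier `-A` rules with the same match did not: the only difference in this hunk is rule position, so the INVALID drop now runs before whatever existing rules accepted the traffic. Suggest naming the chain whose DROP counter increments (`iptables -L FORWARD -v -n` shows it) and fixing the wording to "Append the following rules on the source node" and "This one drops the packet".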
anfernee revised this gist
Feb 19, 2021. 1 changed file with 3 additions and 3 deletions.
@@ -9,9 +9,9 @@ ## iptables Added the following on both source and gateway node. Egress gateway datapath still works. ``` iptables -A INPUT -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state INVALID -j DROP iptables -A FORWARD -m state --state INVALID -j DROP ```
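Review bot: dropping the `81`/`82`/`83` shell-history prefixes from the three iptables lines is the right fix, since the numbers would otherwise be pasted into a terminal along with the commands; while touching this block, tag the fence as ```sh so it is clear these are commands to run rather than captured output, matching the conntrack blocks below which are output.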
anfernee revised this gist
Feb 19, 2021. 1 changed file with 6 additions and 6 deletions.
@@ -1,9 +1,9 @@ | Node/Pod | IP | | ---------------- | ------------- | | Source Pod | 10.11.1.103 | | Source Node | 192.168.11.12 | | Gateway Node | 192.168.11.11 | | External Service | 192.168.11.13 | ## iptables
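Review bot: the table labels 192.168.11.13 as `External Service`, but the curl command later in the file targets `196.168.11.13` and every conntrack line shows `dst=192.168.33.13`; the three addresses should agree, or the text should say which one is the typo, otherwise a reader cannot match the conntrack entries to this table.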
anfernee revised this gist
Feb 19, 2021. 1 changed file with 2 additions and 1 deletion.
@@ -1,4 +1,5 @@ | Node | IP | | --------------- | ------------- | | Source Pod IP | 10.11.1.103 | | Source Node IP | 192.168.11.12 | | Gateway Node IP | 192.168.11.11 |
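Review bot: the new header cell `Node` does not describe the first row, which is a pod, and each row label still ends in `IP` while the second column is already headed `IP`; a `Node/Pod` header with the `IP` suffix removed from the row labels would read cleaner.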
anfernee revised this gist
Feb 19, 2021. 1 changed file with 2 additions and 2 deletions.
@@ -1,9 +1,9 @@ | Source Pod IP | 10.11.1.103 | | Source Node IP | 192.168.11.12 | | Gateway Node IP | 192.168.11.11 | | Destination IP | 192.168.11.13 | ## iptables Added the following on both source and gateway node. Egress gateway datapath still works.
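Review bot: a markdown pipe table needs a header row followed by a separator line such as `| --- | --- |`; this hunk has neither, so GitHub renders these four rows as literal text with pipe characters rather than as a table.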
anfernee revised this gist
Feb 19, 2021. 1 changed file with 6 additions and 4 deletions.
@@ -1,7 +1,9 @@ +-----------------+---------------+ | Source Pod IP | 10.11.1.103 | | Source Node IP | 192.168.11.12 | | Gateway Node IP | 192.168.11.11 | | Destination IP | 192.168.11.13 | +-----------------+---------------+ ## iptables Added the following on both source and gateway node. Egress gateway datapath still works.
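Review bot: the `+-----------------+---------------+` box lines sit outside a code fence, so markdown will reflow them and the column alignment will not survive rendering; either wrap the block in a fence or switch to a markdown pipe table with a `| --- | --- |` separator row.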
anfernee created this gist
Feb 19, 2021.
@@ -0,0 +1,38 @@ Source Pod IP: 10.11.1.103 Source Node IP: 192.168.11.12 Gateway Node IP: 192.168.11.11 Destination IP: 192.168.11.13 ## iptables Added the following on both source and gateway node. Egress gateway datapath still works. ``` 81 iptables -A INPUT -m state --state INVALID -j DROP 82 iptables -A OUTPUT -m state --state INVALID -j DROP 83 iptables -A FORWARD -m state --state INVALID -j DROP ``` ## Conntrack status ### Source Pod ``` curl 196.168.11.13 ``` ### Gateway Node ``` [NEW] tcp 6 120 SYN_SENT src=10.11.1.103 dst=192.168.33.13 sport=33528 dport=80 [UNREPLIED] src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33528 [UPDATE] tcp 6 60 SYN_RECV src=10.11.1.103 dst=192.168.33.13 sport=33528 dport=80 src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33528 [UPDATE] tcp 6 86400 ESTABLISHED src=10.11.1.103 dst=192.168.33.13 sport=33528 dport=80 src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33528 [ASSURED] [UPDATE] tcp 6 120 FIN_WAIT src=10.11.1.103 dst=192.168.33.13 sport=33528 dport=80 src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33528 [ASSURED] [UPDATE] tcp 6 30 LAST_ACK src=10.11.1.103 dst=192.168.33.13 sport=33528 dport=80 src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33528 [ASSURED] [UPDATE] tcp 6 120 TIME_WAIT src=10.11.1.103 dst=192.168.33.13 sport=33528 dport=80 src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33528 [ASSURED] ``` ### Source Node ``` [NEW] tcp 6 300 ESTABLISHED src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33546 [UNREPLIED] src=10.11.1.103 dst=192.168.33.13 sport=33546 dport=80 [UPDATE] tcp 6 120 FIN_WAIT src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33546 [UNREPLIED] src=10.11.1.103 dst=192.168.33.13 sport=33546 dport=80 [DESTROY] tcp 6 FIN_WAIT src=192.168.33.13 dst=10.11.1.103 sport=80 dport=33546 [UNREPLIED] src=10.11.1.103 dst=192.168.33.13 sport=33546 dport=80 ``` #
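Review bot: three addresses are given for the same endpoint in this initial version: `Destination IP: 192.168.11.13` in the header, `curl 196.168.11.13` under Source Pod, and `dst=192.168.33.13` in every conntrack line, so at least two of them are typos and should be reconciled. The `81`/`82`/`83` prefixes in the iptables block are shell history numbers and should be stripped. The most important observation goes unexplained: the Gateway Node sees the full `SYN_SENT` to `ESTABLISHED` to `TIME_WAIT` sequence with the pod as `src`, while the Source Node only ever sees `[NEW] ... ESTABLISHED ... [UNREPLIED]` entries whose `src` is 192.168.33.13, i.e. the connection is picked up mid-stream from the reply direction; a sentence relating that to the INVALID-state rules above would make the point of the gist clear. The trailing `#` heading is empty and should be removed or filled in.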