After deploying all my kubernetes resources, I want to open port 443. I added it to my whitelist table, but it is still closed. The same thing happened with port 80. After flushing all tables, deleting all kubernetes resources and setting up the firewall from scratch (including whitelisting port 80) before deploying kubernetes again, port 80 was finally open.
Now I would rather understand why I cannot open port 443 than do all of that over again. I found that there is a table KUBE-FIREWALL (see below) that blocks everything by default.
So my main question is:
Do the rules of KUBE-FIREWALL have a higher priority than my table TCP? If so, how can I change the priority?
INPUT
Chain INPUT (policy DROP)
target prot opt source destination
cali-INPUT all -- anywhere anywhere /* cali:Cz_u1IQiXIMmKD4c */
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
KUBE-FIREWALL all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp echo-request ctstate NEW
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
cali-INPUT
Chain cali-INPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* cali:msRIDfJRWnYwzW4g */ mark match 0x10000/0x10000
cali-wl-to-host all -- anywhere anywhere [goto] /* cali:y4fKWmWkTnYGshVX */
MARK all -- anywhere anywhere /* cali:JnMb-hdLugWL4jEZ */ MARK and 0xfff0ffff
cali-from-host-endpoint all -- anywhere anywhere /* cali:NPKZwKxJ-5imzORj */
ACCEPT all -- anywhere anywhere /* cali:aes7S4xZI-7Jyw63 */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000
KUBE-FIREWALL
claus@vmd33301:~$ sudo iptables -L KUBE-FIREWALL
Chain KUBE-FIREWALL (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
TCP
Chain TCP (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Answer 1
Edit 2
The port was closed because nothing was listening on it :)
Edit 1
The order of the list matters, but KUBE-FIREWALL only drops marked packets. I had missed the mark match 0x8000/0x8000 at the end of the rule. So it should work. My guess is that one of the cali rules (or fail2ban?) is claiming port 443. Without the full iptables output there is no way to know.
--- original answer below ---
Yes, TCP has the lower priority because it is lower in the list. Not only is the KUBE-FIREWALL chain evaluated before the TCP chain, it also ends with a rule that drops all remaining traffic. So your TCP rules are never evaluated.
You can insert the TCP chain entry point above the KUBE-FIREWALL chain with iptables -I INPUT ..., or insert it above a specific line number with iptables -I INPUT 2 ... (inserts above line 2). You can see the line numbers by adding --line-numbers to the iptables command (iptables -nvL --line-numbers).
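An added example (not part of the question or the answer) of the rule-ordering check and the -I INPUT <num> insertion the answer describes, worked on a constructed, abridged copy of the question's INPUT chain as `iptables -L INPUT --line-numbers` prints it. The helper names rule_num, is_before and move_above_cmds are made up for this example; the block only prints the iptables commands, it does not execute them.

```shell
#!/bin/sh
# Constructed sample (abridged from the question's INPUT chain) in the format of
# `sudo iptables -L INPUT --line-numbers`; used here instead of a live firewall.
SAMPLE_INPUT='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    cali-INPUT  all  --  anywhere             anywhere
2    f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
3    KUBE-EXTERNAL-SERVICES  all  --  anywhere             anywhere             ctstate NEW
4    KUBE-FIREWALL  all  --  anywhere             anywhere
5    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
6    DROP       all  --  anywhere             anywhere             ctstate INVALID
7    TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
8    REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset'

# rule_num LISTING TARGET: print the rule number of the first jump to TARGET
# (column 2 of the listing); prints nothing if TARGET is never referenced.
rule_num() {
    printf '%s\n' "$1" | awk -v t="$2" 'NR > 2 && $2 == t { print $1; exit }'
}

# is_before LISTING A B: succeed only if chain A is jumped to before chain B,
# i.e. the rules inside A get evaluated before B is consulted.
is_before() {
    a=$(rule_num "$1" "$2"); b=$(rule_num "$1" "$3")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# move_above_cmds LISTING CHAIN ABOVE: print the commands that re-insert the
# jump to CHAIN at the position ABOVE currently holds (iptables -I numbers
# rules from 1, so the new rule lands before ABOVE) and then delete the old
# jump, whose number has shifted up by one after the insert. --syn is the
# short form of the "flags FIN,SYN,RST,ACK/SYN" match shown in the listing.
move_above_cmds() {
    n=$(rule_num "$1" "$3"); old=$(rule_num "$1" "$2")
    [ -n "$n" ] || return 1
    printf 'iptables -I INPUT %s -p tcp --syn -m conntrack --ctstate NEW -j %s\n' "$n" "$2"
    if [ -n "$old" ] && [ "$old" -gt "$n" ]; then
        printf 'iptables -D INPUT %s\n' $((old + 1))
    fi
}

# Dry run: only print what would be done if TCP is currently below KUBE-FIREWALL.
if ! is_before "$SAMPLE_INPUT" TCP KUBE-FIREWALL; then
    move_above_cmds "$SAMPLE_INPUT" TCP KUBE-FIREWALL
fi
```

Run it against real output with SAMPLE_INPUT="$(sudo iptables -L INPUT --line-numbers)" and review the printed commands before applying them; the delete step is what keeps the chain from ending up with two jumps to TCP.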