Skip to content
This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

Weave unable to establish connection #3411

Closed
danielgelling opened this issue Sep 24, 2018 · 10 comments

Comments


danielgelling commented Sep 24, 2018

What you expected to happen?

Weave pods running stably, using IPv4 to communicate.

What happened?

A while (1 to 2 days) after initialising the weave pods, they are unable to communicate with each other because they want to use IPv6; however, they are unable to do so.

Restarting (deleting) the pods gets the cluster up and running again; however, after a few days it reverts to IPv6 again.

How to reproduce it?

Install Kubernetes on bare metal and set the CNI to weave. (I also run Istio 1.0.1, which might be an influence; however, I don't think so.)

Anything else we need to know?

Versions:

$ weave version
2.4.1
$ docker version
17.12.1-ce
$ uname -a
Linux master 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ kubectl version
v1.11.3

Logs:

$ kubectl logs -n kube-system <weave-net-pod> weave

(I have replaced all IPv4 addresses with xx.xx.xx.xx for node1's IPv4 and yy.yy.yy.yy for node2's IPv4, and respectively for IPv6 xx:xx:xx:xx:xx:xx and yy:yy:yy:yy:yy:yy.)

INFO: 2018/09/23 12:51:15.909349 overlay_switch ->[xx:xx:xx:xx:xx:xx(node1)] using fastdp
INFO: 2018/09/23 12:51:15.909411 ->[xx.xx.xx.xx:6783|xx:xx:xx:xx:xx:xx(node1)]: connection added (new peer)
INFO: 2018/09/23 12:51:15.911480 ->[xx.xx.xx.xx:6783|xx:xx:xx:xx:xx:xx(node1)]: connection fully established
INFO: 2018/09/23 12:51:15.912178 EMSGSIZE on send, expecting PMTU update (IP packet was 60028 bytes, payload was 60020 bytes)
INFO: 2018/09/23 12:51:15.913073 sleeve ->[xx.xx.xx.xx:6783|xx:xx:xx:xx:xx:xx(node1)]: Effective MTU verified at 1438
INFO: 2018/09/23 12:52:15.174644 overlay_switch ->[yy:yy:yy:yy:yy:yy(node2)] fastdp timed out waiting for vxlan heartbeat
INFO: 2018/09/23 12:52:15.174706 overlay_switch ->[yy:yy:yy:yy:yy:yy(node2)] using sleeve
INFO: 2018/09/23 12:52:15.174812 overlay_switch ->[yy:yy:yy:yy:yy:yy(node2)] sleeve timed out waiting for UDP heartbeat
INFO: 2018/09/23 12:52:15.175056 ->[yy.yy.yy.yy:6783|yy:yy:yy:yy:yy:yy(node2)]: connection shutting down due to error: no working forwarders to yy:yy:yy:yy:yy:yy(node2)
INFO: 2018/09/23 12:52:15.175669 ->[yy.yy.yy.yy:6783|yy:yy:yy:yy:yy:yy(node2)]: connection deleted
INFO: 2018/09/23 12:52:15.175779 Removed unreachable peer yy:yy:yy:yy:yy:yy(node2)
INFO: 2018/09/23 12:52:15.176322 ->[yy.yy.yy.yy:6783] attempting connection
INFO: 2018/09/23 12:52:15.178830 ->[yy.yy.yy.yy:6783|yy:yy:yy:yy:yy:yy(node2)]: connection ready; using protocol version 2
INFO: 2018/09/23 12:52:15.178973 overlay_switch ->[yy:yy:yy:yy:yy:yy(node2)] using fastdp
INFO: 2018/09/23 12:52:15.179029 ->[yy.yy.yy.yy:6783|yy:yy:yy:yy:yy:yy(node2)]: connection added (new peer)
INFO: 2018/09/23 12:52:15.181063 ->[yy.yy.yy.yy:6783|yy:yy:yy:yy:yy:yy(node2)]: connection fully established
INFO: 2018/09/23 12:52:15.181372 EMSGSIZE on send, expecting PMTU update (IP packet was 60028 bytes, payload was 60020 bytes)
INFO: 2018/09/23 12:52:15.182086 sleeve ->[yy.yy.yy.yy:6783|yy:yy:yy:yy:yy:yy(node2)]: Effective MTU verified at 1438
INFO: 2018/09/23 12:52:15.910451 overlay_switch ->[xx:xx:xx:xx:xx:xx(node1)] fastdp timed out waiting for vxlan heartbeat
INFO: 2018/09/23 12:52:15.910498 overlay_switch ->[xx:xx:xx:xx:xx:xx(node1)] using sleeve
INFO: 2018/09/23 12:52:15.911533 overlay_switch ->[xx:xx:xx:xx:xx:xx(node1)] sleeve timed out waiting for UDP heartbeat
INFO: 2018/09/23 12:52:15.911730 ->[xx.xx.xx.xx:6783|xx:xx:xx:xx:xx:xx(node1)]: connection shutting down due to error: no working forwarders to xx:xx:xx:xx:xx:xx(node1)
INFO: 2018/09/23 12:52:15.912057 ->[xx.xx.xx.xx:6783|xx:xx:xx:xx:xx:xx(node1)]: connection deleted
INFO: 2018/09/23 12:52:15.912164 Removed unreachable peer xx:xx:xx:xx:xx:xx(node1)
INFO: 2018/09/23 12:52:15.912500 ->[xx.xx.xx.xx:6783] attempting connection
INFO: 2018/09/23 12:52:15.914665 ->[xx.xx.xx.xx:6783|xx:xx:xx:xx:xx:xx(node1)]: connection ready; using protocol version 2
INFO: 2018/09/23 12:52:15.914757 overlay_switch ->[xx:xx:xx:xx:xx:xx(node1)] using fastdp
INFO: 2018/09/23 12:52:15.914781 ->[xx.xx.xx.xx:6783|xx:xx:xx:xx:xx:xx(node1)]: connection added (new peer)
INFO: 2018/09/23 12:52:16.416121 ->[xx.xx.xx.xx:6783|xx:xx:xx:xx:xx:xx(node1)]: connection fully established
INFO: 2018/09/23 12:52:16.416846 EMSGSIZE on send, expecting PMTU update (IP packet was 60028 bytes, payload was 60020 bytes)
INFO: 2018/09/23 12:52:16.417793 sleeve ->[xx.xx.xx.xx:6783|xx:xx:xx:xx:xx:xx(node1)]: Effective MTU verified at 1438
INFO: 2018/09/23 12:53:15.179374 overlay_switch ->[yy:yy:yy:yy:yy:yy(node2)] fastdp timed out waiting for vxlan heartbeat
INFO: 2018/09/23 12:53:15.179426 overlay_switch ->[yy:yy:yy:yy:yy:yy(node2)] using sleeve
INFO: 2018/09/23 12:53:15.179874 overlay_switch ->[yy:yy:yy:yy:yy:yy(node2)] sleeve timed out waiting for UDP heartbeat
INFO: 2018/09/23 12:53:15.179912 ->[yy.yy.yy.yy:6783|yy:yy:yy:yy:yy:yy(node2)]: connection shutting down due to error: no working forwarders to yy:yy:yy:yy:yy:yy(node2)
INFO: 2018/09/23 12:53:15.180025 ->[yy.yy.yy.yy:6783|yy:yy:yy:yy:yy:yy(node2)]: connection deleted
INFO: 2018/09/23 12:53:15.180074 Removed unreachable peer yy:yy:yy:yy:yy:yy(node2)
INFO: 2018/09/23 12:53:15.180302 ->[yy.yy.yy.yy:6783] attempting connection
INFO: 2018/09/23 12:53:15.182521 ->[yy.yy.yy.yy:6783|yy:yy:yy:yy:yy:yy(node2)]: connection ready; using protocol version 2
INFO: 2018/09/23 12:53:15.182730 overlay_switch ->[yy:yy:yy:yy:yy:yy(node2)] using fastdp
INFO: 2018/09/23 12:53:15.182841 ->[yy.yy.yy.yy:6783|yy:yy:yy:yy:yy:yy(node2)]: connection added (new peer)
INFO: 2018/09/23 12:53:15.185254 ->[yy.yy.yy.yy:6783|yy:yy:yy:yy:yy:yy(node2)]: connection fully established
INFO: 2018/09/23 12:53:15.185705 EMSGSIZE on send, expecting PMTU update (IP packet was 60028 bytes, payload was 60020 bytes)
INFO: 2018/09/23 12:53:15.187381 sleeve ->[yy.yy.yy.yy:6783|yy:yy:yy:yy:yy:yy(node2)]: Effective MTU verified at 1438

Network:

$ ip route (on node1)

10.32.0.0/12 dev weave proto kernel scope link src 10.44.0.2 
37.97.207.0/24 dev ens3 proto kernel scope link src xx.xx.xx.xx
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 

$ ip -4 -o addr (on node1)

1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: ens3    inet xx.xx.xx.xx/24 brd 37.97.207.255 scope global ens3\       valid_lft forever preferred_lft forever
3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\       valid_lft forever preferred_lft forever
6: weave    inet 10.44.0.2/12 brd 10.47.255.255 scope global weave\       valid_lft forever preferred_lft forever

$ sudo iptables-save (on node1) (replaced master IP with aaa.aaa.aaa.aaa)

# Generated by iptables-save v1.6.1 on Mon Sep 24 15:36:43 2018
*mangle
:PREROUTING ACCEPT [98405631:26224132062]
:INPUT ACCEPT [15117733:5581948624]
:FORWARD ACCEPT [83160253:20631263107]
:OUTPUT ACCEPT [5528859:2603459897]
:POSTROUTING ACCEPT [88688187:23234573649]
COMMIT
# Completed on Mon Sep 24 15:36:43 2018
# Generated by iptables-save v1.6.1 on Mon Sep 24 15:36:43 2018
*nat
:PREROUTING ACCEPT [11:649]
:INPUT ACCEPT [2:144]
:OUTPUT ACCEPT [44:2640]
:POSTROUTING ACCEPT [56:3603]
:DOCKER - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-2447GU5RTIFBOAK6 - [0:0]
:KUBE-SEP-26E5AQBAPBB273GU - [0:0]
:KUBE-SEP-2RTWY72KF4R5H4PN - [0:0]
:KUBE-SEP-3MUETLFVSYZJNT6T - [0:0]
:KUBE-SEP-4CPZW7KXGMZ2FWXK - [0:0]
:KUBE-SEP-4JU7VUHRYIFE5ETA - [0:0]
:KUBE-SEP-5VKEIBBWB6VGT6YY - [0:0]
:KUBE-SEP-6BGWFBA2ZVVL4XUJ - [0:0]
:KUBE-SEP-6M7V3CMG65XMYRI6 - [0:0]
:KUBE-SEP-6VTFHLFYGHSFVRX5 - [0:0]
:KUBE-SEP-75GI72J4NPBKQV25 - [0:0]
:KUBE-SEP-B7DIGK5JH3OAZM2M - [0:0]
:KUBE-SEP-BNIBTBUCQSIDRFOT - [0:0]
:KUBE-SEP-BTV3UBEYKKT2ZAFY - [0:0]
:KUBE-SEP-CE4MAC43A4U7UWW2 - [0:0]
:KUBE-SEP-CYNCKEY6DCH5LVB3 - [0:0]
:KUBE-SEP-DXGXB64BFQM5O6HI - [0:0]
:KUBE-SEP-FYQCQQKKIGOOCAKG - [0:0]
:KUBE-SEP-G6S7BO7XZ4QVHZK6 - [0:0]
:KUBE-SEP-GVTBAXUPJLV2N23L - [0:0]
:KUBE-SEP-HBTKOG2WQRAVWLMZ - [0:0]
:KUBE-SEP-JP4QVL53NAA5VUP4 - [0:0]
:KUBE-SEP-KR7ENJI3VOKZJZGY - [0:0]
:KUBE-SEP-KYPMANDOPFSUUYRM - [0:0]
:KUBE-SEP-L4Q7P2A56O3BRT5V - [0:0]
:KUBE-SEP-MAGUPMGHQ4SYPH3Z - [0:0]
:KUBE-SEP-MLCXYQXRZBTQGSWO - [0:0]
:KUBE-SEP-MZPGDVSBXCI445WY - [0:0]
:KUBE-SEP-NJYTX6UQFVGWZ3CW - [0:0]
:KUBE-SEP-NNGMHMYESJ4VHDBO - [0:0]
:KUBE-SEP-O72F3AYB5ZA3T57F - [0:0]
:KUBE-SEP-OHQWPSWETPKDAEDB - [0:0]
:KUBE-SEP-OJXM5U43NVI6LWHE - [0:0]
:KUBE-SEP-OYJWJ2BI4X6YKYL6 - [0:0]
:KUBE-SEP-PRZIRSCBN725W3AF - [0:0]
:KUBE-SEP-R5N5226U5KO4YKUS - [0:0]
:KUBE-SEP-RRS4NH6WQ5DUFSWQ - [0:0]
:KUBE-SEP-S2HYMJLUTHICA4HF - [0:0]
:KUBE-SEP-SQJJZSJPZECSGRW6 - [0:0]
:KUBE-SEP-SZZ7MOWKTWUFXIJT - [0:0]
:KUBE-SEP-TCEQYW72XJYUXQCS - [0:0]
:KUBE-SEP-TQGVBMVPB27MY32T - [0:0]
:KUBE-SEP-UJJNLSZU6HL4F5UO - [0:0]
:KUBE-SEP-UWG5X5PQ3H55QDK7 - [0:0]
:KUBE-SEP-VDIAXT75ZN7FIBWV - [0:0]
:KUBE-SEP-VGQOIEKZQ7YOIJTQ - [0:0]
:KUBE-SEP-WE44Z53SFRBACWCD - [0:0]
:KUBE-SEP-WZMKPCNFFNW2GSJP - [0:0]
:KUBE-SEP-YM4YUX3532XD5ANF - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-22SFEYCEMTJRPU4Y - [0:0]
:KUBE-SVC-3IK4M33DJP7J77ZU - [0:0]
:KUBE-SVC-3XHAPDZ2SSE6DUFQ - [0:0]
:KUBE-SVC-3ZDHMHBJ4TQPN6YW - [0:0]
:KUBE-SVC-4BQASKKZBUHVUKPW - [0:0]
:KUBE-SVC-55XDDSOMT7GLYG6B - [0:0]
:KUBE-SVC-62L5C2KEOX6ICGVJ - [0:0]
:KUBE-SVC-6N4OP6ZNRR7R3GKW - [0:0]
:KUBE-SVC-6W6JV2RNZSFPWRVZ - [0:0]
:KUBE-SVC-7N6LHPYFOVFT454K - [0:0]
:KUBE-SVC-7NKQV7KRSMGKZMKF - [0:0]
:KUBE-SVC-A4N66M5KWTPIOJ3M - [0:0]
:KUBE-SVC-DVMPY5RYN62D73EJ - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-F2IARDLERJIFF7VR - [0:0]
:KUBE-SVC-F4WP6CIDODMYIYVX - [0:0]
:KUBE-SVC-FNIRFTR6AM2WTDP7 - [0:0]
:KUBE-SVC-FWUZ7WRQUHHJNJ54 - [0:0]
:KUBE-SVC-G6D3V5KS3PXPUEDS - [0:0]
:KUBE-SVC-IBZWWK3KTI7UHZ5A - [0:0]
:KUBE-SVC-K452ZV6IYIAVNGP2 - [0:0]
:KUBE-SVC-K7J76NXP7AUZVFGS - [0:0]
:KUBE-SVC-KAMYK5TIXMZU3YTO - [0:0]
:KUBE-SVC-KJXHRH2GAPVGE7JV - [0:0]
:KUBE-SVC-LTOKVKL3D46WIGR3 - [0:0]
:KUBE-SVC-MOGYKZGMI2GFGYKR - [0:0]
:KUBE-SVC-MOJGSJ7NVZO75AX4 - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-OUON3FTD7HM7NL6D - [0:0]
:KUBE-SVC-POFVSRMRNLJ5KKAQ - [0:0]
:KUBE-SVC-QKBPQ4SGBRRTCDLV - [0:0]
:KUBE-SVC-RE6JWH3DBIURQRB2 - [0:0]
:KUBE-SVC-RPUGQCDLMV3GNS5S - [0:0]
:KUBE-SVC-SEST5XGLUQ5J34LB - [0:0]
:KUBE-SVC-SWAUWSHBU25OTO33 - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:KUBE-SVC-TQ34WR2LLKW7ES4K - [0:0]
:KUBE-SVC-TUZA6CVEP5VUF2XG - [0:0]
:KUBE-SVC-U2XTOAGOXQJP3ONI - [0:0]
:KUBE-SVC-UBK3RQ57NJWVL3NK - [0:0]
:KUBE-SVC-URHNY53EOWC2EMYB - [0:0]
:KUBE-SVC-WCVDNE75ZH7OMWGI - [0:0]
:KUBE-SVC-XGLOHA7QRQ3V22RZ - [0:0]
:KUBE-SVC-YGLWZMENMIM6GX3O - [0:0]
:KUBE-SVC-YH3LEFIUTBLV7MHJ - [0:0]
:WEAVE - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j WEAVE
-A DOCKER -i docker0 -j RETURN
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-prometheus" -m tcp --dport 30320 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-prometheus" -m tcp --dport 30320 -j KUBE-SVC-3XHAPDZ2SSE6DUFQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-citadel-grpc-tls" -m tcp --dport 31563 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-citadel-grpc-tls" -m tcp --dport 31563 -j KUBE-SVC-4BQASKKZBUHVUKPW
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-grafana" -m tcp --dport 31351 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-grafana" -m tcp --dport 31351 -j KUBE-SVC-FNIRFTR6AM2WTDP7
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:https" -m tcp --dport 31390 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:https" -m tcp --dport 31390 -j KUBE-SVC-7N6LHPYFOVFT454K
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp" -m tcp --dport 31400 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp" -m tcp --dport 31400 -j KUBE-SVC-62L5C2KEOX6ICGVJ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-pilot-grpc-tls" -m tcp --dport 32651 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-pilot-grpc-tls" -m tcp --dport 32651 -j KUBE-SVC-F4WP6CIDODMYIYVX
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2" -m tcp --dport 31380 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2" -m tcp --dport 31380 -j KUBE-SVC-G6D3V5KS3PXPUEDS
-A KUBE-NODEPORTS -p tcp -m comment --comment "docker-registry/docker-registry:" -m tcp --dport 31429 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "docker-registry/docker-registry:" -m tcp --dport 31429 -j KUBE-SVC-6N4OP6ZNRR7R3GKW
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-dns-tls" -m tcp --dport 31747 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-dns-tls" -m tcp --dport 31747 -j KUBE-SVC-FWUZ7WRQUHHJNJ54
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-A KUBE-SEP-2447GU5RTIFBOAK6 -s 10.36.0.7/32 -m comment --comment "istio-system/istio-pilot:http-monitoring" -j KUBE-MARK-MASQ
-A KUBE-SEP-2447GU5RTIFBOAK6 -p tcp -m comment --comment "istio-system/istio-pilot:http-monitoring" -m tcp -j DNAT --to-destination 10.36.0.7:9093
-A KUBE-SEP-26E5AQBAPBB273GU -s 10.36.0.3/32 -m comment --comment "istio-system/istio-ingressgateway:tcp-dns-tls" -j KUBE-MARK-MASQ
-A KUBE-SEP-26E5AQBAPBB273GU -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-dns-tls" -m tcp -j DNAT --to-destination 10.36.0.3:853
-A KUBE-SEP-2RTWY72KF4R5H4PN -s 10.36.0.11/32 -m comment --comment "istio-system/jaeger-collector:jaeger-collector-tchannel" -j KUBE-MARK-MASQ
-A KUBE-SEP-2RTWY72KF4R5H4PN -p tcp -m comment --comment "istio-system/jaeger-collector:jaeger-collector-tchannel" -m tcp -j DNAT --to-destination 10.36.0.11:14267
-A KUBE-SEP-3MUETLFVSYZJNT6T -s 10.36.0.8/32 -m comment --comment "istio-system/istio-citadel:http-monitoring" -j KUBE-MARK-MASQ
-A KUBE-SEP-3MUETLFVSYZJNT6T -p tcp -m comment --comment "istio-system/istio-citadel:http-monitoring" -m tcp -j DNAT --to-destination 10.36.0.8:9093
-A KUBE-SEP-4CPZW7KXGMZ2FWXK -s 10.36.0.0/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-4CPZW7KXGMZ2FWXK -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.36.0.0:53
-A KUBE-SEP-4JU7VUHRYIFE5ETA -s 10.36.0.5/32 -m comment --comment "istio-system/istio-telemetry:prometheus" -j KUBE-MARK-MASQ
-A KUBE-SEP-4JU7VUHRYIFE5ETA -p tcp -m comment --comment "istio-system/istio-telemetry:prometheus" -m tcp -j DNAT --to-destination 10.36.0.5:42422
-A KUBE-SEP-5VKEIBBWB6VGT6YY -s 10.35.0.0/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-5VKEIBBWB6VGT6YY -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.35.0.0:53
-A KUBE-SEP-6BGWFBA2ZVVL4XUJ -s 10.36.0.11/32 -m comment --comment "istio-system/jaeger-query:query-http" -j KUBE-MARK-MASQ
-A KUBE-SEP-6BGWFBA2ZVVL4XUJ -p tcp -m comment --comment "istio-system/jaeger-query:query-http" -m tcp -j DNAT --to-destination 10.36.0.11:16686
-A KUBE-SEP-6M7V3CMG65XMYRI6 -s aaa.aaa.aaa.aaa/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-6M7V3CMG65XMYRI6 -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination aaa.aaa.aaa.aaa:6443
-A KUBE-SEP-6VTFHLFYGHSFVRX5 -s 10.36.0.3/32 -m comment --comment "istio-system/istio-ingressgateway:tcp-pilot-grpc-tls" -j KUBE-MARK-MASQ
-A KUBE-SEP-6VTFHLFYGHSFVRX5 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-pilot-grpc-tls" -m tcp -j DNAT --to-destination 10.36.0.3:15011
-A KUBE-SEP-75GI72J4NPBKQV25 -s 10.36.0.9/32 -m comment --comment "istio-system/servicegraph:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-75GI72J4NPBKQV25 -p tcp -m comment --comment "istio-system/servicegraph:http" -m tcp -j DNAT --to-destination 10.36.0.9:8088
-A KUBE-SEP-B7DIGK5JH3OAZM2M -s 10.36.0.5/32 -m comment --comment "istio-system/istio-telemetry:grpc-mixer-mtls" -j KUBE-MARK-MASQ
-A KUBE-SEP-B7DIGK5JH3OAZM2M -p tcp -m comment --comment "istio-system/istio-telemetry:grpc-mixer-mtls" -m tcp -j DNAT --to-destination 10.36.0.5:15004
-A KUBE-SEP-BNIBTBUCQSIDRFOT -s 10.36.0.5/32 -m comment --comment "istio-system/istio-telemetry:grpc-mixer" -j KUBE-MARK-MASQ
-A KUBE-SEP-BNIBTBUCQSIDRFOT -p tcp -m comment --comment "istio-system/istio-telemetry:grpc-mixer" -m tcp -j DNAT --to-destination 10.36.0.5:9091
-A KUBE-SEP-BTV3UBEYKKT2ZAFY -s 10.36.0.11/32 -m comment --comment "istio-system/zipkin:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-BTV3UBEYKKT2ZAFY -p tcp -m comment --comment "istio-system/zipkin:http" -m tcp -j DNAT --to-destination 10.36.0.11:9411
-A KUBE-SEP-CE4MAC43A4U7UWW2 -s 10.36.0.11/32 -m comment --comment "istio-system/jaeger-collector:jaeger-collector-http" -j KUBE-MARK-MASQ
-A KUBE-SEP-CE4MAC43A4U7UWW2 -p tcp -m comment --comment "istio-system/jaeger-collector:jaeger-collector-http" -m tcp -j DNAT --to-destination 10.36.0.11:14268
-A KUBE-SEP-CYNCKEY6DCH5LVB3 -s 10.35.0.5/32 -m comment --comment "guideandgo/mysql:" -j KUBE-MARK-MASQ
-A KUBE-SEP-CYNCKEY6DCH5LVB3 -p tcp -m comment --comment "guideandgo/mysql:" -m tcp -j DNAT --to-destination 10.35.0.5:3306
-A KUBE-SEP-DXGXB64BFQM5O6HI -s 10.36.0.12/32 -m comment --comment "istio-system/istio-policy:http-monitoring" -j KUBE-MARK-MASQ
-A KUBE-SEP-DXGXB64BFQM5O6HI -p tcp -m comment --comment "istio-system/istio-policy:http-monitoring" -m tcp -j DNAT --to-destination 10.36.0.12:9093
-A KUBE-SEP-FYQCQQKKIGOOCAKG -s 10.36.0.3/32 -m comment --comment "istio-system/istio-ingressgateway:tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-FYQCQQKKIGOOCAKG -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp" -m tcp -j DNAT --to-destination 10.36.0.3:31400
-A KUBE-SEP-G6S7BO7XZ4QVHZK6 -s 10.36.0.12/32 -m comment --comment "istio-system/istio-policy:grpc-mixer" -j KUBE-MARK-MASQ
-A KUBE-SEP-G6S7BO7XZ4QVHZK6 -p tcp -m comment --comment "istio-system/istio-policy:grpc-mixer" -m tcp -j DNAT --to-destination 10.36.0.12:9091
-A KUBE-SEP-GVTBAXUPJLV2N23L -s 10.36.0.3/32 -m comment --comment "istio-system/istio-ingressgateway:tcp-citadel-grpc-tls" -j KUBE-MARK-MASQ
-A KUBE-SEP-GVTBAXUPJLV2N23L -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-citadel-grpc-tls" -m tcp -j DNAT --to-destination 10.36.0.3:8060
-A KUBE-SEP-HBTKOG2WQRAVWLMZ -s 10.36.0.11/32 -m comment --comment "istio-system/tracing:http-query" -j KUBE-MARK-MASQ
-A KUBE-SEP-HBTKOG2WQRAVWLMZ -p tcp -m comment --comment "istio-system/tracing:http-query" -m tcp -j DNAT --to-destination 10.36.0.11:16686
-A KUBE-SEP-JP4QVL53NAA5VUP4 -s 10.36.0.8/32 -m comment --comment "istio-system/istio-citadel:grpc-citadel" -j KUBE-MARK-MASQ
-A KUBE-SEP-JP4QVL53NAA5VUP4 -p tcp -m comment --comment "istio-system/istio-citadel:grpc-citadel" -m tcp -j DNAT --to-destination 10.36.0.8:8060
-A KUBE-SEP-KR7ENJI3VOKZJZGY -s 10.36.0.7/32 -m comment --comment "istio-system/istio-pilot:grpc-xds" -j KUBE-MARK-MASQ
-A KUBE-SEP-KR7ENJI3VOKZJZGY -p tcp -m comment --comment "istio-system/istio-pilot:grpc-xds" -m tcp -j DNAT --to-destination 10.36.0.7:15010
-A KUBE-SEP-KYPMANDOPFSUUYRM -s 10.36.0.7/32 -m comment --comment "istio-system/istio-pilot:https-xds" -j KUBE-MARK-MASQ
-A KUBE-SEP-KYPMANDOPFSUUYRM -p tcp -m comment --comment "istio-system/istio-pilot:https-xds" -m tcp -j DNAT --to-destination 10.36.0.7:15011
-A KUBE-SEP-L4Q7P2A56O3BRT5V -s 10.36.0.3/32 -m comment --comment "istio-system/istio-ingressgateway:http2-prometheus" -j KUBE-MARK-MASQ
-A KUBE-SEP-L4Q7P2A56O3BRT5V -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-prometheus" -m tcp -j DNAT --to-destination 10.36.0.3:15030
-A KUBE-SEP-MAGUPMGHQ4SYPH3Z -s 10.36.0.12/32 -m comment --comment "istio-system/istio-policy:grpc-mixer-mtls" -j KUBE-MARK-MASQ
-A KUBE-SEP-MAGUPMGHQ4SYPH3Z -p tcp -m comment --comment "istio-system/istio-policy:grpc-mixer-mtls" -m tcp -j DNAT --to-destination 10.36.0.12:15004
-A KUBE-SEP-MLCXYQXRZBTQGSWO -s 10.36.0.6/32 -m comment --comment "istio-system/prometheus:http-prometheus" -j KUBE-MARK-MASQ
-A KUBE-SEP-MLCXYQXRZBTQGSWO -p tcp -m comment --comment "istio-system/prometheus:http-prometheus" -m tcp -j DNAT --to-destination 10.36.0.6:9090
-A KUBE-SEP-MZPGDVSBXCI445WY -s 10.44.0.1/32 -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-MARK-MASQ
-A KUBE-SEP-MZPGDVSBXCI445WY -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp -j DNAT --to-destination 10.44.0.1:8443
-A KUBE-SEP-NJYTX6UQFVGWZ3CW -s 10.35.0.1/32 -m comment --comment "docker-registry/docker-registry:" -j KUBE-MARK-MASQ
-A KUBE-SEP-NJYTX6UQFVGWZ3CW -p tcp -m comment --comment "docker-registry/docker-registry:" -m tcp -j DNAT --to-destination 10.35.0.1:5000
-A KUBE-SEP-NNGMHMYESJ4VHDBO -s 10.35.0.3/32 -m comment --comment "guideandgo/api-gateway:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-NNGMHMYESJ4VHDBO -p tcp -m comment --comment "guideandgo/api-gateway:http" -m tcp -j DNAT --to-destination 10.35.0.3:80
-A KUBE-SEP-O72F3AYB5ZA3T57F -s 10.36.0.5/32 -m comment --comment "istio-system/istio-telemetry:http-monitoring" -j KUBE-MARK-MASQ
-A KUBE-SEP-O72F3AYB5ZA3T57F -p tcp -m comment --comment "istio-system/istio-telemetry:http-monitoring" -m tcp -j DNAT --to-destination 10.36.0.5:9093
-A KUBE-SEP-OHQWPSWETPKDAEDB -s 10.36.0.3/32 -m comment --comment "istio-system/istio-ingressgateway:http2" -j KUBE-MARK-MASQ
-A KUBE-SEP-OHQWPSWETPKDAEDB -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2" -m tcp -j DNAT --to-destination 10.36.0.3:80
-A KUBE-SEP-OJXM5U43NVI6LWHE -s 10.36.0.15/32 -m comment --comment "istio-system/istio-sidecar-injector:" -j KUBE-MARK-MASQ
-A KUBE-SEP-OJXM5U43NVI6LWHE -p tcp -m comment --comment "istio-system/istio-sidecar-injector:" -m tcp -j DNAT --to-destination 10.36.0.15:443
-A KUBE-SEP-OYJWJ2BI4X6YKYL6 -s 10.35.0.2/32 -m comment --comment "guideandgo/redis:" -j KUBE-MARK-MASQ
-A KUBE-SEP-OYJWJ2BI4X6YKYL6 -p tcp -m comment --comment "guideandgo/redis:" -m tcp -j DNAT --to-destination 10.35.0.2:6379
-A KUBE-SEP-PRZIRSCBN725W3AF -s 10.36.0.0/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-PRZIRSCBN725W3AF -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.36.0.0:53
-A KUBE-SEP-R5N5226U5KO4YKUS -s 10.36.0.1/32 -m comment --comment "kube-system/tiller-deploy:tiller" -j KUBE-MARK-MASQ
-A KUBE-SEP-R5N5226U5KO4YKUS -p tcp -m comment --comment "kube-system/tiller-deploy:tiller" -m tcp -j DNAT --to-destination 10.36.0.1:44134
-A KUBE-SEP-RRS4NH6WQ5DUFSWQ -s 10.36.0.4/32 -m comment --comment "istio-system/istio-egressgateway:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-RRS4NH6WQ5DUFSWQ -p tcp -m comment --comment "istio-system/istio-egressgateway:https" -m tcp -j DNAT --to-destination 10.36.0.4:443
-A KUBE-SEP-S2HYMJLUTHICA4HF -s 10.36.0.14/32 -m comment --comment "istio-system/istio-galley:https-validation" -j KUBE-MARK-MASQ
-A KUBE-SEP-S2HYMJLUTHICA4HF -p tcp -m comment --comment "istio-system/istio-galley:https-validation" -m tcp -j DNAT --to-destination 10.36.0.14:443
-A KUBE-SEP-SQJJZSJPZECSGRW6 -s 10.36.0.7/32 -m comment --comment "istio-system/istio-pilot:http-legacy-discovery" -j KUBE-MARK-MASQ
-A KUBE-SEP-SQJJZSJPZECSGRW6 -p tcp -m comment --comment "istio-system/istio-pilot:http-legacy-discovery" -m tcp -j DNAT --to-destination 10.36.0.7:8080
-A KUBE-SEP-SZZ7MOWKTWUFXIJT -s 10.32.0.2/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-SZZ7MOWKTWUFXIJT -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.32.0.2:53
-A KUBE-SEP-TCEQYW72XJYUXQCS -s 10.36.0.13/32 -m comment --comment "istio-system/istio-statsd-prom-bridge:statsd-prom" -j KUBE-MARK-MASQ
-A KUBE-SEP-TCEQYW72XJYUXQCS -p tcp -m comment --comment "istio-system/istio-statsd-prom-bridge:statsd-prom" -m tcp -j DNAT --to-destination 10.36.0.13:9102
-A KUBE-SEP-TQGVBMVPB27MY32T -s 10.36.0.4/32 -m comment --comment "istio-system/istio-egressgateway:http2" -j KUBE-MARK-MASQ
-A KUBE-SEP-TQGVBMVPB27MY32T -p tcp -m comment --comment "istio-system/istio-egressgateway:http2" -m tcp -j DNAT --to-destination 10.36.0.4:80
-A KUBE-SEP-UJJNLSZU6HL4F5UO -s 10.32.0.2/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-UJJNLSZU6HL4F5UO -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.32.0.2:53
-A KUBE-SEP-UWG5X5PQ3H55QDK7 -s 10.36.0.3/32 -m comment --comment "istio-system/istio-ingressgateway:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-UWG5X5PQ3H55QDK7 -p tcp -m comment --comment "istio-system/istio-ingressgateway:https" -m tcp -j DNAT --to-destination 10.36.0.3:443
-A KUBE-SEP-VDIAXT75ZN7FIBWV -s 10.36.0.14/32 -m comment --comment "istio-system/istio-galley:http-monitoring" -j KUBE-MARK-MASQ
-A KUBE-SEP-VDIAXT75ZN7FIBWV -p tcp -m comment --comment "istio-system/istio-galley:http-monitoring" -m tcp -j DNAT --to-destination 10.36.0.14:9093
-A KUBE-SEP-VGQOIEKZQ7YOIJTQ -s 10.36.0.3/32 -m comment --comment "istio-system/istio-ingressgateway:http2-grafana" -j KUBE-MARK-MASQ
-A KUBE-SEP-VGQOIEKZQ7YOIJTQ -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-grafana" -m tcp -j DNAT --to-destination 10.36.0.3:15031
-A KUBE-SEP-WE44Z53SFRBACWCD -s 10.36.0.13/32 -m comment --comment "istio-system/istio-statsd-prom-bridge:statsd-udp" -j KUBE-MARK-MASQ
-A KUBE-SEP-WE44Z53SFRBACWCD -p udp -m comment --comment "istio-system/istio-statsd-prom-bridge:statsd-udp" -m udp -j DNAT --to-destination 10.36.0.13:9125
-A KUBE-SEP-WZMKPCNFFNW2GSJP -s 10.35.0.0/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-WZMKPCNFFNW2GSJP -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.35.0.0:53
-A KUBE-SEP-YM4YUX3532XD5ANF -s 10.36.0.2/32 -m comment --comment "istio-system/grafana:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-YM4YUX3532XD5ANF -p tcp -m comment --comment "istio-system/grafana:http" -m tcp -j DNAT --to-destination 10.36.0.2:3000
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.110.244.118/32 -p tcp -m comment --comment "istio-system/istio-galley:http-monitoring cluster IP" -m tcp --dport 9093 -j KUBE-SVC-55XDDSOMT7GLYG6B
-A KUBE-SERVICES -d 10.105.210.96/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-prometheus cluster IP" -m tcp --dport 15030 -j KUBE-SVC-3XHAPDZ2SSE6DUFQ
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-prometheus external IP" -m tcp --dport 15030 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-prometheus external IP" -m tcp --dport 15030 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-3XHAPDZ2SSE6DUFQ
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-prometheus external IP" -m tcp --dport 15030 -m addrtype --dst-type LOCAL -j KUBE-SVC-3XHAPDZ2SSE6DUFQ
-A KUBE-SERVICES -d 10.97.118.46/32 -p tcp -m comment --comment "istio-system/istio-policy:grpc-mixer cluster IP" -m tcp --dport 9091 -j KUBE-SVC-U2XTOAGOXQJP3ONI
-A KUBE-SERVICES -d 10.97.109.215/32 -p tcp -m comment --comment "istio-system/tracing:http-query cluster IP" -m tcp --dport 80 -j KUBE-SVC-A4N66M5KWTPIOJ3M
-A KUBE-SERVICES -d 10.99.84.128/32 -p tcp -m comment --comment "guideandgo/api-gateway:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-3IK4M33DJP7J77ZU
-A KUBE-SERVICES -d 10.111.132.165/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 443 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-SERVICES -d 10.105.142.210/32 -p tcp -m comment --comment "kube-system/tiller-deploy:tiller cluster IP" -m tcp --dport 44134 -j KUBE-SVC-K7J76NXP7AUZVFGS
-A KUBE-SERVICES -d 10.110.244.118/32 -p tcp -m comment --comment "istio-system/istio-galley:https-validation cluster IP" -m tcp --dport 443 -j KUBE-SVC-OUON3FTD7HM7NL6D
-A KUBE-SERVICES -d 10.105.210.96/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-citadel-grpc-tls cluster IP" -m tcp --dport 8060 -j KUBE-SVC-4BQASKKZBUHVUKPW
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-citadel-grpc-tls external IP" -m tcp --dport 8060 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-citadel-grpc-tls external IP" -m tcp --dport 8060 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-4BQASKKZBUHVUKPW
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-citadel-grpc-tls external IP" -m tcp --dport 8060 -m addrtype --dst-type LOCAL -j KUBE-SVC-4BQASKKZBUHVUKPW
-A KUBE-SERVICES -d 10.105.210.96/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-grafana cluster IP" -m tcp --dport 15031 -j KUBE-SVC-FNIRFTR6AM2WTDP7
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-grafana external IP" -m tcp --dport 15031 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-grafana external IP" -m tcp --dport 15031 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-FNIRFTR6AM2WTDP7
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2-grafana external IP" -m tcp --dport 15031 -m addrtype --dst-type LOCAL -j KUBE-SVC-FNIRFTR6AM2WTDP7
-A KUBE-SERVICES -d 10.98.35.184/32 -p tcp -m comment --comment "istio-system/istio-citadel:http-monitoring cluster IP" -m tcp --dport 9093 -j KUBE-SVC-MOGYKZGMI2GFGYKR
-A KUBE-SERVICES -d 10.111.117.246/32 -p tcp -m comment --comment "istio-system/istio-pilot:http-legacy-discovery cluster IP" -m tcp --dport 8080 -j KUBE-SVC-YGLWZMENMIM6GX3O
-A KUBE-SERVICES -d 10.104.79.133/32 -p tcp -m comment --comment "istio-system/jaeger-query:query-http cluster IP" -m tcp --dport 16686 -j KUBE-SVC-3ZDHMHBJ4TQPN6YW
-A KUBE-SERVICES -d 10.105.210.96/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-7N6LHPYFOVFT454K
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:https external IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:https external IP" -m tcp --dport 443 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-7N6LHPYFOVFT454K
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:https external IP" -m tcp --dport 443 -m addrtype --dst-type LOCAL -j KUBE-SVC-7N6LHPYFOVFT454K
-A KUBE-SERVICES -d 10.105.210.96/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp cluster IP" -m tcp --dport 31400 -j KUBE-SVC-62L5C2KEOX6ICGVJ
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp external IP" -m tcp --dport 31400 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp external IP" -m tcp --dport 31400 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-62L5C2KEOX6ICGVJ
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp external IP" -m tcp --dport 31400 -m addrtype --dst-type LOCAL -j KUBE-SVC-62L5C2KEOX6ICGVJ
-A KUBE-SERVICES -d 10.105.210.96/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-pilot-grpc-tls cluster IP" -m tcp --dport 15011 -j KUBE-SVC-F4WP6CIDODMYIYVX
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-pilot-grpc-tls external IP" -m tcp --dport 15011 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-pilot-grpc-tls external IP" -m tcp --dport 15011 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-F4WP6CIDODMYIYVX
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-pilot-grpc-tls external IP" -m tcp --dport 15011 -m addrtype --dst-type LOCAL -j KUBE-SVC-F4WP6CIDODMYIYVX
-A KUBE-SERVICES -d 10.97.27.68/32 -p tcp -m comment --comment "istio-system/istio-egressgateway:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-F2IARDLERJIFF7VR
-A KUBE-SERVICES -d 10.106.207.77/32 -p tcp -m comment --comment "istio-system/istio-telemetry:grpc-mixer-mtls cluster IP" -m tcp --dport 15004 -j KUBE-SVC-POFVSRMRNLJ5KKAQ
-A KUBE-SERVICES -d 10.97.118.46/32 -p tcp -m comment --comment "istio-system/istio-policy:http-monitoring cluster IP" -m tcp --dport 9093 -j KUBE-SVC-KAMYK5TIXMZU3YTO
-A KUBE-SERVICES -d 10.110.90.141/32 -p tcp -m comment --comment "istio-system/jaeger-collector:jaeger-collector-tchannel cluster IP" -m tcp --dport 14267 -j KUBE-SVC-QKBPQ4SGBRRTCDLV
-A KUBE-SERVICES -d 10.110.90.141/32 -p tcp -m comment --comment "istio-system/jaeger-collector:jaeger-collector-http cluster IP" -m tcp --dport 14268 -j KUBE-SVC-SEST5XGLUQ5J34LB
-A KUBE-SERVICES -d 10.103.86.155/32 -p tcp -m comment --comment "guideandgo/mysql: cluster IP" -m tcp --dport 3306 -j KUBE-SVC-YH3LEFIUTBLV7MHJ
-A KUBE-SERVICES -d 10.105.210.96/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2 cluster IP" -m tcp --dport 80 -j KUBE-SVC-G6D3V5KS3PXPUEDS
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2 external IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2 external IP" -m tcp --dport 80 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-G6D3V5KS3PXPUEDS
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:http2 external IP" -m tcp --dport 80 -m addrtype --dst-type LOCAL -j KUBE-SVC-G6D3V5KS3PXPUEDS
-A KUBE-SERVICES -d 10.97.27.68/32 -p tcp -m comment --comment "istio-system/istio-egressgateway:http2 cluster IP" -m tcp --dport 80 -j KUBE-SVC-IBZWWK3KTI7UHZ5A
-A KUBE-SERVICES -d 10.107.121.217/32 -p tcp -m comment --comment "istio-system/grafana:http cluster IP" -m tcp --dport 3000 -j KUBE-SVC-K452ZV6IYIAVNGP2
-A KUBE-SERVICES -d 10.106.207.77/32 -p tcp -m comment --comment "istio-system/istio-telemetry:prometheus cluster IP" -m tcp --dport 42422 -j KUBE-SVC-SWAUWSHBU25OTO33
-A KUBE-SERVICES -d 10.98.35.184/32 -p tcp -m comment --comment "istio-system/istio-citadel:grpc-citadel cluster IP" -m tcp --dport 8060 -j KUBE-SVC-6W6JV2RNZSFPWRVZ
-A KUBE-SERVICES -d 10.106.207.77/32 -p tcp -m comment --comment "istio-system/istio-telemetry:http-monitoring cluster IP" -m tcp --dport 9093 -j KUBE-SVC-7NKQV7KRSMGKZMKF
-A KUBE-SERVICES -d 10.111.117.246/32 -p tcp -m comment --comment "istio-system/istio-pilot:grpc-xds cluster IP" -m tcp --dport 15010 -j KUBE-SVC-RE6JWH3DBIURQRB2
-A KUBE-SERVICES -d 10.98.186.192/32 -p tcp -m comment --comment "docker-registry/docker-registry: cluster IP" -m tcp --dport 5000 -j KUBE-SVC-6N4OP6ZNRR7R3GKW
-A KUBE-SERVICES -d 10.106.207.77/32 -p tcp -m comment --comment "istio-system/istio-telemetry:grpc-mixer cluster IP" -m tcp --dport 9091 -j KUBE-SVC-LTOKVKL3D46WIGR3
-A KUBE-SERVICES -d 10.111.117.246/32 -p tcp -m comment --comment "istio-system/istio-pilot:https-xds cluster IP" -m tcp --dport 15011 -j KUBE-SVC-DVMPY5RYN62D73EJ
-A KUBE-SERVICES -d 10.110.121.234/32 -p tcp -m comment --comment "istio-system/istio-sidecar-injector: cluster IP" -m tcp --dport 443 -j KUBE-SVC-MOJGSJ7NVZO75AX4
-A KUBE-SERVICES -d 10.111.251.224/32 -p tcp -m comment --comment "istio-system/zipkin:http cluster IP" -m tcp --dport 9411 -j KUBE-SVC-UBK3RQ57NJWVL3NK
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.97.118.46/32 -p tcp -m comment --comment "istio-system/istio-policy:grpc-mixer-mtls cluster IP" -m tcp --dport 15004 -j KUBE-SVC-TUZA6CVEP5VUF2XG
-A KUBE-SERVICES -d 10.101.0.190/32 -p tcp -m comment --comment "istio-system/servicegraph:http cluster IP" -m tcp --dport 8088 -j KUBE-SVC-TQ34WR2LLKW7ES4K
-A KUBE-SERVICES -d 10.105.210.96/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-dns-tls cluster IP" -m tcp --dport 853 -j KUBE-SVC-FWUZ7WRQUHHJNJ54
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-dns-tls external IP" -m tcp --dport 853 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-dns-tls external IP" -m tcp --dport 853 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-FWUZ7WRQUHHJNJ54
-A KUBE-SERVICES -d aaa.aaa.aaa.aaa/32 -p tcp -m comment --comment "istio-system/istio-ingressgateway:tcp-dns-tls external IP" -m tcp --dport 853 -m addrtype --dst-type LOCAL -j KUBE-SVC-FWUZ7WRQUHHJNJ54
-A KUBE-SERVICES -d 10.108.147.221/32 -p udp -m comment --comment "istio-system/istio-statsd-prom-bridge:statsd-udp cluster IP" -m udp --dport 9125 -j KUBE-SVC-URHNY53EOWC2EMYB
-A KUBE-SERVICES -d 10.108.147.221/32 -p tcp -m comment --comment "istio-system/istio-statsd-prom-bridge:statsd-prom cluster IP" -m tcp --dport 9102 -j KUBE-SVC-RPUGQCDLMV3GNS5S
-A KUBE-SERVICES -d 10.111.117.246/32 -p tcp -m comment --comment "istio-system/istio-pilot:http-monitoring cluster IP" -m tcp --dport 9093 -j KUBE-SVC-22SFEYCEMTJRPU4Y
-A KUBE-SERVICES -d 10.97.40.145/32 -p tcp -m comment --comment "istio-system/prometheus:http-prometheus cluster IP" -m tcp --dport 9090 -j KUBE-SVC-KJXHRH2GAPVGE7JV
-A KUBE-SERVICES -d 10.107.154.57/32 -p tcp -m comment --comment "guideandgo/redis: cluster IP" -m tcp --dport 6379 -j KUBE-SVC-WCVDNE75ZH7OMWGI
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-22SFEYCEMTJRPU4Y -m comment --comment "istio-system/istio-pilot:http-monitoring" -j KUBE-SEP-2447GU5RTIFBOAK6
-A KUBE-SVC-3IK4M33DJP7J77ZU -m comment --comment "guideandgo/api-gateway:http" -j KUBE-SEP-NNGMHMYESJ4VHDBO
-A KUBE-SVC-3XHAPDZ2SSE6DUFQ -m comment --comment "istio-system/istio-ingressgateway:http2-prometheus" -j KUBE-SEP-L4Q7P2A56O3BRT5V
-A KUBE-SVC-3ZDHMHBJ4TQPN6YW -m comment --comment "istio-system/jaeger-query:query-http" -j KUBE-SEP-6BGWFBA2ZVVL4XUJ
-A KUBE-SVC-4BQASKKZBUHVUKPW -m comment --comment "istio-system/istio-ingressgateway:tcp-citadel-grpc-tls" -j KUBE-SEP-GVTBAXUPJLV2N23L
-A KUBE-SVC-55XDDSOMT7GLYG6B -m comment --comment "istio-system/istio-galley:http-monitoring" -j KUBE-SEP-VDIAXT75ZN7FIBWV
-A KUBE-SVC-62L5C2KEOX6ICGVJ -m comment --comment "istio-system/istio-ingressgateway:tcp" -j KUBE-SEP-FYQCQQKKIGOOCAKG
-A KUBE-SVC-6N4OP6ZNRR7R3GKW -m comment --comment "docker-registry/docker-registry:" -j KUBE-SEP-NJYTX6UQFVGWZ3CW
-A KUBE-SVC-6W6JV2RNZSFPWRVZ -m comment --comment "istio-system/istio-citadel:grpc-citadel" -j KUBE-SEP-JP4QVL53NAA5VUP4
-A KUBE-SVC-7N6LHPYFOVFT454K -m comment --comment "istio-system/istio-ingressgateway:https" -j KUBE-SEP-UWG5X5PQ3H55QDK7
-A KUBE-SVC-7NKQV7KRSMGKZMKF -m comment --comment "istio-system/istio-telemetry:http-monitoring" -j KUBE-SEP-O72F3AYB5ZA3T57F
-A KUBE-SVC-A4N66M5KWTPIOJ3M -m comment --comment "istio-system/tracing:http-query" -j KUBE-SEP-HBTKOG2WQRAVWLMZ
-A KUBE-SVC-DVMPY5RYN62D73EJ -m comment --comment "istio-system/istio-pilot:https-xds" -j KUBE-SEP-KYPMANDOPFSUUYRM
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-UJJNLSZU6HL4F5UO
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5VKEIBBWB6VGT6YY
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-PRZIRSCBN725W3AF
-A KUBE-SVC-F2IARDLERJIFF7VR -m comment --comment "istio-system/istio-egressgateway:https" -j KUBE-SEP-RRS4NH6WQ5DUFSWQ
-A KUBE-SVC-F4WP6CIDODMYIYVX -m comment --comment "istio-system/istio-ingressgateway:tcp-pilot-grpc-tls" -j KUBE-SEP-6VTFHLFYGHSFVRX5
-A KUBE-SVC-FNIRFTR6AM2WTDP7 -m comment --comment "istio-system/istio-ingressgateway:http2-grafana" -j KUBE-SEP-VGQOIEKZQ7YOIJTQ
-A KUBE-SVC-FWUZ7WRQUHHJNJ54 -m comment --comment "istio-system/istio-ingressgateway:tcp-dns-tls" -j KUBE-SEP-26E5AQBAPBB273GU
-A KUBE-SVC-G6D3V5KS3PXPUEDS -m comment --comment "istio-system/istio-ingressgateway:http2" -j KUBE-SEP-OHQWPSWETPKDAEDB
-A KUBE-SVC-IBZWWK3KTI7UHZ5A -m comment --comment "istio-system/istio-egressgateway:http2" -j KUBE-SEP-TQGVBMVPB27MY32T
-A KUBE-SVC-K452ZV6IYIAVNGP2 -m comment --comment "istio-system/grafana:http" -j KUBE-SEP-YM4YUX3532XD5ANF
-A KUBE-SVC-K7J76NXP7AUZVFGS -m comment --comment "kube-system/tiller-deploy:tiller" -j KUBE-SEP-R5N5226U5KO4YKUS
-A KUBE-SVC-KAMYK5TIXMZU3YTO -m comment --comment "istio-system/istio-policy:http-monitoring" -j KUBE-SEP-DXGXB64BFQM5O6HI
-A KUBE-SVC-KJXHRH2GAPVGE7JV -m comment --comment "istio-system/prometheus:http-prometheus" -j KUBE-SEP-MLCXYQXRZBTQGSWO
-A KUBE-SVC-LTOKVKL3D46WIGR3 -m comment --comment "istio-system/istio-telemetry:grpc-mixer" -j KUBE-SEP-BNIBTBUCQSIDRFOT
-A KUBE-SVC-MOGYKZGMI2GFGYKR -m comment --comment "istio-system/istio-citadel:http-monitoring" -j KUBE-SEP-3MUETLFVSYZJNT6T
-A KUBE-SVC-MOJGSJ7NVZO75AX4 -m comment --comment "istio-system/istio-sidecar-injector:" -j KUBE-SEP-OJXM5U43NVI6LWHE
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-6M7V3CMG65XMYRI6
-A KUBE-SVC-OUON3FTD7HM7NL6D -m comment --comment "istio-system/istio-galley:https-validation" -j KUBE-SEP-S2HYMJLUTHICA4HF
-A KUBE-SVC-POFVSRMRNLJ5KKAQ -m comment --comment "istio-system/istio-telemetry:grpc-mixer-mtls" -j KUBE-SEP-B7DIGK5JH3OAZM2M
-A KUBE-SVC-QKBPQ4SGBRRTCDLV -m comment --comment "istio-system/jaeger-collector:jaeger-collector-tchannel" -j KUBE-SEP-2RTWY72KF4R5H4PN
-A KUBE-SVC-RE6JWH3DBIURQRB2 -m comment --comment "istio-system/istio-pilot:grpc-xds" -j KUBE-SEP-KR7ENJI3VOKZJZGY
-A KUBE-SVC-RPUGQCDLMV3GNS5S -m comment --comment "istio-system/istio-statsd-prom-bridge:statsd-prom" -j KUBE-SEP-TCEQYW72XJYUXQCS
-A KUBE-SVC-SEST5XGLUQ5J34LB -m comment --comment "istio-system/jaeger-collector:jaeger-collector-http" -j KUBE-SEP-CE4MAC43A4U7UWW2
-A KUBE-SVC-SWAUWSHBU25OTO33 -m comment --comment "istio-system/istio-telemetry:prometheus" -j KUBE-SEP-4JU7VUHRYIFE5ETA
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-SZZ7MOWKTWUFXIJT
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-WZMKPCNFFNW2GSJP
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-4CPZW7KXGMZ2FWXK
-A KUBE-SVC-TQ34WR2LLKW7ES4K -m comment --comment "istio-system/servicegraph:http" -j KUBE-SEP-75GI72J4NPBKQV25
-A KUBE-SVC-TUZA6CVEP5VUF2XG -m comment --comment "istio-system/istio-policy:grpc-mixer-mtls" -j KUBE-SEP-MAGUPMGHQ4SYPH3Z
-A KUBE-SVC-U2XTOAGOXQJP3ONI -m comment --comment "istio-system/istio-policy:grpc-mixer" -j KUBE-SEP-G6S7BO7XZ4QVHZK6
-A KUBE-SVC-UBK3RQ57NJWVL3NK -m comment --comment "istio-system/zipkin:http" -j KUBE-SEP-BTV3UBEYKKT2ZAFY
-A KUBE-SVC-URHNY53EOWC2EMYB -m comment --comment "istio-system/istio-statsd-prom-bridge:statsd-udp" -j KUBE-SEP-WE44Z53SFRBACWCD
-A KUBE-SVC-WCVDNE75ZH7OMWGI -m comment --comment "guideandgo/redis:" -j KUBE-SEP-OYJWJ2BI4X6YKYL6
-A KUBE-SVC-XGLOHA7QRQ3V22RZ -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-SEP-MZPGDVSBXCI445WY
-A KUBE-SVC-YGLWZMENMIM6GX3O -m comment --comment "istio-system/istio-pilot:http-legacy-discovery" -j KUBE-SEP-SQJJZSJPZECSGRW6
-A KUBE-SVC-YH3LEFIUTBLV7MHJ -m comment --comment "guideandgo/mysql:" -j KUBE-SEP-CYNCKEY6DCH5LVB3
-A WEAVE -s 10.32.0.0/12 -d 224.0.0.0/4 -j RETURN
-A WEAVE ! -s 10.32.0.0/12 -d 10.32.0.0/12 -j MASQUERADE
-A WEAVE -s 10.32.0.0/12 ! -d 10.32.0.0/12 -j MASQUERADE
COMMIT
# Completed on Mon Sep 24 15:36:43 2018
# Generated by iptables-save v1.6.1 on Mon Sep 24 15:36:43 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
:WEAVE-NPC - [0:0]
:WEAVE-NPC-DEFAULT - [0:0]
:WEAVE-NPC-EGRESS - [0:0]
:WEAVE-NPC-EGRESS-ACCEPT - [0:0]
:WEAVE-NPC-EGRESS-CUSTOM - [0:0]
:WEAVE-NPC-EGRESS-DEFAULT - [0:0]
:WEAVE-NPC-INGRESS - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -i weave -j WEAVE-NPC-EGRESS
-A FORWARD -i weave -m comment --comment "NOTE: this must go before \'-j KUBE-FORWARD\'" -j WEAVE-NPC-EGRESS
-A FORWARD -o weave -m comment --comment "NOTE: this must go before \'-j KUBE-FORWARD\'" -j WEAVE-NPC
-A FORWARD -o weave -m state --state NEW -j NFLOG --nflog-group 86
-A FORWARD -o weave -j DROP
-A FORWARD -i weave ! -o weave -j ACCEPT
-A FORWARD -o weave -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A WEAVE-NPC -m state --state RELATED,ESTABLISHED -j ACCEPT
-A WEAVE-NPC -d 224.0.0.0/4 -j ACCEPT
-A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-DEFAULT
-A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-INGRESS
-A WEAVE-NPC -m set ! --match-set weave-local-pods dst -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-bvh)S%F{pyAKiesetV=%.VGEm dst -m comment --comment "DefaultAllow ingress isolation for namespace: istio-system" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-5j+Bh:SU[ueD[|IYoLl(]R7PK dst -m comment --comment "DefaultAllow ingress isolation for namespace: guideandgo" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-;rGqyMIl1HN^cfDki~Z$3]6!N dst -m comment --comment "DefaultAllow ingress isolation for namespace: default" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-Rzff}h:=]JaaJl/G;(XJpGjZ[ dst -m comment --comment "DefaultAllow ingress isolation for namespace: kube-public" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-P.B|!ZhkAr5q=XZ?3}tMBA+0 dst -m comment --comment "DefaultAllow ingress isolation for namespace: kube-system" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set [email protected]($G#E#;DC^=Mt dst -m comment --comment "DefaultAllow ingress isolation for namespace: docker-registry" -j ACCEPT
-A WEAVE-NPC-EGRESS -m state --state RELATED,ESTABLISHED -j ACCEPT
-A WEAVE-NPC-EGRESS -m state --state NEW -m set ! --match-set weave-local-pods src -j RETURN
-A WEAVE-NPC-EGRESS -d 224.0.0.0/4 -j RETURN
-A WEAVE-NPC-EGRESS -m state --state NEW -j WEAVE-NPC-EGRESS-DEFAULT
-A WEAVE-NPC-EGRESS -m state --state NEW -m mark ! --mark 0x40000/0x40000 -j WEAVE-NPC-EGRESS-CUSTOM
-A WEAVE-NPC-EGRESS -m state --state NEW -m mark ! --mark 0x40000/0x40000 -j NFLOG --nflog-group 86
-A WEAVE-NPC-EGRESS -m mark ! --mark 0x40000/0x40000 -j DROP
-A WEAVE-NPC-EGRESS-ACCEPT -j MARK --set-xmark 0x40000/0x40000
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-T!4;|djrJ6I/V(PuRqP3_P8uo src -m comment --comment "DefaultAllow egress isolation for namespace: istio-system" -j WEAVE-NPC-EGRESS-ACCEPT
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-T!4;|djrJ6I/V(PuRqP3_P8uo src -m comment --comment "DefaultAllow egress isolation for namespace: istio-system" -j RETURN
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-:YM7fvxm}ye(g{h:b%}3*AI?T src -m comment --comment "DefaultAllow egress isolation for namespace: guideandgo" -j WEAVE-NPC-EGRESS-ACCEPT
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-:YM7fvxm}ye(g{h:b%}3*AI?T src -m comment --comment "DefaultAllow egress isolation for namespace: guideandgo" -j RETURN
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-s_+ChJId4Uy_$}G;WdH|~TK)I src -m comment --comment "DefaultAllow egress isolation for namespace: default" -j WEAVE-NPC-EGRESS-ACCEPT
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-s_+ChJId4Uy_$}G;WdH|~TK)I src -m comment --comment "DefaultAllow egress isolation for namespace: default" -j RETURN
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-41s)5vQ^o/xWGz6a20N:~?#|E src -m comment --comment "DefaultAllow egress isolation for namespace: kube-public" -j WEAVE-NPC-EGRESS-ACCEPT
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-41s)5vQ^o/xWGz6a20N:~?#|E src -m comment --comment "DefaultAllow egress isolation for namespace: kube-public" -j RETURN
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-E1ney4o[ojNrLk.6rOHi;7MPE src -m comment --comment "DefaultAllow egress isolation for namespace: kube-system" -j WEAVE-NPC-EGRESS-ACCEPT
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-E1ney4o[ojNrLk.6rOHi;7MPE src -m comment --comment "DefaultAllow egress isolation for namespace: kube-system" -j RETURN
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-*x?c/WfpEZ[]Pso]2H_2^|csS src -m comment --comment "DefaultAllow egress isolation for namespace: docker-registry" -j WEAVE-NPC-EGRESS-ACCEPT
-A WEAVE-NPC-EGRESS-DEFAULT -m set --match-set weave-*x?c/WfpEZ[]Pso]2H_2^|csS src -m comment --comment "DefaultAllow egress isolation for namespace: docker-registry" -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -s aaa.aaa.aaa.aaa/32 -j ACCEPT
-A ufw-user-input -s aaa.aaa.aaa.aa0/32 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 10250 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 30000:32767 -j ACCEPT
-A ufw-user-input -j DROP
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Mon Sep 24 15:36:43 2018
@bboreham
Contributor

because they want to use ipv6

What made you think that?

@danielgelling
Author

@bboreham Look at the logs coming from the weave pods, where xx:xx:xx:xx:xx:xx is the ipv6 address of node1:

INFO: 2018/09/23 12:52:15.911730 ->[xx.xx.xx.xx:6783|xx:xx:xx:xx:xx:xx(node1)]: connection shutting down due to error: no working forwarders to xx:xx:xx:xx:xx:xx(node1)

@bboreham
Contributor

That looks more like a Weave Net "Peer Name", which is an opaque internal identifier.
https://www.weave.works/docs/net/latest/operational-guide/concepts/#peer

The log indicates you are getting TCP traffic but not UDP traffic. I can't think of anything that would cause that after 1-2 days and then revert on a restart.

@danielgelling
Author

danielgelling commented Sep 24, 2018

These logs don't appear when the weave pods are running normally.

When I run ifconfig on a node, the Weave interface shows the Peer name as its ipv6 address.

@danielgelling
Author

Today it happened again. I forgot to mention, when I try to access the K8s dashboard (using kubectl proxy) it gives me this error:

Error: 'dial tcp 10.44.0.1:8443: connect: no route to host'
Trying to reach: 'https://10.44.0.1:8443/'

However after a restart of all weave pods everything seems normal again.

@bboreham
Contributor

These logs don't appear when the weave pods are running normally.

Yes, it won't work if it can't get UDP packets across. That is the thing we need to diagnose.

When I run ifconfig on a node, the Weave interface shows the Peer name as its ipv6 address.

I suspect you are looking at the MAC address, which is set to the peer name.

@bboreham bboreham changed the title Weave tries to connect using ipv6 which it is unable to do. Weave unable to establish connection Sep 25, 2018
@bboreham
Contributor

I've renamed this because ipv6 is the second-oldest request (#19) for a feature in Weave Net: there is no code to handle ipv6 and your logs don't show an ipv6 problem.

@danielgelling
Author

danielgelling commented Oct 2, 2018

I've found what caused the "no route to host" errors. I configured the firewall on the nodes/master to only allow the ports listed in the Kubernetes docs, which only specify opening up TCP ports and no UDP. Opening up all connections for the same ports for incoming connections to/from the nodes and master fixed the issue.

However I still find it weird that the cluster was able to function normally for a limited amount of time...

@bboreham
Contributor

bboreham commented Oct 2, 2018

Thanks for the update @danielgelling.

Sadly that docs page is only covering ports used by Kubernetes' internal features. It does note "The pod network plugin you use (see below) may also require certain ports to be open", and we publish https://www.weave.works/docs/net/latest/faq/#ports. If you can say how else you searched for that information we can attempt to make it easier to find.

It is mysterious to me how a firewall would be reset by deleting the pods.

@danielgelling
Author

Your comment about the UDP packets set me thinking last week, so I thought about what things could block these packets. Firewall came to mind, because on the setup of the master and the nodes we blocked all incoming traffic except for our office and VPN ip, and the ports mentioned in the K8s docs.
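The firewall diagnosis in the last two comments, as an added example that is neither code from this thread nor from the Weave Net project: a Python check that parses an iptables-save dump like the one posted earlier and reports which Weave peer ports a chain would drop for a peer node. The required ports (TCP 6783, UDP 6783 and UDP 6784) are the ones Weave Net documents at the FAQ link bboreham gave; the sample chains are constructed to mirror the shape of the ufw-user-input chain in the dump, with documentation addresses standing in for the masked ones, and every function name is the example's own.

```python
"""Check an iptables-save dump for the host ports Weave Net peers need.

Added example; not code from this issue thread or from Weave Net. It reads
the rules of one chain (by default ufw's user chain, where the rules in the
dump above ended up) and reports which Weave peer ports would be dropped for
traffic from a given, or an arbitrary, peer node. Only -p, -s (optionally
negated with !), --dport/--dports and -j are interpreted; other matches are
ignored, which makes every rule look at least as broad as it really is.
Falling off the end of the chain counts as "not accepted", which is right
for a chain reached from an INPUT chain whose policy is DROP.
"""
import ipaddress
import shlex

# Weave Net peer traffic: TCP 6783 (control), UDP 6783 and 6784 (data path).
WEAVE_PORTS = [("tcp", 6783), ("udp", 6783), ("udp", 6784)]

# Constructed ruleset mirroring the shape of the ufw-user-input chain in the
# dump: whole-host allows for two admin addresses (documentation IPs stand in
# for the masked ones), TCP kubelet and NodePort ranges, then a final DROP.
SAMPLE_BEFORE = """
-A ufw-user-input -s 203.0.113.10/32 -j ACCEPT
-A ufw-user-input -s 203.0.113.20/32 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 10250 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 30000:32767 -j ACCEPT
-A ufw-user-input -j DROP
"""

# The same chain with the Weave peer ports opened ahead of the DROP (constructed).
SAMPLE_AFTER = """
-A ufw-user-input -s 203.0.113.10/32 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 6783 -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 6783:6784 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 10250 -j ACCEPT
-A ufw-user-input -j DROP
"""


def _port_range(spec):
    """'6783' -> (6783, 6783); '6783:6784' -> (6783, 6784)."""
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi) if hi else int(lo))


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into the fields the check reasons about."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": None, "ports": None, "src": None, "target": None}
    two_arg = {"-A": "chain", "-p": "proto", "-j": "target"}
    negate = False
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "!":  # negation applies to the next option only
            negate = True
            i += 1
            continue
        if t in two_arg:
            rule[two_arg[t]] = toks[i + 1]
            i += 2
        elif t == "-s":
            rule["src"] = (ipaddress.ip_network(toks[i + 1]), negate)
            i += 2
        elif t == "--dport":
            rule["ports"] = [_port_range(toks[i + 1])]
            i += 2
        elif t == "--dports":
            rule["ports"] = [_port_range(p) for p in toks[i + 1].split(",")]
            i += 2
        else:  # -m, module names, comments and other matches are skipped
            i += 1
        negate = False
    return rule


def rule_matches(rule, proto, port, src=None):
    """Does the interpreted match part of the rule hit proto/port from src?"""
    if rule["proto"] is not None and rule["proto"] != proto:
        return False
    if rule["ports"] is not None and not any(lo <= port <= hi for lo, hi in rule["ports"]):
        return False
    if rule["src"] is not None:
        net, negated = rule["src"]
        if src is None:
            # Arbitrary peer: assume it lies outside any explicitly listed source net.
            return negated
        return (ipaddress.ip_address(src) in net) != negated
    return True


def load_chain(dump, chain="ufw-user-input"):
    """Rules of one chain, in order, from iptables-save text."""
    rules = [parse_rule(l) for l in dump.splitlines() if l.strip().startswith("-A ")]
    return [r for r in rules if r["chain"] == chain]


def verdict(rules, proto, port, src=None):
    """First matching terminal target decides; None means the chain fell through."""
    for r in rules:
        if r["target"] in ("ACCEPT", "DROP", "REJECT") and rule_matches(r, proto, port, src):
            return r["target"]
    return None


def blocked_weave_ports(dump, chain="ufw-user-input", src=None):
    """(proto, port) pairs a peer at src (or any peer) cannot reach on this host."""
    rules = load_chain(dump, chain)
    return [(p, n) for p, n in WEAVE_PORTS if verdict(rules, p, n, src) != "ACCEPT"]


if __name__ == "__main__":
    import sys
    # Usage: python check_weave_ports.py <(iptables-save)   (falls back to the sample)
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BEFORE
    for proto, port in blocked_weave_ports(dump):
        print(f"weave peer port {proto}/{port} is not accepted")
```

Run against the dump posted above, the check reports all three Weave peer ports for a peer node that is not one of the two source allow-listed addresses: ufw-user-input accepts TCP 10250 and the TCP NodePort range and then DROPs everything else, and the filter table's INPUT policy is DROP, so there is no later chance for UDP 6783/6784 to be accepted. That is the UDP-only loss bboreham read out of the "no working forwarders" and fastdp heartbeat messages, and the fix is the SAMPLE_AFTER shape: accept TCP 6783 and UDP 6783:6784 from the other nodes ahead of the DROP.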

@brb brb added this to the n/a milestone Oct 8, 2018