When you set up a network listener, using the low-level bind(2) call or any higher-level wrapper, you specify not just the port you're listening on but also the specific IP address. (And this is true inside a container as well, except that the "loopback" interface only reaches the container.) On a Linux host if you run ifconfig you will likely have at least two interfaces, your "real" network connection and a special "loopback" connection that only reaches the host. In this day and age you likely have a wireless Ethernet connection, but you could also have a wired Ethernet connection, or more than one of them, or some kind of other network connection. ![]() ![]() A KUBE-SERVICES -d 10.43.0.Your physical hardware can have more than one network interface. Therefore, you will see: -A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.203.205/32 -p tcp -m comment -comment "kube-system/metrics-server:https cluster IP" -m tcp -dport 443 -j KUBE-MARK-MASQ To see precisely who listens on certain ports, e.g 80 and 443, append one more grep to the command: iptables-save | grep -P "(-to-destination|-.port)" | grep -v "DROP" | grep -P ":\d+|-dport \d+"|grep -P "\b(443|80)\b" You will not see the container names, but you will see their IP addresses, so you will be able to run docker inspect and find mathces. Therefore, you will see that multiple containers handle ports 80 and 443. A KUBE-SERVICES -d 10.43.158.90/32 -p tcp -m comment -comment "ingress-nginx/default-http-backend cluster IP" -m tcp -dport 80 -j KUBE-SVC-JTFAIQOSQRKTQWS3 A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.158.90/32 -p tcp -m comment -comment "ingress-nginx/default-http-backend cluster IP" -m tcp -dport 80 -j KUBE-MARK-MASQ A KUBE-SERVICES -d 10.43.203.205/32 -p tcp -m comment -comment "kube-system/metrics-server:https cluster IP" -m tcp -dport 443 -j KUBE-SVC-Z4ANX4WAEWEBLCTM ![]() A KUBE-SERVICES -d 10.43.0.10/32 -p tcp -m comment -comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp -dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4 A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.10/32 -p tcp -m comment -comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp -dport 53 -j KUBE-MARK-MASQ A KUBE-SERVICES -d 10.43.0.10/32 -p udp -m comment -comment "kube-system/kube-dns:dns cluster IP" -m udp -dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.10/32 -p udp -m comment -comment "kube-system/kube-dns:dns cluster IP" -m udp -dport 53 -j KUBE-MARK-MASQ A KUBE-SERVICES -d 10.43.0.10/32 -p tcp -m comment -comment "kube-system/kube-dns:metrics cluster IP" -m tcp -dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.10/32 -p tcp -m comment -comment "kube-system/kube-dns:metrics cluster IP" -m tcp -dport 9153 -j KUBE-MARK-MASQ A KUBE-SERVICES -d 10.43.0.1/32 -p tcp -m comment -comment "default/kubernetes:https cluster IP" -m tcp -dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y A KUBE-SERVICES ! -s 10.42.0.0/16 -d 10.43.0.1/32 -p tcp -m comment -comment "default/kubernetes:https cluster IP" -m tcp -dport 443 -j KUBE-MARK-MASQ A KUBE-SEP-U5JKF7K4YNNYXQDU -p tcp -m comment -comment "default/kubernetes:https" -m tcp -j DNAT -to-destination 138.201.139.162:6443 A KUBE-SEP-QMNQ4GQ2JI3QXI4N -p udp -m comment -comment "kube-system/kube-dns:dns" -m udp -j DNAT -to-destination 10.42.0.6:53 A KUBE-SEP-PK2JJP3XEEJW3OPW -p tcp -m comment -comment "kube-system/kube-dns:metrics" -m tcp -j DNAT -to-destination 10.42.0.6:9153 ![]() A KUBE-SEP-LJF33VEROEJBDKWI -p tcp -m comment -comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT -to-destination 10.42.1.2:53 A KUBE-SEP-KAJYD2TZYV7IYC6H -p udp -m comment -comment "kube-system/kube-dns:dns" -m udp -j DNAT -to-destination 10.42.1.2:53 A KUBE-SEP-J7ZDRJF2PSY5XJQS -p tcp -m comment -comment "kube-system/metrics-server:https" -m tcp -j DNAT -to-destination 10.42.0.5:4443 A KUBE-SEP-F4W6KYXNUTEPM6IK -p tcp -m comment -comment "kube-system/kube-dns:metrics" -m tcp -j DNAT -to-destination 10.42.1.2:9153 A KUBE-SEP-7KPAUC7DBZEOGEJO -p tcp -m comment -comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT -to-destination 10.42.0.6:53 With the above command, you will see the output like the following: -A KUBE-SEP-2ICPNCS4ZCJFOURG -p tcp -m comment -comment "ingress-nginx/default-http-backend" -m tcp -j DNAT -to-destination 10.42.1.3:8080 Anyway, you will be able to deduce it by the name, using the "comments" section like "ingress-nginx/default-http-backend cluster IP": iptables-save | grep -P "(-to-destination|-.port)" | grep -v "DROP" | grep -P ":\d+|-dport \d+" However, it will not demonstrate to you which container exactly exposed which of the ports. You can use the following command to see Rancher's exposed ports so that it will show you the port number highlighted.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |