Wednesday, November 16, 2022

Istio ambient mesh ztunnel implementations


# The results come from ztunnel pod
# iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -j LOG --log-prefix "nat pre [ztunnel-ntkqj] "
-A INPUT -j LOG --log-prefix "nat inp [ztunnel-ntkqj] "
-A OUTPUT -j LOG --log-prefix "nat out [ztunnel-ntkqj] "
-A OUTPUT -p tcp -m tcp --dport 15088 -j REDIRECT --to-ports 15008
-A POSTROUTING -j LOG --log-prefix "nat post [ztunnel-ntkqj] "
# iptables -S -t mangle
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -j LOG --log-prefix "mangle pre [ztunnel-ntkqj] "
-A PREROUTING -i pistioin -p tcp -m tcp --dport 15008 -j TPROXY --on-port 15008 --on-ip 127.0.0.1 --tproxy-mark 0x400/0xfff
-A PREROUTING -i pistioout -p tcp -j TPROXY --on-port 15001 --on-ip 127.0.0.1 --tproxy-mark 0x400/0xfff
-A PREROUTING -i pistioin -p tcp -j TPROXY --on-port 15006 --on-ip 127.0.0.1 --tproxy-mark 0x400/0xfff
-A PREROUTING ! -d 10.30.0.5/32 -i eth0 -p tcp -j MARK --set-xmark 0x4d3/0xfff
-A INPUT -j LOG --log-prefix "mangle inp [ztunnel-ntkqj] "
-A FORWARD -j LOG --log-prefix "mangle fw [ztunnel-ntkqj] "
-A OUTPUT -j LOG --log-prefix "mangle out [ztunnel-ntkqj] "
-A POSTROUTING -j LOG --log-prefix "mangle post [ztunnel-ntkqj] "



===
-A PREROUTING -i pistioin -p tcp -m tcp --dport 15008 -j TPROXY --on-port 15008 --on-ip 127.0.0.1 --tproxy-mark 0x400/0xfff
Note: take every TCP packet arriving on pistioin with destination port 15008, hand it to the socket listening on 127.0.0.1:15008 without rewriting the packet's addresses, and set the low 12 bits of its fwmark to 0x400 (mask 0xfff; bits outside the mask are left as they were).
Port 15008 is the Istio HBONE port: inbound mTLS tunnels from other ztunnels terminate here.

-A PREROUTING -i pistioout -p tcp -j TPROXY --on-port 15001 --on-ip 127.0.0.1 --tproxy-mark 0x400/0xfff
Note: take every TCP packet arriving on pistioout (no port match at all), hand it to 127.0.0.1:15001 and mark it 0x400/0xfff in the same way.
Port 15001 is the Envoy outbound listener: traffic leaving the workloads on this node is captured here.

-A PREROUTING -i pistioin -p tcp -j TPROXY --on-port 15006 --on-ip 127.0.0.1 --tproxy-mark 0x400/0xfff
Note: every remaining TCP packet on pistioin, i.e. anything that did not already match the port 15008 rule above (rules are evaluated in order), goes to 127.0.0.1:15006 with the same mark.
Port 15006 is the Envoy inbound listener for plaintext traffic to workloads on this node.

Two things this output does not show, but that these rules depend on: TPROXY only delivers to a socket bound with IP_TRANSPARENT, and the packets it marks need a policy route (an ip rule matching fwmark 0x400/0xfff plus a local route in that table) so the kernel accepts them although their destination address is not the ztunnel's own. The last mangle rule, MARK --set-xmark 0x4d3/0xfff for eth0 traffic not addressed to 10.30.0.5 (presumably the ztunnel pod's own IP), writes a different value into the same 12-bit field, so those packets would not match a fwmark 0x400/0xfff rule; the rule set itself does not show what that mark is consumed by.
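To make the matching order and the mark arithmetic concrete, here is an added example (not code from the original post or from Istio) that parses the mangle PREROUTING rules quoted above, traces which TPROXY or MARK rule a TCP packet hits depending on its ingress interface, destination and port, and shows what fwmark it ends up with. It assumes the policy route that completes TPROXY is keyed on fwmark 0x400/0xfff (that ip rule is not in the post's output), and the sample packets and initial mark values are constructed for illustration.

```python
"""Decode the ztunnel pod's mangle PREROUTING rules and trace which
TPROXY/MARK rule a TCP packet hits and what fwmark it ends up with.

Added example, not code from the original post or from Istio.  The rule
text is copied from the post's `iptables -S -t mangle` output; the packets
and initial fwmark values below are constructed for illustration.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copied from the post: the PREROUTING part of `iptables -S -t mangle`.
MANGLE_PREROUTING = """\
-A PREROUTING -j LOG --log-prefix "mangle pre [ztunnel-ntkqj] "
-A PREROUTING -i pistioin -p tcp -m tcp --dport 15008 -j TPROXY --on-port 15008 --on-ip 127.0.0.1 --tproxy-mark 0x400/0xfff
-A PREROUTING -i pistioout -p tcp -j TPROXY --on-port 15001 --on-ip 127.0.0.1 --tproxy-mark 0x400/0xfff
-A PREROUTING -i pistioin -p tcp -j TPROXY --on-port 15006 --on-ip 127.0.0.1 --tproxy-mark 0x400/0xfff
-A PREROUTING ! -d 10.30.0.5/32 -i eth0 -p tcp -j MARK --set-xmark 0x4d3/0xfff
"""

# Assumption: the policy route that completes TPROXY (not shown in the post)
# is keyed on the mark these rules set, i.e. `ip rule ... fwmark 0x400/0xfff`.
TPROXY_FWMARK = (0x400, 0xFFF)


@dataclass
class Rule:
    in_iface: Optional[str] = None   # -i
    dport: Optional[int] = None      # --dport
    not_dst: Optional[str] = None    # ! -d (only /32 handled here)
    target: str = ""                 # -j
    on_port: Optional[int] = None    # TPROXY --on-port
    value: int = 0                   # mark value (TPROXY or MARK)
    mask: int = 0                    # mark mask


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one `iptables -S` line; returns None for non-append lines."""
    toks = shlex.split(line)         # shlex keeps the quoted LOG prefix whole
    if len(toks) < 2 or toks[0] != "-A":
        return None
    r, i, negate = Rule(), 2, False
    while i < len(toks):
        t = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if t == "!":                 # negation applies to the next match only
            negate, i = True, i + 1
            continue
        if t == "-i":
            r.in_iface = arg
        elif t == "--dport":
            r.dport = int(arg)
        elif t == "-d" and negate:
            r.not_dst = arg.split("/")[0]
        elif t == "-j":
            r.target = arg
        elif t == "--on-port":
            r.on_port = int(arg)
        elif t in ("--tproxy-mark", "--set-xmark"):
            v, m = arg.split("/")
            r.value, r.mask = int(v, 16), int(m, 16)
        negate = False
        i += 2                       # every remaining option here takes one argument
    return r


def apply_mark(mark: int, value: int, mask: int) -> int:
    """Kernel semantics shared by TPROXY --tproxy-mark and MARK --set-xmark:
    clear the bits in mask, then XOR value in.  Bits outside mask survive."""
    return ((mark & ~mask) ^ value) & 0xFFFFFFFF


def fwmark_matches(mark: int, value: int, mask: int) -> bool:
    """`ip rule ... fwmark value/mask` compares only the masked bits."""
    return (mark & mask) == (value & mask)


def trace(rules: List[Rule], in_iface: str, dst: str, dport: int,
          mark: int = 0) -> Tuple[Optional[str], Optional[int], int]:
    """First TPROXY/MARK rule a TCP packet hits in PREROUTING (LOG does not
    terminate), the local port it is delivered to (None for MARK) and the
    resulting fwmark; (None, None, mark) if no rule matches."""
    for r in rules:
        if r.target not in ("TPROXY", "MARK"):
            continue
        if r.in_iface and r.in_iface != in_iface:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.not_dst is not None and r.not_dst == dst:
            continue
        return r.target, r.on_port, apply_mark(mark, r.value, r.mask)
    return None, None, mark


RULES = [r for r in map(parse_rule, MANGLE_PREROUTING.splitlines()) if r]

if __name__ == "__main__":
    # Constructed packets: (ingress interface, destination IP, destination port).
    for pkt in [("pistioin", "10.30.0.5", 15008), ("pistioin", "10.30.0.9", 8080),
                ("pistioout", "10.30.1.4", 80), ("eth0", "10.30.0.5", 15008),
                ("eth0", "10.30.0.9", 80)]:
        target, port, mark = trace(RULES, *pkt)
        print(f"{pkt}: {target} -> 127.0.0.1:{port}, mark=0x{mark:x}, "
              f"matches fwmark 0x400/0xfff: {fwmark_matches(mark, *TPROXY_FWMARK)}")
```

Running it shows the ordering point from the notes (a pistioin packet to port 15008 lands on 15008, any other pistioin port on 15006) and the mark point: a packet hitting the eth0 MARK rule carries 0x4d3, which does not satisfy a fwmark 0x400/0xfff test, while a packet that already had bits set above the mask (say 0x1000) keeps them and becomes 0x1400 after TPROXY.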
