# Generated by ip6tables-save v1.8.5 on Tue Nov 18 13:56:14 2025
# raw table: evaluated before connection tracking, so it decides which
# packets conntrack ever sees. Bracketed [packets:bytes] values are counters
# captured at save time, not configuration.
*raw
:PREROUTING ACCEPT [239438:92592562]
:OUTPUT ACCEPT [238624:92547498]
# Every inbound UDP packet arriving on an interface in device group 0x9
# bypasses conntrack (no state entry, so no NAT or connmark for that flow).
# NOTE(review): these packets carry state UNTRACKED, and the filter table's
# INPUT chain accepts UNTRACKED with no port or interface condition. Together
# the two rules amount to "allow all UDP ports from group 0x9". Group
# membership is assigned outside this dump (ip link set dev ... group ...);
# confirm which interfaces are in 0x9 and that everything on them is trusted.
-A PREROUTING -p udp -m devgroup --src-group 0x9 -j CT --notrack
COMMIT
# Completed on Tue Nov 18 13:56:14 2025
# Generated by ip6tables-save v1.8.5 on Tue Nov 18 13:56:14 2025
# nat table: only the kube-proxy scaffolding is present. In this snapshot
# KUBE-NODEPORTS and both canary chains hold no rules, and KUBE-SERVICES holds
# only the nodeport dispatch, so no IPv6 service DNAT is programmed here.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [45:3420]
:OUTPUT ACCEPT [45:3420]
# The *-CANARY chains are created empty by kubelet / kube-proxy so they can
# notice when something else flushes or reloads the ruleset.
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-MARK-MASQ - [0:0]
# Hook the kube-proxy chains into the built-in chains.
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
# Traffic addressed to a local address other than ::1 is handed to
# KUBE-NODEPORTS (empty in this dump, so the jump currently returns at once).
-A KUBE-SERVICES ! -d ::1/128 -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
# SNAT path: leave the chain unless mark bit 0x4000 is set; otherwise flip
# that bit back off (XOR 0x4000 with an empty mask) and masquerade with fully
# randomised source-port selection.
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully
# Sets mark bit 0x4000. The filter table's KUBE-FORWARD chain accepts any
# packet carrying this bit, so the mark is also an authorisation signal.
# No rule in this dump jumps to KUBE-MARK-MASQ.
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
COMMIT
# Completed on Tue Nov 18 13:56:14 2025
# Generated by ip6tables-save v1.8.5 on Tue Nov 18 13:56:14 2025
# mangle table: no rules at all, only built-in chains with ACCEPT policy and
# three empty Kubernetes marker chains. Nothing is marked or modified here.
*mangle
:PREROUTING ACCEPT [239438:92592562]
:INPUT ACCEPT [238494:92537498]
:FORWARD ACCEPT [21766:1249816]
:OUTPUT ACCEPT [238624:92547498]
:POSTROUTING ACCEPT [260390:93797314]
# KUBE-IPTABLES-HINT is created by kubelet so other components can tell which
# iptables backend the node uses; the canary chains detect external flushes.
:KUBE-IPTABLES-HINT - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
COMMIT
# Completed on Tue Nov 18 13:56:14 2025
# Generated by ip6tables-save v1.8.5 on Tue Nov 18 13:56:14 2025
# filter table: host firewall (lower-case chains) interleaved with kube-proxy
# hooks (KUBE-* chains). Rule order is significant throughout.
*filter
# NOTE(review): INPUT's built-in policy is ACCEPT; the default-deny comes only
# from the final deny_limit / DROP rules of the chain. A flush of the chain
# (ip6tables -F leaves policies untouched) would leave INPUT fully open,
# whereas a DROP policy would fail closed.
:INPUT ACCEPT [0:0]
# NOTE(review): FORWARD has no terminal rule, so anything not decided by
# drop_forward or KUBE-FORWARD is accepted by policy. The policy counter
# below is non-zero, i.e. packets were reaching the policy at save time.
:FORWARD ACCEPT [21766:1249816]
:OUTPUT ACCEPT [238624:92547498]
:drop_forward - [0:0]
:accept_mng - [0:0]
:deny - [0:0]
:deny_limit - [0:0]
:external_accept - [0:0]
:mark_accept - [0:0]
# Of the KUBE-* chains below only KUBE-FORWARD contains rules in this dump;
# jumps into the others currently return without a verdict.
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-PROXY-FIREWALL - [0:0]
# ---- INPUT: traffic addressed to this host ----
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes load balancer firewall" -j KUBE-PROXY-FIREWALL
-A INPUT -m comment --comment "kubernetes health check service ports" -j KUBE-NODEPORTS
# Accepts everything conntrack did not track: the UDP that the raw table
# exempts for device group 0x9, and (on Linux) ICMPv6 neighbour-discovery and
# MLD messages, which the kernel classifies as UNTRACKED.
# NOTE(review): no interface, protocol or port condition is attached, so any
# future --notrack rule silently becomes an allow rule here.
-A INPUT -m conntrack --ctstate UNTRACKED -j ACCEPT
# NOTE(review): UDP to any multicast destination is accepted on every
# interface and every port; consider narrowing to the multicast services this
# host actually uses.
-A INPUT -d ff00::/8 -p udp -j ACCEPT
# Follow-up packets of UDP flows whose connmark low byte is 0x10, the value
# written by mark_accept further down.
-A INPUT -p udp -m udp --dport 1024:65535 -m connmark --mark 0x10/0xff -j ACCEPT
-A INPUT -d ff00::/8 -p ipv6-icmp -j ACCEPT
-A INPUT -j KUBE-FIREWALL
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
# Loopback and cluster-internal interfaces are trusted wholesale. The trailing
# "+" is a prefix wildcard, so any interface whose name starts with kub / cni
# inherits this trust.
-A INPUT -i lo -j ACCEPT
-A INPUT -i kub+ -j ACCEPT
-A INPUT -i cni+ -j ACCEPT
# All remaining ICMPv6 is decided inside accept_mng, which always ends in a
# verdict (ACCEPT, or deny_limit), so ICMPv6 never reaches the rules below.
-A INPUT -p ipv6-icmp -j accept_mng
# New, unmarked UDP to a port >= 1024 is accepted when a local socket matches.
# NOTE(review): --nowildcard makes the socket match also count sockets bound
# to the wildcard address, so this appears to expose every local UDP listener
# on a high port on all interfaces, including en+/net+/usb+, before
# external_accept is consulted. Confirm that is intended.
-A INPUT -p udp -m udp --dport 1024:65535 -m conntrack --ctstate NEW -m connmark --mark 0x0 -m socket --nowildcard -j mark_accept
# New connections from external-facing interfaces go through the service
# allow-list. bmc+ is absent here, so new traffic arriving on bmc+ that no
# earlier rule accepted falls through to deny_limit.
-A INPUT -i en+ -m conntrack --ctstate NEW -j external_accept
-A INPUT -i net+ -m conntrack --ctstate NEW -j external_accept
-A INPUT -i usb+ -m conntrack --ctstate NEW -j external_accept
# Default deny. deny_limit always ends in REJECT or DROP, so the trailing DROP
# is only a backstop.
-A INPUT -j deny_limit
-A INPUT -j DROP
# ---- FORWARD: traffic routed through this host ----
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes load balancer firewall" -j KUBE-PROXY-FIREWALL
# Packets entering on an external-facing interface are dropped only when they
# would also leave on one (see drop_forward).
# NOTE(review): a packet entering on en+/net+/usb+/bmc+ and leaving on any
# other interface (for example cni+ or kub+) is not dropped here and, absent a
# KUBE-* verdict, is accepted by the FORWARD policy. Confirm outside hosts are
# meant to be able to route into the pod network; if not, add an explicit
# drop for NEW connections from these interfaces.
-A FORWARD -i en+ -j drop_forward
-A FORWARD -i net+ -j drop_forward
-A FORWARD -i usb+ -j drop_forward
-A FORWARD -i bmc+ -j drop_forward
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
# ---- OUTPUT: locally generated traffic; no host-level egress filtering ----
-A OUTPUT -j KUBE-FIREWALL
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes load balancer firewall" -j KUBE-PROXY-FIREWALL
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
# drop_forward: silently drop transit between external-facing interfaces;
# other egress interfaces return to FORWARD.
-A drop_forward -o en+ -j DROP
-A drop_forward -o net+ -j DROP
-A drop_forward -o usb+ -j DROP
-A drop_forward -o bmc+ -j DROP
# accept_mng: reached only from the INPUT ICMPv6 rule. Allows device group
# 0x8 and net1; everything else is rejected or dropped via deny_limit.
# The cni0 rule cannot match from INPUT because "-i cni+" accepts earlier.
# presumably 0x8 is the management group - membership is set outside this
# dump; verify.
-A accept_mng -m devgroup --src-group 0x8 -j ACCEPT
-A accept_mng -i net1 -j ACCEPT
-A accept_mng -i cni0 -j ACCEPT
-A accept_mng -j deny_limit
# deny: answer with the protocol-appropriate refusal instead of dropping.
-A deny -p tcp -j REJECT --reject-with tcp-reset
-A deny -p udp -j REJECT --reject-with icmp6-port-unreachable
-A deny -j REJECT --reject-with icmp6-adm-prohibited
# deny_limit: send at most 2 rejections per second (burst 10), then drop
# silently. The limit is one shared bucket for the rule, not per source, so a
# single noisy sender can exhaust it and turn refusals for everyone into
# silent drops.
-A deny_limit -m limit --limit 2/sec --limit-burst 10 -j deny
-A deny_limit -j DROP
# external_accept: allow-list for new connections on en+/net+/usb+. Anything
# not matched returns to INPUT and ends in deny_limit.
# TCP 80/443 additionally requires the ingress interface to be in group 0x8.
-A external_accept -p tcp -m devgroup --src-group 0x8 -m multiport --dports 80,443 -j ACCEPT
# NOTE(review): this range carries no device-group or source restriction, so
# it is open on every en+/net+/usb+ interface; confirm what listens on
# 20300-20399 and whether it authenticates its peers.
-A external_accept -p tcp -m multiport --dports 20300:20399 -j ACCEPT
# mark_accept: set the connmark low byte to 0x10 so later packets of the flow
# match the early connmark rule in INPUT, then accept.
-A mark_accept -j CONNMARK --set-xmark 0x10/0xff
-A mark_accept -j ACCEPT
# KUBE-FORWARD: drop INVALID packets, accept packets carrying mark bit 0x4000
# and accept replies / related traffic of existing connections.
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Nov 18 13:56:14 2025
