
GKE Cluster: Get into a pod (kubectl exec -ti ha-77lgb bash).

root@gke-ha-pool-1-10438716-b5wj:/home# iptables-save > /tmp/iptables-save.txt
root@gke-ha-pool-1-10438716-b5wj:/home# iptables-restore < /tmp/iptables-save.txt
iptables-restore v1.6.0: Bad IP address ""

Error occurred at line: 49
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Why is the above error occurring? I am not doing anything on my end, just saving and restoring it back.

Please see line number 49 below:

 47 -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
 48 -A KUBE-SEP-3XFQPLLWSOLEEI2B -s 172.30.192.5/32 -m comment --comment "default/my-nginx2" -j KUBE-MARK-MASQ
 49 -A KUBE-SEP-3XFQPLLWSOLEEI2B -p tcp -m comment --comment "default/my-nginx2" -m tcp -j DNAT --to-destination  --random     --persistent --to-destination  --random --persistent --to-destination
 50 -A KUBE-SEP-42YCR4PCVHTERQ6H -s 172.30.192.2/32 -m comment --comment "default/my-nginx2" -j KUBE-MARK-MASQ
 51 -A KUBE-SEP-42YCR4PCVHTERQ6H -p tcp -j DNAT --to-destination 172.30.0.16:80

Other information below:

  • Installed the iptables in the pod using:

    RUN apt install -y iptables
    
  • Included the following in the docker file:

    FROM ubuntu:16.04
    
  • Build docker image on host machine (Ubuntu 16.04) and pushed the image to GKE cluster.

    Host Machine details:

    cat  /etc/issue
    Ubuntu 16.04.6 LTS \n \l
    
    root@gke-ha-pool-1-10438716-b5wj:/home# iptables --version
    iptables v1.6.0
    root@gke-ha-pool-1-10438716-b5wj:/home# cat /etc/issue
    Ubuntu 16.04.7 LTS \n \l
    
    root@gke-ha-pool-1-10438716-b5wj:/home# uname -a
    Linux gke-ha-pool-1-10438716-b5wj 5.4.89+ #1 SMP Sat Feb 13 19:45:14 PST 2021 x86_64 x86_64 x86_64 GNU/Linux
    

Sometimes we also get the following error:

iptables-restore v1.6.0: Port `0' not valid
Error occurred at line: 106

Any help would be deeply appreciated.

Thanks -Nagendra
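As an added example (not part of the question above and not iptables project code), the following POSIX shell/awk linter scans a saved dump for DNAT rules whose --to-destination argument is missing or is itself another option, and reports the dump line number so it can be compared with the "Error occurred at line: N" that iptables-restore prints. The function names (lint_dnat_targets, write_sample_dump, write_clean_dump) and both sample dumps are constructed for this example; the faulty rule in the sample only mimics the shape of the question's line 49.

```shell
#!/bin/sh
# Added example: lint an iptables-save dump for broken DNAT targets before
# handing it to iptables-restore. Not taken from the question or from iptables.

# lint_dnat_targets FILE
# Prints one "line N: ..." message per faulty DNAT rule found in FILE.
# Returns 0 when no faulty rule was found, 1 otherwise.
lint_dnat_targets() {
    awk '
        /^-A / && / -j DNAT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--to-destination") {
                    # the argument is the next field; it must exist and must
                    # not be another option (a real target looks like IP[:port])
                    nxt = (i < NF) ? $(i + 1) : ""
                    if (nxt == "" || substr(nxt, 1, 1) == "-") {
                        print "line " NR ": DNAT rule with empty --to-destination: " $0
                        found = 1
                        break
                    }
                }
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# write_sample_dump FILE
# Constructed dump (hypothetical chain and addresses) whose 5th line has the
# same shape as the faulty line in the question: the target is missing and
# --random/--persistent/--to-destination are repeated.
write_sample_dump() {
    cat > "$1" <<'EOF'
*nat
:KUBE-SEP-TEST - [0:0]
-A KUBE-SEP-TEST -s 10.0.0.5/32 -m comment --comment "sample/svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-TEST -p tcp -m tcp -j DNAT --to-destination 10.0.0.5:80
-A KUBE-SEP-TEST -p tcp -m comment --comment "sample/svc" -m tcp -j DNAT --to-destination  --random --persistent --to-destination
COMMIT
EOF
}

# write_clean_dump FILE
# Constructed dump with a well-formed DNAT rule, used as the negative case.
write_clean_dump() {
    cat > "$1" <<'EOF'
*nat
:KUBE-SEP-TEST - [0:0]
-A KUBE-SEP-TEST -p tcp -m tcp -j DNAT --to-destination 10.0.0.5:80
COMMIT
EOF
}

# Stand-alone run: lint the constructed faulty dump and report the verdict.
demo_dump=$(mktemp)
write_sample_dump "$demo_dump"
if lint_dnat_targets "$demo_dump"; then
    echo "dump is clean; safe to pass to iptables-restore"
else
    echo "dump has faulty DNAT rules; fix them before running iptables-restore"
fi
rm -f "$demo_dump"
```

Run it against a real dump with `lint_dnat_targets /tmp/iptables-save.txt` after sourcing the file. It only catches the empty-target class of error from the question; for a full syntax check without touching the live ruleset, `iptables-restore --test < /tmp/iptables-save.txt` parses the whole dump and reports the same "Error occurred at line" without committing anything.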

  • Indeed, line 49's DNAT rule is missing an IP address, as the error tells. That's of course not expected from an `iptables-save` dump, nor is the repetition of options: `--to-destination --random --persistent --to-destination --random --persistent --to-destination`. It looks to me like there's a bug somewhere. – A.B May 28 '21 at 11:04
  • As this might also involve the host's kernel, what version is it? Maybe you might try and see if the problem persists or not with a newer kernel on the host and a newer iptables command on the container? – A.B May 28 '21 at 11:15
  • After `--to-destination` you have to specify the destination IP address, which was missing in your line no. 49, and I also think you used the same options 2 times: `--to-destination --random --persistent --to-destination --random --persistent --to-destination` – asmath May 28 '21 at 15:26
  • @asmath the line is a dump from iptables-save, which shouldn't output a faulty line in the first place; that's why it's weird. – A.B May 28 '21 at 15:34
