
I am attempting to direct client traffic to a Kubernetes cluster NodePort listening on 192.168.1.100:30000 (HTTPS port).

Clients need to make a request to 192.168.1.100:8000, so I added the following REDIRECT rules in iptables:

iptables -t nat -I PREROUTING -p tcp --dst 192.168.1.100 --dport 8000 -j REDIRECT --to-port 30000
iptables -t nat -I OUTPUT -d 192.168.1.100 -p tcp --dport 8000 -j REDIRECT --to-port 30000

However, I am getting the following error:

# curl -vk https://192.168.1.100:8000/v1/api
* About to connect() to 192.168.1.100 port 8000 (#0)
*   Trying 192.168.1.100...
* Connected to 192.168.1.100 (192.168.1.100) port 8000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
curl: (35) SSL received a record that exceeded the maximum permissible length.

I also attempted to set up the remotesystem namespace indicated in this answer and make a request to the same endpoint, and got the following error:

# ip netns exec remotesystem curl -vk https://192.168.1.100:8000/v1/api
* About to connect() to 192.168.1.100 port 8000 (#0)
*   Trying 192.168.1.100...
* Connection timed out
* Failed connect to 192.168.1.100:8000; Connection timed out
* Closing connection 0
curl: (7) Failed connect to 192.168.1.100:8000; Connection timed out

I know that the Kubernetes cluster has network policies enforced with Calico CRDs; however, I have added a default allow-all to the network policy and traffic still seems to hang.

I also checked the logs of the ingress controller to see if the request made it there, but did not see any log output when making the request.

The weird thing is that directly curling the NodePort, https://192.168.1.100:30000/v1/api, works and I get a successful response back.

The question is: why does curling https://192.168.1.100:8000/v1/api (with the REDIRECT rule to 30000) cause the request to hang?

tiger_groove
Comment: See also my comment there: https://serverfault.com/questions/1097421/tcpdump-showing-different-redirection-port-after-adding-redirect-rule-in-iptable?noredirect=1#comment1432056_1097435 – A.B Apr 01 '22 at 09:54
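The two failures in the question are different symptoms, and the first one carries information worth decoding. curl's NSS backend reports SSL_ERROR_RX_RECORD_TOO_LONG when it reads the first 5 bytes of the server's reply as a TLS record header and the 2-byte length field (bytes 4 and 5) exceeds the RFC 5246 ceiling of 2^14 + 2048 bytes; it checks that length before it checks the content type. A plaintext answer such as "HTTP/1.1 400 ..." puts the bytes "P/" (0x502F = 20527) into that field, which is exactly how a TLS client ends up with "record too long" when a redirect delivers its ClientHello to a listener that does not speak TLS. The script below is an added example, not code from the question or from the linked thread. It parses the first bytes of a server reply the way a TLS client does, labels the common non-TLS cases, and includes a small probe that sends a minimal TLS 1.2 ClientHello to a host:port of your choosing and returns whatever comes back (the host, ports and the constructed sample replies are assumptions for illustration; only the offline classification is exercised by the samples).

```python
import os
import socket
import struct

# TLS record header (RFC 5246 s6.2.1): content_type(1) | version(2) | length(2).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
# RFC 5246 s6.2.3: TLSCiphertext.length must not exceed 2^14 + 2048. A client that reads
# a larger value from the header bails out with "record too long" before looking further.
MAX_CIPHERTEXT_LEN = 2 ** 14 + 2048
HTTP_MARKERS = (b"HTTP/", b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")


def parse_record_header(data: bytes) -> dict:
    """Interpret the first 5 bytes of a reply as a TLS record header, whatever they are."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"content_type": content_type, "version": (major, minor), "length": length}


def classify_server_bytes(data: bytes) -> str:
    """Label the first bytes a server sent back after our ClientHello.

    Returns one of: "empty" (nothing arrived / read timed out), "short" (< 5 bytes),
    "record_too_long_http" (plaintext HTTP, the classic SSL_ERROR_RX_RECORD_TOO_LONG),
    "record_too_long" (length field over the limit, not obviously HTTP),
    "not_tls" (length plausible but content type / version are not TLS), or "tls".
    """
    if not data:
        return "empty"
    if len(data) < 5:
        return "short"
    hdr = parse_record_header(data)
    # Mirror the client's order of checks: length first, then content type / version.
    if hdr["length"] > MAX_CIPHERTEXT_LEN:
        if data.startswith(HTTP_MARKERS):
            return "record_too_long_http"
        return "record_too_long"
    if hdr["content_type"] not in TLS_CONTENT_TYPES or hdr["version"] not in TLS_VERSIONS:
        return "not_tls"
    return "tls"


def minimal_client_hello() -> bytes:
    """A bare TLS 1.2 ClientHello (no extensions). Any TLS server answers it with a
    TLS record (ServerHello or a fatal alert); a non-TLS listener answers with junk."""
    body = (
        b"\x03\x03"                      # client_version: TLS 1.2
        + os.urandom(32)                 # random
        + b"\x00"                        # session_id length 0
        + b"\x00\x04" + b"\xc0\x2f" + b"\x00\x2f"  # two cipher suites
        + b"\x01\x00"                    # compression: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def probe_first_bytes(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Send the ClientHello to host:port and return the first bytes of the reply.
    b"" means the TCP connection opened but nothing came back before the timeout,
    which is the "hang" case rather than the "record too long" case."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(minimal_client_hello())
        try:
            return sock.recv(64)
        except socket.timeout:
            return b""


# Constructed sample replies (not captured from the question's systems).
SAMPLE_HTTP_400 = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_8.4\r\n"
SAMPLE_TLS_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])  # fatal handshake_failure


if __name__ == "__main__":
    for name, reply in [("http", SAMPLE_HTTP_400), ("ssh", SAMPLE_SSH_BANNER),
                        ("tls-alert", SAMPLE_TLS_ALERT), ("nothing", b"")]:
        print(f"{name:10s} -> {classify_server_bytes(reply)}")
    # Live use against the ports in the question (assumed reachable from here):
    #   classify_server_bytes(probe_first_bytes("192.168.1.100", 30000))  # expect "tls"
    #   classify_server_bytes(probe_first_bytes("192.168.1.100", 8000))   # what did REDIRECT hit?
```

Run the two live probes side by side: a "tls" label on 30000 and "record_too_long_http" on 8000 means the redirected connection is being answered by a plaintext listener rather than the NodePort, while "empty" on 8000 matches the timeout seen from the remotesystem namespace and points at the return path (or at which nat chain matched first) instead of at TLS. Printing the raw bytes from the 8000 probe, alongside `iptables -t nat -L PREROUTING -n -v --line-numbers` to see which rule's counters increment, narrows it down further.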

0 Answers