$ iptables -t nat -L -n
Chain KUBE-PORTALS-CONTAINER (1 references)
target     prot opt source               destination         
…
REDIRECT   tcp  --  0.0.0.0/0    11.1.1.88      /* service-nginx */ tcp dpt:8001 redir ports 43318
Chain KUBE-PORTALS-HOST (1 references)
target     prot opt source               destination         
…
DNAT   tcp  --  0.0.0.0/0    11.1.1.88    /* service-nginx */ tcp dpt:8001 to:10.10.103.58:43318

[update] BTW, 10.10.103.58 is just the IP of eth0 of the local machine.

I saw the answer in Difference beetween DNAT and REDIRECT in IPTABLES, so I know that REDIRECT only works for local redirection.

[update] But my question is: in this case, Kubernetes sets both DNAT and REDIRECT on the same machine. Why?

[update] My guess from the chains' names is that DNAT will forward any request sent from the host to 11.1.1.88 on to 10.10.103.58:43318, but for requests sent from a container running on this host the REDIRECT chain will apply instead.

Am I right?

  • Could you edit into your question portions of the output of `iptables -L -n -v -t nat` instead (note additional `-v`)? The packet counts on those rules would be interesting to see. – MadHatter Aug 05 '15 at 08:26

1 Answer


There is no need to set up both rules. One of them will be enough for the same type of traffic.

  1. If you want to redirect traffic to the local machine (firewall), you can use either one. Using DNAT may be useful if you want to specify a different IP address on the local machine than the one picked by REDIRECT, in case your machine has multiple IP addresses.
  2. If you want to redirect traffic to some other machine, you need to use DNAT to specify the new destination.

In short, DNAT is more general and can be used in all cases.

  • And yes, this machine has two IP addresses (eth0 and eth1, see the update), so which one will take effect? – harryz Aug 05 '15 at 14:37
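To act on MadHatter's suggestion, here is an added helper (not from the question or the answer) that reads the verbose listing from `iptables -t nat -L -n -v` and reports the packet counter of the REDIRECT and DNAT rules for one service comment, so you can see which of the two rules is actually matching traffic. The listing embedded below is constructed from the rules shown in the question; the counter values are made up.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -L -n -v` output, mirroring the two
# rules in the question. Packet and byte counts are invented for the example.
SAMPLE_NAT_LISTING='Chain KUBE-PORTALS-CONTAINER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 REDIRECT   tcp  --  *      *       0.0.0.0/0            11.1.1.88            /* service-nginx */ tcp dpt:8001 redir ports 43318
Chain KUBE-PORTALS-HOST (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   420 DNAT       tcp  --  *      *       0.0.0.0/0            11.1.1.88            /* service-nginx */ tcp dpt:8001 to:10.10.103.58:43318'

# rule_hits "<listing>" "<service comment>"
# Prints one line per REDIRECT/DNAT rule carrying that comment:
#   <chain> <target> <pkts> <redirect-port or DNAT-destination>
# A zero count on one rule and a non-zero count on the other tells you which
# path (container-originated vs host-originated traffic) the packets took.
rule_hits() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        /^Chain / { chain = $2; next }           # remember the current chain
        $3 == "REDIRECT" || $3 == "DNAT" {
            # only rules tagged with the requested /* comment */
            if (index($0, "/* " svc " */") == 0) next
            dest = $NF                          # "43318" or "to:IP:PORT"
            sub(/^to:/, "", dest)
            print chain, $3, $1, dest
        }'
}

# Example run against the constructed listing; replace with live output via:
#   rule_hits "$(iptables -t nat -L -n -v)" service-nginx
rule_hits "$SAMPLE_NAT_LISTING" service-nginx
```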