VxLAN 实验 -- 不同网段的网络通信
# Generated by iptables-save v1.4.21 on Thu Jul 26 07:32:12 2018
*filter
# These rules accept forwarded traffic whenever its source or destination is in the flannel network range; they apply no further filtering to that traffic.
-A FORWARD -s 10.244.0.0/16 -j ACCEPT
-A FORWARD -d 10.244.0.0/16 -j ACCEPT
COMMIT
# Completed on Thu Jul 26 07:32:12 2018
# Generated by iptables-save v1.4.21 on Thu Jul 26 07:32:12 2018
*raw
:PREROUTING ACCEPT [60131:65785774]
:OUTPUT ACCEPT [39490:4150752]
COMMIT
# Completed on Thu Jul 26 07:32:12 2018
# Generated by iptables-save v1.4.21 on Thu Jul 26 07:32:12 2018
*nat
# This rule makes sure we don't NAT traffic that stays within the overlay network (i.e. traffic coming out of docker0 bound for another overlay address)
-A POSTROUTING -s 10.244.0.0/16 -d 10.244.0.0/16 -j RETURN
# Masquerade overlay traffic leaving the range, unless it is multicast traffic
-A POSTROUTING -s 10.244.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE
# Do not masquerade external traffic arriving at the node that owns the destination container/pod IP address
-A POSTROUTING ! -s 10.244.0.0/16 -d 10.244.0.0/24 -j RETURN
# Masquerade anything headed towards flannel from the host
-A POSTROUTING ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE
COMMIT
# Completed on Thu Jul 26 07:32:12 2018