NMAP
> nmap -p <start_port>-<endport> <ip>
Example:
> nmap -p 30000-32000 127.0.0.1

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-23 21:10 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00017s latency).
Not shown: 2000 closed ports
PORT      STATE    SERVICE
30500/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds

> nmap -p 30000-32000 10.250.220.238

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-23 21:11 UTC
Nmap scan report for kubernetes-devtest-worker1 (10.250.220.238)
Host is up (0.00017s latency).
Not shown: 2000 closed ports
PORT      STATE SERVICE
30500/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
IPTables
iptables -[LS] [chain [rulenum]] [options]
Options:
  -4              ipv4
  -6              ipv6
  -j target       target for rule (may load target extension)
  -g chain        jump to chain with no return
  -m match        extended match (may load extension)
  -n              numeric output of addresses and ports
  -t table        table to manipulate (default: `filter')
  -v              verbose mode
  --line-numbers  print line numbers when listing
  -x              expand numbers (display exact values)
iptables -[LS] [chain [rulenum]] [options]
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w [seconds] wait for the xtables lock
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
> sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
cali-INPUT  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:Cz_u1IQiXIMmKD4c */
KUBE-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
cali-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:wUHhoiAYhphO9Mso */
KUBE-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding rules */
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
cali-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:tVnHkvAo15HuiPy0 */
KUBE-FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain KUBE-FIREWALL (2 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000

Chain KUBE-FORWARD (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding rules */ mark match 0x4000/0x4000
ACCEPT     all  --  10.233.64.0/18       0.0.0.0/0            /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            10.233.64.0/18       /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED

Chain cali-FORWARD (1 references)
target     prot opt source               destination
MARK       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:vjrMJCRpqwy5oRoX */ MARK and 0xfff1ffff
cali-from-hep-forward  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:A_sPAO0mcxbT9mOV */ mark match 0x0/0x10000
cali-from-wl-dispatch  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:8ZoYfO5HKXWbB3pk */
cali-to-wl-dispatch  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:jdEuaPBe14V2hutn */
cali-to-hep-forward  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:12bc6HljsMKsmfr- */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:MH9kMp5aNICL-Olv */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000

Chain cali-INPUT (1 references)
target     prot opt source               destination
ACCEPT     4    --  0.0.0.0/0            0.0.0.0/0            /* cali:PajejrV4aFdkZojI */ /* Allow IPIP packets from Calico hosts */ match-set cali40all-hosts-net src ADDRTYPE match dst-type LOCAL
DROP       4    --  0.0.0.0/0            0.0.0.0/0            /* cali:_wjq-Yrma8Ly1Svo */ /* Drop IPIP packets from non-Calico hosts */
MARK       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:ss8lEMQsXi-s6qYT */ MARK and 0xfffff
cali-forward-check  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:PgIW-V0nEjwPhF_8 */
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:QMJlDwlS0OjHyfMN */ mark match ! 0x0/0xfff00000
cali-wl-to-host  all  --  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:nDRe73txrna-aZjG */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:iX2AYvqGXaVqwkro */ mark match 0x10000/0x10000
MARK       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:bhpnxD5IRtBP8KW0 */ MARK and 0xfff0ffff
cali-from-host-endpoint  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:H5_bccAbHV0sooVy */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:inBL01YlfurT0dbI */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000

Chain cali-OUTPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:Mq1_rAdXXH3YkrzW */ mark match 0x10000/0x10000
cali-forward-endpoint-mark  all  --  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:5Z67OUUpTOM7Xa1a */ mark match ! 0x0/0xfff00000
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:M2Wf0OehNdig8MHR */
ACCEPT     4    --  0.0.0.0/0            0.0.0.0/0            /* cali:AJBkLho_0Qd8LNr3 */ /* Allow IPIP packets to other Calico hosts */ match-set cali40all-hosts-net dst ADDRTYPE match src-type LOCAL
MARK       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:iz2RWXlXJDUfsLpe */ MARK and 0xfff0ffff
cali-to-host-endpoint  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:hXojbnLundZDgZyw */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:wankpMDC2Cy1KfBv */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000

Chain cali-failsafe-in (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* cali:wWFQM43tJU7wwnFZ */ multiport dports 22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            /* cali:LwNV--R8MjeUYacw */ multiport dports 68
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* cali:QOO5NUOqOSS1_Iw0 */ multiport dports 179
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* cali:cwZWoBSwVeIAZmVN */ multiport dports 2379
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* cali:7FbNXT91kugE_upR */ multiport dports 2380
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* cali:ywE9WYUBEpve70WT */ multiport dports 6666
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* cali:l-WQSVBf_lygPR0J */ multiport dports 6667

Chain cali-failsafe-out (0 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            /* cali:82hjfji-wChFhAqL */ multiport dports 53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            /* cali:TNM3RfEjbNr72hgH */ multiport dports 67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* cali:ycxKitIl4u3dK0HR */ multiport dports 179
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* cali:hxjEWyxdkXXkdvut */ multiport dports 2379
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* cali:cA_GLtruuvG88KiO */ multiport dports 2380
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* cali:Sb1hkLYFMrKS6r01 */ multiport dports 6666
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* cali:UwLSebGONJUG4yG- */ multiport dports 6667

Chain cali-forward-check (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:Pbldlb4FaULvpdD8 */ ctstate RELATED,ESTABLISHED
cali-set-endpoint-mark  tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:ZD-6UxuUtGW-xtzg */ /* To kubernetes NodePort service */ multiport dports 30000:32767 match-set cali40this-host dst
cali-set-endpoint-mark  udp  --  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:CbPfUajQ2bFVnDq4 */ /* To kubernetes NodePort service */ multiport dports 30000:32767 match-set cali40this-host dst
cali-set-endpoint-mark  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:jmhU0ODogX-Zfe5g */ /* To kubernetes service */ ! match-set cali40this-host dst

Chain cali-forward-endpoint-mark (1 references)
target     prot opt source               destination
cali-from-endpoint-mark  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:O0SmFDrnm7KggWqW */ mark match ! 0x100000/0xfff00000
cali-to-wl-dispatch  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:aFl0WFKRxDqj8oA6 */
cali-to-hep-forward  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:AZKVrO3i_8cLai5f */
MARK       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:96HaP1sFtb-NYoYA */ MARK and 0xfffff
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:VxO6hyNWz62YEtul */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000

Chain cali-from-endpoint-mark (1 references)
target     prot opt source               destination
cali-fw-cali9cc79d59e5d  all  --  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:Gm1ikEnMBr6hRwJz */ mark match 0xacb00000/0xfff00000
DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:3t4xbsdTFdFxXxvW */ /* Unknown interface */

Chain cali-from-hep-forward (1 references)
target     prot opt source               destination

Chain cali-from-host-endpoint (1 references)
target     prot opt source               destination

Chain cali-from-wl-dispatch (2 references)
target     prot opt source               destination
cali-fw-cali9cc79d59e5d  all  --  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:he0BKY807zxtVTUp */
DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:iG7FfbrpA1Bpm0KH */ /* Unknown interface */

Chain cali-fw-cali9cc79d59e5d (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:l7eqFyRRQEAHlpp2 */ ctstate RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:fcLc8CNsT9x6yJTx */ ctstate INVALID
MARK       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:ZN_BlmBY8nZGwgt2 */ MARK and 0xfffeffff
cali-pro-kns.kube-system  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:qTVlLi-i7pEquM2Z */
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:JZAHx5JK39Ms4hhp */ /* Return if profile accepted */ mark match 0x10000/0x10000
cali-pro-_u2Tn2rSoAPffvE7JO6  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:GSq-8LxHf-4soOIG */
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:_FkI68Hr2i1WjBYk */ /* Return if profile accepted */ mark match 0x10000/0x10000
DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:Mz9dGcQJ6eLA6tPG */ /* Drop if no profiles matched */

Chain cali-pri-_u2Tn2rSoAPffvE7JO6 (1 references)
target     prot opt source               destination

Chain cali-pri-kns.kube-system (1 references)
target     prot opt source               destination
MARK       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:zoH5gU6U55FKZxEo */ MARK or 0x10000
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:bcGRIJcyOS9dgBiB */ mark match 0x10000/0x10000

Chain cali-pro-_u2Tn2rSoAPffvE7JO6 (1 references)
target     prot opt source               destination

Chain cali-pro-kns.kube-system (1 references)
target     prot opt source               destination
MARK       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:-50oJuMfLVO3LkBk */ MARK or 0x10000
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:ztVPKv1UYejNzm1g */ mark match 0x10000/0x10000

Chain cali-set-endpoint-mark (3 references)
target     prot opt source               destination
cali-sm-cali9cc79d59e5d  all  --  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:JZ3mkAU0yAf22BQY */
DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:igvFJFJCAv6nZ5ZP */ /* Unknown endpoint */
MARK       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:MEjrdt5JdlL79y7w */ /* Non-Cali endpoint mark */ MARK xset 0x100000/0xfff00000

Chain cali-sm-cali9cc79d59e5d (1 references)
target     prot opt source               destination
MARK       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:fwDVWmQI4iGv6UiA */ MARK xset 0xacb00000/0xfff00000

Chain cali-to-hep-forward (2 references)
target     prot opt source               destination

Chain cali-to-host-endpoint (1 references)
target     prot opt source               destination

Chain cali-to-wl-dispatch (2 references)
target     prot opt source               destination
cali-tw-cali9cc79d59e5d  all  --  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:Y_gfJ3fP8-aP6fI4 */
DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:_jShSKZp1wsT0LDF */ /* Unknown interface */

Chain cali-tw-cali9cc79d59e5d (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:jBjfd9DBvVFgSf6K */ ctstate RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:O6ssWUf2ORg6dO__ */ ctstate INVALID
MARK       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:mKKfbY8Hsgs2jTAg */ MARK and 0xfffeffff
cali-pri-kns.kube-system  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:QBdwWq17N4YzI-Rd */
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:RWwYFJm4093K17M1 */ /* Return if profile accepted */ mark match 0x10000/0x10000
cali-pri-_u2Tn2rSoAPffvE7JO6  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:2j1XBAbZbn37uCGj */
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:rquwngzyzZX-VMub */ /* Return if profile accepted */ mark match 0x10000/0x10000
DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* cali:Q1JuCSgQp3FccTuF */ /* Drop if no profiles matched */

Chain cali-wl-to-host (1 references)
target     prot opt source               destination
cali-from-wl-dispatch  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:Ee9Sbo10IpVujdIY */
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:sO1YJiY1b553biDi */ /* Configured DefaultEndpointToHostAction */
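
Added example (not part of the original notes): a POSIX shell/awk filter that reads an `iptables -L -n` listing like the one above and reports which chains hold rules covering a given destination port, such as the 30500/tcp that nmap reported. The function names `rules_for_port` and `sample_listing` are hypothetical; the sample rows are two chains excerpted from the listing on this page.

```shell
#!/bin/sh
# rules_for_port PORT: reads `iptables -L -n` text on stdin and prints
# "chain<TAB>target<TAB>proto" for each rule whose "multiport dports" list
# or "dpt:"/"dpts:" match covers PORT. (Hypothetical helper name.)
rules_for_port() {
  awk -v port="$1" '
    /^Chain /             { chain = $2; next }   # start of a new chain
    /^target / || NF == 0 { next }               # column header or blank line
    {
      hit = 0
      for (i = 1; i <= NF; i++) {
        spec = ""
        if ($i == "dports" && i < NF) spec = $(i + 1)
        else if ($i ~ /^dpts?:/)      { spec = $i; sub(/^dpts?:/, "", spec) }
        if (spec == "") continue
        n = split(spec, parts, ",")              # e.g. 22,179,30000:32767
        for (j = 1; j <= n; j++) {
          m  = split(parts[j], r, ":")           # single port or lo:hi range
          lo = r[1] + 0
          hi = (m > 1 ? r[2] : r[1]) + 0
          if (port + 0 >= lo && port + 0 <= hi) hit = 1
        }
      }
      if (hit) printf "%s\t%s\t%s\n", chain, $1, $2
    }'
}

# Sample input: two chains excerpted (trimmed) from the listing on this page.
sample_listing() {
  cat <<'EOF'
Chain cali-failsafe-in (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* cali:wWFQM43tJU7wwnFZ */ multiport dports 22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* cali:cwZWoBSwVeIAZmVN */ multiport dports 2379

Chain cali-forward-check (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* cali:Pbldlb4FaULvpdD8 */ ctstate RELATED,ESTABLISHED
cali-set-endpoint-mark  tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:ZD-6UxuUtGW-xtzg */ /* To kubernetes NodePort service */ multiport dports 30000:32767 match-set cali40this-host dst
cali-set-endpoint-mark  udp  --  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:CbPfUajQ2bFVnDq4 */ /* To kubernetes NodePort service */ multiport dports 30000:32767 match-set cali40this-host dst
cali-set-endpoint-mark  all  --  0.0.0.0/0            0.0.0.0/0            /* cali:jmhU0ODogX-Zfe5g */ /* To kubernetes service */ ! match-set cali40this-host dst
EOF
}

# Which rules cover the port nmap found open on the worker node?
sample_listing | rules_for_port 30500
```

On a live host, replace `sample_listing` with `sudo iptables -L -n`; rules with no port match (for example the plain `all` rules) are not reported.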