k8s ex01: iptables and docker

In this entry, I’ll dig into some basic network principles of iptables, which kube-proxy uses as its base.

Anyone who has used Linux has probably used iptables in some way, but it becomes confusing when containers are involved. I will illustrate the basic flow of a packet step by step; the diagram is not 100% accurate, but I hope it helps someone grasp how iptables works.

And this is what I’m going to explain: the Docker container running nginx is waiting to serve a web page on port 80, while the client requests the page on port 8080. The client still gets the web page, because iptables rewrites the IP packet accordingly.

Request from the client to the container

In the image below, I highlighted the table that Docker modified specifically for this port forwarding. Each table usually also has a catch-all rule that either forwards or drops the packet.


Response from the container to the client
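As an added example (not from the original post), the following Python script parses the nat-table DOCKER chain that Docker installs for `-p 8080:80` and traces both the request (DNAT to the container) and the reply (conntrack undoing the DNAT) described in the two sections above. The chain text, the container address 172.17.0.2, and the host and client addresses are constructed assumptions.

```python
import re
from dataclasses import dataclass, replace
# Constructed sample: the nat-table DOCKER chain as `iptables-save -t nat` prints
# it for `docker run -p 8080:80 nginx`; the container address 172.17.0.2 is assumed.
DOCKER_NAT_CHAIN = """
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
"""
RULE_RE = re.compile(
    r"-A DOCKER (?P<neg>! )?-i (?P<iface>\S+)"
    r"(?: -p tcp -m tcp --dport (?P<dport>\d+)"
    r" -j DNAT --to-destination (?P<dst>[\d.]+):(?P<port>\d+)| -j RETURN)"
)

@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int

def parse_rules(text):
    """Return (negated, iface, dport, dnat_target) per rule; target is None for RETURN."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule: {line}")
        target = (m["dst"], int(m["port"])) if m["dst"] else None
        rules.append((bool(m["neg"]), m["iface"], m["dport"] and int(m["dport"]), target))
    return rules

def dnat(pkt, rules):
    """Walk the DOCKER chain the way PREROUTING does for an inbound request: first match wins."""
    for negated, iface, dport, target in rules:
        if (pkt.in_iface == iface) == negated:   # '-i' / '! -i' did not match
            continue
        if target is None:                        # -j RETURN: leave the packet alone
            return pkt
        if pkt.dport == dport:                    # -j DNAT: rewrite the destination
            return replace(pkt, dst=target[0], dport=target[1])
    return pkt

def untranslate_reply(reply, request, translated):
    """Reply path: conntrack undoes the DNAT, so the client sees host:8080 as the source."""
    if (reply.src, reply.sport, reply.dst) == (translated.dst, translated.dport, request.src):
        return replace(reply, src=request.dst, sport=request.dport)
    return reply
```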