# Captured interactive session on a Nomad client node (root prompt inside a
# Vagrant VM). Three commands were run: `ip a`, `iptables -L` (filter table) and
# `iptables -t nat -L`. The capture had flattened each command's output onto a
# single long line; line breaks are restored below, no tokens were altered.
# The <FLAGS> field that `ip` prints after each interface name is absent from the
# capture (probably stripped as markup), so link state must be read from "state".
[root@bsl-node-2 vagrant]# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
# eth0: DHCP-assigned ("dynamic", ~22.5 h of lease left). 10.0.2.x is what a
# VirtualBox NAT adapter hands out; presumably the outbound uplink — confirm with
# `ip route`.
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:26:10:60 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
       valid_lft 81229sec preferred_lft 81229sec
    inet6 fe80::5054:ff:fe26:1060/64 scope link
       valid_lft forever preferred_lft forever
# eth1: static 240.0.0.5/24. 240.0.0.0/4 is IANA-reserved ("Class E") space;
# Linux will happily use it, but many other stacks and routers refuse to, so
# this address only works between hosts that share the segment.
3: eth1: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:01:65:1b brd ff:ff:ff:ff:ff:ff
    inet 240.0.0.5/24 brd 240.0.0.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe01:651b/64 scope link
       valid_lft forever preferred_lft forever
# docker0 is DOWN (no container attached), yet Docker's iptables rules for it
# are still installed — see the FORWARD chain below.
4: docker0: mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:6e:f6:29:cb brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
# "nomad" is the Nomad bridge network, 172.26.64.0/20, gateway .1 on the host.
# Exactly two veths are enslaved to it (link-netnsid 0 and 1), i.e. two live task
# network namespaces. Keep that count in mind when reading the nat table: rules
# exist there for four task IPs.
5: nomad: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 42:b3:97:70:94:b6 brd ff:ff:ff:ff:ff:ff
    inet 172.26.64.1/20 brd 172.26.79.255 scope global nomad
       valid_lft forever preferred_lft forever
    inet6 fe80::40b3:97ff:fe70:94b6/64 scope link
       valid_lft forever preferred_lft forever
12: veth6d79382f@if3: mtu 1500 qdisc noqueue master nomad state UP group default
    link/ether 72:2c:9d:12:1d:19 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::702c:9dff:fe12:1d19/64 scope link
       valid_lft forever preferred_lft forever
13: veth5a50fbf5@if3: mtu 1500 qdisc noqueue master nomad state UP group default
    link/ether 3a:4f:a6:64:26:a9 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::384f:a6ff:fe64:26a9/64 scope link
       valid_lft forever preferred_lft forever
# Stray ^C at an empty prompt — no effect.
[root@bsl-node-2 vagrant]# ^C
# `sudo` is redundant at a root prompt. More important for a review: plain `-L`
# resolves addresses and ports to names (hence "anywhere", "localhost",
# "dynamid" = 9002, "base-address.mcast.net") and HIDES the in/out interface
# columns. Re-run as `iptables -nvL --line-numbers` (and `-t nat`) to get raw
# addresses, per-rule packet/byte counters, rule indices and the -i/-o
# qualifiers — several rules below look unconditional only because -L omits
# those qualifiers. Also check `iptables -V`: if this host is nftables-backed,
# rules added through the other backend will not appear in this listing.
[root@bsl-node-2 vagrant]# sudo iptables -L
# INPUT: policy ACCEPT with no rules — whatever is listening on the host
# (Nomad/Docker APIs, task ports published via DNAT, ...) is unfiltered on
# every interface. Pair this listing with `ss -lntup` to see what that exposes.
Chain INPUT (policy ACCEPT)
target prot opt source destination
# FORWARD: default policy DROP, but the two trailing "ACCEPT all -- anywhere
# anywhere" rules print without their interface qualifiers. If they are Docker's
# usual "-i docker0 ..." rules they are inert while docker0 is DOWN; if they are
# genuinely unconditional, the DROP policy is dead code. Verify with -v before
# relying on the DROP.
Chain FORWARD (policy DROP)
target prot opt source destination
CNI-FORWARD all -- anywhere anywhere /* CNI firewall plugin rules */
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# CNI-FORWARD (CNI "firewall" plugin for the Nomad bridge): per task IP, anything
# sourced from the task is allowed out and only RELATED,ESTABLISHED is allowed
# back in. But NOMAD-ADMIN is evaluated FIRST (jumped to twice — a duplicate)
# and accepts everything destined to 172.26.64.0/20, so the per-task inbound
# restriction never actually applies: any peer that can route to the bridge
# subnet, including other tasks on this node, reaches every task port directly.
# 172.26.64.44 appears only here (no nat rules, no SETMARK entries) and there are
# only two veths — most likely a leftover from a torn-down task. Confirm with
# `nomad alloc status` / `ip netns` before deleting.
Chain CNI-FORWARD (1 references)
target prot opt source destination
NOMAD-ADMIN all -- anywhere anywhere /* CNI firewall plugin rules */
NOMAD-ADMIN all -- anywhere anywhere /* CNI firewall plugin rules */
ACCEPT all -- anywhere 172.26.64.44 ctstate RELATED,ESTABLISHED
ACCEPT all -- 172.26.64.44 anywhere
ACCEPT all -- anywhere 172.26.64.49 ctstate RELATED,ESTABLISHED
ACCEPT all -- 172.26.64.49 anywhere
ACCEPT all -- anywhere 172.26.64.48 ctstate RELATED,ESTABLISHED
ACCEPT all -- 172.26.64.48 anywhere
ACCEPT all -- anywhere 172.26.64.50 ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere 172.26.64.51 ctstate RELATED,ESTABLISHED
ACCEPT all -- 172.26.64.50 anywhere
ACCEPT all -- 172.26.64.51 anywhere
Chain DOCKER (1 references)
target prot opt source destination
# Docker's bridge-isolation chains. The DROP in STAGE-2 is normally
# "-o docker0"-qualified; again -L does not show that.
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
# DOCKER-USER is the hook Docker reserves for operator rules; it is empty here.
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
# NOMAD-ADMIN: blanket accept for anything headed into the bridge subnet.
Chain NOMAD-ADMIN (2 references)
target prot opt source destination
ACCEPT all -- anywhere 172.26.64.0/20
[root@bsl-node-2 vagrant]# iptables -t nat -L
# nat/PREROUTING: both DNAT hooks fire for ANY locally owned destination address
# (ADDRTYPE dst-type LOCAL) — 10.0.2.15, 240.0.0.5, the bridge gateways and
# 127.0.0.1 alike. The published task ports below are therefore reachable on
# every interface, not just the one you may have intended.
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
CNI-HOSTPORT-DNAT all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !loopback/8 ADDRTYPE match dst-type LOCAL
CNI-HOSTPORT-DNAT all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
# nat/POSTROUTING: Docker masquerades 172.17.0.0/16; each Nomad allocation gets a
# per-allocation SNAT chain whose comment carries the alloc id. Two alloc ids,
# four task IPs: e256dffc-... owns both .48 and .51, 2db262e1-... owns .49 and
# .50. With only two veths on the bridge, two of those IPs cannot be live —
# this looks like rules from an earlier run of the same allocations that were
# never removed (CNI DEL skipped or failed). Confirm which IP each alloc holds
# now with `nomad alloc status <id>` before cleaning up.
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
CNI-HOSTPORT-MASQ all -- anywhere anywhere /* CNI portfwd requiring masquerade */
MASQUERADE all -- 172.17.0.0/16 anywhere
CNI-c38109d2a8fe74a1cab4b004 all -- 172.26.64.49 anywhere /* name: "nomad" id: "2db262e1-e823-f314-6c1c-f6216171e358" */
CNI-a7a0b7884bc8aa5787a2adb9 all -- 172.26.64.48 anywhere /* name: "nomad" id: "e256dffc-d2b0-2a0a-e6a0-1aac891cc741" */
CNI-a7a0b7884bc8aa5787a2adb9 all -- 172.26.64.51 anywhere /* name: "nomad" id: "e256dffc-d2b0-2a0a-e6a0-1aac891cc741" */
CNI-c38109d2a8fe74a1cab4b004 all -- 172.26.64.50 anywhere /* name: "nomad" id: "2db262e1-e823-f314-6c1c-f6216171e358" */
# Host-port DNAT for alloc e256dffc-.... DNAT is a terminating target and the
# first match wins, so host port 24542 (tcp+udp) and 9002 ("dynamid") always land
# on 172.26.64.48; the later rules for 172.26.64.51 are unreachable. If .48 is
# the stale IP (cannot be told from this listing) the published ports are
# black-holed. The "localhost" SETMARK rows exist only for the .48 set, which is
# consistent with the .51 set coming from a partial re-run.
Chain CNI-DN-a7a0b7884bc8aa5787a2a (2 references)
target prot opt source destination
CNI-HOSTPORT-SETMARK tcp -- 172.26.64.48 anywhere tcp dpt:24542
CNI-HOSTPORT-SETMARK tcp -- localhost anywhere tcp dpt:24542
DNAT tcp -- anywhere anywhere tcp dpt:24542 to:172.26.64.48:24542
CNI-HOSTPORT-SETMARK udp -- 172.26.64.48 anywhere udp dpt:24542
CNI-HOSTPORT-SETMARK udp -- localhost anywhere udp dpt:24542
DNAT udp -- anywhere anywhere udp dpt:24542 to:172.26.64.48:24542
CNI-HOSTPORT-SETMARK tcp -- 172.26.64.48 anywhere tcp dpt:dynamid
CNI-HOSTPORT-SETMARK tcp -- localhost anywhere tcp dpt:dynamid
DNAT tcp -- anywhere anywhere tcp dpt:dynamid to:172.26.64.48:9002
CNI-HOSTPORT-SETMARK udp -- 172.26.64.48 anywhere udp dpt:dynamid
CNI-HOSTPORT-SETMARK udp -- localhost anywhere udp dpt:dynamid
DNAT udp -- anywhere anywhere udp dpt:dynamid to:172.26.64.48:9002
CNI-HOSTPORT-SETMARK tcp -- 172.26.64.51 anywhere tcp dpt:24542
DNAT tcp -- anywhere anywhere tcp dpt:24542 to:172.26.64.51:24542
CNI-HOSTPORT-SETMARK udp -- 172.26.64.51 anywhere udp dpt:24542
DNAT udp -- anywhere anywhere udp dpt:24542 to:172.26.64.51:24542
CNI-HOSTPORT-SETMARK tcp -- 172.26.64.51 anywhere tcp dpt:dynamid
DNAT tcp -- anywhere anywhere tcp dpt:dynamid to:172.26.64.51:9002
CNI-HOSTPORT-SETMARK udp -- 172.26.64.51 anywhere udp dpt:dynamid
DNAT udp -- anywhere anywhere udp dpt:dynamid to:172.26.64.51:9002
# Same pattern for alloc 2db262e1-...: host port 20112 always goes to
# 172.26.64.49, the 172.26.64.50 rules never match.
Chain CNI-DN-c38109d2a8fe74a1cab4b (2 references)
target prot opt source destination
CNI-HOSTPORT-SETMARK tcp -- 172.26.64.49 anywhere tcp dpt:20112
CNI-HOSTPORT-SETMARK tcp -- localhost anywhere tcp dpt:20112
DNAT tcp -- anywhere anywhere tcp dpt:20112 to:172.26.64.49:20112
CNI-HOSTPORT-SETMARK udp -- 172.26.64.49 anywhere udp dpt:20112
CNI-HOSTPORT-SETMARK udp -- localhost anywhere udp dpt:20112
DNAT udp -- anywhere anywhere udp dpt:20112 to:172.26.64.49:20112
CNI-HOSTPORT-SETMARK tcp -- 172.26.64.50 anywhere tcp dpt:20112
DNAT tcp -- anywhere anywhere tcp dpt:20112 to:172.26.64.50:20112
CNI-HOSTPORT-SETMARK udp -- 172.26.64.50 anywhere udp dpt:20112
DNAT udp -- anywhere anywhere udp dpt:20112 to:172.26.64.50:20112
# Dispatch from PREROUTING/OUTPUT into the per-allocation DNAT chains, keyed on
# the published host ports only (no destination-address restriction).
Chain CNI-HOSTPORT-DNAT (2 references)
target prot opt source destination
CNI-DN-c38109d2a8fe74a1cab4b tcp -- anywhere anywhere /* dnat name: "nomad" id: "2db262e1-e823-f314-6c1c-f6216171e358" */ multiport dports 20112
CNI-DN-c38109d2a8fe74a1cab4b udp -- anywhere anywhere /* dnat name: "nomad" id: "2db262e1-e823-f314-6c1c-f6216171e358" */ multiport dports 20112
CNI-DN-a7a0b7884bc8aa5787a2a tcp -- anywhere anywhere /* dnat name: "nomad" id: "e256dffc-d2b0-2a0a-e6a0-1aac891cc741" */ multiport dports 24542,dynamid
CNI-DN-a7a0b7884bc8aa5787a2a udp -- anywhere anywhere /* dnat name: "nomad" id: "e256dffc-d2b0-2a0a-e6a0-1aac891cc741" */ multiport dports 24542,dynamid
# Hairpin support: traffic marked 0x2000 (task or localhost reaching a published
# port) is masqueraded so replies come back through the host. Both the
# MASQUERADE and the MARK rule are present twice — harmless in effect, but it
# corroborates that the portmap plugin populated its shared chains twice.
Chain CNI-HOSTPORT-MASQ (1 references)
target prot opt source destination
MASQUERADE all -- anywhere anywhere mark match 0x2000/0x2000
MASQUERADE all -- anywhere anywhere mark match 0x2000/0x2000
Chain CNI-HOSTPORT-SETMARK (18 references)
target prot opt source destination
MARK all -- anywhere anywhere /* CNI portfwd masquerade mark */ MARK or 0x2000
MARK all -- anywhere anywhere /* CNI portfwd masquerade mark */ MARK or 0x2000
# Per-allocation SNAT: traffic staying inside the bridge /20 is left alone; all
# other unicast egress is masqueraded to the host's egress address. For incident
# attribution this means upstream logs record the node IP, not the task — keep
# conntrack (`conntrack -L`) or per-task logging if flows must be tied back to
# an allocation.
Chain CNI-a7a0b7884bc8aa5787a2adb9 (2 references)
target prot opt source destination
ACCEPT all -- anywhere 172.26.64.0/20 /* name: "nomad" id: "e256dffc-d2b0-2a0a-e6a0-1aac891cc741" */
MASQUERADE all -- anywhere !base-address.mcast.net/4 /* name: "nomad" id: "e256dffc-d2b0-2a0a-e6a0-1aac891cc741" */
Chain CNI-c38109d2a8fe74a1cab4b004 (2 references)
target prot opt source destination
ACCEPT all -- anywhere 172.26.64.0/20 /* name: "nomad" id: "2db262e1-e823-f314-6c1c-f6216171e358" */
MASQUERADE all -- anywhere !base-address.mcast.net/4 /* name: "nomad" id: "2db262e1-e823-f314-6c1c-f6216171e358" */
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
[root@bsl-node-2 vagrant]#