Get iptables rules from specific pod
- Get pod pid
1
2
| crictl ps
crictl inspect ccb81ebe7a080 # id from previus command
|
We see some info about container
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| "namespaces": [
{
"type": "pid"
},
{
"type": "ipc",
"path": "/proc/3932/ns/ipc"
},
{
"type": "uts",
"path": "/proc/3932/ns/uts"
},
{
"type": "mount"
},
{
"type": "network",
"path": "/proc/3932/ns/net"
}
],
|
- Get namespace for pid 3932
1
2
3
4
5
6
7
8
9
10
| lsns --output NS,TYPE,PID,COMMAND|grep 3932
4026532826 mnt 3932 /pause
4026532827 ipc 3932 /pause
4026532828 pid 3932 /pause
# OR
ps -e -o pid,netns,ipcns,mntns,pidns,userns,utsns,comm,user |grep 3932
# OR
ll /proc/3932/ns
|
- Get iptables rules for this
Lol this pid does not have network namespace.
But there must be
Identify namespace:
1
2
3
| # OR for network
ip netns identify 3707
cni-af645ffa-2dcf-10ce-0a8d-b6f970f7c235
|
1
| ip netns exec cni-af645ffa-2dcf-10ce-0a8d-b6f970f7c235 iptables -t nat -n -L
|
Some commands
List all namespace
List network namespace
1
2
| lsns --type=net
ip netns list
|
List namespace for pid
List columns
1
| lsns --output NS,TYPE,PID,COMMAND
|
list iptables by namespace
1
| ip netns exec cni-71108cea-44fb-7d93-8e48-cbcaf8f0d678 iptables -t nat -n -L
|
###
Check packet from namespace
1
| ip netns exec myns1 nc 127.0.0.1 8083 -v -G3 -w3
|
List route namespace
1
2
| ip netns exec myns1 route -n
ip netns exec cni-71108cea-44fb-7d93-8e48-cbcaf8f0d678 ip route list
|
Ping from namespace
1
| ip netns exec myns1 ping 10.1.1.3
|
P.S
How to Create a Network Namespace and add iptables rules and Test it
Good things
