Iptables: 'CATTLE_PREROUTING' doesn't show ports 500 & 4500

We have a new Rancher cluster, and I’m troubleshooting some network/connectivity issues.

In the iptables rules, in the CATTLE_PREROUTING chain, I’m not seeing any rules for ports 500/udp or 4500/udp. Any idea why not?

The doc "Troubleshooting: How to check iptables rules are not being malformed?" shows the following:

Chain CATTLE_PREROUTING (1 references)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL tcp dpt:80 to:10.42.160.45:8080
2    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL udp dpt:4500 to:10.42.179.222:4500
3    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL udp dpt:500 to:10.42.179.222:500

However, our own rules don’t have a rule for 500/udp or 4500/udp, at least not in the CATTLE_PREROUTING table. I do see some related rules in the “DOCKER” chain.

[root@docker1 ~]# iptables --list --table -n nat
Chain CATTLE_PREROUTING (1 references)
target     prot opt source               destination         
DNAT       tcp  --  10.42.0.0/16         10.42.0.1            tcp dpt:domain to:169.254.169.250
DNAT       udp  --  10.42.0.0/16         10.42.0.1            udp dpt:domain to:169.254.169.250
MARK       all  -- !10.42.0.0/16         169.254.169.250      MAC 02:AA:38:B5:37:AA MARK set 0x16284
MARK       all  -- !10.42.0.0/16         169.254.169.250      MAC 02:AA:38:12:CE:AA MARK set 0x2266e
MARK       all  -- !10.42.0.0/16         169.254.169.250      MAC 02:AA:38:56:14:AA MARK set 0xf2697

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
DNAT       udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t to:172.17.0.2:4500
DNAT       udp  --  anywhere             anywhere             udp dpt:isakmp to:172.17.0.2:500
[root@docker1 ~]#

The Rancher Network Agent seems to be running:

[root@docker1 ~]# docker ps
adsddasdasas        rancher/agent-instance:v0.8.3   "/etc/init.d/agent-in"   13 minutes ago      Up 13 minutes       0.0.0.0:500->500/udp, 0.0.0.0:4500->4500/udp   asdasd-asdsad-asdasd-asdasd-876c1d6473f0
asdasdasdasd        rancher/agent:v1.0.2            "/run.sh run"            19 minutes ago      Up 19 minutes                                                      rancher-agent
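
The comparison made in the post, as an added example that is not part of the original post or of Rancher's tooling: it reads an `iptables` nat-table listing and reports which chain holds the DNAT rules for 500/udp and 4500/udp, accepting both numeric ports and the service names (`isakmp`, `ipsec-nat-t`) printed when `-n` is not in effect. The function names are hypothetical, and the sample input is an abridged copy of the listing above.

```shell
#!/bin/sh
# Added example: find which nat chains carry DNAT rules for the IPsec ports.

# Sample input: abridged copy of the listing in the post (not live output).
sample_listing() {
cat <<'EOF'
Chain CATTLE_PREROUTING (1 references)
target     prot opt source               destination
DNAT       tcp  --  10.42.0.0/16         10.42.0.1            tcp dpt:domain to:169.254.169.250
DNAT       udp  --  10.42.0.0/16         10.42.0.1            udp dpt:domain to:169.254.169.250

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t to:172.17.0.2:4500
DNAT       udp  --  anywhere             anywhere             udp dpt:isakmp to:172.17.0.2:500
EOF
}

# Read a nat-table listing on stdin; print "chain port destination" for
# every udp DNAT rule whose destination port is 500 or 4500.
ipsec_dnat_rules() {
    awk '
    $1 == "Chain" { chain = $2; next }
    {
        # With --line-numbers the first field is the rule number.
        off = ($1 ~ /^[0-9]+$/) ? 1 : 0
        if ($(1 + off) != "DNAT" || $(2 + off) != "udp") next
        port = ""; to = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dpt:/) port = substr($i, 5)
            if ($i ~ /^to:/)  to = substr($i, 4)
        }
        # Without -n, iptables prints service names instead of numbers.
        if (port == "isakmp") port = "500"
        if (port == "ipsec-nat-t") port = "4500"
        if (port == "500" || port == "4500") print chain, port, to
    }'
}

# Succeed only if the named chain has DNAT rules for both 500/udp and 4500/udp.
chain_has_ipsec_dnat() {
    ipsec_dnat_rules | awk -v c="$1" '
        $1 == c { seen[$2] = 1 }
        END { exit (seen["500"] && seen["4500"]) ? 0 : 1 }'
}

sample_listing | ipsec_dnat_rules
```

On a host, pipe the live nat-table listing into `chain_has_ipsec_dnat CATTLE_PREROUTING` in place of `sample_listing`.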