We have a new Rancher cluster, and I’m troubleshooting some network/connectivity issues.
In the iptables rules, in the CATTLE_PREROUTING chain, I’m not seeing any rules for ports 500/udp or 4500/udp. Any idea why not?
The doc “Troubleshooting: HOW TO CHECK IPTABLES RULES ARE NOT BEING MALFORMED?” shows the following:
Chain CATTLE_PREROUTING (1 references)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL tcp dpt:80 to:10.42.160.45:8080
2 DNAT udp -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL udp dpt:4500 to:10.42.179.222:4500
3 DNAT udp -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL udp dpt:500 to:10.42.179.222:500
However, our own rules don’t have a rule for 500/udp or 4500/udp, at least not in the CATTLE_PREROUTING table. I do see some related rules in the “DOCKER” chain.
[root@docker1 ~]# iptables --list --table -n nat
Chain CATTLE_PREROUTING (1 references)
target prot opt source destination
DNAT tcp -- 10.42.0.0/16 10.42.0.1 tcp dpt:domain to:169.254.169.250
DNAT udp -- 10.42.0.0/16 10.42.0.1 udp dpt:domain to:169.254.169.250
MARK all -- !10.42.0.0/16 169.254.169.250 MAC 02:AA:38:B5:37:AA MARK set 0x16284
MARK all -- !10.42.0.0/16 169.254.169.250 MAC 02:AA:38:12:CE:AA MARK set 0x2266e
MARK all -- !10.42.0.0/16 169.254.169.250 MAC 02:AA:38:56:14:AA MARK set 0xf2697
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DNAT udp -- anywhere anywhere udp dpt:ipsec-nat-t to:172.17.0.2:4500
DNAT udp -- anywhere anywhere udp dpt:isakmp to:172.17.0.2:500
[root@docker1 ~]#
The Rancher Network Agent seems to be running:
[root@docker1 ~]# docker ps
adsddasdasas rancher/agent-instance:v0.8.3 "/etc/init.d/agent-in" 13 minutes ago Up 13 minutes 0.0.0.0:500->500/udp, 0.0.0.0:4500->4500/udp asdasd-asdsad-asdasd-asdasd-876c1d6473f0
asdasdasdasd rancher/agent:v1.0.2 "/run.sh run" 19 minutes ago Up 19 minutes rancher-agent
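As an added diagnostic example (not code from the post above and not Rancher's own tooling), the following script parses a nat-table listing of the kind shown in the post and reports which chains actually carry the DNAT rules for udp/500 and udp/4500, so the "missing from CATTLE_PREROUTING, present in DOCKER" situation can be confirmed mechanically rather than by eye. The SAMPLE_LISTING is constructed from the post's own output (same chains, ports and addresses); the SERVICE_PORTS mapping and the function names are assumptions, the mapping being needed because the listing prints service names (dpt:isakmp, dpt:ipsec-nat-t, dpt:domain) rather than port numbers.

```python
"""Check an `iptables -t nat -L` listing for the IPsec DNAT rules.

Added example, not from the forum post or from Rancher. SAMPLE_LISTING is
constructed from the post's own output; SERVICE_PORTS is an assumed mapping.
"""
import re

# Service names iptables prints in place of numbers (from /etc/services).
# Assumed mapping; extend it if your listing shows other names.
SERVICE_PORTS = {"isakmp": 500, "ipsec-nat-t": 4500, "domain": 53}

# Constructed from the listing in the post (one MARK rule kept for realism).
SAMPLE_LISTING = """\
Chain CATTLE_PREROUTING (1 references)
target prot opt source destination
DNAT tcp -- 10.42.0.0/16 10.42.0.1 tcp dpt:domain to:169.254.169.250
DNAT udp -- 10.42.0.0/16 10.42.0.1 udp dpt:domain to:169.254.169.250
MARK all -- !10.42.0.0/16 169.254.169.250 MAC 02:AA:38:B5:37:AA MARK set 0x16284
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DNAT udp -- anywhere anywhere udp dpt:ipsec-nat-t to:172.17.0.2:4500
DNAT udp -- anywhere anywhere udp dpt:isakmp to:172.17.0.2:500
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")
DPT_RE = re.compile(r"\bdpt:(\S+)")
TO_RE = re.compile(r"\bto:(\S+)")


def port_number(token):
    """Turn a dpt: value into an int, resolving service names iptables prints without -n."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token)


def parse_nat_listing(text):
    """Parse `iptables -t nat -L` output into {chain_name: [rule dict, ...]}."""
    chains = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or line.startswith("target "):
            continue  # column header, or text before the first chain
        fields = line.split()
        rule = {"target": fields[0], "proto": fields[1], "dpt": None, "to": None}
        dpt = DPT_RE.search(line)
        if dpt:
            rule["dpt"] = port_number(dpt.group(1))
        to = TO_RE.search(line)
        if to:
            rule["to"] = to.group(1)
        chains[current].append(rule)
    return chains


def find_dnat(chains, proto, port):
    """Return [(chain, destination)] for every DNAT rule matching proto/port, in any chain."""
    hits = []
    for chain, rules in chains.items():
        for r in rules:
            if r["target"] == "DNAT" and r["proto"] == proto and r["dpt"] == port:
                hits.append((chain, r["to"]))
    return hits


def ipsec_rule_report(text, expected_chain="CATTLE_PREROUTING"):
    """For udp/500 and udp/4500: which chains DNAT them, and whether expected_chain does."""
    chains = parse_nat_listing(text)
    report = {}
    for port in (500, 4500):
        hits = find_dnat(chains, "udp", port)
        report[port] = {
            "chains": sorted(c for c, _ in hits),
            "in_expected_chain": any(c == expected_chain for c, _ in hits),
        }
    return report


if __name__ == "__main__":
    for port, info in ipsec_rule_report(SAMPLE_LISTING).items():
        status = "ok" if info["in_expected_chain"] else "MISSING"
        print(f"udp/{port}: {status} in CATTLE_PREROUTING; DNAT found in {info['chains']}")
```

Against the listing in the post this reports both ports as MISSING from CATTLE_PREROUTING and present only in DOCKER, i.e. the container's published ports are being handled by Docker's own DNAT and not by the Rancher-managed chain. To run it against a live host, replace SAMPLE_LISTING with the text of `iptables -t nat -L` (or `iptables -t nat -L -n`, which the numeric branch of port_number handles).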