The ExternalIP experiments in Kubernetes networking 101 - (Basic) External access into the cluster emphasize that when response packets to the cluster's external hosts are returned from ubuntu2, the source address is replaced with 169.10.10.1.
The original source is:
It is not possible to reverse a DNAT pointing to a pod if the reply does not come back through that host. In this case, reversing the DNAT means changing the source of the packet back to the original pre-DNAT destination of 169.10.10.1. So, as you can see, the masquerading rules are very important to ensure that the external IP setup works properly.
I also did this experiment, but I'm not sure how masquerade can replace the source address with 169.10.10.1.
- All computers appear to have the same IP
- This is done with Network Address Translation
- It’s easy to fake the “outgoing packet”
- “Incoming packets” must be translated too
- Port translation - a must
For example, this command
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
The packet goes out of interface ppp0, so the source address is replaced with the IP address of ppp0.
But 169.10.10.1 is actually a virtual address and does not belong to any interface on the node, so how can masquerade replace the source address with 169.10.10.1?
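Added example, not part of the original post and not kube-proxy's own code: a small Python model of one TCP flow through netfilter conntrack on ubuntu2, with the two NAT rules kube-proxy installs for an externalIP (a PREROUTING DNAT to the pod and a POSTROUTING MASQUERADE for the forwarded traffic). The externalIP 169.10.10.1 and the node name ubuntu2 come from the post; the client address, ubuntu2's interface address and the pod address (on a different node) are constructed assumptions. The point it shows is that the MASQUERADE rule never writes 169.10.10.1 anywhere: it writes the node's own interface address, exactly as the ppp0 rule does, so that the pod's reply is routed back to ubuntu2. It is conntrack's reversal of the DNAT on that reply that restores 169.10.10.1 as the source. Without the masquerade the pod answers the client directly from its own address and no node ever undoes the DNAT.

```python
"""Toy model of conntrack + NAT for one externalIP flow (added example).

Assumed addresses (constructed for this example):
  CLIENT_IP  external client outside the cluster
  NODE_IP    the interface address of ubuntu2 (the node the request enters)
  POD_IP     the backing pod, running on a different node
EXTERNAL_IP is the externalIP from the post; it is not bound to any interface.
"""
from dataclasses import dataclass, replace

EXTERNAL_IP = "169.10.10.1"    # from the post
NODE_IP = "192.168.56.102"     # assumed: ubuntu2's outgoing interface
POD_IP = "10.244.1.5"          # assumed: pod on another node
CLIENT_IP = "203.0.113.7"      # assumed: external client
SERVICE_PORT, TARGET_PORT = 80, 8080


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class ConntrackEntry:
    orig: Packet   # packet as first seen in PREROUTING (client -> externalIP)
    nat: Packet    # packet as it left POSTROUTING (after DNAT, and SNAT if masqueraded)


class NatNode:
    """ubuntu2: conntrack table plus the DNAT and (optional) MASQUERADE rules."""

    def __init__(self, node_ip, masquerade=True):
        self.node_ip = node_ip
        self.masquerade = masquerade
        self.table = []

    def forward(self, pkt):
        # Reply direction: does this packet answer a flow we already translated?
        for e in self.table:
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (e.nat.dst, e.nat.dport, e.nat.src, e.nat.sport):
                # conntrack undoes BOTH translations: source becomes the original
                # destination (169.10.10.1:80), destination becomes the original client.
                return replace(pkt, src=e.orig.dst, sport=e.orig.dport,
                               dst=e.orig.src, dport=e.orig.sport)
        if pkt.dst != EXTERNAL_IP or pkt.dport != SERVICE_PORT:
            return pkt  # not this externalIP service, left untouched
        nat = replace(pkt, dst=POD_IP, dport=TARGET_PORT)          # PREROUTING DNAT
        if self.masquerade:
            nat = replace(nat, src=self.node_ip)                   # POSTROUTING MASQUERADE: node's own IP
        self.table.append(ConntrackEntry(orig=pkt, nat=nat))
        return nat


def pod_reply(pkt):
    """The pod answers whatever it saw: swap addresses and ports."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)


def deliver_reply(node, reply):
    """Routing on the pod's node: a reply addressed to ubuntu2 passes back through
    ubuntu2's conntrack; anything else leaves via the pod node's default route."""
    return node.forward(reply) if reply.dst == node.node_ip else reply


def client_accepts(request, reply):
    """The client's socket only matches a reply from the address:port it connected to."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)


def simulate(masquerade):
    """Return (packet as the pod sees it, packet as the client receives it)."""
    node = NatNode(NODE_IP, masquerade=masquerade)
    request = Packet(CLIENT_IP, 51234, EXTERNAL_IP, SERVICE_PORT)
    at_pod = node.forward(request)
    at_client = deliver_reply(node, pod_reply(at_pod))
    return at_pod, at_client


if __name__ == "__main__":
    for masq in (True, False):
        at_pod, at_client = simulate(masq)
        req = Packet(CLIENT_IP, 51234, EXTERNAL_IP, SERVICE_PORT)
        print(f"masquerade={masq}: pod sees {at_pod}, client gets {at_client}, "
              f"accepted={client_accepts(req, at_client)}")
```

With the masquerade the pod sees the request from ubuntu2's interface address, answers to it, and ubuntu2's conntrack entry rewrites the reply's source back to 169.10.10.1:80 before it leaves for the client. Without it the pod sees the client's real address and replies straight from 10.244.1.5, which the client's socket does not recognise, so the connection never completes.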