[Figure: flowchart of iptables nat-table processing for service traffic. Entry points: nat.PREROUTING, nat.OUTPUT. Chains: KUBE-SERVICES, KUBE-MARK-MASQ, KUBE-SVC-*, KUBE-FW-*. Decision nodes: "Match a svc cluster IP?", "Masquerade all?", "Match a svc external IP?", "From off-node?", "To local IP?", "Match a svc LB IP?", "Svc traffic policy local?". Terminal node: "Route to Network".]