Istio-proxy outbound traffic redirection - how does it work without causing an infinite traffic redirection loop?


I am trying to understand how the sidecar traffic interception model works with istio-init creating a bunch of iptables rules.


  • Istio 1.9.2 on AWS EKS installed using istioctl install --verify
  • I am SSH’ed directly on a worker node as root, and running iptables commands in the namespace of specific containers.
  • My default namespace is labeled istio-injection=enabled

What I understand: When listing the iptables rules applied to my container, I correctly see the iptables rules:

$ docker ps | grep my-test-pod
$ docker top 69da64cc59cf
UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
root                15107               15077               0                   16:37               pts/0               00:00:00            /bin/sh

$ sudo nsenter -n --target 15107 iptables -t nat -S
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001

This specifically shows that all outgoing container traffic is routed to the Envoy proxy running in the istio-proxy sidecar and listening on port 15001.

Question: The two containers (my-test-container and istio-proxy) share the same network namespace. Consequently, the istio-proxy container also has an iptables rule redirecting all outbound traffic… to itself on port 15001. Then, how come traffic ever manages to go out? Is there some kind of iptables magic happening that I am missing?

There are some rules that check the UID/GID of the process and exclude 1337, which the proxy runs as.

Thanks John, that’s super useful.

So in theory, if the sidecar container is killed and my container spawns a process as uid/gid 1337 listening on port 15001, it would receive all outbound traffic of the container - correct?
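As an added illustration (not part of the thread, and not Istio's own code), here is a small Python walk over a constructed subset of the nat rules istio-init installs, modelled on the iptables -t nat -S output quoted above. It shows why the proxy's own connections are not looped back: the -m owner --uid-owner 1337 -j RETURN rule John mentions sits in ISTIO_OUTPUT before the jump to ISTIO_REDIRECT, and the owner match keys on the uid/gid of the socket that sends the packet, not on whoever listens on 15001. The rule subset, the uid 1000 used for the application, and the helper names parse/verdict/route are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed subset of the nat rules istio-init installs, in `iptables -t nat -S` form.
# Order is the point: the owner RETURNs for uid/gid 1337 come before ISTIO_REDIRECT.
RULES = """
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
"""
def parse(text):
    """{chain: [(match_opts, target, to_port)]}; every option here takes one value."""
    chains = {}
    for tok in map(str.split, text.strip().splitlines()):
        opts = dict(zip(tok[2::2], tok[3::2]))      # "-m owner" only loads the match module
        m = {k: v for k, v in opts.items() if k not in ("-m", "-j", "--to-ports")}
        chains.setdefault(tok[1], []).append((m, opts["-j"], opts.get("--to-ports")))
    return chains
def matches(m, pkt):
    for k, v in m.items():
        if k == "-d":
            ok = ip_address(pkt["dst"]) in ip_network(v)
        elif k == "-p":
            ok = pkt["proto"] == v
        else:                                        # --uid-owner / --gid-owner of the sending socket
            ok = pkt[k[2:5]] == int(v)
        if not ok:
            return False
    return True
def verdict(chains, pkt, chain="OUTPUT"):
    """Walk a chain as netfilter does; RETURN or end of chain hands back to the caller."""
    for m, target, port in chains.get(chain, []):
        if not matches(m, pkt):
            continue
        if target == "RETURN":
            break
        if target == "REDIRECT":
            return ("REDIRECT", int(port))
        sub = verdict(chains, pkt, target)           # jump into a user-defined chain
        if sub is not None:
            return sub
    return ("ACCEPT", None) if chain == "OUTPUT" else None   # built-in chain policy: ACCEPT

CHAINS = parse(RULES)
def route(uid, dst, gid=None):
    """Verdict for a TCP packet sent by a socket owned by uid/gid (gid defaults to uid)."""
    pkt = {"proto": "tcp", "uid": uid, "gid": uid if gid is None else gid, "dst": dst}
    return verdict(CHAINS, pkt)
```

route(1000, "93.184.216.34") ends in ("REDIRECT", 15001), while the same packet from uid 1337 hits the RETURN first and falls through to the OUTPUT chain's ACCEPT policy, which is what lets Envoy's upstream connections leave the pod.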