Always masquerade node-originating traffic with a service VIP source ip

pkg/proxy/ipvs/proxier.go

@@ -1218,17 +1218,25 @@ func (proxier *Proxier) writeIptablesRules() {
 			"-A", string(kubeServicesChain),
 			"-m", "comment", "--comment", proxier.ipsetList[kubeClusterIPSet].getComment(),
 			"-m", "set", "--match-set", kubeClusterIPSet,
-			"dst,dst",
 		)
 		if proxier.masqueradeAll {
-			writeLine(proxier.natRules, append(args, "-j", string(KubeMarkMasqChain))...)
+			writeLine(proxier.natRules, append(args, "dst,dst", "-j", string(KubeMarkMasqChain))...)
 		} else if len(proxier.clusterCIDR) > 0 {
 			// This masquerades off-cluster traffic to a service VIP.  The idea
 			// is that you can establish a static route for your Service range,
 			// routing to any node, and that node will bridge into the Service
 			// for you.  Since that might bounce off-node, we masquerade here.
 			// If/when we support "Local" policy for VIPs, we should update this.
-			writeLine(proxier.natRules, append(args, "! -s", proxier.clusterCIDR, "-j", string(KubeMarkMasqChain))...)
+			writeLine(proxier.natRules, append(args, "dst,dst", "! -s", proxier.clusterCIDR, "-j", string(KubeMarkMasqChain))...)
+		} else {
+			// Masquerade all OUTPUT traffic coming from a service ip.
+			// The kube dummy interface has all service VIPs assigned which
+			// results in the service VIP being picked as the source IP to reach
+			// a VIP. This leads to a connection from VIP:<random port> to
+			// VIP:<service port>.
+			// Always masquerading OUTPUT (node-originating) traffic with a VIP
+			// source ip and service port destination fixes the outgoing connections.
+			writeLine(proxier.natRules, append(args, "src,dst", "-j", string(KubeMarkMasqChain))...)
 		}
 	}