the host itself has no iptables applied other than what k8s has added, it's all NFTables - restarting the cilium pod sometimes helps, restarting the kube-proxy pod sometimes helps, sometimes doing a

nft flush ruleset

and waiting a minute helps, the only reliable answer is to reboot the worker node