how kubernetes service works?

kube-proxy in each node listen to any new service/endpoint in master API controller

Kubernetes uses etcd to share the current cluster configuration information across all nodes (including pods, services, deployments, etc.).

If there is any new service/endpoint, it adds a rule to that node's iptables

Internally kubernetes has a so called Endpoint Controller that is responsible for modifying the DNS configuration of the virtual cluster network to make service endpoints available via DNS (and environment variables).

For NodePort service, external client has to access new service through one of the node's ip and NodePort. The node will forward the request to the new service IP

Depending on the service type additional action is taken, e.g. to make a port available on the nodes through an automatically created clusterIP service for type nodePort. Or an external load balancer is created with the cloud provider, etc.

Are services lying within nodes? If so, can we ssh into nodes and inspect how services work?

As explained, services are manifested in the cluster configuration, the endpoint controller as well as additional things, like the clusterIP services, load balancers, etc. I cannot see a need to ssh into nodes to inspect services. Typically interacting with the cluster api should be sufficient to investigate/update the service configuration.

Are service IPs virtual IPs and only accessible within nodes?

Service IPs, like POD IPs are virtual and accessible from within the cluster network. There is a global allocation map in etcd that maintains the complete list that allows allocating unique new ones. For more information on the networking model read this blog.

For more detailed information see the docs for kubernetes components and services.