Support for iptables rules

[zayhanlon]

Problem

As an administrator of Fleet, I have Linux hosts that only have default iptables rules today. I need them to have a certain set of rules, but ip_tables was deprecated in osquery and moved to nftables. newer linux distributions have moved from iptables to nftables. Osquery cannot parse the native nftables interfaces.

I would like to get iptables rules with Fleet.

customer-rocher - https://fleetdm.slack.com/archives/C04JD2Z4M1B/p1694467903019529 customer-ufa - https://fleetdm.slack.com/archives/C01QH02FV1N/p1693265256405769

Potential solutions

1. osquery repo issue: https://github.com/osquery/osquery/issues/7323

[noahtalerman]

Hey @zwass do you know how we would approach this? Do we need to add a new table to get iptable rules?

[noahtalerman]

@zayhanlon heads up, this didn't make the 3 week drafting timeline so we're removing it from the drafting board. Bringing back to feature fest.

[zwass]

Generally I imagine the customers are actually using the new nftables and so this issue would apply: https://github.com/osquery/osquery/issues/7323

[noahtalerman]

Zach: We might have to implement a new nftables table (or more than one table) because the data might be different. It might not map to the existing iptables table columns.

Zach: Check out alf- and lxd- tables as potential examples.

[noahtalerman]

Hey @Patagonia121 heads up, this customer request didn't make it through drafting in the current design sprint.

Bringing it back to feature fest.

[noahtalerman]

Hey @Patagonia121, heads up, we didn't have the space to take this one on in the current design sprint (4.48).

Please feel free to bring this back to the next feature fest if it's still relevant to the customers.

[noahtalerman]

Hey @zwass, do you have the capacity to drive this one?

[noahtalerman]

cc @Patagonia121 ^^

[noahtalerman]

@Patagonia121 we discussed this during the last feature fest.

Let's see if Zach can help us PM this one.

Removing from feature fest.

[nonpunctual]

@noahtalerman @zwass @eashaw

For reference: https://github.com/fleetdm/fleet/issues/4410 - iptables table was removed.

osquery has now re-added the iptables table again to their schema: https://www.osquery.io/schema/5.12.1/#iptables

Does this mean we don't have to do anything to add iptables into the Fleet schema as we fully adopt core osquery? Is there something we need to do to enable it because it was removed?

If the iptables table will magically reappear on a future fleetd update this issue can be closed.

[zwass]

I'm not sure why iptables table was brought back but I think there is still work to do here. Modern Linux is not using iptables and we need to build an nftables table. A customer of ours actually has a POC for this which I will help bring to production.

[nonpunctual]

@zwass @noahtalerman i think adding the additional table is great but as for iptables (which our customer has explicitly said they want) will it come back into Fleet & fleetd & the table docs because it is in osquery core? If not, customer is requesting that it be enabled. Thanks.

[zwass]

AFAICT the iptables table was never removed (see the git history with no changes in the last 7 years https://github.com/osquery/osquery/commits/master/specs/linux/iptables.table)... I see the linked issue above where the documentation was removed from the Fleet UI at Mike's request. I'm guessing because iptables is generally not used anymore?

I don't think we have capabilities to remove core osquery tables from fleetd so I'm guessing it's just not showing in the Fleet UI but should work on any version of Fleet/fleetd. Is that incorrect?

@nonpunctual If we have customers that want to use this table, I agree that we should bring it back into the schema Fleet publishes -- and include a note indicating that it's only for legacy systems.

[nonpunctual]

@zwass @noahtalerman

2 updates on this:

1) customer-domon deploys vanilla osquery with Fleet. Queries using iptables work in his environment. I think this confirms what Zach said about the table still working?

2) I am going to enroll a proxmox Ubuntu instance but right at the moment I can't enroll any of my Ubuntu test VMs so I don't know if an iptables query using fleetd osquery will work. Can someone check please?

[zwass]

@nonpunctual can we sync up to debug why you can't enroll VMs?

[nonpunctual]

@noahtalerman @zwass I am going to be using proxmox but the reason I don't have any Ubuntu VMs enrolled is I have an Apple SIlicon Mac & the Fleet stuff isn't compiled for arm64. Also the Ubuntu fleetctl package for Linux seems not to work even in x86 emulation on arm64.

Here is a list of issues related to not supporting arm64:

https://github.com/fleetdm/fleet/issues/1031 https://github.com/fleetdm/fleet/issues/1845 https://github.com/fleetdm/fleet/issues/2466 https://github.com/fleetdm/fleet/issues/4420 https://github.com/fleetdm/fleet/issues/4430 https://github.com/fleetdm/fleet/issues/8257 https://github.com/fleetdm/fleet/issues/8904 https://github.com/fleetdm/fleet/issues/9047 https://github.com/fleetdm/fleet/issues/10864 https://github.com/fleetdm/fleet/issues/18532

Thanks.

[noahtalerman]

Zay: What’s the general ask - I want to validate Linux host firewall operation and configuration.

[nonpunctual]

@noahtalerman please see @zwass comment https://github.com/fleetdm/fleet/issues/15651#issuecomment-2103124916

The table is currently listed in the osquery schema docs. Because we include osquery core (unless I am misunderstanding Zach) all we need to do is make it visible & add it to our data table docs. customer-domon has need for this.

I also agree w Zach that we should either enhance this table for nftables support or make new separate one for this. Obviously, there's a need for both. Thanks. cc @zayhanlon

[zayhanlon]

@nonpunctual i discussed this with noah this morning, and we are in agreement that we're okay to make it visible again (at the time, Mo/Mike agreed to hide it because we were receiving a bunch of bug reports about the table not working) with the caveat that there are notes about the limitations of where it's supported. can you own updating the note for the table when it's published?

@eashaw can you unhide the iptables table? https://github.com/fleetdm/fleet/blob/main/schema/tables/iptables.yml

approved by @noahtalerman

[eashaw]

@zayhanlon @nonpunctual I just merged a PR that unhides the iptables table (https://github.com/fleetdm/fleet/pull/21956)