metal-stack / firewall-controller

A Kubernetes controller running on bare-metal firewalls that creates nftables rules, configures Suricata and collects network metrics.
MIT License

Nftables rules for transparent DNS proxy #84

Closed. mwindower closed this 3 years ago

mwindower commented 3 years ago

For transparently proxying DNS traffic with the firewall-controller we need to catch all DNS traffic arriving at firewall nodes. We can achieve this with three changes to our nftables rule set:

1. DNAT to public address

   Because the firewall-controller runs in the internet VRF, we need to DNAT DNS requests arriving at the private VRF to the public IP.

   ```nft
   chain prerouting {
       type nat hook prerouting priority filter;
       iifname "vlan<Private>" tcp dport { 53 } dnat to <PublicIP> counter accept comment "transparent proxying DNS/TCP"
       iifname "vlan<Private>" udp dport { 53 } dnat to <PublicIP> counter accept comment "transparent proxying DNS/UDP"
   }
   ```

2. Allow forwarding to the public IP

   ```nft
   chain forward {
       type filter hook forward priority 1;
       ip saddr == @cluster_prefixes ip daddr { <PublicIP> } tcp dport { 53 } counter accept comment "forwarding DNS/TCP"
       ip saddr == @cluster_prefixes ip daddr { <PublicIP> } udp dport { 53 } counter accept comment "forwarding DNS/UDP"
   }
   ```

3. Exclude the public IP from masquerading

   ```nft
   chain postrouting {
       type nat hook postrouting priority filter;
       oifname "vlan104009" ip saddr <PrivateNet>/22 ip daddr != { <PublicIP> } counter masquerade comment "snat (networkid: internet)"
   }
   ```
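The three snippets above only make sense together, so here they are assembled into one loadable ruleset. This is an added example, not code from the issue or from the firewall-controller project; the table name, the set definition, the `policy drop` with its established/related rule, and all concrete values (`vlan4000` for the private VLAN, `203.0.113.10` for the public IP, `10.0.0.0/22` for the private network) are assumptions standing in for the placeholders in the comment. Only `vlan104009` comes from the issue itself.

```nft
# Added example: the issue's three rules assembled into one ruleset.
# Assumed values (replace with your own):
#   vlan4000      private VLAN interface (the issue's "vlan<Private>")
#   vlan104009    internet-facing interface, taken from the issue's snat rule
#   203.0.113.10  public IP the DNS proxy listens on (documentation range)
#   10.0.0.0/22   private network behind the firewall (the issue's "<PrivateNet>/22")
table ip firewall {
    # Assumed definition of the set the forward rules reference.
    set cluster_prefixes {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/22 }
    }

    # 1. DNAT: DNS arriving on the private VLAN is redirected to the public IP.
    chain prerouting {
        type nat hook prerouting priority filter;
        iifname "vlan4000" tcp dport 53 counter dnat to 203.0.113.10 comment "transparent proxying DNS/TCP"
        iifname "vlan4000" udp dport 53 counter dnat to 203.0.113.10 comment "transparent proxying DNS/UDP"
    }

    # 2. Forward filter: a verdict in the prerouting hook does not carry into the
    #    forward hook, so the rewritten packet still has to be allowed here.
    #    The drop policy and the conntrack rule are assumptions for the example.
    chain forward {
        type filter hook forward priority 1; policy drop;
        ct state established,related counter accept
        ip saddr @cluster_prefixes ip daddr 203.0.113.10 tcp dport 53 counter accept comment "forwarding DNS/TCP"
        ip saddr @cluster_prefixes ip daddr 203.0.113.10 udp dport 53 counter accept comment "forwarding DNS/UDP"
    }

    # 3. SNAT: traffic leaving to the internet is masqueraded, except traffic to the
    #    public IP, so the proxy still sees the original client address.
    chain postrouting {
        type nat hook postrouting priority filter;
        oifname "vlan104009" ip saddr 10.0.0.0/22 ip daddr != 203.0.113.10 counter masquerade comment "snat (networkid: internet)"
    }
}
```

Check the file with `nft -c -f firewall.nft` before loading it with `nft -f firewall.nft`; the `counter` expressions then let `nft list ruleset` show whether each of the three rules is actually being hit, which is the quickest way to confirm that a DNS request from the private VLAN was rewritten, forwarded and left un-masqueraded.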
Gerrit91 commented 3 years ago

Closed by https://github.com/metal-stack/metal-networker/pull/56.