tickets #152863

Refactor outbound ACLs for IPv4 destinations

Added by crameleon over 1 year ago. Updated 30 days ago.

Status: New
Priority: Normal
Assignee: -
Category: Network
Target version: -
Start date: 2023-12-21
Due date:
% Done: 0%
Estimated time:

Description

Currently we filter outbound traffic towards servers on the internet which are only reachable via IPv4 on the IPv4 level, by whitelisting the machines' "pseudo IPv4" (i.e. mapped/NAT64) addresses. This requires us to assign static IPv4 addresses using the "pseudo_ip4" attribute in our infra/hosts.yaml file, in order not to rely on dynamic addresses (TAYGA reserves dynamic addresses for about two weeks). This could be avoided, and the "pseudo_ip4" lines for the affected hosts dropped, if we instead filter on the IPv6 level (the same way we already do for IPv6 destinations on the internet). It will make configuration of new hosts easier and the NAT setup less confusing.

Current configuration (GitHub as an example, but other destinations which currently have an acl4_internet_* set work the same way):

## /etc/nftables.d/base_inet/sets.nft:
# Pseudo-v4 hosts allowed to reach GitHub
set acl4_internet_github_web {
  type ipv4_addr
  flags interval
  elements = {
   $host4_narwal5,
   $host4_dale,
   ... # various others
  }
}

## /etc/nftables.d/zones/05_nat64.nft:
  # Github API map (api.github.com)
  oifname os-p2p-pub ip saddr @acl4_internet_github_api ip daddr @cloud4_github_api tcp dport https accept

## /etc/nftables.d/zones/1203_os-internal.nft:
  # * -> GitHub (HTTP/HTTPS/SSH) (further restricted using client whitelisting through @acl4_internet_github)
  oifname nat64 ip6 daddr @cloud46_github_web icmpv6 type { echo-request, echo-reply } accept
  oifname nat64 ip6 daddr @cloud46_github_web tcp dport { http, https, ssh } accept #log prefix "[GitHub v6 IN] " accept

Proposed configuration:

IPv6 host addresses instead of IPv4 ones

set acl6_internet_github_web {
  type ipv6_addr
  flags interval
  elements = {
   $host6_narwal5,
   $host6_dale,
   ... # various others
  }
}

Allow all NAT64 sources to reach the IPv4 destination

oifname os-p2p-pub ip daddr @cloud4_github_api tcp dport https accept

Apply the ACL on the IPv6 sources

oifname nat64 ip6 saddr @acl6_internet_github_web ip6 daddr @cloud46_github_web icmpv6 type { echo-request, echo-reply } accept
oifname nat64 ip6 saddr @acl6_internet_github_web ip6 daddr @cloud46_github_web tcp dport { http, https, ssh } accept #log prefix "[GitHub v6 IN] " accept

Additionally the IPv6 rule could be moved from the 1203_os-internal.conf to forward.conf in order to make things simpler by having one ACL which works for all zones.

To do this, the new ACL set needs to be created and then the rules need to be switched over. Afterwards, the pseudo_ip4 entries of the listed hosts can be removed, as long as the host does not need to be reachable from Provo/Nuremberg.
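As an added illustration (not part of this ticket or of the infra repository), the following Python models the difference between the current pseudo-IPv4 source match and the proposed IPv6 source match. It assumes the RFC 6052 well-known NAT64 prefix 64:ff9b::/96 (the ticket does not state TAYGA's prefix) and uses constructed host and GitHub addresses in place of infra/hosts.yaml and the cloud4_github_* set.

```python
import ipaddress

# Assumed NAT64 prefix (RFC 6052 well-known prefix); the ticket does not state TAYGA's.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed stand-in for infra/hosts.yaml and the cloud4_github_* set.
HOSTS = {
    "narwal5": {"host6": "2001:db8:1::5", "pseudo_ip4": "192.0.2.5"},
    "dale":    {"host6": "2001:db8:1::6", "pseudo_ip4": "192.0.2.6"},
    "newhost": {"host6": "2001:db8:1::7"},                # no static pseudo_ip4
    "mirror":  {"host6": "2001:db8:1::8", "pseudo_ip4": "192.0.2.8"},
}
GITHUB_ALLOWED = ["narwal5", "dale", "newhost"]            # members of acl*_internet_github_web
CLOUD4_GITHUB = ipaddress.IPv4Network("198.51.100.0/24")  # constructed GitHub range


def nat64_map(ip4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the NAT64 prefix (what DNS64/TAYGA do for destinations)."""
    return ipaddress.IPv6Address(
        int(NAT64_PREFIX.network_address) + int(ipaddress.IPv4Address(ip4)))


def nat64_unmap(ip6: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Recover the IPv4 destination from a NAT64-mapped IPv6 address."""
    return ipaddress.IPv4Address(int(ip6) - int(NAT64_PREFIX.network_address))


def current_rule_allows(host: str, dst4: str, tayga_dynamic_ip4=None) -> bool:
    """Current: 05_nat64.nft matches 'ip saddr @acl4_internet_github_api'.

    The source is the pseudo-IPv4 address TAYGA assigned to the host. A host without
    a static pseudo_ip4 presents whatever dynamic address TAYGA currently holds for
    it, which is not in the set, so the accept rule does not match."""
    acl4 = {HOSTS[h]["pseudo_ip4"] for h in GITHUB_ALLOWED if "pseudo_ip4" in HOSTS[h]}
    saddr4 = HOSTS[host].get("pseudo_ip4", tayga_dynamic_ip4)
    return saddr4 in acl4 and ipaddress.IPv4Address(dst4) in CLOUD4_GITHUB


def proposed_rule_allows(host: str, dst4: str) -> bool:
    """Proposed: the IPv6-side rule matches 'ip6 saddr @acl6_internet_github_web
    ip6 daddr @cloud46_github_web'; the nat64 zone then accepts any NAT64 source."""
    acl6 = {ipaddress.IPv6Address(HOSTS[h]["host6"]) for h in GITHUB_ALLOWED}
    saddr6 = ipaddress.IPv6Address(HOSTS[host]["host6"])
    daddr6 = nat64_map(dst4)       # the mapped address the host actually connects to
    in_cloud46 = daddr6 in NAT64_PREFIX and nat64_unmap(daddr6) in CLOUD4_GITHUB
    return saddr6 in acl6 and in_cloud46
```

The host "newhost" has no static pseudo_ip4 and is only allowed under the proposed rule, which is the case the refactor is meant to cover.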