6. Networking


Session states: NEW, ESTABLISHED, RELATED. RELATED covers (1) related DNS queries and (2) protocols for which netfilter needs a protocol-specific helper module, e.g. FTP and VoIP require an extra kernel module.

Specify the module with "-m state --state" or "-m conntrack --ctstate" (the state module is a subset of the conntrack module).

INVALID: out-of-sequence traffic.

Anatomy of a filter

1. Where to apply the filter? (input, output, forward) chain

2. Which traffic to filter? (source and destination match criteria)

3. What action? Chains are grouped into tables according to the action (filter, NAT, mangle, raw, security)

Applicable to both firewalls and network policy

chain v/s action (table)

Action    PreRouting  Input  Output  Forward  PostRouting
raw       Y           N      Y       N        N
mangle    Y           Y      Y       Y        Y
nat       Y           N      Y       N        Y
filter    N           Y      Y       Y        N
security  N           Y      Y       Y        N

Filter table in the input, output and forward chains, with actions ACCEPT, DROP, REJECT
NAT table in PreRouting, Output and PostRouting, with actions SNAT, DNAT, MASQUERADE
Mangle in all chains, for specialized packet alteration
Raw in PreRouting and Output, to configure exceptions from connection tracking. Action: NOTRACK
Security in Input, Output and Forward, with actions SECMARK, CONNSECMARK

Actions: ACCEPT, DROP, REJECT, SNAT, DNAT, MASQUERADE, NOTRACK, SECMARK, CONNSECMARK
Matches: address (L1 | L3), protocol, port, state

Please refer to the iptables-extensions(8) and firewalld.richlanguage(5) man pages for limiting connection rates etc.

netfilter is in the kernel.
User-space tools:
1. iptables

iptables variants
1. iptables
2. ip6tables
3. ebtables

useful command to list rules with packet/byte counters (filter table by default; add -t <table> for another table):
iptables -vnL

on top of iptables
1. fwbuilder (GUI)
2. turtle firewall (GUI)
3. ipmenu (CLI)

Note: direct changes made in the netfilter chains are not visible in the GUI.

2. firewalld service
on top of the firewalld service
1. firewall-config (GUI)
2. firewall-cmd (CLI)

firewalld features
- timed rules
- rich language for specific firewall rules
- NAT support
- firewall zones
- DBUS API

firewalld supports (integrates with)
- NetworkManager
- libvirt
- docker
- fail2ban (intrusion prevention software framework, written in Python)
etc.

Each firewall zone has a "<zone>_direct" chain. firewalld allows inserting rules at the front of this chain.

Netfilter hooks

nftables replaces iptables, ip6tables, arptables and ebtables.
All of them sit on top of netfilter. netfilter has predefined hooks/priorities: raw, mangle, NAT, filter, security.
netfilter hooks exist for different packet families:
ip, ip6, inet, arp, bridge, netdev. netdev handles packets at ingress.

nftables is driven with the 'nft' command. Pass a rules file with 'nft -f <file>'. The nft shell also accepts a file, with 'nft' as the first word on each line of the file.

firewalld can use either backend via FirewallBackend=nftables|iptables in the /etc/firewalld/firewalld.conf file.

nftables configuration file
/etc/nftables.conf (Ubuntu)
/etc/sysconfig/nftables.conf (Fedora) it includes /etc/nftables/*.nft
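The following ruleset is an added example (not from these notes) that maps the "where / which traffic / what action" anatomy above onto nftables: a raw-priority chain for the NOTRACK exception, filter chains on the input and forward hooks using the conntrack states, and an srcnat chain for MASQUERADE. It assumes eth0 is the uplink, eth1 is the LAN, and the host runs a DNS resolver on udp/53 plus SSH.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; interface names and services are assumptions.
flush ruleset

# "Where": the raw priority runs before connection tracking, so this is
# the place for exceptions from conntrack (the NOTRACK action in the notes).
table inet raw {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        udp dport 53 notrack      # do not track queries to the local resolver
    }
}

# "Which traffic" and "what action": filter table on the input, forward and
# output hooks; the actions are accept / drop (reject is the third option).
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept   # replies and helper-opened flows
        ct state invalid drop                 # out-of-sequence packets
        meta l4proto { icmp, icmpv6 } accept
        # untracked DNS packets never match a ct state rule, so accept them explicitly
        udp dport 53 accept
        # rate-limit NEW SSH sessions; anything over the limit falls to policy drop
        tcp dport 22 ct state new limit rate 10/minute accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "eth1" oif "eth0" accept          # LAN may reach the uplink, not vice versa
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}

# NAT table on the postrouting hook: SNAT/MASQUERADE of LAN traffic leaving eth0.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oif "eth0" masquerade
    }
}
```

Load it with 'nft -f <file>' and verify with 'nft list ruleset'; on a host managed by firewalld, express the same rules through firewalld's nftables backend rather than loading a ruleset beside it.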


Calico uses the WorkloadEndpoint resource to configure Calico container and host communication. HostEndpoint

Calico GlobalNetworkPolicy configures connectivity rules that apply to WorkloadEndpoints and HostEndpoints in all namespaces. It takes precedence over Profiles. Profiles were used before Calico NetworkPolicy became functional.

Calico network policy has

* (1) policy ordering/priority, (2) deny rules, and (3) more flexible match rules, compared with default K8s network policy.

* K8s network policy applies only to pods. Calico network policy applies to pods, VMs and host interfaces.

* Together with Istio it supports layer 5-7 match criteria and cryptographic identity.

* Works with all cloud providers.

========

* If neither Ingress nor Egress is specified, the default is Ingress.

* If there is no policy, all traffic is allowed for a pod.

* If there is an Ingress policy, only the listed ingress traffic is allowed.

* If there is an Egress policy, only the listed egress traffic is allowed.

* If there is no policy, all traffic is denied for a node.

Reference: https://docs.projectcalico.org/security/calico-network-policy

WireGuard: VPN

- easy to use

- fewer features

- fast

- works with Calico clusters

Ingress Controller: Envoy Proxy, NGINX, Traefik, Ambassador


We need to add the matching annotation to the "Ingress" resource, e.g.

kubernetes.io/ingress.class: haproxy

kubernetes.io/ingress.class: nginx

We can use https://nip.io/ for DNS names that embed an IP address and resolve to it.

In a local setup without a load balancer, when using NodePort, we have to put the node's high port in the Host header when using curl against the ingress controller. E.g.

 curl http://192.168.49.3 -H 'Host: nginx.192.168.49.3.nip.io:32735'

Service Mesh: Istio (security features: peer authentication, authorization, identity management, zero-trust networking), Linkerd (for security), Contour (VMware), Aspen (old name nginx; F5 purchased nginx and renamed it Aspen)
