// +build rhel6

// rhel6 variants of the iptables rule templates used by the supervisor.
// Several templates that exist in the other build variants are empty here
// (cgroup capture, container, istio, proxy chains); presumably the iptables
// available on RHEL 6 lacks the matches they rely on — confirm against the
// non-rhel6 files before adding rules to this one.

package iptablesctrl

// triremChains creates (-N) the custom chains that every other template in
// this file jumps to. The host / network-service / Trireme chains are only
// created when the template function isLocalServer returns true, so rules
// that jump to them (globalRules) are guarded by the same condition. Each
// line presumably becomes the argument list of one iptables invocation,
// with the -t flag selecting the mangle or nat table — verify with the
// caller that renders this template.
var triremChains = `
{{if isLocalServer}}
-t {{.MangleTable}} -N {{.HostInput}}
-t {{.MangleTable}} -N {{.HostOutput}}
-t {{.MangleTable}} -N {{.NetworkSvcInput}}
-t {{.MangleTable}} -N {{.NetworkSvcOutput}}
-t {{.MangleTable}} -N {{.TriremeInput}}
-t {{.MangleTable}} -N {{.TriremeOutput}}
{{end}}
-t {{.MangleTable}} -N {{.NfqueueOutput}}
-t {{.MangleTable}} -N {{.NfqueueInput}}
-t {{.MangleTable}} -N {{.MangleProxyAppChain}}
-t {{.MangleTable}} -N {{.MainAppChain}}
-t {{.MangleTable}} -N {{.MainNetChain}}
-t {{.MangleTable}} -N {{.MangleProxyNetChain}}
-t {{.NatTable}} -N {{.NatProxyAppChain}}
-t {{.NatTable}} -N {{.NatProxyNetChain}}
`

// globalRules populates the top-level chains created by triremChains.
// Points a reviewer should keep in mind when editing it:
//
//   - NfqueueInput / NfqueueOutput set a packet mark and then hand the packet
//     to userspace with NFQUEUE --queue-bypass. --queue-bypass makes the rule
//     behave like ACCEPT when no userspace program is attached to the queue,
//     i.e. enforcement fails open if the agent is not listening.
//   - Traffic whose source/destination is in ExclusionsSet never enters
//     MainNetChain / MainAppChain (the INPUT and OUTPUT hook rules); the same
//     two hook rules also appear in globalHooks below — presumably only one
//     of the two templates installs them, confirm with the caller.
//   - UDP port 53 is accepted before any other inspection on both sides.
//   - Packets already carrying PacketMarkToSetConnmark are accepted after
//     copying DefaultExternalConnmark onto the connection; later packets of
//     such connections are accepted via the connmark match, except TCP
//     SYN/ACK which is queued to userspace.
//   - The UDP rule uses the string match (--algo bm, up to offset 65535) to
//     steer packets containing UDPSignature to the queue. This only
//     classifies traffic by content; any authentication of that handshake
//     has to happen in userspace.
//   - The "-m mark --mark 0x40" rule for outbound DNS uses a hard-coded mark
//     rather than a template field — presumably the mark set by the DNS
//     proxy path; verify it matches the constant used elsewhere in the
//     package.
//
// At the top level of a text/template "$" and "." refer to the same data, so
// {{$.MangleTable}} and {{.MangleTable}} are interchangeable here.
var globalRules = `

{{$.MangleTable}} {{$.NfqueueInput}} -j MARK --set-mark {{.DefaultInputMark}}
{{$.MangleTable}} {{$.NfqueueInput}} -m mark --mark {{.DefaultInputMark}} -j NFQUEUE --queue-balance {{queueBalance}} --queue-bypass

{{$.MangleTable}} {{$.NfqueueOutput}} -j MARK --set-mark 0
{{$.MangleTable}} {{$.NfqueueOutput}} -m mark --mark 0 -j NFQUEUE --queue-balance {{queueBalance}} --queue-bypass

{{.MangleTable}} INPUT -m set ! --match-set {{.ExclusionsSet}} src -j {{.MainNetChain}}
{{.MangleTable}} {{.MainNetChain}} -p udp --sport 53 -j ACCEPT
{{.MangleTable}} {{.MainNetChain}} -j {{ .MangleProxyNetChain }}

{{/* tcp rules */}}

{{.MangleTable}} {{.MainNetChain}} -p tcp -m mark --mark {{.PacketMarkToSetConnmark}} -j CONNMARK --set-mark {{.DefaultExternalConnmark}}
{{.MangleTable}} {{.MainNetChain}} -p tcp -m mark --mark {{.PacketMarkToSetConnmark}} -j ACCEPT
{{.MangleTable}} {{.MainNetChain}} -m connmark --mark {{.DefaultExternalConnmark}} -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT
{{.MangleTable}} {{$.MainNetChain}} -m set --match-set {{$.TargetTCPNetSet}} src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j {{.NfqueueInput}}

{{/* tcp rules ends */}}

{{/* udp rules */}}

{{.MangleTable}} {{$.MainNetChain}} -p udp -m string --string {{$.UDPSignature}} --algo bm --to 65535 -j {{.NfqueueInput}}
{{.MangleTable}} {{.MainNetChain}} -p udp -m connmark --mark {{.DefaultDropConnmark}} -m comment --comment "Drop UDP ACL" -j DROP
{{.MangleTable}} {{.MainNetChain}} -m connmark --mark {{.DefaultConnmark}} -p udp -j ACCEPT

{{/* udp rules ends */}}

{{if isLocalServer}}
{{.MangleTable}} {{.MainNetChain}} -j {{.TriremeInput}}
{{.MangleTable}} {{.MainNetChain}} -j {{.NetworkSvcInput}}
{{.MangleTable}} {{.MainNetChain}} -j {{.HostInput}}
{{end}}

{{.MangleTable}} OUTPUT -m set ! --match-set {{.ExclusionsSet}} dst -j {{.MainAppChain}}
{{.MangleTable}} {{.MainAppChain}} -p udp --dport 53 -j ACCEPT

{{.MangleTable}} {{.MainAppChain}} -m mark --mark {{.PacketMarkToSetConnmark}} -j CONNMARK --set-mark {{.DefaultExternalConnmark}}
{{.MangleTable}} {{.MainAppChain}} -p tcp -m mark --mark {{.PacketMarkToSetConnmark}} -j ACCEPT

{{.MangleTable}} {{.MainAppChain}} -p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark {{.DefaultExternalConnmark}}

{{.MangleTable}} {{.MainAppChain}} -j {{.MangleProxyAppChain}}
{{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultExternalConnmark}} -j ACCEPT
{{.MangleTable}} {{.MainAppChain}} -p udp -m connmark --mark {{.DefaultDropConnmark}} -m comment --comment "Drop UDP ACL" -j DROP
{{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultConnmark}} -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT
{{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultConnmark}} -p udp -j ACCEPT
{{.MangleTable}} {{.MainAppChain}} -m mark --mark {{.RawSocketMark}} -j ACCEPT
{{$.MangleTable}} {{$.MainAppChain}} -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j {{.NfqueueOutput}}

{{if isLocalServer}}
{{.MangleTable}} {{.MainAppChain}} -j {{.TriremeOutput}}
{{.MangleTable}} {{.MainAppChain}} -j {{.NetworkSvcOutput}}
{{.MangleTable}} {{.MainAppChain}} -j {{.HostOutput}}
{{end}}

{{.MangleTable}} {{.MangleProxyAppChain}} -m mark --mark {{.ProxyMark}} -j ACCEPT
{{.MangleTable}} {{.MangleProxyNetChain}} -m mark --mark {{.ProxyMark}} -j ACCEPT

{{.NatTable}} {{.NatProxyAppChain}} -m mark --mark {{.ProxyMark}} -j ACCEPT
{{.NatTable}} {{.NatProxyNetChain}} -m mark --mark {{.ProxyMark}} -j ACCEPT
`

// cgroupCaptureTemplate is not used for rhel6; it is kept as an empty
// template so the shared rendering code can reference it unconditionally.
var cgroupCaptureTemplate = ``

// containerChainTemplate is not used for rhel6 (empty, see
// cgroupCaptureTemplate).
var containerChainTemplate = ``

// istioChainTemplate is not used for rhel6 (empty, see
// cgroupCaptureTemplate).
var istioChainTemplate = ``

// acls renders the per-policy ACL rules. iptables evaluates rules in order
// and stops at the first terminating target, so the grouping below is the
// effective precedence: all reject rules come before all accept rules, and
// within each the observe-continue, not-observed and observe-apply variants
// are emitted in that order; ReverseRules are appended last. joinRule is a
// template function supplied by the caller (defined outside this file) that
// turns each rule slice into a single iptables argument line.
var acls = `
{{range .RejectObserveContinue}}
{{joinRule .}}
{{end}}

{{range .RejectNotObserved}}
{{joinRule .}}
{{end}}

{{range .RejectObserveApply}}
{{joinRule .}}
{{end}}

{{range .AcceptObserveContinue}}
{{joinRule .}}
{{end}}

{{range .AcceptNotObserved}}
{{joinRule .}}
{{end}}

{{range .AcceptObserveApply}}
{{joinRule .}}
{{end}}

{{range .ReverseRules}}
{{joinRule .}}
{{end}}
`

// preNetworkACLRuleTemplate is installed in the per-PU network chain ahead of
// the ACLs. It queues TCP segments that carry TCP option kind 34 (the TCP
// Fast Open cookie option, RFC 7413) and have none of FIN/RST/URG/PSH set.
// Note that the match does not test the SYN or ACK bits themselves, so the
// "syn and ack packets" comment inside the template should be read as
// "handshake-shaped packets" rather than a strict SYN/ACK flag test.
var preNetworkACLRuleTemplate = `
{{/* matches syn and ack packets */}}
{{$.MangleTable}} {{$.NetChain}} -p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j {{.NfqueueInput}}
`

// packetCaptureTemplate are the rules that trap traffic towards the user space.
// Layout of the application (outbound) side, AppChain:
//
//   - ICMP is queued directly with NFQUEUE. Unlike the marked TCP/UDP rule a
//     few lines below, this rule has no --queue-bypass, so ICMP is dropped
//     rather than accepted when nothing is attached to the queue —
//     presumably deliberate, confirm before changing either rule.
//   - TCP FIN segments to TargetTCPNetSet are accepted; other TCP and UDP
//     packets to the target sets are marked with packetMark and queued with
//     --queue-bypass (fail-open, see globalRules).
//   - ESTABLISHED TCP/UDP is accepted, then the caller-supplied appAnyRules
//     are spliced in via joinRule.
//   - New flows to DefaultIP are logged to NFLOG group 10 with
//     AppNFLOGPrefix; when isAppDrop is true non-NEW packets are logged with
//     the drop prefix as well; finally AppDefaultAction is applied.
//
// The network (inbound) side, NetChain, mirrors this: TCP from
// TargetTCPNetSet with SYN clear is queued, UDP from TargetUDPNetSet is queued
// subject to a limit match of 1000/s (the default burst of the limit match
// applies, since no --limit-burst is given), ESTABLISHED TCP is accepted,
// netAnyRules are spliced in, and new flows from DefaultIP are logged to
// NFLOG group 11 before NetDefaultAction. The NFLOG groups 10/11 are the ones
// a collector has to subscribe to in order to see these events.
var packetCaptureTemplate = `

{{.MangleTable}} {{.AppChain}} -p icmp -j NFQUEUE --queue-balance {{queueBalance}}
{{.MangleTable}} {{.NetChain}} -p icmp -j NFQUEUE --queue-balance {{queueBalance}}

{{$.MangleTable}} {{$.AppChain}} -m set --match-set {{$.TargetTCPNetSet}} dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT
{{$.MangleTable}} {{$.AppChain}} -m set --match-set {{$.TargetTCPNetSet}} dst -p tcp -j MARK --set-mark {{packetMark}}
{{$.MangleTable}} {{$.AppChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} dst -j MARK --set-mark {{packetMark}}
{{$.MangleTable}} {{$.AppChain}} -m mark --mark {{packetMark}} -j NFQUEUE --queue-balance {{queueBalance}} --queue-bypass

{{.MangleTable}} {{.AppChain}} -p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT

{{.MangleTable}} {{.AppChain}} -p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT

{{range appAnyRules}}
{{joinRule .}}
{{end}}

{{.MangleTable}} {{.AppChain}} -d {{.DefaultIP}} -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix {{.AppNFLOGPrefix}}
{{if isAppDrop}}
{{.MangleTable}} {{.AppChain}} -d {{.DefaultIP}} -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix {{.AppNFLOGDropPacketLogPrefix}}
{{end}}
{{.MangleTable}} {{.AppChain}} -d {{.DefaultIP}} -j {{.AppDefaultAction}}

{{.MangleTable}} {{.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN NONE -j {{.NfqueueInput}}
{{.MangleTable}} {{.NetChain}} -p udp -m set --match-set {{.TargetUDPNetSet}} src --match limit --limit 1000/s -j {{.NfqueueInput}}

{{.MangleTable}} {{.NetChain}} -p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT

{{range netAnyRules}}
{{joinRule .}}
{{end}}

{{.MangleTable}} {{.NetChain}} -s {{.DefaultIP}} -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix {{.NetNFLOGPrefix}}
{{if isNetDrop}}
{{.MangleTable}} {{.NetChain}} -s {{.DefaultIP}} -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix {{.NetNFLOGDropPacketLogPrefix}}
{{end}}
{{.MangleTable}} {{.NetChain}} -s {{.DefaultIP}} -j {{.NetDefaultAction}}
`

// proxyDNSChainTemplate is not used for rhel6 (empty, see
// cgroupCaptureTemplate). DNS proxying on rhel6 is handled inside
// legacyProxyRules instead.
var proxyDNSChainTemplate = ``

// proxyChainTemplate is not used for rhel6 (empty, see
// cgroupCaptureTemplate). The proxy rules for rhel6 live in
// legacyProxyRules.
var proxyChainTemplate = ``

// globalHooks attaches the Trireme chains to the built-in chains: mangle
// INPUT/OUTPUT jump to MainNetChain/MainAppChain for everything not in
// ExclusionsSet, and nat PREROUTING (locally addressed TCP only) / OUTPUT
// jump to the proxy NAT chains. The two mangle hook rules are identical to
// the INPUT/OUTPUT rules inside globalRules; presumably the caller installs
// one or the other, confirm so the hooks are not duplicated.
var globalHooks = `
{{.MangleTable}} INPUT -m set ! --match-set {{.ExclusionsSet}} src -j {{.MainNetChain}}
{{.MangleTable}} OUTPUT -m set ! --match-set {{.ExclusionsSet}} dst -j {{.MainAppChain}}
{{.NatTable}} PREROUTING -p tcp -m addrtype --dst-type LOCAL -m set ! --match-set {{.ExclusionsSet}} src -j {{.NatProxyNetChain}}
{{.NatTable}} OUTPUT -m set ! --match-set {{.ExclusionsSet}} dst -j {{.NatProxyAppChain}}
`

// legacyProxyRules is the rhel6 transparent-proxy rule set. In the mangle
// proxy chains it accepts traffic to/from ProxyPort (and DNSProxyPort when
// enableDNSProxy is true), traffic involving SrvIPSet, and traffic to
// DestIPSet that does not already carry ProxyMark. In the nat chains it
// REDIRECTs unmarked TCP to DestIPSet — restricted to the source ports in
// TCPPorts when isCgroupSet is true, otherwise all ports — to ProxyPort,
// redirects unmarked UDP port 53 to DNSProxyPort when enableDNSProxy is true,
// and redirects unmarked TCP to SrvIPSet arriving on the net side to
// ProxyPort. ProxyMark is what stops already-proxied traffic from being
// redirected a second time, so every REDIRECT rule must keep its
// "-m mark ! --mark {{.ProxyMark}}" clause. Note the raw string ends
// immediately after the last rule with no trailing newline, unlike the other
// templates; presumably the renderer does not need one, verify if it is ever
// concatenated with another template.
var legacyProxyRules = `
{{.MangleTable}} {{.MangleProxyAppChain}} -p tcp -m tcp --sport {{.ProxyPort}} -j ACCEPT
{{if enableDNSProxy}}
{{.MangleTable}} {{.MangleProxyAppChain}} -p udp -m udp --sport {{.DNSProxyPort}} -j ACCEPT
{{end}}
{{.MangleTable}} {{.MangleProxyAppChain}} -p tcp -m set --match-set {{.SrvIPSet}} src -j ACCEPT
{{.MangleTable}} {{.MangleProxyAppChain}} -p tcp -m set --match-set {{.DestIPSet}} dst,dst -m mark ! --mark {{.ProxyMark}} -j ACCEPT

{{.MangleTable}} {{.MangleProxyNetChain}} -p tcp -m set --match-set {{.DestIPSet}} src,src -j ACCEPT
{{.MangleTable}} {{.MangleProxyNetChain}} -p tcp -m set --match-set {{.SrvIPSet}} src -m addrtype --src-type LOCAL -j ACCEPT
{{.MangleTable}} {{.MangleProxyNetChain}} -p tcp -m tcp --dport {{.ProxyPort}} -j ACCEPT
{{if enableDNSProxy}}
{{.MangleTable}} {{.MangleProxyNetChain}} -p udp -m udp --dport {{.DNSProxyPort}} -j ACCEPT
{{end}}

{{if isCgroupSet}}
{{.NatTable}} {{.NatProxyAppChain}} -p tcp -m set --match-set {{.DestIPSet}} dst,dst -m mark ! --mark {{.ProxyMark}} -m multiport --source-ports {{.TCPPorts}} -j REDIRECT --to-ports {{.ProxyPort}}
{{else}}
{{.NatTable}} {{.NatProxyAppChain}} -p tcp -m set --match-set {{.DestIPSet}} dst,dst -m mark ! --mark {{.ProxyMark}} -j REDIRECT --to-ports {{.ProxyPort}}
{{end}}

{{if enableDNSProxy}}
{{.NatTable}} {{.NatProxyAppChain}} -p udp --dport 53 -m mark ! --mark {{.ProxyMark}} -j REDIRECT --to-ports {{.DNSProxyPort}}
{{end}}

{{.NatTable}} {{.NatProxyNetChain}} -p tcp -m set --match-set {{.SrvIPSet}} dst -m mark ! --mark {{.ProxyMark}} -j REDIRECT --to-ports {{.ProxyPort}}`