opa-iptables: Extension for managing IPTables using policy

OPA-IPTables Extending OPA to manage IPTable rules through policy Urvil
Patel Twitter: @UrvilPatel12 Github : urvil38

The Problems we trying to solve: • How to use
policy to manage(insert/delete) IPTable rules? • How to query the rules which are stored in OPA? • In which format we are going to store IPTable rules into OPA? • Providing precise & easy to use interface(API) for doing all of this things.

Design Goals: • Simple Architecture and Fast • Low overhead
on server [use as few resources(memory,CPU) as possible] • Stateless (mostly) • Clear Design • Provides as much as ﬂexibility as possible

Architecture: • This extension contains HTTP Server which runs on
port “33455”. • It provides following API: • POST /v1/iptables/insert?q= • POST /v1/iptables/delete?q= • GET /v1/iptables/list/{table_name}/{chain_name} • GET /v1/iptables/list/all?verbose= • POST /v1/iptables/json

Example: - We want to log every incoming packets of
server running on port “9090”. iptables -t FILTER -I INPUT -p tcp --dport 9090 -j LOG --log-prefix "opa-iptables" -m comment --comment “log incoming traffic of web server running on port 9090” But, OPA requires to store this IPTable rules in JSON format.

There is an API for converting raw iptables rules to
JSON formatted rule. curl -X POST localhost:33455/v1/iptables/json -d 'iptables -t FILTER -I INPUT -p tcp --dport 9090 -j LOG --log-prefix "opa-iptables" -m comment --comment "log incoming traffic of web server running on port 9090"' { "table": "filter", "chain": "INPUT", "destination_port": "9090", "jump": "LOG", "protocol": "tcp", "tcp_flags": {}, "ctstate": [ "" ], "match": [ "comment" ], "log_prefix": "opa-iptables", "comment": "log incoming traffic of web server running on port 9090" }

How to store rules into OPA? { "metadata":{ "_id":"..", .
. . }, “rules" : [ . . . ] } This extension uses speciﬁc data structure called “RuleSet”. { "metadata": { "_id": "day123", "type":"logging", "owner":"bob", "user":["qa","dev"] }, "rules": [ { "table": "filter", "chain": "INPUT", "destination_port": "9090", "jump": "LOG", "protocol": "tcp", "log_prefix":"opa-iptables", "tcp_flags": {}, "ctstate": [ "" ], "match": [ "comment" ], "comment": "log incoming traffic" } ] }

How insertion/deletion of the rules works? Insertion API: POST /v1/iptables/insert?q=
Content-Type: application/json Request Headers: Body: { “input”: { . . . } } queryPath Object pass to the query

package iptables import iptables.ruleset validate(user, secret) { userauth[user] == secret
} logging_rules = result { validate(input.user, input.secret) set := ruleset[_] set.metadata.user[_] == input.user set.metadata.type == input.type result = set } curl -X POST http://127.0.0.1:33455/v1/iptables/insert?q=iptables/logging_rules -H 'Content-Type: application/json’ -d '{ "input" : { "type" : "logging", "user" : “qa”, "secret" : “secretqa” } }' policy.rego

{ } ruleset.json policy.rego 1 Add RuleSet and policy into
OPA

curl -X POST http://127.0.0.1:33455/v1/iptables/insert?q=iptables/logging_rules -H 'Content-Type: application/json’ -d '{ "input"
: { "type" : "logging", "user" : “qa”, "secret" : “secretqa” } }' 2 Using Insertion API query the RuleSet from OPA

{ "metadata": { "_id": "day123", "type":"logging", "owner":"bob", "user":["qa","dev"] }, "rules":
[ { "table": "filter", "chain": "INPUT", "destination_port": "9090", "jump": "LOG", "protocol": "tcp", "log_prefix":"opa-iptables", "tcp_flags": {}, "ctstate": [ "" ], "match": [ "comment" ], "comment": "log incoming traffic" } ] } 3 OPA performs the query and returns appropriate ruleset according to query

Linux IPTable Module iptables -t FILTER -I INPUT -p tcp
--dport 9090 -j LOG --log-prefix "opa-iptables" -m comment -- comment "log incoming traffic of web server running on port 9090" 4 opa-iptables extracts the iptables JSON formatted rules from the ruleset and converts it into valid iptables rules that we can insert into kernel. { "metadata": { "_id": "day123", "type":"logging", "owner":"bob", "user":["qa","dev"] }, "rules": [ { "table": "filter", "chain": "INPUT", "destination_port": "9090", "jump": "LOG", "protocol": "tcp", "log_prefix":"opa-iptables", "tcp_flags": {}, "ctstate": [ "" ], "match": [ "comment" ], "comment": "log incoming traffic" } ] }

Resources: • Project Repository • Tutorial • Documentation

opa-iptables: Extension for managing IPTables u...

opa-iptables: Extension for managing IPTables using policy

Urvil

More Decks by Urvil

Other Decks in Programming

Featured

Transcript

OPA-IPTables Extending OPA to manage IPTable rules through policy Urvil

The Problems we trying to solve: • How to use

Design Goals: • Simple Architecture and Fast • Low overhead

Architecture: • This extension contains HTTP Server which runs on

Example: - We want to log every incoming packets of

There is an API for converting raw iptables rules to

How to store rules into OPA? { "metadata":{ "_id":"..", .

How insertion/deletion of the rules works? Insertion API: POST /v1/iptables/insert?q=

package iptables import iptables.ruleset validate(user, secret) { userauth[user] == secret

{ } ruleset.json policy.rego 1 Add RuleSet and policy into

curl -X POST http://127.0.0.1:33455/v1/iptables/insert?q=iptables/logging_rules -H 'Content-Type: application/json’ -d '{ "input"

{ "metadata": { "_id": "day123", "type":"logging", "owner":"bob", "user":["qa","dev"] }, "rules":

Linux IPTable Module iptables -t FILTER -I INPUT -p tcp

Resources: • Project Repository • Tutorial • Documentation