Envoy original dst cluster with DNS and RBAC
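# Envoy bootstrap: per-user transparent egress proxy with a local DNS table and
# a destination-IP allow-list.
#
#   listener_2  UDP 127.0.0.1:5353  dns_filter answers a static table for the
#                                   listed suffixes and forwards everything else
#                                   to 8.8.8.8 / 8.8.4.4.
#   listener_0  TCP 0.0.0.0:10000   original_dst recovers the pre-REDIRECT
#                                   destination, the RBAC network filter
#                                   allow-lists that destination, and tcp_proxy
#                                   forwards to it via the ORIGINAL_DST cluster.
#
# Corresponding iptables rules (kept as a separate script; reproduced here for
# reference):
#
#   #!/bin/bash
#   sudo iptables -t nat -F
#   sudo iptables --table nat --new-chain INTERNAL_TRAFFIC
#   # don't forward root traffic and envoyuser traffic
#   # (presumably so Envoy's own upstream connections, made as envoyuser, are
#   # not redirected back into listener_0 — confirm against the deployment)
#   sudo iptables --table nat --append INTERNAL_TRAFFIC -m owner --uid-owner root -j RETURN
#   sudo iptables --table nat --append INTERNAL_TRAFFIC -m owner --uid-owner envoyuser -j RETURN
#   # trap ubuntu user traffic
#   sudo iptables --table nat --append INTERNAL_TRAFFIC -m owner --uid-owner ubuntu --protocol udp --dport 53 --jump DNAT --to-destination 127.0.0.1:5353
#   sudo iptables --table nat --append INTERNAL_TRAFFIC --protocol tcp -m owner --uid-owner ubuntu --dport 443 --jump REDIRECT --to-port 10000
#   sudo iptables --table nat --append INTERNAL_TRAFFIC --protocol tcp -m owner --uid-owner ubuntu --dport 80 --jump REDIRECT --to-port 10000
#   sudo iptables --table nat --append OUTPUT -j INTERNAL_TRAFFIC
#
# NOTE(review): only uid `ubuntu`, and only tcp/80, tcp/443 and udp/53, are
# redirected. Every other local user and every other port reaches the network
# directly and is never subject to the RBAC allow-list below; the allow-list is
# exactly as strong as these iptables rules.

admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      protocol: TCP
      # Admin API bound to loopback only; it exposes config dump and stats, so
      # keep it off non-local interfaces.
      address: 127.0.0.1
      port_value: 9901

static_resources:
  listeners:
  # --- DNS: answers the iptables-DNAT'd udp/53 traffic from the ubuntu user ---
  - name: listener_2
    address:
      socket_address:
        protocol: UDP
        address: 127.0.0.1
        port_value: 5353
    reuse_port: true
    # listener_filters is a repeated field; the entry must be a list item.
    listener_filters:
    - name: envoy.filters.udp.dns_filter
      typed_config:
        "@type": "type.googleapis.com/envoy.extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig"
        stat_prefix: "dns_filter_prefix"
        client_config:
          # Names not served from inline_dns_table are forwarded to these
          # external resolvers (Google public DNS, plaintext udp/53).
          resolver_timeout: 5s
          upstream_resolvers:
          - socket_address:
              address: "8.8.8.8"
              port_value: 53
          - socket_address:
              address: "8.8.4.4"
              port_value: 53
          max_pending_lookups: 5
        server_config:
          inline_dns_table:
            external_retry_count: 0
            known_suffixes:
            - suffix: "example.org"
            - suffix: "example.com"
            - suffix: "lyft.com"
            - suffix: "tacos.com"
            - suffix: "yahoo.com"
            - suffix: "google.com"
            # Static answers. Only 93.184.216.34 and 172.217.4.36 are also in the
            # RBAC allow-list on listener_0; connections to www.yahoo.com
            # (74.6.231.20) and www.lyft.com (1.1.1.2) resolve here but are then
            # denied by RBAC — presumably a deliberate negative test, confirm.
            virtual_domains:
            - name: "www.example.org"
              endpoint:
                address_list:
                  address:
                  - 93.184.216.34
            - name: "www.example.com"
              endpoint:
                address_list:
                  address:
                  - 93.184.216.34
            - name: "www.yahoo.com"
              endpoint:
                address_list:
                  address:
                  - 74.6.231.20
            - name: "www.lyft.com"
              endpoint:
                address_list:
                  address:
                  - 1.1.1.2
            - name: "www.google.com"
              endpoint:
                address_list:
                  address:
                  - 172.217.4.36

  # --- TCP: receives the iptables-REDIRECTed tcp/80 and tcp/443 traffic ---
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        # NOTE(review): 0.0.0.0 makes port 10000 reachable from other hosts.
        # The captured RBAC log line below shows localAddress 127.0.0.1:10000,
        # which is what OUTPUT-chain REDIRECT produces for locally generated
        # packets, so 127.0.0.1 would suffice unless PREROUTING redirects from
        # other hosts are also intended — confirm before narrowing.
        address: 0.0.0.0
        port_value: 10000
    listener_filters:
    # Recovers the destination the client actually dialled (SO_ORIGINAL_DST)
    # so RBAC and the ORIGINAL_DST cluster see the real target, not 10000.
    - name: envoy.filters.listener.original_dst
      typed_config:
        # Explicit type instead of an empty Any: an empty typed_config relies on
        # name-based filter lookup, which Envoy has deprecated.
        "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
    filter_chains:
    - filters:
      # Egress allow-list. Because tcp_proxy forwards to whatever original
      # destination the kernel reports, these /32 entries are the complete set
      # of IPs the redirected user can reach; action ALLOW denies everything
      # else. principals `any` does no source check, which is acceptable only
      # because iptables already selects which uid is redirected here.
      - name: envoy.filters.network.rbac
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
          stat_prefix: rbac_rules
          rules:
            action: ALLOW
            policies:
              "allow-rules":
                permissions:
                # Captured debug log line for one evaluated connection (kept for reference):
                # checking connection: requestedServerName: , sourceIP: 10.0.0.232:38802, directRemoteIP: 10.0.0.232:38802,remoteIP: 10.0.0.232:38802, localAddress: 127.0.0.1:10000, ssl: none, dynamicMetadata:
                - or_rules:
                    rules:
                    - destination_ip:
                        address_prefix: 93.184.216.34
                        prefix_len: 32
                    - destination_ip:
                        address_prefix: 143.204.0.169
                        prefix_len: 32
                    - destination_ip:
                        address_prefix: 172.217.4.36
                        prefix_len: 32
                # principals is a repeated field; the entry must be a list item.
                principals:
                - any: true
      # Canonical filter name; the "@type" below is what selects the filter.
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp
          cluster: original_dst_cluster

  clusters:
  - name: original_dst_cluster
    # The original mapping declared connect_timeout twice (5s, then 2s); a
    # duplicate key is either a parse error or last-wins depending on the
    # loader. Kept the later value — confirm the intended timeout.
    connect_timeout: 2s
    lb_policy: CLUSTER_PROVIDED
    type: ORIGINAL_DST
    # An ORIGINAL_DST cluster connects to the recovered destination IP and does
    # no DNS resolution of its own, so this setting should have no effect here;
    # retained to keep the config unchanged apart from the fixes above.
    dns_lookup_family: V4_ONLY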