Envoy original dst cluster with DNS and RBAC
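# Envoy egress proxy for one local user. A UDP DNS filter on 127.0.0.1:5353
# answers a fixed set of names from an inline table and forwards other lookups
# to the upstream resolvers listed below; a TCP listener on port 10000 recovers
# the original destination of redirected connections, allow-lists it by
# destination IP (network RBAC) and proxies it through an ORIGINAL_DST cluster.
#
# Corresponding iptables rules. Traffic of uid "ubuntu" is redirected into the
# two listeners; root and envoyuser are exempted (presumably so that Envoy's
# own upstream connections are not redirected back into it — confirm):
##!/bin/bash
#sudo iptables -t nat -F
#sudo iptables --table nat --new-chain INTERNAL_TRAFFIC
## don't forward root traffic and envoyuser traffic
#sudo iptables --table nat --append INTERNAL_TRAFFIC -m owner --uid-owner root -j RETURN
#sudo iptables --table nat --append INTERNAL_TRAFFIC -m owner --uid-owner envoyuser -j RETURN
## trap ubuntu user traffic
#sudo iptables --table nat --append INTERNAL_TRAFFIC -m owner --uid-owner ubuntu --protocol udp --dport 53 --jump DNAT --to-destination 127.0.0.1:5353
#sudo iptables --table nat --append INTERNAL_TRAFFIC --protocol tcp -m owner --uid-owner ubuntu --dport 443 --jump REDIRECT --to-port 10000
#sudo iptables --table nat --append INTERNAL_TRAFFIC --protocol tcp -m owner --uid-owner ubuntu --dport 80 --jump REDIRECT --to-port 10000
#sudo iptables --table nat --append OUTPUT -j INTERNAL_TRAFFIC

admin:
  # Envoy's admin endpoint carries no authentication of its own; it is bound to
  # loopback here and should stay that way.
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 9901

static_resources:
  listeners:
    # DNS listener: the iptables DNAT above delivers the user's UDP/53 here.
    - name: listener_2
      address:
        socket_address:
          protocol: UDP
          address: 127.0.0.1
          port_value: 5353
      # Older field spelling; newer Envoy releases expose enable_reuse_port —
      # TODO confirm against the running version.
      reuse_port: true
      # listener_filters is a repeated field. The original gave a bare
      # mapping here instead of a list entry; fixed to a one-element list.
      listener_filters:
        - name: envoy.filters.udp.dns_filter
          typed_config:
            "@type": "type.googleapis.com/envoy.extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig"
            stat_prefix: "dns_filter_prefix"
            # Lookups not answered from inline_dns_table are forwarded to these
            # public resolvers over plain UDP/53.
            client_config:
              resolver_timeout: 5s
              upstream_resolvers:
                - socket_address:
                    address: "8.8.8.8"
                    port_value: 53
                - socket_address:
                    address: "8.8.4.4"
                    port_value: 53
              max_pending_lookups: 5
            server_config:
              inline_dns_table:
                external_retry_count: 0
                known_suffixes:
                  - suffix: "example.org"
                  - suffix: "example.com"
                  - suffix: "lyft.com"
                  - suffix: "tacos.com"
                  - suffix: "yahoo.com"
                  - suffix: "google.com"
                # Static answers. Only 93.184.216.34 and 172.217.4.36 also
                # appear in the RBAC allow-list of listener_0 below; TCP
                # connections to the other answers (74.6.231.20, 1.1.1.2) are
                # denied by that filter.
                virtual_domains:
                  - name: "www.example.org"
                    endpoint:
                      address_list:
                        address:
                          - 93.184.216.34
                  - name: "www.example.com"
                    endpoint:
                      address_list:
                        address:
                          - 93.184.216.34
                  - name: "www.yahoo.com"
                    endpoint:
                      address_list:
                        address:
                          - 74.6.231.20
                  - name: "www.lyft.com"
                    endpoint:
                      address_list:
                        address:
                          - 1.1.1.2
                  - name: "www.google.com"
                    endpoint:
                      address_list:
                        address:
                          - 172.217.4.36

    # Egress listener: the iptables REDIRECT above delivers the user's TCP
    # 80/443 here. It is bound to 0.0.0.0 although the OUTPUT-chain REDIRECT
    # only produces loopback traffic; 127.0.0.1 would be the tighter binding
    # if no remote clients are expected — confirm before changing.
    - name: listener_0
      address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 10000
      listener_filters:
        # Recovers the pre-REDIRECT destination so RBAC can match on it and the
        # ORIGINAL_DST cluster can connect to it. The original left typed_config
        # as {} with no @type; the filter's own config type is given explicitly.
        - name: envoy.filters.listener.original_dst
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
      filter_chains:
        - filters:
            # Allow-list keyed solely on the restored destination IP (any
            # principal). Connections to other destinations are closed before
            # tcp_proxy sees them.
            - name: envoy.filters.network.rbac
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
                stat_prefix: rbac_rules
                rules:
                  action: ALLOW
                  policies:
                    "allow-rules":
                      permissions:
                        # Sample of the connection attributes RBAC evaluates,
                        # taken from Envoy's debug log:
                        # checking connection: requestedServerName: , sourceIP: 10.0.0.232:38802, directRemoteIP: 10.0.0.232:38802,remoteIP: 10.0.0.232:38802, localAddress: 127.0.0.1:10000, ssl: none, dynamicMetadata:
                        - or_rules:
                            rules:
                              - destination_ip:
                                  address_prefix: 93.184.216.34
                                  prefix_len: 32
                              # Not one of the addresses in inline_dns_table
                              # above; reachable only via a name the upstream
                              # resolvers answer with this IP, or a raw IP.
                              - destination_ip:
                                  address_prefix: 143.204.0.169
                                  prefix_len: 32
                              - destination_ip:
                                  address_prefix: 172.217.4.36
                                  prefix_len: 32
                      # principals is a repeated field; the original wrote a
                      # bare `any: true` mapping, fixed to a list entry.
                      principals:
                        - any: true
            - name: envoy.tcp_proxy
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                stat_prefix: tcp
                cluster: original_dst_cluster

  clusters:
    - name: original_dst_cluster
      # The original listed connect_timeout twice (5s, then 2s). A last-wins
      # parser used 2s, so that value is kept and the duplicate key dropped.
      connect_timeout: 2s
      lb_policy: CLUSTER_PROVIDED
      type: ORIGINAL_DST
      dns_lookup_family: V4_ONLY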