Forum Discussion
redheadontherun
Nimbostratus
NimbostratusBlock Source IP using a blocklist hosted on a webserver
Currently we utilize a web server to host a blocklist that some of our other security devices use to block IP addresses. It allows us to maintain 1 list for all devices. Can the F5 ASM or LTM utilize...
Yann_Desmarest_
Nacreous
NacreousHi,
this list can be uploaded as an ifile. You can also do a lookup using sideband connections in irules
Yann_Desmarest_Nacreous
NacreousHere a small Proof of Concept.
when HTTP_REQUEST {
set file [ifile get domains]
log local0. "$file"
set domain "amazon.co.uk.security-check.ga"
if { [string match "*$domain*" $file] } {
log local0. "succeeded"
HTTP::respond 200 content "ok"
} else {
log local0. "failed"
}
}
Note : should test performance impact, memory consumption and stuff like that before switching something in production
- nitass
Employee
first of all, i'm not an expert but just wann help if i can. :-)
what is nodes' default gateway? is it bigip?
if so, would u mind trying to remove snat under virtual config?
the other way is to use x-forwarded-for http header.
sol4816: Using the X-Forwarded-For HTTP header to preserve the original client IP address for traffic translated by a SNAT
http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html
cheer! 
al_kabeer_2905hi and thx for reply,
nodes are the physical machine (server) there are two nodes (phyiscal machine) in diagram 192.168.1.2 and 192.168.1.1, it is not gateway or bigip
i have configured the virtual server (192.168.1.3) SNAT Pool to "automap", should i return to "none", i am new to bigip can you please tell me more about snat what it do ?
is it oridnary NAT ?
Big thanksssssssssssssssssss even if u r not expert :):)
HamishCirrocumulus
SNAT is literally Source-NAT. Basically its telling the VS to act as a proxy... So the backend (Poolmembers) see the IP connection coming from one of the BigIP's addresses (Automap will use the floating self-ip of the interface that routes to the poolmembers).
To have the client IP preserved, disable SNAT, enable NAT (The F5 then NAT's the proxied connection back to the address and port of the client). The poolmembers then need to use the F5 (SelfIP) as the default gateway back to the client.
H- al_kabeer_2905when i put the snat none, the virtual server is not working
how to enable nat ? - HamishAbout 5 items below the SNAT option when configuring the Virtual Server. There's separate options for 'Address Translation' and 'Port Translation'. Select both. Then make sure the default gateway back to the client IP is via the F5 floating self-ip address that directly connects to the poolmembers. (I suspect that's already done, unless you were running the poolmembers in a kind of n-path configuration)
I think it's more likely that the only thing wrong is your poolmembers are routing back direct to the client via a separate router, since it looks like you're running the F5 single armed (Sorry, can't see your picture, so no network diagram to verify)...
H - nitass
when i put the snat none, the virtual server is not working
nodes are using bigip as their default gateway?
what is client ip address? it isn't in virtual subnet (192.168.1.0), is it? - al_kabeer_2905hi, in the attachment there is full diagram of what i am discussing
hoolioCirrostratus
As Nitass and Hamish have suggested, if you have the default gateway on 192.168.1.1 and 192.168.1.2 set to the LTM self IP on the 192.168.1.0/24 subnet, you can set SNAT on the virtual server to none and the servers will see the original client IP address. As Hamish said, make sure to leave (destination) address and (destination) port translation enable on the virtual server properties.
Aaron- al_kabeer_2905thanks Boss for yr reply i will try it and give my feedback
- al_kabeer_2905i have tried it i cant remote desktop or access http servers now , since i change the default gateway to ip of Bigip not coreswitch
any suggestion ?
![\"F5](\"https://www.f5.com/content/dam/f5/f5-logo.svg\"){kind=logo}
