Forum Discussion
wtwagon_99154
Nimbostratus
Mar 10, 2010
Destination Based SNAT / NO SNAT
I wanted to see if it was possible to create an iRule that I could apply to an IP forwarding VIP to remove a SNAT.
Example:
Say Network 172.16.0.0/24 wants to talk to 10....
hoolio
Cirrostratus
Mar 11, 2010
Hi,
That's a good start. If traffic hits this VIP and doesn't match the allowed client IPs class and/or destination port class, what do you want to do with the traffic? Traffic which hits this VIP wouldn't default to using the default SNAT, so you'd want to handle those cases explicitly in the iRule. Here is a cleaned up example with more accurate names:
Also note that if you're on 9.4.4+ you should remove the $:: prefix from the class names in the iRule.
class allowed_clients_class {
   network 172.16.0.0/24
}
class allowed_destination_ports {
   22
   80
   110
}

when CLIENT_ACCEPTED {
   # Check if client IP is allowed
   if { [matchclass [IP::client_addr] equals $::allowed_clients_class] } {
      # Check if the requested port is allowed
      if { [matchclass [TCP::local_port] equals $::allowed_destination_ports] } {
         # Disable SNAT for this connection
         snat none
      } else {
         # Take some action for disallowed destination ports?
         drop
      }
   } else {
      # Take some action for disallowed client IPs?
      drop
   }
}
Aaron
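The question title asks for a destination based decision, and Aaron's point is that a forwarding VIP does not fall back to the default SNAT on its own, so every path through the iRule should set SNAT behaviour explicitly. The iRule below is an added example, not Aaron's code and not F5 documentation; it goes beyond the thread by also matching the destination network, by keeping SNAT (automap) for flows that do not qualify instead of silently dropping them, and by logging each decision so the SNAT exemption can be audited. It uses the v10+ `class match` syntax without the `$::` prefix, and the data group names allowed_clients_class, no_snat_destinations and allowed_destination_ports are assumed to exist (example tmsh definitions are given in the comments).

```tcl
# Added example (not from the thread). Assumed data groups, v11 tmsh form:
#   ltm data-group internal allowed_clients_class {
#       records { 172.16.0.0/24 { } } type ip }
#   ltm data-group internal no_snat_destinations {
#       records { 10.0.0.0/8 { } } type ip }
#   ltm data-group internal allowed_destination_ports {
#       records { 22 { } 80 { } 110 { } } type integer }

when CLIENT_ACCEPTED {
   # Source check: only the listed client networks may bypass SNAT.
   # Anything else keeps SNAT explicitly, since a forwarding VIP has no
   # implicit default.
   if { ![class match [IP::client_addr] equals allowed_clients_class] } {
      log local0. "SNAT kept: client [IP::client_addr] not in allowed_clients_class"
      snat automap
      return
   }

   # Destination check: the SNAT exemption is scoped to specific
   # destination networks, which is the destination based part of the question.
   if { ![class match [IP::local_addr] equals no_snat_destinations] } {
      log local0. "SNAT kept: destination [IP::local_addr] not in no_snat_destinations"
      snat automap
      return
   }

   # Port check: source and destination both qualify, so allow only the
   # listed services without SNAT and reject anything else so the client
   # sees an immediate failure rather than a silent timeout.
   if { [class match [TCP::local_port] equals allowed_destination_ports] } {
      log local0. "SNAT disabled: [IP::client_addr] -> [IP::local_addr]:[TCP::local_port]"
      snat none
   } else {
      log local0. "Rejected: [IP::client_addr] -> [IP::local_addr]:[TCP::local_port] not an allowed port"
      reject
   }
}
```

Because the exemption is only granted when all three checks pass, adding a network to no_snat_destinations or a port to allowed_destination_ports widens the exemption in one place, and the `log local0.` lines give /var/log/ltm a record of which flows crossed without address translation.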