GTM / DNS Restrict source ports from GTM when LB DNS to Microsoft servers
Due to security restrictions, I need to have GTM use source ports 49152-65535 from the self-IP it uses to LB DNS traffic to the DNS servers. I've attempted to force avoidance of certain ports with iRules, but it doesn't appear to be working fully. Here are the iRules I've tried - I'm looking for a better solution. Is there any way to restrict GTM source port ranges?
when SERVER_CONNECTED {
    if { [class match [UDP::local_port] equals hbss-port-exception] } {
        log local0. "HBSS EXCEPTION LOG: [IP::server_addr]:[UDP::local_port] - GTM dropping UDP"
        UDP::drop
    }
}
when SERVER_CONNECTED {
    if { [class match [TCP::local_port] equals hbss-port-exception] } {
        log local0. "HBSS EXCEPTION LOG: [IP::server_addr]:[TCP::local_port] - GTM dropping"
        TCP::close
    }
}
- Steve_Lyons_236Historic F5 Account
I have tested the following iRule and it seems to accomplish what you are looking for. Let me know if this works.
when RULE_INIT {
    # On the line below, select which IPs are to be part of the SNAT list
    set static::ip_list [list 10.1.20.254]
}
when CLIENT_ACCEPTED {
    set random_snat_ip [lindex $static::ip_list [expr {int(rand()*[llength $static::ip_list])}]]
    # On the line below, replace "demo_dns_pool" with the correct pool name where traffic will be load balanced to
    set available_pool_member [active_members -list demo_dns_pool]
    set random_pool_member [lindex [lindex $available_pool_member [expr {int(rand()*[llength $available_pool_member])}]] 0]
    # On the line below, replace "53" with the pool members' listening port. Values of 50000, 49152 and 65535 represent "hint port", minimum port and maximum port, respectively.
    set random_port [UDP::unused_port $random_pool_member 53 $random_snat_ip 50000 49152 65535]
    snat $random_snat_ip $random_port
    pool demo_dns_pool member $random_pool_member
}
- eric_haupt1Nimbostratus
It doesn't appear to be randomizing the port. I'm using it in this fashion since I do not require pool member randomization or self-IP randomization. Logs show that only the hint port is used and in TCPdump and in stats monitoring for the listener I see flow stats drop to "1" while this is in place.
when LB_SELECTED {
    set gtm_random_port [UDP::unused_port [IP::remote_addr] [UDP::remote_port] [IP::local_addr] 50000 49152 65535]
    snat [IP::local_addr] $gtm_random_port
    log local0. "[IP::local_addr]:$gtm_random_port"
}
- Steve_Lyons_236Historic F5 Account
This iRule was tested on both 14.1 and 13.1.1.2 virtual appliances with a GTM only license though both GTM and LTM were provisioned.
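Added example (Python, not from the thread or from F5): a small checker for the verification eric_haupt1 describes, parsing constructed tcpdump-style lines to confirm that the self-IP's DNS queries use only source ports 49152-65535 and that the port actually varies instead of sticking to the hint port. The self-IP 10.1.20.254 and the server addresses are assumed sample values.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's default "IP src.port > dst.port:" shape,
# standing in for a capture of GTM's DNS load-balancing traffic. Not real data.
SAMPLE_CAPTURE = """\
10:00:01.100 IP 10.1.20.254.50000 > 10.1.30.10.53: 4711+ A? example.com. (29)
10:00:01.101 IP 10.1.30.10.53 > 10.1.20.254.50000: 4711 1/0/0 A 192.0.2.10 (45)
10:00:02.200 IP 10.1.20.254.50000 > 10.1.30.11.53: 4712+ AAAA? example.com. (29)
10:00:03.300 IP 10.1.20.254.50000 > 10.1.30.10.53: 4713+ A? example.net. (29)
10:00:04.400 IP 10.1.20.254.12345 > 10.1.30.10.53: 4714+ A? example.org. (29)
"""

FLOW_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def outbound_source_ports(capture, self_ip, dns_port=53):
    """Source ports the self-IP used for queries it sent to the DNS port."""
    ports = []
    for line in capture.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        src_ip, src_port, _dst_ip, dst_port = m.groups()
        # Only outbound queries from the self-IP count; replies are skipped.
        if src_ip == self_ip and int(dst_port) == dns_port:
            ports.append(int(src_port))
    return ports


def audit_source_ports(ports, lo=49152, hi=65535):
    """Check range compliance and whether the source port is really varying."""
    counts = Counter(ports)
    out_of_range = sorted(p for p in counts if not lo <= p <= hi)
    return {
        "queries": len(ports),
        "distinct_ports": len(counts),
        "out_of_range": out_of_range,
        # One port across many queries is the "only the hint port is used"
        # symptom reported in the thread, not randomisation.
        "pinned_to_one_port": len(ports) > 1 and len(counts) == 1,
    }


if __name__ == "__main__":
    print(audit_source_ports(outbound_source_ports(SAMPLE_CAPTURE, "10.1.20.254")))
```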