GTM / DNS Restrict source ports from GTM when LB DNS to Microsoft servers
I have tested the following iRule and it seems to accomplish what you are looking for. Let me know if this works.
when RULE_INIT {
    # On the line below, select which IPs are to be part of the SNAT list
    set static::ip_list [list 10.1.20.254]
}
when CLIENT_ACCEPTED {
    # Pick a random SNAT address from the list
    set random_snat_ip [lindex $static::ip_list [expr {int(rand()*[llength $static::ip_list])}]]
    # On the line below (and in the "pool" command at the end), replace "demo_dns_pool" with the name of the pool the traffic is load balanced to
    set available_pool_member [active_members -list demo_dns_pool]
    # active_members -list returns {ip port} pairs; keep only the IP of the randomly chosen member
    set random_pool_member [lindex [lindex $available_pool_member [expr {int(rand()*[llength $available_pool_member])}]] 0]
    # On the line below, replace "53" with the pool members' listening port. Values of 50000, 49152 and 65535 are the "hint port", minimum port and maximum port, respectively.
    set random_port [UDP::unused_port $random_pool_member 53 $random_snat_ip 50000 49152 65535]
    snat $random_snat_ip $random_port
    pool demo_dns_pool member $random_pool_member
}
- eric_haupt1, Jan 02, 2019, Nimbostratus
It doesn't appear to be randomizing the port. I'm using it in this fashion since I do not require pool member randomization or self-IP randomization. Logs show that only the hint port is used, and in tcpdump and in stats monitoring for the listener I see flow stats drop to "1" while this is in place.
when LB_SELECTED {
    # Ask for an unused source port in the 49152-65535 range, hinting 50000 first
    set gtm_random_port [UDP::unused_port [IP::remote_addr] [UDP::remote_port] [IP::local_addr] 50000 49152 65535]
    snat [IP::local_addr] $gtm_random_port
    log local0. [IP::local_addr]:$gtm_random_port
}
- Steve_Lyons_236, Jan 03, 2019, Historic F5 Account
This iRule was tested on both 14.1 and 13.1.1.2 virtual appliances with a GTM only license though both GTM and LTM were provisioned.
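One way to verify from the GTM's own log output whether the SNAT port is really being randomized within the permitted range, rather than collapsing onto the hint port as observed above (an added Python example, not code from the thread; the hostname, rule name, timestamps and port values in the sample lines are constructed, and the log line shape is assumed to follow the iRule's "log local0. [IP::local_addr]:$gtm_random_port" statement):

```python
import re
from collections import Counter

# Constructed /var/log/ltm excerpts in the shape the iRule line
#   log local0. [IP::local_addr]:$gtm_random_port
# produces (hostname, rule name, timestamps and ports are made up).
STUCK_LOG = """\
Jan  2 10:00:01 gtm1 info tmm[1234]: Rule /Common/dns_snat <LB_SELECTED>: 10.1.20.254:50000
Jan  2 10:00:01 gtm1 info tmm[1234]: Rule /Common/dns_snat <LB_SELECTED>: 10.1.20.254:50000
Jan  2 10:00:02 gtm1 info tmm[1234]: Rule /Common/dns_snat <LB_SELECTED>: 10.1.20.254:50000
"""
HEALTHY_LOG = """\
Jan  2 10:05:01 gtm1 info tmm[1234]: Rule /Common/dns_snat <LB_SELECTED>: 10.1.20.254:50000
Jan  2 10:05:01 gtm1 info tmm[1234]: Rule /Common/dns_snat <LB_SELECTED>: 10.1.20.254:61234
Jan  2 10:05:02 gtm1 info tmm[1234]: Rule /Common/dns_snat <LB_SELECTED>: 10.1.20.254:49300
Jan  2 10:05:02 gtm1 info tmm[1234]: Rule /Common/dns_snat <LB_SELECTED>: 10.1.20.254:55872
"""

# Match the trailing "ip:port" the iRule appends to each log line.
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")

def parse_ports(log_text):
    """Extract the logged SNAT source ports, in log order."""
    ports = []
    for line in log_text.splitlines():
        m = ADDR_RE.search(line)
        if m:
            ports.append(int(m.group(2)))
    return ports

def audit_ports(ports, hint_port=50000, min_port=49152, max_port=65535):
    """Check that the logged ports stay inside [min_port, max_port] and do
    not collapse onto the hint port, the symptom reported in the thread."""
    counts = Counter(ports)
    out_of_range = sorted(p for p in counts if not min_port <= p <= max_port)
    hint_share = counts[hint_port] / len(ports) if ports else 0.0
    return {
        "total": len(ports),
        "distinct": len(counts),
        "hint_share": hint_share,
        "out_of_range": out_of_range,
        # Verdict: more than one port seen, the hint port not dominant,
        # and every port inside the firewall-permitted range.
        "randomized": len(counts) > 1 and hint_share < 0.5 and not out_of_range,
    }

if __name__ == "__main__":
    for name, text in (("stuck", STUCK_LOG), ("healthy", HEALTHY_LOG)):
        print(name, audit_ports(parse_ports(text)))
```

Run it against a real excerpt of /var/log/ltm taken while the iRule is in place; a hint_share near 1.0 or a distinct count of 1 reproduces the behaviour described above.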