Forum Discussion
eric_haupt1
Dec 19, 2018Nimbostratus
GTM / DNS Restrict source ports from GTM when LB DNS to Microsoft servers
Due to security restrictions, I need to have GTM use source ports 49152-65535 from the self-IP it uses to LB DNS traffic to the DNS servers. I've attempted to force avoidance of certain ports with ir...
Steve_Lyons
Ret. Employee
I have tested the following iRule and it seems to accomplish what you are looking for. Let me know if this works.
when RULE_INIT {
On the line below, select which IP's are to be part of the SNAT list
set static::ip_list [list 10.1.20.254 ]
}
when CLIENT_ACCEPTED {
set random_snat_ip [lindex $static::ip_list [expr {int(rand()*[llength $static::ip_list])}]]
On line below this one, replace "http_pool" with the correct pool name where traffic will be load balanced to
set available_pool_member [active_members -list demo_dns_pool]
set random_pool_member [lindex [lindex $available_pool_member [expr {int(rand()*[llength $available_pool_member])}]] 0]
On line below, replace "80" with pool members listening port. Values of 50000, 49152 and 65535 represent "hint port", minimum port and maximum port, respectively.
set random_port [UDP::unused_port $random_pool_member 53 $random_snat_ip 50000 49152 65535 ]
snat $random_snat_ip $random_port
pool demo_dns_pool member $random_pool_member
}
Steve_Lyons
Jan 03, 2019Ret. Employee
This iRule was tested on both 14.1 and 13.1.1.2 virtual appliances with a GTM only license though both GTM and LTM were provisioned.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects