How to create an iRules that allowing multiple ports on a single VIP IP address

all ports not range on 50000-60000 can be block.

Hi Maneesh,

I have some few questions:

1. Do i need to create a Standard VIP with all Ports allow then associate the iRules on it.

2. can you check if this is correct:

when CLIENT_ACCEPTED {

 Check if requested port is outside 50000 - 60000 
if{not(([TCP::client_port] > 50000 and [TCP::client_port] < 60000) or [TCP::client_port] == 22) }{ 
    Drop request 
   drop 
} 

}

but we can access other ports. meaning the irules is not working well.

You mean you can access the VIP on other port as well ? apart from the specified range 50000 - 60000 ?

Can you paste the tcpdump output when you try connecting it from outside say TCP port 20.

i think, since we are using all ports on the VIP, that's why we can acess all ports.

can you give me the tcpdump command.

config tcpdump -nni 0.0 host 103.16.170.105 and port 20 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes 17:18:16.681324 IP 49.144.189.4.34857 > 103.16.170.105.20: S 1475439677:1475439677(0) win 8192 17:18:16.681374 IP 103.16.170.105.20 > 49.144.189.4.34857: S 262887358:262887358(0) ack 1475439678 win 4380 17:18:16.790526 IP 49.144.189.4.34857 > 103.16.170.105.20: . ack 1 win 17520 17:18:21.426989 IP 49.144.189.4.34857 > 103.16.170.105.20: P 1:3(2) ack 1 win 17520 17:18:21.427026 IP 103.16.170.105.20 > 49.144.189.4.34857: R 1:1(0) ack 3 win 0

config tcpdump -nni 0.0 host 103.16.170.105 and port 21 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes 17:18:45.426324 IP 49.144.189.4.34867 > 103.16.170.105.21: S 774155613:774155613(0) win 8192 17:18:45.426360 IP 103.16.170.105.21 > 49.144.189.4.34867: S 2396737405:2396737405(0) ack 774155614 win 4380 17:18:45.535784 IP 49.144.189.4.34867 > 103.16.170.105.21: . ack 1 win 64240 17:18:47.654593 IP 49.144.189.4.34867 > 103.16.170.105.21: P 1:3(2) ack 1 win 64240 17:18:47.654626 IP 103.16.170.105.21 > 49.144.189.4.34867: R 1:1(0) ack 3 win 0

Hi Maneesh,

Still not working.

here are the logs: config tcpdump -nni 0.0 host 103.16.170.105 and port 21 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes 11:27:47.982388 IP 112.199.36.158.15008 > 103.16.170.105.21: S 1717557432:1717557432(0) win 8192 11:27:47.982451 IP 103.16.170.105.21 > 112.199.36.158.15008: S 3919905464:3919905464(0) ack 1717557433 win 4356 11:27:48.214953 IP 112.199.36.158.15008 > 103.16.170.105.21: . ack 1 win 65340 11:27:48.215095 IP 103.16.170.105.21 > 112.199.36.158.15008: R 1:1(0) ack 1 win 4356 ^C 4 packets captured 4 packets received by filter 0 packets dropped by kernel

config tcpdump -nni 0.0 host 103.16.170.105 and port 3000 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes 11:28:15.306792 IP 112.199.36.158.12289 > 103.16.170.105.3000: S 957326522:957326522(0) win 8192 11:28:15.306851 IP 103.16.170.105.3000 > 112.199.36.158.12289: S 3629030938:3629030938(0) ack 957326523 win 4356 11:28:15.444923 IP 112.199.36.158.12289 > 103.16.170.105.3000: . ack 1 win 65340 11:28:15.445065 IP 103.16.170.105.3000 > 112.199.36.158.12289: R 1:1(0) ack 1 win 4356 ^C 4 packets captured 4 packets received by filter 0 packets dropped by kernel

Hi Maneesh,

Pls. see below output when using a VIP Performance layer 4 associated the i Rules

Accssing Port 22:

Xshell:> telnet 103.16.170.105 22 Connecting to 103.16.170.105:22... Could not connect to '103.16.170.105' (port 22): Connection failed.

config tcpdump -nni 0.0 host 103.16.170.105 and port 22 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes 13:08:41.733700 IP 112.199.36.158.38957 > 103.16.170.105.22: S 3489628376:3489628376(0) win 8192 13:08:41.733841 IP 103.16.170.105.22 > 112.199.36.158.38957: R 0:0(0) ack 3489628377 win 0 13:08:42.286396 IP 112.199.36.158.38957 > 103.16.170.105.22: S 3489628376:3489628376(0) win 8192 13:08:42.286525 IP 103.16.170.105.22 > 112.199.36.158.38957: R 0:0(0) ack 1 win 0 13:08:42.849594 IP 112.199.36.158.38957 > 103.16.170.105.22: S 3489628376:3489628376(0) win 8192 13:08:42.849709 IP 103.16.170.105.22 > 112.199.36.158.38957: R 0:0(0) ack 1 win 0 13:08:44.263275 IP 123.183.209.136.48745 > 103.16.170.105.22: S 932940911:932940911(0) win 29200 13:08:44.263404 IP 103.16.170.105.22 > 123.183.209.136.48745: R 0:0(0) ack 932940912 win 0 ^C 8 packets captured 8 packets received by filter 0 packets dropped by kernel

Accessing Port 21:

Xshell:> telnet 103.16.170.105 21 Connecting to 103.16.170.105:21... Could not connect to '103.16.170.105' (port 21): Connection failed.

config tcpdump -nni 0.0 host 103.16.170.105 and port 21 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes 13:08:55.352515 IP 112.199.36.158.59299 > 103.16.170.105.21: S 1151819102:1151819102(0) win 8192 13:08:55.352657 IP 103.16.170.105.21 > 112.199.36.158.59299: R 0:0(0) ack 1151819103 win 0 13:08:55.905954 IP 112.199.36.158.59299 > 103.16.170.105.21: S 1151819102:1151819102(0) win 8192 13:08:55.906070 IP 103.16.170.105.21 > 112.199.36.158.59299: R 0:0(0) ack 1 win 0 13:08:56.471243 IP 112.199.36.158.59299 > 103.16.170.105.21: S 1151819102:1151819102(0) win 8192 13:08:56.471367 IP 103.16.170.105.21 > 112.199.36.158.59299: R 0:0(0) ack 1 win 0 ^X^C 6 packets captured 6 packets received by filter 0 packets dropped by kernel

Additional for Port 50000:

Xshell:> telnet 103.16.170.105 50000 Connecting to 103.16.170.105:50000... Could not connect to '103.16.170.105' (port 50000): Connection failed.

config tcpdump -nni 0.0 host 103.16.170.105 and port 50000 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes 13:13:43.833730 IP 112.199.36.158.49801 > 103.16.170.105.50000: S 657302319:657302319(0) win 8192 13:13:43.833864 IP 103.16.170.105.50000 > 112.199.36.158.49801: R 0:0(0) ack 657302320 win 0 13:13:44.388163 IP 112.199.36.158.49801 > 103.16.170.105.50000: S 657302319:657302319(0) win 8192 13:13:44.388285 IP 103.16.170.105.50000 > 112.199.36.158.49801: R 0:0(0) ack 1 win 0 13:13:44.949583 IP 112.199.36.158.49801 > 103.16.170.105.50000: S 657302319:657302319(0) win 8192 13:13:44.949695 IP 103.16.170.105.50000 > 112.199.36.158.49801: R 0:0(0) ack 1 win 0 ^X^C 6 packets captured 6 packets received by filter 0 packets dropped by kernel

the Pool associated to VIP is configured in all protocol with port 22 monitor. since they disable the ICMP.

So you able to telnet on port 22 to the server ?

Hi Maneesh,

do we need this iRules

if{([TCP::local_port] > 50000 and [TCP::local_port] < 60000)} { permit elseif {[TCP::local_port] == 22 }{ permit } else { Drop request drop }

or this one

when CLIENT_ACCEPTED {

if{not(([TCP::local_port] > 50000 and [TCP::local_port] < 60000) or [TCP::local_port] == 22) }{

drop } }