Forum Discussion
How to create an iRule that allows multiple ports on a single VIP IP address
- Feb 01, 2017
Additionally, with the same iRule, can you change your VIP to Performance Layer 4 instead of Standard and then do a tcpdump to see whether the VIP is doing a 3-way handshake?
Hmm, thanks. Can you try the iRule below instead?
    when CLIENT_ACCEPTED {
        # Check if requested port is outside 50000 - 60000
        if { not (([TCP::local_port] > 50000 and [TCP::local_port] < 60000) or [TCP::local_port] == 22) } {
            # Drop request
            drop
        }
    }
- Goldz_180077, Feb 01, 2017, Nimbostratus
Hi Maneesh,
Still not working.
Here are the logs:

    config tcpdump -nni 0.0 host 103.16.170.105 and port 21
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
    11:27:47.982388 IP 112.199.36.158.15008 > 103.16.170.105.21: S 1717557432:1717557432(0) win 8192
    11:27:47.982451 IP 103.16.170.105.21 > 112.199.36.158.15008: S 3919905464:3919905464(0) ack 1717557433 win 4356
    11:27:48.214953 IP 112.199.36.158.15008 > 103.16.170.105.21: . ack 1 win 65340
    11:27:48.215095 IP 103.16.170.105.21 > 112.199.36.158.15008: R 1:1(0) ack 1 win 4356
    ^C
    4 packets captured
    4 packets received by filter
    0 packets dropped by kernel

    config tcpdump -nni 0.0 host 103.16.170.105 and port 3000
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
    11:28:15.306792 IP 112.199.36.158.12289 > 103.16.170.105.3000: S 957326522:957326522(0) win 8192
    11:28:15.306851 IP 103.16.170.105.3000 > 112.199.36.158.12289: S 3629030938:3629030938(0) ack 957326523 win 4356
    11:28:15.444923 IP 112.199.36.158.12289 > 103.16.170.105.3000: . ack 1 win 65340
    11:28:15.445065 IP 103.16.170.105.3000 > 112.199.36.158.12289: R 1:1(0) ack 1 win 4356
    ^C
    4 packets captured
    4 packets received by filter
    0 packets dropped by kernel
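
Captures like the ones in this thread can be checked mechanically. The following is an added example, not part of the original posts: it parses tcpdump output in the same format and reports, per connection, whether the VIP completed the 3-way handshake and which side sent a reset. The sample capture uses constructed documentation addresses, and the function and state names are this example's own.

```python
import re

# Old-style tcpdump line: "time IP src.sport > dst.dport: FLAGS rest"
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+)\s*(.*)$")

def classify_flows(lines, vip):
    """Return {(client, client_port, vip_port): state} for TCP flows to `vip`."""
    flows = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # banner, prompt or summary line
        src, sport, dst, dport, flags, rest = m.groups()
        from_vip = src == vip
        if not from_vip and dst != vip:
            continue  # traffic that does not involve the VIP
        key = (dst, int(dport), int(sport)) if from_vip else (src, int(sport), int(dport))
        state = flows.get(key, "NEW")
        has_ack = rest.startswith("ack ") or " ack " in rest
        if "R" in flags:
            who = "VIP" if from_vip else "CLIENT"
            when = "AFTER" if state == "ESTABLISHED" else "BEFORE"
            state = f"RESET_BY_{who}_{when}_HANDSHAKE"
        elif "S" in flags and not has_ack and not from_vip:
            state = "SYN_SEEN"
        elif "S" in flags and has_ack and from_vip and state == "SYN_SEEN":
            state = "SYN_ACK_SEEN"
        elif flags == "." and not from_vip and state == "SYN_ACK_SEEN":
            state = "ESTABLISHED"
        flows[key] = state
    return flows

# Constructed sample capture (RFC 5737 documentation addresses, not from the thread).
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
10:00:00.000001 IP 192.0.2.10.40001 > 198.51.100.5.21: S 100:100(0) win 8192
10:00:00.000050 IP 198.51.100.5.21 > 192.0.2.10.40001: S 900:900(0) ack 101 win 4356
10:00:00.200000 IP 192.0.2.10.40001 > 198.51.100.5.21: . ack 1 win 65340
10:00:00.200100 IP 198.51.100.5.21 > 192.0.2.10.40001: R 1:1(0) ack 1 win 4356
10:00:05.000001 IP 192.0.2.10.40002 > 198.51.100.5.22: S 200:200(0) win 8192
10:00:05.000050 IP 198.51.100.5.22 > 192.0.2.10.40002: S 700:700(0) ack 201 win 4356
10:00:05.200000 IP 192.0.2.10.40002 > 198.51.100.5.22: . ack 1 win 65340
10:00:05.300000 IP 198.51.100.5.22 > 192.0.2.10.40002: P 1:22(21) ack 1 win 4356
4 packets captured
""".splitlines()

if __name__ == "__main__":
    for key, state in classify_flows(SAMPLE, "198.51.100.5").items():
        print(key, state)
```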