Forum Discussion
How to create an iRule that allows multiple ports on a single VIP IP address
- Feb 01, 2017
Additionally, with the same iRule, can you change your VIP to performance layer 4 instead of standard and then do a tcpdump to see whether the VIP is doing a 3-way handshake?
Goldz, is the backend server listening on port 22?
- Goldz_180077 Feb 01, 2017 Nimbostratus
The pool associated with the VIP is configured for all protocols with a port 22 monitor, since they disabled ICMP.
- Maneesh_72711 Feb 01, 2017 Cirrostratus
So are you able to telnet on port 22 to the server?
- Goldz_180077 Feb 01, 2017 Nimbostratus
Hi Maneesh,
Do we need this iRule
when CLIENT_ACCEPTED {
    if { [TCP::local_port] > 50000 and [TCP::local_port] < 60000 } {
        # permit
    } elseif { [TCP::local_port] == 22 } {
        # permit
    } else {
        # drop request
        drop
    }
}
or this one?
when CLIENT_ACCEPTED {
    if { not (([TCP::local_port] > 50000 and [TCP::local_port] < 60000) or [TCP::local_port] == 22) } {
        drop
    }
}
- Goldz_180077 Feb 01, 2017 Nimbostratus
Hi Maneesh,
From the F5, we can telnet directly to the pool member on port 22.
Output:
config telnet 172.21.20.30 22
Trying 172.21.20.30...
Connected to 172.21.20.30.
Escape character is '^]'.
220 Welcome to BBB Center SFTP...
^C^X^Z
- Maneesh_72711 Feb 01, 2017 Cirrostratus
This one.
when CLIENT_ACCEPTED {
    if { not (([TCP::local_port] > 50000 and [TCP::local_port] < 60000) or [TCP::local_port] == 22) } {
        drop
    }
}
- Goldz_180077 Feb 01, 2017 Nimbostratus
Hi Maneesh,
config tcpdump -nni 0.0 host 103.16.170.105 and port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
14:46:45.787599 IP 112.199.36.158.33836 > 103.16.170.105.22: S 3342366270:3342366270(0) win 8192
14:46:45.787736 IP 103.16.170.105.22 > 112.199.36.158.33836: R 0:0(0) ack 3342366271 win 0
14:46:46.339597 IP 112.199.36.158.33836 > 103.16.170.105.22: S 3342366270:3342366270(0) win 8192
14:46:46.339729 IP 103.16.170.105.22 > 112.199.36.158.33836: R 0:0(0) ack 1 win 0
14:46:46.902088 IP 112.199.36.158.33836 > 103.16.170.105.22: S 3342366270:3342366270(0) win 8192
14:46:46.902200 IP 103.16.170.105.22 > 112.199.36.158.33836: R 0:0(0) ack 1 win 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

config tcpdump -nni 0.0 host 103.16.170.105 and port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
14:47:07.091104 IP 112.199.36.158.10863 > 103.16.170.105.21: S 4160497959:4160497959(0) win 8192
14:47:07.091226 IP 103.16.170.105.21 > 112.199.36.158.10863: R 0:0(0) ack 4160497960 win 0
14:47:07.636932 IP 112.199.36.158.10863 > 103.16.170.105.21: S 4160497959:4160497959(0) win 8192
14:47:07.637034 IP 103.16.170.105.21 > 112.199.36.158.10863: R 0:0(0) ack 1 win 0
14:47:08.191518 IP 112.199.36.158.10863 > 103.16.170.105.21: S 4160497959:4160497959(0) win 8192
14:47:08.191637 IP 103.16.170.105.21 > 112.199.36.158.10863: R 0:0(0) ack 1 win 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

config tcpdump -nni 0.0 host 103.16.170.105 and port 50000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
14:47:28.240221 IP 112.199.36.158.53438 > 103.16.170.105.50000: S 743398140:743398140(0) win 8192
14:47:28.240347 IP 103.16.170.105.50000 > 112.199.36.158.53438: R 0:0(0) ack 743398141 win 0
14:47:28.795108 IP 112.199.36.158.53438 > 103.16.170.105.50000: S 743398140:743398140(0) win 8192
14:47:28.795217 IP 103.16.170.105.50000 > 112.199.36.158.53438: R 0:0(0) ack 1 win 0
14:47:29.391220 IP 112.199.36.158.53438 > 103.16.170.105.50000: S 743398140:743398140(0) win 8192
14:47:29.391351 IP 103.16.170.105.50000 > 112.199.36.158.53438: R 0:0(0) ack 1 win 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
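
Added example, not part of any post in this thread: a small Python check for the question the tcpdump was meant to answer, whether each SYN to the VIP address gets a SYN/ACK or a reset. The function names and the second, constructed capture are assumptions made for illustration; the first capture is four packets copied from the output posted above.

```python
import re
from collections import defaultdict

# Old-style tcpdump line: "<time> IP <src>.<sport> > <dst>.<dport>: <flags> <rest>"
LINE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                  r"(?P<flags>[SFPRW.]+) (?P<rest>.*)$")

# Four packets copied from the capture posted in the thread (ports 22 and 50000).
THREAD_CAPTURE = """\
14:46:45.787599 IP 112.199.36.158.33836 > 103.16.170.105.22: S 3342366270:3342366270(0) win 8192
14:46:45.787736 IP 103.16.170.105.22 > 112.199.36.158.33836: R 0:0(0) ack 3342366271 win 0
14:47:28.240221 IP 112.199.36.158.53438 > 103.16.170.105.50000: S 743398140:743398140(0) win 8192
14:47:28.240347 IP 103.16.170.105.50000 > 112.199.36.158.53438: R 0:0(0) ack 743398141 win 0
"""

# Constructed contrast case (documentation addresses): SYN answered by SYN/ACK.
CONSTRUCTED_OK = """\
10:00:00.000100 IP 198.51.100.5.40000 > 192.0.2.10.22: S 1000:1000(0) win 8192
10:00:00.000200 IP 192.0.2.10.22 > 198.51.100.5.40000: S 5000:5000(0) ack 1001 win 4380
10:00:00.000300 IP 198.51.100.5.40000 > 192.0.2.10.22: . ack 1 win 8192
"""

def classify_syns(capture, vip):
    """Count client SYNs and the VIP's RST / SYN-ACK replies, keyed by VIP port."""
    stats = defaultdict(lambda: {"syn": 0, "rst": 0, "synack": 0})
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # banner, summary or non-TCP line
        has_ack = "ack" in m["rest"].split()
        if m["dst"] == vip and "S" in m["flags"] and not has_ack:
            stats[int(m["dport"])]["syn"] += 1
        elif m["src"] == vip and "R" in m["flags"]:
            stats[int(m["sport"])]["rst"] += 1
        elif m["src"] == vip and "S" in m["flags"] and has_ack:
            stats[int(m["sport"])]["synack"] += 1
    return dict(stats)

def verdict(counts):
    if counts["synack"]:
        return "handshake answered"
    if counts["rst"]:
        return "reset"
    return "no reply" if counts["syn"] else "no SYN seen"

if __name__ == "__main__":
    for port, c in sorted(classify_syns(THREAD_CAPTURE, "103.16.170.105").items()):
        print(port, c, verdict(c))
```

In iRules, `drop` discards the connection silently while `reject` sends a reset, so a "reset" verdict on every tested port is not what the `drop` branch of the iRule above would produce on the wire.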