Forum Discussion
iRule for port forwarding ssh to port 2222 on Pool
Hi,
hope anybody can help 🙂
I have two LBs (active/active) and two servers in the pool called RealSERVER, which are load balanced with lc.
On the two real servers I have two sshd instances, which are listening on port 22 and port 2222.
The sshd (on both machines) which is listening on port 2222 has the same rsa/dsa key, because I don't want a conflict if the client wants to connect to the VIP.
If the client wants to connect to the VIP via SSH, it would be great if the LBs redirected traffic from 22 to port 2222.
I've tested two iRules but neither worked:
when CLIENT_ACCEPTED {
    if { [TCP::local_port] == 22 } {
        pool RealServer 2222
    }
}
and
when CLIENT_ACCEPTED {
    switch [TCP::local_port 22] {
        2222 { pool RealSERVER }
        default { discard }
    }
}
If I use this iRule:
when CLIENT_ACCEPTED {
    if { [TCP::local_port] == 22 } {
        node 192.xxx.xxx.xxx 2222 IP RS1
        node 192.xxx.xxx.xxx 2222 IP RS2
    }
}
the connection will be redirected from 22 to 2222, but the load balancing didn't work. Every time I connect via ssh to the VIP, I'm on RS1. If I open a second terminal I'm also connected to RS1.
- BinaryCanary_19 (Historic F5 Account)
I think you should not need an irule here. One of your servers is listening on port 22, the other is on port 2222. You can have a pool where one member is on port 22 and the other member is on port 2222.
A standard vip should be able to loadbalance to these servers and correct the ports as needed...
- hooleylist (Cirrostratus)
Agreed. I'd use a FastL4 VS as there's nothing to do at L7 for SSH traffic.
- Royal_131741 (Nimbostratus)
Thx for the fast reply and the good idea,
but I would like to know the port forwarding rule. I think it's better to know different ways to the goal ;-)
I have already three virtual servers on both LBs (ssh, http, ftp) and just one pool. I wouldn't like to add another server...
As AFanen said, you can achieve this using standard LTM config, but you can also achieve it using an iRule; you were pretty much there with your first one. If you want to load balance across your pool using 2222 you need to create a pool with members using 2222, otherwise you can specifically specify individual pool members and ports. Also I think you'll need to consider persistence since you are using SSH. Here's some code that may help.
when CLIENT_ACCEPTED {
    if { [TCP::local_port] == 22 } {
        log "ssh_server_pool with members 192.168.101.11:2222 192.168.101.12:2222 - using source address persistence"
        # necessary if not configured in the virtual server configuration -
        # translate address from VIP to member - translate port from 22 to 2222.
        translate address enable
        translate port enable
        # load balance across pool
        pool ssh_server_pool
        # as we're talking ssh we need to set a persistence profile
        persist source_addr 255.255.255.255 0
        # log the localport
        log "localport: [TCP::local_port] "
    }
}
when SERVER_CONNECTED {
    # just for logging/debugging
    log "serverport: [TCP::server_port] "
}
cont...
The LTM config (I used an IP forwarding VS to listen on the VIP as the iRule specifies the pool, and a pool configured with members using port 2222; it seems F5 recognises 2222 as rockwell-csp2 😞):
ltm pool ssh_server_pool {
    description "2222 backend port"
    members {
        DNS1:rockwell-csp2 {
            address 192.168.101.11
        }
        DNS2:rockwell-csp2 {
            address 192.168.101.12
        }
    }
}
ltm virtual ssh_test {
    description ssh_test
    destination 86.189.0.240:any
    ip-forward
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        fastL4 { }
    }
    rules {
        ssh_test
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vs-index 11
}
log and connection entries:
(cfg-sync Changes Pending)(Active)(/Common)(tmos.ltm) show /sys conn cs-client-addr 10.12.13.3
Sys::Connections
10.12.13.3:56841 86.189.0.240:22 10.12.13.3:56841 192.168.101.11:2222 tcp 3 (tmm: 1) none

Aug 16 11:47:06 bnvf5wl001 info tmm[11396]: 01220002:6: Rule /Common/ssh_test : ssh_server_pool with members 192.168.101.11:2222 192.168.101.12:2222 - using source address persistence
Aug 16 11:47:06 bnvf5wl001 info tmm[11396]: 01220002:6: Rule /Common/ssh_test : localport: 22
Aug 16 11:47:06 bnvf5wl001 info tmm[11396]: 01220002:6: Rule /Common/ssh_test : serverport: 2222
Hope it helps, Adrian.
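To check the three things Adrian's log and connection entries are meant to show (VIP port 22 mapped to member port 2222, a given client pinned to one member by source-address persistence, and more than one member actually in use, which was the original poster's problem), here is an added Python check that is not part of the thread or of any F5 tooling; it parses rows in the layout of the show /sys conn output above, and the rows it contains are constructed sample data, not output from the poster's system.

```python
# Added example: verify an LTM "show /sys conn" dump against the expected
# 22 -> 2222 forwarding, source-address persistence and load balancing.
from collections import defaultdict

# Constructed sample rows in the layout of "show /sys conn" (not real output):
# client src, client dst (VIP), server src, server dst (pool member), proto, age, tmm, ...
SAMPLE_CONNS = """\
Sys::Connections
10.12.13.3:56841 86.189.0.240:22 10.12.13.3:56841 192.168.101.11:2222 tcp 3 (tmm: 1) none
10.12.13.3:56902 86.189.0.240:22 10.12.13.3:56902 192.168.101.11:2222 tcp 12 (tmm: 0) none
10.12.13.3:56950 86.189.0.240:22 10.12.13.3:56950 192.168.101.12:2222 tcp 2 (tmm: 0) none
10.12.13.7:40110 86.189.0.240:22 10.12.13.7:40110 192.168.101.12:2222 tcp 5 (tmm: 1) none
10.12.13.9:40201 86.189.0.240:22 10.12.13.9:40201 192.168.101.11:22 tcp 1 (tmm: 0) none
"""


def parse_conns(text):
    """Return (client_ip, vip_port, member_ip, member_port) for each TCP connection row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[4] != "tcp":
            continue  # skip the prompt/header lines
        client_ip = parts[0].rsplit(":", 1)[0]
        vip_port = int(parts[1].rsplit(":", 1)[1])
        member_ip, member_port = parts[3].rsplit(":", 1)
        rows.append((client_ip, vip_port, member_ip, int(member_port)))
    return rows


def check_ssh_forwarding(rows, vip_port=22, member_port=2222):
    """Flag rows that break the port mapping, clients that hit more than one
    member (persistence not working) and whether more than one member is used."""
    wrong_port = [r for r in rows if r[1] == vip_port and r[3] != member_port]
    members_per_client = defaultdict(set)
    for client_ip, vport, mip, _ in rows:
        if vport == vip_port:
            members_per_client[client_ip].add(mip)
    persistence_broken = sorted(c for c, m in members_per_client.items() if len(m) > 1)
    members_used = set().union(*members_per_client.values()) if members_per_client else set()
    return {
        "wrong_member_port": wrong_port,
        "persistence_broken": persistence_broken,
        "members_used": sorted(members_used),
        "balanced": len(members_used) > 1,  # False would match the OP's "always RS1" symptom
    }


if __name__ == "__main__":
    print(check_ssh_forwarding(parse_conns(SAMPLE_CONNS)))
```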
- Royal_131741 (Nimbostratus)
Many thx. I will test it :-)
- gongya (Altocumulus)
Does it work? I have the same issue:
I got the following:
ssh_exchange_identification: read: Connection reset by peer
when -vvv:
OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /root/.ssh/config
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "x.x.x.x" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
write: Connection reset by peer