Forum Discussion

Touch_100239
Aug 02, 2010

iRule Implementation (SNAT)

Hi All

I am new to F5 iRules and facing a problem with an iRule implementation on the F5. I have been struggling with it for more than two weeks. I really hope there is someone who could help me solve it.

My scenario is below. I have two servers and an F5.

IP for server1: 192.168.1.2
IP for server2: 192.168.2.2 (in the virtual server pool)
IP for virtual server: 192.168.1.3
IP for translation: 192.168.2.3

What I want to do now is to SSH from 1.2 to 2.2 via the F5 virtual server:

    ssh 192.168.1.3

Then the virtual server should forward this request to 2.2 and I will be on 2.2 with source 2.3, not 1.2.

The iRule I created is

    when CLIENT_ACCEPTED {
        if {[matchclass [IP::remote_addr] equals 192.168.1.3] and [matchclass [IP::client_addr] equals 192.168.1.2]} {
            snat 192.168.2.3
        } else {
            snat none
        }
    }

But after applying this rule to the virtual server, it does not work at all. So is there anyone who could help me? Thank you very much. :-(
  • Hi All

    I do not know how to modify the format of the message which I posted, so I am making a better one and hope anyone could help. Thank you.

    I am new to F5 iRules and facing a problem with an iRule implementation on the F5. I have been struggling with it for more than two weeks. I really hope there is someone who could help me solve it.

    My scenario is below.

    I have two servers and an F5.

    IP for server1: 192.168.1.2
    IP for server2: 192.168.2.2 (in the virtual server pool)
    IP for virtual server: 192.168.1.3
    IP for translation: 192.168.2.3

    What I want to do now is to SSH from 1.2 to 2.2 via the F5 virtual server:

        ssh 192.168.1.3

    Then the virtual server should forward this request to 2.2 and I will be on 2.2 with source 2.3, not 1.2.

    The iRule I created is

        when CLIENT_ACCEPTED {
            if {[matchclass [IP::remote_addr] equals 192.168.1.3] and [matchclass [IP::client_addr] equals 192.168.1.2]} {
                snat 192.168.2.3
            } else {
                snat none
            }
        }

    But after applying this rule to the virtual server, it does not work at all. So is there anyone who could help me? Thank you very much. :-(
  • Hi Touch,

    I think the problem might be because you are trying to matchclass the node before the server side is connected.

    Try the following code, i.e.:

        when CLIENT_ACCEPTED {
            log local0 "The Client IP is [IP::client_addr] and the node IP is [IP::remote_addr]"
            if {[matchclass [IP::client_addr] equals 192.168.1.2]} {
                snat 192.168.2.3
            } else {
                snat none
            }
        }

    I hope this helps

    Bhattman
  • Hi Bhattman

    Thank you very much for your very useful and quick reply. I am so sorry I did not make my scenario clear. The reason I want to use an iRule is to distinguish the destinations. In my story, on the destination side, I have many servers which have their own IPs. But all I want to do is to translate the source IP only when the packet goes to a particular destination.

    For example, in my virtual server pool I have several nodes like (192.168.2.2, 192.168.2.4, 192.168.2.5) and I only want to translate the source IP when the packet goes to 192.168.2.2. For the rest of the packets going to other destinations, the F5 does not do anything.

    That is why I identified not only the destination but also the source in my iRule at the same time. Not sure if I have made myself clear or not? Looking forward to seeing your reply. Thank you again.
  • Hi Touch,

    Understood. Thank you for the clarification.

    Let me rephrase what I think might be happening and what you can do.

    There are 2 items that might be causing your issue:

    1) You are using the matchclass command without a datagroup.

    2) The iRule event you are using (CLIENT_ACCEPTED) is only triggered when the client side of the connection is established, but before the F5 has chosen the server IP through the normal load balancing decision that you have configured.

    My thoughts are to use the LB_SELECTED event, which is triggered after the F5 has chosen the pool member, and to replace the matchclass command.

    The iRule would look like the following:

        when LB_SELECTED {
            # LB_SELECTED fires after the pool member has been chosen, so LB::server addr
            # is available here (IP::remote_addr would still return the client address,
            # because this is a clientside event)
            log local0 "The Client IP is [IP::client_addr] and the node IP is [LB::server addr]"
            # IP::addr compares against a literal address, so no data group is needed
            if {[IP::addr [IP::client_addr] equals 192.168.1.2] and [IP::addr [LB::server addr] equals 192.168.2.2]} {
                snat 192.168.2.3
            } else {
                snat none
            }
        }

    I hope this helps

    Bhattman
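
As an added example (not code from the original thread, and not F5's own), here is how the LB_SELECTED approach above generalizes to several destinations, which is the case Touch describes (192.168.2.2, 192.168.2.4 and 192.168.2.5 in one pool): the permitted client list and the destination-to-SNAT mapping move into two address-type data groups, so no IP addresses are hard-coded in the rule and new members can be added without editing it. The data group names snat_clients and snat_targets, and the tmsh commands in the comments (v11-style syntax), are assumptions made for this example.

```tcl
# Added example, not from the original thread. Assumes two address-type
# ("type ip") data groups exist on the BIG-IP; the names are made up here:
#   snat_clients  - client addresses whose source may be translated
#   snat_targets  - pool member address -> SNAT address to use for it
#
# Assumed creation commands (tmsh, v11-style syntax):
#   create ltm data-group internal snat_clients type ip records add { 192.168.1.2/32 { } }
#   create ltm data-group internal snat_targets type ip records add { 192.168.2.2/32 { data 192.168.2.3 } }

when LB_SELECTED {
    # LB_SELECTED runs after the load-balancing decision, so the chosen pool
    # member is known through LB::server addr. In CLIENT_ACCEPTED it is not.
    set client [IP::client_addr]
    set member [LB::server addr]

    # Look up the SNAT address keyed on the selected member. With -value the
    # command returns the record's data, or an empty string when no record matches.
    set snat_ip [class match -value $member equals snat_targets]

    if { [class match $client equals snat_clients] && $snat_ip ne "" } {
        # Translate the source only when both the client and the destination match.
        snat $snat_ip
        log local0. "client $client -> member $member: SNAT to $snat_ip"
    } else {
        # Every other combination keeps the original client source address.
        snat none
        log local0. "client $client -> member $member: no SNAT"
    }
}
```

Because the lookup happens in LB_SELECTED, the log line doubles as a check: if it never shows up in /var/log/ltm for a test connection, the connection never reached the virtual server's load-balancing decision, so the fault lies before the iRule rather than in it. Keep in mind as well that once SNAT applies, sshd on 192.168.2.2 logs 192.168.2.3 instead of the real client, and any host-based access rules there see the translated address, so the client data group should stay as small as possible.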

  • Hi Bhattman

    Thank you very much for your help, and it is so nice to have you answer my question.

    I tried to use the iRule you posted on my F5 and then used the following command:

        ssh 192.168.2.2 or ssh 192.168.1.3.

    I get no response from the server I want to connect to. The log has been checked but there is no useful message. So could you please show me or give me some tips about what I should do next? Thank you very much and hope to see your reply soon. :-P

    Touch