Forum Discussion
Vils_96460
Nimbostratus
Sep 24, 2008
iRule to forward based on domain name
I am trying to create an iRule that will only allow my webfarm to go out to the internet based on destination domains.
Similar implementations exist for the popular Linux proxy called squid, with the directive called 'dstdomain'.
I already have a rule that does selective SNAT to the internet, but I wanted to lock it down further to only allow certain domains. An example domain would be, say, .microsoft.com (so I can get patches) and maybe symantec (so I can get virus sig updates), and deny anything else.
DATA_GROUP_DDM_SRCIP_OUTBOUND (a list of servers allowed to go out the internet)
DATA_GROUP_DDM_DSTIP_OUTBOUND_VIP_BOUNCEBACK ( a list of destination vips)
SNAT_POOL_DDM (snat pool to use for VIP bouncebacks to the destination vips)
rule IRULE_SELECTIVE_SNAT_OUTBOUND {
    when CLIENT_ACCEPTED {
        if { ([matchclass [IP::client_addr] equals $::DATA_GROUP_DDM_SRCIP_OUTBOUND]) } {
            if { ([matchclass [IP::local_addr] equals $::DATA_GROUP_DDM_SRCIP_OUTBOUND]) } {
                if { ([matchclass [IP::local_addr] equals $::DATA_GROUP_DDM_DSTIP_OUTBOUND_VIP_BOUNCEBACK]) } {
                    snatpool SNAT_POOL_DDM
                } else {
                    forward
                }
                # forward (used only for troubleshooting)
            } else {
                snatpool SNAT_POOL_DDM
            }
        } else {
            forward
        }
    }
}
virtual forwarding_virtual {
    destination any:any
    profile fastL4_14400
    rule IRULE_SELECTIVE_SNAT_OUTBOUND
}
2 Replies
Nicolas_Menant
Employee
Hi,
You can try to use NAME::lookup to translate the IP requested by the user into the domain name, and then do a matchclass to check whether it is part of the allowed domains.
The problem with the NAME command is that it doesn't stop processing traffic until the name resolution is done, so you'll need to do it yourself using TCP::collect and TCP::release.
If I remember correctly, you'll need to do some specific configuration to make the lookup work.
HTH
Vils_96460
Nimbostratus
Thanks nmenant!
I will give that a unit test.
I have quite a lot of domain targets, so is it possible to put the matchclass in a datagroup as a list for the NAME::lookup, or do I have to use "switch" logic to be more flexible?
I see a partial solution for my situation here: http://devcentral.f5.com/wiki/default.aspx/iRules/DestinationSnatUsingDNS.html
but I need the hostname to be a variable list.
Thanks,
Vilson
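The approach Nicolas describes (NAME::lookup held behind TCP::collect/TCP::release) combined with the data-group suffix list Vilson asks about, written out as an added example that is neither poster's code. It assumes a hypothetical data group DATA_GROUP_DDM_ALLOWED_DOMAINS holding suffixes such as ".microsoft.com" and ".symantec.com", reuses the source-IP data group and SNAT pool from the original post, and assumes the DNS resolver settings NAME::lookup needs are already configured on the BIG-IP.

```tcl
# Added example, not from the original post: egress allow-list by destination
# domain. DATA_GROUP_DDM_ALLOWED_DOMAINS is a hypothetical data group of domain
# suffixes (".microsoft.com", ".symantec.com", ...).
rule IRULE_EGRESS_BY_DOMAIN {
    when CLIENT_ACCEPTED {
        # Only servers in the allowed-source list are considered at all.
        if { not [matchclass [IP::client_addr] equals $::DATA_GROUP_DDM_SRCIP_OUTBOUND] } {
            reject
            return
        }
        # NAME::lookup does not hold the connection while it resolves, so park
        # the client's payload ourselves until NAME_RESOLVED fires.
        TCP::collect
        # Reverse (PTR) lookup of the destination the client is trying to reach.
        NAME::lookup [IP::local_addr]
    }
    when NAME_RESOLVED {
        set dst_name [string tolower [NAME::response]]
        # An empty response means the lookup failed or the address has no PTR
        # record; fail closed instead of letting unknown destinations through.
        if { $dst_name equals "" } {
            log local0. "egress denied: no PTR for [IP::local_addr] from [IP::client_addr]"
            reject
            return
        }
        # Suffix match keeps the whole allow-list in the data group instead of a
        # switch statement: "download.microsoft.com" matches ".microsoft.com".
        # Caveat: the PTR record is published by whoever controls the destination's
        # reverse zone, so treat this as a coarse control and keep the IP-based
        # restrictions alongside it.
        if { [matchclass $dst_name ends_with $::DATA_GROUP_DDM_ALLOWED_DOMAINS] } {
            snatpool SNAT_POOL_DDM
            TCP::release
        } else {
            log local0. "egress denied: $dst_name ([IP::local_addr]) from [IP::client_addr]"
            reject
        }
    }
}
```

Denied connections are logged with the source, destination and resolved name so the allow-list can be tuned from the log rather than from user reports.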