Vils_96460
Sep 24, 2008 (Nimbostratus)
iRule to forward based on domain name
I am trying to create an iRule that will only allow my web farm to go out to the internet based on destination domains.
Similar implementations exist for the popular Linux proxy called Squid, with the directive called 'dstdomain'.
I already have a rule that does selective SNAT to the internet, but I wanted to lock it down further to only allow certain domains. An example domain would be, say, .microsoft.com (so I can get patches) and maybe Symantec (so I can get virus sig updates), and deny anything else.
DATA_GROUP_DDM_SRCIP_OUTBOUND (a list of servers allowed to go out to the internet)
DATA_GROUP_DDM_DSTIP_OUTBOUND_VIP_BOUNCEBACK (a list of destination VIPs)
SNAT_POOL_DDM (SNAT pool to use for VIP bouncebacks to the destination VIPs)
rule IRULE_SELECTIVE_SNAT_OUTBOUND {
   when CLIENT_ACCEPTED {
      # Only servers listed in the source data group get any special handling
      if { [matchclass [IP::client_addr] equals $::DATA_GROUP_DDM_SRCIP_OUTBOUND] } {
         # Destination is another server in the same group: internal traffic
         if { [matchclass [IP::local_addr] equals $::DATA_GROUP_DDM_SRCIP_OUTBOUND] } {
            if { [matchclass [IP::local_addr] equals $::DATA_GROUP_DDM_DSTIP_OUTBOUND_VIP_BOUNCEBACK] } {
               # Bounceback to one of our own VIPs: SNAT so the return path comes back through the BIG-IP
               snatpool SNAT_POOL_DDM
            } else {
               forward
            }
            # forward   ;# used only for troubleshooting, normally left commented out
         } else {
            # Destination is outside the group (the internet): SNAT out
            snatpool SNAT_POOL_DDM
         }
      } else {
         # Everything else is routed untouched
         forward
      }
   }
}
virtual forwarding_virtual {
   destination any:any
   profile fastL4_14400
   rule IRULE_SELECTIVE_SNAT_OUTBOUND
}
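The fastL4 forwarding virtual above only ever sees IP addresses, so it cannot make a decision on a destination domain; the closest equivalent to Squid's dstdomain on a BIG-IP is to inspect the HTTP Host header, which needs a standard (not fastL4) wildcard virtual with TCP and HTTP profiles so that HTTP_REQUEST fires. The rule below is an added example, not code from the original post, written in the same v9-era `$::` data-group syntax as the post. It assumes a hypothetical string data group DATA_GROUP_DDM_DSTDOMAIN_OUTBOUND holding Squid-style entries, where a leading dot (".microsoft.com") means the domain plus all subdomains and an entry without one means that exact host; the data group name, its contents and the rule name are assumptions.

```tcl
# Added example, not from the original post. Assumed string data group
# DATA_GROUP_DDM_DSTDOMAIN_OUTBOUND holds Squid dstdomain-style entries:
#   ".microsoft.com"                    -> microsoft.com and any host under it
#   "liveupdate.symantecliveupdate.com" -> that exact host only
# Both the data group name and its contents are hypothetical.
rule IRULE_OUTBOUND_DSTDOMAIN_ALLOWLIST {
   when HTTP_REQUEST {
      # Only police the web farm; anything else falls through untouched
      if { ! [matchclass [IP::client_addr] equals $::DATA_GROUP_DDM_SRCIP_OUTBOUND] } {
         return
      }

      # Normalise the requested host: lower-case, drop any ":port" suffix
      set host [string tolower [getfield [HTTP::host] ":" 1]]
      if { $host eq "" } {
         # HTTP/1.0 request without a Host header: nothing to match on, so refuse
         reject
         return
      }

      set allowed 0
      foreach entry $::DATA_GROUP_DDM_DSTDOMAIN_OUTBOUND {
         set entry [string tolower $entry]
         if { [string index $entry 0] eq "." } {
            # Leading dot: the bare domain or any subdomain of it. Comparing
            # against the dotted form stops "evilmicrosoft.com" from matching
            # ".microsoft.com".
            if { $host eq [string range $entry 1 end] || $host ends_with $entry } {
               set allowed 1
               break
            }
         } elseif { $host eq $entry } {
            # No leading dot: exact host only, as Squid does
            set allowed 1
            break
         }
      }

      if { $allowed } {
         # Allowed: the CLIENT_ACCEPTED rule already chose forward/SNAT
         return
      }
      log local0. "outbound denied: [IP::client_addr] -> $host ([IP::local_addr])"
      HTTP::respond 403 content "Destination not permitted"
   }
}
```

Two caveats a practitioner should keep in mind. The Host header is supplied by the internal server, so this constrains which names the web farm claims to be talking to, not which IP it actually connects to; keep the destination-IP data group in play as well, or have the BIG-IP resolve the name and open the outbound connection itself. And it only works for plain HTTP: for HTTPS the Host header is inside the encrypted stream, so the rule never sees it unless the BIG-IP terminates the TLS session.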