Forum Discussion
hc_andy_35682
Nimbostratus
Feb 09, 2010
iRule to mimic Cisco ACL for Forwarding VIP
Hi All,
Can somebody please help me write an iRule that will permit/deny the outside world from accessing the real servers behind the F5?
For example I have an inside_vlan_502 (forwarding VIP) configured that forwards all IP traffic for 210.15.210.0/24 from the outside_vlan. Is there something similar to Cisco's ACL that I can incorporate into an iRule to permit/deny certain IPs or TCP connections to the real servers?
Say for example I want the following:
1/ Allow 172.16.9.0/24 to access any real servers in 210.15.210.0/24
2/ Allow a single host 172.16.10.1 to access any real servers on port 80 only
3/ Deny everything else
In Cisco ACL, I would write it like so...
permit ip 172.16.9.0 0.0.0.255 210.15.210.0 0.0.0.255
permit tcp host 172.16.10.1 210.15.210.0 0.0.0.255 eq 80
deny ip any any
How might this be done with an iRule for a forwarding VIP?
Thanks.
Andy
14 Replies
- hoolio
Cirrostratus
Hi Andy,
You can use IP::addr to compare a single IP or subnet against another single IP or subnet. Or you can use matchclass to compare a single IP or subnet against an address type datagroup of IP addresses or subnets.
Here are a few related links:
http://devcentral.f5.com/wiki/default.aspx/iRules/ip__addr
http://devcentral.f5.com/wiki/default.aspx/iRules/matchclass
http://devcentral.f5.com/wiki/default.aspx/iRules/AccessControlBasedOnIP.html
http://devcentral.f5.com/wiki/default.aspx/iRules/AccessControlBasedOnNetworkOrHost.html
Aaron
- hc_andy_35682
Nimbostratus
Great!!! Thanks a bunch Aaron.
I read this article you mentioned and it's doing exactly what I want.
http://devcentral.f5.com/wiki/default.aspx/iRules/AccessControlBasedOnIP.html
Quick question...say from the real server I ping www.google.com (which isn't listed in the trustedAddresses class).
I'm still getting a reply back from Google. This is great, but I was wondering, given that Google's IPs are not in the trustedAddresses class, why am I getting a ping response back? I can only suspect that because the connection was initiated from the real server, the F5 implements some tracking like how a Cisco ACL might do it with a "permit tcp any any established" command.
Can someone please explain why this might be happening? Thanks.
Andy
- hoolio
Cirrostratus
Hi Andy,
In the first Codeshare link, traffic through the VIP is validated based on the client IP address being in the datagroup. So a trusted address will be able to send traffic to any destination. Is the real server IP in the datagroup?
Aaron
- hc_andy_35682
Nimbostratus
Hi Aaron,
Yes the real server is in the trustedAddresses data group.
My understanding is very flawed, I know, but I was under the assumption that return traffic to the real server via the forwarding VIP would also be validated against the iRule.
Below is how I picture a ping from the real server to Google would look, with the iRule coming into play on the inside_vlan_210_15_210 VIP when a reply comes back from Google. Hence why I was puzzled: given that Google isn't in the trustedAddresses data group, wouldn't the traffic be dropped?
real (210.15.210.x) -> F5 (inside_vlan_to_any VIP) -> default gw -> Google
Google -> F5 (inside_vlan_210_15_210 VIP) -> real
Thanks.
Andy
- hoolio
Cirrostratus
Hi Andy,
Thanks for clarifying; you were on the right track. LTM is stateful in that it tracks the ICMP request in its connection table and allows the response back to the client that originated the request. This is the same behavior for TCP and UDP. The google host wouldn't be able to originate requests through the LTM VIP as it's not in the trusted address datagroup.
You could (and should) only enable the forwarding virtual server on the internal VLAN that the hosts you want to allow are on. This adds another layer of protection against accidental routing of unwanted traffic through LTM.
Aaron
- hc_andy_35682
Nimbostratus
Hi Aaron,
Thanks for clearing that up.
I've been able to deploy the iRule for forwarding VIPs which are set to Service Port: All Ports; Type: Forwarding (IP); Protocol: All.
However, I am having trouble with the iRule for VIPs set to answer on a specific port, e.g. Service Port: 80; Type: Performance (L4); Protocol: TCP. When the iRule is applied to this sort of VIP (e.g. 210.15.254.x:80) the iRule stops any incoming connection even though I am trying to access the VIP from an IP address in the trustedAddresses data group. Not sure why this is happening when the iRule is applied to a VIP that is port-specific?
I have copied/pasted this iRule to use.
http://devcentral.f5.com/wiki/default.aspx/iRules/AccessControlBasedOnIP.html
Thanks.
Andy
- hoolio
Cirrostratus
Do you have a pool added to the port 80 VIP? Do you have SNAT enabled? If you remove the iRule, does the port-specific VIP work? If so, can you remove the forward command from the iRule you're using on the port 80 VIP? If that doesn't work, can you add logging to the iRule to see which conditions are being hit?
Thanks,
Aaron
- hoolio
Cirrostratus
Can you make a copy of the iRule to use just for the port 80 VIP and remove the forward command from that version?
Requests from untrusted clients will be dropped and all others will go to the VIP's default pool. The forward command stops LTM from doing destination address translation and sends the request out according to the routing table.
You can check the /var/log/ltm log file for output from iRules logging to local0. 'tail -f /var/log/ltm' allows you to watch the end of the ltm log file. Type Ctrl+c to stop the tail command from running.
Aaron
- hc_andy_35682
Nimbostratus
Hi Aaron,
I found out that if I leave out the "forward" command from the iRule, it works for both forwarding VIPs and port-specific VIPs. I guess this means that I can use the same iRule for both forwarding and port-specific VIPs without including the "forward" command in the iRule. Is this generally a good thing to do?
Without the "forward" command, the request will go to the VIP's default pool, and I guess if there isn't a pool configured, it will use the routing table. Is this a correct assumption?
Thanks.
Andy
- hoolio
Cirrostratus
Hi Andy,
The default action for a forwarding VIP is to forward the connection with the destination IP address untranslated. So you don't need to specify forward in the iRule. You can just drop or reject any connections you don't want to forward.
If you don't use the forward command on the FastL4 VIP with a default pool configured, the VIP's pool will be used for requests which don't match the iRule logic for dropping/rejecting connections. If there isn't a pool configured the request will be dropped--not forwarded.
Aaron
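The three ACL rules from Andy's original question written as one iRule, added here as an example (it is not code from the thread or from the linked Codeshare). It follows Aaron's advice above: no forward command, permitted connections simply return so the VIP's default action applies, everything else is dropped, and denies are logged to local0 so they can be watched in /var/log/ltm. It assumes an LTM release whose IP::addr accepts CIDR notation and that the rule runs in CLIENT_ACCEPTED on the forwarding VIP.

```tcl
when CLIENT_ACCEPTED {
    set src [IP::client_addr]
    set dst [IP::local_addr]

    # Rule 1: permit ip 172.16.9.0 0.0.0.255 210.15.210.0 0.0.0.255
    # Any protocol from the 172.16.9.0/24 subnet to the real server subnet.
    if { [IP::addr $src equals 172.16.9.0/24]
         && [IP::addr $dst equals 210.15.210.0/24] } {
        return
    }

    # Rule 2: permit tcp host 172.16.10.1 210.15.210.0 0.0.0.255 eq 80
    # Check IP::protocol first so TCP::local_port is only evaluated for TCP (6);
    # a forwarding VIP with Protocol: All also sees UDP and ICMP connections.
    if { [IP::protocol] == 6
         && [IP::addr $src equals 172.16.10.1]
         && [IP::addr $dst equals 210.15.210.0/24]
         && [TCP::local_port] == 80 } {
        return
    }

    # Rule 3: deny ip any any
    # Replies to connections the real servers open themselves never hit this
    # event; LTM's connection table lets them back in (the ping-to-Google case).
    log local0. "ACL deny: $src -> $dst proto [IP::protocol]"
    drop
}
```

Attach it only to the forwarding VIP on the internal VLAN, as Aaron recommends, and it also works unchanged on a port-specific FastL4 VIP with a default pool, since nothing in it forces forwarding.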