iRule to pass original client IP in SSH proxy
We have planned to perform SSH load balancing on our F5 ADC. In our scenario it is mandatory for us to perform SNAT, and hence the original IP cannot be recorded on the servers. We need an iRule to forward the original client IP to the servers to manage accountability on them.
I went through this article: https://devcentral.f5.com/questions/how-to-pass-client-ip-onto-access-logs-for-tcp-port22-connections-56770
In light of the aforementioned link, which iRule can be used to inject the original client IP into the initial SSH version handshake?
1 Reply
The solutions provided in the other post don't seem to work. I've tried to change the client identification string by using the iRule below, but it will prevent the client from connecting. The following error shows:
ssh_dispatch_run_fatal: Connection to 10.23.98.218: incorrect signature
It seems the client identification string is used during the key exchange, to prevent MITM attacks.
    when CLIENT_ACCEPTED {
        TCP::collect
    }

    when CLIENT_DATA {
        set payload [TCP::payload]
        # Client identification line: SSH-protoversion-softwareversion SP comments CR LF
        if { [scan $payload {%[^-]-%[^-]-%s} protocol protocolVersion softwareVersion] == 3 } {
            log local0. "DEBUG: protocol = $protocol"
            log local0. "DEBUG: protocolVersion = $protocolVersion"
            log local0. "DEBUG: softwareVersion = $softwareVersion"
            set clientIP [IP::client_addr]
            # Rewrite using the format SSH-2.0-softwareversion SP comments CR LF,
            # with the original client IP placed in the comments field
            set newPayload "$protocol-$protocolVersion-$softwareVersion $clientIP\r\n"
            TCP::payload replace 0 [TCP::payload length] $newPayload
        }
        TCP::release
    }
I think it's impossible to forward the originating client IP-address when using SNAT.
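To make the "incorrect signature" failure concrete, here is an added example (not from the original post or from F5) that reproduces the rewrite the iRule performs and then computes the SSH exchange hash H as RFC 4253 section 8 defines it (H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K), each field encoded as an SSH string or mpint per RFC 4251). The KEXINIT payloads, host key blob and Diffie-Hellman values are constructed placeholders, and SHA-256 stands in for whatever hash the negotiated KEX method would use; the point is only that V_C is an input to H. The client hashes the identification line it actually sent, while the server hashes the line the proxy delivered, so the server's signature over its H can never verify against the client's H.

```python
import hashlib
import re
import struct

# Mirrors the iRule's scan pattern %[^-]-%[^-]-%s: protocol, version, then the
# first whitespace-delimited token of the software version (comments are dropped).
_ID_RE = re.compile(rb"^([^-]+)-([^-]+)-(\S+)")


def rewrite_identification(payload: bytes, client_addr: str) -> bytes:
    """Return the identification line with client_addr injected as the comments field.

    Data that does not look like an identification line is returned untouched,
    which is what the iRule does when scan returns fewer than three fields.
    """
    m = _ID_RE.match(payload)
    if m is None:
        return payload
    protocol, version, software = m.groups()
    return b"%s-%s-%s %s\r\n" % (protocol, version, software, client_addr.encode())


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (leading zero if the top bit is set)."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def exchange_hash(v_c: bytes, v_s: bytes, i_c: bytes, i_s: bytes,
                  k_s: bytes, e: int, f: int, k: int) -> bytes:
    """H per RFC 4253 section 8. Identification strings exclude the trailing CR LF (section 4.2)."""
    h = hashlib.sha256()
    for field in (v_c.rstrip(b"\r\n"), v_s.rstrip(b"\r\n"), i_c, i_s, k_s):
        h.update(ssh_string(field))
    for m in (e, f, k):
        h.update(ssh_mpint(m))
    return h.digest()


# Constructed placeholder values for every hash input other than V_C.
_V_S = b"SSH-2.0-OpenSSH_8.9p1\r\n"
_I_C = b"\x14" + b"\x00" * 16 + b"client-kexinit-placeholder"
_I_S = b"\x14" + b"\x00" * 16 + b"server-kexinit-placeholder"
_K_S = b"host-key-blob-placeholder"
_E, _F, _K = 0x1234, 0x5678, 0x9ABC


def hashes_for(v_c_client: bytes, v_c_server: bytes) -> tuple:
    """Exchange hash as the client computes it vs. as the server computes it."""
    h_client = exchange_hash(v_c_client, _V_S, _I_C, _I_S, _K_S, _E, _F, _K)
    h_server = exchange_hash(v_c_server, _V_S, _I_C, _I_S, _K_S, _E, _F, _K)
    return h_client, h_server


def hashes_through_proxy(client_addr: str, inject: bool = True) -> tuple:
    """Simulate the proxy: the client sent `original`, the server received the rewritten line."""
    original = b"SSH-2.0-OpenSSH_9.3p1 Debian-1\r\n"
    delivered = rewrite_identification(original, client_addr) if inject else original
    return hashes_for(original, delivered)


if __name__ == "__main__":
    h_c, h_s = hashes_through_proxy("192.0.2.10")
    print("client H:", h_c.hex())
    print("server H:", h_s.hex())
    print("signature over server H verifies at client:", h_c == h_s)
```

Because the server signs H with its host key and the client checks that signature against its own H, any byte changed in V_C by a middlebox makes the two values diverge; this is exactly the MITM protection the reply refers to, and it is why the identification line is not a usable carrier for the client address under SNAT. Options that do not alter the SSH stream itself, such as logging the client-to-SNAT mapping on the BIG-IP, are outside what this page covers.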