Forum Discussion

Israel_01_14942's avatar
Israel_01_14942
Icon for Nimbostratus rankNimbostratus
Dec 10, 2018

Irules for a specific tcp ports and https

Hello everyone

 

I am not expert in F5, and I need help with a VIP for all ports, and I only need to allow the ports 443 and from the TCP 7000 to 7010

 

Currently I have this configuration:

 

when CLIENT_ACCEPTED { log local0. "Accepted--start iRule" if {([TCP::local_port] < 7000 ) && ([TCP::local_port] > 7010) && ([TCP::local_port] != 443) } { log local0. "[IP::client_addr] rejected on TCP [TCP::local_port]" reject } if {([TCP::local_port] >= 7000 ) && ([TCP::local_port] <= 7010) } { log local0. "[IP::client_addr] accepted on TCP [TCP::local_port]" pool pool01 } if {([TCP::local_port] == 443) } { log local0. "[IP::client_addr] accepted on TCP [TCP::local_port]" set proto "https" SSL::profile client.clientssl pool http_pool } log local0. "Ended--iRule completed" }

 

But the https access is not working, I am not able to reach any node.

 

application delivery
iRules
LTM
  • youssef1's avatar
    youssef1
    Icon for Cumulonimbus rankCumulonimbus
    Dec 10, 2018

    Hi,

    you can test this irule:

    when CLIENT_ACCEPTED { 

log local0. "Accepted--start iRule" 
if {([TCP::client_port] <= 1000  && [TCP::client_port] >= 65000) && ([TCP::local_port] == 443) } {
     do nothing
} else {
    log local0. "[IP::client_addr] rejected on TCP [TCP::client_port]" 
    reject

}
}

    For info:

    [TCP::client_port]
    is your source/local port in your context (clientside)

    [TCP::local_port]
    is your destination port in your context (clientside)

    This article can help you:

    https://devcentral.f5.com/Wiki/iRules.TCP__local_port.ashx

    regards