mysql ip access control
I would like to do IP access control by using an iRule. However, I failed in the following way.
pool-allowhost-01 contains some MySQL servers.
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 192.168.1.0/24] } {
            pool pool-allowhost-01
        } else {
            reject
        }
    }
An allowed host cannot access the pooled MySQL servers.
    [localhost ~]$ mysql -u user -ppass -h lbaddr
    Warning: Using a password on the command line interface can be insecure.
It stays stuck there.
- nitass (Employee)
Have you checked tcpdump?
e.g.
    tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x or host y.y.y.y
where x.x.x.x is the client IP and y.y.y.y is the server/pool member IP.
- toshi_01_132399 (Nimbostratus)
Thank you. I have checked tcpdump on all member servers. However, I could not see any IP packets from the load balancer. The IP packets seem to have stopped in the load balancer.
- nitass (Employee)
Can you run tcpdump on the BIG-IP?
- toshi_01_132399 (Nimbostratus)
Unfortunately, I do not have permission to log in to the BIG-IP. If possible, I will ask the administrator.
- Kevin_Stewart (Employee)
Just to be clear, "lbaddr" in your mysql statement is the virtual server IP address, and "pool-allowhost-01" is a pool that contains the IP address and listening port of the actual mysql servers. You didn't specify a port in the mysql statement, so your virtual server should probably also be listening on TCP port 3306. If that's true, I'll also assume that the pool is bound to the virtual server configuration. Your iRule can then be a little simpler:
    when CLIENT_ACCEPTED {
        if { not ( [IP::addr [IP::client_addr] equals 192.168.1.0/24] ) } {
            reject
        }
    }
If the client's source address does not match the given subnet, reject. Otherwise the request will be sent to the assigned pool. Now, with all of those pieces in place, Nitass' suggestion to use TCPDUMP is probably your best bet at troubleshooting. You'll want to look for the client's IP address coming to the VIP address on the BIG-IP's external interface, and subsequently the client's IP address (or SNAT address) going to the mysql server on the BIG-IP's internal interface. There's a good chance that one of those isn't happening.
- toshi_01_132399 (Nimbostratus)
Thank you Kevin Stewart and Nitass. I have also tried the above method already, but the result did not change.
My environment is the following:
    client (192.168.1.30)
      -----> BIG-IP with iRule, VIP 172.20.1.262:3306
      -----> pool-allowhost-01:
               192.168.1.50:3306
               192.168.1.51:3306
               192.168.1.52:3306
I guess that I must add the address of the VIP?
    when CLIENT_ACCEPTED {
        if { not ( [IP::addr [IP::client_addr] equals 192.168.1.0/24] ) and not ( [IP::addr [IP::client_addr] equals 172.20.1.262] ) } {
            reject
        }
    }
- nitass_89166 (Noctilucent)
As Kevin suggested, have you tried to enable SNAT automap under the virtual server configuration? Does this virtual server work without the iRule?
- toshi_01_132399 (Nimbostratus)
Without the iRule, the client can access the pooled MySQL servers.
- Kevin_Stewart (Employee)
Okay, unless I'm just missing it, the iRule looks fine. Can you add in some logging and report back the results?
    when CLIENT_ACCEPTED {
        if { not ( [IP::addr [IP::client_addr] equals 192.168.1.0/24] ) and not ( [IP::addr [IP::client_addr] equals 172.20.1.262] ) } {
            log local0. "Rejecting client: [IP::client_addr]"
            reject
        } else {
            log local0. "Allowing client: [IP::client_addr]"
        }
    }
- nitass (Employee)
    if { not ( [IP::addr [IP::client_addr] equals 192.168.1.0/24] ) and not ( [IP::addr [IP::client_addr] equals 172.20.1.262] ) } {
Doesn't it return false when the client is from 192.168.1.0/24?
- toshi_01_132399 (Nimbostratus)
"Doesn't it return false when the client is from 192.168.1.0/24?"
What about the syntax of the following?
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 172.20.1.262] } {
            log local0. "Allowing client VIP: [IP::client_addr]"
            # or: forward
            pool pool-allowhost-01
        } elseif { [IP::addr [IP::client_addr] equals 192.168.1.0/24] } {
            log local0. "Allowing client: [IP::client_addr]"
            # or: forward
            pool pool-allowhost-01
        } else {
            log local0. "Rejecting client: [IP::client_addr]"
            reject
        }
    }
- nitass_89166 (Noctilucent)
I think the original iRule below is okay.
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 192.168.1.0/24] } {
            pool pool-allowhost-01
        } else {
            reject
        }
    }
Could you add log commands to the iRule, something like what Kevin suggested? Also, I think it would be helpful if you could run tcpdump on the BIG-IP.
e.g.
    tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host 192.168.1.30 or host 192.168.1.50 or host 192.168.1.51 or host 192.168.1.52
And can you post the virtual server, pool and snatpool configuration here?
    tmsh list ltm virtual (virtual server name)
    tmsh list ltm pool (pool name)
    tmsh list ltm snatpool (snatpool name)
Just my 2 cents.
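An added example, not code from any post in this thread, that combines the suggestions above: the allow-list moved into an address data group, log lines on both the client and server side so a tcpdump on the BIG-IP can be matched against the iRule's decisions, and snat automap as Nitass proposed. The data group name dg_mysql_allowed_clients is an assumed, hypothetical name; the pool name is the one from the thread.

```tcl
# Added example (not from any post in this thread): allow-list MySQL clients by
# source network, log every decision, and SNAT so replies return via the BIG-IP.
# Assumed: an address-type data group "dg_mysql_allowed_clients" (hypothetical
# name) holding the permitted networks, e.g. 192.168.1.0/24.
when CLIENT_ACCEPTED {
    # "class match ... equals" on an address data group performs subnet matching,
    # so new allowed networks are added to the data group, not to the iRule.
    if { [class match [IP::client_addr] equals dg_mysql_allowed_clients] } {
        log local0. "Allowing MySQL client [IP::client_addr]:[TCP::client_port] -> VIP [IP::local_addr]:[TCP::local_port]"
        # Source-translate to a self IP so the pool member (which in this thread
        # sits on the same subnet as the client) answers the BIG-IP instead of
        # sending its reply straight back to the client.
        snat automap
        pool pool-allowhost-01
    } else {
        log local0. "Rejecting MySQL client [IP::client_addr]:[TCP::client_port] -> VIP [IP::local_addr]:[TCP::local_port]"
        reject
    }
}

# Server-side events show whether the BIG-IP ever reached a pool member, which
# is what the tcpdump on the members was meant to confirm.
when SERVER_CONNECTED {
    log local0. "Client [IP::client_addr] connected to member [IP::server_addr]:[TCP::server_port] via SNAT [IP::local_addr]"
}

when LB_FAILED {
    log local0. "No available member in pool-allowhost-01 for client [IP::client_addr]"
}
```

With this in place, a client from 192.168.1.0/24 should produce an "Allowing" line followed by a "connected to member" line in /var/log/ltm; an "Allowing" line with no server-side line points at the path between the BIG-IP and the pool rather than at the access-control logic.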
- toshi_01_132399 (Nimbostratus)
Thank you. I will try again based on everyone's information.