Forum Discussion
mysql ip access control
Just to be clear, "lbaddr" in your mysql statement is the virtual server IP address, and "pool-allowhost-01" is a pool that contains the IP address and listening port of the actual mysql servers. You didn't specify a port in the mysql statement, so your virtual server should probably also be listening on TCP port 3306. If that's true, I'll also assume that the pool is bound to the virtual server configuration. Your iRule can then be a little simpler:
when CLIENT_ACCEPTED {
    # Reject any client whose source address is outside 192.168.1.0/24
    if { not ( [IP::addr [IP::client_addr] equals 192.168.1.0/24] ) } {
        reject
    }
}
If the client's source address does not match the given subnet, reject. Otherwise the request will be sent to the assigned pool.
Now, with all of those pieces in place, Nitass' suggestion to use TCPDUMP is probably your best bet at troubleshooting. You'll want to look for the client's IP address coming to the VIP address on the BIG-IP's external interface, and subsequently the client's IP address (or SNAT address) going to the mysql server on the BIG-IP's internal interface. There's a good chance that one of those isn't happening.
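Added example, not part of the original reply: a Python sketch that reads text output from the two tcpdump captures described above (external and internal side) and reports which leg of the connection is missing. The VIP, pool member and SNAT addresses and all capture lines are constructed assumptions; only the 192.168.1.0/24 subnet and port 3306 come from the thread.

```python
import ipaddress
import re

# Constructed values for illustration; only the subnet and port come from the thread.
VIP, MYSQL_PORT = "10.0.0.50", 3306
ALLOWED = ipaddress.ip_network("192.168.1.0/24")
SERVERS = {"10.10.10.21"}

# Matches tcpdump -nn text output: "IP src.sport > dst.dport: Flags [S], ..."
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

def parse(lines):
    """Return (src, sport, dst, dport, flags) for every TCP line that matches."""
    hits = (LINE_RE.search(line) for line in lines)
    return [(m[1], int(m[2]), m[3], int(m[4]), m[5]) for m in hits if m]

def triage(client, external, internal, snat=None):
    """Report where the client's MySQL connection stops on its way through the BIG-IP."""
    ext = parse(external)
    if not any(s == client and d == VIP and dp == MYSQL_PORT and "S" in f
               for s, _, d, dp, f in ext):
        return "external: no SYN from the client reached the VIP"
    reset = any(s == VIP and sp == MYSQL_PORT and d == client and "R" in f
                for s, sp, d, _, f in ext)
    if reset and ipaddress.ip_address(client) not in ALLOWED:
        # The iRule's reject answers a TCP connection with a reset.
        return "external: VIP reset a client outside the allowed subnet"
    sources = {client, snat} - {None}  # server side shows the client or the SNAT address
    if not any(s in sources and d in SERVERS and dp == MYSQL_PORT and "S" in f
               for s, _, d, dp, f in parse(internal)):
        return "internal: nothing was forwarded to the pool member"
    return "both legs present: check the MySQL server itself"

# Constructed capture lines (not from the original thread).
EXTERNAL = [
    "12:00:01.000100 IP 192.168.1.25.51514 > 10.0.0.50.3306: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000150 IP 10.0.0.50.3306 > 192.168.1.25.51514: Flags [S.], seq 9, ack 2, win 4380, length 0",
    "12:00:02.000100 IP 172.16.5.9.40022 > 10.0.0.50.3306: Flags [S], seq 5, win 64240, length 0",
    "12:00:02.000300 IP 10.0.0.50.3306 > 172.16.5.9.40022: Flags [R.], seq 1, ack 6, win 0, length 0",
]
INTERNAL = [
    "12:00:01.000400 IP 10.10.10.5.33210 > 10.10.10.21.3306: Flags [S], seq 3, win 4380, length 0",
]

if __name__ == "__main__":
    for ip in ("192.168.1.25", "172.16.5.9", "192.168.1.77"):
        print(ip, "->", triage(ip, EXTERNAL, INTERNAL, snat="10.10.10.5"))
```

Passing the SNAT address matters: without it, a connection that the BIG-IP did forward looks like a missing server-side leg because the source address no longer matches the client.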