Forum Discussion
Need iRule for specific sources to specific ports going to the Same VS for Proxy LB
Access Control Based on specific sources to specific ports going to the Same VS for Proxy LB
Our company has tons of security restrictions so I would need to be specific with certain sources only going to specific ports. This would always be going to the same destination, which is the F5 VIP of proxy pool. Everything else would get denied.
We have proxy servers that we want to create a wild card virtual server which listens for all ports. Then we want to create\modify your script to specify which sources can access the vip on which ports. We have about 100 forwarders that traverse the proxy and 75 socks, ftp & sftp connections.
I would also like to explicitly reference multiple sources (can I do this with “,” or “;” instead of classes? Seems like it would be easier to put it all in the script then have many classes –what are your thoughts on this?)
I’m thinking for every source\port connection I copy and modify the code over and over, making sure to add granular descriptions of each one as I go. I just need to get the initial code together first before I can duplicate it for all my connections. I’m expecting this to be a very big file.
***
So as a sample for basic code I need to allow the following:
1. Blackberry Servers for LB to proxy
Blackberry sources:
111.111.111.111
112.112.112.112
113.113.113.113
Port:
3101
(what if I wanted to add multiple ports –hypothetically 22)
Destination:
F5 VIP of Proxy pool
***
(I’m assuming there will be some if statement between each acl)
***
2. Misc App Servers for LB to proxy
Misc app sources:
114.114.114.114
115.115.115.115
116.116.116.116
Port:
1212
Destination:
F5 VIP of Proxy pool
***
Then I would copy the above code for all my connections
At the end I would deny everything else.
***
I don’t think I need the admin_datagroup since all connections will be restricted
- Joe_Rindfleisch (Nimbostratus): I just received this from my SE:

Key / value:
    443:10.0.1.2    ""
    443:11.1.1.4    ""
    443:12.1.1.4    ""
    8080:12.0.1.2   ""
    8080:13.1.1.4   ""
    8080:14.1.1.4   ""

Internal class:

    class port_to_IP_whitelist {
       {
          "443:10.0.1.2" { "" }
          "443:11.0.1.3" { "" }
          "8080:10.0.1.2" { "" }
          "8080:11.0.1.3" { "" }
          "8081:14.0.1.2" { "" }
          "8081:15.0.1.3" { "" }
       }
    }

External class:
Create the file as below. File saved here: /config/port_to_IP_whitelist.dat
Contents of file:

    "443:10.0.1.2" := "",
    "443:11.0.1.2" := "",
    "8080:12.0.1.2" := "",
    "8080:13.0.1.2" := "",
    "8081:14.0.1.2" := "",
    "8081:15.0.1.2" := "",

Configure the external class via the GUI; the following shows in the config file:

    class port_to_IP_whitelist {
       type string
       filename port_to_IP_whitelist.dat
    }

Here is the iRule which matches that design:

    when CLIENT_ACCEPTED {
       # Key is "<local port>:<client IP>", the same format as the datagroup keys
       set search_key "[TCP::local_port]:[IP::client_addr]"
       # The datagroup values are all empty strings, so "class lookup" (which returns
       # the value) cannot tell a hit from a miss; test key presence with "class match"
       if { not [class match $search_key equals port_to_IP_whitelist] } {
          log local0. "Search key $search_key not in whitelist. Rejecting connection."
          discard
          event disable all
          return
       }
    }

- Michael_Yates (Nimbostratus): Hi Joe,
- Joe_Rindfleisch (Nimbostratus): In the above scenario, is there a way to add networks?
- hoolio (Cirrostratus): Not really. Your SE gave you a novel solution. But the shortcoming is that it doesn't support the native network parsing of an address type datagroup.

    class fw_icmp_rules_class {
       {
          network 10.10.14.0/24 { "8.8.8.8:8,4.2.2.2:8,4.2.2.1:8" }
          network 10.11.14.0/24 { "4.2.2.4:8,4.2.2.3:8,4.2.2.2:8,4.2.2.1:8" }
          network 10.12.14.0/24 { "203.8.183.1:8" }
       }
    }
    class fw_tcp_rules_class {
       {
          network 10.10.14.0/24 { "63.166.98.107:80,1.2.3.4:80,1.2.3.4:443" }
          network 10.11.14.0/24 { "63.166.98.107:80,1.2.3.4:80,1.2.3.4:443" }
       }
    }
    class fw_udp_rules_class {
       {
          network 10.10.14.0/24 { "4.2.2.1:53,4.2.2.2:53,4.2.2.3:53" }
          network 10.11.14.0/24 { "8.8.8.8:53,4.2.2.1:53,4.2.2.2:53,4.2.2.3:53" }
       }
    }

    when RULE_INIT {
       # Log debug to /var/log/ltm? 1=yes, 0=no
       set static::fw_debug 1
    }
    when CLIENT_ACCEPTED {
       if {$static::fw_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: destination:\
          [IP::local_addr]:[TCP::local_port]"}

       # Check the requested protocol (defined in /etc/protocols)
       switch [IP::protocol] {
          1 {
             # ICMP
             set proto icmp
          }
          6 {
             # TCP
             set proto tcp
          }
          17 {
             # UDP
             set proto udp
          }
          default {
             # Unmatched protocol
             if {$static::fw_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Disallowed protocol"}
             # Drop?
             drop
             # Reject?
             #reject
             # Exit this event in this rule
             return
          }
       }
       if {$static::fw_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Protocol: $proto"}

       # If we are still in the rule the protocol matched our allowed list
       # Check if the corresponding datagroup exists
       if {not [class exists fw_${proto}_rules_class]}{
          # Datagroup does not exist!
          log local0. "[IP::client_addr]:[TCP::client_port]: Datagroup fw_${proto}_rules_class does not exist\
             for lookup to [IP::local_addr]:[TCP::local_port]!"
          # Drop?
          drop
          # Reject?
          #reject
          # Exit here, otherwise the lookup below runs against a missing datagroup and errors
          return
       }

       # Do the datagroup lookup against the protocol specific datagroup
       # which maps source networks/hosts to allowed destination host:ports
       set allowed_dest_list [split [class match -value [IP::client_addr] equals fw_${proto}_rules_class] ","]
       if {$allowed_dest_list ne ""}{
          if {[matchclass "[IP::local_addr]:[TCP::local_port]" equals $allowed_dest_list]}{
             # Destination host:port is allowed
             if {$static::fw_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Allowing connection"}
          } else {
             # Destination host:port is not allowed
             if {$static::fw_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Blocking connection"}
             # Drop?
             drop
             # Reject?
             #reject
          }
       } else {
          # Source address is not in the datagroup at all: deny it as well, so that
          # anything not explicitly whitelisted is blocked
          if {$static::fw_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Source not in fw_${proto}_rules_class"}
          drop
       }
    }
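The decision logic of the datagroup-driven iRule above, re-implemented in Python as an added example (not F5 code, not from hoolio) so a rule table can be checked offline before it goes on the box. The rule tables are constructed from the posted datagroups, and overlapping networks resolve to the longest prefix; every path that is not an exact host:port hit for the source's network ends in "drop", matching the thread's requirement that everything else is denied.

```python
"""Offline model of the protocol / source-network -> destination:port whitelist.
Constructed example (not F5 code): mirrors the iRule's decision logic so a rule
table can be tested before deployment. Values are the comma-separated "host:port"
lists used in the fw_*_rules_class datagroups."""
import ipaddress

# Protocol number (as [IP::protocol] reports it) -> datagroup name, as in the switch
PROTO_CLASS = {1: "fw_icmp_rules_class", 6: "fw_tcp_rules_class", 17: "fw_udp_rules_class"}

# Constructed rule tables mirroring the posted datagroups (ICMP left out on
# purpose to exercise the "datagroup does not exist" branch).
DATAGROUPS = {
    "fw_tcp_rules_class": {
        "10.10.14.0/24": "63.166.98.107:80,1.2.3.4:80,1.2.3.4:443",
        "10.11.14.0/24": "63.166.98.107:80,1.2.3.4:80,1.2.3.4:443",
    },
    "fw_udp_rules_class": {
        "10.10.14.0/24": "4.2.2.1:53,4.2.2.2:53,4.2.2.3:53",
        "10.11.14.0/24": "8.8.8.8:53,4.2.2.1:53,4.2.2.2:53,4.2.2.3:53",
    },
}

def class_match(addr, datagroup):
    """Value of the most specific network containing addr, or None if none
    matches (the role of `class match -value` against an address datagroup)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, value in datagroup.items():
        network = ipaddress.ip_network(net)
        if ip in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, value)
    return None if best is None else best[1]

def decide(proto, src, dst, dport, datagroups=DATAGROUPS):
    """'allow' only for an exact destination host:port listed for the source's
    network; unknown protocol, missing datagroup, unlisted source and unlisted
    destination are all 'drop' (default deny)."""
    class_name = PROTO_CLASS.get(proto)
    if class_name is None:
        return "drop"                 # protocol not handled by the switch
    datagroup = datagroups.get(class_name)
    if datagroup is None:
        return "drop"                 # `class exists` would be false
    value = class_match(src, datagroup)
    if value is None:
        return "drop"                 # source not in any listed network
    allowed = {entry.strip() for entry in value.split(",")}
    return "allow" if f"{dst}:{dport}" in allowed else "drop"
```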
- Joe_Rindfleisch (Nimbostratus): That looks like it would work for me.
- Joe_Rindfleisch (Nimbostratus): It posted twice!
- hoolio (Cirrostratus): Hi Joe,
- Joe_Rindfleisch (Nimbostratus): Destination will always be the wild card virtual server VIP.
- Joe_Rindfleisch (Nimbostratus): another double post :-(
- Joe_Rindfleisch (Nimbostratus): Let me know if you need more lines of code. Also, would there be a chance to use hostnames and RegEx to provide a little flexibility in adding rules? Just smack me on the head if I'm going overboard ;-)