Forum Discussion
Joe_Rindfleisch
Nimbostratus
Aug 30, 2011
Need iRule for specific sources to specific ports going to the same VS for proxy LB
Access control based on specific sources to specific ports going to the same VS for proxy LB
I found "Access Control Based On Network Or Host" http://...
hoolio
Cirrostratus
Sep 07, 2011
Hi Joe,
I think the previous format will work. Here's an example datagroup:
class fw_tcp_rules_class {
    {
        host 10.1.1.1.2 { "192.168.1.1:3101" }
        host 10.1.1.1.3 { "192.168.1.1:3101" }
        host 10.1.1.1.4 { "192.168.1.1:3101" }
        host 10.1.1.1.5 { "192.168.1.1:3101" }
        network 10.10.21.0/24 { "192.168.1.1:1212" }
        network 10.10.22.0/24 { "192.168.1.1:1212" }
        network 10.10.23.0/24 { "192.168.1.1:1212" }
    }
}

And a slightly trimmed version of the iRule which checks the datagroup:
when RULE_INIT {
    # Log debug to /var/log/ltm? 1=yes, 0=no
    set static::fw_debug 1
}
when CLIENT_ACCEPTED {
    if {$static::fw_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: destination:\
        [IP::local_addr]:[TCP::local_port]"}

    # Check the requested protocol (defined in /etc/protocols)
    switch [IP::protocol] {
        6 {
            # TCP
            # Do nothing, all other protocols will be disallowed
        }
        default {
            # Unmatched protocol
            if {$static::fw_debug} {log local0. "[IP::client_addr]: Disallowed protocol [IP::protocol]"}
            # Drop silently, or comment out drop and uncomment reject to send a reset instead
            drop
            #reject
            # Exit this event in this rule
            return
        }
    }

    # If we are still in the rule the protocol matched our allowed list
    # Check if the corresponding datagroup exists
    if {not [class exists fw_tcp_rules_class]} {
        # Datagroup does not exist! Fail closed and exit before the lookup below errors out
        log local0. "[IP::client_addr]:[TCP::client_port]: Datagroup fw_tcp_rules_class does not exist\
            for lookup to [IP::local_addr]:[TCP::local_port]!"
        # Drop silently, or comment out drop and uncomment reject to send a reset instead
        drop
        #reject
        return
    }

    # Do the datagroup lookup against the protocol specific datagroup
    # which maps source networks/hosts to allowed destination host:ports
    # (the value can hold several host:port entries separated by commas)
    set allowed_dest_list [split [class match -value [IP::client_addr] equals fw_tcp_rules_class] ","]

    # A client with no entry in the datagroup gets an empty list here
    # and is not restricted by this rule
    if {$allowed_dest_list ne ""} {
        if {[matchclass "[IP::local_addr]:[TCP::local_port]" equals $allowed_dest_list]} {
            # Destination host:port is allowed
            if {$static::fw_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: Allowing connection"}
        } else {
            # Destination host:port is not allowed
            if {$static::fw_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: Blocking connection"}
            # Drop silently, or comment out drop and uncomment reject to send a reset instead
            drop
            #reject
        }
    }
}

Aaron
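An offline model of the lookup hoolio's iRule performs, added here as an example and not part of the original post or of F5's code. It parses a datagroup written in the same class { ... } format, then evaluates a connection the way the CLIENT_ACCEPTED block does, so the edge cases can be checked without a BIG-IP: comma-separated values, a source with no entry (which the iRule leaves unrestricted), and a missing datagroup (dropped). The sample datagroup is constructed for this example with placeholder addresses, and it assumes that overlapping host/network entries resolve to the most specific match.

```python
"""Offline model of the source -> allowed destination host:port lookup."""
import ipaddress
import re

# Constructed sample in the post's datagroup format (placeholder addresses).
SAMPLE_DATAGROUP = """\
class fw_tcp_rules_class {
{
    host 10.1.1.2 { "192.168.1.1:3101" }
    host 10.1.1.3 { "192.168.1.1:3101,192.168.1.1:3102" }
    network 10.10.21.0/24 { "192.168.1.1:1212" }
    network 10.10.21.128/25 { "192.168.1.1:1213" }
}
}
"""

_ENTRY_RE = re.compile(r'^\s*(host|network)\s+(\S+)\s*\{\s*"([^"]*)"\s*\}')


def parse_datagroup(text):
    """Return [(ip_network, ["host:port", ...]), ...] from the class text."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if not m:
            continue  # class header, bare braces, blank lines
        kind, addr, value = m.groups()
        net = ipaddress.ip_network(addr if kind == "network" else addr + "/32",
                                   strict=False)
        # The iRule splits the value on ",", so one entry can allow several destinations
        dests = [d.strip() for d in value.split(",") if d.strip()]
        entries.append((net, dests))
    return entries


def lookup_allowed(entries, client_ip):
    """Mirror 'class match -value': the value of the most specific host/network
    containing client_ip, or None when nothing matches.
    Most-specific-match for overlapping entries is an assumption of this model."""
    ip = ipaddress.ip_address(client_ip)
    matches = [(net, dests) for net, dests in entries if ip in net]
    if not matches:
        return None
    _net, dests = max(matches, key=lambda m: m[0].prefixlen)
    return dests


def decide(entries, client_ip, dest_ip, dest_port):
    """Evaluate one connection the way the CLIENT_ACCEPTED block does.
    entries=None models a missing datagroup (the 'class exists' check)."""
    if entries is None:
        return "drop"  # datagroup missing: fail closed
    allowed = lookup_allowed(entries, client_ip)
    if allowed is None:
        # No entry for this source: the iRule's 'if {$allowed_dest_list ne ""}'
        # body is skipped, so the connection proceeds unrestricted
        return "unrestricted"
    return "allow" if f"{dest_ip}:{dest_port}" in allowed else "drop"


if __name__ == "__main__":
    rules = parse_datagroup(SAMPLE_DATAGROUP)
    for src, dst, port in [("10.1.1.2", "192.168.1.1", 3101),
                           ("10.1.1.2", "192.168.1.1", 1212),
                           ("10.10.21.200", "192.168.1.1", 1213),
                           ("172.16.0.1", "192.168.1.1", 3101)]:
        print(f"{src} -> {dst}:{port}: {decide(rules, src, dst, port)}")
```

The "unrestricted" outcome is worth noticing when reusing the rule: only sources that have a datagroup entry are constrained, so if every client should be limited, the sources that are not listed need their own handling.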