
Joe_Rindfleisch
Aug 30, 2011
Need iRule for specific sources to specific ports going to the same VS for proxy LB

Access control based on specific sources to specific ports going to the same VS for proxy LB

I found "Access Control Based On Network Or Host" http://devcentral.f5.com/wiki/iRule...rHost.ashx

It is the closest thing I've seen to what I need. I am very new to this and don't really understand the Tcl language or iRules in general. It seems this script references all of those sources and allows access to all of those ports on those destinations?

Our company has tons of security restrictions, so I would need to be specific, with certain sources only going to specific ports. This would always be going to the same destination, which is the F5 VIP of the proxy pool. Everything else would get denied.

We have proxy servers for which we want to create a wildcard virtual server that listens on all ports. Then we want to create/modify your script to specify which sources can access the VIP on which ports. We have about 100 forwarders that traverse the proxy and 75 SOCKS, FTP and SFTP connections.

I would also like to explicitly reference multiple sources (can I do this with "," or ";" instead of classes? It seems like it would be easier to put it all in the script than to have many classes; what are your thoughts on this?)

I'm thinking that for every source/port connection I copy and modify the code over and over, making sure to add granular descriptions of each one as I go. I just need to get the initial code together first before I can duplicate it for all my connections. I'm expecting this to be a very big file.

***

So as a sample for basic code I need to allow the following:

1. Blackberry servers for LB to proxy

Blackberry sources:
111.111.111.111
112.112.112.112
113.113.113.113

Port:
3101
(what if I wanted to add multiple ports, hypothetically 22?)

Destination:
F5 VIP of proxy pool

***

(I'm assuming there will be some if statement between each ACL)

***

2. Misc app servers for LB to proxy

Misc app sources:
114.114.114.114
115.115.115.115
116.116.116.116

Port:
1212

Destination:
F5 VIP of proxy pool

***

Then I would copy the above code for all my connections.

***

At the end I would deny everything else.

***

I don't think I need the admin_datagroup since all connections will be restricted.

Any help would be greatly appreciated. Kinda lost on this one.

Joe

14 Replies

  • hoolio
    Hi Joe,

    I think the previous format will work. Here's an example datagroup:

    
    class fw_tcp_rules_class {
       {
          host 10.1.1.2 { "192.168.1.1:3101" }
          host 10.1.1.3 { "192.168.1.1:3101" }
          host 10.1.1.4 { "192.168.1.1:3101" }
          host 10.1.1.5 { "192.168.1.1:3101" }
          network 10.10.21.0/24 { "192.168.1.1:1212" }
          network 10.10.22.0/24 { "192.168.1.1:1212" }
          network 10.10.23.0/24 { "192.168.1.1:1212" }
       }
    }

    And a slightly trimmed version of the iRule which checks the datagroup:

    
    when RULE_INIT {
       # Log debug to /var/log/ltm? 1=yes, 0=no
       set static::fw_debug 1
    }
    when CLIENT_ACCEPTED {
       if { $static::fw_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: destination:\
          [IP::local_addr]:[TCP::local_port]" }
       # Check the requested protocol (defined in /etc/protocols)
       switch [IP::protocol] {
          6 {
             # TCP
             # Do nothing, all other protocols will be disallowed
          }
          default {
             # Unmatched protocol
             if { $static::fw_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Disallowed protocol" }
             # Drop silently or reject with a RST? Use one or the other, not both
             #drop
             reject
             # Exit this event in this rule
             return
          }
       }
       # If we are still in the rule the protocol matched our allowed list
       # Check if the corresponding datagroup exists
       if { not [class exists fw_tcp_rules_class] } {
          # Datagroup does not exist! Fail closed and exit before the lookup below errors out
          log local0. "[IP::client_addr]:[TCP::client_port]: Datagroup fw_tcp_rules_class does not exist\
             for lookup to [IP::local_addr]:[TCP::local_port]!"
          # Drop or reject? Use one or the other
          #drop
          reject
          return
       }
       # Do the datagroup lookup against the protocol specific datagroup
       # which maps source networks/hosts to allowed destination host:ports
       set allowed_dest_list [split [class match -value [IP::client_addr] equals fw_tcp_rules_class] ","]
       if { $allowed_dest_list ne "" } {
          if { [matchclass "[IP::local_addr]:[TCP::local_port]" equals $allowed_dest_list] } {
             # Destination host:port is allowed
             if { $static::fw_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Allowing connection" }
          } else {
             # Destination host:port is not allowed
             if { $static::fw_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Blocking connection" }
             # Drop or reject? Use one or the other
             #drop
             reject
          }
       }
       # Note: a source that is not in the datagroup at all gets an empty list above,
       # so it leaves this event without a log line or a verdict
    }

    Aaron
  • So here's what I have found out.

    host and network need to be unique; if you have a host that is able to get to multiple ports you have to set your class like this:

    class fw_tcp_rules_class {
       {
          host 10.1.1.2 { "192.168.1.1:3101,1111,1112,11112" }
       }
    }

    Here are the other problems I'm having.

    1. If an IP is in the data class, the log shows whether the connection is being accepted or blocked.

    If the IP is not in the data class, it does show in the log but doesn't show whether it's blocking or allowing the connection.

    2. With the wildcard virtual server, when I try to connect to a port I'm not supposed to connect to, I'm expecting the following:

    Connecting To X.X.X.X...Could not open connection to the host, on port 1101:

    Connect failed.

    But it looks like it opens the connection, even if only to the F5, and then dies; I'm concerned that a DoS could try to eat up all the ports.

    I thought this was supposed to close the connection?
  • hoolio
    You'd actually need to list the destination IP and port for each destination:

    host 10.1.1.2 { "192.168.1.1:3101,192.168.1.1:1111,192.168.1.1:1112,192.168.1.1:11113" }

    TMM will complete a three-way handshake no matter what. You can either send a reset (with the reject command) or drop the connection table entry (with the drop command) using the iRule.

    Aaron
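A model of the lookup the posted rule performs, added here as a Python example (it is not code from the thread or from F5, and it cannot replace the iRule, which needs TMM to run): it parses a datagroup written in the host/network form hoolio shows, resolves a client address to its allowed destination list, and then checks the destination host:port. It covers the two failure modes raised in this exchange: a value that lists bare ports after the first "ip:port" element never matches a second port, and a source that is absent from the datagroup gets no list at all, which this model treats as a deny. The addresses are constructed, and the most-specific-entry-first ordering is an assumption about how address datagroup matching behaves.

```python
import ipaddress

# Constructed datagroup in the shape of fw_tcp_rules_class from the thread
# (all addresses here are illustrative, not from a real deployment).
FW_TCP_RULES_CLASS = {
    "host 10.1.1.2": "192.168.1.1:3101,192.168.1.1:22",
    "host 10.1.1.3": "192.168.1.1:3101",
    # the form from the second post: only the first element carries the IP,
    # so "192.168.1.1:1111" can never match it
    "host 10.1.1.4": "192.168.1.1:3101,1111,1112,11112",
    "network 10.10.21.0/24": "192.168.1.1:1212",
    "network 10.10.20.0/22": "192.168.1.1:8080",
}


def parse_datagroup(raw):
    """Turn 'host X' / 'network X/len' keys into ip_network objects.

    A bare host address becomes a /32 (or /128), so one containment test
    serves both entry types. strict=True makes a network key with host bits
    set fail loudly instead of silently matching the wrong range.
    """
    entries = []
    for key, value in raw.items():
        kind, addr = key.split()
        if kind not in ("host", "network"):
            raise ValueError(f"unknown entry type {kind!r}")
        net = ipaddress.ip_network(addr, strict=True)
        allowed = frozenset(item.strip() for item in value.split(",") if item.strip())
        entries.append((net, allowed))
    # Most specific entry first (assumed to mirror address datagroup matching).
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


RULES = parse_datagroup(FW_TCP_RULES_CLASS)


def lookup(rules, client_ip):
    """Return the allowed dest:port set for client_ip, or None if absent."""
    ip = ipaddress.ip_address(client_ip)
    for net, allowed in rules:
        if ip in net:
            return allowed
    return None


def decide(rules, client_ip, dest_ip, dest_port, ip_proto=6):
    """Mirror the CLIENT_ACCEPTED logic: protocol gate, source lookup,
    destination check. Returns (verdict, reason)."""
    if ip_proto != 6:
        return "reject", "disallowed protocol"
    allowed = lookup(rules, client_ip)
    if allowed is None:
        # The posted rule has no branch for this case; this model denies it.
        return "reject", "source not in datagroup"
    dest = f"{dest_ip}:{dest_port}"
    if dest in allowed:
        return "allow", "destination listed for source"
    return "reject", f"{dest} not in {sorted(allowed)}"


if __name__ == "__main__":
    for client, dport in [("10.1.1.2", 3101), ("10.1.1.4", 1111),
                          ("10.10.21.9", 1212), ("10.10.44.242", 3101)]:
        print(client, dport, decide(RULES, client, "192.168.1.1", dport))
```

The 10.1.1.4 entry is the one to try with port 1111: the bare "1111" in its value never equals "192.168.1.1:1111", which is why each element has to carry the destination IP as well as the port.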
  • Here is the problem I'm having.

    If an IP is in the data class, the log shows whether the connection is being accepted or blocked.

    If the IP is not in the data class, it does show in the log but doesn't show whether it's blocking or allowing the connection.

    Example of this:

    Here is an IP in the data class:

    Mon Sep 12 16:02:47 EDT 2011 info local/tmm1 tmm1[4578] Rule proxy-acl : 10.10.44.111:1202: destination: 10.10.10.31:3101

    Mon Sep 12 16:02:47 EDT 2011 info local/tmm1 tmm1[4578] Rule proxy-acl : 10.10.44.111:1202: Allowing connection

    Mon Sep 12 16:03:02 EDT 2011 info local/tmm tmm[4577] Rule proxy-acl : 10.10.44.111:1203: destination: 10.10.10.31:1111

    Mon Sep 12 16:03:02 EDT 2011 info local/tmm tmm[4577] Rule proxy-acl : 10.10.44.111:1203: Blocking connection

    Here is an IP not in the data class:

    Mon Sep 12 16:04:17 EDT 2011 info local/tmm tmm[4577] Rule proxy-acl : 10.10.44.242:2643: destination: 10.10.10.31:1111

    Mon Sep 12 16:04:47 EDT 2011 info local/tmm tmm[4577] Rule proxy-acl : 10.10.44.242:2649: destination: 10.10.10.31:3101

    Do I need another log statement to get whether the unmatched IP is being accepted or blocked?
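A triage helper for the question this post ends on, added here as a Python example (not from the thread or from F5): it parses the /var/log/ltm lines the rule emits, keys them by client ip:port (the only flow identifier the rule logs), and lists the flows that got a destination line but no Allowing/Blocking verdict. With the rule as posted, those are exactly the sources the datagroup does not contain: the class match returns an empty list, the if branch is skipped, and the connection continues without a log line saying so. The log text below is the six lines from this post, embedded as constructed test input; the rule name and message prefixes are taken from the posted rule.

```python
import re
from collections import OrderedDict

# The six log lines from the post above, embedded as constructed test input.
LOG_LINES = """\
Mon Sep 12 16:02:47 EDT 2011 info local/tmm1 tmm1[4578] Rule proxy-acl : 10.10.44.111:1202: destination: 10.10.10.31:3101
Mon Sep 12 16:02:47 EDT 2011 info local/tmm1 tmm1[4578] Rule proxy-acl : 10.10.44.111:1202: Allowing connection
Mon Sep 12 16:03:02 EDT 2011 info local/tmm tmm[4577] Rule proxy-acl : 10.10.44.111:1203: destination: 10.10.10.31:1111
Mon Sep 12 16:03:02 EDT 2011 info local/tmm tmm[4577] Rule proxy-acl : 10.10.44.111:1203: Blocking connection
Mon Sep 12 16:04:17 EDT 2011 info local/tmm tmm[4577] Rule proxy-acl : 10.10.44.242:2643: destination: 10.10.10.31:1111
Mon Sep 12 16:04:47 EDT 2011 info local/tmm tmm[4577] Rule proxy-acl : 10.10.44.242:2649: destination: 10.10.10.31:3101
"""

# Matches the part of the line the iRule writes: rule name, client ip:port,
# then the free-text message from the log command.
LINE_RE = re.compile(
    r"Rule (?P<rule>\S+) : (?P<client>\d{1,3}(?:\.\d{1,3}){3}:\d+): (?P<msg>.*)$"
)


def correlate(text):
    """Group lines by client ip:port and record destination and verdict.

    Returns an ordered mapping {client: {"destination": str or None,
    "verdict": "allow" | "block" | None}} in first-seen order.
    """
    flows = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not one of the rule's log lines
        flow = flows.setdefault(m["client"], {"destination": None, "verdict": None})
        msg = m["msg"]
        if msg.startswith("destination: "):
            flow["destination"] = msg[len("destination: "):]
        elif msg.startswith("Allowing"):
            flow["verdict"] = "allow"
        elif msg.startswith(("Blocking", "Disallowed protocol")):
            flow["verdict"] = "block"
    return flows


def flows_without_verdict(text):
    """Flows the rule saw but never decided on, as (client, destination)."""
    return [(client, f["destination"])
            for client, f in correlate(text).items() if f["verdict"] is None]


if __name__ == "__main__":
    for client, dest in flows_without_verdict(LOG_LINES):
        print(f"no verdict: {client} -> {dest}")
```

One caveat on the keying: a client's ephemeral port is reused over time, so ip:port only identifies a flow within a short window; run this over a bounded slice of the log (or include the timestamp in the key) rather than over days of output.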