Forum Discussion
Need iRule for specific sources to specific ports going to the same VS for proxy LB
Access control based on specific sources to specific ports going to the same VS for proxy LB
Our company has tons of security restrictions so I would need to be specific with certain sources only going to specific ports. This would always be going to the same destination, which is the F5 VIP of proxy pool. Everything else would get denied.
We have proxy servers that we want to create a wild card virtual server which listens for all ports. Then we want to create\modify your script to specify which sources can access the vip on which ports. We have about 100 forwarders that traverse the proxy and 75 socks, ftp & sftp connections.
I would also like to explicitly reference multiple sources (can I do this with “,” or “;” instead of classes? Seems like it would be easier to put it all in the script then have many classes –what are your thoughts on this?)
I’m thinking for every source\port connection I copy and modify the code over and over, making sure to add granular descriptions of each one as I go. I just need to get the initial code together first before I can duplicate it for all my connections. I’m expecting this to be a very big file.
***
So as a sample for basic code I need to allow the following:
1. Blackberry Servers for LB to proxy
Blackberry sources:
111.111.111.111
112.112.112.112
113.113.113.113
Port:
3101
(what if I wanted to add multiple ports –hypothetically 22)
Destination:
F5 VIP of Proxy pool
***
(I’m assuming there will be some if statement between each acl)
***
2. Misc App Servers for LB to proxy
Misc app sources:
114.114.114.114
115.115.115.115
116.116.116.116
Port:
1212
Destination:
F5 VIP of Proxy pool
***
Then I would copy the above code for all my connections
At the end I would deny everything else.
***
I don’t think I need the admin_datagroup since all connections will be restricted.
14 Replies
- Joe_Rindfleisch
Nimbostratus
I just received this from my SE.
But I would also need to specify networks also.
Is this the best approach for what I need?
iRule for VIP any to restrict ports and IPs allowed.
There are two look-ups here, first the port, and then for that port number you must match the source IP address.
There are multiple ways of doing it but, the simplest in terms of design and maintenance is to create one STRING type class (data-group) as follows:

Key | Value
443:10.0.1.2 | ""
443:11.1.1.4 | ""
443:12.1.1.4 | ""
8080:12.0.1.2 | ""
8080:13.1.1.4 | ""
8080:14.1.1.4 | ""

Internal class:

```
class port_to_IP_whitelist {
    {
        "443:10.0.1.2" { "" }
        "443:11.0.1.3" { "" }
        "8080:10.0.1.2" { "" }
        "8080:11.0.1.3" { "" }
        "8081:14.0.1.2" { "" }
        "8081:15.0.1.3" { "" }
    }
}
```

External class:
Create file as below.
File saved here: /config/port_to_IP_whitelist.dat
Contents of file:

```
"443:10.0.1.2" := "",
"443:11.0.1.2" := "",
"8080:12.0.1.2" := "",
"8080:13.0.1.2" := "",
"8081:14.0.1.2" := "",
"8081:15.0.1.2" := "",
```

Configure external class via GUI, the following shows in the config file:

```
class port_to_IP_whitelist {
    type string
    filename port_to_IP_whitelist.dat
}
```

Here is the iRule which matches that design:

```tcl
when CLIENT_ACCEPTED {
    # Key is "<destination port>:<source IP>", matching the class entries above
    set search_key "[TCP::local_port]:[IP::client_addr]"
    # class match tests whether the key is present; class lookup would return
    # the entry's value, which is "" for every row and is not a boolean
    if { ![class match $search_key equals port_to_IP_whitelist] } {
        log local0. "Search key $search_key not in whitelist. Rejecting connection."
        discard
        event disable all
        return
    }
}
```
- Michael_Yates
Nimbostratus
Hi Joe,
I am glad to see that you got the solution to your problem.
Thank you for posting your solution. Others that have similar problems will probably find it very helpful.
As you pointed out there are numerous ways to do this, some more efficient than others. What it comes down to more than anything is how supportable your solution is for you and the others that you work with.
You could build everything into one large iRule, but you start to lose efficiency when you do this, which is why most people favor classes. An additional advantage when using classes is that the iRule does not have to be altered at all when adding and removing qualifying IP Addresses / Ranges or Ports.
- Joe_Rindfleisch
Nimbostratus
In the above scenario, is there a way to add networks?
- hoolio
Cirrostratus
Not really. Your SE gave you a novel solution. But the shortcoming is that it doesn't support the native network parsing of an address type datagroup.
Another approach would be to create a separate set of datagroups per protocol. This will support source networks, but not destination networks. If you want destination network support, I think you'd need to change datagroups with one source network datagroup which points to other destination datagroups.

```
class fw_icmp_rules_class {
    {
        network 10.10.14.0/24 { "8.8.8.8:8,4.2.2.2:8,4.2.2.1:8" }
        network 10.11.14.0/24 { "4.2.2.4:8,4.2.2.3:8,4.2.2.2:8,4.2.2.1:8" }
        network 10.12.14.0/24 { "203.8.183.1:8" }
    }
}
class fw_tcp_rules_class {
    {
        network 10.10.14.0/24 { "63.166.98.107:80,1.2.3.4:80,1.2.3.4:443" }
        network 10.11.14.0/24 { "63.166.98.107:80,1.2.3.4:80,1.2.3.4:443" }
    }
}
class fw_udp_rules_class {
    {
        network 10.10.14.0/24 { "4.2.2.1:53,4.2.2.2:53,4.2.2.3:53" }
        network 10.11.14.0/24 { "8.8.8.8:53,4.2.2.1:53,4.2.2.2:53,4.2.2.3:53" }
    }
}
```

You can then use the class command to do the network lookup with the -value flag to get the list of destinations that are allowed. You could then call matchclass (yes, the old command) to match against that list.
Here's an example:

```tcl
when RULE_INIT {
    # Log debug to /var/log/ltm? 1=yes, 0=no
    set static::fw_debug 1
}
when CLIENT_ACCEPTED {
    # The protocol is not known yet, so only the addresses are logged here
    if { $static::fw_debug } { log local0. "[IP::client_addr]: destination: [IP::local_addr]" }

    # Check the requested protocol (defined in /etc/protocols)
    switch [IP::protocol] {
        1 {
            # ICMP
            set proto icmp
        }
        6 {
            # TCP
            set proto tcp
        }
        17 {
            # UDP
            set proto udp
        }
        default {
            # Unmatched protocol
            if { $static::fw_debug } { log local0. "[IP::client_addr]: Disallowed protocol" }
            # Drop?
            #drop
            # Reject?
            reject
            # Exit this event in this rule
            return
        }
    }
    # The TCP:: port commands below are only valid on TCP connections; the ICMP
    # and UDP branches need their protocol's equivalents before this rule can
    # be applied to them.
    if { $static::fw_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Protocol: $proto" }

    # If we are still in the rule the protocol matched our allowed list
    # Check if the corresponding datagroup exists
    if { not [class exists fw_${proto}_rules_class] } {
        # Datagroup does not exist!
        log local0. "[IP::client_addr]:[TCP::client_port]: Datagroup fw_${proto}_rules_class does not exist\
            for lookup to [IP::local_addr]:[TCP::local_port]!"
        # Drop?
        #drop
        # Reject?
        reject
        # Exit here, or the lookup below would fail on the missing datagroup
        return
    }

    # Do the datagroup lookup against the protocol specific datagroup which maps
    # source networks/hosts to allowed destination host:ports
    set allowed_dest_list [split [class match -value [IP::client_addr] equals fw_${proto}_rules_class] ","]
    if { $allowed_dest_list ne "" } {
        if { [matchclass "[IP::local_addr]:[TCP::local_port]" equals $allowed_dest_list] } {
            # Destination host:port is allowed
            if { $static::fw_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Allowing connection" }
        } else {
            # Destination host:port is not allowed
            if { $static::fw_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Blocking connection" }
            # Drop?
            #drop
            # Reject?
            reject
        }
    } else {
        # Source is not in the datagroup at all: fail closed rather than letting
        # an unlisted source through
        if { $static::fw_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Source not in fw_${proto}_rules_class, blocking" }
        reject
    }
}
```
Aaron
- Joe_Rindfleisch
Nimbostratus
That looks like it would work for me.
But
all of my forwarding, SOCKS, FTP, SFTP connections will be protocol 6 (TCP).
I will not need other classes based on protocol.
Is there a way for me to manage all of these source\port connections by creating classes in some meaningful way?
Maybe by:
customer connections
or
by type of connection (FWD, SOCKS, SFTP, FTP)
or the most granular
by port (listing all sources that can get to those ports)
Would be best if I didn't have to modify the iRule, just add classes with a name that will cause it to match within the rule.
I could just keep this:

```tcl
6 {
    # TCP
    set proto tcp
}
```

and put all in one tcp class (not sure how manageable or scalable it will be?)
- Joe_Rindfleisch
Nimbostratus
It posted twice!
- hoolio
Cirrostratus
Hi Joe,
Can you give me a dozen or so lines of sample firewall rules you'd like to implement? Can you note where you'd like to support networks in addition to single hosts? Here's an example of what I'm looking for:
source | port -> destination | port
any | any -> any | 80
host | any -> net1 | 22
host | any -> net2 | 22
net3 | any -> net5 | 8080
net4 | any -> net6 | 8080
net7 | any -> host | 24
net8 | any -> host | 24
Aaron
- Joe_Rindfleisch
Nimbostratus
Destination will always be the wild card virtual server VIP.
source | port -> destination | port
blackberry
10.1.1.1.2,10.1.1.1.3,10.1.1.1.4,10.1.1.1.5|3101->192.168.1.1|3101
app-1
10.10.21.0/24,10.10.22.0/24,10.10.23.0/24|1212->192.168.1.1|1212
app-2
10.10.24.0/24,10.10.25.0/24,10.10.26.0/24|1027,2022->192.168.1.1|1027,2022
app-80
10.10.40.0/24,10.10.41.0/24,10.10.42.10,10.10.42.11,10.10.42.11,10.10.42.12|3333->192.168.1.1|3333
SOCKS (proxy just needs to get the 1080 traffic it will send out correct port as it traverses it)
10.10.50.0/24,10.10.51.10|1080->192.168.1.1|1080
FTP
10.10.60.0/24,10.10.61./24,10.10.62.10|20,21->192.168.1.1|20,21
Again, thanks for the help
- Joe_Rindfleisch
Nimbostratus
another double post :-(
- Joe_Rindfleisch
Nimbostratus
Let me know if you need more lines of code. Also, would there be a chance to use hostnames and RegEx to provide a little flexibility in adding rules? Just smack me on the head if I'm going overboard ;-)
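One rule that fits the requirement stated in this thread (TCP only, source hosts and networks side by side, one class per destination port, everything else denied) without copying the code per connection. This is an added example, not code from the thread, the SE or F5: the class naming scheme allow_tcp_<port> and the static::acl_debug flag are assumptions, the members are taken from the rule list above, and the Blackberry hosts are shortened to valid four-octet placeholder addresses.

```tcl
# Data groups: one address-type class per allowed destination port (names are an
# assumption for this example). Address-type classes hold both hosts and networks.
#
#   class allow_tcp_3101 { { host 10.1.1.2  host 10.1.1.3 } }           ;# placeholders
#   class allow_tcp_1212 { { network 10.10.21.0/24  network 10.10.22.0/24 } }
#   class allow_tcp_1027 { { network 10.10.24.0/24  network 10.10.25.0/24 } }
#   class allow_tcp_2022 { { network 10.10.24.0/24  network 10.10.25.0/24 } }
#   class allow_tcp_1080 { { network 10.10.50.0/24  host 10.10.51.10 } }
#   class allow_tcp_21   { { network 10.10.60.0/24  host 10.10.62.10 } }
#
# A new port is a new class named allow_tcp_<port>; a new source is a new host or
# network member in an existing class. The rule itself never changes.
when RULE_INIT {
    # Log every decision to /var/log/ltm (1) or stay quiet (0)
    set static::acl_debug 1
}
when CLIENT_ACCEPTED {
    # The wildcard VS only carries TCP (forwarders, SOCKS, FTP, SFTP). Check this
    # before touching any TCP:: command, which is invalid on other protocols.
    if { [IP::protocol] != 6 } {
        reject
        return
    }
    set src "[IP::client_addr]:[TCP::client_port]"
    set dst "[IP::local_addr]:[TCP::local_port]"
    set dg  "allow_tcp_[TCP::local_port]"

    # No class for this destination port means no rule allows it: default deny
    if { ![class exists $dg] } {
        if { $static::acl_debug } { log local0. "$src -> $dst: no class $dg, rejecting" }
        reject
        return
    }

    # class match on an address-type class handles single hosts and CIDR
    # networks alike, so the per-port class is the whole access list
    if { [class match [IP::client_addr] equals $dg] } {
        if { $static::acl_debug } { log local0. "$src -> $dst: allowed by $dg" }
    } else {
        if { $static::acl_debug } { log local0. "$src -> $dst: source not in $dg, rejecting" }
        reject
    }
}
```

The rejected path is logged with the source, destination and class name so a denied connection can be traced to the missing class or member rather than to the rule.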