Forum Discussion
Packet filter does not work
Hi All,
I have implemented a packet filter to block access to a VS from all IP addresses except one. I tried the same through an iRule. But it did not seem to work. Here is the iRule:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals x.x.x.x] } {
        drop
        return
    }
}
When I tried doing the same with a packet filter, I created a rule which says
"action: accept" for "source ip: x.x.x.x" and "destination ip: (the IP for that virtual service)".
This should allow only the IP x.x.x.x to access the virtual service. But all IPs have access to the virtual service, and it looks like the rule is not implemented correctly. Can someone help me with this?
Thanks and Regards,
Geethanjali
15 Replies
- nitass
Employee
this is mine.

[root@ve10:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
}
[root@ve10:Active] config b packet filter list
packet filter {
   allow trusted {}
}
packet filter Allow_192.168.206.57 {
   order 5
   action accept
   vlan external
   log enable
   filter { ( src host 192.168.206.57 ) and ( dst host 172.28.19.79 ) }
}
packet filter Deny_All {
   order 10
   action reject
   vlan external
   log enable
   filter { ( dst host 172.28.19.79 ) }
}
[root@ve10:Active] config tail /var/log/pktfilter
Oct 25 11:24:14 local/tmm notice tmm[7926]: 01250004:5: Deny_All (2): reject on external, len: 74 [IPv4 60 172.28.20.11 -> 172.28.19.79 TCP 59195 -> 80 S]
Oct 25 11:24:21 local/tmm notice tmm[7926]: 01250002:5: Allow_192.168.206.57 (88): accept on external, len: 66 [IPv4 52 192.168.206.57 -> 172.28.19.79 TCP 63782 -> 80 S]
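To make the point of nitass's config concrete, here is an added Python simulation (not code from the thread or from F5) of first-match evaluation over those two packet-filter rules, using the client IPs from the pktfilter log. It assumes rules are checked in "order", the first match decides, and a packet matching no rule falls through to an assumed default of accept; it shows why the single accept rule in the original question lets every client through, and why the ordered Deny_All rule fixes it.

```python
# Added example, not from the thread: first-match simulation of the ordered
# packet-filter rules nitass posted. Assumptions: rules are evaluated by
# "order", the first matching rule decides, and a packet that matches no rule
# gets the "unhandled" default, assumed here to be accept.
from ipaddress import ip_address

VS_IP = "172.28.19.79"  # destination virtual server from the thread

# Each rule: (order, name, action, src_host or None, dst_host or None)
ALLOW_ONE = (5, "Allow_192.168.206.57", "accept", "192.168.206.57", VS_IP)
DENY_ALL = (10, "Deny_All", "reject", None, VS_IP)


def matches(rule, src, dst):
    """True if the packet satisfies every host clause of the rule's filter."""
    _, _, _, rule_src, rule_dst = rule
    if rule_src is not None and ip_address(src) != ip_address(rule_src):
        return False
    if rule_dst is not None and ip_address(dst) != ip_address(rule_dst):
        return False
    return True


def evaluate(rules, src, dst, unhandled="accept"):
    """Return (rule_name, action) of the first matching rule, lowest order first."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if matches(rule, src, dst):
            return rule[1], rule[2]
    return "unhandled", unhandled


def decisions(rules, clients):
    """Map each client IP to the verdict it gets when reaching VS_IP."""
    return {c: evaluate(rules, c, VS_IP)[1] for c in clients}


if __name__ == "__main__":
    # Client IPs taken from the pktfilter log lines above
    clients = ["192.168.206.57", "172.28.20.11"]
    print("accept rule only:", decisions([ALLOW_ONE], clients))
    print("accept + deny   :", decisions([ALLOW_ONE, DENY_ALL], clients))
```

With only the accept rule, 172.28.20.11 never matches anything and is passed by the default; adding Deny_All at a higher order number rejects it while the allowed host still hits the accept rule first.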
- What_Lies_Bene1
Cirrostratus
In case it's not clear, nitass is saying you need two packet filters: one to allow the host you want to, one to deny everything else.
- What_Lies_Bene1
Cirrostratus
Great. There's a couple of ways you can do this. For pure simplicity you could just modify the if statement:

if { ( ! [IP::addr [IP::client_addr] equals x.x.x.x] ) and
     ( ! [IP::addr [IP::client_addr] equals y.y.y.y] ) and
     ( ! [IP::addr [IP::client_addr] equals z.z.z.z] ) } {
    # client is none of the allowed hosts
    drop
    return
}

But the best way would be to use a Data Group and reference that. I'm sure nitass will be along with an example any minute!
- nitass
Employee
e.g.

[root@ve10:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
}
[root@ve10:Active] config b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
      if { ! [class match -- [IP::client_addr] equals ip_class] } {
         log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
         reject
      }
   }
   when SERVER_CONNECTED {
      log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
   }
}
[root@ve10:Active] config b class ip_class list
class ip_class {
   {
      host 172.28.19.251
      host 192.168.206.57
   }
}
[root@ve10:Active] config tail -f /var/log/ltm
Oct 25 22:57:44 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59229 -> 172.28.19.79:80
Oct 25 22:57:53 local/tmm info tmm[7926]: Rule myrule : Allow 192.168.206.57:65000 -> 172.28.19.79:80 -> 200.200.200.101:80
Oct 25 22:58:12 local/tmm info tmm[7926]: Rule myrule : Allow 172.28.19.251:37085 -> 172.28.19.79:80 -> 200.200.200.101:80
- What_Lies_Bene1
Cirrostratus
Told ya!
- Geethanjali_321
Nimbostratus
Thanks again. You guys are awesome! But I am still stuck with errors...
config b virtual bar list
When I type this in the iRule editor in the configuration utility, I am getting this error!!!
01070151:3: Rule [/Common/New_Rule] error:
I am really sorry if I ask lame questions. I am new to these codes. So, please help me out to learn and implement this...
Thanks and Regards,
Geethanjali
- What_Lies_Bene1
Cirrostratus
Assuming you are using the GUI, you should only paste this into the text box for the new iRule:

when CLIENT_ACCEPTED {
   if { ! [class match -- [IP::client_addr] equals ip_class] } {
      log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      reject
   }
}
when SERVER_CONNECTED {
   log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
}
- What_Lies_Bene1
Cirrostratus
You're welcome, glad it's all good.
- Geethanjali_321
Nimbostratus
Now that everything is working successfully, I have a question regarding the code I put into the load balancer...

when CLIENT_ACCEPTED {
   if { ! [class match -- [IP::client_addr] equals ip_class] } {
      log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      reject
   }
}
when SERVER_CONNECTED {
   log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
}

In this code, may I know what this "log local0." signifies? I guess it should be a log; in that case, where can I find the log? If my guess is wrong, I would like to know what it means in the code.
Thanks and Regards,
Geethanjali
- nathe
Cirrocumulus
Geethanjali