Forum Discussion
Request: Help with iRule for Wildcard SSH
Hi All,
Currently we have a SSH VIP for every single inside vlan. To remove the many SSH VIPs per inside vlan, I just want to have one WILDCARD SSH VIP, but I need an iRule to (1) permit client address x.x.x.x to destination network y.y.y.y:22 only and likewise permit client address a.a.a.a to b.b.b.b:22 only, etc. I don't want x.x.x.x to be able to access b.b.b.b:22 and a.a.a.a to have access to y.y.y.y:22. (2) Also need to SNAT the connections from the clients that are in the same subnet as the nodes.
I was able to apply the access restrictions to each SSH VIP per inside vlan with the following iRules.
1/ Permit specific source address
when RULE_INIT {
   # v1.0 - basic ACL.
   # October, 2007
   # Tested on BigIP version 9.4.
   #
   # Purpose:
   # Bind this rule to a network virtual server to simply allow or disallow traffic based on source IP.
   # This rule expects a datagroup named trustedAddresses that lists the addresses you wish to allow.
   # By default, traffic will be dropped.
}
when CLIENT_ACCEPTED {
   if { [matchclass [IP::client_addr] equals trustedAddresses] }{
      # Uncomment the line below to turn on logging.
      #log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
   } else {
      # Uncomment the line below to turn on logging.
      #log local0. "Invalid client IP: [IP::client_addr] - discarding"
      discard
   }
}
2/ Apply SNAT if the client is in the same subnet as the node.
when CLIENT_ACCEPTED {
   # Client sits in the 210.15.210.0/24 node subnet, so source-NAT it
   if {[IP::addr [IP::client_addr]/24 equals "210.15.210.0"] } {
      snat 210.15.210.77
   }
}
I guess with the SNAT issue, I can just add multiple IF...ELSE statements for each inside vlan, but not sure how to restrict access so that x.x.x.x only has access to y.y.y.y:22 and not to b.b.b.b:22.
Thanks,
Andy
2 Replies
- hoolio
Cirrostratus
Hi Andy,
You could create separate datagroups for each set of clients and servers and then use an iRule to check the source (IP::client_addr) and destination (IP::local_addr) host or network. So if a.a.a.a can access b.b.b.b, add a.a.a.a to an allowed clients datagroup and b.b.b.b to an allowed destinations datagroup. And if x.x.x.x can access z.z.z.z, then add those two hosts (or sets of hosts and/or networks) to two datagroups. You could then check each pair of datagroups in an if/elseif/else chain.
If you're on 10.1 you could use a new feature of address datagroups to specify the name of the destination host datagroup in a single clients datagroup:
http://devcentral.f5.com/Default.aspx?tabid=53&aft=1167195

class allowed_clients_class {
   {
      host 1.1.1.1 { "allowed_dest_a_class" }
      network 2.2.2.0/24 { "allowed_dest_a_class" }
      network 10.0.0.0/8 { "allowed_dest_c_class" }
      network 172.16.0.0/12 { "allowed_dest_b_class" }
      network 192.168.0.0/16 { "allowed_dest_c_class" }
   }
}

You could then check the client IP against this allowed_clients_class and then check the destination IP against the class value returned from the first search:

when CLIENT_ACCEPTED {
   # Look up the client IP in the allowed clients class
   # If found, get the corresponding destination class name
   set dest_class [class search -value allowed_clients_class equals [IP::client_addr]]

   # Check if there was a match in the clients class
   if {$dest_class ne ""}{
      # Check the destination host against the returned class name
      if {[class match [IP::local_addr] equals $dest_class]}{
         # Allowed source/destination pair, so exit the rule
         return
      }
   }
   # If we're still in the rule, it's an invalid source/destination IP pair, so reject the connection
   reject
}

If you want to enable SNAT automap dynamically you could use an iRule like this:
http://devcentral.f5.com/wiki/default.aspx/iRules/SelectiveSNAT.html

when LB_SELECTED {
   if {[IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"]} {
      snat automap
   }
}

Aaron
- hc_andy_35682
Nimbostratus
Thanks Aaron.
I will give the code you pasted a go.
Cheers.
Andy
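One iRule that combines the per-client destination check from Aaron's reply with the same-subnet SNAT from Andy's original rule, written as an added example that is not code from this thread. It assumes the wildcard SSH VIP is a forwarding (IP) virtual server, so IP::local_addr is the real node address and the SNAT decision can be made in CLIENT_ACCEPTED, and it assumes v10.1-style address datagroups named allowed_clients_class and allowed_dest_*_class laid out as in the reply.

```tcl
# Added example (not from the thread). Assumptions: forwarding virtual server
# listening on 0.0.0.0:0 or 0.0.0.0:22, datagroup allowed_clients_class whose
# value per client entry is the name of that client's allowed-destination class.
when CLIENT_ACCEPTED {
   # Only SSH is meant to pass through this wildcard VIP; drop anything else
   # early so a datagroup hit can never open another port.
   if { [TCP::local_port] != 22 } {
      log local0. "Denied [IP::client_addr] -> [IP::local_addr]:[TCP::local_port] (not SSH)"
      reject
      return
   }

   # Step 1: which destination class applies to this client?
   # class search -value returns "" when the client has no entry.
   set dest_class [class search -value allowed_clients_class equals [IP::client_addr]]
   if { $dest_class eq "" } {
      log local0. "Denied [IP::client_addr] -> [IP::local_addr]:22 (client not permitted)"
      reject
      return
   }

   # Step 2: is the destination inside that client's own class only?
   # Using the returned class name means x.x.x.x can never match b.b.b.b's list.
   if { ![class match [IP::local_addr] equals $dest_class] } {
      log local0. "Denied [IP::client_addr] -> [IP::local_addr]:22 (not in $dest_class)"
      reject
      return
   }

   # Step 3: allowed pair. If client and node share a /24 the node would answer
   # the client directly and bypass the BIG-IP, so source-NAT those connections.
   if { [IP::addr "[IP::client_addr]/24" equals "[IP::local_addr]/24"] } {
      snat automap
   }
}
```

The three reject branches each log the denied pair, so a single log search for "Denied" shows every cross-vlan SSH attempt the wildcard VIP refused.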