Forum Discussion
hc_andy_35682
Nimbostratus
Apr 11, 2010
Request: Help with iRule for Wildcard SSH
Hi All,
Currently we have an SSH VIP for every single inside vlan. To remove the many SSH VIPs per inside vlan, I just want to have one WILDCARD SSH VIP, but I need an iRule to (1) permit clien...
hoolio
Cirrostratus
Apr 12, 2010
Hi Andy,
You could create separate datagroups for each set of clients and servers and then use an iRule to check the source (IP::client_addr) and destination (IP::local_addr) host or network. So if a.a.a.a can access b.b.b.b, add a.a.a.a to an allowed clients datagroup and b.b.b.b to an allowed destinations datagroup. And if x.x.x.x can access z.z.z.z, then add those two hosts (or sets of hosts and/or networks) to two datagroups. You could then check each pair of datagroups in an if/elseif/else chain.
If you're on 10.1 you could use a new feature of address datagroups to specify the name of the destination host datagroup in a single clients datagroup:
http://devcentral.f5.com/Default.aspx?tabid=53&aft=1167195
class allowed_clients_class {
{
host 1.1.1.1 { "allowed_dest_a_class" }
network 2.2.2.0/24 { "allowed_dest_a_class" }
network 10.0.0.0/8 { "allowed_dest_c_class" }
network 172.16.0.0/12 { "allowed_dest_b_class" }
network 192.168.0.0/16 { "allowed_dest_c_class" }
}
}
You could then check the client IP against this allowed_clients_class and then check the destination IP against the class value returned from the first search:
when CLIENT_ACCEPTED {
   # Look up the client IP in the allowed clients class.
   # If found, get the corresponding destination class name.
   set dest_class [class search -value allowed_clients_class equals [IP::client_addr]]
   # Check if there was a match in the clients class
   if { $dest_class ne "" } {
      # Check the destination host against the returned class name
      if { [class match [IP::local_addr] equals $dest_class] } {
         # Allowed source/destination pair, so exit the rule
         return
      }
   }
   # If we're still in the rule, it's an invalid source/destination IP pair, so reject the connection
   reject
}
If you want to enable SNAT automap dynamically you could use an iRule like this:
http://devcentral.f5.com/wiki/default.aspx/iRules/SelectiveSNAT.html
when LB_SELECTED {
   # Client and selected pool member are on the same /24, so SNAT to keep
   # the return traffic flowing back through the BIG-IP
   if { [IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"] } {
      snat automap
   }
}
Aaron
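A way to sanity-check such a policy offline before loading it on the BIG-IP, as an added example that is not part of the post or of F5's code: a small Python model of the two-step datagroup check (the CLIENT_ACCEPTED rule) and of the same-/24 SNAT test (the LB_SELECTED rule). The allowed_clients_class entries are the ones from the post; the contents of the three allowed_dest_*_class datagroups are assumed, as is the longest-prefix-match semantics of the model's lookup (it only matters when datagroup entries overlap, which these do not). The test traffic at the bottom is constructed.

```python
import ipaddress

# Address datagroup from the post: client host/network -> name of the
# destination datagroup that client may reach.
ALLOWED_CLIENTS_CLASS = {
    "1.1.1.1/32": "allowed_dest_a_class",
    "2.2.2.0/24": "allowed_dest_a_class",
    "10.0.0.0/8": "allowed_dest_c_class",
    "172.16.0.0/12": "allowed_dest_b_class",
    "192.168.0.0/16": "allowed_dest_c_class",
}

# Destination datagroups. ASSUMED contents: the post names these classes
# but does not list what is in them.
DEST_CLASSES = {
    "allowed_dest_a_class": ["10.1.1.0/24"],
    "allowed_dest_b_class": ["10.2.0.0/16"],
    "allowed_dest_c_class": ["10.3.3.3/32", "10.4.0.0/16"],
}


def _best_match(entries, addr):
    """Return the (network, value) entry with the longest prefix containing addr,
    or None. ASSUMPTION: longest-prefix semantics; only relevant when entries
    overlap, which the datagroups above do not."""
    ip = ipaddress.ip_address(addr)
    best = None
    for entry, value in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, value)
    return best


def class_search_value(datagroup, addr):
    """Model of `class search -value <dg> equals <addr>`: the value stored with
    the matching entry, or "" when nothing matches (the iRule tests for "")."""
    hit = _best_match(datagroup.items(), addr)
    return hit[1] if hit else ""


def class_match(members, addr):
    """Model of `class match <addr> equals <dg>` for a datagroup without values."""
    return _best_match(((m, None) for m in members), addr) is not None


def check_pair(client_addr, local_addr):
    """Mirror the CLIENT_ACCEPTED logic. Returns (decision, dest_class), where
    decision is "allow" or "reject" and dest_class is what the first lookup gave."""
    dest_class = class_search_value(ALLOWED_CLIENTS_CLASS, client_addr)
    if dest_class == "":
        return "reject", dest_class   # client is in no allowed entry at all
    if class_match(DEST_CLASSES.get(dest_class, []), local_addr):
        return "allow", dest_class    # the iRule would `return` here
    return "reject", dest_class       # known client, destination not in its class


def needs_snat(client_addr, server_addr, prefixlen=24):
    """Mirror the LB_SELECTED rule: SNAT automap only when client and pool member
    share the same /24, since the server would otherwise answer the client
    directly and the return path would bypass the BIG-IP."""
    c = ipaddress.ip_network(f"{client_addr}/{prefixlen}", strict=False)
    s = ipaddress.ip_network(f"{server_addr}/{prefixlen}", strict=False)
    return c == s


if __name__ == "__main__":
    # Constructed test traffic: (client address, VIP address the client hit)
    for client, dest in [("2.2.2.5", "10.1.1.7"), ("2.2.2.5", "10.2.0.1"),
                         ("10.9.9.9", "10.4.1.1"), ("8.8.8.8", "10.1.1.7")]:
        print(client, "->", dest, *check_pair(client, dest))
    print("snat 10.1.1.5 -> 10.1.1.20:", needs_snat("10.1.1.5", "10.1.1.20"))
```

Running it prints one allow/reject line per constructed pair. One caveat worth keeping in mind with the SNAT part: once automap is applied, the pool member sees the BIG-IP self IP as the source, so the server's sshd logs no longer record the real client. The client/destination enforcement therefore belongs in CLIENT_ACCEPTED on the BIG-IP, where the original client address is still visible, rather than in host-based rules on the SSH servers.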