For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JasonC_40913's avatar
JasonC_40913
Icon for Nimbostratus rankNimbostratus
Jan 25, 2010

Route Back to the Original Server through VIP

Hello everyone,

 

 

I received a request on establishing a very simple (but looks stupid) connection, but I don't really know how to make it successful. Hope someone could help here.

 

 

Source: One of the Load Balanced servers

 

Source IP: its own real IP

 

 

Destination: This server itself

 

Destination IP: Load Balanced VIP

 

 

 

I tried to use the following iRule but cannot make it

 

 

when CLIENT_ACCEPTED {

 

if { ([IP::addr [IP::client_addr] equals *source_ip*]) and ([IP::addr [IP::local_addr] equals *destination_vip*]) } {

 

node *source_ip*}

 

}

 

 

I know the requester has some limitations on the application so that he must work this way. Any idea how to solve this puzzle?

 

application delivery
dev
devops
iRules

5 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 25, 2010
    Hi Jason,

     

     

    So you're trying to send the request to the source IP for specific requests? That rule looks okay for the most part. One question: Is the destination IP of the VIP a network? If not, why are you checking the local address?

     

     

    If you're forcing the load balance selection to the client IP address, you'll need to use source address translation to ensure the server replies back to itself through LTM. You can do this in the iRule using the 'snat automap' command in the same section as the node command.

     

     

    Aaron
  • JasonC_40913's avatar
    JasonC_40913
    Icon for Nimbostratus rankNimbostratus
    Jan 28, 2010
    Hi Aaron,

     

     

    Thanks for the reply and suggestion. I further fine tune the iRule like below

     

     

    when CLIENT_ACCEPTED {

     

    if { ([IP::addr [IP::client_addr] equals *source_ip*]) and ([matchclass [TCP::remote_port] equals 80]) } {

     

    node *source_ip*

     

    snat automap}

     

    }

     

     

    I tried to foward all port 80 traffic from this server back to itself, but it still could not work. Any idea? I tested it by using C:\telnet *VIP* 80
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 28, 2010
    You would only need to use matchclass if you wanted to check if the remote port was in a datagroup. Also, TCP::remote_port in a clientside event like CLIENT_ACCEPTED will return the client's source port. TCP::local_port will check the client's destination port.

    Can you try this: 

     
 when CLIENT_ACCEPTED { 
  
    log local0. "[IP::client_addr]:[TCP::client_port]: New connection to [IP::local_addr]:[TCP::local_port]" 
  
    if { ([IP::addr [IP::client_addr] equals 1.1.1.1]) and ([TCP::local_port] equals 80]) } { 
       log local0. "[IP::client_addr]:[TCP::client_port]: Matched IP/port check" 
       node [IP::client_addr] 
       snat automap 
    } 
 }

    Aaron
  • JasonC_40913's avatar
    JasonC_40913
    Icon for Nimbostratus rankNimbostratus
    Feb 05, 2010
    Thanks a lot Aaron!

     

    The rule works great and the user is extremely happy with that!

     

     

    I have learned a lot here too~~

     

     

    Thanks again!