Forum Discussion
Nick_68091
Nimbostratus
Feb 17, 2009
RPC iRule
All,
I am new to this for sure. I am trying to do an iRule that will allow RPC traffic to pass to a single VIP with one pool associated to it. I have tried the two iRules below with no success:
===================================
when CLIENT_ACCEPTED {
# Tcl needs the opening brace of each body on the same line as the condition.
if { [TCP::server_port] == 135 } {
forward
} elseif { [TCP::server_port] > 1023 and [TCP::server_port] < 65534 } {
forward
} else {
discard
}
}
==================================
when CLIENT_ACCEPTED {
if { [TCP::local_port] == 135 or \
( [TCP::local_port] >= 1024 and [TCP::local_port] < 65534 ) } {
forward
} else {
discard
}
}
==================================
Any ideas??
Thanks,
Nick
5 Replies
- hwidjaja_37598
Altostratus
What type of Virtual Server (or VIP) is this iRule applied to? Without this iRule applied, are you able to access the pool?
- hoolio
Cirrostratus
As Humphrey is hinting at, using the forward command will bypass load balancing and cause LTM to send the packets to the same IP and port that the client requested. So you wouldn't want to use this on a standard IP VIP if you want the request to be load balanced to the pool. If you are wanting to use a pool, you can change the iRule slightly:
when CLIENT_ACCEPTED {
if { [TCP::local_port] == 135 or \
( [TCP::local_port] >= 1024 and [TCP::local_port] < 65534 ) } {
# Do nothing. The default pool on the VIP will be used.
} else {
# Drop the packets.
discard
}
}
Aaron
- Nick_68091
Nimbostratus
Hoolio / Humphrey, I can't thank you guys enough. That makes perfect sense. Thanks a ton.
- Nick_68091
Nimbostratus
Guys, I must still be missing something, and my bad for not providing more details. I have a VIP set up for TCP 135 and I want the portmapper traffic to be allowed through, lest I create 65k VIPs. I applied what you mentioned, Hoolio, but I still can't get the portmapper ports (<1023) to pass through the LTM. Here is more detailed information:
[root@xxxxxxx:Active] / b virtual Exch_135_vs
VIRTUAL 10.10.1.100 UNIT 1
| ARP: enabled
| (cur, max, limit, tot) = (0, 81, 0, 2345)
| (pkts,bits) in = (40493, 62.77M), out = (41673, 259.2M)
+-> SERVER Exch_135_vs SERVICE 135
| PVA acceleration none
| (cur, max, limit, tot) = (0, 42, 0, 859)
| (pkts,bits) in = (3675, 3.378M), out = (3245, 3.682M)
| requests (total) = 649
+-> RULE Exch_rpc_test
| +-> CLIENT_ACCEPTED 1 total 0 fail 0 abort
+-> POOL Exch_135_pl LB METHOD round robin MIN/CUR ACTIVE MEMBERS: 0/2
| conns (cur, max, limit, tot) = (0, 7, 0, 110)
| (pkts,bits) in = (2021, 2.112M), out = (1802, 2.995M)
+-> POOL MEMBER Exch_135_pl/10.10.10.8:135 ACTIVE,UP SESSIONS ENABLED
| | priority 1 ratio 1 dynamic ratio 1
| | conns (cur, max, limit, tot) = (0, 4, 0, 30)
| | (pkts,bits) in = (1241, 1.433M), out = (1160, 2.186M)
| | requests (total) = 30
+-> POOL MEMBER Exch_135_pl/10.10.10.45:135 ACTIVE,UP SESSIONS ENABLED
| priority 1 ratio 1 dynamic ratio 1
| conns (cur, max, limit, tot) = (0, 3, 0, 80)
| (pkts,bits) in = (780, 678680), out = (642, 809248)
| requests (total) = 80
[root@xxxxxxx:Active] /
[root@xxxxxxx:Active] / b virtual Exch_135_vs list
virtual Exch_135_vs {
destination 10.10.1.100:135
snatpool Exch_135_sn_pl
ip protocol tcp
persist source_addr
pool Exch_135_pl
rule Exch_rpc_test
}
[root@xxxxxxx:Active] /
[root@xxxxxxx:Active] /
[root@xxxxxxx:Active] / b pool Exch_135_pl
POOL Exch_135_pl LB METHOD round robin MIN/CUR ACTIVE MEMBERS: 0/2
| conns (cur, max, limit, tot) = (0, 7, 0, 110)
| (pkts,bits) in = (2021, 2.112M), out = (1802, 2.995M)
+-> POOL MEMBER Exch_135_pl/10.10.10.8:135 ACTIVE,UP SESSIONS ENABLED
| | priority 1 ratio 1 dynamic ratio 1
| | conns (cur, max, limit, tot) = (0, 4, 0, 30)
| | (pkts,bits) in = (1241, 1.433M), out = (1160, 2.186M)
| | requests (total) = 30
+-> POOL MEMBER Exch_135_pl/10.10.10.45:135 ACTIVE,UP SESSIONS ENABLED
| priority 1 ratio 1 dynamic ratio 1
| conns (cur, max, limit, tot) = (0, 3, 0, 80)
| (pkts,bits) in = (780, 678680), out = (642, 809248)
| requests (total) = 80
[root@xxxxxxx:Active] / b pool Exch_135_pl list
pool Exch_135_pl {
monitor all tcp
member 10.10.10.8:135
member 10.10.10.45:135
}
[root@xxxxxxx:Active] /
[root@xxxxxxx:Active] / b snatpool Exch_135_sn_pl list
snatpool Exch_135_sn_pl {
member 10.1.1.55
}
[root@xxxxxxx:Active] /
Is this LTM aware of what the portmapped port is and then only allows the mapped port back through (in which case my testing is the problem, not the iRule)? Any ideas?
- hoolio
Cirrostratus
Do you want all traffic sent to the pool members on port 135 or the port that the client made the request to? If the latter, you'll need to change the pool members to listen on port 0 (any).
Also, if you're using a snatpool of 10.1.1.55 and you have a subnet more specific than 255.0.0.0, the pool members would need to have a route back to the BIG-IP for the snat IP. It might be better to use a SNAT address in the same subnet as the pool members (or use SNAT automap).
Aaron
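The port check from Aaron's reply written out as a complete iRule for the setup he describes, as an added example that is not part of the thread: it assumes the virtual server listens on port 0 (any) with pool members also on port 0, since a virtual bound only to :135 never sees the dynamic-port connections at all; the rule name, the log text and the configuration sketched in the comments are assumptions.

```tcl
# Added example (not from the thread). Assumed setup, in bigpipe syntax:
#   virtual Exch_rpc_vs { destination 10.10.1.100:0 ip protocol tcp snat automap pool Exch_rpc_pl rule Exch_rpc_filter }
#   pool Exch_rpc_pl { member 10.10.10.8:0 member 10.10.10.45:0 }
# A wildcard-port virtual with port-0 members keeps the client's destination
# port, so the endpoint mapper (135) and the dynamic ports it hands out reach
# the same members, and this rule decides which ports are let in.
when CLIENT_ACCEPTED {
    set port [TCP::local_port]
    if { $port == 135 or ( $port >= 1024 and $port < 65534 ) } {
        # Allowed: do nothing, the virtual server's default pool handles it.
    } else {
        # Anything else is dropped and logged to /var/log/ltm so blocked
        # connections are visible instead of silently disappearing.
        log local0. "RPC filter: dropped [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:$port"
        discard
    }
}
```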