Forum Discussion
krelm_52303
Nov 18, 2009 (Nimbostratus)
Simple IP & Port Forwarding irule
I'm moving some dumb port-forwarding function from a proxy server to the LTM, and want to write an irule to facilitate this. No authentication or anything fancy - just direct translation of dest IP : Port, based on the IP : Port the request was received on. So...
Port Forward IP range - 10.10.10.0/24 (all client connections go direct to this IP range).
Destination 10.10.10.1:8080 - forward to 192.168.1.1:8080
Destination 10.10.10.2:9001 - forward to 192.168.2.1:80
Destination 10.10.10.3:1111 - forward to 172.16.1.10:1234
etc.
Also, the LB needs to use a particular SNAT when sending out, but presume I just add this to the VIP config, not in an irule?
Do I need to add each forwarded IP : Port as an individual pool, or can I just forward the connection somehow directly via the irule? No need for health monitoring of the destinations, so I'd rather not mess up the webgui with 50+ pools when I don't care about balancing or stats etc.
I have approx 50 port forwarding rules on the proxy, and would love to simplify this and future additions like it by using a data class group somehow.
Any pointers appreciated (version 9.2)
- hoolio (Cirrostratus): You're running 9.2?! You should upgrade when you have a chance as that is old and unsupported. 9.4.x or 10.x have a lot of stability and security enhancements over 9.2.

    when RULE_INIT {
       # Replace this test TCL list with a "string" type datagroup and then delete the RULE_INIT event
       set ::destination_translations_class [list \
          "10.2.135.100:80 192.168.135.100:8080" \
          "10.2.135.101:8080 192.168.135.101:8888" \
       ]
    }
    when CLIENT_ACCEPTED {
       log local0. "[IP::client_addr]:[TCP::client_port]: New TCP connection to [IP::local_addr]:[TCP::local_port]"
       # Look up the destination address:port in a datagroup
       set dest [findclass [IP::local_addr]:[TCP::local_port] $::destination_translations_class " "]
       log local0. "[IP::client_addr]:[TCP::client_port]: Matched \$dest: $dest"
       # Check if there was a match
       if {$dest ne ""} {
          log local0. "[IP::client_addr]:[TCP::client_port]: Using node [getfield $dest ":" 1] [getfield $dest ":" 2]"
          # Set the destination IP and port using the node command (address and port are separate arguments)
          node [getfield $dest ":" 1] [getfield $dest ":" 2]
       }
    }
- krelm_52303 (Nimbostratus): Excellent - really appreciate your help Hoolio. I'll set this up in the lab and let you know how I get on. Hadn't come across the "node" command before, so good to learn something new. I always do on this forum!
- krelm_52303 (Nimbostratus): One more thing - how would I best add an access-list type function too, to verify the source host or network is also matched/allowed before forwarding? Some destinations have 3 or 4 allowed hosts, others no restriction. Data classes for each destination with allowed hosts/networks in it maybe?
- The_Bhattman (Nimbostratus): Take a look at matchclass
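One way to combine the destination translation with a per-destination source access list, as an added example that is not hoolio's or The_Bhattman's code: a second string datagroup maps each destination IP:port to the name of an address datagroup holding its allowed sources, and matchclass checks the client address against it before the node command is used. The datagroup names, the addresses and the `[set ::$acl_name]` indirection are assumptions; destinations with no entry in the ACL map are left unrestricted, as the question asks.

```tcl
when RULE_INIT {
   # Constructed test data. In production, replace these Tcl lists with
   # datagroups (string type for the two maps, address type for each ACL)
   # and delete this RULE_INIT event.
   # destination IP:port -> forwarding target IP:port
   set ::destination_translations_class [list \
      "10.10.10.1:8080 192.168.1.1:8080" \
      "10.10.10.2:9001 192.168.2.1:80" \
   ]
   # destination IP:port -> name of the address datagroup holding its
   # allowed sources. Destinations missing from this map are unrestricted.
   set ::destination_acl_class [list \
      "10.10.10.1:8080 acl_10_10_10_1_8080" \
   ]
   # Allowed source hosts/networks for 10.10.10.1:8080 (hypothetical values).
   # Network entries only match when this is a real address-type datagroup,
   # not a plain Tcl list.
   set ::acl_10_10_10_1_8080 [list "10.20.30.0/24" "10.1.1.5"]
}
when CLIENT_ACCEPTED {
   set key "[IP::local_addr]:[TCP::local_port]"
   set dest [findclass $key $::destination_translations_class " "]
   if {$dest eq ""} {
      # No forwarding rule for this destination: drop the connection
      log local0. "[IP::client_addr]:[TCP::client_port]: no rule for $key, rejecting"
      reject
      return
   }
   # Find the ACL datagroup for this destination, if one is configured
   set acl_name [findclass $key $::destination_acl_class " "]
   if {$acl_name ne ""} {
      # matchclass against an address-type datagroup matches single hosts
      # and networks; [set ::$acl_name] dereferences the datagroup by name
      if {[matchclass [IP::client_addr] equals [set ::$acl_name]] == 0} {
         log local0. "[IP::client_addr]:[TCP::client_port]: source not allowed for $key, rejecting"
         reject
         return
      }
   }
   log local0. "[IP::client_addr]:[TCP::client_port]: $key -> $dest"
   # Address and port are separate arguments to the node command
   node [getfield $dest ":" 1] [getfield $dest ":" 2]
}
```

Rejected connections are logged with the client and destination so that denied sources can be reviewed in the LTM log.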