John_Masgalas_4
Feb 22, 2008

smtp access control

We are testing a proof of concept of load balancing our smtp servers. It seems to be working fine except that the smtp servers see the bigip IP address instead of the client address. This is due to us using SNAT. This in turn takes the acl on the smtp servers completely out. So I wanted to see whether I could write an iRule to only accept certain clients. Something like the below:

If client ip matches (10.32.77.2, 10.32.77.84, 172.17.40.26)
    use pool (smtp_pool)
else reject

Now I am not good at writing iRules at all so I am not sure how to go about it. Can someone help me out?
  • Hi,

    You can use matchclass. Create a data group (class) with all the legitimate client IP addresses, then use an iRule to check whether the client IP address is within the data group; if it is not, drop it.

    class clientIP {
        1.1.1.1
        2.2.2.2
        3.3.3.3
    }

    when CLIENT_ACCEPTED {
        # Send clients listed in the clientIP data group to the pool
        if { [matchclass [IP::remote_addr] equals $::clientIP] } {
            pool smtp_pool
        } else {
            # Reset connections from any other source address
            reject
        }
    }

    regards,
    KY
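
The effect discussed in this thread, modelled offline in Python as an added example (it is not code from any poster and not F5 code): it shows why the SMTP servers' ACL stops working behind SNAT and why the allow-list has to be enforced on the BIG-IP. The SNAT address 192.0.2.10, the unlisted client 10.32.77.99 and all function names are constructed for illustration; the three allowed addresses come from the question.

```python
import ipaddress

# Allow-list taken from the question; the two values below are constructed.
ALLOWED_CLIENTS = ["10.32.77.2", "10.32.77.84", "172.17.40.26"]
SNAT_ADDRESS = "192.0.2.10"      # constructed: source address the pool members see
UNLISTED_CLIENT = "10.32.77.99"  # constructed: a host that is not on the allow-list


def parse_acl(entries):
    """Parse host or CIDR entries; strict=True rejects typos such as 10.32.77.2/24."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def permitted(addr, acl):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in acl)


def relay_allowed(client_ip, server_acl, bigip_acl=None, snat=True):
    """Decision for one connection: optional BIG-IP check, then the server's ACL."""
    if bigip_acl is not None and not permitted(client_ip, bigip_acl):
        return False  # corresponds to the iRule's reject branch
    seen_by_server = SNAT_ADDRESS if snat else client_ip
    return permitted(seen_by_server, server_acl)


def scenarios():
    clients = parse_acl(ALLOWED_CLIENTS)
    snat_only = parse_acl([SNAT_ADDRESS])
    listed = ALLOWED_CLIENTS[0]
    return {
        # Server ACL still lists the real clients: SNAT hides them, so mail stops.
        "old_acl_listed": relay_allowed(listed, clients),
        # Server ACL changed to trust the SNAT address, nothing on the BIG-IP:
        # every host that reaches the virtual server can relay.
        "snat_acl_unlisted": relay_allowed(UNLISTED_CLIENT, snat_only),
        # Allow-list enforced on the BIG-IP, server trusts only the SNAT address.
        "bigip_acl_listed": relay_allowed(listed, snat_only, bigip_acl=clients),
        "bigip_acl_unlisted": relay_allowed(UNLISTED_CLIENT, snat_only, bigip_acl=clients),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:20s} {'accept' if allowed else 'reject'}")
```
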
  • Hi Nat,

    I agree with you. A packet filter is another option, but you must be very careful when configuring a packet filter, because it might affect other traffic to other virtual servers.

    regards,
    KY