For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

anuj_2931's avatar
anuj_2931
Icon for Nimbostratus rankNimbostratus
Aug 13, 2012

SNAT irule question

Hi Guys,

On a Virtual server, which has apache servers as pool memebers, we have snat enabled on it. The servers are in 192.168.14.0/24 subnet. The other subnet in our network is192.168.10.0. The f5 ltm has floating IP's in for both subnets.

Now I want to remove SNAT because, we want to get client IP's which come over the internet to access our webservers.

Currently on our apache server, the default gateway is set as 192.168.14.1 (edge firewall).

This is my plan to make this happen. Please let me know if this looks good.

1. Remove SNAT on virtual server.

2. Add irule which does "snat automap" if the client is local 192.168.10.0/24 and 14.0/24. Otherwise just forward.

when CLIENT_ACCEPTED {

    check if client_addr = any in the class
   if { [matchclass [IP::client_addr] equals $::Hosts]} {

     
         snat automap

      } else {
          don't do any source address translation
         forward
      }
}
3. Add default gateway as 14.236 (floating ip of LTM). Add static routes for 10.0/24 and 14.0/24
pointing to fiewall (14.1).
Do you think this will work.

application delivery
dev
devops
iRules

3 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 14, 2012
    Hi Anuj,

    That sounds about right. If you're on 9.4.4 or higher, you should remove the $:: prefix on the Hosts data group name. Also, you don't need to use the forward command to avoid SNAT--just leave the else clause off and any client IP which isn't in the Hosts data group will not be SNAT'd:

    Hi Anuj,

    If the clients are on the same subnet as the servers you must SNAT them to ensure the servers reply back to the client through LTM. If the servers' default gateway is set to the LTM self IP on their subnet, all clients not local to the server subnet would be fine without SNAT. To do this a bit simpler, you could use this iRule:

    http://devcentral.f5.com/wiki/iRules.SelectiveSNAT.ashx

    If you do need to specify other subnets you want to SNAT, you can use this simplified iRule. Note that for 9.4.4 and higher, you should remove the $:: prefix from the data group name in the iRule. And you don't need to use the forward command to avoid SNAT--just leave out the else clause. 

    
when CLIENT_ACCEPTED {

    Check if client_addr is in the Hosts data group
   if { [matchclass [IP::client_addr] equals Hosts] } {

       Apply SNAT just for this connection
      snat automap
   }
}

    Aaron
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 14, 2012
    Here's the selective SNAT example I was referring to. You can use this if you want to only SNAT when the client and server are on the same subnet. 

    
when LB_SELECTED {  
   if {[IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"]} {  
      snat automap 
   }
}

    Aaron
  • anuj_2931's avatar
    anuj_2931
    Icon for Nimbostratus rankNimbostratus
    Aug 14, 2012
    Thanks Aaron for the response.

     

     

    The reason I want to snat other subnets in out network is because, I want ssh, syslog, ntp etc.. to work between the other subnet and apache server behind ltm. LTM will not be used for those protocols. Hence, I mentioned that I will add a static route for 192.168.10.0/24 pointing to firewall on the apache servers, and hence I will need snat automap for the http traffic to go back to the ltm if the source is 192.168.10.x.

     

     

    Anuj