Forum Discussion
Damián_41877
Nimbostratus
NimbostratusSNAT only for outbonding connections to external IP addressess
Hi guys
I need to create a iRule to SNAT the outbonding connections ONLY when their destination is internet, i.e., when the destination IP address does not belong to the internal addresses (INTRANET):
10.9.0.0/16 are the INTRANET IP addresses.
172.172.172.0/24 are the private IP addresses.
200.201.202.0/24 are the (fictitious) PUBLIC IP addresses
When a *private* node (for instance, 172.172.172.11) tries to open a connection to internet (FTP, wget,...) the company firewall denies. Therefore, I must ask to security team to allow EVERY connection to go out through the firewall.
But if those outbonding connections might be originated from a PUBLIC IP address (for instance 200.201.202.5), no request to security team would be needed (because the firewall allows outbonding connections from any PUBLIC node). My idea is use SNAT ONLY in those cases.
What is the most event suitable event?
Thanx in advance
nitassEmployee
can u try this?
when CLIENT_ACCEPTED {
if {!([IP::addr [IP::local_addr] equals 10.9.0.0/16]) and \
!([IP::addr [IP::local_addr] equals 172.172.172.0/24]) and \
!([IP::addr [IP::local_addr] equals 200.201.202.0/24])} {
snat X.X.X.X
}
}
hooleylistCirrostratus
Or you could add the IP ranges to an address type datagroup and then use the class match command (v10) or matchclass command (v9) to look up the client's destination address:
http://devcentral.f5.com/wiki/default.aspx/iRules/class
http://devcentral.f5.com/wiki/default.aspx/iRules/matchclass
Aaron- Generally speaking the class commands (v10) are going to be faster than a multiple if comparison, if performance is an issue. They're also far more scalable.
Colin 
Damián_41877Thanks everybody
The iRule code provided by nitass worked fine!
And the matchclass command also run fine.- Awesome, that's good news. Keep DC in mind if you've got more questions.
Colin
