Forum Discussion

Kevin_Jones_505
Historic F5 Account
Feb 16, 2007

Telnet Proxy iRule

We would like an iRule that would accept a client connection on port 23, prompt the user for the desired destination (host name or IP), and then open an associated telnet session to an external host.

Our site doesn't allow employees to go directly to these external servers. Currently, our firewalls perform this proxy function, but they are being migrated to another platform that doesn't support this feature.

The virtual server associated with this iRule would be a host address and not associated with any pool; it would likely do SNAT Automap also.

Generally, we guess it would be something like:

when CLIENT_ACCEPTED {
    # Send a prompt message across the client connection asking for the desired destination device
}

when CLIENT_DATA {
    # collect data ...
    # if valid IP address, connect to server
    # if valid hostname, resolve externally and then connect to server
    # if neither a valid IP address nor a hostname, prompt the user again
}

Does this sound plausible? Any hints or help would be appreciated.

thanks
  • Kevin_Jones_505
    Historic F5 Account
    Thanks, Colin. This is a beginning. Hmm. I see your suggestion seems to include a SERVER_CONNECTED event... and while this should happen in this application, no decisions are needed at that point. I suspect I didn't explain the problem well or I don't understand your solution.

    The TCP::respond command looks very useful. It would seem we would have something like:

    Client side connection, iRule sends prompt, gathers client input

    when CLIENT_ACCEPTED {
        TCP::respond "Enter the IP address of destination site.\r\n"
        TCP::collect 20
    }

    Once client data collected, verify whether it's a valid IP

    when CLIENT_DATA {
        # [:digit:] only means "digit" inside a bracket expression, so \d is used instead;
        # without -inline, regexp stores the matched text in $ip and returns 1 or 0
        set ip ""
        regexp {(\d{1,3}\.){3}\d{1,3}} [TCP::payload] ip
        if { [matchclass $ip equals $::validIPs] } {
            node $ip
            # additional statement to open serverside connection if ip is valid
        } else {
            TCP::respond "The IP address is invalid. Hostnames are currently not supported...\r\n"
        }
        TCP::release
    }

    Now, once we have a valid IP address (I'm letting host names go for now), we would need to open a telnet connection to that device. It would seem appropriate if we could do that once the IP address is deemed valid... just after "node" is assigned $ip.

    Once the server side connection is formed, the iRule is no longer needed.

    We'll keep working on it, but I know we've got a bit to go.

    Thanks again!
  • Kevin_Jones_505
    Historic F5 Account
    Well, we've got our base functionality working with this:

    when CLIENT_ACCEPTED {
        TCP::respond "Enter the IP address of destination site.\r\n"
        TCP::collect 15
    }

    when CLIENT_DATA {
        # trim any stray whitespace or CR/LF from the collected bytes
        set ip [string trim [TCP::payload]]
        node $ip
        # consume the typed address so it is not forwarded to the destination server on release
        TCP::payload replace 0 [TCP::payload length] ""
        TCP::release
    }

    It's not user friendly; they must enter IP addresses in XXX.XXX.XXX.XXX format (leading zeros when needed) and host names aren't supported, but it works. Next two steps: add SNAT for return routing and make the IP address input better. If all goes well, then add hostname support.
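Pulling the thread together, here is a fuller version as an added example (my code, not the poster's or F5's): it collects a whole line instead of a fixed byte count, strips the telnet option negotiation a client may send before the typed text, validates a dotted-quad address with octet range checks, restricts destinations to an allow-list data group (the assumed name allowed_telnet_hosts, in the v9 matchclass syntax used above), discards the typed line so it never reaches the destination, and limits retries. The destination port 23 and the attempt limit are assumptions.

```tcl
# Added example, not the poster's code. Assumes a data group named
# allowed_telnet_hosts (hypothetical) listing the permitted destination IPs.
when CLIENT_ACCEPTED {
    snat automap
    set attempts 0
    TCP::respond "Enter the IP address of destination site: "
    TCP::collect
}

when CLIENT_DATA {
    set payload [TCP::payload]
    # Telnet delivers a line at a time: keep collecting until a newline arrives,
    # but never let a client grow the buffer without bound.
    if { [string first "\n" $payload] == -1 } {
        if { [TCP::payload length] > 64 } { reject }
        TCP::collect
        return
    }
    # Drop IAC WILL/WONT/DO/DONT <option> triplets sent before the typed text,
    # then keep only the first line.
    regsub -all {\xff[\xfb-\xfe].} $payload "" payload
    set line [string trim [lindex [split $payload "\n"] 0]]
    # Consume everything collected so the prompt reply is not forwarded on release.
    TCP::payload replace 0 [TCP::payload length] ""

    set ip ""
    if { [regexp {^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$} $line -> a b c d] } {
        # scan %d reads "010" as decimal 10 (expr would treat it as octal)
        scan "$a $b $c $d" "%d %d %d %d" a b c d
        if { $a <= 255 && $b <= 255 && $c <= 255 && $d <= 255 } {
            set ip "$a.$b.$c.$d"
        }
    }
    if { $ip ne "" && [matchclass $ip equals $::allowed_telnet_hosts] } {
        TCP::respond "Connecting to $ip...\r\n"
        node $ip 23
        TCP::release
        return
    }
    incr attempts
    if { $attempts >= 3 } {
        TCP::respond "Too many invalid attempts.\r\n"
        reject
        return
    }
    TCP::respond "Invalid or disallowed address. Enter the IP address of destination site: "
    TCP::collect
}
```

Because the allow-list is checked before node is called, a user cannot reach an address the firewalls would not have permitted, and the retry cap keeps a misbehaving client from holding the connection open while it probes.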