Forum Discussion
Chris_Phillips (Nimbostratus), Sep 13, 2006
unique snat address with minimal overhead
Hi,
One of our pairs of F5s sits in front of a firewall, which in turn is in front of the servers. We have a lot of clients hitting virtual servers and need to retain visibility of the client IPs onwards past the BIG-IPs for debugging and logging etc. At the same time we still need to SNAT the IP address on the BIG-IPs, as otherwise the firewall can't distinguish between forwarded LTM traffic and direct hits.
As such I am thinking that the best way is to write an iRule that can basically convert any IP into a manually translatable address that is still unique. As this is likely to be used on 95% of the traffic running through the box, I am keen to ensure the overhead is as low as possible.
My thoughts initially would be to do a bit flip on the first bit of the address, i.e. do a logical AND with 127.0.0.0, so 10.x.y.z would emerge as 137.x.y.z and 192.168.y.x would emerge as 64.168.y.z (if my maths is right there...). This potentially seems simpler than adding 1 to the first octet as it's doing it at a lower level, but here's where I'd like to open it to the floor for either a basic principle or an example iRule to do this sort of thing with the absolute minimum of impact where possible.
Hope this makes sense.
cheers
Chris
3 Replies
- Colin_Walker_12 (Historic F5 Account)
Well, my first question would be, is there a reason that you can't just include the original IP address in a header and have the back-end application look for it there? This is done all the time with HTTP requests using the X-Forwarded-For header.
Colin
- Chris_Phillips (Nimbostratus)
hi,
While the majority of traffic is likely to be HTTP, there is still a lot of stuff that is not: RDP, LDAP etc. The main purpose of this is to pass through a Checkpoint IP1220 firewall, so the logic is to be able to put basic rulesets on the boxes to allow the converted IP addresses and not the original ones. The focus is not on the virtual server or the nodes it is balancing against but on how to keep a semblance of generic low-level security in that network.
thanks
chris
- Chris_Phillips (Nimbostratus)
hi,
Is anyone able to comment further on this? I've got this basic iRule which seems to do the job fine, but would still possibly like to remove the intermediate variables and such.
    when CLIENT_ACCEPTED {
        # split the client address into the first octet (a) and the remaining three octets (bcd)
        scan [IP::client_addr] "%d.%s" a bcd
        # flip the top bit of the first octet and use the result as the SNAT address
        snat [expr {$a ^ 128}].$bcd
    }
thanks
Chris
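The mapping the iRule above performs (XOR the first octet with 128, which inverts bit 31 of the 32-bit address) is worth checking for the two properties the thread needs: every client address maps to a distinct translated address, and the mapping is its own inverse, so whoever reads the firewall logs can recover the original client by applying it again. The following Python script is an added illustration and not part of the original thread or an F5 product; it models the arithmetic only, with constructed sample addresses, and does not touch a BIG-IP.

```python
import ipaddress

# Bit 31 of an IPv4 address, i.e. the top bit of the first octet.
HIGH_BIT = 0x80000000


def flip_high_bit(addr: str) -> str:
    """Invert the top bit of the whole 32-bit address.

    Same result as the posted iRule's `expr $a ^ 128` on the first octet,
    but done on the packed integer so it generalises cleanly.
    """
    value = int(ipaddress.IPv4Address(addr))
    return str(ipaddress.IPv4Address(value ^ HIGH_BIT))


def first_octet_xor(addr: str) -> str:
    """Literal port of the posted iRule: scan "%d.%s", XOR the first octet with 128."""
    first, rest = addr.split(".", 1)
    return f"{int(first) ^ 128}.{rest}"


def is_reversible_and_unique(addrs) -> bool:
    """True if the mapping collides on none of the inputs and undoes itself.

    Both hold for any input set, because XOR with a constant is a bijection
    on the address space; this makes the property explicit for a given set.
    """
    translated = [flip_high_bit(a) for a in addrs]
    no_collisions = len(set(translated)) == len(set(addrs))
    self_inverse = all(flip_high_bit(t) == a for a, t in zip(addrs, translated))
    return no_collisions and self_inverse


def translated_leaves_private_space(addr: str) -> bool:
    """True when a private client address maps into non-private space.

    Relevant to the firewall rulesets in the thread: the allow rules must
    match the translated addresses, which for RFC 1918 clients fall outside
    the private ranges.
    """
    original = ipaddress.IPv4Address(addr)
    translated = ipaddress.IPv4Address(flip_high_bit(addr))
    return original.is_private and not translated.is_private


if __name__ == "__main__":
    # Constructed sample client addresses, not taken from the thread.
    samples = ["10.1.2.3", "192.168.5.6", "172.16.0.1", "127.0.0.1"]
    for a in samples:
        print(f"{a:>14} -> {flip_high_bit(a):<14} (iRule port: {first_octet_xor(a)})")
    print("reversible and unique:", is_reversible_and_unique(samples))
    print("10.1.2.3 leaves private space:", translated_leaves_private_space("10.1.2.3"))
```

Both implementations agree on every input; the integer form is the one to reach for if the same scheme is ever extended to a different bit position, since it avoids re-parsing dotted quads.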