FTP_Proxy_v10

Problem this snippet solves:

This iRule was created to allow the ADC to mimic the FTP proxy connectivity found on Blue Coat and Cisco IronPort devices.

How to use this snippet:

How it works

The FTP client (CuteFTP, WS_FTP, etc.) is configured to point explicitly at an FTP Proxy VIP on port 21 that carries the iRule below, and to use the USER@ authentication type (that is, the client logs in as uid@sitename).

Special Considerations

If the FTP site is remote from the F5 ADC, consider enabling AutoSNAT, either in the iRule or at the VIP level.

Limitations

Since the remote FTP server is connected to on demand, no health checks are performed against it.

Additional Notes

Feel free to make improvements, such as adding the ability to use hostnames, which will involve lookups. This might also require https://support.f5.com/kb/en-us/solutions/public/8000/400/sol8437.html for hostname resolution to work.

If you need code that works on v9.3.x, see http://devcentral.f5.com/wiki/default.aspx/iRules/FTP_Proxy_LITE.html

Code :

when CLIENT_ACCEPTED {
    # Greet the client ourselves; no server is connected yet.
    TCP::respond "220 Welcome to the F5 FTP Proxy v10\r\n"
    #log local0. "client accepted"
    TCP::collect
}

when CLIENT_DATA {
    set ftplogin [TCP::payload]
    log local0. "login is $ftplogin"
    if { $ftplogin starts_with "USER" } {
        # You can set it up to use any DNS server you want.
        set dnslookup "4.2.2.1"
        set cuser [TCP::payload]
        # "USER uid@sitename" -> garbage = "USER uid", sitename = "sitename".
        # Reject a line that is not in that form instead of erroring on an
        # unset variable further down.
        if { [scan $cuser {%[^@]@%s} garbage sitename] != 2 } {
            reject
            return
        }
        # "USER uid" -> cmd = "USER", uid = "uid"
        scan $garbage %s%s cmd uid
        set ips [RESOLV::lookup @$dnslookup -a $sitename]
        if { $ips eq "" } {
            # Sitename did not resolve; take some default action? Here we reject.
            reject
        } else {
            # Drop the USER line so it is not forwarded to the real server.
            TCP::payload replace 0 [TCP::payload length] ""
            set ftp_serv "[lindex $ips 0]"
            # Connect to the first resolved address on the port the client used.
            node [lindex $ips 0] [TCP::local_port]
        }
    }
    TCP::release
}

when SERVER_CONNECTED {
    TCP::collect
}

when SERVER_DATA {
    set serv_data [TCP::payload]
    # On the real server's banner, log in with the bare uid and drop the
    # banner, since the client already received one from the proxy. The
    # info exists guard avoids a Tcl error when the client's first message
    # was not a USER line and no uid was ever parsed.
    if { [info exists uid] && $serv_data contains "220" } {
        TCP::respond "USER $uid\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
    }
    TCP::release
}
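The handshake that the "How it works" section describes and the iRule above implements, modelled in Python as an added example; this is not code from the original page or from F5. The DNS table is a constructed stand-in for RESOLV::lookup, and ALLOWED_SITES is an added destination allowlist that the iRule does not have (the iRule will `node` to any name that resolves, so without some restriction the VIP acts as a general-purpose FTP forwarder). The model also shows what happens to a malformed USER line and to a first message that is not USER at all, the two inputs the original scan/`$uid` sequence handles least gracefully.

```python
"""Model of the USER@sitename FTP proxy handshake described above.

Added example, not code from the original page or from F5. The resolver
table is a constructed stand-in for the iRule's RESOLV::lookup, and
ALLOWED_SITES is an added check the iRule does not perform.
"""

# Constructed DNS answers standing in for RESOLV::lookup (assumption).
FAKE_DNS = {
    "ftp.example.net": ["192.0.2.10", "192.0.2.11"],
    "other.example.com": ["198.51.100.7"],
}

# Added destination allowlist (assumption): the iRule will connect to any
# name that resolves, which makes the VIP a general-purpose forwarder.
ALLOWED_SITES = {"ftp.example.net"}

PROXY_BANNER = "220 Welcome to the F5 FTP Proxy v10\r\n"


def parse_user_at(line):
    """Split 'USER uid@sitename' the way the iRule's two scan calls do.

    scan {%[^@]@%s} -> text before '@' and the first token after it
    scan %s%s       -> command and uid from the text before '@'
    Returns (cmd, uid, sitename), or None when the line does not fit.
    """
    before, sep, after = line.rstrip("\r\n").partition("@")
    if not sep:
        return None                 # no '@': sitename would never be set
    head = before.split()
    tail = after.split()
    if len(head) != 2 or not tail:
        return None                 # need exactly cmd + uid, and a sitename
    return head[0], head[1], tail[0]


class FtpProxy:
    """Proxy-side state for one client connection."""

    def __init__(self, resolver=FAKE_DNS, allowed=ALLOWED_SITES):
        self.resolver = resolver
        self.allowed = allowed
        self.uid = None
        self.node = None
        self.to_client = []   # what the proxy sends toward the client
        self.to_server = []   # what the proxy sends toward the chosen server

    def client_accepted(self):
        # CLIENT_ACCEPTED: greet the client before any server exists.
        self.to_client.append(PROXY_BANNER)

    def client_data(self, payload):
        """CLIENT_DATA: choose the node from the first client message.

        Returns 'node' (USER line consumed, server chosen), 'reject', or
        'passthrough' (not a USER line; released unchanged, as the iRule does).
        """
        if not payload.startswith("USER"):
            return "passthrough"
        parsed = parse_user_at(payload)
        if parsed is None:
            return "reject"         # malformed USER line
        _cmd, uid, sitename = parsed
        ips = self.resolver.get(sitename, [])
        if not ips:
            return "reject"         # the iRule's {$ips eq ""} branch
        if sitename not in self.allowed:
            return "reject"         # added allowlist check (assumption)
        self.uid, self.node = uid, ips[0]
        return "node"

    def server_data(self, payload):
        """SERVER_DATA: on the real banner, log in with the bare uid.

        Returns what is forwarded to the client; '' means the banner is
        dropped, since the client already saw the proxy's own 220.
        """
        if self.uid is not None and "220" in payload:
            self.to_server.append("USER %s\r\n" % self.uid)
            return ""
        return payload


def run_handshake(login_line, banner="220 ftp.example.net ready\r\n"):
    """Drive one login through the proxy and summarise what happened."""
    proxy = FtpProxy()
    proxy.client_accepted()
    action = proxy.client_data(login_line)
    forwarded = proxy.server_data(banner) if action == "node" else None
    return {
        "action": action,
        "node": proxy.node,
        "uid": proxy.uid,
        "to_server": proxy.to_server,
        "to_client": proxy.to_client,
        "forwarded_banner": forwarded,
    }


if __name__ == "__main__":
    for line in ("USER joe@ftp.example.net\r\n",
                 "USER joe@other.example.com\r\n",
                 "USER joe\r\n",
                 "PASS secret\r\n"):
        print(repr(line), "->", run_handshake(line)["action"])
```

The "passthrough" outcome is worth noticing: when the first client message is not a USER line, the iRule selects no node and simply releases the payload, so whatever default pool the VIP has (or none) decides where that connection goes.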
Published Mar 17, 2015
Version 1.0