Intelligent I-Rule: No SNAT

Problem this snippet solves:

This Intelligent I-Rule allows you to configure a global SNAT with a set of exceptions based on IP addresses.

Code :

# 1) Create the datagroups that will be included in the I-Rule

class nosnat {
   host X.X.X.X
   host X.X.X.X
   host X.X.X.X
}
class snat {
   host X.X.X.X
   host X.X.X.X
   host X.X.X.X
   host X.X.X.X
}


# 2) Paste in this Intelligent I-Rule with your datagroups listed (do not use _ or - in the datagroup names; they will not work)

rule intelligent-nosnat {
# *** When using this iRule, you must turn off global SNAT, if in use ***
# Debug is turned on with '1', turned off with '0'. Messages are logged to /var/log/ltm via syslog facility local0
# Below: if the local IP is NOT in the 'nosnat' datagroup and the remote IP is NOT in the 'snat' datagroup, then SNAT all other traffic as X.X.X.X
   when CLIENT_ACCEPTED {
      set DEBUG 0
      if { not ( [matchclass [IP::local_addr] equals $::nosnat] ) and not ( [matchclass [IP::remote_addr] equals $::snat] ) } {
         if { $DEBUG } { log local0. "DEBUG: Local IP: [IP::local_addr] did not match nosnat AND Remote IP: [IP::remote_addr] did not match snat" }
         snat X.X.X.X
      }
   }
}

# 3) Then apply the Intelligent I-Rule where it needs to be used. Or you can adjust it for snat automap (contributed by Bhattman):

when RULE_INIT {
   # Debug off (0), errors only (1)
   set DEBUG 0
}
when CLIENT_ACCEPTED {
   if { ( ![matchclass [IP::local_addr] equals $::nosnat] ) and ( ![matchclass [IP::remote_addr] equals $::snat] ) } {
      if { $DEBUG } { log local0. "DEBUG: Local IP: [IP::local_addr] did not match nosnat AND Remote IP: [IP::remote_addr] did not match snat" }
      snat automap
   }
}
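Because the only difference between "SNAT everything" and "SNAT with exceptions" is the boolean in CLIENT_ACCEPTED, it is worth checking that condition against a few flows before the iRule goes on a virtual server. The script below is an added Python model of steps 1 to 3 (it is not an iRule and not code from this page or from F5): it stands in for `matchclass ... equals` with an address-datagroup membership test (host entry or subnet entry, which is an assumption about how you populate the datagroups), and applies the same "local not in nosnat AND remote not in snat" decision to constructed sample flows. The datagroup entries and flow addresses are placeholders invented for the example, standing in for the X.X.X.X values on the page.

```python
import ipaddress

# Constructed placeholder datagroups; replace with your own entries (the page shows X.X.X.X).
# 'nosnat' is checked against IP::local_addr (the virtual server address the client hit),
# 'snat' against IP::remote_addr (the client address), exactly as the iRule does.
NOSNAT = ["10.10.10.10", "10.10.10.11", "10.20.0.0/16"]
SNAT = ["192.0.2.0/24", "198.51.100.7"]

# Constructed sample flows as (local_addr, remote_addr) pairs.
SAMPLE_FLOWS = [
    ("10.10.10.10", "203.0.113.5"),   # local is a nosnat host entry
    ("10.20.5.5", "203.0.113.5"),     # local falls inside the nosnat subnet entry
    ("10.30.1.1", "192.0.2.9"),       # remote falls inside the snat subnet entry
    ("10.30.1.1", "198.51.100.7"),    # remote is a snat host entry
    ("10.30.1.1", "203.0.113.5"),     # neither matches: this is the traffic that gets SNATed
]


def in_datagroup(addr, entries):
    """Model of `matchclass <addr> equals <datagroup>` for an address datagroup:
    true if addr equals a host entry or lies inside a network entry.
    Assumption: entries are hosts or CIDR networks; v4/v6 never match each other."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)   # a bare host becomes a /32 (or /128)
        if ip in net:
            return True
    return False


def needs_snat(local_addr, remote_addr, nosnat=NOSNAT, snat=SNAT):
    """The iRule's decision: SNAT only when the local address is NOT in 'nosnat'
    AND the remote address is NOT in 'snat'. Every other flow keeps its source address."""
    return (not in_datagroup(local_addr, nosnat)) and (not in_datagroup(remote_addr, snat))


def action_for(local_addr, remote_addr, snat_target="automap", nosnat=NOSNAT, snat=SNAT):
    """Return the iRule command that would run for this flow: 'snat automap',
    'snat <address>' (if you use the fixed-address variant), or 'no snat'."""
    if needs_snat(local_addr, remote_addr, nosnat, snat):
        return "snat %s" % snat_target
    return "no snat"


def evaluate(flows, snat_target="automap", nosnat=NOSNAT, snat=SNAT):
    """Evaluate a list of (local, remote) flows and return (local, remote, action) rows."""
    return [(l, r, action_for(l, r, snat_target, nosnat, snat)) for l, r in flows]


if __name__ == "__main__":
    # Prints a table so you can eyeball which flows the exceptions cover before deploying.
    print("%-16s %-16s %s" % ("local (VIP)", "remote (client)", "action"))
    for local, remote, action in evaluate(SAMPLE_FLOWS):
        print("%-16s %-16s %s" % (local, remote, action))
```

Run it once with your real datagroup contents and a handful of flows you care about (a server that must see real client IPs, a client that must never be rewritten); any row whose action surprises you is a datagroup entry to fix before the iRule replaces the global SNAT setting.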
Published Mar 18, 2015
Version 1.0