Intelligent iRule: No SNAT
Problem this snippet solves:
This Intelligent iRule lets you configure a global SNAT with a set of exceptions based on IP addresses held in two data groups.
Code :
# 1) Create the data groups that the iRule will reference:

    class nosnat {
       host X.X.X.X
       host X.X.X.X
       host X.X.X.X
    }

    class snat {
       host X.X.X.X
       host X.X.X.X
       host X.X.X.X
       host X.X.X.X
    }

# 2) Paste in this Intelligent iRule with your data groups listed (do not use _ or - in the data group names; they will not work):

    rule intelligent-nosnat {
       # *** When using this iRule, you must turn off global SNAT, if in use ***
       # Debug is turned on with '1' and off with '0'. Messages are logged to /var/log/ltm via local0.
       # If neither data group matches (local address not in 'nosnat' AND remote address not in 'snat'),
       # SNAT all other traffic as X.X.X.X. Connections that match either data group are left untranslated.
       when CLIENT_ACCEPTED {
          set DEBUG 0
          if { ( ![matchclass [IP::local_addr] equals $::nosnat] ) and ( ![matchclass [IP::remote_addr] equals $::snat] ) } {
             if { $DEBUG } {
                log local0. "DEBUG: Local IP: [IP::local_addr] did not match nosnat AND Remote IP: [IP::remote_addr] did not match snat"
             }
             snat X.X.X.X
          }
       }
    }

# 3) Then apply the Intelligent iRule to the virtual server(s) where it needs to be used.

Or you can adjust it for SNAT automap (contributed by Bhattman):

    when RULE_INIT {
       # Debug off (0), errors only (1)
       set DEBUG 0
    }

    when CLIENT_ACCEPTED {
       if { ( ![matchclass [IP::local_addr] equals $::nosnat] ) and ( ![matchclass [IP::remote_addr] equals $::snat] ) } {
          if { $DEBUG } {
             log local0. "DEBUG: Local IP: [IP::local_addr] did not match nosnat AND Remote IP: [IP::remote_addr] did not match snat"
          }
          snat automap
       }
    }
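The same exception logic written for v10 and later, as an added example that is not part of the original snippet or its contributions: it uses `class match` against address-type data groups (so entries may be subnets, not only single hosts), makes the exempt branch explicit with `snat none` so the connection's source address is preserved even if a global SNAT is later re-enabled, and logs both outcomes so the decision can be audited. The data group names nosnat_dg and snat_dg are assumptions; create them as address (type ip) data groups before applying the rule.

```tcl
# Added example (not the original author's code). Assumes two address-type
# data groups exist: nosnat_dg (exempt local/virtual addresses) and
# snat_dg (exempt remote/client addresses). Requires v10+ for static:: and class.
when RULE_INIT {
    # 0 = quiet, 1 = log every SNAT decision to /var/log/ltm via local0
    set static::nosnat_debug 0
}

when CLIENT_ACCEPTED {
    # Mirror the original rule: a connection is exempt from SNAT when the
    # local (virtual) address is in nosnat_dg OR the remote (client) address
    # is in snat_dg. Everything else is translated via the automap pool.
    set local_exempt  [class match [IP::local_addr]  equals nosnat_dg]
    set remote_exempt [class match [IP::client_addr] equals snat_dg]

    if { $local_exempt or $remote_exempt } {
        # Explicitly disable translation so the server sees the real client IP
        # regardless of any global SNAT or virtual-server SNAT setting.
        snat none
        if { $static::nosnat_debug } {
            log local0. "NOSNAT: [IP::client_addr] -> [IP::local_addr] exempt (local=$local_exempt remote=$remote_exempt)"
        }
    } else {
        snat automap
        if { $static::nosnat_debug } {
            log local0. "SNAT: [IP::client_addr] -> [IP::local_addr] translated via automap"
        }
    }
}
```

Because every exempt connection reaches the server with its original source address, review nosnat_dg and snat_dg with the same care as a firewall exception list; an over-broad subnet entry silently bypasses the translation for everything inside it.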
Published Mar 18, 2015
Version 1.0
Author: sltjr_85808 (Nimbostratus, joined October 19, 2007)