HI All, I have implemented a packet filter to block access to a VS from all IP addresses except one. I tried the same through an iRule. But it did not seem to work. Here is the iRule: when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals x.x.x.x] } { drop return } } When I tried doing the same with packet filter, by creating a rule which says, "action:accept" for "source ip:x.x.x.x" and "destination ip: (the ip for that virtual service)". This should allow only this x.x.x.x ip to access the virtual service. But, all the IPs are having access to the virtual service and looks like the rule is not implemented correctly. Can someone help me with this? Thanks and Regards, Geethanjali

In case it's not clear, nitass is saying you need two packet filters. One to allow the host you want to, one to deny everything else.

e.g. [root@ve10:Active] config b virtual bar list virtual bar { snat automap pool foo destination 172.28.19.79:80 ip protocol 6 rules myrule } [root@ve10:Active] config b rule myrule list rule myrule { when CLIENT_ACCEPTED { if { ! [class match -- [IP::client_addr] equals ip_class] } { log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]" reject } } when SERVER_CONNECTED { log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]" } } [root@ve10:Active] config b class ip_class list class ip_class { { host 172.28.19.251 host 192.168.206.57 } } [root@ve10:Active] config tail -f /var/log/ltm Oct 25 22:57:44 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59229 -> 172.28.19.79:80 Oct 25 22:57:53 local/tmm info tmm[7926]: Rule myrule : Allow 192.168.206.57:65000 -> 172.28.19.79:80 -> 200.200.200.101:80 Oct 25 22:58:12 local/tmm info tmm[7926]: Rule myrule : Allow 172.28.19.251:37085 -> 172.28.19.79:80 -> 200.200.200.101:80

Packet filter does not work

15 Replies

nitass

Employee

Oct 25, 2012

this is mine.

[root@ve10:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
}

[root@ve10:Active] config  b packet filter list
packet filter {
   allow trusted  {}
}
packet filter Allow_192.168.206.57 {
   order 5
   action accept
   vlan external
   log enable
   filter { ( src host 192.168.206.57 ) and ( dst host 172.28.19.79 ) }
}
packet filter Deny_All {
   order 10
   action reject
   vlan external
   log enable
   filter { ( dst host 172.28.19.79 ) }
}

[root@ve10:Active] config  tail /var/log/pktfilter
Oct 25 11:24:14 local/tmm notice tmm[7926]: 01250004:5: Deny_All (2): reject on external, len: 74 [IPv4 60 172.28.20.11 -> 172.28.19.79 TCP 59195 -> 80 S]
Oct 25 11:24:21 local/tmm notice tmm[7926]: 01250002:5: Allow_192.168.206.57 (88): accept on external, len: 66 [IPv4 52 192.168.206.57 -> 172.28.19.79 TCP 63782 -> 80 S]

What_Lies_Bene1
Cirrostratus
Oct 25, 2012
In case it's not clear, nitass is saying you need two packet filters. One to allow the host you want to, one to deny everything else.

What_Lies_Bene1

Cirrostratus

Oct 25, 2012

Great. There's a couple of ways you can do this. For pure simplicity you could just modify the if statement;

 
    if { ( ! [IP::addr [IP::client_addr] equals x.x.x.x]) or ( ! [IP::addr [IP::client_addr] equals y.y.y.y]) or ( ! [IP::addr [IP::client_addr] equals z.z.z.z])  
  
 But the best way would be to use a Data Group and reference that. I'm sure nitass will be along with an example any minute!

nitass

Employee

Oct 25, 2012

e.g.

[root@ve10:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
}
[root@ve10:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
   if { ! [class match -- [IP::client_addr] equals ip_class] } {
      log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      reject
   }
}
when SERVER_CONNECTED {
   log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
}
}
[root@ve10:Active] config  b class ip_class list
class ip_class {
   {
      host 172.28.19.251
      host 192.168.206.57
   }
}

[root@ve10:Active] config  tail -f /var/log/ltm
Oct 25 22:57:44 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59229 -> 172.28.19.79:80
Oct 25 22:57:53 local/tmm info tmm[7926]: Rule myrule : Allow 192.168.206.57:65000 -> 172.28.19.79:80 -> 200.200.200.101:80
Oct 25 22:58:12 local/tmm info tmm[7926]: Rule myrule : Allow 172.28.19.251:37085 -> 172.28.19.79:80 -> 200.200.200.101:80

What_Lies_Bene1
Cirrostratus
Oct 25, 2012
Told ya!
Geethanjali_321
Nimbostratus
Oct 25, 2012
Thanks again. You guys are awesome! But I am still stuck with errors...

config b virtual bar list

virtual bar {

snat automap

pool foo

destination 63.166.192.203:80

ip protocol 6

rules myrule

}

config b rule myrule list

rule myrule {

when CLIENT_ACCEPTED {

if { ! [class match -- [IP::client_addr] equals ip_class] } {

log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"

reject

}

}

when SERVER_CONNECTED {

log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"

}

}

config b class ip_class list

class ip_class {

{

host 209.190.232.172

host 63.166.192.140

host 4.30.227.210

host 68.14.227.130

}

}

When I type this is the iRule editor in the configuration utility, I am getting this error!!!

01070151:3: Rule [/Common/New_Rule] error:

line 1: [undefined procedure: config] [config b virtual bar list]

line 2: [command is not valid in the current scope] [virtual bar {

snat automap

pool foo

destination 63.166.192.203:80

ip protocol 6

rules myrule

}]

line 10: [undefined procedure: rule] [rule myrule {

when CLIENT_ACCEPTED {

if { ! [class match -- [IP::client_addr] equals ip_class] } {

log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"

reject

}

}

when SERVER_CONNECTED {

log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"

}

}]

line 22: [command is not valid in the current scope] [class ip_class {

{

host 209.190.232.172

host 63.166.192.140

host 4.30.227.210

host 68.14.227.130

}

}]

I am really sorry if I ask lame questions. I am new to these codes. So, please help me out to learn and implement this...

Thanks and Regards,

Geethanjali

What_Lies_Bene1

Cirrostratus

Oct 25, 2012

Assuming you are using the GUI, you should only paste this into the text box for the new iRule;


   when CLIENT_ACCEPTED {
   if { ! [class match -- [IP::client_addr] equals ip_class] } {
      log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      reject
   }
}
when SERVER_CONNECTED {
   log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
}
}

You should manually create the Data Group.

What_Lies_Bene1
Cirrostratus
Oct 25, 2012
You're welcome, glad it's all good.

Geethanjali_321

Nimbostratus

Oct 26, 2012

Now that everything is working successfully, I have a question regarding the code I gave into the load balancer...

 when CLIENT_ACCEPTED {
   if { ! [class match -- [IP::client_addr] equals ip_class] } {
      log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      reject
   }
}
when SERVER_CONNECTED {
   log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
}
}

In this code, may I know what does this log.local0 signify? I guess it should be a log, in that case, where can I find the log? If my guess is wrong, I would like to know what does mean in the code?

Thanks and Regards,

Geethanjali

nathe
Cirrocumulus
Oct 26, 2012
Geethanjali

Log local0. means log to the local0 facility - this will be by default in /var/log/ltm. These logs show in the GUI too, System - Logs - Local Traffic

Hope this helps

N

Forum Discussion

Packet filter does not work

15 Replies

Recent Discussions

F5Access | MacOS Sonoma

Active- Active HA setup

syslog server connection

Cannot see floating MAC address outside of ESXi

Rewrite uri translation not working

Related Content

Automating Packet Captures on BIG-IP

F5 packet buffer

BGP - filtering kernel redistribution

monitor does not work https

Packet Tracing in BIG-IP AFM