
Packet filter does not work

Geethanjali_321
Nimbostratus

Hi All,

I have implemented a packet filter to block access to a VS from all IP addresses except one. I tried the same through an iRule, but it did not seem to work. Here is the iRule:

   when CLIENT_ACCEPTED {
      if { [IP::addr [IP::client_addr] equals x.x.x.x] } {
         drop
         return
      }
   }

When I tried doing the same with a packet filter, by creating a rule which says

   "action: accept" for "source ip: x.x.x.x" and "destination ip: (the ip for that virtual service)"

this should allow only the x.x.x.x ip to access the virtual service. But all the IPs have access to the virtual service, and it looks like the rule is not implemented correctly. Can someone help me with this?

 

Thanks and Regards,
Geethanjali

nitass
F5 Employee
this is mine.

   [root@ve10:Active] config b virtual bar list
   virtual bar {
      snat automap
      pool foo
      destination 172.28.19.79:80
      ip protocol 6
   }
   [root@ve10:Active] config b packet filter list
   packet filter {
      allow trusted {}
   }
   packet filter Allow_192.168.206.57 {
      order 5
      action accept
      vlan external
      log enable
      filter { ( src host 192.168.206.57 ) and ( dst host 172.28.19.79 ) }
   }
   packet filter Deny_All {
      order 10
      action reject
      vlan external
      log enable
      filter { ( dst host 172.28.19.79 ) }
   }
   [root@ve10:Active] config tail /var/log/pktfilter
   Oct 25 11:24:14 local/tmm notice tmm[7926]: 01250004:5: Deny_All (2): reject on external, len: 74 [IPv4 60 172.28.20.11 -> 172.28.19.79 TCP 59195 -> 80 S]
   Oct 25 11:24:21 local/tmm notice tmm[7926]: 01250002:5: Allow_192.168.206.57 (88): accept on external, len: 66 [IPv4 52 192.168.206.57 -> 172.28.19.79 TCP 63782 -> 80 S]

What_Lies_Bene1
Cirrostratus
In case it's not clear, nitass is saying you need two packet filters. One to allow the host you want to, one to deny everything else.
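The ordering point made in the two replies above, shown as an added example that is not part of the thread and not F5 tooling: a small Python model of packet filter rules evaluated in order, run first over the original poster's single accept rule and then over nitass's allow-then-deny pair, plus a parser for the /var/log/pktfilter lines nitass pasted. The model assumes that a packet matching no rule falls through to the unhandled-packet action, taken here as accept; the probe address 172.28.20.11 and the two log lines are the ones from the thread, everything else is constructed.

```python
"""Added example (not from the thread or F5): model ordered BIG-IP packet
filter evaluation and parse the /var/log/pktfilter lines shown above.
Assumption: a packet matching no rule falls through to the unhandled-packet
action, taken here as accept."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    order: int
    action: str               # "accept" or "reject"
    src_host: Optional[str]   # None matches any source
    dst_host: Optional[str]   # None matches any destination


def evaluate(rules, src, dst, unhandled="accept"):
    """Return (action, rule name) of the first rule, by order, that matches."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.src_host is not None and rule.src_host != src:
            continue
        if rule.dst_host is not None and rule.dst_host != dst:
            continue
        return rule.action, rule.name
    return unhandled, None      # nothing matched: unhandled-packet action (assumed accept)


VS = "172.28.19.79"             # virtual server address from the thread
TRUSTED = "192.168.206.57"      # the one host that should reach it

# The original poster's configuration: a single accept rule and nothing else.
ACCEPT_ONLY = [Rule("Allow_192.168.206.57", 5, "accept", TRUSTED, VS)]

# nitass's configuration: the same accept rule followed by a reject for the VS.
ALLOW_THEN_DENY = ACCEPT_ONLY + [Rule("Deny_All", 10, "reject", None, VS)]


def decisions(rules, sources):
    """Map each candidate source address to the action the rule set takes on it."""
    return {src: evaluate(rules, src, VS)[0] for src in sources}


# Log line layout of /var/log/pktfilter as pasted in the thread; the number in
# parentheses after the rule name is kept as "counter" without interpreting it.
PKTFILTER_RE = re.compile(
    r"(?P<rule>\S+) \((?P<counter>\d+)\): (?P<action>accept|reject|discard) on "
    r"(?P<vlan>\S+), len: \d+ \[IPv4 \d+ (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"(?P<proto>\w+) (?P<sport>\d+) -> (?P<dport>\d+)"
)


def parse_pktfilter(line):
    """Extract rule, action and 5-tuple from one pktfilter log line, or None."""
    m = PKTFILTER_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("counter", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


# Constructed sample: the two lines nitass pasted, as they appear in the log.
SAMPLE_PKTFILTER = [
    "Oct 25 11:24:14 local/tmm notice tmm[7926]: 01250004:5: Deny_All (2): reject on external, "
    "len: 74 [IPv4 60 172.28.20.11 -> 172.28.19.79 TCP 59195 -> 80 S]",
    "Oct 25 11:24:21 local/tmm notice tmm[7926]: 01250002:5: Allow_192.168.206.57 (88): accept on external, "
    "len: 66 [IPv4 52 192.168.206.57 -> 172.28.19.79 TCP 63782 -> 80 S]",
]


if __name__ == "__main__":
    probes = [TRUSTED, "172.28.20.11"]
    print("accept only    :", decisions(ACCEPT_ONLY, probes))
    print("allow then deny:", decisions(ALLOW_THEN_DENY, probes))
    for line in SAMPLE_PKTFILTER:
        rec = parse_pktfilter(line)
        print(f"{rec['rule']}: {rec['action']} {rec['src']} -> {rec['dst']}:{rec['dport']}")
```

With only the accept rule, the untrusted probe matches nothing and falls through to the unhandled action, which is why every client could still reach the virtual server; adding the lower-priority Deny_All rule for the same destination turns that fall-through into a reject, and the pktfilter log shows which rule made each decision.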

What_Lies_Bene1
Cirrostratus
Great. There's a couple of ways you can do this. For pure simplicity you could just modify the if statement:

   # 'and' rather than 'or': only a client matching none of the three addresses is dropped
   if { ( ! [IP::addr [IP::client_addr] equals x.x.x.x] ) and
        ( ! [IP::addr [IP::client_addr] equals y.y.y.y] ) and
        ( ! [IP::addr [IP::client_addr] equals z.z.z.z] ) } {
      drop
      return
   }

But the best way would be to use a Data Group and reference that. I'm sure nitass will be along with an example any minute!

nitass
F5 Employee
e.g.

   [root@ve10:Active] config b virtual bar list
   virtual bar {
      snat automap
      pool foo
      destination 172.28.19.79:80
      ip protocol 6
      rules myrule
   }
   [root@ve10:Active] config b rule myrule list
   rule myrule {
      when CLIENT_ACCEPTED {
         if { ! [class match -- [IP::client_addr] equals ip_class] } {
            log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
            reject
         }
      }
      when SERVER_CONNECTED {
         log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
      }
   }
   [root@ve10:Active] config b class ip_class list
   class ip_class {
      {
         host 172.28.19.251
         host 192.168.206.57
      }
   }
   [root@ve10:Active] config tail -f /var/log/ltm
   Oct 25 22:57:44 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59229 -> 172.28.19.79:80
   Oct 25 22:57:53 local/tmm info tmm[7926]: Rule myrule : Allow 192.168.206.57:65000 -> 172.28.19.79:80 -> 200.200.200.101:80
   Oct 25 22:58:12 local/tmm info tmm[7926]: Rule myrule : Allow 172.28.19.251:37085 -> 172.28.19.79:80 -> 200.200.200.101:80

What_Lies_Bene1
Cirrostratus
Told ya!

Geethanjali_321
Nimbostratus

Thanks again. You guys are awesome! But I am still stuck with errors...

   config b virtual bar list
   virtual bar {
      snat automap
      pool foo
      destination 63.166.192.203:80
      ip protocol 6
      rules myrule
   }
   config b rule myrule list
   rule myrule {
      when CLIENT_ACCEPTED {
         if { ! [class match -- [IP::client_addr] equals ip_class] } {
            log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
            reject
         }
      }
      when SERVER_CONNECTED {
         log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
      }
   }
   config b class ip_class list
   class ip_class {
      {
         host 209.190.232.172
         host 63.166.192.140
         host 4.30.227.210
         host 68.14.227.130
      }
   }

When I type this in the iRule editor in the configuration utility, I am getting this error!!!

 

   01070151:3: Rule [/Common/New_Rule] error:
   line 1: [undefined procedure: config] [config b virtual bar list]
   line 2: [command is not valid in the current scope] [virtual bar {
      snat automap
      pool foo
      destination 63.166.192.203:80
      ip protocol 6
      rules myrule
   }]
   line 10: [undefined procedure: rule] [rule myrule {
      when CLIENT_ACCEPTED {
         if { ! [class match -- [IP::client_addr] equals ip_class] } {
            log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
            reject
         }
      }
      when SERVER_CONNECTED {
         log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
      }
   }]
   line 22: [command is not valid in the current scope] [class ip_class {
      {
         host 209.190.232.172
         host 63.166.192.140
         host 4.30.227.210
         host 68.14.227.130
      }
   }]


I am really sorry if I ask lame questions. I am new to these codes. So, please help me out to learn and implement this...

Thanks and Regards,
Geethanjali

What_Lies_Bene1
Cirrostratus
Assuming you are using the GUI, you should only paste this into the text box for the new iRule:

   when CLIENT_ACCEPTED {
      if { ! [class match -- [IP::client_addr] equals ip_class] } {
         log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
         reject
      }
   }
   when SERVER_CONNECTED {
      log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
   }

You should manually create the Data Group.

What_Lies_Bene1
Cirrostratus
You're welcome, glad it's all good.

Geethanjali_321
Nimbostratus

Now that everything is working successfully, I have a question regarding the code I gave into the load balancer...

   when CLIENT_ACCEPTED {
      if { ! [class match -- [IP::client_addr] equals ip_class] } {
         log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
         reject
      }
   }
   when SERVER_CONNECTED {
      log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
   }

In this code, may I know what this log.local0 signifies? I guess it should be a log; in that case, where can I find the log? If my guess is wrong, I would like to know what it means in the code.

Thanks and Regards,
Geethanjali

nathe
Cirrocumulus
Geethanjali

Log local0. means log to the local0 facility - this will be by default in /var/log/ltm. These logs show in the GUI too, System - Logs - Local Traffic

Hope this helps

N

Geethanjali_321
Nimbostratus

Hi,

I am not able to access this through the GUI. I don't find an option under System.

What_Lies_Bene1
Cirrostratus
Do you at least have System > Logs?

nathe
Cirrocumulus
What user role are you?

Specifies log access by user role. You can allow or deny access for each user role except Administrator and Resource Administrator, which are always set to Allow. When the field is set to Deny, the Logs tab is not present for users of that role type, and trying to access the log directly results in a no-access message.

Geethanjali_321
Nimbostratus

Hi,

I am sorry. I got it now. Can you please explain what this code does? I understood the basic function, that it rejects all other IPs apart from the ones in the data group ip_class. But I didn't get the log.local0 part and the server connected's syntax... Can you please explain it to me?

   when CLIENT_ACCEPTED {
      if { ! [class match -- [IP::client_addr] equals ip_class] } {
         log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
         reject
      }
   }
   when SERVER_CONNECTED {
      log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
   }

 

Thanks and Regards,
Geethanjali

nathe
Cirrocumulus
See https://devcentral.f5.com/wiki/irules.server_connected.ashx

The log local0. command is simply grabbing all the information it gets from the request in the [] brackets e.g. the client ip address/port, and writing a log to detail the connection in a readable format.
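To make the two log statements concrete, here is an added Python example that is not part of the thread and not F5 code: it parses the "Reject ... -> vs" lines written in CLIENT_ACCEPTED and the "Allow ... -> vs -> pool member" lines written in SERVER_CONNECTED, as they land in /var/log/ltm through log local0., and audits them against the data group so that a client that was allowed through without being in ip_class (or rejected while being in it) stands out. The first three log lines and the ALLOWED set come from nitass's example earlier in the thread; the fourth log line is constructed to show what a mismatch looks like.

```python
"""Added example (not from the thread or F5): parse the Reject/Allow lines that
the posted iRule writes to /var/log/ltm through 'log local0.', and audit them
against the data group. The first three log lines are the ones nitass pasted;
the fourth line is constructed so the audit has something to flag."""
import re
from collections import Counter

# CLIENT_ACCEPTED logs "Reject client -> vs"; SERVER_CONNECTED logs
# "Allow client -> vs -> pool member", so the trailing hop is optional.
LTM_RE = re.compile(
    r"Rule (?P<rule>\S+) : (?P<verdict>Reject|Allow) "
    r"(?P<client>[\d.]+):(?P<cport>\d+) -> (?P<vs>[\d.]+):(?P<vport>\d+)"
    r"(?: -> (?P<member>[\d.]+):(?P<mport>\d+))?"
)


def parse_ltm(line):
    """Return a dict for one iRule log line, or None for unrelated lines."""
    m = LTM_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("cport", "vport", "mport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def audit(lines, allowed):
    """Count verdicts per client and flag lines whose verdict disagrees with
    membership in the allow list (an Allow for a client outside the data group,
    or a Reject for one inside it), so data-group drift shows up in the log."""
    counts = Counter()
    inconsistent = []
    for line in lines:
        rec = parse_ltm(line)
        if rec is None:
            continue
        counts[(rec["client"], rec["verdict"])] += 1
        if (rec["verdict"] == "Allow") != (rec["client"] in allowed):
            inconsistent.append(line)
    return counts, inconsistent


# Data group contents as listed in the thread (class ip_class).
ALLOWED = {"172.28.19.251", "192.168.206.57"}

# Constructed sample: nitass's three lines plus one fabricated Allow for a host
# that is not in the data group, which the audit should flag.
SAMPLE_LTM = [
    "Oct 25 22:57:44 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59229 -> 172.28.19.79:80",
    "Oct 25 22:57:53 local/tmm info tmm[7926]: Rule myrule : Allow 192.168.206.57:65000 -> 172.28.19.79:80 -> 200.200.200.101:80",
    "Oct 25 22:58:12 local/tmm info tmm[7926]: Rule myrule : Allow 172.28.19.251:37085 -> 172.28.19.79:80 -> 200.200.200.101:80",
    "Oct 25 23:01:02 local/tmm info tmm[7926]: Rule myrule : Allow 10.0.0.5:41000 -> 172.28.19.79:80 -> 200.200.200.101:80",
]


if __name__ == "__main__":
    counts, bad = audit(SAMPLE_LTM, ALLOWED)
    for (client, verdict), n in sorted(counts.items()):
        print(f"{client:16} {verdict:7} {n}")
    for line in bad:
        print("INCONSISTENT:", line)
```

Because the Allow line is only emitted from SERVER_CONNECTED, a permitted client whose pool member never answers produces neither a Reject nor an Allow entry; when reading the log, absence of a line is not evidence that the client was blocked.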