Forum Discussion

Royal_131741
Aug 16, 2013

iRule for port forwarding ssh to port 2222 on Pool

Hi,

I hope somebody can help 🙂

I have two LBs (active/active) and two servers in the pool called RealSERVER, which are load balanced with lc.

On the two real servers I have two sshds, listening on port 22 and port 2222.

The sshd (on both machines) listening on port 2222 has the same RSA/DSA key, because I don't want a conflict if the client connects to the VIP.

If the client connects to the VIP via SSH, it would be great if the LBs redirected traffic from 22 to port 2222.

I've tested two iRules, but neither worked:

    when CLIENT_ACCEPTED {
        if { [TCP::local_port] == 22 } {
            pool RealServer 2222
        }
    }

and

    when CLIENT_ACCEPTED {
        switch [TCP::local_port 22] {
            2222 { pool RealSERVER }
            default { discard }
        }
    }

If I use this iRule:

    when CLIENT_ACCEPTED {
        if { [TCP::local_port] == 22 } {
            node 192.xxx.xxx.xxx 2222   ;# IP of RS1
            node 192.xxx.xxx.xxx 2222   ;# IP of RS2
        }
    }

the connection is redirected from 22 to 2222, but the load balancing doesn't work. Every time I connect via SSH to the VIP, I end up on RS1. If I open a second terminal, I'm also connected to RS1.
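The question relies on both port-2222 sshd instances presenting the same host key, so that clients connecting through the VIP never see a host-key mismatch whichever pool member they land on. The following added check (not code from the thread) verifies that property from ssh-keyscan style lines ("host keytype base64"); the two pool member addresses are the ones used later in the thread, and the key blobs are constructed so the script runs offline.

```python
# Added example: detect host-key drift between SSH backends behind one VIP.
# Input format is what `ssh-keyscan -p 2222 <host>` prints; keys here are constructed.
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """Length-prefixed SSH string (RFC 4251 wire encoding)."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_line(host: str, seed: bytes) -> str:
    """Constructed ssh-ed25519 keyscan line from a 32-byte seed.
    This only fabricates a syntactically valid public-key blob for the demo;
    a real inventory would come from ssh-keyscan against each pool member."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(seed)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint: sha256 of the decoded blob, unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_mismatches(keyscan_lines):
    """Group hosts by fingerprint per key type; return {keytype: {fp: [hosts]}}
    only for key types where the backends disagree. Empty dict means consistent."""
    seen = {}
    for line in keyscan_lines:
        if not line.strip() or line.startswith("#"):
            continue  # ssh-keyscan emits '# host:port SSH-2.0-...' comment lines
        host, ktype, b64 = line.split()[:3]
        seen.setdefault(ktype, {}).setdefault(fingerprint(b64), []).append(host)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample: the two pool members from the thread, sshd on port 2222.
SHARED_SEED = hashlib.sha256(b"constructed shared host key").digest()
OTHER_SEED = hashlib.sha256(b"constructed different host key").digest()
CONSISTENT = [
    make_ed25519_line("[192.168.101.11]:2222", SHARED_SEED),
    make_ed25519_line("[192.168.101.12]:2222", SHARED_SEED),
]
DRIFTED = [
    make_ed25519_line("[192.168.101.11]:2222", SHARED_SEED),
    make_ed25519_line("[192.168.101.12]:2222", OTHER_SEED),
]
```

A non-empty result means some client will be warned about a changed host key depending on which member the LB picks, which is exactly the conflict the question is trying to avoid.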

7 Replies

  • BinaryCanary_19

    I think you should not need an iRule here. One of your servers is listening on port 22, the other on port 2222. You can have a pool where one member is on port 22 and the other member is on port 2222.

    A standard VIP should be able to load balance to these servers and correct the ports as needed...

    • hooleylist
      Agreed. I'd use a FastL4 VS as there's nothing to do at L7 for SSH traffic.
  • Thanks for the fast reply and the good idea,

    but I would like to know the port forwarding rule. I think it's better to know different ways to the goal ;-)

    I already have three virtual servers on both LBs (ssh, http, ftp) and just one pool. I wouldn't like to add another server...

  • As AFanen said, you can achieve this using standard LTM config, but you can also achieve it using an iRule; you were pretty much there with your first one. If you want to load balance across your pool using 2222, you need to create a pool whose members use 2222; otherwise you can specify individual pool members and ports. Also, I think you'll need to consider persistence since you are using SSH. Here's some code that may help.

        when CLIENT_ACCEPTED {
            if { [TCP::local_port] == 22 } {
                log "ssh_server_pool with members 192.168.101.11:2222 192.168.101.12:2222 - using source address persistence"

                # necessary if not configured in the virtual server configuration:
                # translate address from VIP to member, translate port from 22 to 2222
                translate address enable
                translate port enable

                # load balance across pool
                pool ssh_server_pool

                # as we're talking ssh we need to set a persistence profile
                persist source_addr 255.255.255.255 0

                # log the local port
                log "localport: [TCP::local_port]"
            }
        }

        when SERVER_CONNECTED {
            # just for logging/debugging
            log "serverport: [TCP::server_port]"
        }

    cont...

  • The LTM config (I used an IP forwarding VS to listen on the VIP, as the iRule specifies the pool, and a pool configured with members using port 2222; it seems F5 recognises 2222 as rockwell-csp2 😞):

        ltm pool ssh_server_pool {
            description "2222 backend port"
            members {
                DNS1:rockwell-csp2 {
                    address 192.168.101.11
                }
                DNS2:rockwell-csp2 {
                    address 192.168.101.12
                }
            }
        }

        ltm virtual ssh_test {
            description ssh_test
            destination 86.189.0.240:any
            ip-forward
            ip-protocol tcp
            mask 255.255.255.255
            profiles {
                fastL4 { }
            }
            rules {
                ssh_test
            }
            source 0.0.0.0/0
            translate-address disabled
            translate-port disabled
            vs-index 11
        }

    Log and connection entries:

        (cfg-sync Changes Pending)(Active)(/Common)(tmos.ltm) show /sys conn cs-client-addr 10.12.13.3
        Sys::Connections
        10.12.13.3:56841  86.189.0.240:22  10.12.13.3:56841  192.168.101.11:2222  tcp  3  (tmm: 1)  none
        Aug 16 11:47:06 bnvf5wl001 info tmm[11396]: 01220002:6: Rule /Common/ssh_test : ssh_server_pool with members 192.168.101.11:2222 192.168.101.12:2222 - using source address persistence
        Aug 16 11:47:06 bnvf5wl001 info tmm[11396]: 01220002:6: Rule /Common/ssh_test : localport: 22
        Aug 16 11:47:06 bnvf5wl001 info tmm[11396]: 01220002:6: Rule /Common/ssh_test : serverport: 2222

    Hope it helps, Adrian.

  • Does it work? I have the same issue. I got the following:

        ssh_exchange_identification: read: Connection reset by peer

    With -vvv:

    OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g  1 Mar 2016
    debug1: Reading configuration data /root/.ssh/config
    debug3: kex names ok: [diffie-hellman-group1-sha1]
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug2: resolving "x.x.x.x" port 22
    debug2: ssh_connect_direct: needpriv 0
    debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    write: Connection reset by peer