Forum Discussion

John_Ogle_45372
Aug 19, 2013

SNAT iRule needed - 1:1 mappings

I have a situation where logging is needed for the admins to see the real IP addresses, but I need to keep SNAT in place. Can someone provide a sample iRule that will allow me to make static NAT mappings to each of the four "important" clients? The rest of the clients can use the default automap SNAT. If I can use four SNAT addresses but always have a particular SNAT go to a specific client address, then I can log this and satisfy the security need. They just need to see who is hitting the VIP, especially the four specific clients.


Thank you,


7 Replies

  • At a minimum, perhaps something like this:

    # Event name corrected from CLIENTED_ACCEPTED; CLIENT_ACCEPTED fires once per
    # client-side connection, before the server-side connection is built.
    when CLIENT_ACCEPTED {
        switch [IP::client_addr] {
            # Four "important" clients each get a dedicated SNAT address
            # (first address corrected from 192.169.x to match the others).
            "10.10.10.10" { snat 192.168.42.10 }
            "10.10.10.11" { snat 192.168.42.11 }
            "10.10.10.12" { snat 192.168.42.12 }
            "10.10.10.13" { snat 192.168.42.13 }
            # Everyone else keeps the default automap SNAT
            default { snat automap }
        }
    }
    

    You could also do this very nicely with a datagroup definition. I'd also add that enabling an X-Forwarded-For header for HTTP traffic is as easy as enabling it in the HTTP profile.

  • Are these HTTPS connections? If so, then you can simply enable X-Forwarding in the HTTP profile and see the source of all HTTP connections in the Apache or IIS logs.


  • uni

    There are several other ways you could tackle this problem.

    I think the simplest is to enable the "Insert X-Forwarded-For" option in the HTTP profile attached to your virtual server. Doing this, you will be able to parse the web servers' log files for the clients you are interested in.

    Alternatively, you can add a simple iRule to the virtual which logs to the BIG-IP itself; then you can find the entries in /var/log/ltm:

    ltm data-group internal big-customer-class {
        records {
            10.1.2.3/32 { }
            10.2.3.4/32 { }
            10.3.4.5/32 { }
            10.4.5.6/32 { }
        }
        type ip
    }
    
    ltm rule log-big-customers-rule {
        when HTTP_REQUEST {
            if { [class match [IP::client_addr] equals big-customer-class] } {
                log  "Customer [IP::client_addr] requested [HTTP::host][HTTP::uri]"
            }
        }
    }
    

    Or, you can do it the way you suggested, create a data-group with the client IPs and the corresponding SNAT addresses:

    ltm data-group internal big-customer-class {
        records {
            10.1.2.3/32 { 192.168.1.1 }
            10.2.3.4/32 { 192.168.1.2 }
            10.3.4.5/32 { 192.168.1.3 }
            10.4.5.6/32 { 192.168.1.4 }
        }
        type ip
    }
    
    ltm rule snat-big-customers-rule {
        when HTTP_REQUEST {
            # Only clients listed in the data group get a dedicated SNAT address;
            # -value returns the address stored beside the matching record.
            if { [class match [IP::client_addr] equals big-customer-class] } {
                snat [class match -value [IP::client_addr] equals big-customer-class]
            }
        }
    }
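    Since the original question also covers non-HTTP servers, the variant below (an added example, not from any post in this thread) moves the data-group lookup into CLIENT_ACCEPTED so it works for any TCP virtual server, and logs both the real client address and the SNAT address chosen, which is what the admins need to correlate. It assumes the big-customer-class data group from the post above and a TCP virtual server; the log prefix and the SERVER_CONNECTED check are my additions.

```tcl
# Added example: per-client static SNAT plus local logging, protocol-independent.
# Assumes the ip-type data group "big-customer-class" whose record values are
# the dedicated SNAT addresses, e.g. 10.1.2.3/32 { 192.168.1.1 }.
when CLIENT_ACCEPTED {
    # Look up the client's dedicated SNAT address; empty string when the
    # client is not one of the listed "important" addresses.
    set snat_addr [class match -value [IP::client_addr] equals big-customer-class]

    if { $snat_addr ne "" } {
        snat $snat_addr
        # Record real client -> VIP -> chosen SNAT so /var/log/ltm shows who hit the VIP
        log local0. "SNATMAP client=[IP::client_addr]:[TCP::client_port] \
            vip=[IP::local_addr]:[TCP::local_port] snat=$snat_addr"
    } else {
        # Everyone else keeps the default automap behaviour
        set snat_addr "automap"
        snat automap
    }
}

when SERVER_CONNECTED {
    # Verification step: IP::local_addr on the server side is the address the
    # pool member actually sees, so this confirms the mapping took effect.
    log local0. "SNATMAP expected=$snat_addr actual=[IP::local_addr] \
        server=[IP::server_addr]:[TCP::server_port]"
}
```

    The SERVER_CONNECTED line is only needed while validating the mapping; drop it afterwards to keep log volume down.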
    
  • Is SNAT an actual requirement? You could always set the default gateway of the servers to be the LTM floating IP and disable SNAT; that way you get the true client IP for anything, and it is useful if the app doesn't support the X-Forwarded-For header (or it's a non-HTTP/HTTPS app).


  • lapayne,


    The non-http servers do not reside on the same subnet as the LTM. This is a one-armed config with one external vlan. Everything is routing at this point.


    To disable SNAT... If I add an additional VLAN and plug into the servers' VLAN, then I could point them to the F5 as their default gateway, but that will also require a 0.0.0.0 forwarding VS, correct?


    Thank you,


  • To disable SNAT... If I add an additional VLAN and plug into the servers' VLAN, then I could point them to the F5 as their default gateway, but that will also require a 0.0.0.0 forwarding VS, correct?


    Yes. Anyway, don't you have a wildcard virtual server (i.e. 0.0.0.0:0/0) currently? How do you apply the SNAT?