Forum Discussion
18 Replies
- Michael_JenkinsCirrostratus
You could follow the idea laid out in the wiki entry. There's also SOL6018 which talks about port range checking in iRules.
when CLIENT_ACCEPTED {
    # Check the data group
    if { ! ([class match [IP::client_addr] equals NETWORK_DATAGROUP_NAME] && ([TCP::local_port] >= 50000) && ([TCP::local_port] <= 59999)) } {
        # Not valid client
        drop
    }
}
- Justin_106597Nimbostratus
I have tried the iRule below and the port range doesn't work. Any ideas?
when CLIENT_ACCEPTED {
    # Check if client IP is not defined in the allowed_clients datagroup
    if { not ([class match [IP::client_addr] equals Admin_Data_Group]) } {
        # Client not in allowed IP list, one more check to see whether destination TCP port is in the range of 50000 to 59999 inclusive
        if { [TCP::remote_port] >= 80 or [TCP::remote_port] <= 443 } {
            # Drop further packets from the client
            drop
        }
    }
}
- Michael_JenkinsCirrostratus
Try adding some logging to see what happens and look in the LTM logs to verify things are coming in as expected. And you're trying to drop all connections with IPs in the data group and ports 80-443 (inclusive)?
when CLIENT_ACCEPTED {
    # Check if client IP is not defined in the allowed_clients datagroup
    log local0. "IP address: [IP::client_addr]"
    if { not ([class match [IP::client_addr] equals Admin_Data_Group]) } {
        # Client not in allowed IP list, one more check to see whether destination TCP port is in the range of 50000 to 59999 inclusive
        log local0. " Port: [TCP::remote_port]"
        if { [TCP::remote_port] >= 80 or [TCP::remote_port] <= 443 } {
            # Drop further packets from the client
            drop
        }
    }
}
- Justin_106597Nimbostratus
I'm trying to allow anyone in the admin data group (any port for admin access) and also allow any source address but only on 50,000 to 59,999 port range.
- Justin_106597Nimbostratus
This is the error I get when applying this iRule:
Check if client IP is not defined in the allowed_clients datagroup
01070151:3: Rule [/Common/Infoblox_Management] error: /Common/Infoblox_Management:1: error: [parse error: missing close-brace][{
log local0. "IP address: [IP::client_addr]" if { not ([class match [IP::client_addr] equals Infoblox_Management]) } {
Client not in allowed IP list, one more check to see whether destination TCP port is in the range of 50000 to 59999 inclusive
log local0. " Port: [TCP::remote_port]" if { [TCP::remote_port] >= 80 or [TCP::remote_port] <= 443 } {
Drop further packets from the client
drop } }]
/Common/Infoblox_Management:3: error: [command is not valid in the current scope][log local0. "IP address: [IP::client_addr]"]
/Common/Infoblox_Management:3: error: [command is not valid in the current scope][IP::client_addr]
/Common/Infoblox_Management:4: error: [command is not valid in the current scope][if { not ([class match [IP::client_addr] equals I
- Michael_JenkinsCirrostratus
How about trying this and see what you get in the logs.
when CLIENT_ACCEPTED {
    # Check if client IP is not defined in the allowed_clients datagroup
    log local0. "IP address: [IP::client_addr]"
    if { [class match [IP::client_addr] equals Admin_Data_Group] } {
        # Client in allowed IP list, so no more checks. ALLOW ACCESS
        log local0. " ALLOWED by IP address"
        return
    }
    log local0. "Source Port: [TCP::remote_port]"
    if { [TCP::remote_port] >= 50000 && [TCP::remote_port] <= 59999 } {
        log local0. " IP in ALLOW range"
        return
    }
    # Drop any connections that don't fit the previous criteria
    log local0. "IP and Port checks failed. DROPPING connection"
    drop
}
- Justin_106597Nimbostratus
That works. I checked the logs and the F5 is dropping my connection. My IP address is in the data group, which should be allowed on any port.
- Michael_JenkinsCirrostratus
Couple of things then.
1. What type of data group are you using? Did you create it as an "address" group?
2. What are the entries you have in your data group, and what's your IP that's coming through (in the log)?
- Justin_106597Nimbostratus
OK, I found part of the problem. The iRule is checking to make sure my IP is not in the data group. I need to make sure it checks that my IP is in the data group. I removed my IP from the data group and I can access the box now. Almost there.
- Michael_JenkinsCirrostratus
Ah, good catch. I updated my most recent code block with the right code. You just need to take out the NOT in the if statement for the IP.
- Justin_106597Nimbostratus
Yep, I removed the not and I can connect to the end device through the F5. You can see below that I removed the not. I also changed the port range from 22 to 23 for testing. I can have another machine not in the admin group try to SSH to the vserver address, but it doesn't get anything.
when CLIENT_ACCEPTED {
    # Check if client IP is not defined in the allowed_clients datagroup
    log local0. "IP address: [IP::client_addr]"
    if { ([class match [IP::client_addr] equals Infoblox_Management]) } {
        # Client in allowed IP list, so no more checks. ALLOW ACCESS
        log local0. " ALLOWED by IP address"
        return
    }
    log local0. "Source Port: [TCP::remote_port]"
    if { [TCP::client_port] >= 22 && [TCP::client_port] <= 23 } {
        log local0. " IP in ALLOW range"
        return
    }
    # Drop any connections that don't fit the previous criteria
    log local0. "IP and Port checks failed. DROPPING connection"
    drop
}
- Michael_JenkinsCirrostratus
I notice you are using TCP::client_port instead of TCP::remote_port... That may have something to do with it.
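The allow/drop decision this thread works toward, modelled in Python as an added example (not code from the thread or from F5) so the logic can be checked against a table of sample connections before touching the virtual server. It also reproduces the two mistakes the thread runs into: the `>= 80 or <= 443` test that is true for every port, and a range check on the client's source port (`TCP::remote_port`/`TCP::client_port` in CLIENT_ACCEPTED) where the requirement is about the destination port (`TCP::local_port`). The data-group entries, port numbers and connections are constructed.

```python
import ipaddress

# Constructed stand-in for an "address" type data group: CIDR entries.
ADMIN_DATA_GROUP = [ipaddress.ip_network(n) for n in ("10.1.1.0/24", "192.0.2.10/32")]
ALLOWED_PORT_RANGE = (50000, 59999)


def in_data_group(client_ip, group=ADMIN_DATA_GROUP):
    """Equivalent of [class match $ip equals GROUP] against an address data group."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in group)


def decide(client_ip, src_port, dst_port):
    """Intended rule: admins on any port, everyone else only on dst ports 50000-59999.
    dst_port plays the role of [TCP::local_port], src_port of [TCP::remote_port]."""
    if in_data_group(client_ip):
        return "allow"  # allowed by IP address, no further checks
    low, high = ALLOWED_PORT_RANGE
    if low <= dst_port <= high:
        return "allow"  # allowed by destination port range
    return "drop"


def decide_buggy_or(client_ip, src_port, dst_port):
    """The thread's first attempt: 'port >= 80 or port <= 443' holds for every port,
    so every non-admin connection is dropped regardless of port."""
    if not in_data_group(client_ip):
        if dst_port >= 80 or dst_port <= 443:
            return "drop"
    return "allow"


def decide_source_port(client_ip, src_port, dst_port):
    """Range check applied to the client's source port instead of the destination port."""
    if in_data_group(client_ip):
        return "allow"
    low, high = ALLOWED_PORT_RANGE
    return "allow" if low <= src_port <= high else "drop"


# Constructed sample connections: (client_ip, src_port, dst_port).
SAMPLE_CONNECTIONS = [
    ("10.1.1.25", 41234, 22),       # admin reaching SSH: allow
    ("203.0.113.5", 51000, 22),     # outsider reaching SSH: drop
    ("203.0.113.5", 41234, 55000),  # outsider inside the allowed range: allow
    ("203.0.113.5", 41234, 8443),   # outsider outside the range: drop
]


def evaluate(rule, connections=SAMPLE_CONNECTIONS):
    """Run a rule over the sample table and return the verdict for each connection."""
    return [rule(*conn) for conn in connections]
```

Running `evaluate` over each variant shows that the `or` version drops the in-range outsider, and the source-port version lets the outsider whose ephemeral source port happens to be 51000 reach SSH.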