Forum Discussion

eric_haupt1
Dec 19, 2018

GTM / DNS Restrict source ports from GTM when LB DNS to Microsoft servers

Due to security restrictions, I need to have GTM use source ports 49152-65535 from the self-IP it uses to LB DNS traffic to the DNS servers. I've attempted to force avoidance of certain ports with iRules, but it doesn't appear to be working fully. Here are the iRules I've tried - I'm looking for a better solution. Is there any way to restrict GTM source port ranges?

when SERVER_CONNECTED {
    # Drop the UDP server-side flow if the local (GTM-side) port is listed in the
    # hbss-port-exception data group
    if { [class match [UDP::local_port] equals hbss-port-exception] } {
        log local0. "HBSS EXCEPTION LOG: [IP::server_addr]:[UDP::local_port] - GTM dropping UDP"
        UDP::drop
    }
}

when SERVER_CONNECTED {
    # Same check for TCP: close the server-side connection if its local port is in the data group
    if { [class match [TCP::local_port] equals hbss-port-exception] } {
        log local0. "HBSS EXCEPTION LOG: [IP::server_addr]:[TCP::local_port] - GTM dropping"
        TCP::close
    }
}

6 Replies

  • Steve_Lyons_236
    Historic F5 Account

    I have tested the following iRule and it seems to accomplish what you are looking for. Let me know if this works.

    when RULE_INIT {
        # Self-IP addresses eligible to be used as the SNAT source address
        set static::ip_list [list 10.1.20.254]
    }
    when CLIENT_ACCEPTED {
        # Pick one SNAT address at random from the list
        set random_snat_ip [lindex $static::ip_list [expr {int(rand()*[llength $static::ip_list])}]]

        # Replace demo_dns_pool with the pool the DNS traffic is load balanced to.
        # active_members -list returns an {address port} pair for each available member
        set available_pool_member [active_members -list demo_dns_pool]

        # Pick one available member at random and keep only its address
        set random_pool_member [lindex [lindex $available_pool_member [expr {int(rand()*[llength $available_pool_member])}]] 0]

        # 53 is the pool member's listening port. 50000, 49152 and 65535 are the
        # "hint port", minimum port and maximum port for the unused local port search
        set random_port [UDP::unused_port $random_pool_member 53 $random_snat_ip 50000 49152 65535]

        # SNAT to the chosen address and port, then send to the chosen member
        snat $random_snat_ip $random_port
        pool demo_dns_pool member $random_pool_member
    }
    
    • eric_haupt1

      It doesn't appear to be randomizing the port. I'm using it in this fashion since I do not require pool member randomization or self-IP randomization. Logs show that only the hint port is used, and in tcpdump and in stats monitoring for the listener I see flow stats drop to "1" while this is in place.

      when LB_SELECTED {
          # Ask for an unused local port on the self-IP in 49152-65535, hint port 50000,
          # toward the selected server address and port
          set gtm_random_port [UDP::unused_port [IP::remote_addr] [UDP::remote_port] [IP::local_addr] 50000 49152 65535]
          snat [IP::local_addr] $gtm_random_port
          log local0. "[IP::local_addr]:$gtm_random_port"
      }
      
    • Steve_Lyons_236
      Historic F5 Account

      This iRule was tested on both 14.1 and 13.1.1.2 virtual appliances with a GTM only license though both GTM and LTM were provisioned.
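
The thread checks the result in tcpdump and in listener flow stats. The following is an added check, not code from the thread or from F5: a small Python script (not an iRule) that parses `tcpdump -nn` output captured on the GTM self-IP, reports any DNS query whose source port falls outside 49152-65535, and reports whether more than one source port is in use, which is the "only the hint port is used" symptom described above. The self-IP 10.1.20.254 and the DNS server addresses in the sample capture are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of tcpdump -nn output as seen on the GTM self-IP (not a real capture).
# Line 2 is the server's reply and must be ignored; line 6 uses a port outside the range.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.1.20.254.50000 > 10.1.10.53.53: 12345+ A? www.example.com. (33)
12:00:01.000101 IP 10.1.10.53.53 > 10.1.20.254.50000: 12345 1/0/0 A 93.184.216.34 (49)
12:00:02.000001 IP 10.1.20.254.50000 > 10.1.10.53.53: 12346+ A? mail.example.com. (34)
12:00:03.000001 IP 10.1.20.254.49152 > 10.1.10.54.53: 12347+ AAAA? www.example.com. (33)
12:00:04.000001 IP 10.1.20.254.65535 > 10.1.10.53.53: 12348+ A? ns.example.com. (32)
12:00:05.000001 IP 10.1.20.254.1025 > 10.1.10.53.53: 12349+ A? bad.example.com. (33)
"""

# Constructed sample showing the symptom from the thread: every query leaves from the hint port.
HINT_ONLY_CAPTURE = """\
12:10:01.000001 IP 10.1.20.254.50000 > 10.1.10.53.53: 22345+ A? www.example.com. (33)
12:10:02.000001 IP 10.1.20.254.50000 > 10.1.10.54.53: 22346+ A? mail.example.com. (34)
12:10:03.000001 IP 10.1.20.254.50000 > 10.1.10.53.53: 22347+ A? ns.example.com. (32)
"""

# Matches the "IP <src>.<sport> > <dst>.<dport>:" part of a tcpdump -nn IPv4 line (UDP or TCP)
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_queries(capture, self_ip, dns_port=53):
    """Return a list of (source_port, server_ip) for packets sent by self_ip to dns_port."""
    queries = []
    for line in capture.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        src, sport, dst, dport = match.group(1), int(match.group(2)), match.group(3), int(match.group(4))
        if src == self_ip and dport == dns_port:
            queries.append((sport, dst))
    return queries


def audit_source_ports(capture, self_ip, min_port=49152, max_port=65535, min_distinct=2):
    """Check that every outbound DNS query from self_ip used a source port in
    [min_port, max_port] and that the ports are actually being varied."""
    queries = parse_queries(capture, self_ip)
    port_counts = Counter(sport for sport, _ in queries)
    out_of_range = sorted(p for p in port_counts if not (min_port <= p <= max_port))
    distinct = len(port_counts)
    return {
        "queries": len(queries),
        "out_of_range": out_of_range,
        "distinct_ports": distinct,
        "randomized": distinct >= min_distinct,
        "ok": not out_of_range and distinct >= min_distinct,
    }


if __name__ == "__main__":
    # Stand-alone run over the constructed samples; feed a real capture file via stdin instead
    for name, capture in (("sample", SAMPLE_CAPTURE), ("hint-only", HINT_ONLY_CAPTURE)):
        print(name, audit_source_ports(capture, "10.1.20.254"))
```

On a real system the input would be the output of something like `tcpdump -nn -i <iface> src host <self-ip> and udp dst port 53` run on the GTM (the interface and self-IP are whatever is configured); the audit is intentionally over the captured text, so it tests what actually left the box rather than what the iRule logged.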
