Forum Discussion

Shaheryar
Aug 07, 2018

iRule to pass original client IP in SSH proxy

We have planned to perform SSH load balancing on our F5 ADC. In our scenario it is mandatory for us to perform SNAT and hence original IP cannot be recorded on the servers. We need an iRule to forward original client IP to servers to manage accountability on them.

I went through this article: https://devcentral.f5.com/questions/how-to-pass-client-ip-onto-access-logs-for-tcp-port22-connections-56770

In light of the aforementioned link, which iRule can be used to inject the original client IP into the initial SSH version handshake?

1 Reply

  • The solutions provided in the other post don't seem to work. I've tried to change the client identification string by using the iRule below, but it will prevent the client from connecting. The following error shows:

    ssh_dispatch_run_fatal: Connection to 10.23.98.218: incorrect signature

    It seems the client identification string is used during the key exchange, to prevent MITM attacks.

    when CLIENT_ACCEPTED {
        # Hold the first client packet so it can be inspected before it reaches the pool member
        TCP::collect
    }
    
    when CLIENT_DATA {
        set payload [TCP::payload]
        
        # Split the client identification line "SSH-2.0-softwareversion" into its three fields
        if { [scan $payload {%[^-]-%[^-]-%s} protocol protocolVersion softwareVersion ] == 3 } {
           log local0. "DEBUG: protocol = $protocol"
           log local0. "DEBUG: protocolVersion = $protocolVersion"
           log local0. "DEBUG: softwareVersion = $softwareVersion"
           
           set clientIP [IP::client_addr]
           
           # use format: SSH-2.0-softwareversion SP comments CR LF
           set newPayload "$protocol-$protocolVersion-$softwareVersion $clientIP\r\n"
           
           # Overwrite the collected identification line with the version carrying the client IP as a comment
           TCP::payload replace 0 [TCP::payload length] $newPayload
        }
        
        TCP::release
    }
    

    I think it's impossible to forward the originating client IP-address when using SNAT.
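The "incorrect signature" error in the reply above follows directly from how the SSH transport binds the identification strings into the key exchange. Under RFC 4253 section 8 the exchange hash H is computed over V_C (the client's identification line, comment field included, CR LF stripped), V_S, both KEXINIT payloads, the server host key and the Diffie-Hellman values, and the server signs H with its host key. The client verifies that signature against the H it computed from the line it actually sent, so any byte the proxy appends to that line produces a different H on the server side. The following Python is an added illustration, not code from the post or from F5; it mirrors the iRule's rewrite, assembles H with the RFC 4253 encodings (SHA-256, as used by diffie-hellman-group14-sha256), and shows the two sides disagreeing. The identification lines, KEXINIT payloads, host key blob, DH values and the 192.0.2.10 address are all constructed placeholders.

```python
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4253 'string': uint32 big-endian length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4253 'mpint' for a non-negative integer: minimal two's-complement
    encoding, with a leading 0x00 when the top bit would otherwise read as negative."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def identification_for_hash(line: bytes) -> bytes:
    """V_C / V_S as they enter the exchange hash: the whole identification line,
    comment field included, with the trailing CR LF removed (RFC 4253 section 8)."""
    return line.rstrip(b"\r\n")


def rewrite_identification(line: bytes, client_ip: str) -> bytes:
    """Python mirror of the iRule's scan/format step on the first client packet:
    keep 'proto-version-software' and append the client IP as the comment field."""
    parts = line.split(b"-", 2)
    if len(parts) != 3:          # not an identification line; the iRule leaves it alone
        return line
    protocol, version, rest = parts
    words = rest.split()         # Tcl's %s stops at whitespace, so only the first word survives
    software = words[0] if words else b""
    return b"%s-%s-%s %s\r\n" % (protocol, version, software, client_ip.encode())


def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k) -> bytes:
    """H = HASH(string V_C || string V_S || string I_C || string I_S || string K_S
    || mpint e || mpint f || mpint K), RFC 4253 section 8 with SHA-256."""
    blob = (ssh_string(v_c) + ssh_string(v_s) + ssh_string(i_c) + ssh_string(i_s)
            + ssh_string(k_s) + ssh_mpint(e) + ssh_mpint(f) + ssh_mpint(k))
    return hashlib.sha256(blob).digest()


def demo(client_ip: str = "192.0.2.10") -> dict:
    """Compare the H the client computes with the H the server computes,
    with and without the proxy rewriting the client identification line."""
    # Constructed stand-ins; the DH values are tiny but are encoded exactly as real ones.
    client_line = b"SSH-2.0-OpenSSH_7.4\r\n"
    server_line = b"SSH-2.0-OpenSSH_7.9p1 Debian-10\r\n"
    i_c = b"\x14" + bytes(16) + b"constructed-client-KEXINIT"
    i_s = b"\x14" + bytes(16) + b"constructed-server-KEXINIT"
    k_s = b"constructed-server-host-key-blob"
    e, f, k = 0x1234, 0x5678, 0x9ABC

    v_s = identification_for_hash(server_line)
    v_c_sent = identification_for_hash(client_line)
    # The client only ever knows the line it sent.
    h_client = exchange_hash(v_c_sent, v_s, i_c, i_s, k_s, e, f, k)
    # Without a rewrite the server hashes the same bytes.
    h_server_plain = exchange_hash(v_c_sent, v_s, i_c, i_s, k_s, e, f, k)
    # With the iRule in the path the server hashes the rewritten line instead,
    # signs that H, and the client's verification of the signature fails.
    v_c_seen = identification_for_hash(rewrite_identification(client_line, client_ip))
    h_server_rewritten = exchange_hash(v_c_seen, v_s, i_c, i_s, k_s, e, f, k)

    return {
        "client_hash": h_client.hex(),
        "server_hash_with_rewrite": h_server_rewritten.hex(),
        "hashes_match_without_rewrite": h_client == h_server_plain,
        "hashes_match_with_rewrite": h_client == h_server_rewritten,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print both hashes; they differ by construction because the comment field is part of V_C, so the rewrite cannot be made invisible to the key exchange by choosing a different separator or position within the line.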