Forum Discussion

toshi_01_132399's avatar
toshi_01_132399
Icon for Nimbostratus rankNimbostratus
Aug 30, 2013

mysql ip access control

I would like to do the ip access control by using a irule. However, I failed in the following way.

pool-allowhost-01 have kept some mysql.

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::remote_addr] equals 192.168.1.0/24] } {
         pool pool-allowhost-01
    } else {
         reject
    }
}

allowed host can not access pooling mysql.

[localhost ~]$  mysql -u user -ppass -h lbaddr
Warning: Using a password on the command line interface can be insecure.

stay stopping

application delivery
devops
iRules

21 Replies

Sort By
Show More
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Aug 31, 2013

    i think the original irule below is okay.

    when CLIENT_ACCEPTED {
    if { [IP::addr [IP::remote_addr] equals 192.168.1.0/24] } {
         pool pool-allowhost-01
    } else {
         reject
    }
}

    may you add log command to the irule something like what kevin suggested? also, i think it would be helpful if you can run tcpdump on bigip.

    e.g.

     tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host 192.168.1.30 or host 192.168.1.50 or host 192.168.1.51 or host 192.168.1.52

    and can you post the virtual server, pool and snatpool configuration here?

     tmsh list ltm virtual (virtual server name)
 tmsh list ltm pool (pool name)
 tmsh list ltm snatpool (snatpool name)

    just my 2 cents.