I am new to Irules and TCL. I have a need to create SNATs for my mail servers. What I am looking for is the syntax for parsing a field. So if I have a series of addresses defined as hosts class hosts { 192.168.16.112 198.212.10.112 192.168.16.108 198.212.10.108 } I would like to inspect it and if the address is the 1st field then the SNAT will be the second field. Any help would be greatly appreciated.

You can use the findclass (Click here) command to return the matching field. The first example on the wiki page is pretty close to what you're trying to do. Aaron

hmmm, I'm gonna go out on a limb here & suggest an iRule is not the answer here. Unless you need the iRule to do something else, I'd just create one-to-one SNATs in the GUI instead & enable them on the server vlan... /d

I agree, except that because of some other configuration issues that wont work for me. Basically I will be using forwarding servers to my firewall. The concern is that there would be leakage using the 1 to 1 SNATS

Whether you use a simple iRule as mentioned in your original post to map the origin to the SNAT addr, or define 1-1 SNATs, the end result (src addr of the egress packet based on src addr of ingress packet) will be the same. You might need the iRule to only SNAT under certain conditions, such as traffic bound for internal destinations only. In that case, you can condition the SNAT & use a class like the one you've created. The class would be type String, and an iRule to be applied to a wildcard forwarding VS would have the following logic: when CLIENT_ACCEPTED { if {[IP::addr [IP::local_addr] equals 192.168.1.0/24] }{ set snat_addr [findclass [IP::remote_addr] $::hosts " "] if {!($snat_addr eq "") }{ snat $snat_addr } } }The direction is outbound from the servers, so the server in this case is the client, and remote_addr is the server address. Because it's a wildcard virtual server, local_addr is the endpoint destination address. So in this comparison you would replace the 192.168 addr with the subnet your servers that should be SNAT'd is on. If more than one dest subnet requires SNAT, or if you want to specify only certain addresses, you could do the comparison to more destinations by using another class with matchclass in the first condition. HTH /d

The direction is outbound from the servers, so the server in this case is the client, and remote_addr is the server address. Because it's a wildcard virtual server, local_addr is the endpoint destination address. So in this comparison you would replace the 192.168 addr with the subnet your servers that should be SNAT'd is on. whoops, I so didn't say that right -- see, it can be confusing! This instead:So in this comparison you would replace the 192.168 addr with the destination subnet to which the traffic should be SNAT. /d

Snat for mail servers

16 Replies

Ian_Smith
Ret. Employee
Mar 16, 2009
you wrote this:

when CLIENT_ACCEPTED {

if { [TCP::local_port] == 25} {

switch [ IP::client_addr ] {

192.168.246.151 { snat 198.212.12.151 }

192.168.246.150 { snat 198.212.12.150 }

default { forward }

{log local0. "[ IP::client_addr ] snatted"}

}

}

}

but you can't put the logging line inside the switch statement (at least at the place where you put it). Try this:

when CLIENT_ACCEPTED { if [ [TCP::local_port] == 25 ] { switch [ IP::client_addr ] { 192.168.246.151 { snat 198.212.12.151 } 192.168.246.150 { snat 198.212.12.150 } default { forward } } log local0. "[IP::client] snatted" } else { forward } }
Casa_Henry_1360
Nimbostratus
Mar 16, 2009
That generates a parsing error.

Mar 16 13:24:05 bigipf51 mcpd[1655]: 01070151:3: Rule [iRuler_Parse_Test_Rule] error: line 8: [undefined procedure: IP::client] [IP::client] line 10: [undefined procedure: else] [else {forward}]
Ian_Smith
Ret. Employee
Mar 16, 2009
oops -

[IP::client] should be [IP::client_addr]
Casa_Henry_1360
Nimbostratus
Mar 16, 2009
Now it just gives line 10: [undefined procedure: else] [else {forward}]
CharlesCS
Cirrus
Mar 16, 2009
Try enclosing the test condition of the if statement in curly braces.
lmwf1_55268
Nimbostratus
Mar 18, 2009
I know this one looks a bit long compare to the aboves, but this one saved without any error and looks a bit easier for me to debug and maintain. Hope it helps.

when CLIENT_ACCEPTED {

if { [IP::addr [IP::client_addr] equals 192.168.246.151] and [TCP::local_port] == 25} {

snat 198.212.12.15

forward

} elseif { [IP::addr [IP::client_addr] equals 192.168.246.150] and [TCP::local_port] == 25} {

snat 198.212.12.150

forward

} else {

forward

}

}

Forum Discussion

Snat for mail servers

16 Replies

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

SNAT IP address logging

How to get Virtual servers associated with a specific SNAT pool

F5 Distributed Cloud Origin Server Subset Rules

SNAT pool persistence

F5 virtual server not using static route when SNAT is set to none.