
FTP Proxy , user based forwarding with iRule

I'm looking into using a VS as an FTP proxy towards my backend webserver. Currently it already works for one webserver behind the VS.

I'm now trying to write an iRule to forward traffic to the right server based on the username the FTP connection is initiated with. Secondly, I need to rewrite the username and remove the web parameter.

Example:

USER1 connects to ftp.f5.com with following credential USER1@WEB1

@WEB1 is removed from the credential and forwarded towards pool WEB1

Anybody have any ideas how to do this last part?

0
Comments on this Question
Comment made 1 month ago by LeanderV 65

So currently I can redirect traffic to the right server based on username.

But the username gets modified somehow when the F5 sends it to the server. I use the following to change the TCP::payload:

TCP::payload replace 0 [TCP::payload length] ""
set packetdata "USER $user"
TCP::payload replace 0 0 $packetdata

Server side we see the following:

[pid 31210] FTP command: Client "::ffff:10.1.1.1", "USER usernameSYST"

When I log TCP::payload on the F5 I see "USER username". So I have no idea where the SYST part comes from.

0
Comment made 1 month ago by Andy McGrath 2370

Can you share the value you're setting the variable user to in your iRule?

0
Comment made 1 month ago by LeanderV 65

It's the following.

log local0. [TCP::payload]
# this gives USER username@ftp1
regexp "USER \(\[a-zA-Z0-9_-]+)" [TCP::payload] all user
log local0. "$user"
# this gives username
0
Comment made 1 month ago by Andy McGrath 2370

Try this:

TCP::payload replace 0 [TCP::payload length] "" 
TCP::payload replace 0 0 "USER $user\r\n"

The \r\n I think is needed as the end of the FTP command.

0
Comment made 1 month ago by LeanderV 65

Thanks, that's correct!

Username is correct now on the serverside.

0
Comment made 1 month ago by Andy McGrath 2370

Good glad it worked for you :D

0
Comment made 4 weeks ago by LeanderV 65

Any idea on how to read out the password? I only have success connecting if I place the password in the TCP::payload.

set packetdata "USER $user\r\nPASS test123\r\n"

I could set up a data group with all users and passwords on the F5, but that is something I would like to avoid.

0
Comment made 4 weeks ago by Andy McGrath 2370

From what I have seen, the FTP PASS command is sent separately following a 331 request from the FTP server.

This is from an example PCAP file I found online:

< 220-
< 220 6bone.informatik.uni-leipzig.de FTP server (NetBSD-ftpd 20041119) ready.
> USER anonymous
< 331 Guest login ok, type your name as password.
> PASS IEUser@
< 230 Guest login ok, access restrictions apply.
> opts utf8 on
< 502 Unknown command 'utf8'.
> syst
< 215 UNIX Type: L8 Version: NetBSD-ftpd 20041119
> site help
< 214-

If this is the case for your client and server, I would expect the F5 can simply pass through the password in the next payload.

It is possible that different authentication methods are available (I hit this issue when writing an extract iRule for SMTP authentication), so you would need to check, as I do not know FTP in that much detail.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Just working on a similar project extracting user credentials from SMTPS requests.

First, nothing in the FTP iRule commands can do this for you, so you need to read the TCP payload to locate and extract the data you need.

To do this you need to work out a flow where you enable collection of the next clientside and/or serverside payload using `TCP::collect` (or `SSL::collect` if you are using SSL offload), then identify the payload with the USER details and do some manipulation with the `TCP::payload` command. Don't forget to release the payload using `TCP::release`.

Best is to look at the following code share examples, which you can hopefully use as a base:

0
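As an added example (not code posted in the thread), here is an iRule that puts together the flow the answer describes and the CRLF fix from the comments: collect the first clientside payload, extract `user@site` from the USER command, rewrite the command with its terminator intact, pick the pool named after the site, and release. It assumes an FTP virtual server whose pools are named exactly like the `@site` suffix, and it leaves PASS alone since, as noted in the comments, it arrives in a later packet after the server's 331.

```tcl
# Added example, not code from the thread. Assumes FTP control connections hit this
# virtual server and that a pool exists for each "@site" suffix clients may use.
when CLIENT_ACCEPTED {
    # Hold the first clientside payload so the USER command can be inspected.
    TCP::collect
}

when CLIENT_DATA {
    set payload [TCP::payload]

    # Wait until at least one complete, CRLF-terminated command line has arrived.
    if { [string first "\r\n" $payload] == -1 } {
        TCP::collect
        return
    }

    # Look for "USER <name>@<site>" at the start of the payload; FTP commands are
    # case-insensitive, so match USER with -nocase.
    if { [regexp -nocase {^USER ([^@\r\n]+)@([A-Za-z0-9_-]+)\r\n} $payload all user site] } {
        # Dynamic pool selection. An unknown site must not silently fall through to
        # the default pool, so log it and drop the connection instead.
        if { [catch { pool $site }] } {
            log local0. "FTP login rejected: unknown site '$site' from [IP::client_addr]"
            reject
            return
        }
        # Replace only the matched USER line and keep the CRLF terminator. Dropping it
        # glues the client's next command (SYST) onto the name, giving "usernameSYST".
        TCP::payload replace 0 [string length $all] "USER $user\r\n"
        log local0. "FTP user '$user' forwarded to pool '$site'"
    }

    # Forward the (possibly rewritten) payload. PASS follows the server's 331 in a
    # later packet and passes through untouched, so collection is not re-armed.
    TCP::release
}
```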
Comments on this Answer
Comment made 1 month ago by LeanderV 65

Thanks for the comment and info. I already looked at those code shares and they were a help.

But currently I'm having the following issue. I use the following

TCP::payload replace 0 [TCP::payload length] ""
set packetdata "USER $user"
TCP::payload replace 0 0 $packetdata

to rewrite the data. But the server sees the username as userSYST, and I have no idea where the SYST part comes from.

The output of TCP::payload on the F5 gives me "USER username" and not "USER usernameSYST".

0