iRule to randomly change source IP

Hi,

I'm still too new to iRules, so I have a problem figuring out a rule that will simulate clients coming from different geolocations when traffic is generated from a limited pool of private IP addresses. So something like this:

1. A packet is coming with a private IP.
2. A random generator (I will find code for that, but if somebody has a ready one allowing to generate country-located IPs I will appreciate sharing) generates some IP and replaces the original one with the generated one before sending the request to the server - actually it would be great if it could be changed on the client side, but I doubt it is possible? I would like to generate some data for Analytics and other statistics modules on LTM.
3. Before sending the response, the packet's destination IP is changed back to the original source IP before sending back to the client.

Piotr


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

And maybe you find these useful as well:

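when CLIENT_ACCEPTED {
    # Map the last octet of the client address onto one of 32 SNAT addresses (10.10.10.1 to 10.10.10.32)
    snat 10.10.10.[expr { ([getfield [IP::client_addr] "." 4] % 32) + 1 }]
    # Alternative: carry the client's last two octets over into 10.10.x.y
#   snat 10.10.[getfield [IP::client_addr] "." 3].[getfield [IP::client_addr] "." 4]
}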

The following one simulates varying clients by inserting a randomized X-Forwarded-For and uses another internal virtual server for processing:

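when HTTP_REQUEST {
    # The source address is still translated by SNAT AutoMap; only the header value is randomized
    snat automap
    HTTP::header insert X-Forwarded-For [expr { int(rand()*128) + 32 }].[expr { int(rand()*254) }].[expr { int(rand()*254) }].[expr { int(rand()*254) }]
    # Hand the request over to the internal virtual server for processing
    virtual vs_internal
}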
1
Comments on this Answer
Comment made 10-Mar-2015 by Piotr Lewandowski 1162
Thanks again, will play around and check which solution will work better for me.
0
Comment made 11-Mar-2015 by Piotr Lewandowski 1162
Stephan,

First of all, thanks a lot, your solution with two VS is working beautifully :-). I assume that you missed virtual vs_internal from the iRule with snat (without X-Forwarded-For header insertion). After adding everything it almost started to work; because of some glitches in my VE 1.2.0, after the first try I had two issues:

1. The VIP for the newly created VS was not answering ARP requests - I had to fail over Active to Standby and back - then ARP started to work.
2. After the ARP fix, for some strange reason I was receiving just an empty page - even if the target VS was showing the received HTTP request - I had to hit the target VS directly from the host, and then the random_ip VS started to work as expected.

I wonder why you changed the random IP generator code in the above iRules? The first one seems to create much wider country coverage. Anyway, great tips!

Piotr
0
Comment made 11-Mar-2015 by Stephan Manthey 3803
Hi Piotr, I'm using these iRules in multiple contexts and sometimes in front of emulated servers (represented by a second BIG-IP VE with a "reflector" iRule [to be posted soon]). The "rand" command provides a random number to be multiplied with a fixed factor. This way I can modify the range of clients and emulate to test the GeoIP database or analytics. The other example uses a modulus to limit the range of SNATs to 32. In any case the real server needs a route back to the SNAT. And as long as the SNATs do not belong to a locally attached network you don't need to care about ARP. Thanks, Stephan
0
Comment made 19-Mar-2018 by Stephan Manthey 3803

Please note the iRule above just inserts an X-Forwarded-For header with a random IP address. Source address translation will still be based on SNAT AutoMap here. Set the logging directive on the internal webserver / virtual server to track the X-Forwarded-For header values. To modify the source IP randomly the iRule must not use snat automap. Instead apply the randomized SNAT from the iRule below:

snat [expr { int(rand()*193) + 1}].[expr { int(rand()*254) + 1}].[expr { int(rand()*254) +1}].[expr { int(rand()*253) +1}]

0
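Added example, not part of the original thread and written in Python rather than iRule Tcl so it can be run off-box: it models the two generators posted above (`int(rand()*128) + 32` for the X-Forwarded-For header, `int(rand()*193) + 1` for the SNAT), shows the first-octet span each one covers, and measures how many generated addresses land in private, loopback or other non-global ranges that a GeoIP database cannot map to a country. All function and constant names are hypothetical.

```python
import ipaddress
import random

# Models of the two generators from the iRules in this thread.
# One (multiplier, offset) pair per octet: int(rand()*multiplier) + offset.
XFF_GENERATOR = [(128, 32), (254, 0), (254, 0), (254, 0)]
SNAT_GENERATOR = [(193, 1), (254, 1), (254, 1), (253, 1)]


def octet_range(multiplier, offset):
    """Inclusive range produced by int(rand()*multiplier) + offset."""
    return offset, offset + multiplier - 1


def generate(spec, rng):
    """Build one dotted-quad address the way the iRule expression does."""
    return ".".join(str(int(rng.random() * m) + o) for m, o in spec)


def non_global_share(spec, samples=20000, seed=1):
    """Fraction of generated addresses that are not globally routable."""
    rng = random.Random(seed)
    hits = sum(
        not ipaddress.ip_address(generate(spec, rng)).is_global
        for _ in range(samples)
    )
    return hits / samples


def generate_global(spec, rng, max_tries=50):
    """Retry until the address is globally routable, so GeoIP can place it."""
    for _ in range(max_tries):
        addr = generate(spec, rng)
        if ipaddress.ip_address(addr).is_global:
            return addr
    raise RuntimeError("no global address found within max_tries")


if __name__ == "__main__":
    for name, spec in (("XFF", XFF_GENERATOR), ("SNAT", SNAT_GENERATOR)):
        print(name, "first octet:", octet_range(*spec[0]),
              "non-global share: %.2f%%" % (100 * non_global_share(spec)))
    print("filtered sample:", generate_global(SNAT_GENERATOR, random.Random(7)))
```

Roughly one address in a hundred from either generator is non-global (for example 127.x.x.x, or 10.x.x.x from the SNAT variant), so a small share of "unknown" locations in the analytics charts is expected unless such addresses are filtered out.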
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Piotr,
here is a sample iRule to do exactly this:

when CLIENT_ACCEPTED {
    snat [expr { int(rand()*193) + 1}].[expr { int(rand()*254) + 1}].[expr { int(rand()*254) +1}].[expr { int(rand()*253) +1}]
}

Thanks, Stephan

1
Comments on this Answer
Comment made 10-Mar-2015 by Piotr Lewandowski 1162
Hi, thanks, I will test it. I wonder which IP the analytics profile is using for the Client IP Addresses charts. I am afraid that it is the ones present on the client-side connection, not the server side. If that is so, this solution will not really help with geolocation-related tests. Piotr
0
Comment made 10-Mar-2015 by Stephan Manthey 3803
Hi Piotr, just see the other iRule below which applies random SNAT and forwards to another internal virtual server. The internal virtual server has the analytics profile assigned. Thanks, Stephan
1
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I'm trying to do this random_ip_irule (device) but it won't work, with 2 VS and iRules. Could you tell me if there were some changes in 13.1.0.2?

0
Comments on this Answer
Comment made 19-Mar-2018 by Stephan Manthey 3803

Hi Dojs, you are trying to use this one:

when CLIENT_ACCEPTED {
    snat [expr { int(rand()*193) + 1}].[expr { int(rand()*254) + 1}].[expr { int(rand()*254) +1}].[expr { int(rand()*253) +1}]
}

Please provide the following:

tmsh list ltm rule <your-irule-name>
tmsh list ltm virtual <your-virtual-name>

The code should work in v13+ as well. Perhaps you disabled SNAT on pool level by accident or simply did establish a new connection after assigning the iRule? iRule logic will apply to new connections only. Existing connections (same browser window etc.) won't be affected. Cheers, Stephan

0
Comment made 19-Mar-2018 by Dojs 110

Hi Stephan,

I did it differently with a friend and it works very well for ASM and Analytics.

Two VS were used, the first without a pool.

1. VS - create an HTTP profile with XFF - create a new VS using the profile that you created - insert the iRule below

when HTTP_REQUEST {
    snat automap
    HTTP::header insert X-Forwarded-For [expr { int(rand()*128) + 32 }].[expr { int(rand()*254) }].[expr { int(rand()*254) }].[expr { int(rand()*254) }]
    virtual YOUR_2VS
}

2. VS - create your real VS, pool, HTTP profile

For ASM, I used the Trust XFF Header setting in my security policies.

It's working, thanks a lot.

1
Comment made 19-Mar-2018 by Stephan Manthey 3803

Fine. Thanks for the update. :)

0