iRules for specific TCP ports and HTTPS

Hello everyone

I am not an expert in F5, and I need help with a VIP for all ports; I only need to allow port 443 and TCP 7000 to 7010.

Currently I have this configuration:

when CLIENT_ACCEPTED {
    log local0. "Accepted--start iRule"
    if { ([TCP::local_port] < 7000) && ([TCP::local_port] > 7010) && ([TCP::local_port] != 443) } {
        log local0. "[IP::client_addr] rejected on TCP [TCP::local_port]"
        reject
    }
    if { ([TCP::local_port] >= 7000) && ([TCP::local_port] <= 7010) } {
        log local0. "[IP::client_addr] accepted on TCP [TCP::local_port]"
        pool pool01
    }
    if { ([TCP::local_port] == 443) } {
        log local0. "[IP::client_addr] accepted on TCP [TCP::local_port]"
        set proto "https"
        SSL::profile client.clientssl
        pool http_pool
    }
    log local0. "Ended--iRule completed"
}

But the HTTPS access is not working; I am not able to reach any node.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

You can test this iRule:

when CLIENT_ACCEPTED {
    log local0. "Accepted--start iRule"
    if { ([TCP::client_port] <= 1000 && [TCP::client_port] >= 65000) && ([TCP::local_port] == 443) } {
        # do nothing
    } else {
        log local0. "[IP::client_addr] rejected on TCP [TCP::client_port]"
        reject
    }
}

For info:

[TCP::client_port] is your source/local port in your context (clientside)

[TCP::local_port] is your destination port in your context (clientside)

This article can help you:

https://devcentral.f5.com/Wiki/iRules.TCP__local_port.ashx

regards

Comments on this Answer
Comment made 2 months ago by Israel 01 1

Hi, thanks for your reply, but that configuration does not have the SSL profile.

The original request for the VIP is

VIP: 10.21.51.41 for ports 443, 7000 to 7010 (TCP)
Nodes: 10.21.9.17, 10.21.9.18

For port 443, I need to use SSL offloading, because the nodes are listening on port 80.

The easiest way to do this would be to have 2 VIPs, one for 443 and the other for ports 7000 to 7010.

But does anyone know if there is a configuration that I can use to have only one VIP?

This is my current configuration:

when CLIENT_ACCEPTED {
    log local0. "Accepted--start iRule"
    if { ([TCP::local_port] < 7000) && ([TCP::local_port] > 7010) && ([TCP::local_port] != 443) } {
        log local0. "[IP::client_addr] rejected on TCP [TCP::local_port]"
        reject
    }
    if { ([TCP::local_port] >= 7000) && ([TCP::local_port] <= 7010) } {
        log local0. "[IP::client_addr] accepted on TCP [TCP::local_port]"
        pool pool01
    }
    if { ([TCP::local_port] == 443) } {
        log local0. "[IP::client_addr] accepted on TCP [TCP::local_port]"
        set proto "https"
        SSL::profile client.clientssl
        pool http_pool
    }
    log local0. "Ended--iRule completed"
}

Comment made 2 months ago by youssef 3588

Hi,

It's a misunderstanding, because in your first request you said "allow the ports 443 and from the TCP 7000 to 7010" and I thought that you wanted to restrict the client port... Anyway.

You can do it easily:

when CLIENT_ACCEPTED {
    if { ([TCP::local_port] < 7000) && ([TCP::local_port] > 7010) } {
        SSL::disable
        log local0. "[IP::client_addr] accepted on TCP [TCP::local_port]"
        pool pool01
    } elseif { [TCP::local_port] == 443 } {
        log local0. "[IP::client_addr] accepted on TCP [TCP::local_port]"
        set proto "https"
        SSL::profile client.clientssl
        pool http_pool
    } else {
        log local0. "[IP::client_addr] rejected on TCP [TCP::local_port]"
        reject
    }
}

As you can notice, I just remove the Client SSL profile using "SSL::disable" when the port is not 443.

https://devcentral.f5.com/wiki/iRules.SSL__disable.ashx

Keep me in touch.

regards,

Comment made 2 months ago by Israel 01 1

Hi, sorry for the confusion, my fault. I made the change, and now I am able to reach the page where I need to accept the certificate (I am using the IP instead of the name because this is a test environment). When I accept the certificate I get the message "this site can't be reached". The servers are on the same interface where the requests come in, so I have the source address translation set to Automap, but I am still not able to reach any server.

Comment made 2 months ago by youssef 3588

Can you confirm that you set an HTTP profile? It is required in this kind of deployment.

Comment made 2 months ago by Israel 01 1

Yes, I set the http option in the HTTP profile

Comment made 2 months ago by youssef 3588

Using tmsh (CLI), can you send us the VS config:

tmsh list ltm virtual "your vs name"

Are you using my iRule or yours?

Last important point: during your test, can you check the LTM logs for a TCL error? Use this command:

tailf /var/log/ltm

Comment made 2 months ago by Israel 01 1

Sorry for the delay, yesterday I had to work on a different issue.

I used both configurations:

  • MINE

when CLIENT_ACCEPTED {
    log local0. "Accepted--start iRule"
    if { ([TCP::local_port] < 7000) && ([TCP::local_port] > 7010) && ([TCP::local_port] != 443) } {
        log local0. "[IP::client_addr] rejected on TCP [TCP::local_port]"
        reject
    }
    if { ([TCP::local_port] >= 7000) && ([TCP::local_port] <= 7010) } {
        log local0. "[IP::client_addr] accepted on TCP [TCP::local_port]"
        SSL::disable
        pool clientweb_pool
    }
    if { ([TCP::local_port] == 443) } {
        log local0. "[IP::client_addr] accepted on TCP [TCP::local_port]"
        set proto "https"
        SSL::profile clientweb.clientssl
        pool clientweb_http_pool
    }
    log local0. "Ended--iRule completed"
}

ltm virtual clientweb_tcp {
    description "TCP VIP for clientWeb"
    destination 10.21.51.41:any
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        clientweb-source {
            default yes
        }
    }
    pool clientweb_pool
    profiles {
        clientssl {
            context clientside
        }
        client-lan-optimized {
            context serverside
        }
        client-wan-optimized {
            context clientside
        }
        http { }
    }
    rules {
        clientweb_filter_tcp
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port disabled
    vs-index 54
}

###########################################################################################

Dec 11 09:58:57 F5-02 info tmm1[17449]: Rule /Common/clientweb_filter_tcp : Accepted--start iRule
Dec 11 09:58:57 F5-02 info tmm1[17449]: Rule /Common/clientweb_filter_tcp <CLIENT_ACCEPTED>: 10.21.9.253 accepted on TCP 443
Dec 11 09:58:57 F5-02 info tmm1[17449]: Rule /Common/clientweb_filter_tcp <CLIENT_ACCEPTED>: Ended--iRule completed
Dec 11 09:59:00 F5-02 info tmm1[17449]: Rule /Common/clientweb_filter_tcp <CLIENT_ACCEPTED>: Accepted--start iRule
Dec 11 09:59:00 F5-02 info tmm1[17449]: Rule /Common/clientweb_filter_tcp <CLIENT_ACCEPTED>: 10.21.9.253 accepted on TCP 443
Dec 11 09:59:00 F5-02 info tmm1[17449]: Rule /Common/clientweb_filter_tcp <CLIENT_ACCEPTED>: Ended--iRule completed
Dec 11 09:59:00 F5-02 info tmm[17449]: Rule /Common/clientweb_filter_tcp <CLIENT_ACCEPTED>: Accepted--start iRule
Dec 11 09:59:00 F5-02 info tmm[17449]: Rule /Common/clientweb_filter_tcp <CLIENT_ACCEPTED>: 10.21.9.253 accepted on TCP 443
Dec 11 09:59:00 F5-02 info tmm[17449]: Rule /Common/clientweb_filter_tcp <CLIENT_ACCEPTED>: Ended--iRule completed

  • YOURS:

when CLIENT_ACCEPTED {
    if { ([TCP::local_port] < 7000) && ([TCP::local_port] > 7010) } {
        SSL::disable
        log local0. "[IP::client_addr] accepted on TCP [TCP::local_port]"
        pool clientweb_pool
    } elseif { [TCP::local_port] == 443 } {
        log local0. "[IP::client_addr] accepted on TCP [TCP::local_port]"
        set proto "https"
        SSL::profile clientweb.clientssl
        pool clientweb_http_pool
    } else {
        log local0. "[IP::client_addr] rejected on TCP [TCP::local_port]"
        reject
    }
}

ltm virtual clientweb_tcp {
    description "TCP VIP for clientWeb"
    destination 10.21.51.41:any
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        clientweb-source {
            default yes
        }
    }
    pool clientweb_pool
    profiles {
        clientssl {
            context clientside
        }
        client-lan-optimized {
            context serverside
        }
        client-wan-optimized {
            context clientside
        }
        http { }
    }
    rules {
        clientweb_filter_tcp
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port disabled
    vs-index 54
}

Dec 11 10:12:39 F5-cs02 info tmm1[17449]: Rule /Common/clientweb_filter_tcp : 10.21.9.253 accepted on TCP 443
Dec 11 10:12:42 F5-cs02 info tmm[17449]: Rule /Common/clientweb_filter_tcp : 10.21.9.253 accepted on TCP 443
Dec 11 10:12:42 F5-cs02 info tmm[17449]: Rule /Common/clientweb_filter_tcp : 10.21.9.253 accepted on TCP 443

I still see the page to accept the certificate, but after I accept it I get the error "this page cannot be displayed", with both configurations.

Comment made 2 months ago by youssef 3588

Hi,

Important point: I noticed that you disabled/unchecked "Port Translation":

translate-port disabled

That means that when you try to reach your VS using 443, your request is forwarded to your backend on port 443. But you told me that your backend listens on port 80 (only?).

If your backend listens only on port 80, you have to enable "translate-port" in your VS configuration...

I think that is your problem; can you confirm the following points:

  • your backend server listens only on 80 (not on 443 or 7000 to 7010).

  • when a client sends a request to VS ip:443, the request is sent to pool:80

  • when a client sends a request to VS ip:7000-to-7010, the request is sent to pool:80

Keep me in touch about this point...

regards,

Comment made 2 months ago by Israel 01 1

Hi Youssef

The backend servers listen on 80 and 7000 to 7010.

I enabled translate-port for 443 and disabled it for ports 7000-7010; I also fixed this "[TCP::local_port] < 7000) && ([TCP::local_port] > 7010" to this "[TCP::local_port] >= 7000) && ([TCP::local_port] <= 7010)", and now it is working as expected.
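For reference, here is an added example that consolidates the final working state described in this thread into one iRule. It is not code posted by anyone in the thread. It assumes the pool names clientweb_http_pool (members on port 80) and clientweb_pool from the posted config, a Client SSL profile and an HTTP profile attached to the wildcard VS, and it uses the iRule "translate port" command to switch port translation per connection instead of the VS-level "translate-port" setting. The HTTP::disable call on the 7000-7010 range is an assumption: the thread does not say what protocol those ports carry, and if it is not HTTP the HTTP profile must not try to parse it.

```tcl
# Added example, not from the thread: single wildcard VS, allow-list of
# destination ports, TLS termination on 443 only, default deny elsewhere.
# Assumptions: pools clientweb_http_pool (members on port 80) and
# clientweb_pool exist; Client SSL and HTTP profiles are attached to the VS.
when CLIENT_ACCEPTED {
    # Destination port on the clientside of the connection
    set dport [TCP::local_port]

    if { $dport == 443 } {
        # HTTPS: keep the Client SSL profile active (SSL offload) and map
        # the destination port to the pool member port (80), as the last
        # comment in the thread describes for 443.
        translate port enable
        log local0. "[IP::client_addr] accepted on TCP $dport -> clientweb_http_pool"
        pool clientweb_http_pool
    } elseif { $dport >= 7000 && $dport <= 7010 } {
        # Range check written the right way round: both bounds must hold,
        # which is the fix the thread ends on ("< 7000 && > 7010" can never
        # be true, so that branch was unreachable).
        # No TLS termination and (assumption) no HTTP parsing on this range;
        # keep the client's destination port when forwarding to the member.
        SSL::disable
        HTTP::disable
        translate port disable
        log local0. "[IP::client_addr] accepted on TCP $dport -> clientweb_pool"
        pool clientweb_pool
    } else {
        # Default deny: any other port on the wildcard VS is logged and reset.
        log local0. "[IP::client_addr] rejected on TCP $dport"
        reject
    }
}
```

Because the branches are an if/elseif/else chain, each connection hits exactly one of them, so there is no window where a connection is both accepted and rejected as in the three independent "if" blocks of the original rule. With "translate port disable" on the 7000-7010 branch the member port configured in clientweb_pool is irrelevant; on the 443 branch the members of clientweb_http_pool must be defined on port 80 for the translation to land there. The log lines carry the pool name so that "tailf /var/log/ltm" shows which branch each client took while testing.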