Forum Discussion

Joe_Rindfleisch's avatar
Joe_Rindfleisch
Icon for Nimbostratus rankNimbostratus
Aug 30, 2011

Need iRule for specfic sources to specfic ports going to the Same VS for Proxy LB

Access Control Based on specfic sources to specfic ports going to the Same VS for Proxy LB

 

 

I found "Access Control Based On Network Or Host" http://devcentral.f5.com/wiki/iRule...rHost.ashx

 

 

It is the closest thing I’ve seen to what I need. I am very new to this and don’t really understand the tcl language or the iRules in general. It seems this scripts references all of those sources and access all of those ports to those destinations?

 

 

Our company has tons of security restrictions so I would need to be specific with certain sources only going to specific ports. This would always be going to the same destination, which is the F5 VIP of proxy pool. Everything else would get denied.

 

 

We have proxy servers that we want to create a wild card virtual server which listens for all ports. Then we want to create\modify your script to specify which sources can access the vip on which ports. We have about 100 forwarders that traverse the proxy and 75 socks, ftp & sftp connections.

 

 

I would also like to explicitly reference multiple sources (can I do this with “,” or “;” instead of classes? Seems like it would be easier to put it all in the script then have many classes –what are your thoughts on this?)

 

 

I’m thinking for every source\port connection I copy and modify the code over and over, making sure to add granular descriptions of each one as I go. I just need to get the initial code together first before I can duplicate it for all my connections. I’m expecting this to be a very big file.

 

***

 

So as a sample for basic code I need to allow the following:

 

 

1. Blackberry Servers for LB to proxy

 

Blackberry sources:

 

111.111.111.111

 

112.112.112.112

 

113.113.113.113

 

 

Port:

 

3101

 

(what if I wanted to add multiple ports –hypothetically 22)

 

 

Destination:

 

F5 VIP of Proxy pool

 

***

 

(I’m assuming there will be some if statement between each acl)

 

***

 

2. Misc App Servers for LB to proxy

 

Misc app sources:

 

114.114.114.114

 

115.115.115.115

 

116.116.116.116

 

 

Port:

 

1212

 

 

Destination:

 

F5 VIP of Proxy pool

 

***

 

Then I would copy the above code for all my connections

 

***

 

 

At the end I would deny everything else.

 

***

 

I don’t think I need the admin _datagroup since all connections will be restricted

 

 

Any help would be greatly appreciated. Kinda lost on this one.

 

 

Joe
application delivery
dev
devops
iRules

14 Replies

Sort By
  • Joe_Rindfleisch's avatar
    Joe_Rindfleisch
    Icon for Nimbostratus rankNimbostratus
    Aug 30, 2011
    I just recieved this from my SE

     

     

    But i would also need to specify networks also.

     

     

    Is this the best approach for what i need?

     

     

    iRule for VIP any to restrict ports and IPs allowed.

     

     

    There are two look-ups here, first the port , and then for that port number you must match the source IP address.

     

     

    There are multiple ways of doing it but, the simplest in terms design and maintenance is to create one STRING type class (data-group) as follows:

     

     

    Key vlaue

     

    443:10.0.1.2 “”

     

    443:11.1.1.4 “”

     

    443:12.1.1.4 “”

     

    8080:12.0.1.2 “”

     

    8080:13.1.1.4 “”

     

    8080:14.1.1.4 “”

     

     

    Internal class:

     

    class port_to_IP_whitelist {

     

    {

     

    "443:10.0.1.2" { "" }

     

    "443:11.0.1.3" { "" }

     

    "8080:10.0.1.2" { "" }

     

    "8080:11.0.1.3" { "" }

     

    "8081:14.0.1.2" { "" }

     

    "8081:15.0.1.3" { "" }

     

    }

     

    }

     

     

     

    External class:

     

    Create file as below:

     

     

    File saved here:

     

    /config/port_to_IP_whitelist.dat:

     

     

    Contents of file:

     

    "443:10.0.1.2" := "",

     

    "443:11.0.1.2" := "",

     

    "8080:12.0.1.2" := "",

     

    "8080:13.0.1.2" := "",

     

    "8081:14.0.1.2" := "",

     

    "8081:15.0.1.2" := "",

     

     

     

    Configure external class vai GUI, the following shows in the config file:

     

    class port_to_IP_whitelist {

     

    type string

     

    filename port_to_IP_whitelist.dat

     

    }

     

     

     

     

    Here is the irule which matches that design:

     

     

     

     

     

    When CLIENT_ACCEPTED {

     

    set search_key [TCP::local_port]:[IP::client_addr]

     

    if { not ( [class lookup $search_key port_to_IP_whitelist]) } {

     

    log local0. "Search key $search_key not in whitelist Rejecting connection."

     

    discard

     

    event disable all

     

    return

     

    }

     

    }

     

  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    Aug 30, 2011
    Hi Joe,

     

     

    I am glad to see that you got the solution to your problem.

     

     

    Thank you for posting your solution. Others that have similar problems will probably find it very helpful.

     

     

    As you pointed out there are numerous ways to do this, some more efficient than others. What it comes down to more than anything is how supportable your solution is for you and the others that you work with.

     

     

    You could build everything into one large iRule, but you start to lose efficiency when you do this which is why most people favor classes. An additional advantage when using classes is that the iRule does not have to be altered at all when adding and removing qualifying IP Addresses / Ranges or Ports.

     

  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Sep 01, 2011
    Not really. Your SE gave you a novel solution. But the shortcoming is that it don't support the native network parsing of an address type datagroup.

    Another approach would be to create a separate set of datagroups per protocol. This will support source networks, but not destination networks. If you want destination network support, I think you'd need to change datagroups with one source network datagroup which points to other destination datagroups. 

    class fw_icmp_rules_class {
   {
      network 10.10.14.0/24 {"8.8.8.8:8,4.2.2.2:8,4.2.2.1:8"}
      network 10.11.14.0/24 {"4.2.2.4:8,4.2.2.3:8,4.2.2.2:8,4.2.2.1:8"}
      network 10.12.14.0/24 {"203.8.183.1:8"}
   }
}
class fw_tcp_rules_class {
   {
      network 10.10.14.0/24 { "63.166.98.107:80,1.2.3.4:80,1.2.3.4:443" }
      network 10.11.14.0/24 { "63.166.98.107:80,1.2.3.4:80,1.2.3.4:443" }
   }
}
class fw_udp_rules_class {
   {
      network 10.10.14.0/24 { "4.2.2.1:53,4.2.2.2:53,4.2.2.3:53" }
      network 10.11.14.0/24 { "8.8.8.8:53,4.2.2.1:53,4.2.2.2:53,4.2.2.3:53" }
   }
}

    You can then use the class command to do the network lookup with the -value flag to get the list of destinations that are allowed. You could then call matchclass (yes the old command) to match the against that list.

    Here's an example: 

    when RULE_INIT {
    Log debug to /var/log/ltm? 1=yes, 0=no
   set static::fw_debug 1
}
when CLIENT_ACCEPTED {
   if {$static::fw_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: destination:\
      [IP::local_addr]:[TCP::local_port]"}
    Check the requested protocol (defined in /etc/protocols)
   switch [IP::protocol] {
      1 {
          ICMP
         set proto icmp
      }
      6 {
          TCP
         set proto tcp
      }
      17 {
          UDP
         set proto udp
      }
      default {
          Unmatched protocol
         if {$static::fw_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Disallowed protocol"}
          Drop?
         drop
          Reject?
         reject
          Exit this event in this rule
         return
      }
   }
   if {$static::fw_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Protocol: $proto"}
    If we are still in the rule the protocol matched our allowed list
    Check if the corresponding datagroup exists
   if {not [class exists fw_${proto}_rules_class]}{
       Datagroup does not exist!
      log local0. "[IP::client_addr]:[TCP::client_port]: Datagroup fw_${proto}_rules_class does not exist\
         for lookup to [IP::local_addr]:[TCP::local_port]!"
       Drop?
      drop
       Reject?
      reject
   }
    Do the datagroup lookup against the protocol specific datagroup 
    which maps source networks/hosts to allowed destination host:ports
   set allowed_dest_list [split [class match -value [IP::client_addr] equals fw_${proto}_rules_class] ","]
   if {$allowed_dest_list ne ""}{
      if {[matchclass "[IP::local_addr]:[TCP::local_port]" equals $allowed_dest_list]}{
          Destination host:port is allowed
         if {$static::fw_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Allowing connection"}
      } else {
          Destination host:port is not allowed
         if {$static::fw_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Blocking connection"}
          Drop?
         drop
          Reject?
         reject
      }
   }
}

    Aaron
  • Joe_Rindfleisch's avatar
    Joe_Rindfleisch
    Icon for Nimbostratus rankNimbostratus
    Sep 01, 2011
    That looks like it would work for me.

     

     

    but

     

     

    All of my forwarding,SOCKS,FTP,SFTP connections will Be protocol 6 (TCP)

     

    i will not need other class based on protocol .

     

     

    Is there a way for me to manage all of these source\port connections by creating classes in some meaningful way?

     

     

    maybe by:

     

    costumer connections

     

    or

     

    by type of connection (FWD, SOCKS,SFT,FTP)

     

    or the most granular

     

    by port (listing all sources that can get to those ports)

     

     

    would be best if i didn't have to modify the iRule just add classes with a name that will cause it to match within the rule.

     

     

    I could just keep this:

     

    6 {

     

    TCP

     

    set proto tcp

     

    }

     

     

    and put all in one tcp class (not sure how manageable or scalable will it be?
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Sep 02, 2011
    Hi Joe,

     

     

    Can you give me a dozen or so lines of sample firewall rules you'd like to implement? Can you note where you'd like to support networks in addition to single hosts? Here's an example of what I'm looking for:

     

     

    source | port -> destination | port

     

    any | any -> any | 80

     

    host | any -> net1 | 22

     

    host | any -> net2 | 22

     

    net3 | any -> net5 | 8080

     

    net4 | any -> net6 | 8080

     

    net7 | any -> host | 24

     

    net8 | any -> host | 24

     

     

    Aaron
  • Joe_Rindfleisch's avatar
    Joe_Rindfleisch
    Icon for Nimbostratus rankNimbostratus
    Sep 02, 2011
    Destination will always be the wild card virtual server VIP.

     

    source | port -> destination | port

     

    blackberry

     

    10.1.1.1.2,10.1.1.1.3,10.1.1.1.4,10.1.1.1.5|3101->192.168.1.1|3101

     

    app-1

     

    10.10.21.0/24,10.10.22.0/24,10.10.23.0/24|1212->192.168.1.1|1212

     

    app-2

     

    10.10.24.0/24,10.10.25.0/24,10.10.26.0/24|1027,2022->192.168.1.1|1027,2022

     

    app-80

     

    10.10.40.0/24,10.10.41.0/24,10.10.42.10,10.10.42.11,10.10.42.11,10.10.42.12|3333->192.168.1.1|3333

     

    SOCKS (proxy just needs to get the 1080 traffic it will send out correct port as it traverses it)

     

    10.10.50.0/24,10.10.51.10|1080->192.168.1.1|1080

     

    FTP

     

    10.10.60.0/24,10.10.61./24,10.10.62.10|20,21->192.168.1.1|20,21

     

     

    Again, thanks for the help
  • Joe_Rindfleisch's avatar
    Joe_Rindfleisch
    Icon for Nimbostratus rankNimbostratus
    Sep 06, 2011
    let me know if you need more lines of code. also would there be a chance to use hostnames and RegEx to provide a little flexability in adding rules. Just smack me on the head if i'm going overboard ;-)