Forum Discussion

mohamed_80579
Feb 19, 2013

iRule for IP forwarding based on remote port

I need the virtual server 0.0.0.0/0 with IP forwarding as the virtual type. Now the traffic is initiated from the server to the internet gateway device via the F5 LTM, and the response is fine.

Now I need to create an iRule to allow only particular ports such as SMTP, DNS UDP and TLS, for security reasons.

Note: destination IP is any.

6 Replies

  • Here you go:

    Create a Class (called allowed_ports below) with just strings
    containing the ports you wish to allow, one port per entry.

    when CLIENT_ACCEPTED {
        if { [class match [TCP::local_port] equals allowed_ports] } {
            return
        } else {
            drop
        }
    }
    
  • To allow just SMTP, DNS, and TLS, you can use the above data group method (preferred for complex filtering) or this simple iRule:

    when CLIENT_ACCEPTED {
        if { not ( [TCP::local_port] eq "53" or [TCP::local_port] eq "443" or [TCP::local_port] eq "25" ) } {
            drop
        }
    }

    If you literally meant "DNS UDP", then you could expand the evaluation like this:

    not ( ( [TCP::local_port] eq "53" and [IP::protocol] eq "17" ) or [TCP::local_port] eq "443" or [TCP::local_port] eq "25" )

    and if you literally meant "TLS" versus SSL, you could add something like the following:

    not ( ( [TCP::local_port] eq "53" and [IP::protocol] eq "17" ) or ( [TCP::local_port] eq "443" and [SSL::cipher version] eq "TLSv1" ) or [TCP::local_port] eq "25" )

    You should also be able to configure BIG-IP packet filter rules to accommodate your needs.
  • Kevin, are you suggesting the TCP::local_port command will return 53 even if the traffic is UDP?

    Also, can you use SSL::cipher in the CLIENT_ACCEPTED event? The wiki doesn't have any information.

  • Phew!

    Added this after: Also, can you use SSL::cipher in the CLIENT_ACCEPTED event? The wiki doesn't have any information.

  • You're on fire today Steve. ;)

    Hoping Mohamed didn't literally mean "TLS"... Come to think of it, given that there's most likely no client SSL profile on an IP forwarding virtual server, the SSL version would be difficult to determine. Not impossible though.
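The following iRule is an added example by the editor, not code posted in the thread. It combines the data-group approach from the first reply with the port filter from Kevin's reply, and it addresses the TCP/UDP question raised afterwards by branching on IP::protocol and using the protocol-specific port commands (TCP::local_port for TCP flows, UDP::local_port for UDP flows). It assumes an IP forwarding virtual server 0.0.0.0:0 with Protocol set to "All Protocols" and two string data groups created by the administrator; the data group names allowed_tcp_ports and allowed_udp_ports are assumptions, not names from the original page.

```tcl
# Added example (editor's code, not from the thread). Assumes an IP forwarding
# virtual server 0.0.0.0:0 with Protocol "All Protocols" and two string data
# groups created by the administrator (names are assumptions):
#   allowed_tcp_ports : "25" (SMTP), "443" (HTTPS/TLS)
#   allowed_udp_ports : "53"  (DNS over UDP)
when CLIENT_ACCEPTED {
    # IP::protocol returns the IANA protocol number of the flow (6 = TCP,
    # 17 = UDP). Port commands are protocol-specific, so select them per branch.
    set allowed 0
    set port "-"
    set cport "-"
    switch [IP::protocol] {
        6 {
            set proto "TCP"
            set port [TCP::local_port]
            set cport [TCP::client_port]
            set allowed [class match $port equals allowed_tcp_ports]
        }
        17 {
            set proto "UDP"
            set port [UDP::local_port]
            set cport [UDP::client_port]
            set allowed [class match $port equals allowed_udp_ports]
        }
        default {
            # ICMP, GRE, ESP, ... are not on either allow list; fall through to drop.
            set proto "proto/[IP::protocol]"
        }
    }

    if { $allowed } {
        # Permitted flow: let the forwarding virtual route it unchanged.
        return
    }

    # Default deny. The log line helps while tuning the allow lists but should
    # be sampled or removed on a busy gateway.
    log local0. "forwarding deny: $proto [IP::client_addr]:$cport -> [IP::local_addr]:$port"
    drop
}
```

TCP 443 is permitted by destination port only. As the last reply notes, an IP forwarding virtual normally has no client SSL profile, so the TLS version is not available in CLIENT_ACCEPTED; checking it would require collecting the first client payload in CLIENT_DATA and parsing the ClientHello, which this example deliberately does not attempt. `drop` discards the flow silently; use `reject` instead if you want the originating server to receive a TCP reset rather than wait for a timeout.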