Forum Discussion
Jacob_Becker_41
Nimbostratus
Jun 06, 2006
redirect by ip to pool
I'm a newbie to the iRules game and I'm just wondering if it's possible to redirect traffic from an IP to a pool. Basically what I want to accomplish is to redirect all traffic from port 3306 to a pool, but I want to limit who can get to the pool to just our IP.
13 Replies
- Jacob_Becker_41
Nimbostratus
I was hoping something like this would work...
if { [IP::remote_addr] == 192.168.1.1 and [TCP::remote_port] == 3306 } {
    use pool mysql
}
- Jacob_Becker_41
Nimbostratus
Actually this would be more like what I would like to do.
if { [IP::remote_addr] == 192.168.1.1 and [TCP::remote_port] == 3306 } {
    use pool mysql
} else {
    reject
}
- hoolio
Cirrostratus
Hello,
I'm not entirely certain what criteria you want to use to accept or reject connection requests, but hopefully these examples will get you started.
You can either define a class to use in the rule to set which clients you want to accept/reject, or you can specify them directly in the rule. If it's more than a few items, it's probably cleaner and more efficient to use the class.
Class/Rule example:
class my_hosts_networks_class {
    network 10.0.0.0 mask 255.0.0.0
    host 192.168.0.100
}
rule filter_clients_rule {
    when CLIENT_ACCEPTED {
        if { [matchclass [IP::remote_addr] equals $::my_hosts_networks_class] and [TCP::local_port] == 3306 } {
            log local0.info "accepted connection from [IP::remote_addr]"
            pool http_pool
        } else {
            log local0.info "rejected connection from [IP::remote_addr]"
            reject
        }
    }
}
Rule example:
rule filter_clients_rule {
    when CLIENT_ACCEPTED {
        if { [IP::remote_addr] == 192.168.1.1 and [TCP::local_port] == 3306 } {
            log local0.info "accepted connection from [IP::remote_addr]"
            pool http_pool
        } else {
            log local0.info "rejected connection from [IP::remote_addr]"
            reject
        }
    }
}
Note that in the client_accepted context, remote_addr would be the client IP address, local_addr would be the VIP, and remote_port would be the client's source port and local_port would be the destination port.
Also, BIG-IP will translate the destination port the client makes a request to, to the node's port, if you have port translation enabled on the VIP (which is enabled by default).
Aaron
- Jacob_Becker_41
Nimbostratus
I guess I should add in a bit more. Basically I want to connect to some of our database servers, however they are on a different network. So the idea would be for the load balancer to drop any traffic on that port that didn't originate from our external IP.
I gave this a try.
rule filter_clients_rule {
    when CLIENT_ACCEPTED {
        if { [IP::remote_addr] == $ext_ip and [TCP::local_port] == 3306 } {
            log local0.info "accepted connection from [IP::remote_addr]"
            pool mysql
        } else {
            log local0.info "rejected connection from [IP::remote_addr]"
            reject
        }
    }
}
But it threw up a few errors when I went to save.
- hoolio
Cirrostratus
Hello,
The first thing I notice is that in your example, you are referencing a local variable, $ext_ip, but that variable isn't defined previously in the rule.
If you're referencing a class, then you need to reference it as a global variable, using this format:
$::ext_ip
What exactly were the errors?
Aaron
- Jacob_Becker_41
Nimbostratus
The variable $ext_ip is not in the code I'm trying to use. I just didn't want to post our IP address on the forum. In that spot I have an actual IP address.
here is the error it is posting.
01070151:3: Rule [ext_mysql] error:
line 1: [undefined procedure: rule] [rule filter_clients_rule {
when CLIENT_ACCEPTED {
if { [IP::remote_addr] ==
and [TCP::local_port] == 3306 } {
log local0.info "accepted connection from [IP::remote_addr]"
pool http_pool
} else {
log local0.info "rejected connection from [IP::remote_addr]"
reject
}
}
}]
- Colin_Walker_12
Historic F5 Account
It sounds like you're adding this to your BIG-IP via the GUI, correct?
If so, try this instead:
when CLIENT_ACCEPTED {
    if { [IP::remote_addr] == $ext_ip and [TCP::local_port] == 3306 } {
        log local0.info "accepted connection from [IP::remote_addr]"
        pool mysql
    } else {
        log local0.info "rejected connection from [IP::remote_addr]"
        reject
    }
}
Changing the $ext_ip bit to your IP, of course.
The rule name { } pieces are only needed if you're adding this directly to the configuration file. The GUI automatically adds those around the code you paste into the text box.
Colin
- Jacob_Becker_41
Nimbostratus
When using this code
when CLIENT_ACCEPTED {
    if { [IP::remote_addr] == $ext_ip and [TCP::local_port] == 3306 } {
        log local0.info "accepted connection from [IP::remote_addr]"
        pool mysqlcluster
    } else {
        log local0.info "rejected connection from [IP::remote_addr]"
        reject
    }
}
where $ext_ip is our ip address I get the following error.
01070151:3: Rule [ext_mysql] error:
line 2: [parse error: PARSE syntax 60 {syntax error in expression " [IP::remote_addr] == $ext_ip and [TCP::local_port] ==...": extra tokens at end of expression}] [{ [IP::remote_addr] == $ext_ip and [TCP::local_port] == 3306 }]
- Jacob_Becker_41
Nimbostratus
Picky is an understatement. Any suggestions on this error?
01070151:3: Rule [ext_mysql] error:
line 2: [parse error: PARSE syntax 60 {syntax error in expression " ( [IP::remote_addr] == $ext_ip ) and ( [TCP::local_p...": looking for close parenthesis}] [{ ( [IP::remote_addr] == $ext_ip ) and ( [TCP::local_port] == 3306 ) }]
- unRuleY_95363
Historic F5 Account
I can't believe no one has mentioned that you should probably be using the IP::addr command to compare IP addresses. Though what you have will work, it will result in an inefficient string comparison.
Instead you should use this to compare IP addresses:
if { [IP::addr [IP::remote_addr] eq $ext_ip] and ( [TCP::local_port] == 3306 ) } {
Also, your most recent error is probably due to missing whitespace between the closing parenthesis and closing brace... Tcl is very picky about whitespace.
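A complete iRule that pulls together the points made in this thread (the CLIENT_ACCEPTED variable meanings from hoolio's reply, a class/data group for the allowed sources, and IP::addr-style matching rather than a string compare from unRuleY's reply). This is an added example, not code posted by anyone in the thread and not F5's own sample; it assumes current BIG-IP syntax (`class match`, v10 and later), an address-type data group named allowed_mysql_clients that you create separately, and a pool named mysql_pool. The 203.0.113.10 and 10.0.0.0/8 entries are placeholders for your real office address and internal network.

```tcl
# Added example (not from the thread). Allow-list which clients may reach
# a MySQL pool through a BIG-IP virtual server.
#
# Assumed setup, created outside the iRule (names are assumptions):
#   tmsh create ltm data-group internal allowed_mysql_clients type ip \
#       records add { 203.0.113.10 { } 10.0.0.0/8 { } }
#   tmsh create ltm pool mysql_pool members add { 192.0.2.21:3306 192.0.2.22:3306 }
#
# Attach the iRule to a virtual server that listens on port 3306 only.
when CLIENT_ACCEPTED {
    # In CLIENT_ACCEPTED, remote_addr/remote_port are the client's source
    # address and ephemeral source port; local_addr/local_port are the
    # virtual server's address and the destination port the client hit.
    set client [IP::remote_addr]
    set dport  [TCP::local_port]

    # Belt and braces: even if the virtual server is widened later to a
    # port range or wildcard, only admit the MySQL destination port.
    if { $dport != 3306 } {
        log local0.info "rejected $client: destination port $dport is not 3306"
        reject
        return
    }

    # Address data groups match by network, so both single hosts and
    # CIDR entries in allowed_mysql_clients work. This is an address
    # comparison, not a string compare of the dotted-quad text.
    # For a single hard-coded host you could instead write:
    #   if { [IP::addr $client equals 203.0.113.10] } { ... }
    if { [class match -- $client equals allowed_mysql_clients] } {
        log local0.info "accepted $client -> mysql_pool"
        pool mysql_pool
    } else {
        log local0.info "rejected $client: not in allowed_mysql_clients"
        reject
    }
}
```

Two practical notes. First, keep the virtual server itself bound to port 3306 rather than relying on the iRule alone to filter ports; the in-rule port check is a backstop, not the primary control. Second, `reject` sends a TCP reset to the client, which confirms to a scanner that something is listening; if you would rather the port look closed to unlisted sources, use `drop` in the else branch instead, and consider rate limiting or removing the rejection log line if the address is exposed to the internet, since every unsolicited SYN to the virtual server will otherwise produce a log entry.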