irule to forward based on domain-name

Question

I am trying to create an iRule that will only allow my webfarm to go out the internet based on destination domains. 
&nbsp;  
&nbsp; Similar implementations exist for the popular linux proxy called squid with the directive called 'dstdomain' 
&nbsp; I already have a rule that does selective snat to the internet but I wanted to lock it down further to only allow certain domains.  An example domain would be say .microsoft.com (so I can get patches) and maybe symantec so I can get virus sig updates and deny anything else. 
&nbsp;  
&nbsp; DATA_GROUP_DDM_SRCIP_OUTBOUND (a list of servers allowed to go out the internet) 
&nbsp; DATA_GROUP_DDM_DSTIP_OUTBOUND_VIP_BOUNCEBACK ( a list of destination vips) 
&nbsp; SNAT_POOL_DDM (snat pool to use for VIP bouncebacks to the destination vips) 
&nbsp;  
&nbsp; rule IRULE_SELECTIVE_SNAT_OUTBOUND { 
&nbsp;    when CLIENT_ACCEPTED { 
&nbsp;   if { ([matchclass [IP::client_addr] equals $::DATA_GROUP_DDM_SRCIP_OUTBOUND]) } { 
&nbsp;       if { ([matchclass [IP::local_addr] equals $::DATA_GROUP_DDM_SRCIP_OUTBOUND]) } { 
&nbsp;           if { ([matchclass [IP::local_addr] equals $::DATA_GROUP_DDM_DSTIP_OUTBOUND_VIP_BOUNCEBACK]) } { 
&nbsp;               snatpool SNAT_POOL_DDM 
&nbsp;           } else { 
&nbsp;               forward 
&nbsp;           } 
&nbsp;            forward (used only for troubleshooting) 
&nbsp;       } else { 
&nbsp;           snatpool SNAT_POOL_DDM 
&nbsp;       } 
&nbsp;   } else { 
&nbsp;       forward 
&nbsp;   } 
&nbsp; } 
&nbsp; } 
&nbsp; virtual forwarding_virtual { 
&nbsp;    destination any:any 
&nbsp;    profile fastL4_14400 
&nbsp;    rule IRULE_SELECTIVE_SNAT_OUTBOUND 
&nbsp; } 
&nbsp;

nicolas_menant · Answer

Hi, 
&nbsp;  
&nbsp; you can try to use: NAME::lookup to translate the IP requested by the user in the domain name and then do a matchclass to check if it is part of the allow domain (Click here).  
&nbsp;  
&nbsp; The problem with NAME command is that it doesn't stop processing traffic until the name resolution is done, so you'll need to do it yourself using TCP::collect and TCP::release.  
&nbsp;  
&nbsp; If i remember you'll need to do some specific configuration to make the lookup work :Click here 
&nbsp;  
&nbsp; HTH

vils_96460 · Answer

Thanks nmenant! 
&nbsp;  
&nbsp; I will give that a unit test. 
&nbsp;  
&nbsp; I have quite a lot of domain target, so is it possible to put the matchclass in a datagroup as a list for the Name:lookup or do I have to use a "switch" logic to be more flexible? 
&nbsp;  
&nbsp; I see a partial solution for my situation in here http://devcentral.f5.com/wiki/default.aspx/iRules/DestinationSnatUsingDNS.html 
&nbsp; but I need the hostname to be a variable list. 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Vilson 
&nbsp;  
&nbsp;  &nbsp;

Forum Discussion

irule to forward based on domain-name

2 Replies

Recent Discussions

Pricing when used with aws waf

F5 Rseries R2600 Tenant sizing

iRule help masking IBM host URL/URI

Need advise to setup a policy on F5

Advise on setting up IRULE

Related Content

X-Forwarded-For not working

Use x-forwarded-for to bypass authentication?

Universal Persistence with X-forwarder

LTM - X-Forwarded-for - Policy - Route domain id

domain name monitor