hc_andy_35682
Apr 11, 2010

Request: Help with iRule for Wildcard SSH

Hi All,

Currently we have an SSH VIP for every single inside VLAN. To remove the many SSH VIPs per inside VLAN, I just want to have one WILDCARD SSH VIP, but I need an iRule to (1) permit client address x.x.x.x to destination network y.y.y.y:22 only and likewise permit client address a.a.a.a to b.b.b.b:22 only, etc. I don't want x.x.x.x to be able to access b.b.b.b:22 and a.a.a.a to have access to y.y.y.y:22. (2) I also need to SNAT the connections from the clients that are in the same subnet as the nodes.

I was able to apply the access restrictions to each SSH VIP per inside VLAN with the following iRules.

1/ Permit specific source address

when RULE_INIT {
   # v1.0 - basic ACL.
   # October, 2007
   # Tested on BigIP version 9.4.
   #
   # Purpose:
   # Bind this rule to a network virtual server to simply allow or disallow traffic based on source IP.
   # This rule expects a datagroup named trustedAddresses that lists the addresses you wish to allow.
   # By default, traffic will be dropped.
}

when CLIENT_ACCEPTED {
   if { [matchclass [IP::client_addr] equals trustedAddresses] }{
      # Uncomment the line below to turn on logging.
      #log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
   } else {
      # Uncomment the line below to turn on logging.
      #log local0. "Invalid client IP: [IP::client_addr] - discarding"
      discard
   }
}

 

2/ Apply SNAT if the client is in the same subnet as the node.

when CLIENT_ACCEPTED {
   if {[IP::addr [IP::client_addr]/24 equals "210.15.210.0"] } {
      snat 210.15.210.77
   }
}

 

I guess with the SNAT issue, I can just add multiple IF...ELSE statements for each inside VLAN, but I'm not sure how to restrict access so that x.x.x.x only has access to y.y.y.y:22 and not to b.b.b.b:22.

Thanks,

Andy

 

2 Replies

  • Hi Andy,

    You could create separate datagroups for each set of clients and servers and then use an iRule to check the source (IP::client_addr) and destination (IP::local_addr) host or network. So if a.a.a.a can access b.b.b.b, add a.a.a.a to an allowed clients datagroup and b.b.b.b to an allowed destinations datagroup. And if x.x.x.x can access z.z.z.z, then add those two hosts (or sets of hosts and/or networks) to two datagroups. You could then check each pair of datagroups in an if/elseif/else chain.

    If you're on 10.1 you could use a new feature of address datagroups to specify the name of the destination host datagroup in a single clients datagroup:

    http://devcentral.f5.com/Default.aspx?tabid=53&aft=1167195

    class allowed_clients_class {
       {
          host 1.1.1.1 { "allowed_dest_a_class" }
          network 2.2.2.0/24 { "allowed_dest_a_class" }
          network 10.0.0.0/8 { "allowed_dest_c_class" }
          network 172.16.0.0/12 { "allowed_dest_b_class" }
          network 192.168.0.0/16 { "allowed_dest_c_class" }
       }
    }

    You could then check the client IP against this allowed_clients_class and then check the destination IP against the class value returned from the first search:

    when CLIENT_ACCEPTED {
       # Look up the client IP in the allowed clients class
       # If found, get the corresponding destination class name
       set dest_class [class search -value allowed_clients_class equals [IP::client_addr]]
       # Check if there was a match in the clients class
       if {$dest_class ne ""}{
          # Check the destination host against the returned class name
          if {[class match [IP::local_addr] equals $dest_class]}{
             # Allowed source/destination pair, so exit the rule
             return
          }
       }
       # If we're still in the rule, it's an invalid source/destination IP pair, so reject the connection
       reject
    }

    If you want to enable SNAT automap dynamically you could use an iRule like this:

    http://devcentral.f5.com/wiki/default.aspx/iRules/SelectiveSNAT.html

    when LB_SELECTED {
       if {[IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"]} {
          snat automap
       }
    }

    Aaron
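The two pieces of Aaron's reply (the per-client destination lookup and the selective SNAT) joined into one iRule, together with the port 22 restriction Andy asked for in the question. This is an added example, not code from Aaron, Andy or F5. It assumes a wildcard forwarding virtual server with no pool, so the real destination node is already known as IP::local_addr in CLIENT_ACCEPTED (with a pool you would move the SNAT test into LB_SELECTED and compare against LB::server addr, as in the reply); an address data group named allowed_clients_class whose values are the names of per-client destination data groups (allowed_dest_a_class and so on, as in the reply); and that SNAT automap is acceptable for the same-subnet case. The explicit port check only matters if the virtual is defined on port 0 (any) rather than 22.

```tcl
when CLIENT_ACCEPTED {
    # This wildcard virtual only fronts SSH: refuse anything that is not bound
    # for port 22 before spending any effort on data group lookups.
    if { [TCP::local_port] != 22 } {
        log local0. "Rejecting [IP::client_addr] -> [IP::local_addr]:[TCP::local_port] (not SSH)"
        reject
        return
    }

    # Assumed data group: allowed_clients_class maps each client host/network to
    # the name of the address data group listing the destinations it may reach.
    # class search returns "" when the client matches no entry.
    set dest_class [class search -value allowed_clients_class equals [IP::client_addr]]

    # Default deny: an unknown client, or a known client reaching a destination
    # outside its own destination data group, is rejected. Tcl's || short-circuits
    # inside the braced expression, so class match is never called with an empty name.
    if { $dest_class eq "" || ![class match [IP::local_addr] equals $dest_class] } {
        log local0. "Rejecting [IP::client_addr] -> [IP::local_addr]:22 (not in policy)"
        reject
        return
    }

    # Only when the client sits in the same /24 as the destination node does the
    # return traffic risk bypassing the BIG-IP; SNAT in that case so the node
    # answers back to the self IP instead of directly to the client.
    if { [IP::addr "[IP::client_addr]/24" equals "[IP::local_addr]/24"] } {
        log local0. "SNAT automap for [IP::client_addr] -> [IP::local_addr] (same /24)"
        snat automap
    }
}
```

The ordering is deliberate: the cheap port test runs first, the policy lookup rejects before any SNAT decision is made, and a client that is not listed at all is treated exactly like one that is listed but aiming at the wrong destination. The log lines are there so a denied pair shows up in /var/log/ltm while the data groups are being built out; drop them once the policy is stable if the volume is a concern.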
  • Thanks Aaron.

    I will give the code you pasted a go.

    Cheers.

    Andy