Request: Help with iRule for Wildcard SSH
Hi All,
Currently we have an SSH VIP for every single inside VLAN. To remove the many SSH VIPs per inside VLAN, I just want to have one WILDCARD SSH VIP, but I need an iRule to (1) permit client address x.x.x.x to destination network y.y.y.y:22 only and likewise permit client address a.a.a.a to b.b.b.b:22 only, etc. I don't want x.x.x.x to be able to access b.b.b.b:22 or a.a.a.a to have access to y.y.y.y:22. (2) I also need to SNAT the connections from the clients that are in the same subnet as the nodes.
I was able to apply the access restrictions to each SSH VIP per inside VLAN with the following iRules.
1/ Permit specific source address
when RULE_INIT {
    # v1.0 - basic ACL.
    # October, 2007
    # Tested on BigIP version 9.4.
    #
    # Purpose:
    # Bind this rule to a network virtual server to simply allow or disallow traffic based on source IP.
    # This rule expects a datagroup named trustedAddresses that lists the addresses you wish to allow.
    # By default, traffic will be dropped.
}
when CLIENT_ACCEPTED {
    # Source address must appear in the trustedAddresses data group (host or network entries).
    if { [matchclass [IP::client_addr] equals trustedAddresses] } {
        # Uncomment the line below to turn on logging.
        #log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
    } else {
        # Uncomment the line below to turn on logging.
        #log local0. "Invalid client IP: [IP::client_addr] - discarding"
        # Default deny: drop the connection silently.
        discard
    }
}
2/ Apply SNAT if the client is in the same subnet as the node.
when CLIENT_ACCEPTED {
    # If the client sits in the same /24 as the nodes, SNAT it so the node's
    # reply comes back through the BIG-IP instead of going directly to the client.
    if { [IP::addr [IP::client_addr]/24 equals "210.15.210.0"] } {
        snat 210.15.210.77
    }
}
I guess with the SNAT issue I can just add multiple IF...ELSE statements for each inside VLAN, but I'm not sure how to restrict access so that x.x.x.x only has access to y.y.y.y:22 and not to b.b.b.b:22.
Thanks,
Andy
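One way to combine both requirements on a single wildcard virtual server, as an added example that is not part of Andy's post and not an F5-supplied rule. It assumes BIG-IP v10 or later iRule syntax (class match rather than matchclass) and two address-type data groups whose names and contents are assumptions of this example: ssh_acl maps a client host or network to the list of destination networks it may reach on port 22, and ssh_snat maps an inside subnet to the SNAT address to use when client and node both fall in that subnet. On a wildcard virtual server [IP::local_addr] in CLIENT_ACCEPTED is the real destination the client asked for, which is what the per-client check compares against.

```tcl
# Added example, not from the original post. Assumes BIG-IP v10+ and two
# address-type data groups (names and entries are assumptions for this example):
#
#   ssh_acl  : key = client host/network, value = space-separated list of
#              destination networks that client may reach on port 22, e.g.
#                host    10.1.1.5      { "10.2.2.0/24" }
#                network 10.1.3.0/24   { "10.2.4.0/24 10.2.5.0/24" }
#
#   ssh_snat : key = inside subnet, value = SNAT address for that subnet, e.g.
#                network 210.15.210.0/24 { "210.15.210.77" }
#
# Attach to one wildcard virtual server (e.g. 0.0.0.0:22) with destination
# address translation disabled, so the connection still goes to the node the
# client addressed.

when CLIENT_ACCEPTED {
    # Only SSH is in scope; if the VS were 0.0.0.0:0, drop everything else.
    if { [TCP::local_port] != 22 } {
        discard
        return
    }

    # Look up which destination networks this client may reach.
    # Unknown clients get nothing (default deny).
    set allowed [class match -value [IP::client_addr] equals ssh_acl]
    if { $allowed eq "" } {
        log local0. "SSH ACL: [IP::client_addr] not in ssh_acl, discarding"
        discard
        return
    }

    # The destination the client actually asked for must be in that list.
    set permitted 0
    foreach net $allowed {
        if { [IP::addr [IP::local_addr] equals $net] } {
            set permitted 1
            break
        }
    }
    if { !$permitted } {
        log local0. "SSH ACL: [IP::client_addr] -> [IP::local_addr]:22 not permitted, discarding"
        discard
        return
    }

    # SNAT only when client and node match the same ssh_snat subnet entry,
    # so the node's reply returns via the BIG-IP rather than directly to the
    # client (which would break the connection).
    set client_net [class match -name [IP::client_addr] equals ssh_snat]
    set node_net   [class match -name [IP::local_addr]  equals ssh_snat]
    if { $client_net ne "" && $client_net eq $node_net } {
        snat [class match -value [IP::client_addr] equals ssh_snat]
    }
}
```

Each client entry is checked against the destination it actually connects to, so x.x.x.x listed with y.y.y.y/32 (or its /24) is discarded when it tries b.b.b.b:22, and the per-VLAN IF...ELSE chain for SNAT collapses into the ssh_snat data group. If the deployment is still on v9.x, replace the class match calls with the matchclass/findclass equivalents and $::ssh_acl style data group references.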