Forum Discussion

toshi_01_132399's avatar
toshi_01_132399
Icon for Nimbostratus rankNimbostratus
Aug 30, 2013

mysql ip access control

I would like to do the ip access control by using a irule. However, I failed in the following way.

pool-allowhost-01 have kept some mysql.

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::remote_addr] equals 192.168.1.0/24] } {
         pool pool-allowhost-01
    } else {
         reject
    }
}

allowed host can not access pooling mysql.

[localhost ~]$  mysql -u user -ppass -h lbaddr
Warning: Using a password on the command line interface can be insecure.

stay stopping

application delivery
devops
iRules

21 Replies

Sort By
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Aug 30, 2013

    have you checked tcpdump?

    e.g.

     tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x or host y.y.y.y

x.x.x.x is client ip
y.y.y.y is server/pool member ip
    • toshi_01_132399's avatar
      toshi_01_132399
      Icon for Nimbostratus rankNimbostratus
      Aug 30, 2013
      Thank you. i have checked tcpdump at all member servers. however i could not confirm ip packet from load balancer. ip packet seem to have stopped in load balancer.
    • toshi_01_132399's avatar
      toshi_01_132399
      Icon for Nimbostratus rankNimbostratus
      Aug 30, 2013
      Unfortunately, i do not have permission to login to bigip. If possible, I asked administrator.
  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    Aug 30, 2013

    have you checked tcpdump?

    e.g.

     tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x or host y.y.y.y

x.x.x.x is client ip
y.y.y.y is server/pool member ip
    • toshi_01_132399's avatar
      toshi_01_132399
      Icon for Nimbostratus rankNimbostratus
      Aug 30, 2013
      Thank you. i have checked tcpdump at all member servers. however i could not confirm ip packet from load balancer. ip packet seem to have stopped in load balancer.
    • toshi_01_132399's avatar
      toshi_01_132399
      Icon for Nimbostratus rankNimbostratus
      Aug 30, 2013
      Unfortunately, i do not have permission to login to bigip. If possible, I asked administrator.
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Aug 30, 2013

    Just to be clear, "lbaddr" in your mysql statement is the virtual server IP address, and "pool-allowhost-01" is a pool that contains the IP address and listening port of the actual mysql servers. You didn't specify a port in the mysql statement, so your virtual server should probably also be listening on TCP port 3306. If that's true, I'll also assume that the pool is bound to the virtual server configuration. Your iRule can then be a little simpler:

    when CLIENT_ACCEPTED {
    if { not ( [IP::addr [IP::client_addr] equals 192.168.1.0/24] ) } {
         reject
    }
}

    If the client's source address does not match the given subnet, reject. Otherwise the request will be sent to the assigned pool. Now, with all of those pieces in place, Nitass' suggestion to use TCPDUMP is probably your best bet at troubleshooting. You'll want to look for the client's IP address coming to the VIP address on the BIG-IP's external interface, and subsequently the client's IP address (or SNAT address) going to the mysql server on the BIG-IP's internal interface. There's a good chance that one of those aren't happening.

  • toshi_01_132399's avatar
    toshi_01_132399
    Icon for Nimbostratus rankNimbostratus
    Aug 31, 2013

    Thank you Kevin Stewart and nittas. I have also tried the above method already, but the result did not change.

    my environment is following

    client(192.168.1.30)   ----->    bigip and iRule(172.20.1.262:3306)
                                       pool-allowhost-01  -----> 192.168.1.50:3306
                    -----> 192.168.1.51:3306                                                                  
    -----> 192.168.1.52:3306

    I guess that It must add the address of the VIP? 

    when CLIENT_ACCEPTED { 
    if { not ( [IP::addr [IP::client_addr] equals 192.168.1.0/24] ) and not ( [IP::addr [IP::client_addr] equals 172.20.1.262] )} { 
   reject 
   } 
}
  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    Aug 31, 2013

    as Kevin suggested, have you tried to enable snat automap under virtual server configuration? does this virtual server work without the irule?

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Aug 31, 2013

    as Kevin suggested, have you tried to enable snat automap under virtual server configuration? does this virtual server work without the irule?

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Aug 31, 2013

    Okay, unless I'm just missing it, the iRule looks fine. Can you add in some logging and report back the results?

    when CLIENT_ACCEPTED { 
    if { not ( [IP::addr [IP::client_addr] equals 192.168.1.0/24] ) and not ( [IP::addr [IP::client_addr] equals 172.20.1.262] ) } { 
        log local0. "Rejecting client: [IP::client_addr]"
        reject 
    } else {
        log local0. "Allowing client: [IP::client_addr]"
    }
}
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Aug 31, 2013

    if { not ( [IP::addr [IP::client_addr] equals 192.168.1.0/24] ) and not ( [IP::addr [IP::client_addr] equals 172.20.1.262] ) } {

     

    doesn't it return false when client is from 192.168.1.0/24?

     

  • toshi_01_132399's avatar
    toshi_01_132399
    Icon for Nimbostratus rankNimbostratus
    Aug 31, 2013

    doesn't it return false when client is from 192.168.1.0/24?

    What about the syntax of the following 

    when CLIENT_ACCEPTED { 
    if { [IP::addr [IP::client_addr] equals 172.20.1.262] }
        log local0. "Allowing client VIP: [IP::client_addr]"
        pool pool-allowhost-01  or forward
   
    } elseif {[IP::addr [IP::client_addr] equals 192.168.1.0/24] } { 
        log local0. "Allowing client: [IP::client_addr]"
        pool pool-allowhost-01  or forward
   
    } else {
        log local0. "Rejecting client: [IP::client_addr]"
        reject
    }
}
  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    Aug 31, 2013

    i think the original irule below is okay.

    when CLIENT_ACCEPTED {
    if { [IP::addr [IP::remote_addr] equals 192.168.1.0/24] } {
         pool pool-allowhost-01
    } else {
         reject
    }
}

    may you add log command to the irule something like what kevin suggested? also, i think it would be helpful if you can run tcpdump on bigip.

    e.g.

     tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host 192.168.1.30 or host 192.168.1.50 or host 192.168.1.51 or host 192.168.1.52

    and can you post the virtual server, pool and snatpool configuration here?

     tmsh list ltm virtual (virtual server name)
 tmsh list ltm pool (pool name)
 tmsh list ltm snatpool (snatpool name)

    just my 2 cents.

    • toshi_01_132399's avatar
      toshi_01_132399
      Icon for Nimbostratus rankNimbostratus
      Sep 01, 2013
      Thank you. I will try to challenge on the basis by information of everyone
Related Content