Forum Discussion

superuser_22978
Nov 04, 2015

irule for range of ports and a few specific ports

Hi guys. I have a request to open up ports from 56000 to 57000 and 3389, 10520, 10521. The iRule I have below is not working. Connections are getting refused. Please suggest.

    when CLIENT_ACCEPTED {
        if {([TCP::local_port] >= 56000 ) && ([TCP::local_port] <= 57000) || ([TCP::local_port] == 3389 ) || ([TCP::local_port] == 10520) || ([TCP::local_port] == 10521) } {
            pool qa_pool
        } else reject
    }


9 Replies

  • Looks like just a few little syntax issues. Try this.

    when CLIENT_ACCEPTED {
        # Allow the 56000-57000 range plus three individual ports
        if { (([TCP::local_port] >= 56000) && ([TCP::local_port] <= 57000)) || ([TCP::local_port] == 3389) || ([TCP::local_port] == 10520) || ([TCP::local_port] == 10521) } {
            pool qa_pool
        } else {
            # Tcl needs "else" on the same line as the closing brace of the if body
            reject
        }
    }
    
    • R_Marc_77962
      That will work, but if you have multiple backend pools for different ports, a switch statement is probably the way to go (it's also more readable, in my opinion):

          when CLIENT_ACCEPTED {
              # Pick a pool by the destination port of the accepted connection
              switch [TCP::local_port] {
                  "80" { pool server-80-tcp-pool }
                  "444" { pool server-444-tcp-pool }
                  "443" {
                      if { [class match [IP::client_addr] equals service_client_ip_list] } {
                          log local0. "Requested from service IP: [IP::client_addr] sending to server-443-tcp-service-pool"
                          pool server-443-tcp-service-pool
                      } else {
                          pool server-443-tcp-pool
                      }
                  }
                  "30200" { pool server-30200-tcp-pool }
                  "30201" { pool server-30201-tcp-pool }
                  "30202" {
                      if { [class match [IP::client_addr] equals service_client_ip_list] } {
                          log local0. "Requested from IP: [IP::client_addr] send to server-30202-tcp-service-pool"
                          pool server-30202-tcp-service-pool
                      } else {
                          pool server-30202-tcp-pool
                      }
                  }
                  "30203" { pool server-30203-tcp-pool }
                  "30204" { pool server-30204-tcp-pool }
                  "30205" { pool server-30205-tcp-pool }
                  # Any other port is silently dropped
                  default { discard }
              }
          }
    • Brad_Parker_139
      That's true. It's also arguably true that it's cleaner to do it with multiple VS and pools. 😀
    • superuser_22978
      Thank you, Brad. But when I used the rule you suggested above and tested it, the virtual server is accepting telnet on all ports (not only on 3389, 10520, 10521 and 56000 - 57000). The virtual server is not rejecting connections on ports other than the ports mentioned in the iRule.
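
The two approaches from the thread combined, as an added example that is not from any of the posters: a switch for the individual ports, a numeric test for the range, and a log line on the reject branch so a test can confirm which branch a connection took. The pool name `qa_pool` comes from the question; the log message format is constructed for illustration.

```tcl
when CLIENT_ACCEPTED {
    # Destination port the client connected to on the virtual server
    set port [TCP::local_port]

    switch -- $port {
        3389 -
        10520 -
        10521 {
            # Individually allowed ports ("-" falls through to the next body)
            set allowed 1
        }
        default {
            # switch compares exact strings, so the range is tested numerically
            set allowed [expr {$port >= 56000 && $port <= 57000}]
        }
    }

    if { $allowed } {
        pool qa_pool
    } else {
        # CLIENT_ACCEPTED runs once the client-side connection has been
        # accepted, so a telnet test to a disallowed port can show a brief
        # connect followed by a reset. This log entry shows the reject ran.
        log local0. "Rejected [IP::client_addr]:[TCP::client_port] -> port $port (not in allow-list)"
        reject
    }
}
```

Checking the boundary ports (55999, 56000, 57000, 57001) against the log output verifies that the range comparison is inclusive at both ends.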