Forum Discussion

LeanderV_365921
Feb 07, 2019

FTP Proxy , user based forwarding with iRule

I'm looking into using a VS as an FTP proxy towards my backend webserver. Currently it already works for one webserver behind the VS.

I'm now trying to write an iRule to forward traffic to the right server based on the username the FTP connection is initiated with. Secondly, I need to rewrite the username and remove the web parameter.

Example:

USER1 connects with the following credential: USER1@WEB1

@WEB1 is removed from the credential, and the connection is forwarded towards pool WEB1.

Anybody have any ideas how to do this last part?


9 Replies

  • Just working on a similar project extracting user credentials from SMTPS requests.

    First, there is nothing in the FTP iRule commands that can do this for you, so you need to read the TCP payload to locate and extract the data you need.

    To do this you need to work out a flow where you enable collection of the next clientside and/or serverside payload using `TCP::collect` (or `SSL::collect` if you are using SSL offload), then identify the payload with the `TCP::payload` details and do some manipulation with `TCP::payload replace` and `TCP::release`.

    Best is to look at the following code share examples, which you can hopefully use as a base:

  • So currently I can redirect traffic to the right server based on username.

    But the username gets modified when sending it to the server from F5 somehow. I use the following to change the TCP::payload:

    # empty the collected clientside payload
    TCP::payload replace 0 [TCP::payload length] ""
    # rebuild the USER command with the stripped username (no line terminator here)
    set packetdata "USER $user"
    TCP::payload replace 0 0 $packetdata
    

    Serverside we see the following:

    [pid 31210] FTP command: Client "::ffff:10.1.1.1", "USER usernameSYST"
    

    When I log TCP::payload on F5 I see "USER username". So I have no idea where the SYST part comes from.

  • It's the following.

    # logs the raw collected payload; this gives username@ftp1
    log local0. [TCP::payload]
    # capture the part of the USER argument before the "@"
    regexp "USER \(\[a-zA-Z0-9_-]+)"  [TCP::payload] all user
    # this gives username
    log local0. "$user"
    
  • Try this:

    TCP::payload replace 0 [TCP::payload length] "" 
    TCP::payload replace 0 0 "USER $user\r\n"
    

    The \r\n I think is needed as the end of the FTP command.

  • Any idea on how to read out the password? I only have success connecting if I place the password in the TCP::payload.

    set packetdata "USER $user\r\nPASS test123\r\n"
    

    I could set up a datagroup with all users and passwords on F5 but that is something i would like to avoid.

  • From what I have seen, the FTP PASS command is sent separately, following a 331 response from the FTP server.

    This is from an example PCAP file I found online:

    < 220-
    < 220 6bone.informatik.uni-leipzig.de FTP server (NetBSD-ftpd 20041119) ready.
    > USER anonymous
    < 331 Guest login ok, type your name as password.
    > PASS IEUser@
    < 230 Guest login ok, access restrictions apply.
    > opts utf8 on
    < 502 Unknown command 'utf8'.
    > syst
    < 215 UNIX Type: L8 Version: NetBSD-ftpd 20041119
    > site help
    < 214-
    

    If this is the case for your client and server I would expect the F5 can simply pass through the password in the next payload.

    It is possible that different authentication methods are available (I hit this issue when writing an extraction iRule for SMTP authentication), so you would need to check, as I do not know FTP in that much detail.
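The flow outlined in the first reply (collect the clientside payload, inspect it, rewrite it, release it), together with the two later findings in the thread (the rewritten USER line needs its CRLF, and PASS arrives in a separate segment after the server's 331), as one added iRule example. This is not code from the thread or from F5; it assumes the virtual server has no client SSL profile (so TCP::collect sees cleartext; with SSL offload the SSL::collect path from the first reply would be needed instead), that the client sends USER as its first command as in the PCAP above, and that pools named WEB1 and WEB2 exist. The second pool name is an assumption for illustration.

```tcl
# Added example (not from the thread): route an FTP control connection by the
# "@SITE" suffix of the USER argument and strip that suffix before the server
# sees it. Assumptions: no client SSL profile on the VS, the client's first
# command is USER, and pools WEB1 and WEB2 exist (WEB2 is an assumed name).
when CLIENT_ACCEPTED {
    # Hold the first clientside payload so CLIENT_DATA can inspect it.
    TCP::collect
}

when CLIENT_DATA {
    set payload [TCP::payload]

    # An FTP command line ends in CRLF. Keep collecting until one is complete,
    # but do not buffer forever for a client that never sends a terminator.
    if { [string first "\r\n" $payload] == -1 } {
        if { [TCP::payload length] > 512 } {
            log local0. "[IP::client_addr]: no CRLF within 512 bytes, rejecting"
            reject
            return
        }
        TCP::collect
        return
    }

    # Anchor at the start of the buffer and capture the whole USER line, so only
    # that line is rewritten and anything pipelined behind it (SYST, OPTS, ...)
    # is left intact. Dropping the CRLF from the rewritten line is what produced
    # "USER usernameSYST" on the server in the thread.
    if { ![regexp -nocase {^(USER[ \t]+([^\r\n]+))\r\n} $payload line userarg] } {
        log local0. "[IP::client_addr]: first command is not USER, rejecting"
        reject
        return
    }

    # Split on the LAST "@" so email-style logins (bob@example.com@WEB1) still
    # work; require a non-empty username in front of it.
    set at [string last "@" $userarg]
    if { $at < 1 } {
        log local0. "[IP::client_addr]: USER '$userarg' has no @SITE suffix, rejecting"
        reject
        return
    }
    set user [string range $userarg 0 [expr {$at - 1}]]
    set site [string toupper [string range $userarg [expr {$at + 1}] end]]

    # Only allow-listed suffixes select a pool; never build a pool name
    # directly from client-supplied text.
    switch -- $site {
        "WEB1" { pool WEB1 }
        "WEB2" { pool WEB2 }
        default {
            log local0. "[IP::client_addr]: unknown site '$site' for user '$user', rejecting"
            reject
            return
        }
    }

    # Replace just the USER line (its length plus the two CRLF bytes) with the
    # stripped username, CRLF included, then let the buffer flow to the chosen
    # pool. The PASS command comes in a later segment after the server's 331
    # and passes through untouched because nothing is collected after release.
    TCP::payload replace 0 [expr {[string length $line] + 2}] "USER $user\r\n"
    TCP::release
}
```

With a client sending "USER USER1@WEB1\r\n", the server receives "USER USER1\r\n" on pool WEB1; a client whose first line is anything other than USER, or whose suffix is not in the switch table, is rejected and logged rather than sent to a default pool.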