F5: Difference between revisions
(→iRule) |
|||
Line 97: | Line 97: | ||
= iRule = |
= iRule = |
||
* |
* iRule is a script that direct traffic though BIG IP , based on TCL command language. |
||
* iRule give control of inbound and outbound traffic from Big IP. |
|||
* Irule contains follwing events ( I rule name ,events ,condtion ,action ) |
|||
* iRule contains following events -> Irule name, events, condition, action |
|||
= Deploy F5 in KVM = |
|||
[10.170.131.132:8443]---------[Mgmt-192.168.122.109:8443] |
|||
[10.170.131.132:443]---------[VIP-192.168.122.110:443] |
|||
* Download the Image from F5 Portal: |
|||
# Move the downloaded BIG-IP VE image into libvirt's default image directory.
sudo mv -- BIGIP-16.1.3-0.0.12.qcow2 /var/lib/libvirt/images/
|||
''' |
|||
# Reference example only (not part of the BIG-IP deployment): a network
# install of Ubuntu trusty via --location, which is the only install mode
# in which --extra-args is honoured.
virt-install --name ubuntu-trusty --ram 256 \
  --disk path=/var/kvm/images/trusty.img,size=3 \
  --vcpus 1 \
  --os-type linux --os-variant ubuntutrusty \
  --graphics none \
  --console pty,target_type=serial \
  --location 'http://fr.archive.ubuntu.com/ubuntu/dists/trusty/main/installer-amd64/' \
  --extra-args 'console=ttyS0,115200n8 serial'
|||
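# First attempt at defining the BIG-IP VE guest (the F5-BIGIP command below is
# the one that was used in the end).
# Fixes vs. the original note: '--import' had no trailing '\', which ended the
# command early and left '--extra-args' to be run as a separate (failing)
# command; '--import' is now the last argument. '--extra-args' is kept only as
# a comment because virt-install honours it solely for --location installs,
# not for --import.
# NOTE(review): this references the 17.0.0.1 image while the download step
# above moves 16.1.3-0.0.12 into place — confirm which image is present.
sudo virt-install --name bigip \
  --ram 4096 \
  --disk path=/var/lib/libvirt/images/BIGIP-17.0.0.1-0.0.4.qcow2 \
  --vcpus 2 \
  --os-type linux \
  --os-variant rhel6 \
  --graphics spice \
  --console pty,target_type=serial \
  --network bridge=virbr0 \
  --noautoconsole \
  --import
# --extra-args 'console=ttyS0,115200n8 serial'   # only valid with --location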
|||
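# Define the BIG-IP VE guest from the downloaded qcow2. The second --disk does
# not exist yet; virt-install creates it as an 8 GiB blank datastore volume.
# Hardening vs. the original note: the VNC console and the TCP serial console
# were bound to 0.0.0.0, i.e. reachable from the whole LAN. The serial
# console is plain telnet with no authentication, and the VNC password sits
# in 'ps' output, so both are now bound to 127.0.0.1 and reached through an
# SSH tunnel to the host (e.g. ssh -L 5902:127.0.0.1:5902 host).
# NOTE(review): --ram=8096 is probably meant to be 8192 (8 GiB) — confirm.
sudo virt-install \
  --name=F5-BIGIP \
  --description="BIG-IP Local Traffic Manager (LTM) Virtual Edition (VE)" \
  --disk path=/var/lib/libvirt/images/BIGIP-16.1.3-0.0.12.qcow2,bus=virtio,format=qcow2 \
  --disk path=/var/lib/libvirt/images/BIGIP-16.1.3-0.0.12.DATASTOR.ALL.qcow2,size=8,bus=virtio,format=qcow2 \
  --network=bridge=virbr0,model=virtio \
  --graphics vnc,password=admin123,listen=127.0.0.1,port=5902 \
  --serial tcp,host=127.0.0.1:2223,mode=bind,protocol=telnet \
  --vcpus=2 --cpu host --ram=8096 \
  --os-type=linux \
  --os-variant=rhel6 \
  --import --autostart --noautoconsole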
|||
''' |
|||
''' |
|||
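# Tear down an earlier 'bigip' definition: ask for a clean (ACPI) shutdown,
# force off whatever is still running, then remove the domain definition.
sudo virsh shutdown bigip
sudo virsh destroy bigip
sudo virsh undefine --domain bigip
# Confirm the domain is gone, then look up the management address the guest
# obtained from the 'default' libvirt network's DHCP (the original note ran
# the lease query twice; once is enough).
sudo virsh list --all
sudo virsh net-dhcp-leases default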
|||
10.170.131.132 |
|||
192.168.122.109 |
|||
# Attach to the guest's serial console (Ctrl+] detaches).
# Console credentials as noted for this image: root / default
sudo virsh console bigip
|||
# config -> Assign IP address for management |
|||
tmsh show sys management-ip --> not working
|||
tmsh show running-config |
|||
nano /etc/libvirt/hooks/qemu |
|||
''' |
|||
''' |
|||
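#!/bin/bash
# libvirt qemu hook (/etc/libvirt/hooks/qemu): make sure the FORWARD chain
# lets the host-side LAN reach the BIG-IP guest on libvirt's NATed network.
#   192.168.122.0/24  NATed guest subnet, bridged on virbr0
#   10.170.131.0/24   LAN subnet that is allowed in
#   192.168.122.109   the BIG-IP guest
# Based on the hook written by Vivek Gite under GPL v3.x {https://www.cyberciti.biz}
# -----------------------------------------------------------------
# libvirt runs this hook as "qemu <guest> <operation> <sub-operation> ..."
# for every guest and every operation, so the insert must be idempotent.
# The original note counted 'iptables -L FORWARD' lines matching
# "192.168.122.109/32", but 'iptables -L' prints a host match without the
# /32 suffix, so the count was always 0 and a duplicate rule was inserted
# on every call. 'iptables -C' asks the kernel whether the exact rule is
# already present instead.
set -u

readonly guest_ip=192.168.122.109/32
readonly lan_net=10.170.131.0/24

# The rule is kept in an array so -C and -I test/insert exactly the same thing.
rule=(-o virbr0 -m state -s "$lan_net" -d "$guest_ip" --state NEW,RELATED,ESTABLISHED -j ACCEPT)

# -C exits non-zero (and complains on stderr) when the rule is absent; that is
# the expected case on first run, so its stderr is discarded.
if ! /sbin/iptables -C FORWARD "${rule[@]}" 2>/dev/null; then
  /sbin/iptables -I FORWARD 1 "${rule[@]}"
fi
# When the rule already exists the 'if' yields status 0, so the hook never
# makes libvirt refuse to start a guest just because the rule is in place.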
|||
''' |
|||
''' |
|||
# libvirt ignores a hook file that is not executable.
# NOTE(review): libvirtd may have to be restarted before a newly created hook
# is picked up — check the libvirt hooks documentation for this version.
chmod -v +x -- /etc/libvirt/hooks/qemu
|||
vim /etc/ufw/before.rules |
|||
# KVM/libvirt Forward Ports to guests with Iptables (UFW) #
# Fragment for /etc/ufw/before.rules (iptables-restore syntax): a 'nat' table
# block that forwards HTTPS arriving on the host address 10.170.131.132 to the
# BIG-IP guest's management address. A matching FORWARD accept is still needed
# for the translated packets to pass (see the hook script and the iptables
# commands below).
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.170.131.132 -p tcp --dport 443 -j DNAT --to-destination 192.168.122.109:443 -m comment --comment "Port443 for BigIP"
# Each table block in before.rules must end with its own COMMIT.
COMMIT
|||
# Host-side port forwards for the BIG-IP guest (192.168.122.109): the
# management WebUI/REST on 8443 and HTTP on 80, arriving on the host
# address 10.170.131.132. (443 is handled by the PREROUTING rule added to
# /etc/ufw/before.rules above.)
sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 8443 -j DNAT --to-destination 192.168.122.109:8443
sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 80 -j DNAT --to-destination 192.168.122.109:80
# NOTE(review): this accepts NEW forwarded connections from any source to the
# whole 192.168.122.0/24 guest subnet, which is much broader than the hook
# script's rule (-s 10.170.131.0/24 -d 192.168.122.109/32). The same -s/-d
# narrowing, limited to the DNATed ports, would suffice here.
sudo iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Persist the live ruleset. NOTE(review): the dump also contains the rules
# libvirt manages dynamically for virbr0 — confirm they are not duplicated
# when the saved file is restored at boot.
sudo service netfilter-persistent save
|||
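# Query the BIG-IP management address through the iControl REST API.
# The root password is no longer typed on the command line (where it is
# visible in 'ps' and shell history): it is taken from the environment and
# handed to curl through a config file on stdin ('-K -'). 'insecure' is the
# config-file form of '-k', needed because BIG-IP VE ships a self-signed
# certificate. The former '-X GET' and Content-Type header were redundant on
# a body-less GET. A password containing '"' would need escaping here.
: "${BIGIP_ROOT_PASSWORD:?set BIGIP_ROOT_PASSWORD to the BIG-IP root password}"
curl -s -K - https://192.168.122.109/mgmt/tm/sys/management-ip <<EOF | jq -M .
user = "root:${BIGIP_ROOT_PASSWORD}"
insecure
EOF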
|||
192.168.122.145 |
|||
root/kIr@t#29 |
|||
tmsh install /sys license registration-key HOBOF-RKGYF-XKFTJ-HLGHP-KDQXQDS |
|||
tmsh install /sys license registration-key CEGMC-JBZNW-LGQZT-GPNOL-WHXDLFL |
|||
tmsh |
|||
modify /security firewall management-ip-rules rules add { example_mgmt_rule { action accept destination { addresses add { 192.168.122.109 } ports add { 443 } } ip-protocol tcp log yes place-before first source { addresses add { 10.170.131.1-10.170.131.254 } ports none } status enabled uuid auto-generate } } |
|||
save /sys config |
|||
''' |
|||
=== Install CentOS === |
|||
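# Fetch the CentOS 7 GenericCloud image used for the backend web server.
# The file name is kept identical to the --disk path used by the CentOS
# virt-install below (the original note customised a '-2111' file that the
# wget step never produced).
wget https://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2
# Set the root password from a 0600 file instead of 'password:...' on the
# command line, so it does not land in 'ps' output or shell history. The
# password is prompted for (no echo) and the file is removed afterwards.
(umask 077; read -rsp 'root password for the guest: ' pw; printf '%s\n' "$pw" > root-password.txt)
virt-customize -a CentOS-7-x86_64-GenericCloud.qcow2 --root-password file:root-password.txt
rm -f -- root-password.txt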
|||
You can now log in to the new guest as root / DDYrTXJZTJldOqimb68ZK5KCmRpbdBOe
|||
''' |
|||
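# Define the CentOS 7 web-server guest from the customised cloud image, on a
# serial console only (no graphics). The second --disk is created by
# virt-install as an 8 GiB blank volume; its "DATASTOR" name was copied from
# the BIG-IP command and has no special meaning here.
# Fix vs. the original note: --os-variant was rhel6 for a CentOS 7 image; the
# osinfo id controls the virtio/device defaults virt-install picks, so it is
# set to centos7.0 (check 'osinfo-query os | grep -i centos' on this host if
# virt-install rejects the id).
sudo virt-install \
  --name=CentOS \
  --description="CentOS WebServer" \
  --disk path=/var/lib/libvirt/images/CentOS-7-x86_64-GenericCloud.qcow2,bus=virtio,format=qcow2 \
  --disk path=/var/lib/libvirt/images/CentOS-7-x86_64-GenericCloud.DATASTOR.ALL.qcow2,size=8,bus=virtio,format=qcow2 \
  --network=bridge=virbr0,model=virtio \
  --graphics none \
  --console pty,target_type=serial \
  --vcpus=1 --cpu host --ram=2048 \
  --os-type=linux \
  --os-variant=centos7.0 \
  --import --autostart --noautoconsole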
|||
''' |
|||
''' |
|||
# Port forwards for the CentOS guest (192.168.122.98): HTTPS and HTTP arriving
# on the host address 10.170.131.132.
# NOTE(review): 443 on 10.170.131.132 is also DNATed to the BIG-IP
# (192.168.122.109) by /etc/ufw/before.rules above; because -I inserts at the
# top of PREROUTING this rule takes precedence while both exist. Decide which
# guest should own 443 (the diagram at the top shows a VIP on .110) and drop
# the other rule.
sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 443 -j DNAT --to-destination 192.168.122.98:443
sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 80 -j DNAT --to-destination 192.168.122.98:80
# NOTE(review): same broad FORWARD accept as in the BIG-IP section (NEW from
# any source to the whole guest subnet); it is already present from that
# section, so this adds a duplicate. Narrowing to -s 10.170.131.0/24 and the
# DNATed ports would be enough.
sudo iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
|||
''' |