F5 LTM Single VS to multiple pools port mapping

Scenario: 1 to 1 mapping of ports on an IP for SSL termination to a corresponding inside port on a local server.

Rather than creating a VS on the same IP for each individual port I decided to create the pools containing the same node but with individual ports and manage the VS part with an iRule.


pool0 –
pool1 –
pool2 –

An iRule was then created on a VS listening on all ports to redirect as required.

SSL Profile (Client): [ your SSL profile ]
VLAN and Tunnel Traffic: Enabled on… [ appropriate interface ]
Source Address Translation: Auto Map
Address Translation: [ Should be ticked ]
Port Transation: Tick
Resources: [ Pick the iRule ]


    switch [TCP::local_port] {
        "5000" { pool pool0 }
        "5001" { pool pool1 } 
        "5002" { pool pool2 } 
        default { reject }

Seems to work OK!

NB: I found a gotcha here as I was replacing an existing VS with a specific port. If you have a VS for a specific port and shut it down, then create a VS on the same IP listening on all ports, incoming connections to the port on the shutdown VS will be denied! You can get around this by changing the original VS to an unused port to allow for reverting or just delete it.

X11 forwarding over SSH on firewalled CentOS host

I had a few issues with X11 forwarding over SSH on one of my CentOS hosts. After a bit of fiddling, I discovered that there were a couple of things I hadn’t taken into account.

I’d set my putty session up to allow X11 fowarding, and set the X display location to “localhost”. On the server, I installed xclock and its dependencies for testing, and set the following in /etc/ssh/sshd_config:

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

I restarted sshd, however this still wasn’t working.

In short, I was missing two things:

1) xauth wasn’t installed. This is required!
2) I wasn’t allowing connections to localhost in my iptables config. This was fixed in my ruleset with:

iptables -A INPUT -i lo -j ACCEPT

sshd was restarted after installing xauth and adding the firewall rule and it now works a treat!