How to block a TCP Port on KEMP LoadMaster with ACLs

The LoadMaster can blacklist or whitelist IP addresses, but an Access Control List (ACL) cannot block a port on its own. This article shows how to block a specific port on a specific Virtual IP (VIP). A wildcard Virtual Service, which has an asterisk (*) as its port number, accepts connections on every port of that VIP.

To block one port on that wildcard Virtual Service, create a new Virtual Service with the same VIP and the port you want to block.

The new Virtual Service must be marked up and healthy: if it is marked down, connections to that port fall through to the wildcard Virtual Service instead. Adding a Real Server to the new Virtual Service marks it up and healthy as long as the health check passes, so use either a ping health check or set the health check to None. With the health check set to None, the LoadMaster assumes the Virtual Service is up and healthy. The health check must always pass.

Once that is done, create a whitelist inside the new Virtual Service using its access control feature.

Insert 127.0.0.1 into the whitelist.

This allows only that address, the localhost address, and blocks every other IP address trying to reach this VIP on this port. No external client can source traffic from 127.0.0.1, so the whitelist acts as a deny-all for the port.

When ACLs are used on a Virtual Service whose address is the same as an interface address (which is not recommended), the following ports are never blocked: 443 (WUI), 22 (SSH), 161 (SNMP) and 53 (DNS).

Below is a table highlighting the scenarios for using a whitelist or blacklist.

Also note that we do not recommend using a whitelist and a blacklist on the same Virtual Service.

[Image: table of whitelist/blacklist scenarios (mceclip0.png)]

To verify that the TCP port is being blocked, capture a TCP dump on the LoadMaster.

In the KEMP WUI, go to System Configuration > Logging Options > System Log Files > Debug Options > TCP dump, select the interface, enter the port number and click Start.

Generate traffic from a workstation by attempting to establish a number of TCP sessions to the VIP on that port, then return to the LoadMaster WUI and click Stop to end the capture.

Download the capture and open the pcap in Wireshark.

Note: with the rejection method set to Drop, the LoadMaster does not reply at all, so the capture shows only the workstation's SYN packets with no answer from the VIP.

With the rejection method set to Reject, the LoadMaster answers each blocked connection attempt with an Internet Control Message Protocol (ICMP) destination unreachable packet, which is visible in the capture.
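The Wireshark inspection above can be automated. The following script is an added example and is not part of the KEMP article or any KEMP tooling: it parses a classic pcap file with only the Python standard library, counts SYNs sent to the VIP:port, SYN-ACKs or RSTs sent back from it, and ICMP destination unreachable messages from the VIP that quote a SYN to that port, and returns a verdict of dropped, rejected or not-blocked. The VIP 10.0.0.50, client 10.0.0.20, port 8080 and ICMP code 13 used in the constructed sample captures are assumptions for the demonstration, as is the use of code 13 by the LoadMaster; the article only says a destination unreachable message is sent.

```python
"""Classify a LoadMaster tcpdump capture as dropped / rejected / not-blocked.

Added example, not KEMP code. Handles classic pcap files (not pcapng) with
Ethernet frames; Wireshark can "Save As" pcap if the download is pcapng.
"""
import socket
import struct

ETH_IPV4 = 0x0800
IP_ICMP, IP_TCP = 1, 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
ICMP_UNREACHABLE = 3          # ICMP type 3: destination unreachable


def _read_frames(pcap: bytes):
    """Yield the raw link-layer frame of every record in a classic pcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported)")
    linktype, = struct.unpack_from(order + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("expected Ethernet (LINKTYPE_ETHERNET) frames")
    off = 24                              # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(order + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def _parse_ipv4(packet: bytes):
    """Return (src, dst, proto, l4_payload) for an IPv4 packet, else None."""
    if len(packet) < 20:
        return None
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", packet, 0)
    if vihl >> 4 != 4:
        return None
    ihl = (vihl & 0x0F) * 4
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, packet[ihl:]


def analyze_capture(pcap: bytes, vip: str, port: int) -> dict:
    """Count connection attempts to vip:port and how the VIP answered them."""
    counts = {"syn": 0, "synack": 0, "rst": 0, "icmp_unreachable": 0}
    for frame in _read_frames(pcap):
        if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        ip = _parse_ipv4(frame[14:])
        if ip is None:
            continue
        src, dst, proto, l4 = ip
        if proto == IP_TCP and len(l4) >= 14:
            sport, dport, _, _, _, flags = struct.unpack_from("!HHIIBB", l4, 0)
            if dst == vip and dport == port and flags & TCP_SYN and not flags & TCP_ACK:
                counts["syn"] += 1                      # client opening a connection
            elif src == vip and sport == port:
                if flags & TCP_SYN and flags & TCP_ACK:
                    counts["synack"] += 1               # VIP accepted the connection
                elif flags & TCP_RST:
                    counts["rst"] += 1
        elif proto == IP_ICMP and len(l4) >= 8 and src == vip and l4[0] == ICMP_UNREACHABLE:
            # An ICMP error quotes the offending IP header plus 8 bytes of its L4 header.
            inner = _parse_ipv4(l4[8:])
            if inner is not None and len(inner[3]) >= 4:
                _, inner_dport = struct.unpack_from("!HH", inner[3], 0)
                if inner[1] == vip and inner_dport == port:
                    counts["icmp_unreachable"] += 1
    if counts["syn"] == 0:
        verdict = "no-traffic"              # wrong interface/port filter or no test traffic
    elif counts["synack"]:
        verdict = "not-blocked"             # the port still answers: ACL is not in effect
    elif counts["icmp_unreachable"]:
        verdict = "rejected"                # rejection method Reject
    elif counts["rst"]:
        verdict = "reset"
    else:
        verdict = "dropped"                 # SYNs with no reply: rejection method Drop
    counts["verdict"] = verdict
    return counts


# ---- constructed sample captures (not real LoadMaster data) ------------------
def _frame(src, dst, proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + hdr + l4   # zero MACs, no checksums


def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)


def build_pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


def sample_capture(mode, vip="10.0.0.50", client="10.0.0.20", port=8080, attempts=3):
    """mode: 'drop' (no replies), 'reject' (ICMP type 3), 'open' (SYN-ACK). Assumed addresses."""
    frames = []
    for i in range(attempts):
        syn = _frame(client, vip, IP_TCP, _tcp(50000 + i, port, TCP_SYN))
        frames.append(syn)
        if mode == "reject":   # ICMP type 3, code 13 (assumed code) quoting IP header + 8 bytes
            icmp = struct.pack("!BBHI", ICMP_UNREACHABLE, 13, 0, 0) + syn[14:14 + 28]
            frames.append(_frame(vip, client, IP_ICMP, icmp))
        elif mode == "open":
            frames.append(_frame(vip, client, IP_TCP, _tcp(port, 50000 + i, TCP_SYN | TCP_ACK)))
    # Unrelated traffic to another port on the same VIP must not affect the verdict.
    frames.append(_frame(client, vip, IP_TCP, _tcp(40000, 443, TCP_SYN)))
    frames.append(_frame(vip, client, IP_TCP, _tcp(443, 40000, TCP_SYN | TCP_ACK)))
    return build_pcap(frames)


if __name__ == "__main__":
    for mode in ("drop", "reject", "open"):
        print(mode, analyze_capture(sample_capture(mode), "10.0.0.50", 8080))
```

For a real capture downloaded from the LoadMaster, call `analyze_capture(open("capture.pcap", "rb").read(), "<VIP>", <port>)`. A verdict of not-blocked means the port still answers, which usually indicates the new Virtual Service is marked down and traffic is falling through to the wildcard Virtual Service; no-traffic means the capture filter or the test traffic, not the ACL, needs checking.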
