Forum Discussion
access control iRule
I cannot seem to get an access control iRule working. I am trying to limit access to a virtual server to only two external IP addresses. I have copied and modified an iRule found on F5 support site but when applied it blocks all traffic to this VS.
20 Replies
- Steve_M__153836
Nimbostratus
It would probably be easier to configure the source on the virtual server (Link to guide) or do this on a firewall.
When configuring a virtual server, you can specify an IP address or network from which the virtual server will accept traffic. For this setting to function properly, you must specify a value other than 0.0.0.0/0 or ::/0 (that is, any/0, any6/0). To maximize utility of this setting, specify the most specific address prefixes spanning all customer addresses and no others.
Let's say you wanted to allow 198.x.y.50 and 198.x.y.51. In the source field you would have 198.x.y.50/31. You might want to double-check the /31 with documentation, or one of the others here can confirm this.
- Cory_50405
Noctilucent
Can you post the iRule you are working from, Terry?
- Terry_Schmidt_1
Nimbostratus
when CLIENT_ACCEPTED {
    while {1} {
        # Look up this virtual server's name in /Common/rtp_allow; the value is
        # the name of the data group that holds the permitted client addresses.
        set dcfw_vdg [class match -value [virtual name] equals /Common/rtp_allow]
        # No mapping for this virtual server, or the named data group does not exist.
        if { ! [class exists $dcfw_vdg] } { break }
        # Client address is not listed in the permitted data group.
        if { ! [class match [IP::remote_addr] equals $dcfw_vdg] } { break }
        # Permitted client: leave the event without discarding.
        return
    }
    discard
}
- Cory_50405
Noctilucent
Try this one:
when CLIENT_ACCEPTED {
    # Rejects the connection when the client is either of the two listed addresses.
    # reject and log are separate commands and must be on separate lines.
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] or [IP::addr [IP::client_addr] equals 10.10.10.20] } {
        reject
        log local0. "Connection dropped from [IP::client_addr]"
    }
}
- Terry_Schmidt_1
Nimbostratus
This did not work. I need to allow only two IP addresses to get through to the VS and reject all other IP address connections. The code above gave an error about the log local0 line.
- Cory_50405
Noctilucent
Apologies for the oversight. This should allow only the two addresses specified:
when CLIENT_ACCEPTED {
    # Intended to reject any client other than the two listed addresses.
    if { ! [IP::addr [IP::client_addr] equals 10.10.10.10] or [IP::addr [IP::client_addr] equals 10.10.10.20] } {
        reject
        log local0. "Connection dropped from [IP::client_addr]"
    }
}
I loaded this in my 11.4.1 LTM without issue. What was the error you are seeing for the previous rule? Error when trying to load it, or error in the log?
- Terry_Schmidt_1
Nimbostratus
I am on 11.2.1 and I got this when loading the iRule:
01070151:3: Rule [/external_part/rtp_ip_allow2] error:
line 1: [parse error: missing close-brace] [{ if { ! [IP::addr [IP::client_addr] equals xx.xxx.xxx.x] or [IP::addr [IP::client_addr] equals xx.xxx.xx.x]} { reject log local0. "Connection dropped from [IP::client_addr]"]
line 2: [parse error: missing close-brace] [{ reject log local0. "Connection dropped from [IP::client_addr]"]
line 3: [command is not valid in the current scope] [reject]
line 4: [command is not valid in the current scope] [log local0. "Connection dropped from [IP::client_addr]"]
line 4: [command is not valid in the current scope] [IP::client_addr]
- Cory_50405
Noctilucent
Try copying the rule in its entirety as I posted it above. Looks like maybe some braces/brackets aren't lining up according to what already exists in your iRule.
Or post your full iRule here and we can help format it.
- mimlo_61970
Cumulonimbus
The above pastes in fine on my 11.2.1. It looks like you are missing a closing }
Also, won't the above !(not) only apply to the first portion of the if statement? Isn't it required after the or as well?
- Terry_Schmidt_1
Nimbostratus
It just seems like the 'reject' statement would deny the IP addresses in the parameters. I have two external IP addresses that need to be the only source addresses allowed to get to this external-facing virtual server.
- Cory_50405
Noctilucent
My latest iRule includes a ! (not) before the addresses. So if it's not one of the two listed, then it'll be rejected.
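An allow-list iRule of the kind the thread is after, added here as an example and not code posted by any participant. It assumes an address-type data group /Common/rtp_allow already exists containing the two permitted client addresses (the data group name and addresses are assumptions), so the two-address test becomes a single class match and the negation cannot be misplaced. The commented inline alternative shows the parentheses needed when the two comparisons are written out, which is the precedence point raised above: without them the ! applies only to the first comparison.

```tcl
# Added example (not from the thread). Assumes an address-type data group
# /Common/rtp_allow that lists the permitted client addresses, e.g.
# 10.10.10.10/32 and 10.10.10.20/32 (assumed values).
when CLIENT_ACCEPTED {
    # class match returns 1 when the client address is in the data group,
    # so the whole test is negated in one place.
    if { ![class match [IP::client_addr] equals /Common/rtp_allow] } {
        # Log first, then reject, so the drop is always recorded.
        log local0. "Rejected connection from [IP::client_addr] to [virtual name]"
        reject
    }

    # Inline alternative without a data group. The parentheses make the
    # negation cover both comparisons; "!A or B" only negates A.
    # if { !([IP::addr [IP::client_addr] equals 10.10.10.10] || [IP::addr [IP::client_addr] equals 10.10.10.20]) } {
    #     log local0. "Rejected connection from [IP::client_addr]"
    #     reject
    # }
}
```

Keeping the addresses in a data group also means the list can be changed without editing and reloading the iRule, and the same rule can be attached to more than one virtual server.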