I cannot seem to get an access control iRule working. I am trying to limit access to a virtual server to only two external IP addresses. I have copied and modified an iRule found on F5 support site but when applied it blocks all traffic to this VS.

It would probably be easier to configure the source on the virtual server (Link to guide) or do this on a firewall. When configuring a virtual sever, you can specify an IP address or network from which the virtual server will accept traffic. For this setting to function properly, you must specify a value other than 0.0.0.0/0 or ::/0 (that is, any/0, any6/0). To maximize utility of this setting, specify the most specific address prefixes spanning all customer addresses and no others. Let's say you wanted to allow 198.x.y.50 and 198.x.y.51. In the source field you would have 198.x.y.50/31. You might want to doublecheck the /31 with documentation, or one of the others here can confirm this.

Can you post the iRule you are working from Terry?

when CLIENT_ACCEPTED { while {1} { set dcfw_vdg [ class match -value [virtual name] equals /Common/rtp_allow ] if { ! [ class exists $dcfw_vdg ] } { break } if { ! [ class match [IP::remote_addr] equals $dcfw_vdg ] } { break } return } discard }

This did not work. I need to allow only two IP addresses to get through to the VS and reject all other IP address connections. The code above gave an error about the log local0 line

access control iRule

20 Replies

Cory_50405

Noctilucent

Jun 10, 2014

Good catch mimlo. This one should work properly with parentheses:

when CLIENT_ACCEPTED {
 if { ! ([IP::addr [IP::client_addr] equals 10.10.10.10] or [IP::addr [IP::client_addr] equals 10.10.10.20])} {
     reject
     log local0. "Connection dropped from [IP::client_addr]"
  }
}

Terry_Schmidt_1
Nimbostratus
Jun 10, 2014
good enough. It let me load this latest iRule and we are currently testing. If this works in dev then we'll apply to prod.
Terry_Schmidt_1
Nimbostratus
Jun 10, 2014
unfortunately this iRule blocked all traffic to this VS.
Cory_50405
Noctilucent
Jun 10, 2014
Stupid question but did you change the IP addresses in the rule to the two hosts that you want to permit?

Kevin_Davies_40

Nacreous

Jun 10, 2014

Just another way of doing the same...

when CLIENT_ACCEPTED {
  switch [IP::client_addr] {
    10.10.10.10 -
    10.10.10.20 { return }
  }
  reject 
  log local0. "Connection rejected from [IP::client_addr]"
}

Terry_Schmidt_1
Nimbostratus
Jun 11, 2014
Valid question Cory, but yes, I am replacing the 10.x.x.x addresses with two external addresses with 67.x.x.x and 65.x.x.x. I'll keep working on this.
- Cory_50405
  Noctilucent
  Jun 11, 2014
  Is the iRule logging the rejection messages to /var/log/ltm from the two IP addresses you have specified that should be permitted?
Terry_Schmidt_1
Nimbostratus
Jun 11, 2014
Thanks Cory, but I think we have solved this by using this code:

when CLIENT_ACCEPTED { if { not ( [class match [IP::client_addr] equals rtp_allow] ) } { reject } }

This has a Data Group (rtp_allow) with the two IP address in it that are to be allowed. In testing we were able to include my IP address in this Data Group and I was able to access the internal web server page and when my IP address gets removed from the Data Group the web page is not available.
- Cory_50405
  Noctilucent
  Jun 11, 2014
  That's a good scaling solution if you want to add more addresses to it moving forward. Glad to hear you got it working.

Forum Discussion

access control iRule

20 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

iRule causing requests to be duplicated (sometimes)

Cisco TACACS+ Config on ISE LTM Pair

Related Content

Overview of API Access Control and implementing API key access control with BIG-IP APM

API Security: How to implement API Access Control with F5

iControl REST Fine-Grained Role Based Access Control

Privileged Access in Action: Technical Controls for Real-World Environments

Mitigating OWASP Web Application Risk: Broken Access Control using BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS