Forum Discussion
Allow specific list of IP addresses to connect to VIP
Hi,
I have a BIG-IP LTM 3900 (no ASM) for load balancing.
I want to allow only specific IP addresses (from different ranges) to connect to this VIP.
e.g. a list of IPs (10.10.10.1, 192.168.1.2, 172.16.1.1) should be allowed to access VIP 172.30.1.1
other users (10.0.0.0/8, 192.168.1.0/24, 172.16.0.0/16) should not be allowed to access the VIP
How can I achieve this?
I have searched and found that some people are using iRules (I am new to iRules). If I configure an iRule for 900 IP addresses to be allowed, does it affect BIG-IP performance?
thankssssssssssssssssssssssssssssssssss
13 Replies
- What_Lies_Bene1
Cirrostratus
This shouldn't be too hard with an iRule and a Data Group. Would it not be better to just deny the RFC1918 addresses? Are there really 900 individual addresses or would using network ranges reduce the number?
- al_kabeer_2905
Nimbostratus
I have different remote sites; not all IP addresses are allowed to access the VIP.
e.g. remote site 10.10.10.0/24
only 10.10.10.100, 10.10.10.102, 10.10.10.150 are allowed to access
another subnet, 10.10.20.0/24, also has some IPs allowed to access; another subnet 10.10.30.0/24; and another 100 sites
All of these subnets can access the VIP; only 900 IP addresses should be allowed to access the login page VIP, which is an internal HTTP site. The other users should not see the login page.
RFC 1918 will not help in this case because different IP addresses from the same subnet are allowed and others are not allowed.
I am new to iRules so please help with this
thanks
- What_Lies_Bene1
Cirrostratus
OK, so you'll need to create a Data Group containing all the subnets. As this would take an age in the CLI I'd recommend you use tmsh, and obviously supernet where you can:
tmsh create ltm data-group internal name type ip records add { 10.10.10.0/24 { } 10.10.11.0/24 { } another/24 { } ... }
- What_Lies_Bene1
Cirrostratus
Then use an iRule to reference the Data Group and reject traffic not in the group (or you could use 'drop' to silently drop it):
when CLIENT_ACCEPTED {
    if { not [class match [IP::client_addr] equals some-dg] } {
        reject
    }
}
- al_kabeer_2905
Nimbostratus
thanks,
As I understand it, I will do the following:
1) tmsh create ltm data-group internal name type ip records add { 10.10.10.1 { } 19.10.10.2 { } 10.10.10.3 { } 10.10.10.10 { } 172.16.1.1 { } }
2) when CLIENT_ACCEPTED {
    if { not [class match [IP::client_addr] equals some-dg] } {
        reject
    }
}
but I did not find any relation between the data group and the code (where does the code point to the data group???)
After I finish the iRule I should apply it to the VIP, right?
Does it affect the performance of the LTM, since other services are running on it?
thanks
- What_Lies_Bene1
Cirrostratus
1) Yes, this Data Group will contain the IP addresses and/or networks (with /xx prefix) you want to ALLOW; 'name' is the name you give the DG.
2) I've used the DG name 'some-dg' but this should be changed to whatever name you use in 1).
Apologies, it wasn't too clear.
Yes, you then apply the iRule to the Virtual Server. Existing (and new but persisted) connections will not be affected, only new ones.
A simple iRule like this should have virtually zero performance impact.
- al_kabeer_2905
Nimbostratus
Hi Steve,
I managed to create the DG (name some-dg) using the GUI (simple task :):))
When I implemented the iRule I got:
line 2: [parse error: PARSE missingBracket 33 {missing close-bracket}] [{ not [class match [IP::addr [IP::client_addr] equals some-dg] }]
when CLIENT_ACCEPTED {
if { not [class match [IP::addr [IP::client_addr] equals some-dg] } {
reject }
}
- al_kabeer_2905
Nimbostratus
Hi Steve, I managed to make it work :):):) thanks
I have another question:
The action is drop; if I want to redirect the page to another one like "your system has blocked you from accessing", how can I achieve this?
thanks
- What_Lies_Bene1
Cirrostratus
Great, you're welcome.
If you want to redirect you could replace the 'reject' command with HTTP::redirect "http://...." but you will then have to change the event from when CLIENT_ACCEPTED to when HTTP_REQUEST.
Or, you could send a simple page from the F5 like so:
HTTP::respond 200 content "some message here" noserver Content-Type "text/html" Connection "Close"
Again, you'll need to change the event.
- al_kabeer_2905
Nimbostratus
thankssssssssssssssssssss steve
It works for me :):)
I want to check the CPU and memory consumption for 900 IPs and I will let you know.
Is there any other way I can do this (other than an iRule)? I have seen some sites talking about packet filters and other solutions.
again thanksssssssssssssssssssss
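For reference, here is a complete version of the allowlist iRule the replies above build up, written as an added example: it is not code from this thread or from F5 documentation. It assumes an address-type data group named vip_allowlist, a virtual server named vs_login with an HTTP profile, and an iRule object named vip_allowlist_rule; those names and the sample records are assumptions. It does the data-group lookup once per TCP connection in CLIENT_ACCEPTED and serves the "blocked" page from HTTP_REQUEST, which combines the two variants described above (reject early, or answer with a page):

```tcl
# Added example (not from the thread or F5 documentation).
# Assumed objects (change the names to match your configuration):
#   - an address-type data group "vip_allowlist" holding the ALLOWED hosts
#     and networks, e.g. created with
#       tmsh create ltm data-group internal vip_allowlist type ip \
#           records add { 10.10.10.100 { } 10.10.10.102 { } 10.10.20.0/24 { } }
#   - a virtual server with an HTTP profile (HTTP_REQUEST only fires with one),
#     attached with: tmsh modify ltm virtual vs_login rules { vip_allowlist_rule }

when CLIENT_ACCEPTED {
    # One lookup per TCP connection, not per HTTP request.
    # For address-type data groups "equals" matches both host entries and
    # CIDR entries (subnet containment), so a /24 record covers its whole range.
    if { [class match [IP::client_addr] equals vip_allowlist] } {
        set allowed 1
    } else {
        set allowed 0
        # Audit trail for denied sources; keep it short, it is written per connection.
        log local0. "vip_allowlist: denied [IP::client_addr] -> [IP::local_addr]:[TCP::local_port]"
    }
}

when HTTP_REQUEST {
    if { $allowed } {
        # Allowed client: let the request through to the pool.
        return
    }
    # Serve the block page from the BIG-IP itself. "noserver" suppresses the
    # default Server header, 403 states honestly that the client was refused,
    # and Connection: close stops the client reusing this connection.
    HTTP::respond 403 content "<html><body><h1>Access denied</h1><p>Your system has been blocked from accessing this site.</p></body></html>" noserver "Content-Type" "text/html" "Connection" "close"
}
```

Two caveats a practitioner should check before relying on this. First, HTTP_REQUEST only fires on a virtual server with an HTTP profile; for a non-HTTP VIP, put `reject` (or `drop`) in the else branch of CLIENT_ACCEPTED instead and drop the HTTP_REQUEST event. Second, IP::client_addr is the source address the BIG-IP sees, so if a proxy or SNAT device sits between the clients and the VIP, every client will appear to come from that device's address and the allowlist will either admit or block all of them together. On performance: the lookup against an address-type data group is subnet-aware rather than a linear scan of the records, and it runs once per connection here, so 900 entries are not expected to cost noticeably more than a handful.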