Forum Discussion
Block Source IP using a blocklist hosted on a webserver
Hi,
This list can be uploaded as an iFile. You can also do a lookup using sideband connections in iRules.
Here is a small proof of concept.
    when HTTP_REQUEST {
        # Read the whole iFile named "domains" into a variable
        set file [ifile get domains]
        # Logging the entire file content is for the proof of concept only
        log local0. "$file"
        set domain "amazon.co.uk.security-check.ga"
        # Substring match: succeeds if the domain appears anywhere in the file
        if { [string match "*$domain*" $file] } {
            log local0. "succeeded"
            HTTP::respond 200 content "ok"
        } else {
            log local0. "failed"
        }
    }
Note: you should test performance impact, memory consumption and so on before switching something like this on in production.
- First of all, I'm not an expert but just wanna help if I can. :-)
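Building on the proof of concept above, here is an added example (not code from the original post) that applies the same iFile idea to the thread's actual goal, blocking by source IP. The iFile name "blocklist_ips" and the one-address-per-line format are assumptions; the list is parsed once at load time and matched exactly, because a substring match like [string match "*$x*"] would also match 10.1.2.30 when the list only contains 10.1.2.3.

```tcl
# Added example, not from the original post. Assumes an iFile named
# "blocklist_ips" containing one IPv4/IPv6 address per line; blank lines
# and lines starting with "#" are ignored.
when RULE_INIT {
    # Parse the iFile once into a static array so the per-connection path
    # does an O(1) exact lookup instead of re-reading and scanning the file.
    # The iRule must be reloaded (re-saved) after the iFile is updated.
    array unset static::blocked
    set count 0
    foreach line [split [ifile get blocklist_ips] "\n"] {
        set ip [string trim $line]
        if { $ip eq "" || [string index $ip 0] eq "#" } { continue }
        set static::blocked($ip) 1
        incr count
    }
    log local0. "Loaded $count blocked source addresses from blocklist_ips"
}

when CLIENT_ACCEPTED {
    # Exact match on the client address; no wildcards, so 10.1.2.3 in the
    # list does not also block 10.1.2.30.
    set client [IP::client_addr]
    if { [info exists static::blocked($client)] } {
        log local0. "Rejected connection from blocked source $client"
        reject
    }
}
```

Because the list is loaded in RULE_INIT, a large blocklist costs memory on every TMM rather than per connection, which is the kind of consumption the note above says to measure before production use.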
- al_kabeer_2905, Jun 13, 2011
Nimbostratus
Hi and thanks for the reply, - SNAT is literally Source-NAT. Basically it's telling the VS to act as a proxy, so the backend (pool members) sees the IP connection coming from one of the BIG-IP's addresses (Automap will use the floating self-IP of the interface that routes to the pool members).
- al_kabeer_2905, Jun 13, 2011
Nimbostratus
When I put the SNAT to none, the virtual server is not working - About 5 items below the SNAT option when configuring the Virtual Server, there are separate options for 'Address Translation' and 'Port Translation'. Select both. Then make sure the default gateway back to the client IP is via the F5 floating self-IP address that directly connects to the pool members. (I suspect that's already done, unless you were running the pool members in a kind of n-path configuration.)
I think it's more likely that the only thing wrong is your pool members are routing back directly to the client via a separate router, since it looks like you're running the F5 single-armed (sorry, can't see your picture, so no network diagram to verify)...
- al_kabeer_2905, Jun 14, 2011
Nimbostratus
Hi, in the attachment there is a full diagram of what I am discussing - As Nitass and Hamish have suggested, if you have the default gateway on 192.168.1.1 and 192.168.1.2 set to the LTM self IP on the 192.168.1.0/24 subnet, you can set SNAT on the virtual server to none and the servers will see the original client IP address. As Hamish said, make sure to leave (destination) address and (destination) port translation enabled in the virtual server properties.
- al_kabeer_2905, Jun 15, 2011
Nimbostratus
Thanks Boss for your reply, I will try it and give my feedback
- al_kabeer_2905, Jun 19, 2011
Nimbostratus
I have tried it; I can't remote desktop or access the HTTP servers now, since I changed the default gateway to the IP of the BIG-IP instead of the core switch.