Blocking multiple IPs with iRules
Hi,
I am trying to block multiple IPs with iRules but am unable to do so.
Currently I am using the command below, but every time there is a new IP, I need to create an iRule for it & bind it to the virtual server.

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 1.1.1.1/32] } {
            log local0. "Blocking [IP::client_addr]"
            reject
        }
    }

Is there a way to create a group where all IP addresses can be added & automatically blocked? Or what is the best way of doing so? Probably a nested if statement.
Thanks for the help. Chadi
- solaikumar_1217 (Nimbostratus)
You can utilize the data group option for grouping multiple resources.
iRule:

    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals IPGROUP] } {
            reject
        }
    }

Procedure to create the data group:
1) Main -> iRules -> Data Group List
2) Click Create and type any name which will be used to call it in the iRule; in our case IPGROUP.
3) Choose the type as Address.
4) Enter the address with mask in the address text box, e.g. 10.0.0.0/8, and click Add.
5) Then Update to save the config.
Finally you can associate this iRule with the desired VS.
Note: the drop action won't send a reset to the client, whereas the reject action sends it.
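An added helper for the data group approach above, written for this thread and not part of the post or of F5's tooling: it normalizes a raw block list into the /32 and CIDR entries an address data group stores, flags malformed lines, and simulates what `class match [IP::client_addr] equals IPGROUP` would decide for a given client, so the list can be checked before it is loaded. The tmsh command text it emits is an assumption and should be verified against your version's tmsh reference.

```python
import ipaddress

# Constructed sample block list, as an admin might paste it: bare hosts,
# CIDR networks, a duplicate, an overlapping subnet and one malformed line.
RAW_BLOCKLIST = """
1.1.1.1
1.1.1.1/32
10.0.0.0/8
10.20.0.0/16
203.0.113.7
not-an-ip
"""


def normalize_blocklist(raw):
    """Turn free-form lines into a deduplicated, collapsed list of networks.

    Bare hosts become /32 (or /128) entries, which is how an address data
    group stores them; subnets already covered by a larger entry
    (10.20.0.0/16 inside 10.0.0.0/8) are folded in. Malformed lines are
    returned separately rather than silently dropped.
    """
    nets, bad = [], []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append(line)
    # collapse_addresses only accepts one address family at a time.
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    collapsed = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return collapsed, bad


def would_reject(client_ip, nets):
    """Mirror the iRule's decision: reject if the client falls in any entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in nets)


def tmsh_records(name, nets):
    """Assumed tmsh form for building the same address data group from the CLI."""
    records = " ".join(f"{n.with_prefixlen} {{ }}" for n in nets)
    return f"create ltm data-group internal {name} type ip records add {{ {records} }}"
```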
- Tzoori_Tamam_95 (Historic F5 Account)
You need to use Data Groups (see here)
It might be better to use Session Tracking in your ASM policy, and specify the addresses you want to block.
- Michael_Everet1 (Historic F5 Account)
Hi Chadi. The rule above is static and will block all traffic from the IP defined. To dynamically build a blacklist, you should look at the table commands for creating a sub table and adding/removing entries. Also, you will want to define more criteria for adding to the list. See this rate limiting example for a look at a similar solution: https://devcentral.f5.com/s/feed/0D51T00006i7Q28SAE Also, you may want to consider looking at AFM w/ an IP Intelligence policy. This will give you the capability to filter based on IP reputation and/or consume feed lists of blacklisted IPs without managing them in an iRule.
- ChadiABN_250580 (Nimbostratus)
Thanks folks for the quick replies. I have managed to create a data group, add those IP addresses, create an iRule for it & associate it with the VS.
However, when trying to access the data group again to add more IP addresses, I am receiving a "No Access" message.
Any ideas on what might have gone wrong?
Thanks, Chadi
- ChadiABN_250580 (Nimbostratus)
Hi again,
Never mind, I just found out that this is a bug with v11.5.3.
Thanks, Chadi