Forum Discussion

ChadiABN_250580
Feb 21, 2016

Blocking multiple IPs with iRules

Hi,

I am trying to block multiple IPs with iRules but am unable to do so.

Currently I am using the command below, but every time there is a new IP, I need to create an iRule for it & bind it to the virtual server.

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 1.1.1.1/32] } {
        log local0. "Blocking [IP::client_addr]"
        reject
    }
}

Is there a way to create a group where all IP addresses can be added & automatically blocked? Or what is the best way of doing so? Probably a nested if statement.

Thanks for the help. Chadi

  • Hi again,

    Never mind, I just found out that this is a bug with v11.5.3.

    Thanks, Chadi

  • Thanks folks for the quick replies. I have managed to create a data group, add those IP addresses, create an iRule for it & associate it with the VS.

    However, when trying to access the data group again to add more IP addresses, I am receiving a "No Access" message.

    Any ideas on what might have gone wrong?

    Thanks, Chadi

  • Michael_Everet1
    Historic F5 Account

    Hi Chadi. The rule above is static and will block all traffic from the IP defined. To dynamically build a blacklist, you should look at the table commands for creating a sub table and adding/removing entries. Also, you will want to define more criteria for adding to the list. See this rate limiting example for a look at a similar solution: https://devcentral.f5.com/s/feed/0D51T00006i7Q28SAE

    Also, you may want to consider looking at AFM w/ an IP Intelligence policy. This will give you the capability to filter based on IP reputation and/or consume feed lists of blacklisted IPs without managing them in an iRule.
  • You can utilize the data group option for grouping multiple resources.

    iRule

    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals IPGROUP] } {
            reject
        }
    }

    Procedure to create the data group:
    1) Main -> iRule -> Data group list
    2) Click Create and type any name, which will be used to call it in the iRule; in our case IPGROUP.
    3) Choose the type as Address.
    4) Enter the address with mask in the address text box, e.g. 10.0.0.0/8, and click Add.
    5) Then click Update to save the config.

    Finally you can associate this iRule with the desired VS.

    Note: the drop action won't send a reset to the client, whereas the reject action does.
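As an added example (not code from the thread or from F5), here is one iRule that combines the two answers above: it matches the client address against an address-type data group and uses the optional value field of the matching record to choose between a silent drop and a reject that sends a reset. It assumes a data group named IPGROUP whose records carry the value "drop" or "reject"; records with no value fall back to reject.

```tcl
# Added example: block clients listed in an address data group, with the
# per-record value selecting the action. Assumed data group: IPGROUP
# (type Address), e.g. records 10.0.0.0/8 -> "drop", 192.0.2.0/24 -> "reject".
when RULE_INIT {
    # Action used when a matching record has no value set
    set static::blocklist_default_action "reject"
}

when CLIENT_ACCEPTED {
    # class match returns 1 when the client IP falls inside any record's prefix
    if { [class match [IP::client_addr] equals IPGROUP] } {
        # -value returns the matched record's value, or "" if it has none
        set action [class match -value [IP::client_addr] equals IPGROUP]
        if { $action eq "" } {
            set action $static::blocklist_default_action
        }
        log local0. "Blocklist hit: [IP::client_addr] -> $action"
        if { $action eq "drop" } {
            # Silently discard; the client sees no reset
            drop
        } else {
            # Tear down the connection and send a reset to the client
            reject
        }
    }
}
```

New addresses are then added as data group records (with an optional value) rather than by editing the iRule, so the rule stays bound to the virtual server unchanged.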