Forum Discussion
Blocking X-Forwarded-For IP Address
Can anyone let me know the best way to block an X-Forwarded-For IP address in F5? I have around 1000 VS configured and also ASM enabled on all the VS. The original source IP has already been blocked in our gateway routers and our firewall, but it is still not blocked for the hackers. This is because our sites are hosted under Prolexic, and when any user accesses our website, the Prolexic proxy IP address is the source when it hits our firewall. The original source IP address is inserted in the X-Forwarded-For header, so they are not getting blocked in our router and firewall.
4 Replies
- nitass
Employee
e.g.

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.111:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 2
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group internal blacklist_ip
ltm data-group internal blacklist_ip {
    records {
        172.28.20.0/24 { }
    }
    type ip
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
when HTTP_REQUEST {
    # a client may send more than one X-Forwarded-For header; visit every instance
    foreach axff [HTTP::header values X-Forwarded-For] {
        log local0. "axff is $axff"
        # strip spaces, then split the comma-separated hop list
        foreach anip [split [string map {" " ""} $axff] ","] {
            log local0. "anip is $anip"
            # reject as soon as any hop falls inside the blacklist_ip data group
            if { [class match -- $anip equals blacklist_ip] } {
                log local0. "$anip is rejected"
                reject
                return
            }
        }
    }
}
}

client

[root@centos17 ~] curl -i http://172.28.20.111 -H "X-Forwarded-For: 1.1.1.1" -H "X-Forwarded-For: 172.28.20.17, 2.2.2.2.2"
curl: (52) Empty reply from server
[root@centos17 ~]

/var/log/ltm

[root@ve11a:Active:Changes Pending] config tail -f /var/log/ltm
Jul 31 17:09:32 ve11a info tmm1[11073]: Rule /Common/myrule : axff is 1.1.1.1
Jul 31 17:09:32 ve11a info tmm1[11073]: Rule /Common/myrule : anip is 1.1.1.1
Jul 31 17:09:32 ve11a info tmm1[11073]: Rule /Common/myrule : axff is 172.28.20.17, 2.2.2.2.2
Jul 31 17:09:32 ve11a info tmm1[11073]: Rule /Common/myrule : anip is 172.28.20.17
Jul 31 17:09:32 ve11a info tmm1[11073]: Rule /Common/myrule : 172.28.20.17 is rejected
- Peru_130741
Nimbostratus
Thx a lot Nitass. Is an iRule the only way to get it blocked in our F5? Can't we do it in ASM?
- nitass
Employee
"Is an iRule the only way to get it blocked in our F5? Can't we do it in ASM?"
I am not very familiar with ASM, but I think an iRule is easier and more effective (in this case).
- Peru_130741
Nimbostratus
Ah okay.. cool.. thx a lot for your quick reply on this.
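The hop-parsing and blocklist logic from nitass's iRule, reworked as a stand-alone Python example added here (it is not code from the thread or from F5). It flattens every X-Forwarded-For header instance the way the iRule does, checks each hop against a CIDR blocklist, and skips malformed entries such as the 2.2.2.2.2 sent in the curl test. It also adds the check the thread does not spell out: only the rightmost hop, the one the proxy appended, is reliably the real client, and the header is only worth reading when the TCP peer is the proxy itself. The blocklist mirrors the 172.28.20.0/24 data group from the reply; the trusted-proxy range 203.0.113.0/24 is a constructed placeholder for the real Prolexic address space.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed blocklist; 172.28.20.0/24 mirrors the blacklist_ip data group in the reply.
BLACKLIST = [ipaddress.ip_network("172.28.20.0/24")]

# Constructed placeholder (documentation prefix) for the upstream proxy's egress range.
# In production this would be the real proxy's (Prolexic's) address space.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_xff(header_values: Iterable[str]) -> List[str]:
    """Flatten one or more X-Forwarded-For header instances into an ordered hop list.

    Same handling as the iRule: every header instance is visited (a client can send
    the header twice), spaces are stripped, and each value is split on commas.
    """
    hops: List[str] = []
    for value in header_values:
        for token in value.replace(" ", "").split(","):
            if token:
                hops.append(token)
    return hops


def in_any(addr, networks) -> bool:
    """True if addr lies in any of the given networks (mixed IP versions never match)."""
    return any(addr in net for net in networks)


def first_blocked_hop(hops: List[str], blacklist=BLACKLIST) -> Optional[str]:
    """Return the first hop inside a blocked network, or None.

    Malformed entries (the reply's test sends '2.2.2.2.2') are skipped rather than
    matched or raised on, so garbage in the header cannot break the check.
    """
    for hop in hops:
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue
        if in_any(addr, blacklist):
            return hop
    return None


def proxy_appended_client(hops: List[str], peer_ip: str, trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Return the hop the trusted proxy appended, or None if the header cannot be trusted.

    Everything left of the rightmost hop was already in the header when the proxy saw
    the request, so it is client-supplied. Only when the TCP peer is the proxy itself
    is the rightmost entry the address the proxy actually observed.
    """
    if not hops or not in_any(ipaddress.ip_address(peer_ip), trusted):
        return None
    return hops[-1]


def decide(header_values: Iterable[str], peer_ip: str) -> str:
    """Decision for one request: 'reject:<hop>' or 'allow'.

    When the TCP peer is the trusted proxy, the XFF hops are evaluated as in the
    iRule. When it is not (the proxy was bypassed), the header is client-supplied
    and ignored; only the peer address itself is checked against the blocklist.
    """
    peer = ipaddress.ip_address(peer_ip)
    candidates = parse_xff(header_values) if in_any(peer, TRUSTED_PROXIES) else []
    candidates.append(peer_ip)
    blocked = first_blocked_hop(candidates)
    return f"reject:{blocked}" if blocked else "allow"


if __name__ == "__main__":
    # Replays the reply's curl test as if it had arrived from the trusted proxy.
    headers = ["1.1.1.1", "172.28.20.17, 2.2.2.2.2"]
    print(decide(headers, "203.0.113.9"))  # reject:172.28.20.17
```

The any-hop match in `first_blocked_hop` is what the iRule does and is sufficient for the thread's goal, because the proxy always appends the true client address as the last hop; `decide` only adds that the header is ignored entirely when the request did not come through the proxy.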