Conditional logic based on source IP

Question

Hi guys, 
&nbsp;  
&nbsp; We'd like to implement an iRule that triggers on the presence of two or three specific strings in the URI.  When any of the strings are found, we next want to check the source IP.  If the IPs are part of a data group, then we want to allow the traffic to reach the site.  All other IPs should be dropped. 
&nbsp;  
&nbsp; Any idea if this is possible? 
&nbsp;  
&nbsp; Thanks in advance guys, 
&nbsp; B

nicolas_menant · Answer

Hi, 
  
 This is possible with something like this

when HTTP_REQUEST { 
    if {[HTTP::uri] starts_with "/appli1" } { 
        if {[matchclass [IP::addr [IP::client_addr]/16] equals $::autorized_IPs]} { 
                     pool web_pool 
       } else { 
           reject 
      } 
 }

Here are the links that may help you: 
  
 Click here 
 Click here 
 Click here 
  
 HTH 
  
 N.

brian_mayer_841 · Answer

Sounds good.  I'll drop this in today and let you know how it goes.  Thanks!

brian_mayer_841 · Answer

So I've created an iRule but it's not quite working.  Here's it is: 
&nbsp;  
&nbsp; when HTTP_REQUEST {  
&nbsp;     if {[matchclass [HTTP::uri] contains $::cm2prod_filtered_URI] and (not [matchclass [IP::client_addr] eq $::corporate_external_net])}{ 
&nbsp;       discard 
&nbsp;       }   
&nbsp;  } 
&nbsp;  
&nbsp; I've got a data group that contains a list of several line items.  If any of the strings appears in the URI and the source IP is not the corporate network, then the traffic should be dropped. 
&nbsp;  
&nbsp; Here's the data group for the URI strings to match: 
&nbsp;  
&nbsp;                 /init/ 
&nbsp;                 /msg/ 
&nbsp;                 /debs/ 
&nbsp;                 /amsg/ 
&nbsp;                 /web/ 
&nbsp;                 /catalogAdmin/ 
&nbsp;                 /visualModeler/ 
&nbsp;                 /attributeMgr/ 
&nbsp;                 /productMgr/ 
&nbsp;                 /pricingMgr/ 
&nbsp;                 /enterpriseMgr/ 
&nbsp;                 /tokenIF/ 
&nbsp;                 /customerSegmentation/ 
&nbsp;  
&nbsp; The data group for the network addresses is a simple list of our external corporate firewall IPs. 
&nbsp;  
&nbsp; Any idea why this isn't working and how to troubleshoot? 
&nbsp;  
&nbsp; Thanks! 
&nbsp; B

brian_mayer_841 · Answer

Bump, any help guys?

the_bhattman · Answer

Haven't test this, but have you tried:

when HTTP_REQUEST {  
        if {([matchclass [HTTP::uri] contains $::cm2prod_filtered_URI]) and (not [matchclass [IP::client_addr] eq $::corporate_external_net])} { discard }  
 }

or 
  
 when HTTP_REQUEST {  
 if {([matchclass [HTTP::uri] contains $::cm2prod_filtered_URI]) and (![matchclass [IP::client_addr] equals $::corporate_external_net])}{ discard } 
 }

or

when HTTP_REQUEST {  
        if {[matchclass [HTTP::uri] contains $::cm2prod_filtered_URI] and (not [matchclass [IP::client_addr] equals $::corporate_external_net])} { discard }  
 } 
  
 or 
  
 when HTTP_REQUEST {  
        if {([matchclass [HTTP::uri] contains $::cm2prod_filtered_URI]) and (not [matchclass [IP::client_addr] equals $::corporate_external_net])} { discard }  
 }

Hope this helps 
 CB

Forum Discussion

Conditional logic based on source IP

Recent Discussions

XC Bot defense question

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

NetScaler to F5 Migration

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

F5 Distributed Cloud - Listener Logic

Conditional XOR operations

F5 Distributed Cloud - Service Policy - Header Matching Logic & Processing

vCMP logical interfaces throughput

Conditioning iRule Logic on External Information - #01 - HTTP::retry

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS