Forum Discussion
David_Peters_19
Nimbostratus
NimbostratusCreating a TCP .net iRule to reject IP
Hello All,
I am tring to block IPs that are not on a "White List" and log the rejections.
Because this is an application using .net and TCP I can not use the HTTP profile. I have tried to modify code that i found on this site and
can not find any other information on this. Could some point me in the correct direction.
I have included what I am trying to do.
Blocks all ip requests that are not on the data group list "IPs", and logs rejects
when Client_Access {
if {[matchclass [IP::client_addr] equals $::IPsTest]}{
} else {
log local0.info "WirelessCDL: Client Rejected IP:[IP::client_addr]"
discard
}
}
Thanks,
David
4 Replies
naladar_65658Altostratus
You might try giving this a shot:when CLIENT_ACCEPTED { if {not ([IP::addr [IP::client_addr] equals $::IPsTest]) } { log local0.info "WirelessCDL: Client Rejected IP:[IP::client_addr]" discard } }- Chris_MillerWhat version are you using? If you're using a newer version of 10.x, this will be the best way to do it.
when CLIENT_ACCEPTED { if { !( [class match [IP::client_addr] eq IPsTest] )} { discard log local0. "WirelessCDL: Client Rejected:[IP::client_addr]" } }
If you're on an older version:when CLIENT_ACCEPTED { if { !( [matchclass [IP::client_addr] eq $::IPsTest] )} { discard log local0. "WirelessCDL: Client Rejected:[IP::client_addr]" } }
Using $:: disables CMP but I can't recall whether you can reference DGs without "class match" - Chris_MillerPosted By naladar on 08/13/2010 06:46 AM You might try giving this a shot:
You have to use matchclass or class match to reference a datagroup, right?when CLIENT_ACCEPTED { if {not ([IP::addr [IP::client_addr] equals $::IPsTest]) } { log local0.info "WirelessCDL: Client Rejected IP:[IP::client_addr]" discard } } 
David_Peters_19Chris, Thanks
Thanks also naladar.
I am still on 9.4.7. This seems to work with the demo laptop that I have.
David
