Forum Discussion
coreyva
Nimbostratus
Nimbostratusdata group not matching
I'm writing an irule to deny logins from external users. I've tried to define a datagroup that contains allowed subnets, but have not been able to get it to match to an incoming address. See below.
class UserDataGroup {
{
network 10.9.0.0/13
network 10.16.0.0/13
}
}
when CLIENT_ACCEPTED {
set debug "1"
if {$debug} {log local0. "Client IP address is: [IP::remote_addr]"}
Check if client IP is not in the UserDataGroup
if { [matchclass [IP::remote_addr] equals $::UserDataGroup] }{
log local0. "Client is in UserDataGroup1"
Prevent the HTTP_REQUEST event from firing if user is from local network
event HTTP_REQUEST disable
}
else {log local0. "Client is in NOT UserDataGroup"}
}
when HTTP_REQUEST {
switch -glob [HTTP::uri] {
"/login.aspx" -
"/foo/login.aspx" -
"/bar/login.aspx" {
Reject login info from non local sites
HTTP::respond 403 content "Logins only allowed from local networks.\r\n"
}
}
}
Apr 1 14:12:52 local/tmm info tmm[4711]: Rule LocalOnly : Client IP address is: 10.10.17.153
Apr 1 14:12:52 local/tmm info tmm[4711]: Rule LocalOnly : Client is in NOT UserDataGroup
If I change my rule to this it works fine
if { [IP::addr [IP::remote_addr] equals 10.9.0.0/12] }{
log local0. "Client is in UserDataGroup1"
Prevent the HTTP_REQUEST event from firing if user is from local network
event HTTP_REQUEST disable
}
elseif { [IP::addr [IP::remote_addr] equals 10.16.0.0/13] }{
log local0. "Client is in UserDataGroup2"
Any idea what I'm doing wrong?
coreyvaOops, bad CIDR. It should have been. It works now.
class UserDataGroup {
{
network 10.8.0.0/13
network 10.16.0.0/13
}
}
hooleylistCirrostratus
Which LTM version are you running? For 9.4.4+ you should remove the $:: prefix from the datagroup name references in the iRule. If you're on v10, you could also change matchclass to 'class match' to improve the efficiency of the iRule:
http://devcentral.f5.com/wiki/default.aspx/iRules/class
Also, if you're using IIS, you should set the URI to lowercase in the switch statement. You could also check HTTP::path instead of HTTP::uri. This would catch someone using a URI like /login.aspx? or /login.aspx?ignore=this to bypass your logic.
switch -glob [string tolower [HTTP::path]] {
Aaron- coreyvaThanks. I did note the change to "class match" shortly after my initial post. I appreciate the you mentioning HTTP::path. I'll implement it as well as the lowercase.
- coreyvaHere is what I ended up with.
when CLIENT_ACCEPTED {
set DEBUG "0"
if { $DEBUG } {log local0. "Client IP address is: [IP::remote_addr]"}
Check if client IP is not in the UserDataGroup
if { [class match [IP::remote_addr] equals "UserDataGroup"] }{
if { $DEBUG } {log local0. "Client is in UserDataGroup"}
Prevent the HTTP_REQUEST event from firing if user is local
event HTTP_REQUEST disable
}
elseif { $DEBUG } {log local0. "Client is in NOT UserDataGroup"}
}
when HTTP_REQUEST {
switch -glob [string tolower HTTP::path] {
"/login.aspx" -
"/foo/login.aspx" -
"/bar/login.aspx" {
Reject login info from non sites
HTTP::respond 403 content "Logins only allowed from networks.\r\n"
}
}
} - hooleylistThat looks good. One small correction: you're missing the square braces around HTTP::path:
switch -glob [string tolower [HTTP::path]] {
Also be aware that it's really simple to bypass URI based checks like that on IIS:
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/30900/showtab/groupforums/Default.aspx31324
Aaron - coreyvaI've corrected it the brackets. Thanks for the info on IIS.