Forum Discussion
Kevin_Nail
Feb 09, 2011 (Nimbostratus)
Datagroup and class match
Been scouring through the docs and can't find any good resource that addresses my question. Please help.
I am tasked with creating an iRule that will check incoming packets for the client_ip and compare them against a list of IPs to block with exceptions
I am using version 10.2 and have an iRule started:
when HTTP_REQUEST {
    # Check if the client IP is a member of the exception list
    log local0.debug "IRule has been triggered"
    if { [class match [IP::client_addr] equals ip_exception] } {
        # Client IP matched the class, so allow it
        log local0.debug "[IP::client_addr] Your IP was approved via the exception list"
    } else {
        log local0.debug "[IP::client_addr] Your IP was NOT approved via the exception list"
        drop
    }
}
I'm working on a bigger picture, trying to get the smaller pieces working.
I have a datagroup defined as an external class in /var/class named ip_exception.
The problem is I cannot tell if it is being accessed at all; the last statement in my iRule always shows up.
Next problem is that I don't know how to add data to the external class list from the command line. The help section is very confusing.
So can you look at my iRule and let me know if in its simplicity it looks ok?
Can you tell me how to add IPs (data) to the exception list from the command line?
Many thanks,
Kevin
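An added example, not code from this thread or from F5, for the command-line part of the question: a small POSIX shell helper that validates an address, appends it to the external class file as a host or network entry without creating duplicates, and removes it again. Everything about the unit is an assumption here: the file path (/var/class/ip_exception.class), and the line format "host A.B.C.D," / "network A.B.C.D mask M.M.M.M," with the trailing comma, which is the 10.x external address class format as I recall it. Compare both with an existing class file on your box before using this.

```sh
#!/bin/sh
# Added example, not code from the thread. Maintains an external address
# class file of the kind the question describes (/var/class/ip_exception).
#
# Assumptions, so check them against your unit before use:
#   - one entry per line in the 10.x external address class format,
#     "host A.B.C.D," or "network A.B.C.D mask M.M.M.M," (trailing comma);
#   - the class object already exists, points at this file, and the
#     configuration is reloaded after the file changes.

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    addr=$1
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# class_entry ADDR [MASK]: print the class-file line for ADDR (host) or
# ADDR/MASK (network). Fails on a malformed address or mask.
class_entry() {
    valid_ipv4 "$1" || { echo "invalid address: $1" >&2; return 1; }
    if [ -n "$2" ]; then
        valid_ipv4 "$2" || { echo "invalid mask: $2" >&2; return 1; }
        printf 'network %s mask %s,\n' "$1" "$2"
    else
        printf 'host %s,\n' "$1"
    fi
}

# add_class_entry FILE ADDR [MASK]: append the entry unless already there.
# Returns 0 when added, 2 when already present, 1 on bad input.
add_class_entry() {
    file=$1
    entry=$(class_entry "$2" "$3") || return 1
    [ -f "$file" ] || : > "$file"
    grep -F -q -x -- "$entry" "$file" && return 2
    # Build the new file beside the old one and rename it into place, so an
    # interrupted edit never leaves a truncated class file for the reload.
    tmp="$file.tmp.$$"
    { cat "$file"; printf '%s\n' "$entry"; } > "$tmp" && mv -- "$tmp" "$file"
}

# remove_class_entry FILE ADDR [MASK]: drop the matching line if present.
# Returns 0 when removed, 2 when it was not there, 1 on bad input.
remove_class_entry() {
    file=$1
    entry=$(class_entry "$2" "$3") || return 1
    [ -f "$file" ] || return 2
    grep -F -q -x -- "$entry" "$file" || return 2
    tmp="$file.tmp.$$"
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -F -v -x -- "$entry" "$file" > "$tmp" || [ $? -eq 1 ]
    mv -- "$tmp" "$file"
}

# Usage, e.g. after copying this to the unit:
#   add_class_entry /var/class/ip_exception.class 10.1.1.5
#   add_class_entry /var/class/ip_exception.class 192.168.10.0 255.255.255.0
#   remove_class_entry /var/class/ip_exception.class 10.1.1.5
```

The file is only read when the class definition is loaded, so a new line does nothing for class match until the configuration is reloaded (on 10.x that is normally a b load); the exact reload step, like the line format, is something to confirm on your own unit rather than take from this example.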
- Chris_Miller (Altostratus)
Rather than checking whether their IP exists and logging it, why not just check whether it doesn't exist? The rule below will check whether their IP exists in the data group. If it doesn't, we'll drop them.
when HTTP_REQUEST {
    # Check if the client IP is a member of the exception list
    log local0.debug "IRule has been triggered"
    if { ! [class match [IP::client_addr] eq ip_exception] } {
        drop
        log local0.debug "[IP::client_addr] Your IP was NOT approved via the exception list"
    }
}
- Kevin_Nail (Nimbostratus)
This is just a first step, I'm trying to get something working. When completed, the exception list will be IPs that should be allowed but were mistakenly blocked.
- jscharfenberg_3 (Nimbostratus)
Chris,
I am going to use what you suggested for allowing certain hosts to use EWS as we're locking down exchange.
overall something like this....
when HTTP_REQUEST {
    # The post showed only the "/ews*" case; the switch on the URI that it
    # belongs to is restored here so the rule parses.
    switch -glob [HTTP::uri] {
        "/ews*" {
            if { ! [class match [IP::client_addr] eq Allowed_Hosts_EWS] } {
                HTTP::respond 403 content {Blocked!}
                # logs sent to /var/log/ltm (kept inside the if so only
                # blocked clients are logged as NOT approved)
                log local0. "[IP::client_addr] was NOT approved via exception list"
            }
        }
    }
}
Does this look correct? I need to add some kind of logging that I can comment out when we turn it on, and local seems fine.