
keefyweefy
Mar 08, 2011

Filter on source & destination

Hello all

I'm trying to write what I presumed would be a simple iRule to restrict access from a client. We have a forwarding (IP) VS for a subnet, say 192.168.1.0/24.

I'm applying the following rule to that VS; however, it isn't performing as expected:

    when CLIENT_ACCEPTED {
       if { [IP::addr [IP::client_addr]/32 equals 192.168.2.1]
            and [IP::addr [IP::remote_addr]/32 equals 192.168.1.100] } {
          drop
       } elseif { [IP::addr [IP::client_addr]/32 equals 192.168.2.1]
            and [IP::addr [IP::remote_addr]/32 equals 192.168.1.101] } {
          drop
       }
    }

Connections don't get blocked from 192.168.2.1 to 192.168.1.100 or 101.

If I trim the iRule down to:

    when CLIENT_ACCEPTED {
       if { [IP::addr [IP::client_addr]/32 equals 192.168.2.1] } {
          drop
       }
    }

Then all connections do get dropped, so the problem appears to be with the latter part of the argument.

 

 

5 Replies

  • I believe client_addr and remote_addr will return the same value in this situation. I'm wondering if local_addr is the way to go.

    Edit: Using this sample rule as an example, it definitely looks like you need to be checking local_addr instead of remote_addr. Give that a shot and see what happens.

    http://devcentral.f5.com/wiki/defau...uting.html

  • How about this to make things prettier?

    when CLIENT_ACCEPTED {
       if { [IP::client_addr] eq 192.168.2.1 } {
          switch [IP::local_addr] {
             192.168.1.100 -
             192.168.1.101 { drop }
          }
       }
    }

  • hoolio
    I'd suggest using IP::addr and/or address type datagroups which will do bit comparisons instead of string comparisons of the IP addresses:

    when CLIENT_ACCEPTED {
       if { [IP::addr [IP::client_addr] eq 192.168.2.1] } {
          # drop the flow when the destination is one of the two protected hosts
          if { [IP::addr [IP::local_addr] eq 192.168.1.100] || [IP::addr [IP::local_addr] eq 192.168.1.101] } {
             drop
          }
       }
    }

    Aaron
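The two points the replies make, that IP::remote_addr is the client again in CLIENT_ACCEPTED so the destination has to come from IP::local_addr, and that addresses should be compared as bits rather than as strings, can be checked off-box. The following Python model is an added example, not code from the thread or from F5; it cannot run on a BIG-IP and only mirrors the decision the corrected rule makes. The policy constants, the sample flows and the addr_equals helper (which also accepts a /mask target, going a little beyond the thread's exact-host matches) are all constructed for this illustration.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed policy mirroring the rule reached at the end of the thread:
# one blocked client, two protected destinations on the forwarded subnet.
BLOCKED_CLIENT = ipaddress.ip_address("192.168.2.1")
BLOCKED_DESTINATIONS = frozenset({
    ipaddress.ip_address("192.168.1.100"),
    ipaddress.ip_address("192.168.1.101"),
})


def addr_equals(addr: str, target: str) -> bool:
    """Bitwise comparison in the spirit of IP::addr (model, not the iRule command).

    If `target` carries a /mask the test is prefix membership; otherwise the two
    parsed addresses are compared, so differently spelled forms of one address
    (e.g. an abbreviated IPv6 address) still match, which a string `eq` misses.
    """
    if "/" in target:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(target, strict=False)
    return ipaddress.ip_address(addr) == ipaddress.ip_address(target)


def should_drop(client_addr: str, local_addr: str) -> bool:
    """Decision the corrected rule makes in CLIENT_ACCEPTED.

    client_addr models IP::client_addr (source of the flow) and local_addr models
    IP::local_addr (destination the client connected to through the forwarding VS).
    """
    client = ipaddress.ip_address(client_addr)
    local = ipaddress.ip_address(local_addr)
    return client == BLOCKED_CLIENT and local in BLOCKED_DESTINATIONS


def original_rule_drops(client_addr: str) -> bool:
    """The poster's original logic, which tested IP::remote_addr.

    As the first reply notes, in CLIENT_ACCEPTED the remote address is the client
    itself, so the second condition effectively asks whether the client address
    is one of the protected destinations and never holds for 192.168.2.1.
    """
    remote_addr = client_addr  # what IP::remote_addr yields on the client side
    client = ipaddress.ip_address(client_addr)
    remote = ipaddress.ip_address(remote_addr)
    return client == BLOCKED_CLIENT and remote in BLOCKED_DESTINATIONS


def evaluate(flows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the corrected decision to (client, local) pairs and return verdicts."""
    return [(c, l, "drop" if should_drop(c, l) else "allow") for c, l in flows]


# Constructed sample flows through the forwarding virtual server.
SAMPLE_FLOWS = [
    ("192.168.2.1", "192.168.1.100"),  # blocked pair
    ("192.168.2.1", "192.168.1.101"),  # blocked pair
    ("192.168.2.1", "192.168.1.102"),  # same client, destination not protected
    ("192.168.2.2", "192.168.1.100"),  # different client, allowed
]

if __name__ == "__main__":
    for client, local, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{client:>14} -> {local:<14} {verdict}")
    print("original rule drops 192.168.2.1 -> 192.168.1.100:",
          original_rule_drops("192.168.2.1"))
```

Running the script lists the four constructed flows with "drop" on the two protected pairs and "allow" on the others, and shows the original remote_addr-based test never firing for the blocked client, which is the symptom described in the question.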