Forum Discussion
Jonathan_Robins
Nimbostratus
Aug 26, 2010
GTM iRule to block certain IPs DNS Query of a WideIP
Hello
I need to stop a GTM Wide IP from responding to client IPs unless they are in a whitelist.
Ideally the GTM would respond with an NSDOMAIN rather than drop the request.
I am trying the following but am not having much luck; can anyone offer any help?
when DNS_REQUEST {
    if {[matchclass [IP::remote_addr] ne $::ip_allowed_datagroup]} {
        drop
    }
}
Error: 01070151:3: Rule [hello] error: line 2: [undefined procedure: matchclass] [matchclass [IP::remote_addr] ne $::ip_allowed_datagroup]
Many thanks
Jonathan
4 Replies
- The_Bhattman
Nimbostratus
Hi Jonathan,
I don't believe "ne" is a valid operator in the matchclass.
You can either use "!" (not) or an else clause:
when DNS_REQUEST {
    if { ![matchclass [IP::remote_addr] eq $::ip_allowed_datagroup] } {
        drop
    }
}
-or-
when DNS_REQUEST {
    if { [matchclass [IP::remote_addr] eq $::ip_allowed_datagroup] } {
    } else {
        drop
    }
}
I hope this helps
Bhattman
- Jonathan_Robins
Nimbostratus
Thanks for the reply Bhattman, I now get the following error:
01070151:3: Rule [GAM_block_non_intranet_dns_query] error: line 1: [undefined procedure: matchclass] [matchclass [IP::remote_addr] eq $::ip_allowed_datagroup]
So I assume that the matchclass can not be used within a when DNS_REQUEST?
I have managed to get it working using multiple if statements with IP::addr to test against all my internal subnets (I'm trying to prevent a reply to an IP unless it is from my inside networks).
if {![IP::addr [IP::remote_addr] equals 10.0.0.0/8]} {
    if {![IP::addr [IP::remote_addr] equals 172.29.0.0/16]} {
        if {![IP::addr [IP::remote_addr] equals 172.30.0.0/16]} {
            drop
        }
    }
}
There must be a more elegant / efficient way of doing this?
Also, rather than drop, I want to send an NXDOMAIN; is this possible?
--Jonathan
- Jonathan_Robins
Nimbostratus
I had to make one further change, as for some reason the IP::addr match was not matching a client IP to a subnet/mask.
After trying many combinations of "address/mask", "address mask 255.255.0.0", etc., I found that I had to put the mask on the client_addr end, not the subnet end.
So my final working setup is:
when DNS_REQUEST {
    if {![IP::addr [IP::client_addr]/20 equals "X.Y.Z.0"]} {
        if {![IP::addr [IP::client_addr]/16 equals "172.29.0.0"]} {
            cname "somewhere.else"
        }
    }
}
- Chris_Miller
Altostratus
Can you try this syntax for matchclass?
when DNS_REQUEST {
    if { ![class match [IP::client_addr] eq ip_allowed_datagroup] } {
        cname "somewhere.else"
    }
}
Make sure your datagroup is an address-type and not string-type.
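The allow-list decision from Jonathan's nested IP::addr tests and the "mask on the client end" form he ended up with, modelled in plain Python so both ways of writing the subnet check can be run against sample source addresses. This is an added example, not iRule code from the thread; the sample client addresses are constructed, and the internal networks are the ones named in the thread.

```python
"""Model of the DNS_REQUEST allow-list decision discussed in the thread.

Constructed example, not F5 iRule code: it reproduces the iRule's logic in
Python so the two ways of writing the subnet test can be compared.
"""
from ipaddress import ip_address, ip_network

# The internal networks from the thread; any other source is not answered.
ALLOWED_NETWORKS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.29.0.0/16"),
    ip_network("172.30.0.0/16"),
]


def allowed_by_network(client_ip: str) -> bool:
    """Equivalent of the chain of 'IP::addr <client> equals <net>/<len>'
    tests: the client address is a member of one allowed network."""
    addr = ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def allowed_by_masked_client(client_ip: str, prefixlen: int, network_addr: str) -> bool:
    """Equivalent of the form that worked for the poster:
    'IP::addr [IP::client_addr]/<len> equals "<network>"'.
    The mask is applied to the client side and the result is compared
    with the bare network address; strict=False masks the host bits."""
    masked = ip_network(f"{client_ip}/{prefixlen}", strict=False)
    return masked.network_address == ip_address(network_addr)


def dns_request_action(client_ip: str) -> str:
    """Decide how the GTM answers: 'respond' for allow-listed clients,
    otherwise the redirect the thread settled on (cname to another name)."""
    if allowed_by_network(client_ip):
        return "respond"
    return 'cname "somewhere.else"'


if __name__ == "__main__":
    # Constructed sample source addresses of incoming DNS queries.
    for ip in ("10.1.2.3", "172.29.4.5", "172.30.255.1", "172.31.0.1", "8.8.8.8"):
        print(f"{ip:>14}: {dns_request_action(ip)}")
```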