Forum Discussion
help on an irule
Hello,
I have the following irule which is working fine:
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/EBanking2/admin" } {
            if { not ([IP::client_addr] equals "208.222.129.101") } {
                HTTP::redirect "http://www.coop.com.cy"
                log local0. "IP: [IP::client_addr] tried to access /EBanking2/admin from the Internet."
            }
        }
    }
I need your assistance on the fact that the EQUALS must be either of two IP addresses i.e.
equals "208.222.129.101" OR "another IP"
in order for this to work, do I have to use brackets or ??
Please advise. Tx
5 Replies
- VernonWells
Employee
Your rule:
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/EBanking2/admin" } {
            if { not ([IP::client_addr] equals "208.222.129.101") } {
                HTTP::redirect "http://www.coop.com.cy"
                log local0. "IP: [IP::client_addr] tried to access /EBanking2/admin from the Internet."
            }
        }
    }

So I assume you want to redirect when the client source address is neither 208.222.129.101 nor the other address. If so (and using 203.0.113.1 as the other IP for this example):

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/EBanking2/admin" } {
            if { not ([IP::client_addr] equals "208.222.129.101" or [IP::client_addr] equals "203.0.113.1") } {
                HTTP::redirect "http://www.coop.com.cy"
                log local0. "IP: [IP::client_addr] tried to access /EBanking2/admin from the Internet."
            }
        }
    }

An alternative would be to use a data-group. So, you would define a data-group like this:

    create ltm data-group internal non-redirect-ips type ip records add { 208.222.129.101 {} 203.0.113.1 {} }

Then change the iRule thusly:

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/EBanking2/admin" and ![class match [IP::client_addr] equals non-redirect-ips] } {
            HTTP::redirect "http://www.coop.com.cy"
            log local0. "IP: [IP::client_addr] tried to access /EBanking2/admin from the Internet."
        }
    }

The advantage is that you can add, change or delete IP addresses that are exempted without changing the iRule itself. You need only alter the data-group, which can be done via tmsh or the WebUI.
- cmard_195831
Nimbostratus
Thank you for your feedback. We will try and let you know.
- Greg_Labelle
Nimbostratus
You could use an OR statement, but I would recommend you move to using an iRule data group, and do a class match, for example:
    if { [class match [IP::client_addr] equals IPWhiteList] } { ... }

Where "IPWhiteList" is an iRule data group (of type string) that contains the IPs to be permitted.
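Added example, not part of any reply in this thread: the data-group rule from the replies above written out in full, with the check made on the lower-cased HTTP::path so that it does not depend on the case of the request or on the query string. It assumes the address data-group non-redirect-ips defined earlier already exists and that the backend serves the admin path case-insensitively; drop string tolower if it does not.

```tcl
# Added example (not from the thread). Assumes the address data-group
# non-redirect-ips from the earlier reply already exists:
#   create ltm data-group internal non-redirect-ips type ip records add { 208.222.129.101 {} 203.0.113.1 {} }
when HTTP_REQUEST {
    # HTTP::path excludes the query string. Lower-casing is an assumption
    # that the backend treats the path case-insensitively.
    set path [string tolower [HTTP::path]]

    if { $path starts_with "/ebanking2/admin" } {
        # class match against an address-type data-group matches both
        # single hosts and subnets listed in the group.
        if { ![class match [IP::client_addr] equals non-redirect-ips] } {
            log local0. "IP: [IP::client_addr] tried to access /EBanking2/admin from the Internet."
            HTTP::redirect "http://www.coop.com.cy"
            # Stop processing this event once the redirect has been sent.
            return
        }
    }
}
```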