Forum Discussion

Jason_19901's avatar
Jason_19901
Icon for Nimbostratus rankNimbostratus
Apr 07, 2011

Help with iRule

here is my requirement:

 

This iRule will be applied to an already existing virtual service for payme.example.com

 

+ Deny all access to URI payme.example.com/nfm (and all subdirectories) from all IP sources

 

+ These following IP addresses (create datagroup) are allowed to URI payme.example.com/*.asmx

 

222.27.26.151, 222.27.26.152, 222.38.4.248, 222.27.16.165, 222.27.16.169

 

+ Deny all access to URI payme.example.com/*.asmx from all other IP sources

 

+ Allow all access to URI payme.example.com/ (and all remaining subdirectories) from all IP sources

 

 

This iRule will be applied to an already existing virtual service for upayme.example.com

 

+ Deny all access to URI upayme.example.com/nfm (and all subdirectories) from all IP sources

 

+ These following IP addresses (create datagroup) are allowed to URI upayme.example.com/*.asmx

 

222.27.26.148, 222.38.4.249, 222.27.16.158, 222.27.16.161

 

+ Deny all access to URI upayme.example.com/*.asmx from all other IP sources

 

+ Allow all access to URI upayme.example.com/ (and all remaining subdirectories) from all IP sources

 

 

 

Here is my iRule that does not seem to work

 

 

class UserDataGroup {

 

{

 

host 222.17.26.151

 

host 222.17.26.152

 

host 222.28.4.248

 

host 222.17.16.165

 

host 222.17.16.169

 

}

 

}

 

class UserData_Group {

 

{

 

host 222.17.26.148

 

host 222.28.4.249

 

host 222.17.16.158

 

host 222.17.16.161

 

}

 

}

 

 

 

 

when CLIENT_ACCEPTED {

 

set debug "1"

 

if {$debug} {log local0. "Client IP address is: [IP::remote_addr]"}

 

Check if client IP is not in the UserDataGroup

 

if { [matchclass [IP::remote_addr] equals $::UserDataGroup] }{

 

log local0. "Client is in UserDataGroup1"

 

Prevent the HTTP_REQUEST event from firing if user is from local network

 

event HTTP_REQUEST disable

 

}

 

else {log local0. "Client is in NOT UserDataGroup"}

 

}

 

 

when HTTP_REQUEST {

 

switch -glob [HTTP::uri] {

 

"/*.asmx" -

 

"/nfm" -

 

{

 

Reject login info from non local sites

 

HTTP::respond 403 content "Logins only allowed from trusted networks.\r\n"

 

}

 

}

 

}

 

 

 

 

when CLIENT_ACCEPTED {

 

set debug "1"

 

if {$debug} {log local0. "Client IP address is: [IP::remote_addr]"}

 

Check if client IP is not in the UserData_Group

 

if { [matchclass [IP::remote_addr] equals $::UserData_Group] }{

 

log local0. "Client is in UserData_Group1"

 

Prevent the HTTP_REQUEST event from firing if user is from local network

 

event HTTP_REQUEST disable

 

}

 

else {log local0. "Client is in NOT UserData_Group"}

 

}

 

 

when HTTP_REQUEST {

 

switch -glob [HTTP::uri] {

 

"/nfm" -

 

"/*.asmx -

 

{

 

Reject login info from non local sites

 

HTTP::respond 403 content "Logins only allowed from trusted networks.\r\n"

 

}

 

}

 

}

 

 

config
design
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Apr 07, 2011
    Which version are you testing this on? Can you add debug logging to the iRule to see exactly what's not working? You can use the log command to do this and check the output in /var/log/ltm.

     

     

    Aaron
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Apr 08, 2011
    From your iRule, this is a debug log statement:

     

     

    if {$debug} {log local0. "Client IP address is: [IP::remote_addr]"}

     

     

    Since you have "set debug 1" above, this means that these lines will log to /var/log/ltm file. You can check for the info in your log (or any tcl errors) and any debug log statements that might help isolate where your problem is. Make sense?