Forum Discussion

bmohanak_276891
Jul 13, 2016

I need help with an iRule to restrict inbound connections to certain IPs

Hello F5 Experts.

I am new to F5 and iRules. I am helping my team troubleshoot an iRule issue. Basically, the iRule is already in place and is meant to allow only the IPs listed in the iRule to have access to the backend servers. The iRule looks like this:

    when HTTP_REQUEST {
        # only the enrollment URIs are restricted
        if { ([string tolower [HTTP::uri]] contains "/devicexx/enxx") ||
             ([string tolower [HTTP::uri]] contains "/devicexx/enxx/airxx.aws") } {
            # listed source addresses fall through; anything else is rejected
            switch [IP::client_addr] {
                "62.x.x.x" {
                }
                "62.x.x.x" {
                }
                "202.x.x.x" {
                }
                "204.x.x.x" {
                }
                default {
                    log local0. "Matched default policy: Access Denied"
                    reject
                }
            }
        }
    }

But the issue here is that the iRule is not blocking the IPs which are not listed here. Any help is much appreciated.

PS: I have replaced some portions of the URI and the public IPs for security reasons.

9 Replies

  • This may be a good application for a data-group. It may make management of the allowed IP addresses easier. If you create an internal data-group called 'allowed_ips', the iRule below will reject connections that are not sourced from an IP in the data-group.

    Also, for your string match, both entries contain '/devicexx/enxx', so the OR is superfluous. That is, unless the information you redacted is different between the entries?

    when HTTP_REQUEST {
        if { ([string tolower [HTTP::uri]] contains "/devicexx/enxx") ||
             ([string tolower [HTTP::uri]] contains "/devicexx/enxx/airxx.aws") } {
            # allowed_ips is an address-type data-group; 'equals' also matches subnet records
            if { ! [class match [IP::client_addr] equals allowed_ips] } {
                log local0. "Matched default policy: Access Denied"
                reject
            }
        }
    }

  • Hi,

    You can use the following iRule to disallow access to specific URLs for users:

    when HTTP_REQUEST {
      # the parentheses matter: 'and' binds tighter than 'or', so without them the first
      # path would be rejected for every client regardless of the data-group lookup
      if { ([string tolower [HTTP::path]] starts_with "/devicemanagement/enroll" or
            [string tolower [HTTP::path]] starts_with "/deviceservices/enrollment/airwatchenroll.aws")
           and ![class match [IP::client_addr] equals irdg-mdm-test] } {
          log local0. "[IP::client_addr] - Matched default policy: Access Denied"
          reject
          return
      }
    }

    This iRule will allow IP addresses defined in the data-group named irdg-mdm-test to access the specified URLs. Other IPs will be rejected.

    Maybe you can also change the

    reject

    command to something more user-friendly like

    HTTP::respond 403 content "Request Not Allowed"

    Note: pay attention that you don't have other iRules, LTM policies or anything else that bypass this iRule's processing.

    • Yann_Desmarest_

      You may also expect something more scalable:

      when HTTP_REQUEST {
        # both the restricted paths and the allowed clients come from data-groups
        if { [class match [HTTP::path] contains url-mdm-test] and ![class match [IP::client_addr] equals irdg-mdm-test] } {
            log local0. "[IP::client_addr] - Matched default policy: Access Denied"
            reject
            return
        }
      }
      
    • bmohanak_276891

      Yann,

      I have changed the iRule to the above, but connections are still being allowed when I try to access from a machine not in this list.

    • Yann_Desmarest_

      Hi,

      I updated the iRule above. Can you check that you get the logs from the iRule in the /var/log/ltm logfile?

      Do you have some proxy or reverse proxy between F5 and the client?
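Pulling the thread's suggestions together (data-groups for both the paths and the allowed clients, a 403 instead of a TCP reset, and an answer to the reverse-proxy question Yann raises), here is a consolidated iRule as an added example; it is not code from any of the posts above. It assumes two data-groups named as in Yann's rule, `url-mdm-test` (string type, restricted path prefixes) and `irdg-mdm-test` (address type, allowed client networks), plus a hypothetical third address data-group `trusted-proxies` for the case where a reverse proxy sits in front of the BIG-IP. The tmsh commands in the comments and the addresses in them are placeholders, not values from the thread.

```tcl
# Added example, not from the thread. Assumed one-time setup in tmsh (placeholder values):
#   create ltm data-group internal url-mdm-test type string records add {
#       "/devicemanagement/enroll" { } "/deviceservices/enrollment/airwatchenroll.aws" { } }
#   create ltm data-group internal irdg-mdm-test type ip records add { 62.0.0.0/8 { } }
#   create ltm data-group internal trusted-proxies type ip records add { 10.0.0.1/32 { } }

when HTTP_REQUEST {
    # Only the enrollment paths are restricted; every other request passes through untouched.
    # Lower-case the path first so a client cannot sidestep the check with /DeviceManagement/...
    if { ![class match -- [string tolower [HTTP::path]] starts_with url-mdm-test] } {
        return
    }

    set src [IP::client_addr]

    # If a reverse proxy sits between the client and the BIG-IP, IP::client_addr is the
    # proxy's own address and every client looks the same to the whitelist. Take the
    # original client from X-Forwarded-For instead, but ONLY when the TCP peer is a
    # trusted proxy: the header is client-supplied and trivially forged otherwise.
    # Remove this block if no such proxy exists (a missing data-group is a runtime TCL error).
    if { [class match -- $src equals trusted-proxies] && [HTTP::header exists "X-Forwarded-For"] } {
        # With a single trusted proxy, the right-most entry is the one that proxy appended.
        set src [string trim [lindex [split [HTTP::header "X-Forwarded-For"] ","] end]]
    }

    # 'equals' against an address data-group matches subnets, so records can be CIDR blocks.
    if { ![class match -- $src equals irdg-mdm-test] } {
        log local0. "$src denied access to [HTTP::path] (not in irdg-mdm-test)"
        # A 403 is friendlier than reject (TCP RST); close the connection so the client
        # cannot reuse the keep-alive to send further requests on the same session.
        HTTP::respond 403 content "Request Not Allowed" "Connection" "close"
        return
    }
}
```

To check it is actually in the path of the traffic: confirm with `tmsh list ltm data-group internal irdg-mdm-test` that the group is an address (ip) data-group rather than a string one (CIDR records in a string group never match an address), confirm the iRule is attached to the virtual server that serves these URLs and that no earlier iRule or LTM policy returns before it, then request one of the restricted paths from a host that is not listed and expect a 403 together with the denial line in /var/log/ltm.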

       
