Forum Discussion
bmohanak_276891
Cirrus
Jul 13, 2016
I need help with an iRule to restrict inbound connections to certain IPs
Hello F5 Experts.
I am new to F5 and iRules. I am helping my team troubleshoot an iRule issue. Basically, the iRule is already in place, which is to allow only the IPs listed in the iRule to have ...
Yann_Desmarest_
Nacreous
Jul 30, 2016
Hi,
You can use the following iRule to deny users access to specific URLs:
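when HTTP_REQUEST {
    # Reject the enrollment URLs unless the client IP is in the irdg-mdm-test data group.
    # The two path tests are grouped in parentheses so the data group check applies
    # to both of them ("and" binds tighter than "or").
    if { ([string tolower [HTTP::path]] starts_with "/devicemanagement/enroll" or [string tolower [HTTP::path]] starts_with "/deviceservices/enrollment/airwatchenroll.aws") and ![class match [IP::client_addr] equals irdg-mdm-test] } {
        log local0. "[IP::client_addr] - Matched default policy: Access Denied"
        reject
        return
    }
}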
This iRule will allow IP addresses defined in the data group named irdg-mdm-test to access the specified URLs. Other IPs will be rejected.
Maybe you can also change the reject command to something more user friendly, like HTTP::respond 403 content "Request Not Allowed"
Note: Pay attention that you don't have other iRules, LTM policies or whatever else that bypass this iRule processing.
bmohanak_276891
Cirrus
Aug 01, 2016
Yann,
I have changed the iRule to the above, but connections are still being allowed when I try to access from a machine not on this list.
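A logging variant of the access check discussed in this thread, added here as an example and not part of the original posts: it records the source address the BIG-IP actually sees and the decision taken for every request to the restricted paths, so the entries in /var/log/ltm show whether the rule ran and which address was compared against the data group. The data group name and paths come from the thread; the "enroll-acl" log prefix and the X-Forwarded-For logging are assumptions made for this example.

```tcl
when HTTP_REQUEST {
    # Normalise once so both comparisons use the same lower-cased path.
    set path [string tolower [HTTP::path]]

    # Only the two enrollment paths from the thread are restricted;
    # every other request leaves this iRule untouched.
    if { !(($path starts_with "/devicemanagement/enroll") or ($path starts_with "/deviceservices/enrollment/airwatchenroll.aws")) } {
        return
    }

    # Source address as seen by the BIG-IP. If a proxy, NAT device or
    # another load balancer sits in front, this is that device's address,
    # not the end user's, and that is the value the data group is matched on.
    set src [IP::client_addr]

    # X-Forwarded-For is client-supplied and logged for diagnostics only;
    # it is never used for the access decision.
    set xff "-"
    if { [HTTP::header exists "X-Forwarded-For"] } {
        set xff [HTTP::header value "X-Forwarded-For"]
    }

    if { [class match $src equals irdg-mdm-test] } {
        # "enroll-acl" is an arbitrary prefix chosen for this example.
        log local0. "enroll-acl vs=[virtual name] src=$src xff=$xff path=$path action=allow"
        return
    }

    log local0. "enroll-acl vs=[virtual name] src=$src xff=$xff path=$path action=deny"
    HTTP::respond 403 content "Request Not Allowed"
    return
}
```

If a test request to one of the restricted paths produces no "enroll-acl" line at all, the iRule did not run for that request, which points to the virtual server assignment or to another iRule or LTM policy handling the request first.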