Forum Discussion
Geethanjali_321
Nimbostratus
Oct 25, 2012
IP address filtering rule does not work
Hi All,
I wanted to create a rule to block all IP addresses except one IP address. So, I gave this rule:
when CLIENT_ACCEPTED {
if {! [IP::addr [IP::client_addr] equals x.x.x.x] } {
}
}
When I try accessing the web page associated with this VS, I am not able to access it from anywhere (that is, am not able to access it even from x.x.x.x which is supposed to have access). Can someone help me with this?
Thanks and Regards,
Geethanjali
2 Replies
- nitass
Employee
can you put some log command to see what is going on?

[root@ve10:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
}
[root@ve10:Active] config b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}
[root@ve10:Active] config b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
  if { ! [IP::addr [IP::client_addr] equals 192.168.206.57] } {
    log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
    reject
  }
}
when SERVER_CONNECTED {
  log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
}
}
[root@ve10:Active] config cat /var/log/ltm
Oct 25 11:14:38 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59191 -> 172.28.19.79:80
Oct 25 11:14:52 local/tmm info tmm[7926]: Rule myrule : Allow 192.168.206.57:63448 -> 172.28.19.79:80 -> 200.200.200.101:80
- nitass
Employee
e.g.

[root@ve10:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
}
[root@ve10:Active] config b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
  if { ! [class match -- [IP::client_addr] equals ip_class] } {
    log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
    reject
  }
}
when SERVER_CONNECTED {
  log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
}
}
[root@ve10:Active] config b class ip_class list
class ip_class {
   {
      host 172.28.19.251
      host 192.168.206.57
   }
}
[root@ve10:Active] config tail -f /var/log/ltm
Oct 25 22:57:44 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59229 -> 172.28.19.79:80
Oct 25 22:57:53 local/tmm info tmm[7926]: Rule myrule : Allow 192.168.206.57:65000 -> 172.28.19.79:80 -> 200.200.200.101:80
Oct 25 22:58:12 local/tmm info tmm[7926]: Rule myrule : Allow 172.28.19.251:37085 -> 172.28.19.79:80 -> 200.200.200.101:80
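The log lines the rule above writes to /var/log/ltm are the easiest way to confirm that an allow-list iRule is doing what you think. The following Python script is an added example (not part of this thread and not F5 code): it parses "Rule <name> : Reject|Allow src:port -> vip:port [-> node:port]" lines in the format shown in the reply, counts allows and rejects per client address, and audits every verdict against a list of permitted hosts or CIDR networks so that a listed client that is being rejected, or an unlisted one that is getting through, shows up immediately. The sample log text is constructed for the example; the rule name, ports and the 10.9.8.7 address are placeholders.

```python
"""Audit BIG-IP LTM allow/reject log lines against an allow-list (added example)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the format the iRule's log statements produce; not real data.
SAMPLE_LOG = """\
Oct 25 22:57:44 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59229 -> 172.28.19.79:80
Oct 25 22:57:53 local/tmm info tmm[7926]: Rule myrule : Allow 192.168.206.57:65000 -> 172.28.19.79:80 -> 200.200.200.101:80
Oct 25 22:58:12 local/tmm info tmm[7926]: Rule myrule : Allow 172.28.19.251:37085 -> 172.28.19.79:80 -> 200.200.200.101:80
Oct 25 22:58:40 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59230 -> 172.28.19.79:80
Oct 25 22:59:01 local/tmm info tmm[7926]: Rule myrule : Allow 10.9.8.7:40000 -> 172.28.19.79:80 -> 200.200.200.101:80
"""

# One regex for both shapes: Reject lines stop at the VIP, Allow lines add the pool member.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ info tmm\[\d+\]: "
    r"Rule (?P<rule>\S+) : (?P<verdict>Reject|Allow) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<vip>[\d.]+):(?P<vport>\d+)"
    r"(?: -> (?P<node>[\d.]+):(?P<nport>\d+))?$"
)


def parse_ltm_line(line):
    """Return a dict for one 'Rule <name> : Reject|Allow ...' line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["vport"] = int(rec["vport"])
    if rec["nport"] is not None:
        rec["nport"] = int(rec["nport"])
    return rec


def summarize(log_text):
    """Count Allow and Reject events per client source address."""
    counts = {"Allow": Counter(), "Reject": Counter()}
    for line in log_text.splitlines():
        rec = parse_ltm_line(line)
        if rec:
            counts[rec["verdict"]][rec["src"]] += 1
    return counts


def audit_allowlist(log_text, allowed):
    """Return (line_number, verdict, src) for every verdict that contradicts the allow-list.

    `allowed` holds host addresses or CIDR networks as strings. A contradiction is an
    Allow from an address outside the list, or a Reject of an address inside it.
    """
    nets = [ip_network(a, strict=False) for a in allowed]
    anomalies = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_ltm_line(line)
        if not rec:
            continue
        listed = any(ip_address(rec["src"]) in net for net in nets)
        if (rec["verdict"] == "Allow") != listed:
            anomalies.append((n, rec["verdict"], rec["src"]))
    return anomalies


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("allowed per client:", dict(s["Allow"]))
    print("rejected per client:", dict(s["Reject"]))
    print("anomalies:", audit_allowlist(SAMPLE_LOG, ["192.168.206.57", "172.28.19.251"]))
```

Run it against a real capture with `tail /var/log/ltm | python3 audit.py` after swapping SAMPLE_LOG for stdin; the audit accepts the same host entries as the ip_class data group, and CIDR entries let you check a network-wide allow-list the same way.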