Forum Discussion

Geethanjali_321's avatar
Geethanjali_321
Icon for Nimbostratus rankNimbostratus
Oct 25, 2012

IP address filtering rule does not work

Hi All,

I wanted to create a rule to block all IP addresses except one IP address. So, I gave this rule:

when CLIENT_ACCEPTED {
 if {! [IP::addr [IP::client_addr] equals x.x.x.x] } {
 
}
}

When I try accessing the web page associated with this VS, I am not able to access it from anywhere (that is, am not able to access it even from x.x.x.x which is supposed to have access). Can someone help me with this?

Thanks and Regards,

Geethanjali

application delivery
dev
devops
iRules

2 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Oct 25, 2012
    can you put some log command to see what is going on?

    e.g. 

    [root@ve10:Active] config  b virtual bar list
bvirtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
}
[root@ve10:Active] config  b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}
[root@ve10:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
   if { ! [IP::addr [IP::client_addr] equals 192.168.206.57] } {
      log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      reject
   }
}
when SERVER_CONNECTED {
   log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
}
}

[root@ve10:Active] config  cat /var/log/ltm
Oct 25 11:14:38 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59191 -> 172.28.19.79:80
Oct 25 11:14:52 local/tmm info tmm[7926]: Rule myrule : Allow 192.168.206.57:63448 -> 172.28.19.79:80 -> 200.200.200.101:80
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Oct 25, 2012
    e.g. 

    [root@ve10:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
}
[root@ve10:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
   if { ! [class match -- [IP::client_addr] equals ip_class] } {
      log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      reject
   }
}
when SERVER_CONNECTED {
   log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
}
}
[root@ve10:Active] config  b class ip_class list
class ip_class {
   {
      host 172.28.19.251
      host 192.168.206.57
   }
}

[root@ve10:Active] config  tail -f /var/log/ltm
Oct 25 22:57:44 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59229 -> 172.28.19.79:80
Oct 25 22:57:53 local/tmm info tmm[7926]: Rule myrule : Allow 192.168.206.57:65000 -> 172.28.19.79:80 -> 200.200.200.101:80
Oct 25 22:58:12 local/tmm info tmm[7926]: Rule myrule : Allow 172.28.19.251:37085 -> 172.28.19.79:80 -> 200.200.200.101:80