Forum Discussion
NimbostratusiRule - Whitelisting/Blocking IP Addresses
Hello,
We use a third party for our CDN and web security. I would like to write an iRule where we whitelist only their IP ranges and block all other traffic. Can someone please assist me in writing this rule? your help is greatly appreciated.
Thank you,
3 Replies
arpydaysIf you know their IP ranges then a simple irule/datagroup would do it. This rule will drop any connections from clients not in the 'allowed-nets' datagroup,
cheers
when CLIENT_ACCEPTED { if { not ([class match [IP::client_addr] equals allowed-nets]) } { log local0. "[IP::client_addr] is not permitted to site xxxx" drop } } ltm data-group internal allowed-netss { records { 192.168.20.0/24 { data "NetYYYY" } } type ip }
sysadmin_2015_2Hello,
Thank you for the reply. Our F5 is at the edge. If I create a data group with the listed CDN's IP'S called allowed-nets, do I still have to include them in the iRule? if so does the below look correct?
when CLIENT_ACCEPTED { if { not ([class match [IP::client_addr] equals allowed-nets]) } { log local0. "[IP::client_addr] is not permitted to site xxxx" reject } }
ltm data-group internal allowed-netss { records { 192.168.20.0/24, 192.178.20.0/24, 192.188.20.0/24 { data "NetYYYY" } } type ip }
Thank you,
- arpydays
No, the data group is not part of the irule, you can create it in the gui under local traffic > irule > data group, cheers
