iRule accept connection from specific IP
Hi, I have an F5 LTM that I use for an Exchange server only, and I created a rule to restrict access to a sub-URL. The rule will accept connections from a specific IP address, and connections from other IP addresses will be dropped. Please let me know if my rule and the syntax I used are good.
    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::uri]] {
            "/microsoft-server-activesync*" {
                if { ![IP::addr [IP::client_addr] equals 192.168.7.106] } {
                    drop
                }
            }
        }
    }
- Kevin_Davies
Nacreous
Generally with iRules we want to target the most generic item first. Most of your clients will not be from that specific IP address. So to prevent your iRule from running unnecessary code for each request you should target that address first.
Because we can check the address at connection time this means we can decide whether to even run the HTTP code with event disable. This means we only perform the IP check once per connection instead of every single HTTP request in the original iRule. Then we run the HTTP code only if the address matches.
    when CLIENT_ACCEPTED {
        if {[IP::client_addr] ne "192.168.7.106"} {
            event HTTP_REQUEST disable
        }
    }
    when HTTP_REQUEST {
        # now this only runs if the IP address matched above
        switch -glob -- [string tolower [HTTP::uri]] {
            "/microsoft-server-activesync*" {
                drop
            }
        }
    }
See the event disable command https://devcentral.f5.com/wiki/iRules.event.ashx
This iRule checks for the IP address. If it does not match it disables the HTTP_REQUEST event. This means the subsequent code inside that event will never run.
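One way to combine the once-per-connection address check from the answer with the goal stated in the question (drop ActiveSync requests from every address except 192.168.7.106), as an added example that is not from either poster. The variable name `activesync_allowed`, the log message, and the use of `HTTP::path` with `URI::decode` are choices made for this example; it assumes the virtual server has an HTTP profile and that clients connect without an upstream proxy or SNAT, so `IP::client_addr` is the real peer.

```tcl
# Added example, not from the thread.
when CLIENT_ACCEPTED {
    # Evaluate the source address once per TCP connection and remember the
    # result. A flag is used instead of "event HTTP_REQUEST disable" so that
    # other iRules on the same virtual server still receive HTTP_REQUEST.
    if { [IP::addr [IP::client_addr] equals 192.168.7.106] } {
        set activesync_allowed 1
    } else {
        set activesync_allowed 0
    }
}

when HTTP_REQUEST {
    # Allowed client: nothing to enforce on this request.
    if { $activesync_allowed } { return }

    # Match on the path only (no query string), percent-decoded and
    # lower-cased, so an encoded or mixed-case spelling of the path is
    # compared in the same form the back-end server will resolve it to.
    set path [string tolower [URI::decode [HTTP::path]]]

    switch -glob -- $path {
        "/microsoft-server-activesync*" {
            # Record the denied request so it can be reviewed in /var/log/ltm.
            log local0. "ActiveSync request from [IP::client_addr] dropped"
            drop
        }
    }
}
```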