Forum Discussion
Irule for blocking specific traffic
Hi, can we get some help to achieve the below?
If the below condition matches we need to block the connection, and all the rest should be permitted.
IP is from the following subnets
( src net 1.1.0.0/16 or src net 2.2.0.0/16 or src net 3.3.0.0/16 )
AND
the string 'Software Version7.13' IS IN request body
AND
the string 'Hardware VersionHA1' IS IN request body
AND
the string '1 BOOT' IS NOT IN request body
5 Replies
- IheartF5_45022
Nacreous
For the IP blocking you would need to check IP::client_addr (this code with switch not tested BTW):
when CLIENT_ACCEPTED {
    # Glob-match the textual client address against the three /16 prefixes
    switch -glob [IP::client_addr] {
        "1.1.*" -
        "2.2.*" -
        "3.3.*" { reject }
    }
}
For the XML - try here
Alternatively you would have to HTTP::collect and then use the HTTP_REQUEST_DATA event to search the body for the offending data.
Not sure if anyone is feeling more generous and wants to provide a full rule for you?
- What_Lies_Bene1
Cirrostratus
HTTP traffic? This could be quite intensive if it's going to be done on every request for those IPs in the restricted range.
- Bhanu_9561
Cirrus
You can also do it this way if you are only concerned about the IP address. If you also need to look at the HTTP headers, you would require a more elaborate rule, which could be processor intensive as mentioned in the previous comment.
iRule: IP_Addr_Block_List is a Data Group List which will contain the IP addresses/networks that need to be blocked.
when CLIENT_ACCEPTED {
    # Data group is referenced by name; class match does not take the $:: prefix
    if { [class match [IP::client_addr] equals IP_Addr_Block_List] } {
        # Client address is in the block list: close the connection
        TCP::close
    } else {
        return
    }
}
- Mathew_58740
Nimbostratus
Thank you guys for the updates. Our requirement is: if the IP address and the headers match, we have to block; remaining traffic should be allowed.
- Bhanu_9561
Cirrus
You can do something similar to this:
when HTTP_REQUEST {
    # Both conditions must hold: client in the data group and the header present
    if { ([class match [IP::client_addr] equals IP_Throttle_List]) and ([HTTP::header exists "Blah Blah"]) } {
        # HTTP::close or TCP::close. Depends on your requirement
        HTTP::close
    } else {
        return
    }
}
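
The pieces suggested in the replies above (source-address check, HTTP::collect, and a body search in HTTP_REQUEST_DATA) combined into one rule, as an added example that is not part of any reply in the thread. The subnets and strings are the ones from the original question; the 1 MB collection cap is an assumed value, and requests without a Content-Length header pass uninspected.

```tcl
# Added example (not from the thread). Assumption: 1 MB cap on buffered body.
when HTTP_REQUEST {
    # Inspect only requests from the three source networks in the question,
    # so all other clients skip the cost of body collection.
    if { [IP::addr [IP::client_addr] equals 1.1.0.0/16] ||
         [IP::addr [IP::client_addr] equals 2.2.0.0/16] ||
         [IP::addr [IP::client_addr] equals 3.3.0.0/16] } {
        # Only a request that carries a body can satisfy the string conditions.
        if { [HTTP::header exists "Content-Length"] } {
            set len [HTTP::header "Content-Length"]
            if { [string is integer -strict $len] && $len > 0 } {
                # Cap the buffer so a large upload cannot exhaust memory.
                if { $len > 1048576 } { set len 1048576 }
                # Triggers HTTP_REQUEST_DATA once $len bytes have arrived.
                HTTP::collect $len
            }
        }
    }
}

when HTTP_REQUEST_DATA {
    # Fires only for requests where HTTP::collect was called above,
    # so the source-subnet condition is already satisfied here.
    set body [HTTP::payload]
    if { ($body contains "Software Version7.13") &&
         ($body contains "Hardware VersionHA1") &&
         !($body contains "1 BOOT") } {
        # All conditions from the question matched: log and drop the connection.
        log local0. "Blocked [IP::client_addr]: request body matched block conditions"
        reject
        return
    }
    # No match: the collected payload is released implicitly when this
    # event ends, and the request continues to the pool unchanged.
}
```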