Domai
Jul 28, 2016

iRule help to allow 2 IPs only

Hello, I have a question regarding packet filtering and need help with a simple iRule. I need to allow 2 IPs only to access a VIP.

If I use packet filtering, it applies to all the VIPs, correct? If yes, what is the point of using packet filtering?

The iRule help I need is as below (will the below work?). I need clients with 1.1.1.1 and 2.2.2.2 to access the VIP.


    when CLIENT_ACCEPTED {
        if { ![IP::addr [IP::client_addr] equals 1.1.1.1] or [IP::client_addr] equals 2.2.2.2] }{ discard } else {
            log local0. "Allowed Traffic" } }

 

2 Replies

  • Create an IP datagroup containing the IPs you want to allow, then try this...

        when CLIENT_ACCEPTED {
               # class match returns 1 on a match and 0 otherwise, never an empty string
               set yesno [class match [IP::client_addr] equals "allowed_ip"]
               switch $yesno {
                              0 { discard }
                              default { log local0. "Accepted client from [IP::client_addr]" }
               }
        }
    
  • Hi,

    Packet filters apply to VLANs. It's more general than just blocking access to those 2 IPs on a single Virtual Server.

    Your simple iRule can do the trick without enabling Packet filter. You just have a small issue in the if condition:

    when CLIENT_ACCEPTED { 
        if { !([IP::client_addr] eq "1.1.1.1" or [IP::client_addr] eq "2.2.2.2") } { 
            discard 
        } else { 
            log local0. "Allowed Traffic" 
        } 
    }
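
The question's original `IP::addr` approach, restructured as default-deny with one comparison per allowed entry, as an added example that is not from either reply. The list name `static::allowed_clients` is hypothetical; because `IP::addr` compares addresses rather than strings, an entry may also be written with a mask.

```tcl
when RULE_INIT {
    # Hypothetical list name; the two addresses are the ones from the question.
    # An entry may be a host or network/mask, since IP::addr compares addresses.
    set static::allowed_clients { 1.1.1.1 2.2.2.2 }
}

when CLIENT_ACCEPTED {
    # Default deny: the connection is dropped unless an entry matches.
    set allowed 0
    foreach entry $static::allowed_clients {
        # Each IP::addr comparison sits in its own bracket pair; the question's
        # version closed the first bracket early and left the second unbalanced.
        if { [IP::addr [IP::client_addr] equals $entry] } {
            set allowed 1
            break
        }
    }

    if { !$allowed } {
        # Log the denied source so unexpected clients show up in /var/log/ltm.
        log local0. "Denied [IP::client_addr] on [virtual name]"
        drop
        return
    }

    log local0. "Allowed [IP::client_addr] on [virtual name]"
}
```

For more than a handful of addresses, the data group with `class match` from the first reply is easier to maintain, since the allowlist can change without editing the iRule.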