Forum Discussion
grilledcheez_21
Nimbostratus
Nov 17, 2015
iRule to allow only some IPs, Data traffic.
Hello,
I'm trying to create an iRule for only allowing certain IPs through to a VIP. I was given this iRule by a co-worker, but it doesn't seem to work. All traffic appears to be getting blocked. I've seen similar rules for HTTP traffic, but this is not an HTTP service, it's just data.
Was hoping someone could take a look and see if I'm missing anything in the rule?
when CLIENT_ACCEPTED {
    switch [IP::client_addr] {
        10.XX.XX.XX -
        10.XX.XX.XX -
        10.XX.XX.XX -
        10.XX.XX.XX -
        10.XX.XX.XX -
        10.XX.XX.XX { return }
    }
    reject
    log local0. "Connection rejected from [IP::client_addr]"
}
Thanks.
- Brad_Parker_139
Nacreous
Couple things. Try adding IP::addr and put your reject in the default command.
when CLIENT_ACCEPTED {
    switch [IP::addr [IP::client_addr]] {
        10.XX.XX.XX -
        10.XX.XX.XX -
        10.XX.XX.XX -
        10.XX.XX.XX -
        10.XX.XX.XX -
        10.XX.XX.XX { return }
        default {
            reject
            log local0. "Connection rejected from [IP::client_addr]"
        }
    }
}
- Brad_Parker_139
Nacreous
Also, if you ever plan on expanding the list of allowed IPs, a data group would be better to manage.
when CLIENT_ACCEPTED {
    if { [class match [IP::addr [IP::client_addr]] equals allowedIPs_dg] } {
        return
    } else {
        reject
        log local0. "Connection rejected from [IP::client_addr]"
    }
}
- grilledcheez_21
Nimbostratus
I will give that a try. Thanks!
- grilledcheez_21
Nimbostratus
So interestingly, it seemed to have caused the servers to not connect that I was trying to allow. I'm trying to allow the ones listed in the iRule. Anyway, apparently the servers returned with a bunch of SSL failures.
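Added example, not from this thread and not F5 code: a small Python model of the two matching styles discussed above, so the allowlist logic can be checked offline before it goes into an iRule. `switch_exact_match` mirrors the first rule's Tcl `switch`, which compares the client address as a plain string, while `class_match` mirrors the `class match ... equals <data group>` lookup, where each entry is an address or network and the client is tested for membership. The allowlist entries and client addresses are constructed placeholders, and the data-group name `ALLOWED_IPS_DG` is an assumption standing in for `allowedIPs_dg`.

```python
import ipaddress
from typing import Iterable, Optional, Tuple, Union

# Constructed stand-in for the "allowedIPs_dg" data group from the thread.
# Entries may be single hosts or CIDR networks; all values are placeholders.
ALLOWED_IPS_DG = [
    "10.0.0.5",
    "10.0.0.6",
    "10.1.2.0/24",
]

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _parse_entry(entry: str) -> Network:
    # strict=False accepts a host-style entry such as "10.1.2.7/24" and
    # treats it as the enclosing /24, which is how an operator usually means it.
    return ipaddress.ip_network(entry, strict=False)


def switch_exact_match(client_addr: str, entries: Iterable[str]) -> bool:
    """Model of the first iRule: a Tcl `switch` compares the address as a
    plain string, so only literal host entries match; a CIDR entry never does."""
    return client_addr in set(entries)


def class_match(client_addr: str, entries: Iterable[str]) -> bool:
    """Model of `class match [IP::client_addr] equals <data group>`: each
    entry is parsed as an address or network and the client is checked for
    membership, so ranges work and IPv4/IPv6 mismatches are simply non-matches."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in _parse_entry(e) for e in entries)


def client_accepted(
    client_addr: str,
    entries: Iterable[str] = ALLOWED_IPS_DG,
    matcher=class_match,
) -> Tuple[str, Optional[str]]:
    """Decision taken in CLIENT_ACCEPTED: ("allow", None) when the client is
    listed, otherwise ("reject", log line) in the same format the iRule logs."""
    if matcher(client_addr, entries):
        return ("allow", None)
    return ("reject", f"Connection rejected from {client_addr}")


if __name__ == "__main__":
    # Constructed client addresses: a listed host, a host inside the listed
    # network, and an unlisted host.
    for client in ("10.0.0.5", "10.1.2.77", "10.9.9.9"):
        for name, m in (("switch", switch_exact_match), ("class match", class_match)):
            decision, log_line = client_accepted(client, matcher=m)
            print(f"{name:11s} {client:10s} -> {decision}" + (f"  [{log_line}]" if log_line else ""))
```

Running it shows the practical difference: the host inside `10.1.2.0/24` is allowed by the data-group style lookup but rejected by the string `switch`, which is the case to test for when an allowlist is widened from individual hosts to ranges.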