Forum Discussion
grilledcheez_21
Nov 17, 2015, Nimbostratus
iRule to allow only some IPs, Data traffic.
Hello,
I'm trying to create an iRule for only allowing certain IPs through to a VIP. I was given this iRule by a co-worker, but it doesn't seem to work. All traffic appears to be getting blocked. I...
Brad_Parker_139
Nov 17, 2015, Nacreous
Couple things. Try adding IP::addr and put your reject in the default command.

when CLIENT_ACCEPTED {
    switch [IP::addr [IP::client_addr]] {
        10.XX.XX.XX -
        10.XX.XX.XX -
        10.XX.XX.XX -
        10.XX.XX.XX -
        10.XX.XX.XX -
        10.XX.XX.XX { return }
        default {
            reject
            log local0. "Connection rejected from [IP::client_addr]"
        }
    }
}
- Brad_Parker_139, Nov 17, 2015, Nacreous
Also, if you ever plan on expanding the list of allowed IPs, a data group would be better to manage.

when CLIENT_ACCEPTED {
    if { [class match [IP::addr [IP::client_addr]] equals allowedIPs_dg] } {
        return
    } else {
        reject
        log local0. "Connection rejected from [IP::client_addr]"
    }
}
- grilledcheez_21, Nov 17, 2015, Nimbostratus
I will give that a try. Thanks!
- grilledcheez_21, Nov 17, 2015, Nimbostratus
So interestingly, it seemed to have caused the servers that I was trying to allow to not connect. I'm trying to allow the ones listed in the iRule. Anyway, apparently the servers returned with a bunch of SSL failures.
- grilledcheez_21, Nov 17, 2015, Nimbostratus
I think I'll give that class match a try. This switch on IP address doesn't seem to work. Thanks.
- grilledcheez_21, Nov 17, 2015, Nimbostratus
So it appears it still does not work. What happens is it keeps getting SSL errors, pipe broken. Now with this implementation the F5 is not offloading the SSL certs; we tried, but the app is so old it would just break. So the clients and servers are doing the SSL certs on their own and the F5 is transparent. So I don't understand why this is causing the 'pipe' to break. This simple script to block out IPs not allowed should not be breaking the SSL or 'pipe'. I don't get it.
- Brad_Parker_139, Nov 17, 2015, Nacreous
SSL errors would occur after the TCP 3-way handshake. If you are getting an SSL error, then the connection is making it through your iRule.
- grilledcheez_21, Nov 17, 2015, Nimbostratus
So then what could the iRule be doing that would cause it to think that the SSL is having issues? It works fine without the rule; as soon as I put the rule in, it breaks. :(
- Brad_Parker_139, Nov 17, 2015, Nacreous
So you have the log statement in your iRule. Is it logging that it is rejecting the traffic? Also, can you do a tcpdump to capture a failed connection? tcpdump -s0 -ni :nnn host and host .
- grilledcheez_21, Nov 17, 2015, Nimbostratus
Right, still learning to troubleshoot with this thing. Should have thought of that. Anyway, I found this error in the logs:

Tue Nov 17 14:18:06 EST 2015 err slot1/LTM02 tmm4[8476] 01220001 TCL error: /Common/RNG_AllowedIPs - invalid command name "IP::addr10.130.21.20" while executing "IP::addr[IP::client_addr]"

P.S. Thanks for all your assistance on this, Brad. It is very appreciated.
- grilledcheez_21, Nov 17, 2015, Nimbostratus
Hmmm.... I'm also being told by a fellow co-worker that I should try importing using the iRule editor, as I was just copying and pasting out of there, but sometimes formatting gets messed up when copied and pasted.
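The following is an added example, not code from this thread or from F5. It is plain Tcl that runs in tclsh without TMOS, and it shows two things the thread discusses: the default-deny decision that the switch/default and data-group iRules above implement, and why the pasted rule failed with the "invalid command name" TCL error. The addresses are constructed; the client address is passed in as an argument, and client_addr_stub is a hypothetical stand-in for IP::client_addr, since that command only exists inside TMOS.

```tcl
# Added example, not from the thread or from F5: plain Tcl, runnable in tclsh.
# Constructed stand-in for the contents of an address-type data group
# (allowedIPs_dg in the thread).
set allowedIPs_dg {10.130.21.20 10.130.21.21 10.130.21.22}

# Variant 1: switch with "-" fall-through, the shape used in the answer.
# A pattern whose body is "-" shares the body of the next pattern, so all
# listed addresses return "allow"; anything else falls into default, which is
# where the reject belongs. Note: no comments inside the switch body, Tcl
# would treat them as patterns.
proc decide_switch {client_addr} {
    switch -exact -- $client_addr {
        10.130.21.20 -
        10.130.21.21 -
        10.130.21.22 { return allow }
        default      { return reject }
    }
}

# Variant 2: lookup against a list, the tclsh equivalent of
#   class match [IP::client_addr] equals allowedIPs_dg
# Growing the allowlist means editing the list (or data group), not the code.
proc decide_datagroup {client_addr allowed} {
    if {[lsearch -exact $allowed $client_addr] >= 0} {
        return allow
    }
    return reject
}

# Why the pasted rule broke: the space between IP::addr and [IP::client_addr]
# was lost. Tcl substitutes the bracketed result into the SAME word as the
# text before it, so the command name itself becomes "IP::addr10.130.21.20".
# That is exactly the error logged in the thread. With the space restored the
# command name is IP::addr (which tclsh also lacks, but the name is intact).
proc client_addr_stub {} { return 10.130.21.20 }   ;# hypothetical stand-in
catch {IP::addr[client_addr_stub]} err
puts "no space   -> $err"
catch {IP::addr [client_addr_stub]} err
puts "with space -> $err"

# Run both decision variants over one allowed and one non-allowed address.
foreach ip {10.130.21.20 10.130.21.99} {
    puts "$ip: switch=[decide_switch $ip] datagroup=[decide_datagroup $ip $allowedIPs_dg]"
}
```

Both variants reject by default, so a client that matches nothing is dropped at CLIENT_ACCEPTED, before any TLS handshake. As Brad notes, an SSL error therefore means the connection already passed the rule; the TCL error in the log is the real cause, since a rule that throws aborts the connection regardless of the client address.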