
Forum Discussion

sstafford
Apr 03, 2009

IRule to block all but a few members of a subnet

Forgive the newbie question, but this will be only the second iRule that I've ever had to write. We've got a situation where a major application has failed, and we're moving it behind the LTM. However, we'd like to make sure that it is working prior to the public pounding on it--which they will do the second it comes up, unless we block most of the world from accessing it, while allowing the testing team's IPs through. I know it can be done, I'm just not sure where to start.

1 Reply

  • Since it's temporary, you could just use packet filters rather than writing a rule.

    Or, something like:

     when CLIENT_ACCEPTED {
       if { not ([IP::addr [IP::client_addr] equals "x.x.x.x"]) } {
         # add add'l IPs with an || operator if needed
         discard
       }
     }

    or if you create a Data Group (class) with your list of IP's:

     when CLIENT_ACCEPTED {
       if { not ([matchclass $::data_group_name contains [IP::client_addr]]) } {
         discard
       }
     }

    Denny
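The same allowlist pattern, written out as an added example rather than code from either poster: it uses the `class match` command that replaced `matchclass` on v10 and later, assumes an address-type data group named `allowed_testers` (a hypothetical name) that holds the test team's hosts or subnets, and logs each rejected connection so the block can be confirmed from /var/log/ltm while the test window is open and then removed cleanly afterwards.

```tcl
# Added example, not from the original thread. Assumes an address-type
# data group named "allowed_testers" (hypothetical) containing the test
# team's hosts and/or subnets, for example 198.51.100.7 and 192.0.2.0/24
# (constructed values). Everything not listed there is dropped.
when CLIENT_ACCEPTED {
    # class match does a longest-prefix lookup against an address data
    # group, so a /24 entry admits every host in that subnet.
    if { [class match [IP::client_addr] equals allowed_testers] } {
        # Tester: let the connection continue to the pool.
        return
    }

    # Everyone else: record who was turned away (source, destination VIP
    # and port) so the allowlist can be verified in /var/log/ltm, then drop
    # the connection silently, exactly as the discard in the reply does.
    log local0. "Blocked [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port], not in allowed_testers"
    discard
}
```

Because the check runs in CLIENT_ACCEPTED it applies to any TCP virtual server, not only HTTP ones. Watch the log for a few minutes after applying the rule: if a tester's address appears as blocked, the data group entry is wrong (typically a missing subnet mask) and should be fixed before anyone concludes the application itself is broken.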