Forum Discussion

Mike_61640
Nimbostratus
Sep 01, 2012

iRule to check Datagroup for allowed servers through a default VS

I'm sure there is a posting here that has an iRule that will check a datagroup or list of servers to see if they are allowed through a Virtual Server. I'd like to control traffic between two internal segments on my network. Specifically, I have the F5 load balancing traffic to the DMZ. I was looking for a way to control which DMZ servers are allowed to talk to my internal servers. Since I need to specify destination IP and port, a VS seems the way to go, but I'm not sure how I control access. Thanks in advance. Mike


  • I found a solution to this by customizing an iRule based on other posts I found. Here is the rule that I used. The Datagroups are just a list of server IPs using a Datagroup with type "Address".

    when CLIENT_ACCEPTED {
        # Is the client IP address defined in the FE datagroup?
        if { [class match [IP::client_addr] equals sj01-fe-servers] } {
            # Log the client IP address:port -> destination IP address:port
            log local0. "admin request accepted from client: \
                [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
        } elseif { [class match [IP::client_addr] equals sj01-strongmail-servers] } {
            # Client IP address is defined in the strongmail datagroup
            # Log the client IP address:port -> destination IP address:port
            log local0. "restricted client request accepted from client: \
                [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
        } else {
            # Request didn't match the conditions for allowing the request
            # Log the client IP address:port -> destination IP address:port
            log local0. "unknown request rejected from client: \
                [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
            drop
        }
    }
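The decision tree of the iRule above, modelled offline in Python so the data-group contents can be checked before they are loaded on the BIG-IP. This is an added example, not code from the original post or from F5: the two data-group names are taken from the iRule, the addresses inside them are constructed samples, and `class_match` is a stand-in for the iRule `class match` command rather than F5's implementation.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample contents for the two Address-type data groups named in
# the iRule. Host entries and CIDR ranges are both valid in an Address data
# group; these particular values are made up for the example.
DATAGROUPS: Dict[str, List[str]] = {
    "sj01-fe-servers": ["10.10.1.0/24", "10.10.2.15"],
    "sj01-strongmail-servers": ["10.20.5.10", "10.20.5.11", "10.10.1.200"],
}


def class_match(addr: str, group: str) -> bool:
    """Model of `class match $addr equals $group` for an Address data group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in DATAGROUPS[group])


def decide(client_ip: str, client_port: int, local_ip: str, local_port: int) -> Tuple[str, str]:
    """Apply the iRule's CLIENT_ACCEPTED decision tree to one connection.

    Returns (action, log message). Branch order matters: the FE group is
    tested first, and a client in neither group falls through to drop.
    """
    flow = f"{client_ip}:{client_port} -> {local_ip}:{local_port}"
    if class_match(client_ip, "sj01-fe-servers"):
        return "accept", f"admin request accepted from client: {flow}"
    if class_match(client_ip, "sj01-strongmail-servers"):
        return "accept", f"restricted client request accepted from client: {flow}"
    return "drop", f"unknown request rejected from client: {flow}"


def overlapping_entries(group_a: str, group_b: str) -> List[Tuple[str, str]]:
    """Entries of group_a that overlap entries of group_b.

    Because the FE branch wins, a client listed in both groups is always
    logged as an admin request; run this check before loading the groups.
    """
    hits = []
    for a in DATAGROUPS[group_a]:
        net_a = ipaddress.ip_network(a, strict=False)
        for b in DATAGROUPS[group_b]:
            if net_a.overlaps(ipaddress.ip_network(b, strict=False)):
                hits.append((a, b))
    return hits


if __name__ == "__main__":
    for ip in ("10.10.1.25", "10.20.5.10", "10.10.1.200", "192.168.9.9"):
        print(decide(ip, 51000, "10.30.0.5", 443))
    print(overlapping_entries("sj01-fe-servers", "sj01-strongmail-servers"))
```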