Forum Discussion

Mike_61640
Sep 01, 2012

iRule to check Datagroup for allowed servers through a default VS

I'm sure there is a posting here with an iRule that will check a data group or list of servers to see if they are allowed through a Virtual Server. I'd like to control traffic between two internal segments on my network. Specifically, I have the F5 load balancing traffic to the DMZ. I was looking for a way to control which DMZ servers are allowed to talk to my internal servers. Since I need to specify destination IP and port, a VS seems the way to go, but I'm not sure how I control access. Thanks in advance. Mike
  • Richard__Harlan (Historic F5 Account)
    Something like this should be able to do what you want. You add the iRule to an Any:Any TCP VIP. The data group would be the IP:port with a list of clients allowed to talk to it. Below is the TCP version; below that is the UDP version, not much different but making UDP calls. You would have to create a new VIP to deal with UDP traffic.

    when CLIENT_ACCEPTED {
        # Default deny: the flow is dropped unless an allow-list entry matches.
        set reject 1
        set source_addr [IP::client_addr]
        set dest_ip_port "[IP::local_addr]:[TCP::local_port]"
        log local0. "Source = $source_addr Dest_IP:Port = $dest_ip_port"

        # Look up the client address in the tcp_firewall_rules data group. The
        # record value is a comma-separated list of "dest_ip:port" entries the
        # client may reach; no record (empty result) leaves reject = 1.
        # Note: on a string data group "contains" is a substring test, so a key
        # of 10.1.1.5 would also match client 10.1.1.50; "equals" is stricter.
        set dest_addr_class [class match -value -- [IP::client_addr] contains tcp_firewall_rules]
        set dest_addr_list [split $dest_addr_class ","]
        foreach dest_addr $dest_addr_list {
            if { $dest_addr equals $dest_ip_port } {
                set reject 0
            }
        }

        if { $reject } {
            # drop discards the flow silently (no RST is sent to the client);
            # use reject instead if the client should receive a reset.
            drop
            log local0. "TCP Connection reset Source = $source_addr Dest_IP:Port = $dest_ip_port"
        }
    }


    UDP Version


    when CLIENT_ACCEPTED {
        # Default deny: the datagram flow is dropped unless an entry matches.
        set reject 1
        set source_addr [IP::client_addr]
        set dest_ip_port "[IP::local_addr]:[UDP::local_port]"
        log local0. "Source = $source_addr Dest_IP:Port = $dest_ip_port"

        # Same lookup as the TCP rule, against the udp_firewall_rules data group:
        # record name = client address, value = comma-separated "dest_ip:port" list.
        set dest_addr_class [class match -value -- [IP::client_addr] contains udp_firewall_rules]
        set dest_addr_list [split $dest_addr_class ","]
        foreach dest_addr $dest_addr_list {
            if { $dest_addr equals $dest_ip_port } {
                set reject 0
            }
        }

        if { $reject } {
            # drop discards the datagram silently; nothing is sent back to the client.
            drop
            log local0. "UDP Connection reset Source = $source_addr Dest_IP:Port = $dest_ip_port"
        }
    }


    The iRule should do what you are looking for. Thanks
  • This is another example in Codeshare:

    Access Control Based On Network Or Host by Aaron
    https://devcentral.f5.com/wiki/iRules.AccessControlBasedOnNetworkOrHost.ashx
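A variant keyed the other way round, matching the description in the first reply (destination IP:port as the record name, the clients allowed to reach it as the record value) and using CIDR matching in the spirit of the Codeshare rule, so whole subnets can be permitted without one record per host. This is an added example, not code from either reply or from Codeshare; the data group name dmz_to_internal_acl, its sample records and the log wording are assumptions.

```tcl
# Added example (not from the original thread). Assumes a string-type data
# group named dmz_to_internal_acl, attached alongside this iRule to an
# Any:Any TCP virtual server, with records of the form
#   name  = "dest_ip:port"          e.g. 10.20.0.5:443
#   value = space-separated client networks e.g. "10.1.1.0/24 10.1.2.7/32"
# tmsh equivalent (assumed sample values):
#   ltm data-group internal dmz_to_internal_acl {
#       records { 10.20.0.5:443 { data "10.1.1.0/24 10.1.2.7/32" } }
#       type string
#   }
when CLIENT_ACCEPTED {
    set client [IP::client_addr]
    set dest "[IP::local_addr]:[TCP::local_port]"

    # Exact lookup on the destination. No record means no rule, and a missing
    # rule is a deny: every flow through the VS must be explicitly permitted.
    set allowed_nets [class match -value -- $dest equals dmz_to_internal_acl]
    if { $allowed_nets eq "" } {
        log local0. "DENY (no rule) $client -> $dest"
        reject
        return
    }

    # Permit only if the client falls inside one of the listed networks.
    # IP::addr compares against a CIDR block, so 10.1.1.5 matches 10.1.1.0/24
    # but a string prefix such as 10.1.1.50 vs 10.1.1.5 cannot cause a false match.
    foreach net $allowed_nets {
        if { [IP::addr $client equals $net] } {
            log local0. "ALLOW $client -> $dest (matched $net)"
            return
        }
    }

    log local0. "DENY $client -> $dest (not in: $allowed_nets)"
    reject
}
```

reject sends a TCP reset so the DMZ host fails fast; swap it for drop if silent discard is preferred, and keep the deny log lines, since they are the audit trail for cross-segment access attempts.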