Forum Discussion
Mike_61640
Sep 01, 2012 (Nimbostratus)
iRule to check Datagroup for allowed servers through a default VS
I'm sure there is a posting here that has an iRule that will check a datagroup or list of servers to see if they are allowed through a Virtual Server. Like to control traffic between two internal seg...
Richard__Harlan
Sep 04, 2012 (Historic F5 Account)
Something like this should be able to do what you want. You add the iRule to an Any:Any TCP VIP. The data group would be the IP:port with a list of clients allowed to talk to it. Below is the TCP version; below that is the UDP version, not much different but it makes UDP calls. You would have to create a new VIP to deal with UDP traffic.
when CLIENT_ACCEPTED {
    # Default deny: the connection is rejected unless a data group entry allows it
    set reject 1
    set source_addr [IP::client_addr]
    set dest_ip_port [IP::local_addr]:[TCP::local_port]
    log local0. "Source = $source_addr Dest_IP:Port = $dest_ip_port"
    # Look up the client address in the tcp_firewall_rules data group and return
    # its value: a comma-separated list of destination IP:port pairs it may reach
    set dest_addr_class [class match -value -- [IP::client_addr] contains tcp_firewall_rules]
    set dest_addr_list [split $dest_addr_class ","]
    foreach dest_addr $dest_addr_list {
        if { $dest_addr equals $dest_ip_port } {
            set reject 0
        }
    }
    if { $reject } {
        drop
        log local0. "TCP Connection reset Source = $source_addr Dest_IP:Port = $dest_ip_port"
    }
}
UDP Version
when CLIENT_ACCEPTED {
    # Default deny: the datagram flow is rejected unless a data group entry allows it
    set reject 1
    set source_addr [IP::client_addr]
    set dest_ip_port [IP::local_addr]:[UDP::local_port]
    log local0. "Source = $source_addr Dest_IP:Port = $dest_ip_port"
    # Same lookup as the TCP rule, against the udp_firewall_rules data group
    set dest_addr_class [class match -value -- [IP::client_addr] contains udp_firewall_rules]
    set dest_addr_list [split $dest_addr_class ","]
    foreach dest_addr $dest_addr_list {
        if { $dest_addr equals $dest_ip_port } {
            set reject 0
        }
    }
    if { $reject } {
        drop
        log local0. "UDP Connection reset Source = $source_addr Dest_IP:Port = $dest_ip_port"
    }
}
The iRule should do what you are looking for. Thanks
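An off-box reference model of the decision the iRule above makes, added here as an example and not taken from the post or from F5. The data group contents are constructed; treating a data group key as a CIDR (as an address-type data group would) and trimming whitespace after commas are assumptions that go beyond the string match in the answer's code.

```python
import ipaddress
from typing import Dict, List

# Constructed sample data group, modelled on the answer's tcp_firewall_rules:
# key = client address or CIDR (assumption), value = comma-separated list of
# destination IP:port pairs that client is allowed to reach.
TCP_FIREWALL_RULES: Dict[str, str] = {
    "10.1.1.5": "10.2.0.10:443,10.2.0.11:443",
    "10.1.2.0/24": "10.2.0.20:22, 10.2.0.20:3306",  # stray space after the comma
}


def lookup_allowed(client_ip: str, rules: Dict[str, str]) -> List[str]:
    """Mirror of 'class match -value': return the allow-list for the most
    specific key that contains client_ip, or an empty list if none matches."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for key, value in rules.items():
        net = ipaddress.ip_network(key, strict=False)  # bare IP becomes a /32
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    if best is None:
        return []
    # Trim whitespace so "a, b" does not silently fail the equals comparison
    return [entry.strip() for entry in best[1].split(",") if entry.strip()]


def decide(client_ip: str, dest_ip: str, dest_port: int, rules: Dict[str, str]) -> str:
    """Default deny, exactly as the iRule sets reject=1 before its loop:
    only an exact IP:port entry for this client yields 'allow'."""
    dest = f"{dest_ip}:{dest_port}"
    return "allow" if dest in lookup_allowed(client_ip, rules) else "drop"


if __name__ == "__main__":
    for src, dst, port in [("10.1.1.5", "10.2.0.10", 443),
                           ("10.1.1.5", "10.2.0.10", 80),
                           ("10.1.2.77", "10.2.0.20", 3306),
                           ("192.168.1.1", "10.2.0.10", 443)]:
        print(f"{src} -> {dst}:{port}: {decide(src, dst, port, TCP_FIREWALL_RULES)}")
```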