Forum Discussion
Dennis__Lauder_
Nimbostratus
Feb 14, 2007
iRULE to drop in-bound ssh connections
I am looking for an iRULE to drop in-bound ssh connections if they are not from an accepted network.
Here is my first attempt:
class allowed_client_IP {
"x.x.x.x"
}
when CLIENT_ACCEPTED {
    log local0. "IP [IP::client_addr] Tried to connect"
    # matchclass takes the operator "equals" and the class variable itself,
    # not "eq" and a bracketed (command-substituted) list
    if { not [matchclass [IP::client_addr] equals $::allowed_client_IP] } {
        drop
    }
}
I get the following error:
01070151:3: Rule [ssh_allow] error:
line 1: [undefined procedure: class] [class allowed_client_IP {
"x.x.x.x"
}]
Thanks, Dennis
- JRahm
Admin
The class isn't part of the iRule, it needs to be added as a datagroup under the iRules tab:
- Dennis__Lauder_
Nimbostratus
I have added the class to the Data Group List. I can connect from x.x.x.x as well as y.y.y.y (I want to block y.y.y.y if it is not on the list).
- JRahm
Admin
Try discard, I haven't had much success with drop.
- Dennis__Lauder_
Nimbostratus
Maybe I have something else wrong. I have changed the rule to discard instead of drop but the results were the same. Here is some more information about my F5:
- JRahm
Admin
Remove the forwarding virtual server for port 22 (if possible) and retest. The developers can speak to the workflow, but I would expect the forwarding virtual server to have precedence over a tcp virtual server.
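Putting JRahm's two points together (class defined as a data group, not in the rule; discard instead of drop), here is an added example of the complete allow-list rule in the v9-era syntax used in the thread. It is not code from the thread; it assumes a data group named allowed_client_IP already exists under the Data Group List and that the rule is attached to the standard TCP virtual server for port 22.

```tcl
# Added example, not from the original thread.
# Assumes the address data group "allowed_client_IP" is created in the
# Data Group List (never inside the rule) and that this iRule is attached
# to the TCP virtual server listening on port 22.
when CLIENT_ACCEPTED {
    set src [IP::client_addr]

    # matchclass returns non-zero when $src matches a host or network
    # entry in the data group (on v10+ this is:
    #   class match $src equals allowed_client_IP)
    if { [matchclass $src equals $::allowed_client_IP] } {
        log local0. "ssh allowed from $src to [IP::local_addr]:[TCP::local_port]"
        return
    }

    # Anything not on the allow list is logged and silently dropped.
    # discard gives the client no response at all; reject would instead
    # send a TCP RST back, which is noisier but fails faster for the user.
    log local0. "ssh denied from $src to [IP::local_addr]:[TCP::local_port]"
    discard
}
```

The rule only sees the connection if the port 22 virtual server that owns it is the one it is attached to, which is why the forwarding virtual server mentioned above matters: if that one catches the traffic first, neither branch here ever runs.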