Forum Discussion

Gorf_33479
Mar 10, 2011

iRule to filter based on subnet

Greetings all, I have been reading some other forum posts about using iRules to filter client IPs, and I have come across some discussions about how to get subnets to work, but I am still a little lost. I was hoping that someone could point me in the right direction.

We have many remote companies that need access into a billing portal that we run. I have built a pretty straightforward iRule that does this:


when CLIENT_ACCEPTED {
  switch [IP::client_addr] {
    173.160.151.225 {
    }
    [several dozen more ip cases trimmed for readability]
    default {
      drop;
    }
  }
}

(sorry for the formatting, the forum software on this site is really goofy. Something about not being able to paste rich content?)

So this works pretty well. But the problem I have is that some of my clients use various subnet ranges for their access, and I can't figure out how to match my clients whose addresses fall in something like a /28. Simply putting the subnet and CIDR into the switch doesn't seem to work.

Currently this is running on some 1600s with 9.4.x on them. We are planning a rollout of 10.2 soon though. Hoping someone can offer me some help.

Hi Gorf,

The switch statement you're using performs a string comparison of the client IP against the addresses. It would be more efficient to use an address type datagroup and 'matchclass' to do this. An address datagroup also supports subnets.

http://devcentral.f5.com/wiki/default.aspx/iRules/matchclass

when CLIENT_ACCEPTED {
   # drop the connection unless the client address (or its subnet) is in the address datagroup
   if { not ([matchclass [IP::client_addr] equals allowed_subnets_class]) } {
      drop
   }
}

Aaron
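To make the difference between the two approaches concrete, here is an added Python model (not an iRule, and not code from the thread) of the string-comparison switch in the question next to the address-datagroup lookup in the answer. The datagroup entries and client addresses are constructed for illustration; only 173.160.151.225 comes from the original switch, the CIDR ranges are documentation networks, not the poster's real clients.

```python
import ipaddress

# Constructed address datagroup: one host entry taken from the original switch,
# plus two CIDR entries (RFC 5737 documentation ranges, assumed for the example).
ALLOWED_SUBNETS_CLASS = [
    "173.160.151.225",    # host entry, behaves like a /32
    "203.0.113.0/28",     # a /28: 203.0.113.0 .. 203.0.113.15
    "198.51.100.64/26",   # a /26: 198.51.100.64 .. 198.51.100.127
]


def switch_string_match(client_addr, cases):
    """Model of the original iRule: the switch compares the client address
    as a string against each case, so a CIDR entry can never match a host."""
    return client_addr in cases


def build_address_class(entries):
    """Parse datagroup entries into network objects. A bare host becomes a
    /32; strict=True rejects a CIDR written with host bits set (e.g. x.x.x.5/28),
    which mirrors the requirement that a subnet entry start at its network address."""
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def matchclass(client_addr, address_class):
    """Model of 'matchclass [IP::client_addr] equals <class>' for an address
    datagroup: true when the client falls inside any host or subnet entry."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in network for network in address_class)


def decide(client_addr, address_class):
    """The decision the answer's iRule makes: accept on a match, otherwise drop."""
    return "accept" if matchclass(client_addr, address_class) else "drop"


if __name__ == "__main__":
    address_class = build_address_class(ALLOWED_SUBNETS_CLASS)
    for client in ("173.160.151.225", "203.0.113.7", "203.0.113.16", "198.51.100.200"):
        print(f"{client:16} switch={switch_string_match(client, ALLOWED_SUBNETS_CLASS)!s:5} "
              f"matchclass={decide(client, address_class)}")
```

The host from the switch matches under both models; a client inside the /28 is dropped by the string switch but accepted by the datagroup lookup, and 203.0.113.16, the first address past the /28, is correctly dropped by both.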