venom43212_9610
Aug 04, 2011 (Nimbostratus)
iRule to Filter on X-Netli-Forward-For value
I am trying to create an iRule that will look at the X-Netli-Forward-For value, and if it matches an IP address, it is forwarded on; if it does not, it is dropped. Basically, I only want to allow a global PAT to be forwarded on from the VIP, and everything else to drop. Any help would be appreciated. Thanks.
- hooleylist (Cirrostratus): If you create an address type datagroup you can use an iRule like this. Keep in mind that users can insert any arbitrary header. So if someone knew you were using this kind of logic they could bypass it.

```
when HTTP_REQUEST {

   # Check if the XFF header is set and not null
   if {[HTTP::header X-Netli-Forward-For] ne ""}{

      # Look up the value in the allowed_ips_class datagroup
      if {not [class match [HTTP::header X-Netli-Forward-For] equals allowed_ips_class]}{

         # Reset the connection
         reject
      }
   }
}
```
- Kevin_Davies_40 (Nacreous): This post was intentionally left blank as formatting is impossible. What are you guys using to put HTML tags in an iRule, think HTTP::respond, in a post on these forums?
- venom43212_9610 (Nimbostratus): Thanks for the replies. There are actually two globals, so the data group suggestion by Aaron worked out great. Also, good call out on the header insertion. Thanks again.
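
The header-insertion caveat in hooleylist's reply can be narrowed by honouring X-Netli-Forward-For only when the TCP peer is a known proxy. The iRule below is an added example, not code from the thread; `trusted_proxies_class` is a hypothetical address-type data group you would create, and unlike the thread's rule it also rejects requests that lack the header.

```tcl
# Added example, not from the thread.
# Assumed address-type data groups:
#   allowed_ips_class     - permitted original-client addresses (name from the thread)
#   trusted_proxies_class - hypothetical: proxies permitted to set the header
when HTTP_REQUEST {

   # The header is only meaningful if a trusted upstream proxy wrote it.
   # Any other peer could have inserted it, so refuse the connection.
   if { not [class match [IP::client_addr] equals trusted_proxies_class] } {
      log local0.notice "XNFF policy: untrusted peer [IP::client_addr]"
      reject
      return
   }

   # Require exactly one instance of the header. A missing header fails
   # closed, and a duplicate cannot shadow the value the proxy supplied.
   if { [HTTP::header count X-Netli-Forward-For] != 1 } {
      log local0.notice "XNFF policy: header count != 1 from [IP::client_addr]"
      reject
      return
   }

   set fwd [string trim [HTTP::header value X-Netli-Forward-For]]

   # A value that is not a single IP address (for example a comma-separated
   # list) can make the address lookup raise an error; treat that as no match.
   set allowed 0
   if { [catch { set allowed [class match $fwd equals allowed_ips_class] }] } {
      set allowed 0
   }

   if { not $allowed } {
      log local0.notice "XNFF policy: forwarded address not allowed, peer [IP::client_addr]"
      reject
      return
   }
}
```

This still depends on the upstream proxy overwriting any X-Netli-Forward-For header that arrives from its own clients rather than passing it through.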