iRule to Filter on X-Netli-Forward-For value

Question

I am trying to create an iRule that will look at the X-Netli-Forward-For value, and if it matches an IP address, it is forwarded on, if it does not, it is dropped. Basically, I only want to allow a global PAT to to be forwarded on from the VIP, and everything else to drop. Any help would be appreciated. Thanks.

hooleylist · Answer

If you create an address type datagroup you can use an iRule like this.  Keep in mind that users can insert any arbitrary header.  So if someone knew you were using this kind of logic they could bypass it.

when HTTP_REQUEST {

Check if the XFF header is set and not null
   if {[HTTP::header X-Netli-Forward-For] ne ""}{

Look up the value in the allowed_ips_class datagroup
      if {not [class match [IP::client_addr] equals allowed_ips_class]}{

Reset the connection
 reject
      }
   }
}

Aaron

kevin_davies_40 · Answer

This post was intentionally left blank as formatting is impossible. What are you guys using to put HTML tags in an iRule , think HTTP::respond,  in a post on these forums?&nbsp;

venom43212_9610 · Answer

Thanks for the replies. There are actually two globals, so the data group suggestion by Aaron worked out great. Also, good call out on the header insertion. Thanks again.

Forum Discussion

iRule to Filter on X-Netli-Forward-For value

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Ansible bigip_device_facts - Filter Output

Filter request irule

irule ports

Packet filter can't filter proxypass is there any other way to filter traffic?

Filtering unused External SP Connectors

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS