Forum Discussion
nba_preseason_g
Aug 29, 2013Nimbostratus
Irule to limit access to VIP to only certain source ip addresses
I need an irule to only allow access to the f5 vip to certain source ip addresses. I think an irule is the only way to do his but please correct me if I am wrong.
Thx!
Kevin_Stewart
Aug 29, 2013Employee
The most secure method is probably an IP filter rule. The unauthorized IPs wouldn't even complete a TCP handshake. You can alternately do this with an iRule and optionally a data group. Create an address-based data group (ex. my_ip_dg) and add the allowed IPs/subnets.
iRule:
when CLIENT_ACCEPTED {
if { not ( [class match [IP::client_addr] equals my_ip_dg] ) } {
reject
}
}
Keep in mind though that the iRule implementation will allow a full 3-way TCP handshake before rejecting the client.
- seamlessfireworkSep 11, 2023Cirrus
Works for me, thanks a lot! Got a little improvement - VS Code said that. Put double dash after class match, like this
when CLIENT_ACCEPTED priority 60 { if { not ( [class match -- [IP::client_addr] equals [DataGroupName]] ) } { reject } }
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects