Forum Discussion
iRule to only allow certain IP addresses to a hostname
I am working on an iRule that will only allow a certain set of IP addresses to talk to a specific set of hostnames. I want it to keep processing the rest of the iRules in the list if it doesn't match the criteria to block. In its current state it doesn't seem to be blocking at all.
```tcl
when CLIENT_ACCEPTED {
    # Remember whether the (post-NAT) client address is in the client_net data group
    if { not [class match [IP::client_addr] equals client_net] } {
        set allowed_ip 0
    } else {
        set allowed_ip 1
    }
}
when HTTP_REQUEST {
    # Only enforce for hosts listed in the client_hostname data group
    if { [class match [string tolower [HTTP::host]] equals client_hostname] } {
        if { $allowed_ip == 0 } {
            drop
            log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
        }
    }
}
```
okay so my original issue was my own fault. I had the address I was being NAT'd to wrong, after correcting that the original rule worked and so did this one, which is more concise thanks to Filip Mikulík.
```tcl
when HTTP_REQUEST {
    if { ( ![class match [IP::client_addr] equals client_net] ) and ( [class match [string tolower [HTTP::host]] equals client_hostname] ) } {
        log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
        HTTP::respond 404 content "Sorry the requested page is blocked for your IP [IP::client_addr]:[TCP::client_port]" "Content-type" "text/html; charset=utf-8"
    }
}
```
OR this
```tcl
when CLIENT_ACCEPTED {
    if { not [class match [IP::client_addr] equals client_net] } {
        set allowed_ip 0
    } else {
        set allowed_ip 1
    }
}
when HTTP_REQUEST {
    if { [class match [string tolower [HTTP::host]] equals client_hostname] } {
        if { $allowed_ip == 0 } {
            drop
            log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
        }
    }
}
```
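An offline model of the accepted rule's decision logic, added here as an example (it is not code from the thread or from F5): it reproduces the "outside client_net AND host in client_hostname means block" condition, and also strips a :port suffix from the Host header, which the iRule above does not do. The data-group contents are constructed, and address-group matching is assumed to behave as CIDR containment.

```python
"""Model of the accepted iRule: block only when the client address is outside
the client_net data group AND the Host matches the client_hostname group."""
import ipaddress

# Constructed stand-ins for the two BIG-IP data groups used in the thread.
CLIENT_NET = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.10/32")]
CLIENT_HOSTNAME = {"portal.example.com", "api.example.com"}  # assumed values


def normalize_host(host_header):
    """Mirror [string tolower [HTTP::host]], plus strip any :port suffix.
    The thread's rule compares the raw lowercased Host, so a request for
    "portal.example.com:8443" would never match the data group there."""
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:80
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def in_client_net(client_addr):
    """Model of 'class match $addr equals client_net' on an address data group,
    assumed here to mean containment in one of the listed networks."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in net for net in CLIENT_NET)


def decide(client_addr, host_header):
    """Return ('block', reason) or ('allow', reason) like the HTTP_REQUEST event.
    client_addr must be the address the BIG-IP actually sees (post-NAT), which
    was the root cause of the original 'not blocking' symptom in the thread."""
    host = normalize_host(host_header)
    protected = host in CLIENT_HOSTNAME
    if protected and not in_client_net(client_addr):
        return "block", f"Block IP {client_addr} for {host}"
    if protected:
        return "allow", "client is in client_net"
    return "allow", "host not protected; later iRules keep processing"


if __name__ == "__main__":
    for addr, host in (("10.20.5.7", "portal.example.com"),
                       ("203.0.113.9", "Portal.Example.COM:8443"),
                       ("203.0.113.9", "www.example.com")):
        print(addr, host, "->", decide(addr, host))
```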
I hope that I understand your task correctly. Try
```tcl
when HTTP_REQUEST {
    if { ( ![class match [IP::client_addr] equals client_net] ) and ( class match [string tolower [HTTP::host]] equals client_hostname ) } {
        log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
        HTTP::respond 404 content "Sorry the requested page is blocked for your IP [IP::client_addr]:[TCP::client_port]" "Content-type" "text/html; charset=utf-8"
    }
}
```
- James_48517Altostratus
I attempted to use that but I got a syntax error.
01070151:3: Rule [/DMZ_PUB/tor06_client_allow_rule] error: /DMZ_PUB/tor06_client_allow_rule:2: error: [parse error: PARSE syntax 92 {syntax error in expression " ( ![class match [IP::client_addr] equals client_net] ) and ...": variable references require preceding $}][{ ( ![class match [IP::client_addr] equals client_net] ) and ( class match [string tolower [HTTP::host]] equals client_hostname )}]
- James_48517Altostratus
Okay, I figured out the syntax issue, it just wanted a few more brackets on the second class match, but otherwise this rule works and so does my original rule, I just had my IP address wrong when I was testing it. Thanks.
Yes, the close brackets ... my usual problem. Sorry for that.
So you resolved it by yourself, nice. Have a nice day.