iRule to only allow certain IP addresses to a hostname
I am working on an iRule that will only allow a certain set of IP addresses to talk to a specific set of hostnames. I want it to keep processing the rest of the iRules in the list if it doesn't match the criteria to block. In its current state it doesn't seem to be blocking at all.
when CLIENT_ACCEPTED {
    # Decide once per connection whether the source address is in the client_net data group
    if { not [class match [IP::client_addr] equals client_net] } {
        set allowed_ip 0
    } else {
        set allowed_ip 1
    }
}
when HTTP_REQUEST {
    # Only act on hosts listed in the client_hostname data group
    if { [class match [string tolower [HTTP::host]] equals client_hostname] } {
        if { $allowed_ip == 0 } {
            drop
            log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
        }
    }
}
Okay, so my original issue was my own fault. I had the address I was being NAT'd to wrong; after correcting that, the original rule worked and so did this one, which is more concise thanks to Filip Mikulík.
when HTTP_REQUEST {
    if { (![class match [IP::client_addr] equals client_net]) and ([class match [string tolower [HTTP::host]] equals client_hostname]) } {
        log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
        HTTP::respond 404 content "Sorry the requested page is blocked for your IP [IP::client_addr]:[TCP::client_port]" "Content-type" "text/html; charset=utf-8"
    }
}
Or this:
when CLIENT_ACCEPTED {
    if { not [class match [IP::client_addr] equals client_net] } {
        set allowed_ip 0
    } else {
        set allowed_ip 1
    }
}
when HTTP_REQUEST {
    if { [class match [string tolower [HTTP::host]] equals client_hostname] } {
        if { $allowed_ip == 0 } {
            drop
            log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
        }
    }
}
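As an added example (not from the post and not F5's own code): a diagnostic variant of the same rule that logs, for every request, the client address the BIG-IP actually sees and the result of each data-group lookup, so a wrong NAT address in client_net shows up in /var/log/ltm instead of as a rule that silently never matches. It assumes the same data groups as the post (client_net as an address group, client_hostname as a string group), strips any ":port" suffix from the Host header before matching, and answers blocked requests with a 403 rather than drop/404.

```tcl
# Added diagnostic iRule (assumption: data groups client_net and client_hostname
# exist as in the post). Logs what is seen and how it matched before deciding.
when CLIENT_ACCEPTED {
    # Evaluate the source address once per TCP connection; class match returns 1 or 0.
    # If you are behind a NAT, this is the address that must be in client_net.
    set allowed_ip [class match [IP::client_addr] equals client_net]
}
when HTTP_REQUEST {
    # Normalise the Host header: lower-case and drop a trailing ":port" so that
    # "host.example.com:8443" still matches the entry in client_hostname.
    # (Bracketed IPv6 literal hosts are not handled here.)
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    set host_match [class match $host equals client_hostname]

    # Per-request trace: shows the real client address and both lookup results.
    log local0. "src=[IP::client_addr]:[TCP::client_port] host=$host in_client_net=$allowed_ip host_protected=$host_match"

    if { $host_match && !$allowed_ip } {
        log local0. "Block IP [IP::client_addr]:[TCP::client_port] for $host"
        HTTP::respond 403 content "Access to $host is not permitted from your address." "Content-Type" "text/plain"
        # Stop this rule's HTTP_REQUEST processing for the blocked request.
        return
    }
    # Allowed or unprotected host: fall through so later iRules on the
    # virtual server keep processing the request as normal.
}
```

Once the trace line confirms the expected address and match results, remove the per-request log statement so it does not flood the LTM log in production.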