iRule to only allow certain IP addresses to a hostname
- Apr 10, 2018
Okay, so my original issue was my own fault. I had the address I was being NAT'd to wrong; after correcting that, the original rule worked and so did this one, which is more concise thanks to Filip Mikulík.
when HTTP_REQUEST {
    if { ( ![class match [IP::client_addr] equals client_net]) and ([class match [string tolower [HTTP::host]] equals client_hostname])} {
        log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
        HTTP::respond 404 content "Sorry the requested page is blocked for your IP [IP::client_addr]:[TCP::client_port]" "Content-type" "text/html; charset=utf-8"
    }
}
OR this
when CLIENT_ACCEPTED {
    # Decide once per connection whether the client address is in the client_net data group
    if { not [class match [IP::client_addr] equals client_net] } {
        set allowed_ip 0
    } else {
        set allowed_ip 1
    }
}
when HTTP_REQUEST {
    # Only requests for the protected hostnames are restricted
    if { [class match [string tolower [HTTP::host]] equals client_hostname] } {
        if { $allowed_ip == 0 } {
            drop
            log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
        }
    }
}
I hope that I understand your task correctly. Try
when HTTP_REQUEST {
    if { ( ![class match [IP::client_addr] equals client_net] ) and ( class match [string tolower [HTTP::host]] equals client_hostname )} {
        log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
        HTTP::respond 404 content "Sorry the requested page is blocked for your IP [IP::client_addr]:[TCP::client_port]" "Content-type" "text/html; charset=utf-8"
    }
}
- James_48517, Apr 10, 2018, Altostratus
I attempted to use that but I got a syntax error.
01070151:3: Rule [/DMZ_PUB/tor06_client_allow_rule] error: /DMZ_PUB/tor06_client_allow_rule:2: error: [parse error: PARSE syntax 92 {syntax error in expression " ( ![class match [IP::client_addr] equals client_net] ) and ...": variable references require preceding $}][{ ( ![class match [IP::client_addr] equals client_net] ) and ( class match [string tolower [HTTP::host]] equals client_hostname )}]
- James_48517, Apr 10, 2018, Altostratus
Okay, I figured out the syntax issue; it just wanted a few more brackets on the second class match. Otherwise this rule works and so does my original rule; I just had my IP address wrong when I was testing it. Thanks.
- Filip_Mikulík_1, Apr 11, 2018, Cirrus
Yes, the closing brackets ... my usual problem. Sorry for that.
So you resolved it by yourself, nice. Have a nice day.
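A variant of the rule discussed in this thread, as an added example that was not posted by anyone in the discussion: it normalizes the Host header (lower case, port suffix and trailing dot removed) before the data-group lookup, so the match against client_hostname does not depend on how the client formats the header. The data group names client_net and client_hostname are the thread's; the 403 status, the response text and the log wording are assumptions.

```tcl
when HTTP_REQUEST {
    # HTTP::host returns the Host header as sent, which may carry a ":port"
    # suffix or a trailing dot. Normalize it so "Example.COM:443" and
    # "example.com." hit the same client_hostname entry as "example.com".
    set host [string trimright [getfield [string tolower [HTTP::host]] ":" 1] "."]

    # Requests for hostnames outside the protected data group are not restricted.
    if { not [class match $host equals client_hostname] } {
        return
    }

    # Protected hostname: let the request through only from allowed addresses.
    if { [class match [IP::client_addr] equals client_net] } {
        return
    }

    # Log the source address exactly as BIG-IP sees it. When clients arrive
    # through NAT, this is the translated address, and it is the value that
    # has to be present in the client_net data group.
    log local0. "Block IP [IP::client_addr]:[TCP::client_port] for host $host"
    HTTP::respond 403 content "Access to this host is restricted." "Content-Type" "text/plain; charset=utf-8"
}
```

The log line is also the quickest way to confirm which address a test client is being translated to before adding it to client_net.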