Forum Discussion
James_48517
Apr 09, 2018 Altostratus
iRule to only allow certain IP addresses to a hostname
I am working on an iRule that will only allow a certain set of IP addresses to talk to a specific set of hostnames. I want it to keep processing the rest of the iRules in the list if it doesn't match...
James_48517
Apr 10, 2018 Altostratus
Okay, so my original issue was my own fault. I had the address I was being NAT'd to wrong; after correcting that, the original rule worked and so did this one, which is more concise thanks to Filip Mikulík.
when HTTP_REQUEST {
    # Block when the client is NOT in client_net and the Host IS in client_hostname
    if { ( ![class match [IP::client_addr] equals client_net]) and ([class match [string tolower [HTTP::host]] equals client_hostname])} {
        log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
        HTTP::respond 404 content "Sorry the requested page is blocked for your IP [IP::client_addr]:[TCP::client_port]" "Content-type" "text/html; charset=utf-8"
    }
}
OR this
when CLIENT_ACCEPTED {
    # Decide once per connection whether the source address is in client_net
    if { not [class match [IP::client_addr] equals client_net]} {
        set allowed_ip 0
    } else {
        set allowed_ip 1
    }
}
when HTTP_REQUEST {
    # Only requests for hostnames in client_hostname are restricted
    if { [class match [string tolower [HTTP::host]] equals client_hostname]} {
        if {$allowed_ip==0} {
            drop
            log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
        }
    }
}
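A variant of the first rule that normalizes the Host header before the lookup, added here as an example and not part of the original posts. It assumes client_net is an address-type data group and client_hostname is a string-type data group holding lowercase DNS names without ports; req_host is a variable name chosen for this example.

```tcl
when HTTP_REQUEST {
    # HTTP::host returns the Host header as sent, so it can carry a port
    # ("app.example.com:8443"). Keep only the name part and lowercase it so
    # the lookup sees the same form the data group stores.
    # Assumption: restricted hosts are DNS names, not bracketed IPv6 literals.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]

    # Hostnames outside client_hostname are not restricted: leave this event
    # and let the remaining iRules on the virtual server handle the request.
    if { not [class match $req_host equals client_hostname] } {
        return
    }

    # IP::client_addr is the source address the BIG-IP sees. If an upstream
    # device NATs the client, client_net has to list the translated address.
    if { [class match [IP::client_addr] equals client_net] } {
        return
    }

    # Restricted hostname requested from an address outside client_net.
    log local0. "Block IP [IP::client_addr]:[TCP::client_port] for host $req_host"
    HTTP::respond 404 content "Sorry the requested page is blocked for your IP [IP::client_addr]:[TCP::client_port]" "Content-Type" "text/html; charset=utf-8"
}
```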