iRule to only allow private networks....
Hi, I have an iRule in place that is supposed to be rejecting all external network traffic coming into an LTM virtual server for a few select administrative pages. Someone on DevCentral had done something very similar to what I needed, so I took their iRule and adjusted it for my needs. The iRule is as follows:
    when HTTP_REQUEST {
        # Only the administrative paths below are restricted; the URI is lower-cased so the match is case-insensitive.
        switch -glob [string tolower [HTTP::uri]] {
            "*/wp-admin/*" -
            "*/wp-login.php" -
            "*/phpmyadmin/*" -
            "*/wp-config.php" {
                # Drop the connection unless the client address is in the private_net address data group.
                if { !([class match [IP::client_addr] equals private_net]) } {
                    reject
                }
            }
        }
    }
private_net is a data group that contains the Class A, B and C RFC private networks. The issue is that we are having random people inside our network (10.x.x.x) having the iRule apply to their connections, and they are unable to access the pages. I cannot find a reason why this is occurring. We did a Wireshark capture for someone that is being blocked and sure enough, you can see the source address is (10.x.x.x), but the iRule still kicks in.
Any ideas or insight into this issue would be greatly appreciated. Thanks.
- ItayG_188662
Nimbostratus
Maybe these clients are behind NAT? You can check it by adding a log to the iRule:
    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri]] {
            "*/wp-admin/*" -
            "*/wp-login.php" -
            "*/phpmyadmin/*" -
            "*/wp-config.php" {
                if { !([class match [IP::client_addr] equals private_net]) } {
                    # new added line: record the address the LTM actually sees for the rejected client
                    log local0. "rejected client ip [IP::client_addr]"
                    reject
                }
            }
        }
    }
and check which IP you see in /var/log/ltm
good luck!
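To see offline why a 10.x client can still be rejected, here is an added Python model of the switch/class-match logic from the thread (it is not an iRule and not code from either poster). It assumes private_net holds exactly the three RFC 1918 ranges, and the traffic it runs is constructed, including a client whose 10.x source is rewritten by NAT before it reaches the virtual server:

```python
import fnmatch
import ipaddress
from typing import List, Optional, Tuple

# Constructed stand-in for the "private_net" address data group: the three RFC 1918 ranges.
PRIVATE_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The glob patterns from the iRule's switch statement (the URI is lower-cased before matching).
PROTECTED_PATHS = ("*/wp-admin/*", "*/wp-login.php", "*/phpmyadmin/*", "*/wp-config.php")

def class_match(addr: str, data_group) -> bool:
    """Model of `class match $addr equals <address data group>`: true if any entry contains addr."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in data_group)

def evaluate(client_addr: str, uri: str) -> Tuple[str, Optional[str]]:
    """Return ("allow"|"reject", log_line) as the iRule would decide for one HTTP request."""
    path = uri.lower()
    if not any(fnmatch.fnmatchcase(path, pat) for pat in PROTECTED_PATHS):
        return "allow", None  # URI never enters the restricted switch arm
    if class_match(client_addr, PRIVATE_NET):
        return "allow", None
    return "reject", f"rejected client ip {client_addr} uri {uri}"

def simulate(requests) -> List[tuple]:
    """Run constructed requests through the model. Each request is (source IP seen by the LTM, URI)."""
    return [(src, uri, *evaluate(src, uri)) for src, uri in requests]

# Constructed traffic. The third request is the thread's situation: a 10.x workstation whose
# packets are source-NATed on the way in, so the virtual server sees the NAT address instead.
SAMPLE = [
    ("10.20.30.40", "/wp-login.php"),
    ("198.51.100.7", "/WP-Admin/index.php"),
    ("203.0.113.5", "/wp-admin/index.php"),  # real client is 10.20.30.40 behind NAT
    ("203.0.113.5", "/index.php"),
]

if __name__ == "__main__":
    for src, uri, decision, log in simulate(SAMPLE):
        print(f"{src:15} {uri:22} {decision}" + (f"  -> {log}" if log else ""))
```

The logged address is the one the data group is compared against, which is why a capture taken on the client side can show 10.x while the LTM still rejects the connection.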
- Tyson_James
Cirrus
Thanks so much. It was NAT. Had our firewall take a look and he figured it out.