irule to only allow specified IPs to connect to Vitrual

Question

Hello I am looking to create an irule that will only allow connections to a VIP from a list or allowed IP's. Does anyone have a solution that they have used in the past with success on this? &nbsp;
My thought was something like create a group like $trustedIP&nbsp;
Then when &nbsp;
When client accepted 
if eq $trustedIP&nbsp;
allow 
elseif not eq 
block&nbsp;

kai_wilke · Answer

Hi jdeeby, 
you could use LTMs data-groups as a storage for your white-listed IPs and then use an iRule during CLIENT_ACCEPTED event, to compare the connecting [IP::client_addr] with your data-group information. 
Data-Group Config:
ltm data-group internal DG_MY_ALLOWED_IPs {
    records {
        1.1.1.1/32 {}
        2.2.2.0/24 {}
    }
    type ip
}

iRule Syntax to drop the connection on a TCP layer:
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals DG_MY_ALLOWED_IPs] } then {
         Allow trusted clients
    } else {
         Drop untrusted clients
        drop
    }
}

Cheers, Kai

Forum Discussion

irule to only allow specified IPs to connect to Vitrual

1 Reply

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

Long URL Redirecting

APM Access Policy|SSLVPN | SAML auth questionnaires

Azure Virtual Machine Scale Set (VMSS) with F5 LTM

F5 DNS Generic Host

Which encyrtion algorithm is used when making Kerberos ticket encyrtion.

Related Content

Three Ways to Specify Multiple Ports on a Virtual Server

Get virtual servers, pools, pool members, statuses and connections on a specified LTM

Site-to-Site Connectivity in F5 Distributed Cloud Network Connect – Reference Architecture

Force BotDefense Captcha on Specified URL

Specify global variables to be used over multiple connections

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS