Jimmy_124170
Jun 26, 2013

iRules that allow or deny access to a VIP based on src IP

Hello. I am trying to create an iRule that allows or denies access to certain ranks of a given IP vip. I tried to find an existing topic on the forum and I have not found one. If there is one and you know where it is, please tell me. It would be really appreciated.

Now here's what I did.

1 - I created a data group containing my address to refuse. Name: jimmy_ip

which is in the form: 142.125.251.0/255.255.255.0

2 - I created (or rather tried to create) an iRule that looks like this, just to see if it can work (based on an example found on the F5 site):


when CLIENT_ACCEPTED {
    set dcfw_mapping_dg {/Common/jimmy_ip}

    while {1} {
        set dcfw_vdg [ class match -value 142.125.251.70 equals $dcfw_mapping_dg ]
        if { ! [ class exists $dcfw_vdg ] } { break }
        if { [ class match [IP::remote_addr] equals $dcfw_vdg ] } { break }
        return
    }
}

The problem is that my access is never denied. I can always access my VIP. I added logs to see if my iRule was called and yes, it is.

Please help me

2 Replies

  • You can significantly simplify this iRule:

    
    when CLIENT_ACCEPTED {
        if { not ( [class match [IP::client_addr] equals jimmy_ip] ) } {
            reject
        }
    }
    
  • Thank you very much. This is exactly what I need

     

    Simple, straight to the point.
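
An added example (not code from this thread or from F5): a small Python model of address data-group matching that shows, for the `jimmy_ip` record from the question, which clients the condition in the first reply rejects and which the inverse condition rejects. It assumes `class match ... equals` on an address data group is true when the client address falls inside a record's network; the function names and sample client addresses are constructed for illustration.

```python
# Added example: models address data-group matching off-box so an ACL's
# effect can be checked before the iRule is attached to a virtual server.
import ipaddress

# Data group record in the network/netmask form shown in the question.
JIMMY_IP = ["142.125.251.0/255.255.255.0"]


def load_group(records):
    """Parse 'network/netmask' (or bare host) records into network objects.

    strict=True is a choice of this example: a record with host bits set
    raises ValueError, which catches mistyped networks early.
    """
    return [ipaddress.ip_network(r, strict=True) for r in records]


def class_match(client, group):
    """Model of `class match <addr> equals <group>` (assumed semantics):
    true when the client address lies inside any record's network."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in group)


def reply_rule(client, group):
    """Condition from the reply: reject when the client is NOT in the group."""
    return "reject" if not class_match(client, group) else "accept"


def inverse_rule(client, group):
    """Inverse condition: reject when the client IS in the group."""
    return "reject" if class_match(client, group) else "accept"


def evaluate(clients, records=JIMMY_IP):
    """Return {client: (reply_rule result, inverse_rule result)}."""
    group = load_group(records)
    return {c: (reply_rule(c, group), inverse_rule(c, group)) for c in clients}


if __name__ == "__main__":
    # Constructed sample clients: one inside the /24, two outside it.
    samples = ["142.125.251.70", "142.125.252.1", "10.0.0.5"]
    print(f"{'client':<18}{'not-in-group':<14}{'in-group'}")
    for client, (reply, inverse) in evaluate(samples).items():
        print(f"{client:<18}{reply:<14}{inverse}")
```

With the data group holding the addresses to refuse, the two conditions give opposite results for every client, so the table makes it easy to confirm which form matches the intended policy.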