irulse for url limit

when HTTP_REQUEST {
    if {[string tolower [HTTP::query]] contains "redirect=/admin"} {
        HTTP::respond 404
    }
}

If by limited you mean rejected:

when HTTP_REQUEST {
    if { [HTTP::uri] contains "login" } {
        HTTP::close
    }
}

If you want one uri to come to the F5 and another uri to bypass the F5, that's impossible, since a DNS server only gets a host name name and the uri is at a different (higher) layer. The best you could do is have the F5 send the traffic from one uri to one pool, and another uri to a different pool, but it still has to traverse the F5.

If your meaning is different, please describe more clearly.

Updated to include checking of source IP address:

when RULE_INIT {
    set static::admin_datagroup "admin_datagroup"
}
when HTTP_REQUEST {
    if {[string tolower [HTTP::query]] contains "redirect=/admin"} {
        if { ! [class match [IP::client_addr] equals $static::admin_datagroup] } {
            HTTP::respond 404
        }
    }
}

You can replace condition

[string tolower [HTTP::query]] contains "redirect=/admin"

with (this will search

redirect

[string to lower [URI::query [HTTP::uri] redirect]] starts_with "/admin"

or

[string to lower [URI::query [HTTP::uri] redirect]] equals "/admin"

One other recommendation is to filter on HTTP::path instead of HTTP::uri if login string is in path part of the URI.

The final iRule can be:

when RULE_INIT {
    set static::admin_datagroup "admin_datagroup"
}
when HTTP_REQUEST {
    if {([HTTP::path] ends_with "/login/") && ([string to lower [URI::query [HTTP::uri] redirect]] starts_with "/admin")&& ! [class match [IP::client_addr] equals $static::admin_datagroup]} {
            HTTP::respond 404
    }
}