Forum Discussion
limit source ip connection
I want to limit client connections. For example, when client ip1's connections equal 50, F5 rejects its access.
13 Replies
- Shaun_Simmons1
Altostratus
You definitely want an iRule that has a datagroup configured, just in case you want to add more IPs in the future.
I'm not an iRule guru..ha! One of the guys will chime in soon! :)
- Shaun_Simmons1
Altostratus
Hmm try this haha..just found it.
 
if { [class match [IP::remote_addr] equals ip_blacklist] } {
    reject
    event disable all
    return
}
Referenced from: https://devcentral.f5.com/s/feed/0D51T00006i7WnQSAU
Create a datagroup called "ip_blacklist"
- Shaun_Simmons1
Altostratus
Single IP:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals xx.xx.xx.xx/xx] } {
        reject
    }
}
Answered by Kevin Stewart on the link above.
- VernonWells
Employee
And, of course, to do the same but with quite a bit more performance, consider using AFM. If you have at least a Better bundle, it is already available to you.
- yuanqiang_22112
Nimbostratus
@Vernon, my customer did not buy AFM, and now I need to solve his question. Do you know how to limit client connections to not more than 50?
- yuanqiang_22112
Nimbostratus
@Shaun Simmons, thanks for your answer. For any source IP, if its connections are more than 50, I'll reject its flow. I read your iRules; their function is equal to a packet filter. Do you have another idea?
- Shaun_Simmons1
Altostratus
Found this post - https://devcentral.f5.com/s/feed/0D51T00006i7OkLSAU
 
There are a few iRules that can fit your need. Read towards the bottom and look for Hoolio's post
 
*Note: Verbiage of the iRule is based on your TMOS version.
 
- yuanqiang_22112
Nimbostratus
3Q
- VernonWells
Employee
Is it your desire to limit each source IP address to no more than 50 connections through a particular Virtual Server, or to limit the total number of connections to a Virtual Server to 50, regardless of source address? The latter is trivial; there is a connection limit setting on Virtual Servers. If it is the former, then the last entry in this post references a few rules that can be used to accomplish this:
- TayF5un
Nimbostratus
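You should try the iRule below. However, I have not tried it before.
when HTTP_REQUEST {
    # Count the entries in the session subtable named after the client IP
    set getCount [table keys -subtable [IP::client_addr] -count]
    if { $getCount > 50 } {
        # More than 50 entries recorded for this source address: drop the connection
        reject
    } else {
        return
    }
}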
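A per-source-IP connection limit of the kind asked about in this thread, as an added example that is not code from any of the posters. It assumes a TCP virtual server and the limit of 50 from the question; the subtable prefix `connlimit:` and the variables `tbl`, `key`, `timer` and `tracked` are hypothetical names.

```tcl
when CLIENT_ACCEPTED {
    # One subtable per source address; one entry per open connection,
    # keyed by the client's source port.
    set tbl "connlimit:[IP::client_addr]"
    set key [TCP::client_port]
    set tracked 0

    if { [table keys -subtable $tbl -count] >= 50 } {
        # This source already holds 50 tracked connections: refuse the new one.
        # Note that clients behind a shared NAT address count as one source.
        reject
    } else {
        # Record this connection with a 180-second idle timeout so that
        # entries from connections that vanish uncleanly age out on their own.
        table set -subtable $tbl $key "ignored" 180
        # Touch the entry every 60 seconds while the connection stays open,
        # which keeps long-lived connections counted.
        set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
        set tracked 1
    }
}

when CLIENT_CLOSED {
    # Only connections that were counted have a timer and a table entry.
    if { $tracked } {
        after cancel $timer
        table delete -subtable $tbl $key
    }
}
```

The count is taken before the new entry is written, so the 51st concurrent connection from one address is the first to be rejected.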