Limited Access to VIP by Source IP

Question

Should/Can I use an iRule to limite access to a VIP by source IP address?&nbsp;
&nbsp;I have several web servers hosting several public and one not so public applications.  I want to restrict who can access the no so public application by source IP.  Since they all applications fall under the same domain name I can't apply an "ACL" via the firewall.  This will have to be done at the LB level, at least I'd prefer it done so.&nbsp;
&nbsp;Is there an iRule already out there someone wouldn't mind sharing?&nbsp;
&nbsp;Thanks in advance.
&nbsp;Bob

hoolio · Answer

You can define a group of hosts/networks in a datagroup (called a class in the bigip.conf) and then use the matchclass function in an iRule to check that the client IP is a member of the datagroup before allowing access.  You can create the datagroup in the GUI under iRules | Datagroups. There is a separate tab for datagroups next to the iRules tab.  Select Address as the type.
Here is an example datagroup as it appears in the bigip.conf:
class allowed_hosts_networks_class {
   host 100.1.1.1
   network 10.0.0.0 mask 255.0.0.0
   network 172.16.0.0 mask 255.240.0.0
   network 192.168.0.0 mask 255.255.0.0
}
And here is an example rule which references the class and drops requests from clients who don't match the datagroup networks:
when CLIENT_ACCEPTED {
   log local0. "Received connection from [IP::client_addr]"
   if {not ([matchclass [IP::client_addr] equals $::allowed_hosts_networks_class])}{
      log local0. "Dropped connection from [IP::client_addr]"
       Drop the request
      drop
   }
}
Aaron

Forum Discussion

Recent Discussions

Help with SSH Virtual Server

iRule Developer Tools

F5 rate limiting with Irule

"01020066:3: The requested Node (/Common/fqdn1) already exists in partition Common."

Bigip Restoration From Hardware to VM

Related Content

AI Token Limit Enforcement

Rate limiting WebSocket messages for Agents

Test access sourcing from float

How to limit some snmp mib access

F5 Distributed Cloud (XC) Custom Routes: Capabilities, Limitations, and Key Design Considerations