Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Bob_10976's avatar
Bob_10976
Icon for Nimbostratus rankNimbostratus
Feb 06, 2008

Limited Access to VIP by Source IP

Should/Can I use an iRule to limite access to a VIP by source IP address?     I have several web servers hosting several public and one not so public applications. I want to restrict who can ac...
application delivery
dev
devops
irules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Feb 06, 2008
You can define a group of hosts/networks in a datagroup (called a class in the bigip.conf) and then use the matchclass function in an iRule to check that the client IP is a member of the datagroup before allowing access. You can create the datagroup in the GUI under iRules | Datagroups. There is a separate tab for datagroups next to the iRules tab. Select Address as the type.

Here is an example datagroup as it appears in the bigip.conf:


class allowed_hosts_networks_class {
   host 100.1.1.1
   network 10.0.0.0 mask 255.0.0.0
   network 172.16.0.0 mask 255.240.0.0
   network 192.168.0.0 mask 255.255.0.0
}

And here is an example rule which references the class and drops requests from clients who don't match the datagroup networks:


when CLIENT_ACCEPTED {
   log local0. "Received connection from [IP::client_addr]"
   if {not ([matchclass [IP::client_addr] equals $::allowed_hosts_networks_class])}{
      log local0. "Dropped connection from [IP::client_addr]"
       Drop the request
      drop
   }
}

Aaron