Forum Discussion
cammy_178041
Nimbostratus
Apr 21, 2015
Need an iRule to block incoming connections if not matching a defined data group of addresses
Hi
I am trying to create an iRule to block incoming SMTP connections unless the originating IP is part of the block of IP addresses I have created in a data group. Where can I find this? Sorry -...
DEJ_159363
Cirrus
Apr 21, 2015
Hello,
Edit - just realized I had [TCP::client_addr] instead of [IP::client_addr]
I'm relatively new as well, but you may want to try the below. If the traffic is going to port 25 and the client IP is not included in your allow list, it is set to drop the traffic. All others will go to the default pool, if one is set.
```
when CLIENT_ACCEPTED {
    # Check if destination port is SMTP and the client IP is not in the allow list
    if { [TCP::local_port] == 25 && ![class match [IP::client_addr] equals DATAGROUPNAME] } {
        # Drop the traffic
        drop
    }
}
```
DEJ_159363
Cirrus
Apr 21, 2015
I don't know where you are applying this iRule, which is why I went ahead and specified the destination port.
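An added example, not code from either poster: a variant of the allow-list rule discussed in this thread that also logs each dropped source so rejected senders can be reviewed. The data group name `smtp_allowed_senders`, its address ranges (documentation prefixes), and the tmsh line in the comment are assumptions made for illustration.

```tcl
# Added example. Assumes an address-type data group named smtp_allowed_senders,
# created beforehand, for instance from tmsh (constructed sample ranges):
#   create ltm data-group internal smtp_allowed_senders type ip \
#       records add { 192.0.2.0/24 198.51.100.25/32 }

when CLIENT_ACCEPTED {
    # Only police SMTP. On a virtual server that listens on several ports,
    # everything else continues to the default pool untouched.
    if { [TCP::local_port] != 25 } { return }

    # An address-type data group matches on subnet membership, so one
    # "equals" test covers both single hosts and CIDR blocks.
    if { [class match [IP::client_addr] equals smtp_allowed_senders] } { return }

    # Source is not on the allow list: record it, then drop without a reply.
    log local0.notice "SMTP drop: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] not in smtp_allowed_senders"
    drop
}
```

`drop` discards the connection silently, while `reject` would send a TCP reset to the client. On a listener exposed to heavy unsolicited traffic, per-connection logging can flood the log, so it may be better enabled only while validating the allow list.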