Forum Discussion
Need help with iRule
Can someone please let me know what's wrong with the iRule below?
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::local_addr] equals x.x.x.x/23] } {
            # Uncomment the line below to turn on logging.
            #log local0. "access not allowed: [IP::local_addr] - reject traffic"
            reject
        } else {
            # Uncomment the line below to turn on logging.
            #log local0. "Valid client IP: [IP::local_addr] - forwarding traffic"
            forward
        }
        snat none
        log local0. "Not allowed to be SNATed, [IP::client_addr]:[TCP::client_port] --> [IP::local_addr]:[TCP::local_port]"
    }
I am trying to reject inter-VLAN traffic, limited to the /23. I want this server to access everything else, but not the internet.
The internet part works (the box has no internet access), but it is not rejecting any traffic for the /23. I have put this iRule on a forwarding VS where the source is y.y.y.y/24 and the destination is 0.0.0.0/0.
What am I doing wrong?
2 Replies
- Kevin_Stewart
Employee
Please try this:
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals x.x.x.x/23] } {
            reject
        }
    }
I'm not sure what your intention is with IP::local_addr, but in the client side context that will give you the IP of the virtual server, or in an IP forwarding VIP, the IP of the server the client is ultimately connecting to. If you want the client's IP address, use the IP::client_addr command. You also shouldn't need the forward command. I don't think it hurts anything though. Last, the snat none command is in the root of the CLIENT_ACCEPTED event, so it applies to everything. If you don't need SNAT, then don't apply it to the VIP.
- Samir_Jha_52506
Noctilucent
I still don't understand your requirement. Hope this helps.
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals xx.xx.xx.xx/xx] } {
            log local0. "Blocking [IP::client_addr]"
            reject
        }
    }
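The following iRule is an added example, not code from either reply or from F5: it combines the two suggestions above (match on IP::client_addr, drop the forward command and the root-level snat none) and logs both the client and the local address on every connection so you can confirm from the log which of the two addresses actually falls in the range you want blocked. The 10.0.0.0/23 network is a placeholder standing in for the poster's x.x.x.x/23.

```tcl
# Added example; 10.0.0.0/23 is a placeholder for the x.x.x.x/23 range to block.
when CLIENT_ACCEPTED {
    # Client-side context: IP::client_addr is the connecting host,
    # IP::local_addr is the destination the client is trying to reach
    # (on an IP forwarding virtual server). Logging both shows which one
    # the match should really be written against.
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/23] } {
        log local0. "Access not allowed: client [IP::client_addr]:[TCP::client_port] -> local [IP::local_addr]:[TCP::local_port] - rejecting"
        reject
    } else {
        # No explicit forward needed: the forwarding VS already does that.
        # SNAT behaviour is configured on the VIP, not with "snat none" here.
        log local0. "Valid client IP: client [IP::client_addr] -> local [IP::local_addr]:[TCP::local_port] - forwarding"
    }
}
```

If the addresses you want to block show up in the log as the local address rather than the client address, that is the field the IP::addr comparison has to use.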