Forum Discussion
Need to allow certain IP addresses to an F5 VIP.
I need to restrict an F5 VIP to allow certain IP addresses. It appears I need to create a data group (allowed-nets) from the F5 GUI with an allow list of IP addresses. Does the iRule below work as is?
when CLIENT_ACCEPTED {
    if { not ([class match [IP::client_addr] equals allowed-nets]) } {
        log local0. "[IP::client_addr] is not permitted to site xxxx"
        reject
    }
}
ltm data-group internal allowed-nets {
    records {
        192.168.20.0/24 { data "NetYYYY" }
        192.178.20.0/24 { data "NetYYYY" }
        192.188.20.0/24 { data "NetYYYY" }
    }
    type ip
}
10 Replies
- Hamish
Cirrocumulus
Hi.
Could you please reformat your question and put code fences (Preformatted Code) around the iRule itself... It makes it a lot easier for everyone to see.
- WithF5
Nimbostratus
Hi mate,
You need to indent your algorithm if you want it to work.
when CLIENT_ACCEPTED {
    if { not [class match [IP::client_addr] equals allowed-nets] } {
        log local0. "[IP::client_addr] is not permitted to site xxxx"
        reject
    }
}
Also, I don't think that networks defined in the data group will work... you need to use the full IP /32 (e.g. 192.168.1.1, 192.168.1.2 ...). You can do it in the CLI to make it faster.
- nitass_89166
Noctilucent
Does the iRule below work as is?
It looks okay to me.
- swjo_264656
Cirrostratus
I've been using that kind of rule.
You should check it before applying it to the VS.
That data-group list should contain the client-side and server-side IPs or networks.
Take care.
- swjo_264656
Cirrostratus
I'm using two rules, one for forwarding and one for the VIP service.
ltm rule forward_allow {
    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals forward_white_list] } {
            # permitted, nothing else to do
        } else {
            log local0. "[IP::remote_addr]:[TCP::remote_port] Dst [IP::local_addr]:[TCP::local_port] -> Denied"
            reject
        }
    }
}
ltm rule vip_allow {
    when CLIENT_ACCEPTED {
        if { [class match [IP::remote_addr] equals vip_white_list] } {
            LB::server pool
        } else {
            log local0. "[IP::remote_addr]:[TCP::remote_port] Dst [IP::local_addr]:[TCP::local_port] -> Denied"
            reject
        }
    }
}
Please refer to them.
- AhmedGalal219_3
Nimbostratus
First, if you have the AFM module you can make a policy with an allowed address list and then attach the policy to the VIP... or if you need an iRule you can use:
when HTTP_REQUEST {
    if { [IP::client_addr] equals "x.x.x.x" or [IP::client_addr] equals "x.x.x.x" or [IP::client_addr] equals "x.x.x.x" } {
        # permitted: end the event and let the request continue
        return
    } else {
        reject
    }
}
- KJ_50941
Nimbostratus
We don't have the F5 AFM module. This needs to be done with LTM 12.1.x code, so can I use only an iRule, or do I still need to create a data group?
when HTTP_REQUEST {
    if { [IP::client_addr] equals "x.x.x.x" or [IP::client_addr] equals "x.x.x.x" or [IP::client_addr] equals "x.x.x.x" } {
        # permitted: end the event and let the request continue
        return
    } else {
        reject
    }
}
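Pulling the original question and the replies together, here is a complete allow-list iRule as an added example; it is not code from any poster in this thread. It assumes a TCP virtual server on LTM alone (no AFM) and an address-type data group named allowed-nets, which can hold single hosts as well as CIDR networks, since class match on an ip data group matches by prefix.

```tcl
# Added example, not from the thread. Assumes an LTM virtual server (TCP) and
# an address data group named "allowed-nets", created for instance with:
#   tmsh create ltm data-group internal allowed-nets type ip \
#        records add { 192.168.20.0/24 { } 10.10.5.7 { } }
# Entries may be hosts or networks; "ip" data groups match by prefix, so a
# client at 192.168.20.45 matches the 192.168.20.0/24 entry.
when CLIENT_ACCEPTED {
    # Decide at connection setup so non-HTTP virtual servers are covered too
    # and nothing from an unwanted source is parsed before it is refused.
    if { [class match [IP::client_addr] equals allowed-nets] } {
        # Permitted: end this event; the virtual server sends the flow to its pool.
        return
    }
    # Log before reject so every denial is recorded in /var/log/ltm.
    log local0. "Denied [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] (not in allowed-nets)"
    reject
}
```

Changing the data group (adding or removing hosts or networks) takes effect without editing the iRule, which keeps the allow list reviewable in one place.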