Forum Discussion
Mike_Rausch_628
Nimbostratus
NimbostratusOnly allow users from specific Ip address to gain access
I am trying to use a corporate backup tool and they are telling me that I need to open a range of ports on my server from 600-13800 or something like that. I have created a Virtual Server that allows all ports and I created a Pool with one member, which is my server, and it is also allowing all ports. Obviously I do not want to leave everything wide open like this so I was going to write an Irule that would only allow a specific IP to reach the server through this Virtual server. I read a similar post but the person did not seem to get it working. If anyone could help It would be great.
Thanks
Mike
- JRahm
Admin
Try this:when CLIENT_ACCEPTED { if { ! ([IP::client_addr] == "10.10.10.10") } { discard } elseif { ([TCP::local_port] < 300) or ([TCP::local_port] > 13800) } { discard } else { forward } } 
Mike_Rausch_628I meant to write this the first time but the corporate tool will be using a range of IP's like 10.1.1.0 and 10.1.2.0. Can this be put into a data group and the data group get referenced in the Irule- JRahmYes, once you build your datagroup, say allowed_clients,
class allowed_clients {
network 10.1.1.0 mask 255.255.255.0
network 10.1.2.0 mask 255.255.255.0
host 10.1.3.10
}
then you can use this:when CLIENT_ACCEPTED { if { not ([matchclass [IP::client_addr] equals [$::allowed_clients]]) } { discard } elseif { ([TCP::local_port] < 300) or ([TCP::local_port] > 13800) } { discard } else { forward } } - Mike_Rausch_628I tried this rule but I got an error in my logs saying
TCL error: rule client_allow - invalid command name
"{10.1.1.0/24}{10.1.2.0/24}" while executing "$::Allowed_Clients"
I have a datagroup called Allowed_Clients and it contains
10.1.1.0 255.255.255.0
10.1.2.0 255.255.255.0
When I tried to connect from a different network I was allowed. I put a
log local0. "IP [client::IP_addr]tried to log in" statement into my rule to see who is trying to log into the server and my IP from my local machine showed up in the logs as well as the above error message. So it did not block me from gaining access and I received and error as well. - JRahmare the network and mask keywords in your class like this:
network 10.1.1.0 mask 255.255.255.0
network 10.1.2.0 mask 255.255.255.0
It seems the TCL error is preventing the if check, so everything matches the else statement, thus permitting the forwarding - Mike_Rausch_628exactly like that.
The backup service just ran and was denied immediately. when I said I was able to access the server before I was wrong, it logged my initial connection to the virtual server but did not go through to the pool. - JRahmSorry, had some extra brackets in there around the class. This may be simpler, and tested fine on my 9.1.2 HF5 system just now.
when CLIENT_ACCEPTED { if { ([matchclass [IP::client_addr] equals $::allowed_clients]) and (([TCP::local_port] < 13800) or ([TCP::local_port] > 300))} { log local0. "Connection accepted from [IP::client_addr] destined for tcp port [TCP::local_port]" forward } else { log local0. "Connection discarded from [IP::client_addr] destined for tcp port [TCP::local_port]" discard } }
HTH...Jason
