HI All, I have implemented a packet filter to block access to a VS from all IP addresses except one. I tried the same through an iRule. But it did not seem to work. Here is the iRule: when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals x.x.x.x] } { drop return } } When I tried doing the same with packet filter, by creating a rule which says, "action:accept" for "source ip:x.x.x.x" and "destination ip: (the ip for that virtual service)". This should allow only this x.x.x.x ip to access the virtual service. But, all the IPs are having access to the virtual service and looks like the rule is not implemented correctly. Can someone help me with this? Thanks and Regards, Geethanjali

this is mine. [root@ve10:Active] config b virtual bar list virtual bar { snat automap pool foo destination 172.28.19.79:80 ip protocol 6 } [root@ve10:Active] config b packet filter list packet filter { allow trusted {} } packet filter Allow_192.168.206.57 { order 5 action accept vlan external log enable filter { ( src host 192.168.206.57 ) and ( dst host 172.28.19.79 ) } } packet filter Deny_All { order 10 action reject vlan external log enable filter { ( dst host 172.28.19.79 ) } } [root@ve10:Active] config tail /var/log/pktfilter Oct 25 11:24:14 local/tmm notice tmm[7926]: 01250004:5: Deny_All (2): reject on external, len: 74 [IPv4 60 172.28.20.11 -> 172.28.19.79 TCP 59195 -> 80 S] Oct 25 11:24:21 local/tmm notice tmm[7926]: 01250002:5: Allow_192.168.206.57 (88): accept on external, len: 66 [IPv4 52 192.168.206.57 -> 172.28.19.79 TCP 63782 -> 80 S]

In case it's not clear, nitass is saying you need two packet filters. One to allow the host you want to, one to deny everything else.

Great. There's a couple of ways you can do this. For pure simplicity you could just modify the if statement; if { ( ! [IP::addr [IP::client_addr] equals x.x.x.x]) or ( ! [IP::addr [IP::client_addr] equals y.y.y.y]) or ( ! [IP::addr [IP::client_addr] equals z.z.z.z]) But the best way would be to use a Data Group and reference that. I'm sure nitass will be along with an example any minute!

e.g. [root@ve10:Active] config b virtual bar list virtual bar { snat automap pool foo destination 172.28.19.79:80 ip protocol 6 rules myrule } [root@ve10:Active] config b rule myrule list rule myrule { when CLIENT_ACCEPTED { if { ! [class match -- [IP::client_addr] equals ip_class] } { log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]" reject } } when SERVER_CONNECTED { log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]" } } [root@ve10:Active] config b class ip_class list class ip_class { { host 172.28.19.251 host 192.168.206.57 } } [root@ve10:Active] config tail -f /var/log/ltm Oct 25 22:57:44 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59229 -> 172.28.19.79:80 Oct 25 22:57:53 local/tmm info tmm[7926]: Rule myrule : Allow 192.168.206.57:65000 -> 172.28.19.79:80 -> 200.200.200.101:80 Oct 25 22:58:12 local/tmm info tmm[7926]: Rule myrule : Allow 172.28.19.251:37085 -> 172.28.19.79:80 -> 200.200.200.101:80

Packet filter does not work

15 Replies

Geethanjali_321
Nimbostratus
Oct 26, 2012
Hi,

I am not able to access this through the GUI. I don't find an option under system
What_Lies_Bene1
Cirrostratus
Oct 26, 2012
Do you at least have System > Logs?

nathe

Cirrocumulus

Oct 26, 2012

What user role are you?

Specifies log access by user role. You can allow or deny access for each user role except Administrator and Resource Administrator, which are always set to Allow. When the field is set to Deny, the Logs tab is not present for users of that role type, and trying to access the log directly results in a no-access message.

Geethanjali_321

Nimbostratus

Oct 26, 2012

Hi,

I am sorry. I got it now. Can you please explain what this code does? I understood the basic function, that it rejects all other IPs apart from the ones in the data group ip_class. But I dindn't get the log.local0 part and the server connected's syntax...Can you please expalin it to me?

when CLIENT_ACCEPTED {
   if { ! [class match -- [IP::client_addr] equals ip_class] } {
      log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      reject
   }
}
when SERVER_CONNECTED {
   log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
}
}

Thanks and Regards,

Geethanjali

nathe
Cirrocumulus
Oct 26, 2012
See https://devcentral.f5.com/wiki/irules.server_connected.ashx

The log local0. command is simply grabbing all the information it gets from the request in the [] brackets e.g. the client ip address/port, and writing a log to detail the connection in a readable format.

Forum Discussion

Packet filter does not work

15 Replies

Recent Discussions

Telemetry streaming to Elasticsearch

Error while running ansible

SSL protocol mismatch

Could not connect to SMTP host.

cat and grep command for rst messages

Related Content

Decrypting BIG-IP Packet Captures without iRules

Decrypting BIG-IP Packet Captures Automatically

Automating Packet Captures on BIG-IP

F5 packet buffer

Packet Tracing in BIG-IP AFM