Forum Discussion

  • Hi Le Phuong Binh,

    We will need additional information in order to help you.

    What version of BIG-IP are you running?

    How many different network subnets are we talking about?

  • That is not enough information to assist you with what you are needing.

    There are command differences between v9.x.x and v10.x.x, so the platform version matters.

    It also matters how many IP Addresses you need to be blocking to determine the most efficient way to implement the iRule and manage it. 1, 2, 10, an entire /24 subnet?

    Your current setup of the Virtual Servers and Pools may also have some bearing on the suggestions that you may get (if you have 4 servers and want users to be directed to them by some type of priority you may want to put them in separate pools (could be 2 pools or even 3 depending on what you want)).
  • Colin_Walker_12
    Historic F5 Account

    Generally speaking, when defining problems that need to be solved, giving as much detailed information as possible helps ensure a speedy response and solution. That is doubly the case with programming and writing code for a deployment that you don't directly control, like many of us do in the forums here all the time.

    If you can give us a detailed description of what you're trying to accomplish, we'd be happy to help. What you've described leaves too much left unsaid, as Michael already mentioned.

    What network layer are we blocking access from? How is it defined? Do we need to worry about port 80 or just 443? etc.

    Colin
  • Posted By Michael Yates on 08/16/2011 08:10 AM

    Hi Le Phuong Binh,

    We will need additional information in order to help you.

    What version of BIG-IP are you running?

    How many different network subnets are we talking about?

    Hi Michael Yates and Colin Walker,

    Thanks for helping.
  • Hi Le Phuong Binh,

    These are my suggestions. There are many other ways to do this, and even more efficient ways than what I am showing you here, but this way may be the easiest to initially understand, and then you can go for efficiency later.

    Create two pools and split your servers into those pools to make load balancing between the server sets possible (attempting to do this in an iRule is possible but would require insane overhead).

    a. Pool 1: pool.admin.server.set.1 (Server1 and Server2)

    b. Pool 2: pool.admin.server.set.2 (Server3 and Server4)

    The first portion of this iRule handles the access to "/admin". It verifies that the client IP Address is within the proper subnet (10.10.10.240/28). If you are attempting to access the "/admin" portion of the site and the client IP Address is NOT in that subnet range, it will redirect the user back to the base website.

    The second if statement does a compare on the more restricted subnet (10.10.10.241/28). If the client IP Address is in that range they will be directed to the pool with Server 1 and 2. If they do not qualify for the first subnet compare, then I am assuming that they are in the second and routing them to the pool with Server 3 and Server 4. If you want to add in an additional subnet compare you can, but you will then need to handle what happens if they do not qualify for either subnet (drop the traffic, redirect them, etc.).

    when HTTP_REQUEST {
        # Only requests for "/admin" are restricted to the allowed subnet.
        if { [string tolower [HTTP::uri]] starts_with "/admin" } {
            if { not [IP::addr [IP::client_addr] equals 10.10.10.240/28] } {
                # Not in the allowed subnet 10.10.10.240/28: redirect them to the homepage.
                # You can drop the traffic or whatever else you wish.
                HTTP::redirect "http://[getfield [HTTP::host] ":" 1]"
                # Stop here so no pool is selected for the redirected request.
                return
            }
        }
        # Choose the server set. Note: "equals 10.10.10.241/28" masks off the host
        # bits, so it matches the same range (.240-.255) as 10.10.10.240/28.
        if { [IP::addr [IP::client_addr] equals 10.10.10.241/28] } {
            pool pool.admin.server.set.1
        } else {
            pool pool.admin.server.set.2
        }
    }
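    The following is an added offline model of the routing decision described in the post above, written for this page; it is not code from the thread and not F5 code. It mimics the masking behaviour of [IP::addr ... equals <cidr>] with Python's ipaddress module (strict=False masks the host bits the same way), runs a few constructed sample requests through the /admin check and the pool selection, and makes visible that 10.10.10.241/28 denotes the same network as 10.10.10.240/28, so the two compares in the iRule cover the same address range. The request samples and the function names are constructed for this example.

```python
import ipaddress

# Subnets as given in the thread.
ADMIN_SUBNET = "10.10.10.240/28"
SET1_SUBNET = "10.10.10.241/28"

# Constructed request samples (client IP, request URI); not from the thread.
SAMPLE_REQUESTS = [
    ("10.10.10.242", "/admin/users"),   # allowed subnet, admin path
    ("10.10.10.250", "/ADMIN"),         # case-insensitive match on /admin
    ("10.10.10.5",   "/admin"),         # outside the allowed subnet
    ("10.10.10.5",   "/index.html"),    # non-admin path: never redirected
    ("192.0.2.7",    "/admin"),         # outside the allowed subnet
]


def ip_in_subnet(ip: str, cidr: str) -> bool:
    """Model of [IP::addr $ip equals $cidr]: host bits of the CIDR are masked
    off before the compare, so 10.10.10.241/28 means the network 10.10.10.240/28."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ipaddress.ip_address(ip) in net


def same_network(cidr_a: str, cidr_b: str) -> bool:
    """True when two CIDR strings denote the same network after masking."""
    return ipaddress.ip_network(cidr_a, strict=False) == ipaddress.ip_network(cidr_b, strict=False)


def route(client_ip: str, uri: str) -> str:
    """Decision mirroring the iRule: 'redirect', or the pool name selected."""
    if uri.lower().startswith("/admin") and not ip_in_subnet(client_ip, ADMIN_SUBNET):
        # Admin path from outside the allowed subnet: send back to the homepage.
        return "redirect"
    if ip_in_subnet(client_ip, SET1_SUBNET):
        return "pool.admin.server.set.1"
    return "pool.admin.server.set.2"


def route_all(requests=SAMPLE_REQUESTS) -> list:
    """Apply route() to every sample and return (ip, uri, decision) tuples."""
    return [(ip, uri, route(ip, uri)) for ip, uri in requests]


if __name__ == "__main__":
    print("241/28 and 240/28 are the same network:", same_network(SET1_SUBNET, ADMIN_SUBNET))
    for ip, uri, decision in route_all():
        print(f"{ip:14} {uri:14} -> {decision}")
```

    Running it shows that only /admin requests from outside 10.10.10.240/28 are redirected, that ordinary requests from anywhere still reach a pool, and that every client inside the /28 lands in pool.admin.server.set.1 because the second compare masks to the same network as the first. If a genuinely narrower range is wanted for Server 1 and 2, it needs a longer prefix (for example /29 or /30), which this model lets you verify before touching the iRule.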