Forum Discussion
Ranvir_Floura_7
Nimbostratus
Mar 25, 2009
redirect based on source ip address
Need a little help in coming up with an iRule where if the client IP matches I want it going to a pool, if not just redirect to a URL. I am missing something here.
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals x.x.x.10] } {
        } elseif { [IP::addr [IP::client_addr] equals x.x.x.11]} {
        } elseif { [IP::addr [IP::client_addr] equals x.x.x.12]} {
        } elseif { [IP::addr [IP::client_addr] equals x.x.x.13]} {
        } elseif { [IP::addr [IP::client_addr] equals x.x.x.14]} {
        } elseif { [IP::addr [IP::client_addr] equals x.x.x.15]} {
            pool xyz
        }
    }
    else {
        HTTP::redirect http://impacii.nih.gov
    }
Thanks!
6 Replies
- hoolio
Cirrostratus
Hi,
It would be cleaner to define the IP addresses in a datagroup of type 'address' and then use the matchclass command to check the client IP against the datagroup.

    when HTTP_REQUEST {
        # Check if client IP is in the datagroup
        if { [matchclass [IP::client_addr] equals $::my_client_ips_class] } {
            pool xyz
        } else {
            HTTP::redirect "http://redirect.example.com"
        }
    }

Aaron
- Ranvir_Floura_7
Nimbostratus
Hi Aaron,
Thanks for the directions. I am still having an issue. Here is what I have, and it is complaining about undefined procedure: class.

    class my_client_ips_class {
        host x.x.x.209
        host y.y.y.18
        host z.z.z.15
    }
    when HTTP_REQUEST {
        # Check if client IP is in the datagroup
        if { [matchclass [IP::client_addr] equals $::my_client_ips_class] } {
            pool uat_pool
        } else {
            HTTP::redirect "http://abc.test.com"
        }
    }

- dennypayne
Employee
The class syntax should not be part of the iRule; that syntax is what ends up in the bigip.conf file if you create a Data Group in the GUI (I wish that they had named it the same thing in the GUI as in the config file but hey...).
Denny
- What am I doing wrong? I have the following, and it is dropping all connections:
    when CLIENT_ACCEPTED {
        if { [matchclass [IP::client_addr] equals $::relay_hosts_allowed]} {
            forward
        } else {
            drop
        }
    }
relay_hosts_allowed contains a whole bunch of networks and hosts, including the one that I am using to test of course.
- dennypayne
Employee
The wiki says - "Use of IP::addr is not necessary if matchclass command is used to perform the address-to-address comparison" but nonetheless you may want to try:

    if { [matchclass IP:addr[IP::client_addr] equals $::relay_hosts_allowed]} {

The rule looks fine though... so long as LTM has a route to whatever you are trying to get to (or is directly connected) then it should forward the packet.
You could add some logging to see if you're not matching for some reason:

    when CLIENT_ACCEPTED {
        if { [matchclass [IP::client_addr] equals $::relay_hosts_allowed]} {
            log local0. "[IP::client_addr] matched an allowed host."
            forward
        } else {
            log local0. "[IP::client_addr] didn't match, dropping"
            drop
        }
    }

Denny
- I think my problem was that I was using forward instead of snat automap.
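
An offline way to check which client addresses an address data group would match before the iRule goes live, as an added example that is not part of the original thread and is not F5 code. It parses the bigip.conf `class` layout quoted above and mirrors the iRule's match/else branch; the `network ... mask ...` entry form, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the bigip.conf "class" layout quoted in the thread.
# Assumption: networks are written "network <addr> mask <mask>"; the thread
# itself only shows "host" entries.
SAMPLE_CLASS = """
class relay_hosts_allowed {
   host 192.0.2.10
   host 192.0.2.11
   network 198.51.100.0 mask 255.255.255.0
}
"""

def parse_class(text):
    """Return (name, [ip_network, ...]) for one address-type class block."""
    header = re.search(r"class\s+(\S+)\s*\{", text)
    if header is None:
        raise ValueError("no class block found")
    body = text[header.end():text.index("}", header.end())]
    entries = []
    for line in body.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "host" and len(fields) == 2:
            entries.append(ipaddress.ip_network(fields[1]))  # single host, /32
        elif fields[0] == "network" and len(fields) == 4 and fields[2] == "mask":
            # strict parsing rejects a network address with host bits set
            entries.append(ipaddress.ip_network(f"{fields[1]}/{fields[3]}"))
        else:
            raise ValueError(f"unrecognised entry: {line.strip()!r}")
    return header.group(1), entries

def decide(client_ip, entries, on_match="pool", on_miss="redirect"):
    """Mirror the iRule branch: on_match if the client is in the class."""
    addr = ipaddress.ip_address(client_ip)
    return on_match if any(addr in net for net in entries) else on_miss

if __name__ == "__main__":
    name, nets = parse_class(SAMPLE_CLASS)
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(f"{ip:>15} -> {decide(ip, nets)} ({name})")
```
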
