redirect based on source ip address

Question

Need a little help in coming up with an iRule where if the client IP matches i want it going to a pool, if not just redirect to a url.  I am missing something here 
&nbsp;  
&nbsp; when CLIENT_ACCEPTED { 
&nbsp;   if { [IP::addr [IP::client_addr] equals x.x.x.10] } { 
&nbsp; } elseif { [IP::addr [IP::client_addr] equals x.x.x.11]} { 
&nbsp; } elseif { [IP::addr [IP::client_addr] equals x.x.x.12]} { 
&nbsp; } elseif { [IP::addr [IP::client_addr] equals x.x.x.13]} { 
&nbsp; } elseif { [IP::addr [IP::client_addr] equals x.x.x.14]} { 
&nbsp; } elseif { [IP::addr [IP::client_addr] equals x.x.x.15]} { 
&nbsp;      pool xyz 
&nbsp;  } 
&nbsp; } 
&nbsp; else { 
&nbsp;  HTTP::redirect http://impacii.nih.gov 
&nbsp;  } 
&nbsp;  
&nbsp; Thanks!

hoolio · Answer

Hi, 
  
 It would be cleaner to define the IP addresses in a datagroup of type 'address' and then use the matchclass command (Click here) to check the client IP against the datagroup.

when HTTP_REQUEST { 
  
     Check if client IP is in the datagroup 
    if {[matchclass [IP::client_addr] equals $::my_client_ips_class]}{ 
  
       pool xyz 
    } else { 
       HTTP::redirect "http://redirect.example.com" 
    } 
 }

Aaron

ranvir_floura_7 · Answer

Hi Aaron, 
&nbsp;  
&nbsp; Thanks for the directions.  I am still having an issue.  Here is what i have and it is complaining about undefined procedure: class. 
&nbsp;  
&nbsp; class my_client_ips_class { 
&nbsp;    host x.x.x.209 
&nbsp;    host y.y.y.18 
&nbsp;    host z.z.z.15 
&nbsp; } 
&nbsp;  
&nbsp; when HTTP_REQUEST {  
&nbsp;      Check if client IP is in the datagroup  
&nbsp;     if {[matchclass [IP::client_addr] equals $::my_client_ips_class]}{  
&nbsp;      pool uat_pool  
&nbsp;     } else {  
&nbsp;        HTTP::redirect "http://abc.test.com"  
&nbsp;     }  
&nbsp;  }

dennypayne · Answer

The class syntax should not be part of the iRule, that syntax is what ends up in the bigip.conf file if you create a Data Group in the GUI (I wish that they had named it the same thing in the GUI as in the config file but hey...). 
&nbsp;  
&nbsp; Denny

pjcampbell_7243 · Answer

What am I doing wrong ?  I have the following, and it is dropping all connections 
&nbsp;  
&nbsp; when CLIENT_ACCEPTED {  
&nbsp;    if { [matchclass [IP::client_addr] equals $::relay_hosts_allowed]} {  
&nbsp;     forward   
&nbsp;    } else  {  
&nbsp;      drop  
&nbsp;    }  
&nbsp;  } 
&nbsp;  
&nbsp; relay_hosts_allowed contains a whole bunch of networks and hosts, including the one that I am using to test of course.

dennypayne · Answer

The wiki says - "Use of IP::addr is not necessary if matchclass command is used to perform the address-to-address comparison"  but nonetheless you may want to try:

if { [matchclass IP:addr[IP::client_addr] equals $::relay_hosts_allowed]} {

The rule looks fine though...so long as LTM has a route to whatever you are trying to get to (or is directly connected) then it should forward the packet. 
  
 You could add some logging to see if you're not matching for some reason:

when CLIENT_ACCEPTED { 
   if { [matchclass [IP::client_addr] equals $::relay_hosts_allowed]} { 
     log local0. "[IP::client_addr] matched an allowed host." 
     forward 
     } else { 
     log local0. "[IP::client_addr] didn't match, dropping" 
     drop 
   } 
 }

Denny

Forum Discussion

redirect based on source ip address

Recent Discussions

Diameter iRules attachment?

Source IP F5 DNS Zone Forwarder

F5 BIG-IP

BIG-IP Oauth Client and AS

How to Renew F5 Device Certificate

Related Content

The Power of Source Address

health monitor source IP address

source address persistence maximum session timeout

F5 Malicious Source IP Address Alert

How to ensure source address and source port are accepted and traversed properly via F5 SNAT automap

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS