DarkSideOfTheQ_
Nimbostratus
Sep 16, 2009
Restrict access based off source network
Hello All,
Sanity check...I'm trying to block access to specific pages based off the source network the client is coming from. The rest of the site should remain available to anyone. I *think* I've got the irule down, but am not 100% sure and would appreciate some more knowledgeable input.
Pages to block:
http://our.domain.com/templates/Test.jsp
http://our.domain.com/templates/Stats.jsp
Data Group "internal-ips"
1.1.1.0/24
2.2.2.0/24
3.3.3.0/24
when HTTP_REQUEST {
   if { ([HTTP::uri] contains "Test.jsp") or ([HTTP::uri] contains "Stats.jsp") and not ([matchclass [IP::client_addr] equals [$::internal-ips]]) } {
      discard
   }
}
TIA,
DarkSide
19 Replies
- DarkSideOfTheQ_
Nimbostratus
I removed the braces around the datagroup as CB suggested and it still didn't work. Added in the extra logging as you suggested, which was helpful as it appears to be ignoring the datagroup altogether.
Sep 17 07:27:12 tmm tmm[959]: Rule secure_test : : Request to /templates/Test.jsp
Sep 17 07:27:12 tmm tmm[959]: Rule secure_test : : Discarding request to /templates/Test.jsp
Thoughts?
-DarkSide
- hoolio
Cirrostratus
Can you list the contents of the class (using 'b class ips_internal list all') and your client IP address? If you want to anonymise the IPs, just change the first two or three octets.
Here is an example of the default private_net datagroup on a 9.4.8 unit:
b class private_net list all
class private_net {
   type ip
   filename none
   mode rw
   partition Common
   network 10.0.0.0/8
   network 172.16.0.0/12
   network 192.168.0.0/16
   none none
}
Thanks, Aaron
- DarkSideOfTheQ_
Nimbostratus
Here it is. (changed first two octets)
class ips_internal {
   network 1.1.0.0 mask 255.255.240.0
   network 2.2.0.0 mask 255.255.252.0
}
client ip: 1.1.1.100
btw - this is 9.2.4 if that matters.
- hoolio
Cirrostratus
Is it an address type datagroup? That looks like a string datagroup. matchclass using IP addresses won't work with anything but an address type class.
Aaron
- DarkSideOfTheQ_
Nimbostratus
In the GUI it says it's an address type.
- hoolio
Cirrostratus
It's odd it's not working then... can you try this?
when HTTP_REQUEST {
   log local0. "[IP::client_addr]:[TCP::local_port]: Request to [HTTP::uri] with dg: $::ips_internal"
   if { [HTTP::uri] contains "Test.jsp" or [HTTP::uri] contains "Stats.jsp" }{
      log local0. "[IP::client_addr]:[TCP::local_port]: Matched URI check"
      if {not [matchclass [IP::client_addr] equals $::ips_internal]} {
         log local0. "[IP::client_addr]:[TCP::local_port]: Matched IP check. Discarding request to [HTTP::uri]"
         discard
      }
   }
}
Aaron
- DarkSideOfTheQ_
Nimbostratus
Well, as you suggested earlier, breaking out the matchclass to its own if line worked.
Sep 17 10:04:09 tmm tmm[959]: Rule secure_test : 99.99.220.62:80: Request to /templates/Test.jsp with dg: {1.1.0.0/20} {2.2.0.0/22}
Sep 17 10:04:09 tmm tmm[959]: Rule secure_test : 99.99.220.62:80: Matched URI check
Sep 17 10:04:09 tmm tmm[959]: Rule secure_test : 99.99.220.62:80: Matched IP check. Discarding request to /templates/Test.jsp
The first log line, should that log client info for ONLY members of the datagroup? It's logging client info for any request made and even mentions the dg parameter, so I'm a bit confused on that.
Sep 17 10:03:47 tmm tmm[959]: Rule secure_test : 2.60.0.104:80: Request to /resources with dg: {1.1.0.0/20} {2.2.0.0/22}
*2.60.x.x is a vpn range in the 2.2.0.0 office (i changed first two octets)
- DarkSideOfTheQ_
Nimbostratus
Now I've gone and broken things....
This works:
when HTTP_REQUEST {
   if { [HTTP::uri] contains "Test.jsp" or [HTTP::uri] contains "Stats.jsp" }{
      if {not [matchclass [IP::client_addr] equals $::ips_internal]} {
         log local0. "[IP::client_addr]:[TCP::local_port]: Matched IP check. Discarding request to [HTTP::uri]"
         discard
      }
   }
}
In anticipation of them adding more pages they want secured, I tried the '-glob' mechanism, but the GUI tells me "line 5: [missing an expression] [ ]" and I'm not sure what's missing???
when HTTP_REQUEST {
   switch -glob [HTTP::uri] {
      "Test.jsp" -
      "Stats.jsp"
      if {not [matchclass [IP::client_addr] equals $::ips_internal]} {
         log local0. "[IP::client_addr]:[TCP::local_port]: Matched IP check. Discarding request to [HTTP::uri]"
         discard
      }
   }
}
Help is appreciated, my irule kung-fu isn't so strong. 🙂
-DarkSide
- hoolio
Cirrostratus
This line was just for debugging of all requests:
log local0. "[IP::client_addr]:[TCP::local_port]: Request to [HTTP::uri] with dg: $::ips_internal"
If you want to use a switch statement you can use something like this:
when HTTP_REQUEST {
   switch -glob [HTTP::uri] {
      "*Test.jsp*" -
      "*Stats.jsp*" {
         if {not [matchclass [IP::client_addr] equals $::ips_internal]} {
            log local0. "[IP::client_addr]:[TCP::local_port]: Matched IP check. Discarding request to [HTTP::uri]"
            discard
         }
      }
   }
}
Note the use of the asterisks for wildcard (glob) matching.
Aaron
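The thread ends up at two separate lessons: the single-line condition in the first post combines "or" and "and" without grouping, and a switch -glob arm only matches the whole URI, so "Test.jsp" never matches "/templates/Test.jsp" while "*Test.jsp*" does. The Python model below is an added example, not code from the thread or from F5; it stands in for the address data group with the anonymised networks DarkSide posted and models matchclass as network membership. It assumes, as in Tcl's expr, that "and" binds tighter than "or", and it deliberately does not reproduce the separate bracketing mistake around the data group name.

```python
import fnmatch
import ipaddress

# Constructed stand-in for the thread's "ips_internal" address data group
# (the anonymised networks posted in the thread: 1.1.0.0/20 and 2.2.0.0/22).
INTERNAL_NETS = [ipaddress.ip_network("1.1.0.0/20"),
                 ipaddress.ip_network("2.2.0.0/22")]

# Glob patterns in the style of the final switch -glob block; the leading and
# trailing asterisks are what lets a full path such as "/templates/Test.jsp" match.
RESTRICTED_GLOBS = ["*Test.jsp*", "*Stats.jsp*"]


def in_data_group(client_ip, nets=INTERNAL_NETS):
    """Model of 'matchclass [IP::client_addr] equals $::ips_internal' for an
    address-type data group: true when the client address lies inside any
    listed network (a string-type group would compare text, not prefixes)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def glob_arm_matches(uri, pattern):
    """One 'switch -glob' arm: the pattern must match the whole URI, which is
    why the bare "Test.jsp" arm in the failing attempt can never match a path."""
    return fnmatch.fnmatchcase(uri, pattern)


def uri_restricted(uri, globs=RESTRICTED_GLOBS):
    """True when any restricted-page glob matches the requested URI."""
    return any(glob_arm_matches(uri, g) for g in globs)


def should_discard_fixed(uri, client_ip):
    """The nested-if logic that worked in the thread: only restricted URIs are
    checked, and among those only clients outside the data group are dropped."""
    return uri_restricted(uri) and not in_data_group(client_ip)


def should_discard_original(uri, client_ip):
    """The first post's condition with the assumed precedence made explicit:
    'A or B and not C' is read as 'A or (B and not C)', so every request for
    Test.jsp is discarded regardless of source, including internal clients,
    while Stats.jsp gets the intended check."""
    a = "Test.jsp" in uri
    b = "Stats.jsp" in uri
    c = in_data_group(client_ip)
    return a or (b and not c)


if __name__ == "__main__":
    # Constructed requests: an internal client from 1.1.0.0/20 and an external one.
    for uri, ip in [("/templates/Test.jsp", "1.1.1.100"),
                    ("/templates/Test.jsp", "99.99.220.62"),
                    ("/templates/Stats.jsp", "1.1.1.100"),
                    ("/resources", "2.60.0.104")]:
        print(f"{ip:>14} {uri:<22} original={should_discard_original(uri, ip)!s:<5} "
              f"fixed={should_discard_fixed(uri, ip)}")
```

Running it shows the internal client being discarded on Test.jsp under the original precedence but allowed under the nested form, and the VPN address 2.60.0.104 correctly outside 2.2.0.0/22, which is why that earlier debug line logged it without discarding anything.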