Forum Discussion

Ravager
Apr 10, 2021

restrict access to a vs by a datagroup but temp allow exceptions and log

So I basically have the concept of what I want to do programmatically, but need some assistance turning it into an iRule.

I have a virtual server that has open access, and I want to change it so access is only allowed if the IP is in a datagroup.

However, while cutting it over I want to log all the IPs that are not in the datagroup and permit them anyway. I will then investigate if each should be allowed and add each IP as required.

After a few weeks, hopefully all the allowed IPs are in the datagroup and I can block connections but still log denied IPs.

Looking through the forums, I have a vague idea that the below will be close to working,

and I change the last return to drop once I want to enforce it.

Also, in an address datagroup I understand the Address is the IP, but what is the value field for?

    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] eq "datagroup_allowed_ip" ] } {
            return
        } else {
            log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
            return
        }
    }


  • Value is optional, to add a description; you can keep it blank. Reject can be commented out until the IP address list is confirmed, to allow all traffic.

    when CLIENT_ACCEPTED {
        if { ![class match [IP::client_addr] eq "datagroup_allowed_ip" ] } {
            log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
            #reject
        }
    }
  • SanjayP gave you a good suggestion, but I recommend trying a local traffic policy, as it now supports data groups. This way is better than using a non-optimized iRule, and it is easier to work with a local traffic policy when possible.

    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-local-traffic-policies-getting-started-13-0-0/1.html

  • Sanjay's example is good, but as Nikoolayy1 pointed out, this can be done more efficiently with a local traffic policy. Initially, the policy might look like this:

    (tmos)# list /ltm policy reject_disallowed_ip_addresses
    ltm policy reject_disallowed_ip_addresses {
        last-modified 2021-04-10:15:59:01
        requires { tcp }
        rules {
            reject_disallowed_ip_addresses {
                actions {
                    0 {
                        log
                        client-accepted
                        write
                        facility local0
                        message "tcl:Dropping connection for client [IP::client_addr] not in datagroup"
                        priority info
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        address
                        matches
                        datagroup disallowed_ips
                    }
                }
            }
        }
        status published
        strategy first-match
    }

    When you are ready to actually reject the traffic, change the log action to Reset traffic at client-accepted.

    With respect to what the value setting is in a datagroup entry, it is optional and would allow you to associate some value with the key portion of the entry. In your case, you do not need it.

    • The-messenger

      crodriguez,
      I'm running 15.1.4

      I'm trying to do the same thing here, but looking at your policy, I'm not sure I have this correct. In my policy I have, as you can see below:
      1 - TCP address matches in datagroup (group with allowed IPs) - Ignore

      2 - All Traffic - Log traffic - This does appear to be logging traffic that doesn't match the first rule

      3 - All Traffic - Reset traffic

      When I test this from an IP address that is not in the datagroup, I do get the APM login page.

  • Thanks all, I got it working. Thanks for the very quick replies.

    • guest

      Hello Ravager,

      I only want to give permission to specific IPs which are included in the data group. For this, is it enough to write the iRule that Sanjay stated? Did you use this?

      when CLIENT_ACCEPTED {
          if { ![class match [IP::client_addr] eq "datagroup_allowed_ip" ] } {
              log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
              #reject
          }
      }

      @crodriguez, what kind of change do we need here to actually reject (block) the traffic? Can you give the exact configuration statement? Is there any opportunity to block and log?

      Kind Regards,
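One way to cover both phases of the cutover in a single iRule, as an added example that is not code from any poster in this thread: a monitor/enforce switch decides whether an unknown client is only logged or also rejected, and a per-IP suppression window keeps a chatty client from flooding the log. It assumes the data group is named datagroup_allowed_ip as above; the static variable and subtable names are my own.

```tcl
when RULE_INIT {
    # Cutover switch (assumed name): 0 = monitor (log and allow),
    # 1 = enforce (log and reject). Edit and save the iRule to flip it.
    set static::allowlist_enforce 0
    # Seconds to suppress repeat log lines for the same client IP
    set static::allowlist_log_window 300
}

when CLIENT_ACCEPTED {
    set client_ip [IP::client_addr]

    # Clients in the allow list (data group name from the thread) pass silently
    if { [class match $client_ip equals datagroup_allowed_ip] } {
        return
    }

    # Log each unknown client once per window; the subtable name is assumed.
    # table lookup returns an empty string when the key is not present.
    if { [table lookup -subtable allowlist_seen $client_ip] eq "" } {
        table set -subtable allowlist_seen $client_ip 1 $static::allowlist_log_window
        if { $static::allowlist_enforce } {
            log local0. "Rejected connection: client IP $client_ip is not in datagroup_allowed_ip"
        } else {
            log local0. "Monitor mode: client IP $client_ip is not in datagroup_allowed_ip (allowed)"
        }
    }

    # Only the enforce phase actually closes the connection
    if { $static::allowlist_enforce } {
        reject
    }
}
```

The two log messages are worded differently so that, when reviewing the log to populate the data group, monitor-phase entries are easy to tell apart from post-cutover rejections.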