Forum Discussion
Brian_Mayer_841
Nimbostratus
Nov 05, 2007
Restrict access to Virtual Servers based on IP address
Hi all,
We have some test sites going online soon and need them to be publicly accessible for some external testers. But we don't want the entire world to see the sites until they're ready ...
hoolio
Cirrostratus
Nov 05, 2007
Hi,
You could use packet filters to restrict access.
Else, if you want to use an iRule, you can use the IP::addr command to compare the client IP address with a specific IP or IP range, or matchclass to compare the client IP address with a set of IPs or ranges.
There are a few related codeshare examples:
Access Control Based On IP
Access Control Based On Network or Host
If you do want to use an iRule instead of packet filters, and you're working with a single IP virtual server, it would probably be easiest to use the matchclass command:
    # Datagroup which defines allowed client IP addresses/networks
    class allowed_clients_datagroup {
        network 10.30.0.0/16
        host 10.40.1.1
    }

    # This event is triggered when a client - BIG-IP TCP connection is established
    when CLIENT_ACCEPTED {
        if { [matchclass [IP::client_addr] equals $::allowed_clients_datagroup] } {
            # Uncomment the line below to turn on logging.
            # log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
            # Do nothing... request will be sent to the pool
        } else {
            # Uncomment the line below to turn on logging.
            # log local0. "Invalid client IP: [IP::client_addr] - discarding"
            discard
        }
    }

Reply if you have any questions.
Aaron
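Added example, not part of the post above and not F5 code: an offline Python check of which client addresses the datagroup in the reply would forward or discard, useful for reviewing an allowlist before it goes on a public virtual server. It assumes a match means the client address falls inside any `network` entry or equals any `host` entry; the function names and the sample client addresses are constructed for illustration.

```python
import ipaddress

# Datagroup text copied from the reply above.
DATAGROUP = """
class allowed_clients_datagroup {
    network 10.30.0.0/16
    host 10.40.1.1
}
"""

def parse_datagroup(text):
    """Return ip_network objects for every 'network <cidr>' / 'host <ip>' line."""
    networks = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 2 or parts[0] not in ("network", "host"):
            continue  # class header, closing brace or blank line
        kind, value = parts
        if kind == "host":
            # A host entry is one address: model it as a full-length prefix.
            addr = ipaddress.ip_address(value)
            networks.append(ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}"))
        else:
            # strict=True raises ValueError for entries such as 10.30.1.0/16
            # (host bits set), which usually means a typo in the allowlist.
            networks.append(ipaddress.ip_network(value, strict=True))
    return networks

def decision(client_ip, networks):
    """Mirror the iRule's two branches: 'forward' or 'discard'."""
    addr = ipaddress.ip_address(client_ip)
    return "forward" if any(addr in net for net in networks) else "discard"

def audit(clients, text=DATAGROUP):
    """Map each client address to the branch the allowlist would take."""
    nets = parse_datagroup(text)
    return {ip: decision(ip, nets) for ip in clients}

if __name__ == "__main__":
    # Constructed sample client addresses.
    samples = ["10.30.200.7", "10.40.1.1", "10.40.1.2", "192.0.2.10"]
    for ip, verdict in audit(samples).items():
        print(f"{ip:15} {verdict}")
```

The check models the address the iRule sees in CLIENT_ACCEPTED, which is the TCP peer; testers arriving through a NAT or proxy are evaluated by that device's address.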