Forum Discussion
Brian_Mayer_841
Nimbostratus
Nov 05, 2007
Restrict access to Virtual Servers based on IP address
Hi all,
We have some test sites going online soon and need them to be publicly accessible for some external testers. But we don't want the entire world to see the sites until they're ready ...
hoolio
Cirrostratus
Nov 07, 2007
The previous example will work for a virtual server with a pool, where you want traffic from allowed clients to be load balanced and other clients to be dropped. Here is a shortened version that drops all requests if the client IP is not part of the datagroup.

# This event is triggered when a client - BIG-IP TCP connection is established
when CLIENT_ACCEPTED {
    # Check if the client IP is not part of the datagroup hosts/networks
    if { not ([matchclass [IP::client_addr] equals $::allowed_clients_datagroup]) } {
        # Log dropped requests
        log local0. "Invalid client IP: [IP::client_addr] - discarding"
        # Drop the request
        discard
    }
}

If you created a class/datagroup with a different name, just update the rule to reference the name you used.
If this doesn't work for you, check the ltm log file via the command line (tail -f /var/log/ltm) and see if you get any log statements showing errors.
Aaron
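An added example, not part of the original post: a Python helper that counts the clients the rule discarded, using its "Invalid client IP: ... - discarding" message, and flags any discarded address that the intended allow list would have permitted, which points to the rule referencing a different or outdated datagroup. The allow list, the rule name `restrict_by_ip`, and the syslog prefix on the sample lines are constructed assumptions; only the message text comes from the rule above.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for the datagroup's hosts/networks (documentation ranges).
ALLOWED_CLIENTS = ["192.0.2.10", "198.51.100.0/24"]

# Constructed sample of /var/log/ltm. The syslog prefix and rule name are
# assumptions; only the message after the final colon is the rule's text.
SAMPLE_LTM_LOG = """\
Nov  7 10:15:01 tmm tmm[1701]: Rule restrict_by_ip <CLIENT_ACCEPTED>: Invalid client IP: 203.0.113.5 - discarding
Nov  7 10:15:09 tmm tmm[1701]: Rule restrict_by_ip <CLIENT_ACCEPTED>: Invalid client IP: 203.0.113.5 - discarding
Nov  7 10:16:30 tmm tmm[1701]: Rule restrict_by_ip <CLIENT_ACCEPTED>: Invalid client IP: 198.51.100.77 - discarding
Nov  7 10:17:02 tmm tmm[1701]: Pool member 10.0.0.5:80 monitor status up.
"""

DISCARD_RE = re.compile(r"Invalid client IP: (\S+) - discarding")


def parse_allowed(entries):
    """Turn host and network strings into network objects (a host becomes /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(ip, networks):
    """True if ip equals an allowed host or falls inside an allowed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def discarded_clients(log_text):
    """Count discards per client IP from the rule's log message."""
    return Counter(m.group(1) for m in DISCARD_RE.finditer(log_text))


def audit(log_text, allowed_entries):
    """Return (counts, mismatches). A mismatch is a discarded IP that the
    intended allow list permits, so the datagroup on the box differs from it."""
    nets = parse_allowed(allowed_entries)
    counts = discarded_clients(log_text)
    mismatches = sorted(ip for ip in counts if is_allowed(ip, nets))
    return counts, mismatches


if __name__ == "__main__":
    counts, mismatches = audit(SAMPLE_LTM_LOG, ALLOWED_CLIENTS)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} discarded connection(s)")
    print("Discarded but expected to be allowed:", mismatches or "none")
```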