Ashu_Aggarwal
Sep 18, 2020

Restrict access to VS by IP & time

I have to restrict access to a VS by IP & time. So during a particular window (time/day) only specific IP ranges should be allowed to access that VS. Can someone please guide me on how to do that on an LTM? The LTM is running version 13.1.0.7.

  • Hi Ashu Aggarwal,

    Create a datagroup for always allowed IPs.

    Try this iRule:

    when RULE_INIT { # change the times below
    	array set static::timerange {
    		Monday {"08:30" "20:00"}
    		Tuesday {"08:30" "20:00"}
    		Wednesday {"08:30" "20:00"}
    		Thursday {"08:30" "20:00"}
    		Friday {"08:30" "20:00"}
    		Saturday {}
    		Sunday {}
    	}
    }
     
    when HTTP_REQUEST {
    	if { not [class match [IP::client_addr] equals dg-allowed-ip-list-name] } { #change dg name
    		set now [clock seconds]
    		set current_day [clock format $now -format {%A}]
    		set start [lindex $static::timerange($current_day) 0]
    		set end [lindex $static::timerange($current_day) 1]
    		
    		if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
    			set denied 0
    		} else {
    			set denied 1
    		}
    		
    		unset start end
    	} else {
    		set denied 0
    	}
     
    	if { $denied } {
    		drop
    	}
    }
    • Ashu_Aggarwal

      I got permission to try this iRule tonight. Just a quick question: where will this iRule pick the clock/time from? Would it pick the time from the system clock?

      Thanks

      • Enes_Afsin_Al

        Hi,

        I tested it with this iRule.

        when HTTP_REQUEST {
            log local0. [clock seconds]
        }

        Current time log:

        Oct 14 18:11:10 f5 info tmm[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1602688267
        Oct 14 18:11:10 f5 info tmm[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1602688270
        ...

        After changing the F5 system time:

        May 11 21:11:18 f5 info tmm2[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1526062278
        May 11 21:11:18 f5 info tmm2[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1526062298
        ...

        The iRule uses system time.

  • Can you mark one of these as Best answer? Did you solve the problem in some other way?

    • Ashu_Aggarwal

      No, I could not resolve it. The iRule is not working as expected. It just keeps blocking the connection regardless of time. Thanks!

      • JRahm

        Hi Ashu, take a look at this iRule for guidance: https://devcentral.f5.com/s/articles/irule-maintenance-windows.

  • Hi Ashu,

    Can you replace lines 20-24? (set denied values)

    if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
    	set denied 1
    } else {
    	set denied 0
    }

    when RULE_INIT {
    	array set static::timerange {
    		Monday {}
    		Tuesday {}
    		Wednesday {}
    		Thursday {"03:15" "03:30"}
    		Friday {}
    		Saturday {}
    		Sunday {}
    	}
    }
     
    when HTTP_REQUEST {
    	if { not [class match [IP::client_addr] equals dg_allow_ip_during_deployment] } {
    		set now [clock seconds]
    		set current_day [clock format $now -format {%A}]
    		set start [lindex $static::timerange($current_day) 0]
    		set end [lindex $static::timerange($current_day) 1]
    		
    		if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
    			set denied 1
    		} else {
    			set denied 0
    		}
    		
    		unset start end
    	} else {
    		set denied 0
    	}
     
    	if { $denied } {
    		drop
    	}
    }
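
An offline way to exercise the decision logic of the last iRule at chosen timestamps, as an added example that is not part of the thread: plain Tcl for tclsh 8.5 or later, not an iRule. The proc names, the sample addresses and the CIDR list standing in for the data group and `class match` are assumptions.

```tcl
# Added example: plain Tcl for tclsh 8.5+, not an iRule and not code from the thread.
# Constructed sample data: the Thursday window from the last post, and a CIDR list
# standing in for the data group (an assumption; the real group's contents are not shown).
array set timerange {
    Monday {} Tuesday {} Wednesday {}
    Thursday {"03:15" "03:30"}
    Friday {} Saturday {} Sunday {}
}
set allowed {192.0.2.0/24 198.51.100.7/32}

# Convert a dotted-quad IPv4 address to an integer.
proc ip2int {ip} {
    set n 0
    foreach octet [split $ip .] { set n [expr {($n << 8) | $octet}] }
    return $n
}

# Return 1 if $ip falls inside any CIDR block in $cidrs.
proc ip_allowed {ip cidrs} {
    foreach cidr $cidrs {
        lassign [split $cidr /] net bits
        set mask [expr {(0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF}]
        if {([ip2int $ip] & $mask) == ([ip2int $net] & $mask)} { return 1 }
    }
    return 0
}

# Return 1 (drop) or 0 (allow) for client $ip at epoch time $now.
proc denied {ip now} {
    global timerange allowed
    if {[ip_allowed $ip $allowed]} { return 0 }
    set day [clock format $now -format %A]
    set start [lindex $timerange($day) 0]
    set end [lindex $timerange($day) 1]
    if {$start eq "" || $end eq ""} { return 0 }
    # -base anchors both window edges to the calendar day of $now.
    set from [clock scan $start -base $now]
    set to [clock scan $end -base $now]
    return [expr {$now >= $from && $now < $to}]
}

# Constructed test points: 2020-10-15 is a Thursday.
foreach {ip when} {
    203.0.113.9 "2020-10-15 03:20:00"
    203.0.113.9 "2020-10-15 03:45:00"
    192.0.2.44  "2020-10-15 03:20:00"
} {
    set now [clock scan $when -format "%Y-%m-%d %H:%M:%S"]
    puts "$ip at $when -> [denied $ip $now]"
}
```

The timestamps and window edges are interpreted in the local time zone of the machine running tclsh.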