Forum Discussion
Restrict FTP traffic on VIP to IP address or range
I have a contractor who requires FTP access to an FTP server on our network.
We have created a VIP that only allows traffic on port 21 to that server. We only want to allow an IP address or a range of IPs to access that specific server, and this is just a temporary access issue.
It is my understanding that we need to incorporate when CLIENT_ACCEPTED { into our iRule in order to accomplish this. I've found the following iRule, however it seems much more complex than what we're looking to do.
http://devcentral.f5.com/wiki/default.aspx/iRules/AccessControlBasedOnNetworkOrHost.html
I was thinking that something like this below would work, but this iRule seems to check the login name rather than the IP address or network that traffic would be coming into via port 21.
when CLIENT_ACCEPTED {
    # $::aol is a v9-style global address datagroup; matchclass tests the
    # connecting client's IP against it, not an FTP login name
    if { [matchclass [IP::remote_addr] equals $::aol] } {
        pool aol_pool
    } else {
        pool all_pool
    }
}
13 Replies
- hoolio
Cirrostratus
Hi Joe,
If you want to add source IP/subnet restrictions to that iRule you could create an address type datagroup with the allowed IPs/subnets and then add a check in CLIENT_ACCEPTED to see if the client IP is in the datagroup:
when CLIENT_ACCEPTED {
    # Check if client IP is not in the allowed_clients_datagroup
    if { not [matchclass [IP::client_addr] equals allowed_clients_datagroup] } {
        # Disallowed client IP, send a tcp reset
        reject
    }
}
Aaron
- Joe_Pipitone
Nimbostratus
As always - thank you!
- OM
Altocumulus
Hi,
I have big-ip version 10.2 with 2 partitions and I want to filter incoming web requests based on clients' IP addresses. I tried the following iRule with datagroup IP lists, with no success.
Is the irule below valid for multiple partitions?
Here's the irule:
when CLIENT_ACCEPTED {
    # Check if client IP is not in the allowed_clients_datagroup
    if { not [class match [IP::client_addr] equals allowed_clients_datagroup] } {
        # Disallowed client IP, send a tcp reset
        reject
    }
}
thanks.
- hoolio
Cirrostratus
Hi Omar,
Are your iRule and datagroup both in the same admin partition? There isn't anything in an iRule that's specific to partitions, but the iRule itself, the datagroup and the virtual server can be defined within specific partitions. See the management guide for details:
TMOS Management Guide for BIG-IP: Configuring Administrative Partitions
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos_management_guide_10_1/tmos_partitions.html
Aaron
- OM
Altocumulus
Thanks Aaron for your quick reply, I have 2 partitions (prod and dev). The vs, the iRules and the datagroup are all in the same partition (dev).
In the doc, the iRule syntax is slightly different depending whether we use the default route domain or unique route domain...
Would you please confirm the syntax of the iRule?
thanks.
Omar
- hoolio
Cirrostratus
Hi Omar,
Sorry, I think you're talking about route domains while I was talking about admin partitions. If you're using the iRule for a non-default route domain, you'd need to handle that specially in the iRule. The class commands do not currently handle non-default route domains. You can use iRule logic like this to do so:
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/1172490/showtab/groupforums/Default.aspx1173816
See the last post in that thread for a Request For Enhancement ID documenting the request to handle this natively with the class command.
Aaron
- kavan_49451
Nimbostratus
Hi Guys, I have a couple of questions regarding this iRule, I hope someone can advise.
1. What effect would this iRule have on the 3600 LTM? We would be looking to have 6 - 10 different iRules on 6-10 VIP Rules? Is there a maximum limit to how many iRules you can run on an F5? I'm worried about the processor. I've searched and have not been able to find a maximum recommended iRule amount.
2. Would you recommend using this instead of a firewall? Or at least shift the work from the firewall to the LTM?
Any information would be gratefully received
Many thanks
Kav
- Michael_Yates
Nimbostratus
There is no limit or hard number of iRules that you can run on a BigIP. It all depends on the intensity of the iRules that you implement.
The 3600s are pretty beefy boxes, and this iRule running on 10 VIPs won't faze them at all. There are numerous posts on DevCentral for writing efficient iRules or how to test an iRule to see how much processing power it takes to run them, so if it is a concern I would suggest doing some additional research.
Should you run this on a firewall instead? That is actually a matter of preference. Both would / could solve your problem. I guess it could boil down to which one was easier to maintain or how much flexibility is required to add / remove things to the allow / deny list.
- @kavan
LTMs are the best of breed Application Delivery Controllers, and are versatile enough to block some unwanted traffic like you've seen above. They were definitely never intended to replace your firewall by themselves, especially if your firewall is Internet facing.
Depending on your needs you may want to look into the APM...
http://www.f5.com/products/big-ip/a...nager.html
Internally you can definitely do some traffic blocking without any hitches depending on your topology. Probably more useful when servers are inline and are only accessed through your LTM...
- Colin_Walker_12
Historic F5 Account
As has been mentioned above, just because you can do everything under the sun in an iRule doesn't necessarily mean you should. As is mentioned in the Ten Steps to iRules Optimization, making use of the right tool for the job is important. If your deployment dictates that your LTM is the best place to do this, then it can certainly fill the role, but whether or not you "should" do this here is highly dependent on your environment and deployment.
Also, Michael is 100% accurate: there is no hard upper limit of iRules you may run on a given platform. It's all about resource utilization, so keep an eye on that and you'll be fine. You might check out the timing command to help with that.
Colin
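Pulling the thread together, here is an added example (not posted by anyone above, and not F5's own code) of the source-IP restriction hoolio describes, written for a port-21 VIP and with the non-default route-domain issue Omar and Aaron discuss handled by stripping the `%rd` suffix before the datagroup lookup. The datagroup name `allowed_clients_datagroup`, the pool name `ftp_pool`, the sample addresses and the tmsh syntax (v11+) are assumptions.

```tcl
# Added example, not from this thread: restrict an FTP (port 21) virtual server
# to the source addresses held in an address-type datagroup and log rejects.
#
# Create the datagroup first (tmsh, v11+ syntax assumed; addresses are constructed):
#   tmsh create ltm data-group internal allowed_clients_datagroup type ip \
#       records add { 203.0.113.10/32 { } 198.51.100.0/24 { } }

when CLIENT_ACCEPTED {
    # On a non-default route domain IP::client_addr carries a suffix such as
    # 10.1.1.5%2, which the class command does not match natively (see Aaron's
    # note above); keep only the address part before the lookup.
    set client_ip [getfield [IP::client_addr] "%" 1]

    # Not in the allow list: send a TCP reset and leave a line in /var/log/ltm
    # so the block can be confirmed while the contractor access is in place.
    if { not [class match $client_ip equals allowed_clients_datagroup] } {
        log local0. "FTP access denied for $client_ip to [IP::local_addr]:[TCP::local_port]"
        reject
        return
    }

    # Allowed client: hand the connection to the FTP pool (assumed name).
    pool ftp_pool
}
```

Removing the temporary access later is then a matter of deleting the contractor's record from the datagroup rather than editing the iRule.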