Forum Discussion
Restrict Traffic To VIP By Subnet
- Sep 13, 2019
Just go with a datagroup with iRule method, so that you can add more IPs in the blacklist group on the file. You need not keep editing your iRule.
Create a datagroup called blacklist_subnet; make sure its type is IP.
type: ip
```
ltm data-group internal blacklist_subnet {
    records {
        20.20.20.0/32 { }
        30.30.30.30/25 { }
    }
    type ip
}
```
Then create your iRule like below:
```tcl
when CLIENT_ACCEPTED {
    # Drop the connection when the client address matches a record in the data group
    if { [class match [IP::client_addr] equals blacklist_subnet] } {
        log local0. "Client IP - [IP::client_addr] is blacklisted. Dropped traffic"
        drop
    }
}
```
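An added example, not part of the thread and not F5 code: a Python check that reads the data-group stanza posted above and reports what each record covers under standard CIDR rules, so single-host entries and entries with host bits set can be reviewed before the list is loaded. The function names are hypothetical, and how BIG-IP itself treats a record with host bits set is not stated in the thread, so the script only applies ordinary CIDR masking.

```python
import ipaddress
import re

# Constructed sample input: the data-group stanza as posted in the thread.
STANZA = """ltm data-group internal blacklist_subnet {
    records {
        20.20.20.0/32 { }
        30.30.30.30/25 { }
    }
    type ip
}"""

# A record key is an address with an optional /prefix, followed by "{".
RECORD_RE = re.compile(r"^\s*([0-9A-Fa-f:.]+(?:/\d+)?)\s*\{", re.M)

def parse_records(stanza):
    """Return the record keys found in a tmsh data-group stanza."""
    return RECORD_RE.findall(stanza)

def audit(records):
    """Return (record, covered network, notes) using standard CIDR rules."""
    report = []
    for rec in records:
        net = ipaddress.ip_network(rec, strict=False)  # masks off host bits
        notes = []
        if ipaddress.ip_interface(rec).ip != net.network_address:
            notes.append("host bits set")
        if "/" in rec and net.num_addresses == 1:
            notes.append("single host, not a subnet")
        report.append((rec, str(net), notes))
    return report

def is_listed(client_ip, records):
    """True if client_ip falls inside any record's network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in records)

if __name__ == "__main__":
    recs = parse_records(STANZA)
    for rec, net, notes in audit(recs):
        print(f"{rec:18} covers {net:18} {', '.join(notes) or 'ok'}")
    for ip in ("20.20.20.0", "20.20.20.5", "30.30.30.100", "30.30.30.200"):
        print(ip, "listed" if is_listed(ip, recs) else "not listed")
```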
Thanks Jaikumar and Faruk! The help is much appreciated!
The data group intrigues me. I don't see an option to create an "IP" type data group. The options I have are address, string, integer, and external file.
Thanks I got it figured out with the data groups. Your example was command line instead of GUI so it threw me off. Thanks again for your help!