For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

DanS's avatar
DanS
Icon for Nimbostratus rankNimbostratus
Sep 12, 2019
Solved

Restrict Traffic To VIP By Subnet

I would like to restrict a subnet (192.168.1.0/24) from accessing VIP: 10.10.10.10. Is this possible with a irule? I can only find ways on how to restrict traffic from a single IP and not a subnet. A...
iRules
security
  • jaikumar_f5's avatar
    jaikumar_f5
    Sep 13, 2019

    Just go with a datagroup with Irule method. So that you can add more IP's in the blacklist group on the file. You need not keep editing your irule.

    Create a datagroup called blacklist subnet, make sure its type IP.

    type: ip

    ltm data-group internal blacklist_subnet {
records {
20.20.20.0/32 { }
30.30.30.30/25 { }
}
type ip
}

    Then create your irule like below,

    when CLIENT_ACCEPTED {
if { [class match [IP::client_addr] eq blacklist_subnet] } {
	log local0. "Client IP - [IP::client_addr] is blacklisted. Dropped traffic"
    drop
}
}
DanS's avatar
DanS
Icon for Nimbostratus rankNimbostratus
Sep 13, 2019

Thanks Jaikumar and Faruk! The help is much appreciated!

 

The data group intrigues me. I don't see an option to create an "IP" type data group. The options I have are address, string, integer, and external file.

 

DanS's avatar
DanS
Icon for Nimbostratus rankNimbostratus
Sep 13, 2019

Thanks I got it figured out with the data groups. Your example was command line instead of GUI so it threw me off. Thanks again for your help!