Forum Discussion
restrict uri path for any IP except defined subnets
Hi guys,
I am working on a pretty simple iRule, but it works the opposite way to what I intended. I want to limit access to a URI to internal subnets; any external connection from the internet shall not have access. Can someone point me in the right direction?
when HTTP_REQUEST {
    if { [string tolower [HTTP::path]] contains "/home/status" } {
        if { not ( ( [IP::addr [IP::client_addr] equals 172.30.31.32/27] ) or
                   ( [IP::addr [IP::client_addr] equals 10.100.0.0/14] ) or
                   ( [IP::addr [IP::client_addr] equals 10.99.0.0/16] ) or
                   ( [IP::addr [IP::client_addr] equals 192.168.21.0/24] ) or
                   ( [IP::addr [IP::client_addr] equals 192.168.129.0/24] ) or
                   ( [IP::addr [IP::client_addr] equals 192.168.130.0/24] ) or
                   ( [IP::addr [IP::client_addr] equals 10.85.17.157/32] ) or
                   ( [IP::addr [IP::client_addr] equals 10.204.0.0/15] ) or
                   ( [IP::addr [IP::client_addr] equals 10.200.0.0/14] ) or
                   ( [IP::addr [IP::client_addr] equals 10.192.0.0/13] ) or
                   ( [IP::addr [IP::client_addr] equals 10.128.0.0/10] ) or
                   ( [IP::addr [IP::client_addr] equals 10.99.0.0/16] ) or
                   ( [IP::addr [IP::client_addr] equals 10.104.0.0/13] ) or
                   ( [IP::addr [IP::client_addr] equals 10.112.0.0/12] ) or
                   ( [IP::addr [IP::client_addr] equals 10.101.0.0/16] ) ) } {
            log local0. "Client Source IP: [IP::client_addr]:[TCP::client_port]"
        } {
            # no "else" keyword: Tcl treats this third block as the else branch
            discard
        }
    }
}
Thanks in advance, David
- Leonardo_Souza
For this case, a data group is better for keeping the code simple and making it easy to add new IPs or networks. I haven't tried to understand what is wrong with your iRule, as I just wrote a better version.
Here is an iRule with your requirements, with some changes so I could test in my lab:
when HTTP_REQUEST {
    if { [string tolower [HTTP::path]] starts_with "/admin" } {
        if { not ( [class match [IP::client_addr] equals "datagroup-ip"] ) } {
            log local0. "Client Source IP: [IP::client_addr]:[TCP::client_port]"
            discard
        }
    }
}
Just create a data group called datagroup-ip, or any name you want as long as you change the name in the iRule. This is a simple data group of type address.
ltm data-group internal datagroup-ip {
    records {
        10.0.0.30/32 { }
    }
    type ip
}