Forum Discussion
d_feike_266546
Nimbostratus
May 10, 2017
restrict uri path for any IP except defined subnets
Hi guys,
I am working on a pretty simple iRule, but it works the opposite of what I intended. I want to limit access to a URI to internal subnets and any external connection from the internet shall not...
Leonardo_Souza
Cirrocumulus
May 10, 2017
For this case, a datagroup is better for keeping the code simple and making it easy to add new IPs or networks. I haven't tried to understand what is wrong with your iRule, as I just wrote a better version.
Here is an iRule with your requirements, with some changes so I could test in my lab:
when HTTP_REQUEST {
    # Case-insensitive prefix match on the request path
    if { [string tolower [HTTP::path]] starts_with "/admin" } {
        # Drop the request unless the client address is in the data group
        if { not ( [class match [IP::client_addr] equals "datagroup-ip"] ) } {
            log local0. "Client Source IP: [IP::client_addr]:[TCP::client_port]"
            discard
        }
    }
}

Just create a data group called datagroup-ip, or any name you want as long as you change the name in the iRule. This is a simple datagroup type address.
ltm data-group internal datagroup-ip {
    records {
        10.0.0.30/32 { }
    }
    type ip
}
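
The allow/drop decision of the iRule above, modelled in Python as an added example (not code from this thread), so a table of paths and client addresses can be checked before the rule is attached to a virtual server. The 192.168.10.0/24 record and the sample requests are constructed values, and the function names are hypothetical.

```python
import ipaddress

# Stand-in for the "datagroup-ip" address data group. 10.0.0.30/32 is the
# record shown in the thread; 192.168.10.0/24 is a constructed sample subnet.
DATAGROUP_IP = [ipaddress.ip_network(n)
                for n in ("10.0.0.30/32", "192.168.10.0/24")]
PROTECTED_PREFIX = "/admin"


def in_datagroup(client_addr, datagroup=DATAGROUP_IP):
    """Model of `class match <addr> equals <address data group>`:
    true when the address falls inside any host or network record."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in net for net in datagroup)


def decide(path, client_addr):
    """Return 'discard' or 'pass', following the iRule's two nested checks.
    `path` is the request path without the query string."""
    if path.lower().startswith(PROTECTED_PREFIX):
        if not in_datagroup(client_addr):
            return "discard"
    return "pass"


# Constructed sample requests: (path, client address)
SAMPLE_REQUESTS = [
    ("/admin/login", "10.0.0.30"),      # listed host
    ("/admin", "192.168.10.55"),        # inside the listed subnet
    ("/Admin/users", "203.0.113.7"),    # mixed case, outside address
    ("/administrator", "198.51.100.4"), # prefix match also covers this path
    ("/index.html", "203.0.113.7"),     # unprotected path
]


def run_samples(samples=SAMPLE_REQUESTS):
    """Evaluate every sample and return (path, address, decision) tuples."""
    return [(p, ip, decide(p, ip)) for p, ip in samples]


if __name__ == "__main__":
    for path, ip, decision in run_samples():
        print(f"{decision:8} {ip:15} {path}")
```

Because the check is a prefix match, any path that merely begins with /admin (such as /administrator) is restricted too; the fourth sample makes that visible.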
