Forum Discussion
sbadea_81872
Nimbostratus
NimbostratusRestricting access using irule
Is it possible to create an irule to restrict access to a certain ip range/hosts? I created a data group list containing a number of hosts ip addresses; need some help to create the irule. Can it look like this one?
when CLIENT_ACCEPTED {
if { [matchclass [IP::remote_addr] equals $::mylist] } {
pool my_pool
} else {
discard
hoolioCirrostratus
Hi there,
That would work fine. Just make sure to use an address type datagroup (called a class in the bigip.conf).when CLIENT_ACCEPTED { if { [matchclass [IP::remote_addr] equals $::mylist] } { pool my_pool } else { discard } }
Aaron
sbadea_81872Thanks. It worked just fine.
Fotios_30046This rule is just what I was looking for, however what if the data group contained networks instead of hosts. Can this same irule work?- Fotios_30046I tried it out and it works perfectly. I only adjusted the when CLIENT_ACCEPTED to when HTTP_REQUEST so that we could redirect them if they didn't meet the match.
miguel_61461how do you define "mylist" ?
Inside the irule or using the Data Group List ?
I tried to use it inside the irule, but did'nt found the right syntax. Then I used it in the Data Group List, but it's not easy to insert, when you have many datas to insert.- hoolioIt would be most efficient to add the IP's/subnets to a datagroup. You can either edit the bigip.conf file, or modify the class via the command line using 'bigpipe' or use an external class and a separate file. Try searching on AskF5.com for details on these options, or reply here if you get stuck.
Aaron