Donald_William1
Nimbostratus
Feb 03, 2006
Selectively forward or drop source for IP Forwarding Virtual Server
Ok. I have a Forwarding (IP) network virtual server for a /24 network. I want to block all sources except for a select few. Here is what I have.
class dg_source {
    host 10.10.10.10
    host 10.10.10.11
}
rule ir_filter-source {
    when CLIENT_ACCEPTED {
        # allow only client addresses listed in the dg_source data group
        if {[matchclass [IP::client_addr] equals $::dg_source]} {
            forward
        } else {
            # everything else is silently discarded
            drop
        }
    }
}
virtual vs-fwip_192.168.10.0-mask-24 {
    destination 192.168.10.0:any
    ip forward
    mask 255.255.255.0
    rule ir_filter-source
    vlans vl_100 enable
}
Without the iRule, traffic forwards fine. When I apply the iRule I cannot connect. Please help.
- Have you added any logging statements to find out what's going on in your iRule? That's the first thing you should do, because without some sort of message flow tracing there isn't much we can do here.
when CLIENT_ACCEPTED {
    log local0. "checking for address [IP::client_addr] in dg_source list"
    if {[matchclass [IP::client_addr] equals $::dg_source]} {
        log local0. "address [IP::client_addr] is being allowed through"
        forward
    } else {
        log local0. "address [IP::client_addr] not valid, dropping connection"
        drop
    }
}
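To check the allow/drop decision and the expected log lines offline before loading the iRule, here is an added Python model of the reply's logic (not code from the thread or from F5). It goes beyond the post in one labelled way: the constructed dg_source stand-in also holds a network entry, since address data groups can contain subnets as well as hosts, and the 10.10.20.0/24 entry is an assumption for illustration only.

```python
import ipaddress

# Constructed stand-in for the "dg_source" address data group from the post.
# The two host entries come from the post; the network entry is an added
# assumption showing that an address data group may also hold subnets.
DG_SOURCE = [
    ipaddress.ip_network("10.10.10.10/32"),
    ipaddress.ip_network("10.10.10.11/32"),
    ipaddress.ip_network("10.10.20.0/24"),   # assumed "network" entry
]


def in_data_group(client_addr: str, group=DG_SOURCE) -> bool:
    """Models [matchclass [IP::client_addr] equals $::dg_source]: true when the
    client address is a listed host or falls inside a listed network."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in net for net in group)


def filter_source(client_addr: str, group=DG_SOURCE) -> tuple[str, str]:
    """Models the CLIENT_ACCEPTED event: returns (action, log line) where the
    action is "forward" or "drop" and the line matches the reply's log format."""
    if in_data_group(client_addr, group):
        return "forward", f"address {client_addr} is being allowed through"
    return "drop", f"address {client_addr} not valid, dropping connection"


def run_sample() -> dict:
    """Runs constructed client addresses through the filter; returns addr -> action."""
    sample = ["10.10.10.10", "10.10.10.12", "10.10.20.77", "192.168.1.5"]
    results = {}
    for addr in sample:
        action, line = filter_source(addr)
        print(f"checking for address {addr} in dg_source list -> {action}: {line}")
        results[addr] = action
    return results


if __name__ == "__main__":
    run_sample()
```

Comparing these lines with what appears in /var/log/ltm after the iRule loads tells you whether the data group contents, not the rule syntax, are what is blocking a source.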
- Donald_William1
Nimbostratus
Well, it appears to work now. I added the logging for local0 and it started working. I then removed it and it still works. Must have been a syntax error, an unneeded space.