To block some specific traffic from F5 for specific virtual directory

Hi Pankaj,

You can try to implement this type of logic in an iRule, but it may be simple to bypass:

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=30900

That said, here is an example that could provide some protection. First, create an address data group containing the hosts and networks which can access /bac*. Then use an iRule like this which references a data group named allowed_hosts_dg:

when HTTP_REQUEST {

switch -glob [string tolower [HTTP::path]] {
"/bac*" {
if {not [class match [IP::client_addr] equals allowed_hosts_dg]}{
HTTP::respond 403 content {Blocked!}
}
}
}
}

Aaron

I never create iRule this is first time so please can you send me acctual iRule with below example:

 

 

Site: https://www.xyz.com/bac

 

Allowed below host:

 

174.26.53.0/24

 

172.56.36.2

 

175.63.54.0/24

 

Block: all others

 

 

Site: https://wwww.xyz.com

 

Allowed for any

 

 

So we require only filter for /bac virtual directory all other site running without any filter.

 

I never create iRule this is first time so please can you send me acctual iRule with below example:

 

 

Site: https://www.xyz.com/bac

 

Allowed below host:

 

174.26.53.0/24

 

172.56.36.2

 

175.63.54.0/24

 

Block: all others

 

 

Site: https://wwww.xyz.com

 

Allowed for any

 

 

So we require only filter for /bac virtual directory all other site running without any filter.

 

You can create the data group in the GUI under Local Traffic | iRules | Data group list | Create. Select a name of allowed_hosts_dg and a type of address. Then create the iRule using the code above and add that to the virtual server.

 

 

Aaron

is this iRule works for both http and https?

I am geeting error on iRule:

 

01070151:3: Rule [BAC_ALLOWD_IP_RULE] error:

 

line 5: [undefined procedure: class] [class match [IP::client_addr] equals BAC_ALLOWED_IP]

 

 

Which LTM version are you on? You can check in the GUI under System | General Properties | Version. If you're on 9.4.4 or higher, you can use this

9.4.4 - 9.4.8

when HTTP_REQUEST {
     Check the requested path set to lower case
    switch -glob [string tolower [HTTP::path]] {
        "/bac*" {
             Path started with /bac so check if client IP is in the allowed_hosts_dg data group
            if {not [matchclass [IP::client_addr] equals allowed_hosts_dg]}{
                 Send a 403 unauthorized response
                HTTP::respond 403 content {Blocked!}
                 Or you could reset the TCP connection
                reject
            }
        }
    }
}

9.4.3 and lower

when HTTP_REQUEST {
     Check the requested path set to lower case
    switch -glob [string tolower [HTTP::path]] {
        "/bac*" {
             Path started with /bac so check if client IP is in the allowed_hosts_dg data group
            if {not [matchclass [IP::client_addr] equals $::allowed_hosts_dg]}{
                 Send a 403 unauthorized response
                HTTP::respond 403 content {Blocked!}
                 Or you could reset the TCP connection
                reject
            }
        }
    }
}

Aaron

System is running with :BIG-IP 9.4.6 Build 401.0 Final but still getting below error, i have created the DG with BAC_ALLOWED_IP.

 

 

01070151:3: Rule [BAC_ONLY_ALLOWED] error:

 

line 7: [undefined procedure: match] [match class [IP::client_addr] equals BAC_ALLOWED_IP]

 

 

Sorry, it's matchclass not "match class". I edited the examples above with the correct command.

 

 

Aaron

Seeing this rule is a start to what I am currently needing but I have 4 folders that the Private_nets group need access to but external clients should not be allowed. Can I nest those into different rows for each directory?

 

 

Thanks in advance.