Forum Discussion
player_72606
Nimbostratus
Jul 19, 2009
uri by source ip
Hi all,
newbie here :-)
I need help writing an iRule to filter URI by source IP:
for uri /web/admin=1 - source ip 1.1.1.1
for uri /web/admin=0 - all others
when HTTP_REQUEST {
if { [URI::decode [string tolower [HTTP::uri]]] contains "web/admin=1"
}
{
if {[matchclass [IP::remote_addr] equals $::management_ip]
}
{
log local0.info "Allowed client to uri: [IP::remote_addr] requesting: [HTTP::uri]"
}
else
redirect{ [URI::decode [string tolower [HTTP::uri]]] contains "web/admin=0"
{
log local0.info "not web manager: [IP::remote_addr] requesting: [HTTP::uri]"
}
}
what's wrong here?
6 Replies
- player_72606
Nimbostratus
missing close brace........
- player_72606
Nimbostratus
Is this the right way to do this?
- player_72606
Nimbostratus
The IP restriction should be based on the parameter in the URI:
uri - /web/admin.aspx?login=1 permitted to source ip 1.1.1.1
uri - /web/admin.aspx?login=2 permitted to any source ip
Any ideas?
- hoolio
Cirrostratus
Hi,
Do you want to only allow requests to /web/admin.aspx with a parameter login=1 to a single IP address? What do you want to do if a request is made for this path with login=1 from a disallowed client IP address?
Here is an example to get you started:
when HTTP_REQUEST {

   # Check requested path
   if {[string tolower [URI::decode [HTTP::path]]] eq "/web/admin.aspx"} {

      # Check login parameter value
      if {[URI::query [HTTP::uri] "login"] eq "1"} {

         # Request to restricted resource. Check if client IP is not 1.1.1.1
         if {not ([IP::addr [IP::client_addr] equals 1.1.1.1])} {

            # Take some action to prevent request?

            # Rewrite login=1 to login=2
            HTTP::uri [string map {login=1 login=2} [HTTP::uri]]

            # Redirect client to rewritten URI?
            HTTP::redirect [string map {login=1 login=2} [HTTP::uri]]
         }
      }
   }
}
Aaron
- player_72606
Nimbostratus
Only source IP 1.1.1.1 should be allowed to access =1;
all other sources should be discarded.
If source IP 1.1.1.1 is requesting to access =0,
discard the request.
- hoolio
Cirrostratus
To discard a connection, you can use the discard command. I'm not sure I understand the exact logic you're trying to implement, but hopefully the example I added above will be enough for you to get started. If you run into problems, try adding log statements to the iRule to see what conditions are being met. The log output will be written to /var/log/ltm by default.
Aaron
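The policy described in the last exchange, sketched as an iRule; this is an added example, not code posted by anyone in the thread. It assumes the path /web/admin.aspx and the login parameter from the earlier replies, and reads the asker's last post as: login=1 is accepted only from 1.1.1.1, and login=0 from 1.1.1.1 is discarded.

```tcl
# Added example, not from the thread. Assumed policy (from the asker's
# last post): login=1 only from 1.1.1.1; login=0 from 1.1.1.1 is discarded.
when HTTP_REQUEST {
    # Compare the decoded, lower-cased path so /WEB/Admin.aspx and
    # percent-encoded spellings of the path reach the same check.
    if { [string tolower [URI::decode [HTTP::path]]] ne "/web/admin.aspx" } {
        return
    }

    # Decode the parameter value as well, so login=%31 is treated as login=1
    # instead of slipping past a literal comparison.
    set login [URI::decode [URI::query [HTTP::uri] "login"]]
    set is_mgmt [IP::addr [IP::client_addr] equals 1.1.1.1]

    if { $login eq "1" && !$is_mgmt } {
        log local0.info "Discarded login=1 from [IP::client_addr]: [HTTP::uri]"
        discard
        return
    }
    if { $login eq "0" && $is_mgmt } {
        log local0.info "Discarded login=0 from [IP::client_addr]: [HTTP::uri]"
        discard
        return
    }

    # Everything else on this path is passed through and logged.
    log local0.info "Allowed [IP::client_addr] requesting: [HTTP::uri]"
}
```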
