Forum Discussion
Virtual Server - Block IP
Hello,
We need to block several subnets for a particular virtual server. Is the best way to use an iRule? And can you please send me an example of an iRule we can use?
Thank you for the help!
- Faruk_AYDIN
Altostratus
In my opinion, the best way is to create an IP datagroup, then write an iRule like this:
Datagroup which defines denied client IP addresses/networks:

class denied_clients {
    network 10.0.0.0/8
    network 192.168.10.0/24
}

when CLIENT_ACCEPTED {
    # address-type data group lookup: matches the client against each host/network entry
    if { [class match [IP::client_addr] equals denied_clients] } {
        log local0. "client IP: [IP::client_addr] - discarded"
        discard
    }
}
To use a datagroup makes it easy to manage, whenever you want to add an IP subnet or delete an IP subnet, you can do it easily without touching to the iRule.
- Faruk_AYDIN
Altostratus
You can use switch command, like this
when CLIENT_ACCEPTED {
    switch [IP::client_addr] {
        "10.0.0.0/8" -
        "192.168.10.0/24" {
            log local0. "client IP: [IP::client_addr] - discarded"
            discard
        }
    }
}
- Stanislas_Piro2
Cumulonimbus
Hi,
without data group, you can create a list of denied networks:
when RULE_INIT {
    # list of denied networks, one CIDR entry per element
    set static::denied_clients {10.0.0.0/8 192.168.0.0/16}
}

when CLIENT_ACCEPTED {
    foreach subnet $static::denied_clients {
        # IP::addr compares the client address against a network/mask
        if { [IP::addr [IP::remote_addr] equals $subnet] } {
            log local0. "client IP: [IP::client_addr] - discarded"
            discard
            # stop after the first match so the connection is not logged twice
            return
        }
    }
}

Note: the switch command does not support network-with-netmask comparison.
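To make the difference between the `switch` approach and the `IP::addr` / data group approach concrete, here is an added example (not part of any reply above, and not BIG-IP code) that models both matching semantics offline with Python's ipaddress module; the deny list is constructed from the subnets quoted in the thread.

```python
import ipaddress

# Constructed deny list, mirroring the subnets used in the replies above.
DENIED_SUBNETS = ["10.0.0.0/8", "192.168.0.0/16"]


def switch_style_match(client_ip: str, denied: list) -> bool:
    """Plain string comparison, which is what a `switch` on [IP::client_addr]
    does: the client address "10.1.2.3" is never the literal "10.0.0.0/8",
    so a CIDR entry in the switch body never matches a real client."""
    return client_ip in denied


def cidr_match(client_ip: str, denied: list) -> bool:
    """Network-aware comparison, the behaviour of `IP::addr ... equals <cidr>`
    and of an address-type data group looked up with `class match`."""
    addr = ipaddress.ip_address(client_ip)
    for subnet in denied:
        net = ipaddress.ip_network(subnet, strict=False)
        # Address families must agree: an IPv6 client is never inside a v4 prefix.
        if addr.version == net.version and addr in net:
            return True
    return False


def decide(client_ip: str, denied: list = DENIED_SUBNETS) -> str:
    """Action the network-aware iRule would take for this client."""
    return "discard" if cidr_match(client_ip, denied) else "allow"


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.10.5", "172.16.0.1", "2001:db8::1"):
        print(ip, "switch:", switch_style_match(ip, DENIED_SUBNETS),
              "cidr:", cidr_match(ip, DENIED_SUBNETS), "->", decide(ip))
```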