Access Control Based On Network or Host

Problem this snippet solves:

The iRule allows administrators to allow or deny access to a virtual server based on: source IP address or network destination IP address or network destination port

How to use this snippet:

The rule expects the following four datagroups to be defined: admin_datagroup restricted_client_datagroup destination_IP_datagroup destination_port_datagroup Admin clients are able to access any destination host or port. Restricted clients can only request hosts/networks defined in destination_IP_datagroup on ports defined in destination_port_datagroup

Code :

### data groups ###
class admin_datagroup {
   network 10.10.0.0/16
   host 10.20.1.1
}
class restricted_client_datagroup {
   network 10.30.0.0/16
   host 10.40.1.1
}
class destination_IP_datagroup {
   network 192.168.1.0/24
   host 192.168.2.1
}
class destination_port_datagroup {
   22
   80
   443
}

### Irule Source ###
# wildcard_acl_rule
#
# v2.0 - 28 Dec 2010
#
# BIG-IP versions 10.x (tested on 10.2.1)
#
# Purpose: 
#   This rule should be added to a network virtual server to catch all requests 
#   which  don't match a more specific virtual server.  This allows for centralized  
#   management of access through the BIG-IP.  The rule will optionally log rejected  
#   and accepted requests. By default, log entries are written to /var/log/ltm.
#
#   The rule expects the following four datagroups to define which admin, 
#   restricted hosts/networks should be allowed to connect to which destination 
#   hosts/networks and to which destination ports.
#
#   Admin clients are able to access any destination host or port.  
#   Restricted clients can only request hosts/networks defined in 
#   destination_IP_datagroup on ports defined in destination_port_datagroup
#
#   The datagroup names should be:
#
#   admin_datagroup
#   restricted_client_datagroup
#   destination_IP_datagroup
#   destination_port_datagroup
#

# This event is triggered when the rule is saved
when RULE_INIT {

   # Drop unknown source IP addresses?  0 = no, 1 = yes
   set static::drop_unknown_sources 0
   
   # Log accepted requests?  0 = no, 1 = yes
   set static::log_accepted_requests 1

   # Log accepted requests?  0 = no, 1 = yes
   set static::log_dropped_requests 1

}

# This event is triggered when a client - BIG-IP TCP connection is established
when CLIENT_ACCEPTED {

   # Is client IP address defined in the admin_datagroup?   
   if { [class match [IP::client_addr] equals admin_datagroup] }{
      
      # Log accepted admin request
      if {$static::log_accepted_requests==1}{

         # Log the client IP address:port -> destination IP address:port 
         log local0. "admin request accepted from client: \
                [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      }

   } elseif { ( [class match [IP::client_addr] equals restricted_client_datagroup] )
      and ( [class match [IP::local_addr] equals destination_IP_datagroup]) 
      and [class match [TCP::local_port] equals destination_port_datagroup]}{

      # Client IP address is defined in the restricted_clients_datagroup 
      # and requested IP address is defined in the destination_IP_datagroup
      # and requested port is defined in the destination_port_datagroup
      # so request will not be dropped

      if {$static::log_accepted_requests==1}{

         # Log the client IP address:port -> destination IP address:port 
         log local0. "restricted client request accepted from client: \
                [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      }

   } else {

      # Request didn't match the conditions for allowing the request
      if {$static::log_dropped_requests==1}{

         # Log the client IP address:port -> destination IP address:port
         log local0. "unknown request rejected from client: \
                [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      }

      # Drop request if the option is enabled.  Could also send a reset using 'reject'
      if {$static::drop_unknown_sources==1}{
         drop
      }
   }
}

Tested this on version:

10.2
Published Jan 30, 2015
Version 1.0
devops
iRules
  • Rafal_340671's avatar
    Rafal_340671
    Icon for Nimbostratus rankNimbostratus
    Nov 13, 2017

    Hi,

     

    is it possible to set additionally a client profile depending on protocol client is connecting to ? If this is a TCP connection set TCP profile if UDP set UDP ?

     

    Thanks