
Access Control Based On Network or Host

Problem this snippet solves:

The iRule allows administrators to allow or deny access to a virtual server based on the source IP address or network, the destination IP address or network, and the destination port.

How to use this snippet:

The rule expects the following four datagroups to be defined: admin_datagroup, restricted_client_datagroup, destination_IP_datagroup and destination_port_datagroup. Admin clients are able to access any destination host or port. Restricted clients can only request hosts/networks defined in destination_IP_datagroup on ports defined in destination_port_datagroup. Note that static::drop_unknown_sources is set to 0 in RULE_INIT as shipped, so connections that match neither group are logged as rejected but still pass through the virtual server; set it to 1 to actually drop them.

Code :

### data groups ###
class admin_datagroup {
   network 10.10.0.0/16
   host 10.20.1.1
}
class restricted_client_datagroup {
   network 10.30.0.0/16
   host 10.40.1.1
}
class destination_IP_datagroup {
   network 192.168.1.0/24
   host 192.168.2.1
}
class destination_port_datagroup {
   22
   80
   443
}

### iRule Source ###
# wildcard_acl_rule
#
# v2.0 - 28 Dec 2010
#
# BIG-IP versions 10.x (tested on 10.2.1)
#
# Purpose: 
#   This rule should be added to a network virtual server to catch all requests
#   which don't match a more specific virtual server.  This allows for centralized
#   management of access through the BIG-IP.  The rule will optionally log rejected
#   and accepted requests. By default, log entries are written to /var/log/ltm.
#
#   The rule expects the following four datagroups to define which admin, 
#   restricted hosts/networks should be allowed to connect to which destination 
#   hosts/networks and to which destination ports.
#
#   Admin clients are able to access any destination host or port.  
#   Restricted clients can only request hosts/networks defined in 
#   destination_IP_datagroup on ports defined in destination_port_datagroup
#
#   The datagroup names should be:
#
#   admin_datagroup
#   restricted_client_datagroup
#   destination_IP_datagroup
#   destination_port_datagroup
#

# This event is triggered when the rule is saved
when RULE_INIT {

   # Drop unknown source IP addresses?  0 = no, 1 = yes
   set static::drop_unknown_sources 0
   
   # Log accepted requests?  0 = no, 1 = yes
   set static::log_accepted_requests 1

   # Log dropped (or, when dropping is disabled, merely rejected-logged) requests?  0 = no, 1 = yes
   set static::log_dropped_requests 1

}

# This event is triggered when a client - BIG-IP TCP connection is established
when CLIENT_ACCEPTED {

   # Is client IP address defined in the admin_datagroup?   
   if { [class match [IP::client_addr] equals admin_datagroup] }{
      
      # Log accepted admin request
      if {$static::log_accepted_requests==1}{

         # Log the client IP address:port -> destination IP address:port 
         log local0. "admin request accepted from client: \
                [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      }

   } elseif { ( [class match [IP::client_addr] equals restricted_client_datagroup] )
      and ( [class match [IP::local_addr] equals destination_IP_datagroup]) 
      and [class match [TCP::local_port] equals destination_port_datagroup]}{

      # Client IP address is defined in the restricted_client_datagroup
      # and requested IP address is defined in the destination_IP_datagroup
      # and requested port is defined in the destination_port_datagroup
      # so the request will not be dropped

      if {$static::log_accepted_requests==1}{

         # Log the client IP address:port -> destination IP address:port 
         log local0. "restricted client request accepted from client: \
                [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      }

   } else {

      # Request didn't match the conditions for allowing the request
      if {$static::log_dropped_requests==1}{

         # Log the client IP address:port -> destination IP address:port
         log local0. "unknown request rejected from client: \
                [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      }

      # Drop the connection only if the option is enabled; with the default of 0 the
      # connection is logged as rejected above but still allowed through.
      # Could also send a reset using 'reject' instead of 'drop'.
      if {$static::drop_unknown_sources==1}{
         drop
      }
   }
}
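Before adding the rule to a wildcard virtual server it is worth checking what the four datagroups actually allow. The following Python script is an added example, not part of the original iRule or of any BIG-IP software: it replays the CLIENT_ACCEPTED branch order above against a constructed copy of the datagroups so the policy can be unit-tested offline. The datagroup contents are copied from this page, the sample flows are constructed for the example, and `class match ... equals` on an address datagroup is modelled as a host/subnet containment test.

```python
import ipaddress

# Constructed copy of the four datagroups defined above (same entries as
# the bigip.conf classes on this page), kept as strings so the model can be
# edited alongside the real configuration.
DATA_GROUPS = {
    "admin_datagroup": ["network 10.10.0.0/16", "host 10.20.1.1"],
    "restricted_client_datagroup": ["network 10.30.0.0/16", "host 10.40.1.1"],
    "destination_IP_datagroup": ["network 192.168.1.0/24", "host 192.168.2.1"],
    "destination_port_datagroup": ["22", "80", "443"],
}


def parse_address_group(entries):
    """Convert 'network a.b.c.d/n' and 'host a.b.c.d' entries to ip_network objects.

    A bare host address becomes a /32 (or /128) network, so a single
    containment test covers both entry types.
    """
    networks = []
    for entry in entries:
        kind, value = entry.split()
        if kind not in ("network", "host"):
            raise ValueError(f"unsupported data group entry: {entry!r}")
        networks.append(ipaddress.ip_network(value, strict=False))
    return networks


def address_matches(addr, group_name):
    """Model of '[class match $addr equals <address datagroup>]'."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in parse_address_group(DATA_GROUPS[group_name]))


def port_matches(port, group_name):
    """Model of '[class match [TCP::local_port] equals destination_port_datagroup]'."""
    return str(port) in DATA_GROUPS[group_name]


def evaluate(client_addr, local_addr, local_port, drop_unknown_sources=0):
    """Replay the CLIENT_ACCEPTED decision for one flow.

    Returns (verdict, log_line) where verdict is one of 'allow-admin',
    'allow-restricted', 'allow-unknown' (logged as rejected but passed, the
    iRule's default) or 'drop' (drop_unknown_sources == 1).
    """
    flow = f"{client_addr} -> {local_addr}:{local_port}"
    if address_matches(client_addr, "admin_datagroup"):
        return "allow-admin", f"admin request accepted from client: {flow}"
    if (address_matches(client_addr, "restricted_client_datagroup")
            and address_matches(local_addr, "destination_IP_datagroup")
            and port_matches(local_port, "destination_port_datagroup")):
        return "allow-restricted", f"restricted client request accepted from client: {flow}"
    # Neither branch matched: the iRule always logs this as rejected, but only
    # calls 'drop' when static::drop_unknown_sources is 1.
    verdict = "drop" if drop_unknown_sources == 1 else "allow-unknown"
    return verdict, f"unknown request rejected from client: {flow}"


# Constructed sample flows (client, destination, port) and the verdict the
# policy is expected to give once drop_unknown_sources is set to 1.
SAMPLE_FLOWS = [
    ("10.10.5.5",  "172.16.0.1",   3389, "allow-admin"),       # admin network, any destination
    ("10.20.1.1",  "192.168.9.9",  8443, "allow-admin"),       # admin host, any destination
    ("10.30.1.2",  "192.168.1.10", 443,  "allow-restricted"),  # restricted -> allowed dest/port
    ("10.40.1.1",  "192.168.2.1",  22,   "allow-restricted"),  # restricted host -> allowed host
    ("10.30.1.2",  "192.168.1.10", 3389, "drop"),              # port not in port group
    ("10.30.1.2",  "192.168.3.1",  80,   "drop"),              # destination not in dest group
    ("172.16.9.9", "192.168.1.10", 80,   "drop"),              # source in neither group
]


def check_policy(flows=SAMPLE_FLOWS, drop_unknown_sources=1):
    """Return the (flow, expected, actual) tuples where the rule disagrees with the intent."""
    mismatches = []
    for client, dest, port, expected in flows:
        actual, _ = evaluate(client, dest, port, drop_unknown_sources)
        if actual != expected:
            mismatches.append(((client, dest, port), expected, actual))
    return mismatches


if __name__ == "__main__":
    for client, dest, port, _expected in SAMPLE_FLOWS:
        for flag in (0, 1):
            verdict, line = evaluate(client, dest, port, flag)
            print(f"drop_unknown_sources={flag}  {verdict:16} {line}")
    print("policy mismatches with dropping enabled:", check_policy())
    print("policy mismatches with the shipped default:", check_policy(drop_unknown_sources=0))
```

Running the script with the shipped default shows that every "unknown request rejected" log line still corresponds to an allowed connection; only with drop_unknown_sources set to 1 does check_policy() come back empty, which is the state the rule should be in before it is relied on as an ACL.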

Tested this on version:

10.2
Published Jan 30, 2015
Version 1.0

2 Comments

  • Hi,

    Is it possible to additionally set a client profile depending on the protocol the client is connecting with? If this is a TCP connection set a TCP profile, if UDP set a UDP profile?

    Thanks