nitass
Jan 14, 2013Employee
Question: can you help me with how to include an IP filter that only allows certain IP addresses to access the pool? Should I use matchclass? How do I include it in the iRule? — Answer: you should use the "class" command.
e.g.
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
destination 172.28.20.14:443
ip-protocol tcp
mask 255.255.255.255
pool foo
profiles {
clientssl {
context clientside
}
http { }
tcp { }
}
rules {
myrule
}
source 0.0.0.0/0
source-address-translation {
type automap
}
vlans-disabled
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
when CLIENT_ACCEPTED {
    # Source-IP allow-list for virtual "bar": the client address is looked up
    # in the data-group "allow_ip_class" (type ip, whose records are CIDR
    # prefixes such as 192.168.206.33/32).  CLIENT_ACCEPTED fires once per
    # TCP connection, so the check runs before any HTTP data is read.  The
    # virtual itself accepts "source 0.0.0.0/0", so this lookup is the only
    # source restriction in place.  "--" ends option parsing for class so the
    # address is never interpreted as a flag.
    if { [class match -- [IP::client_addr] equals allow_ip_class] } {
        log local0. "[IP::client_addr]:[TCP::client_port] is accepted"
    } else {
        # Not listed: record the source in /var/log/ltm and send a TCP reset.
        log local0. "[IP::client_addr]:[TCP::client_port] is rejected"
        reject
    }
}
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group internal allow_ip_class
ltm data-group internal allow_ip_class {
records {
192.168.206.33/32 { }
}
type ip
}
[root@ve11a:Active:Changes Pending] config tail -f /var/log/ltm
Jan 14 14:24:29 ve11a info tmm[11170]: Rule /Common/myrule : 172.28.19.251:48999 is rejected
Jan 14 14:24:36 ve11a info tmm1[11170]: Rule /Common/myrule : 192.168.206.33:54606 is accepted