Filtering traffic based on client ip address and URL

Question

Let's say I have a setup with &nbsp;same destination ip address(DNS ) for multiple URLs . This is accessed by multiple clients and there traffic is only separated at the pool level. Can we do any restriction on the GTM, so &nbsp;that client A cannot access client B if they type client B port number. Can we do something using Client A URL , their Source address and destination port number. If it's not possible onGTM, is it possible on LTM using traffic policies? &nbsp;Is there any better way to do this restriction in F5 LTM and GTM

paulius · Accepted Answer

InquisitiveMai Is the port number in the clients request or on the server side.
*** DNS records ***client1.example.com 300 IN A 1.1.1.1client2.example.com 300 IN A 1.1.1.1
*** Clients side request example with port ***https://client1.example.com:49152 -&gt; F5 VS listening on 1.1.1.1:49152 -&gt; pool members listening on &lt;private_IP&gt;:443https://client2.example.com:49153 -&gt; F5 VS listening on 1.1.1.1:49153 -&gt; pool members listening on &lt;private_IP&gt;:443
*** Server side request example with port ***https://client1.example.com -&gt; F5 VS listening on 1.1.1.1:443 -&gt; pool member listening on &lt;private_IP&gt;:49152https://client2.example.com -&gt; F5 VS listening on 1.1.1.1:443 -&gt; pool member listening on &lt;private_IP&gt;:49153
In either of the client situation you can create an iRule that drops all hosts requests that are not for that specific client which will prevent from using the incorrect port for the associated client FQDN. In the second example if the client defined an alternate port the traffic would timeout because the F5 isn't listening on that port and it's the servers that are listening on the respective port behind the F5. You can create an iRule that says if host X comes in send them to pool X and if host Y comes in send them to pool Y. The irules would be the following, first the client and second the server.
# This is the iRule for client1.example.com Virtual Server
when CLIENT_ACCEPTED priority 500 {

set DEFAULT_POOL [LB::server pool]

}

when HTTP_REQUEST priority 500 {

set HOST [HTTP::uri]

if { ${HOST} != "client1.example.com" } {
        drop
    }

}# This is the iRule for client2.example.com Virtual Server
when CLIENT_ACCEPTED priority 500 {

set DEFAULT_POOL [LB::server pool]

}

when HTTP_REQUEST priority 500 {

set HOST [HTTP::uri]

if { ${HOST} != "client2.example.com" } {
        drop
    }

}# This is the iRule for combine Virtual Server listening on 443
when CLIENT_ACCEPTED priority 500 {

set DEFAULT_POOL [LB::server pool]

}

when HTTP_REQUEST priority 500 {

set HOST [HTTP::uri]

switch --glob ${HOST} {
        "client1.example.com {
            pool POOL_client1_49152
        }
        "client2.example.com {
            pool POOL_client2_49153
        }
        default {
            # This is used if you have a generic website configured to direct clients to you for services
            pool ${DEFAULT_POOL}
        }
    }

}
If you can provide additional detail on the example communication flow we should be able to come up with a better iRule that will work for you. Please also keep in mind that when dealing with HTTPS communication this iRule would require that you are perform SSL termination on the F5.

inquisitivemai · Answer

It is server side connection i.e request comes on https and then it hits a datagroup with a string of url and goes to the pool listening on ex: 49152 for client 1 and 49153 for client 2. Can we do something using traffic policies.

Option 1) Getting out of the datagroups and Creating a traffic policy with the filtreing based on client and URL

Option 2) Can we use anything along with the datagroup to filter traffic based on the client and URL and drop other clients who are not eligible to access the URL

paulius · Answer

InquisitiveMai I do not know how to configure the traffic policy equivalent but the following is the iRule that you can use most likely.
when CLIENT_ACCEPTED  priority 500 {

set DEFAULT_POOL [LB::server pool]

}

when HTTP_REQUEST priority 500 {

set HOST [HTTP::host]

if { [class match -- ${HOST} == CLASS-customer-sites] } {

set TEMP_POOL [class match --value ${HOST} == CLASS-customer-sites]

pool ${TEMP_POOL}

} else {
        pool ${DEFAULT_POOL}
    }

}
This one is what the data-group should look like.
ltm data-group internal CLASS-customer-sites {
    records {
        client1.example.com {
            data POOL_client1_49152
        }
        client2.example.com {
            data POOL_client2_49153
        }
    }
    type string
}

leslie_hubertus · Answer

InquisitiveMai&nbsp;- did the iRule&nbsp;Paulius&nbsp;shared help you out, or are you still trying to find a solution? If it helped, can you please hit the Solution Accepted button on his post so future users with the same challenge can easily find the answer?

Forum Discussion

Filtering traffic based on client ip address and URL

4 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

Related Content

fellow traffic

Decoding the IPv4 address from the persistence cookie

CSV to Address External Datagroup File

SNAT IP address logging

Block traffic