iRule for IP restriction with multiple virt servers and multiple DGL of allowed IPs.

Tim_V
Nimbostratus

I have read through a multitude of threads, but my scenario seems a little unique.

A little background so it all makes sense.

We serve multiple customers with their own site, each site is a virt server and we are using the header to match rather than a single IP per site.

Each customer has a unique data group list of allowed IPs. We did not want a single list of allowed IPs in case a customer was emailed an incorrect URL by mistake, or just started browsing other DNS records for the domain, etc.

We are changing our monitoring company and I would like to have a second data group list of IPs that are allowed, so that any time there is a change for a source IP of monitoring, one of our offices, etc., we don't have to touch 100 lists. The current iRule we are using is:

when HTTP_REQUEST priority 100 {
    # This iRule checks whether the client request is for SITE.DOMAIN.COM and the client
    # source IP is NOT a member of the specified data group, which is a list of allowed IPs.
    # If the client IP matches the list of allowed IPs the web page is served; if it
    # doesn't, the COMPANY IP Forbidden page is returned instead.
    # Note: HTTP::host is lowercased before the comparison, so the literal must be lowercase too.
    if { ( [string tolower [HTTP::host]] equals "1000-t01.domain.com" ) and not ( [class match [IP::client_addr] equals COMPANY-1000-CUSTOMER-DG-Allow ] ) } {
        # log local0. "Invalid CUSTOMER client IP: [IP::client_addr] - Blocking traffic"
        HTTP::respond 200 content [ifile get COMPANY_ip_forbidden]
        after 50 drop
        event disable
    }
}

How do I add the second data group, and allow if the source IP is in either of the two data groups?

2 REPLIES

Tim_V
Nimbostratus

To clarify the last sentence: I know how to create the data group list; how do I add it into the iRule?

Something like the below. Modify the datagroup name accordingly.

when HTTP_REQUEST priority 100 {
    # Block unless the client IP is in the customer's own data group OR the new
    # monitoring company's data group. The host literal is lowercase to match
    # the lowercased HTTP::host value.
    if { ( [string tolower [HTTP::host]] equals "1000-t01.domain.com" ) and ( not ( [class match [IP::client_addr] equals COMPANY-1000-CUSTOMER-DG-Allow ] or [class match [IP::client_addr] equals newmonitorcompany-DG-Allow ] ) ) } {
        # log local0. "Invalid CUSTOMER client IP: [IP::client_addr] - Blocking traffic"
        HTTP::respond 200 content [ifile get COMPANY_ip_forbidden]
        after 50 drop
        event disable
    }
}
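The reply above fixes one virtual server; the thread's real problem is 100 near-identical iRules that differ only in hostname and data group. One iRule that covers every site, added here as an example and not code from the original post: it assumes a string data group (hypothetical name host_to_allowlist_dg) whose keys are lowercase hostnames and whose values are the per-customer address data group names, plus one shared address data group (hypothetical name shared-monitoring-DG-Allow) for monitoring and office IPs. A request is allowed when the client IP is in either list; a host with no mapping fails closed.

```tcl
when HTTP_REQUEST priority 100 {
    # Added example (not the poster's iRule). Assumed data groups:
    #   host_to_allowlist_dg (string): lowercase hostname -> per-customer address DG name,
    #       e.g. "1000-t01.domain.com" := "COMPANY-1000-CUSTOMER-DG-Allow"
    #   shared-monitoring-DG-Allow (address): monitoring/office IPs shared by every site
    set host [string tolower [HTTP::host]]
    set ip   [IP::client_addr]

    # Look up which per-customer allow list applies to this Host header.
    # class match -value returns the mapped DG name, or "" when the host is not in the map.
    set customer_dg [class match -value $host equals host_to_allowlist_dg]

    if { $customer_dg eq "" } {
        # Fail closed: a host with no allow list configured gets the forbidden page,
        # so a mis-typed or not-yet-onboarded hostname never exposes a site.
        log local0. "No allow list mapped for host $host (client $ip) - blocking"
        HTTP::respond 403 content [ifile get COMPANY_ip_forbidden] "Connection" "close"
        return
    }

    # Allow if the source IP is in the customer's own list OR the shared list.
    if { [class match $ip equals $customer_dg] or [class match $ip equals shared-monitoring-DG-Allow] } {
        return
    }

    # Neither list matched: log the denial (handy while cutting monitoring over) and block.
    # 403 rather than 200 keeps the block visible to monitoring and in the LTM logs.
    log local0. "Client $ip not in $customer_dg or shared-monitoring-DG-Allow for $host - blocking"
    HTTP::respond 403 content [ifile get COMPANY_ip_forbidden] "Connection" "close"
    return
}
```

Because the per-customer data group name comes from a variable, BIG-IP cannot record the dependency at save time; a mapping that points at a deleted or mis-typed data group raises a runtime Tcl error, which aborts the iRule (the connection is reset) and is logged in the LTM log, so it still fails closed but is worth checking after edits.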