Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

iRule to drop Public IP access to DNS Wide-ip

kridsana
Cirrocumulus
Cirrocumulus

‎18-May-2022 03:12 - edited ‎18-May-2022 03:15

We have wide-ip "abc01.example.com" which we want only to access from internal user (private ip)

Do we have iRule to drop only public ip and allow private ip on that wide-ip?

So when nslookup to "abc01.example.com" via public ip, F5 drop
and when nslookup to "abc01.example.com" via private ip, F5 allow

Thank you

Labels:
0 Kudos
3 REPLIES 3

kridsana
Cirrocumulus
Cirrocumulus

‎18-May-2022 03:18 - edited ‎18-May-2022 03:18

or can we create DNS pool with no member?
So I can create Topology LB and check for source IP,,
If Source IP is Private IP > choose Pool A
If Source IP is not Private IP > choose Pool B (Which have no member = return no IP)

I try to create pool with no member but F5 mark status down

0 Kudos

Sebastiansierra
MVP
MVP

‎19-May-2022 09:31

Hi, 

You can create a data group with the subnets of your private network and then apply it to the listener, follow the next link to see the irule logic.

https://support.f5.com/csp/article/K42075438

0 Kudos

kridsana
Cirrocumulus
Cirrocumulus
In response to Sebastiansierra

‎20-May-2022 03:36

We can't do just that because we want to block public ip from only specific wide-ip (eg. abc01.example.com)
but user from public can resolve for abc02.example.com and more.

I think that we need iRule that check if client IP is private or not and also check if those client access to abc01.example.com or not.
e.g. 
if client not eq [private_ip_datagroup] && try to resolve wideip [abc01.example.com]
drop
else
return

Not sure if there is that irule though

0 Kudos
Copyright © 2023 Khoros, LLC