iRule to drop Public IP access to DNS Wide-ip

kridsana
Cirrostratus

We have a wide IP "abc01.example.com" which we want to be accessible only to internal users (private IPs).

Is there an iRule to drop only public IPs and allow private IPs on that wide IP?

So when an nslookup for "abc01.example.com" comes from a public IP, F5 drops it,
and when an nslookup for "abc01.example.com" comes from a private IP, F5 allows it.

Thank you

3 REPLIES

kridsana
Cirrostratus

Or can we create a DNS pool with no members?
Then I could create a Topology LB rule and check the source IP:
If the source IP is a private IP > choose Pool A
If the source IP is not a private IP > choose Pool B (which has no members = returns no IP)

I tried to create a pool with no members, but F5 marks its status as down.

Sebastiansierra
Cirrocumulus

Hi, 

You can create a data group with the subnets of your private network and then apply it to the listener; follow the link below to see the iRule logic.

https://support.f5.com/csp/article/K42075438

We can't do just that, because we want to block public IPs from only a specific wide IP (e.g. abc01.example.com),
but users from public IPs should still be able to resolve abc02.example.com and others.

I think we need an iRule that checks whether the client IP is private or not and also checks whether that client is trying to resolve abc01.example.com.
e.g.

    when DNS_REQUEST {
        if { !([class match [IP::client_addr] equals private_ip_datagroup]) && [DNS::question name] equals "abc01.example.com" } {
            DNS::drop
        } else {
            return
        }
    }

Not sure if there is such an iRule though.
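A fuller version of the logic sketched in the two replies above (Sebastiansierra's data-group idea plus the per-wide-IP check), written here as an added example; it is not code from the thread, from K42075438, or from F5. It assumes an address-type data group named private_ip_datagroup holding the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), that the iRule is attached to the DNS listener that serves every wide IP (so the name check, not the listener, is what scopes the restriction), and that answering REFUSED via DNS::header rcode / DNS::return is preferred to DNS::drop so public resolvers get an immediate answer instead of retrying until timeout; swap in DNS::drop if a silent drop is really wanted. Note that if the listener sits behind a NAT, IP::client_addr is the NAT address, not the original resolver.

```tcl
# Added example, not from the original thread. Assumed names: address-type data
# group "private_ip_datagroup" (RFC 1918 ranges), and the internal-only name list.
when RULE_INIT {
    # Wide IPs that only private-source clients may resolve (lower case, no trailing dot)
    set static::internal_only_names [list "abc01.example.com"]
}

when DNS_REQUEST {
    # Normalise the queried name so case or a trailing dot cannot bypass the check
    set qname [string tolower [string trimright [DNS::question name] "."]]

    # Any other name (abc02.example.com and so on) goes through normal resolution
    if { [lsearch -exact $static::internal_only_names $qname] < 0 } {
        return
    }

    # Private source address: let the query continue to wide-IP / pool selection
    if { [class match [IP::client_addr] equals private_ip_datagroup] } {
        return
    }

    # Public source asking for an internal-only name: answer REFUSED immediately.
    # Use "DNS::drop" here instead if a silent drop is preferred.
    log local0. "Refused query for $qname from public source [IP::client_addr]"
    DNS::header rcode REFUSED
    DNS::return
}
```

Test it from both sides with `nslookup abc01.example.com <listener-ip>` from a private and a public address, and `nslookup abc02.example.com <listener-ip>` from the public one to confirm the other wide IPs are unaffected.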