Forum Discussion

DevF5_378450
Dec 04, 2018

Limit access to a URI to a group of IPs

I am new to F5 iRules. We need to restrict access to a URI to a limited group of IPs. We have added these IPs to a data group and referenced it in the iRule below. The request is still forwarded by the F5 even though the IP we requested the URL from is not in the IP data group. Is this iRule correct? Thank you.

iRule

when HTTP_REQUEST {
    # Only the protected servlet is restricted; the comparison is case-insensitive
    if { [string tolower [HTTP::uri]] contains "/temp/servlet.do" } then {
        # Clients whose address is not in the data group are sent to the error page
        if { not ([class match [IP::client_addr] equals IPDataGroup]) } then {
            HTTP::redirect "http://test.com/temp/error.aspx"
        }
    }
}

8 Replies

  • wlopez

    You could do something like this:

    when HTTP_REQUEST {
        if { ( [string tolower [HTTP::path]] starts_with "/temp/servlet.do" ) && ( not ([class match [IP::client_addr] equals IPDataGroup]) ) } {
            HTTP::redirect "http://test.com/temp/error.aspx"
        }
    }

    Just make sure you include in data group 'IPDataGroup' the IP addresses or subnets to which you want to grant access.

    You could also replace the redirect with other actions like 'reject' or 'drop'.

    • DevF5_378450

      Yes, we have IP addresses in 'IPDataGroup'.

      ltm data-group internal IPDataGroup {
          records {
              1.1.1.0/24 { }
              2.2.2.0/24 { }
              3.3.3.0/24 { }
              4.4.4.4 { }
              5.5.5.5 { }
          }
          type ip
      }

    • wlopez

      If that's the case, just go ahead and try it.

      I've done similar configurations before without any issues.

      You may also want to do some tcpdumps to validate which IP addresses are actually hitting the virtual server on which you apply the iRule.

  • The iRule looks correct. You might want to take a look at the type of the data group you are using for the IP addresses.

    Try changing the type to ip.
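To show why the data-group type matters for the check in wlopez's iRule and in the last reply, here is an added Python model of the decision; it is not F5 code and not from the thread. It parses the data group as posted and assumes that 'equals' on a type ip data group matches a client address against subnet records, while a type string data group only compares the literal text.

```python
import ipaddress
import re

# Data group copied from the thread (constructed here as a string).
DATA_GROUP_CONFIG = """
ltm data-group internal IPDataGroup {
    records {
        1.1.1.0/24 { }
        2.2.2.0/24 { }
        3.3.3.0/24 { }
        4.4.4.4 { }
        5.5.5.5 { }
    }
    type ip
}
"""

def parse_data_group(config):
    """Return (type, records) from a tmsh 'ltm data-group internal' block."""
    records = re.findall(r"^\s*(\S+)\s*\{\s*\}\s*$", config, re.MULTILINE)
    dg_type = re.search(r"^\s*type\s+(\S+)\s*$", config, re.MULTILINE).group(1)
    return dg_type, records

def class_match_ip(client_addr, records, dg_type):
    """Model of [class match $addr equals IPDataGroup] (assumption: an address
    data group matches hosts inside subnet records, a string data group only
    compares the literal text, so 1.1.1.77 never matches a '1.1.1.0/24' string)."""
    if dg_type != "ip":
        return client_addr in records
    ip = ipaddress.ip_address(client_addr)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in records)

def http_request(client_addr, path, dg_config=DATA_GROUP_CONFIG):
    """Decision of the iRule from wlopez's reply: 'redirect' when the
    protected path is requested from an address outside the data group,
    otherwise 'forward'. HTTP::path carries no query string."""
    dg_type, records = parse_data_group(dg_config)
    protected = path.lower().startswith("/temp/servlet.do")
    if protected and not class_match_ip(client_addr, records, dg_type):
        return "redirect"
    return "forward"

if __name__ == "__main__":
    for addr in ("1.1.1.77", "4.4.4.4", "9.9.9.9"):
        print(addr, http_request(addr, "/temp/servlet.do"))
```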