Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

restrict access to a vs by a datagroup but temp allow exceptions and log

Ravager
Altostratus
Altostratus

‎09-Apr-2021 18:31

So i basically have the concept of the what i want to do programatically but need some assistance turning it into a irule.

 

I have virtual server that has open access and I want to change it to only allowed if the ip is in a datagroup.

However while cutting it over I want to log all the ips that are not in the datagroup and permit them anyway. I will then investigate if it should be allowed and add each ip as required.

 

After a few weeks hopefully all the allowed ips are in the datagroup and i can block connections but still log denied ips.

 

looking thought the forums i have a vague idea that the below will be close to working

and i change the last return to drop once i want to enforce it

 

Also in a address datagroup, i understand the Address is the ip, but what is the value field for?

 

 when CLIENT_ACCEPTED {

   if { [class match [IP::client_addr] eq "datagroup_allowed_ip" ] }{

   return

   } else {

   log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."

   return

   } }

 

 

 

Labels:
0 Kudos
6 REPLIES 6

SanjayP
MVP
MVP

‎10-Apr-2021 04:20

value is optional to add description. you can keep it blank. Reject can be commented out until IP address list is confirmed to allow all traffic

 

when CLIENT_ACCEPTED { if { ![class match [IP::client_addr] eq "datagroup_allowed_ip" ] }{ log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup." #reject } }

 

Nikoolayy1
MVP
MVP

‎10-Apr-2021 14:39

SanjayP gave you a good suggestion but I recommend trying with local traffic policy as it now support data groups and this way is better than using not optimized iRule and it is easier to work with a local traffic policy when possible.

 

 

 

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-local-traffic-policies-getting-started-13-0-0/1.html

crodriguez
F5 Employee
F5 Employee

‎10-Apr-2021 16:21

Sanjay's example is good, but as Nikoolayy1 pointed out, this can be done more efficiently with a local traffic policy. Initially, the policy might like this:

(tmos)# list /ltm policy reject_disallowed_ip_addresses ltm policy reject_disallowed_ip_addresses { last-modified 2021-04-10:15:59:01 requires { tcp } rules { reject_disallowed_ip_addresses { actions { 0 { log client-accepted write facility local0 message "tcl:Dropping connection for client [IP::client_addr] not in datagroup" priority info } } conditions { 0 { tcp client-accepted address matches datagroup disallowed_ips } } } } status published strategy first-match

When you are ready to actually reject the traffic, change the log action to Reset traffic at client-accepted.

 

With respect to what the value setting is in a datagroup entry, it is optional and would allow you to associate some value with the key portion of the entry. In your case, you do not need it.

The-messenger
Cirrostratus
Cirrostratus
In response to crodriguez

‎21-Sep-2022 11:51 - edited ‎21-Sep-2022 11:52

crodriguez,
I'm running 15.1.4

I'm trying to do the same thing here, but looking your policy, I'm not sure I have this correct.  In my policy I have, as you can see below:
1 - TCP address matches in datagroup (group with allowed IPs) - Ignore

2 -  All Traffic - Log traffic  - This does appear to be logging traffic that doesn't match the first rule

3 - All Traffic - Reset traffic

 

Themessenger_0-1663786009890.png

When I test this, IP address from an address that is not in the datagroup, I do get the APM login page.

0 Kudos

Ravager
Altostratus
Altostratus

‎10-Apr-2021 16:26

thanks all i got it working, thanks for the very quick replies.

0 Kudos

guest
Nimbostratus
Nimbostratus
In response to Ravager

‎04-Aug-2022 06:43

Hello Ravager,

I just only want to give permission to specific ips which included into data group. For this, is it enough to write in the irule that Sanjay stated? did you use this?

when CLIENT_ACCEPTED { if { ![class match [IP::client_addr] eq "datagroup_allowed_ip" ] }{ log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup." #reject } }

@@crodrigue , what kind change we need here to actually reject (block) the traffic? Can you give the exact configuration statement? Is there any opportunity to block and log?

Kind Regards,

 

0 Kudos
Copyright © 2022 Khoros, LLC