Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

restrict access to a vs by a datagroup but temp allow exceptions and log

Ravager
Altostratus
Altostratus

‎09-Apr-2021 18:31

So i basically have the concept of the what i want to do programatically but need some assistance turning it into a irule.

 

I have virtual server that has open access and I want to change it to only allowed if the ip is in a datagroup.

However while cutting it over I want to log all the ips that are not in the datagroup and permit them anyway. I will then investigate if it should be allowed and add each ip as required.

 

After a few weeks hopefully all the allowed ips are in the datagroup and i can block connections but still log denied ips.

 

looking thought the forums i have a vague idea that the below will be close to working

and i change the last return to drop once i want to enforce it

 

Also in a address datagroup, i understand the Address is the ip, but what is the value field for?

 

 when CLIENT_ACCEPTED {

   if { [class match [IP::client_addr] eq "datagroup_allowed_ip" ] }{

   return

   } else {

   log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."

   return

   } }

 

 

 

Labels:
0 Kudos
4 REPLIES 4

SanjayP
MVP
MVP

‎10-Apr-2021 04:20

value is optional to add description. you can keep it blank. Reject can be commented out until IP address list is confirmed to allow all traffic

 

when CLIENT_ACCEPTED { if { ![class match [IP::client_addr] eq "datagroup_allowed_ip" ] }{ log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup." #reject } }

 

Nikoolayy1
MVP
MVP

‎10-Apr-2021 14:39

SanjayP gave you a good suggestion but I recommend trying with local traffic policy as it now support data groups and this way is better than using not optimized iRule and it is easier to work with a local traffic policy when possible.

 

 

 

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-local-traffic-policies-getting-started-13-0-0/1.html

crodriguez
F5 Employee
F5 Employee

‎10-Apr-2021 16:21

Sanjay's example is good, but as Nikoolayy1 pointed out, this can be done more efficiently with a local traffic policy. Initially, the policy might like this:

(tmos)# list /ltm policy reject_disallowed_ip_addresses ltm policy reject_disallowed_ip_addresses { last-modified 2021-04-10:15:59:01 requires { tcp } rules { reject_disallowed_ip_addresses { actions { 0 { log client-accepted write facility local0 message "tcl:Dropping connection for client [IP::client_addr] not in datagroup" priority info } } conditions { 0 { tcp client-accepted address matches datagroup disallowed_ips } } } } status published strategy first-match

When you are ready to actually reject the traffic, change the log action to Reset traffic at client-accepted.

 

With respect to what the value setting is in a datagroup entry, it is optional and would allow you to associate some value with the key portion of the entry. In your case, you do not need it.

0 Kudos

Ravager
Altostratus
Altostratus

‎10-Apr-2021 16:26

thanks all i got it working, thanks for the very quick replies.

0 Kudos
Copyright © 2022 Khoros, LLC