
restrict access to a vs by a datagroup but temp allow exceptions and log

Ravager
Altostratus

So I basically have the concept of what I want to do programmatically, but I need some assistance turning it into an iRule.


I have a virtual server that has open access, and I want to change it to only allow access if the IP is in a datagroup.

However, while cutting it over I want to log all the IPs that are not in the datagroup and permit them anyway. I will then investigate whether each should be allowed and add each IP as required.


After a few weeks, hopefully all the allowed IPs are in the datagroup and I can block connections but still log denied IPs.


Looking through the forums, I have a vague idea that the below will be close to working,

and I change the last return to drop once I want to enforce it.


Also, in an address datagroup, I understand the Address is the IP, but what is the value field for?


    when CLIENT_ACCEPTED {
        # Client IP is in the allow-list data group: let the connection through
        if { [class match [IP::client_addr] eq "datagroup_allowed_ip"] } {
            return
        } else {
            # Not in the data group: log it, but still allow it during the cut-over
            # (change this return to drop/reject once the list is complete)
            log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
            return
        }
    }


SanjayP
MVP

The value is optional, for adding a description; you can keep it blank. Reject can be commented out until the IP address list is confirmed, to allow all traffic.


    when CLIENT_ACCEPTED {
        if { ![class match [IP::client_addr] eq "datagroup_allowed_ip"] } {
            log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
            #reject
        }
    }


SanjayP gave you a good suggestion, but I recommend trying a local traffic policy, as it now supports data groups. This way is better than using a non-optimized iRule, and it is easier to work with a local traffic policy when possible.


https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-local-traffic-policies-getting-started-13-0-0/1.html

crodriguez
F5 Employee

Sanjay's example is good, but as Nikoolayy1 pointed out, this can be done more efficiently with a local traffic policy. Initially, the policy might look like this:

    (tmos)# list /ltm policy reject_disallowed_ip_addresses
    ltm policy reject_disallowed_ip_addresses {
        last-modified 2021-04-10:15:59:01
        requires { tcp }
        rules {
            reject_disallowed_ip_addresses {
                actions {
                    0 {
                        log
                        client-accepted
                        write
                        facility local0
                        message "tcl:Dropping connection for client [IP::client_addr] not in datagroup"
                        priority info
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        address
                        matches
                        datagroup disallowed_ips
                    }
                }
            }
        }
        status published
        strategy first-match
    }

When you are ready to actually reject the traffic, change the log action to Reset traffic at client-accepted.


With respect to what the value setting is in a datagroup entry, it is optional and would allow you to associate some value with the key portion of the entry. In your case, you do not need it.
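The two phases described in this thread (log-only during cut-over, then reject) can live in one iRule with a single mode switch, so the enforcement change is a one-value edit rather than a rewrite. This is an added example, not code posted by anyone in the thread; it assumes an address-type data group named datagroup_allowed_ip exists on the BIG-IP.

```tcl
# Added example: allow-list by address data group with an audit/enforce toggle.
# Assumes the address data group "datagroup_allowed_ip" exists (hypothetical name).

when RULE_INIT {
    # 0 = audit mode: clients not in the data group are logged but allowed through.
    # 1 = enforce mode: clients not in the data group are logged and rejected.
    # Flip this to 1 and save the iRule once the data group is populated.
    set static::allowlist_enforce 0
}

when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # Listed client: nothing to do. "equals" is the documented class match operator
    # for address data groups; the optional value column is not needed for this.
    if { [class match $client equals datagroup_allowed_ip] } {
        return
    }

    # Unlisted client: always log it so the address can be reviewed and added.
    if { $static::allowlist_enforce } {
        log local0.warn "allowlist ENFORCE: rejected client $client (not in datagroup_allowed_ip)"
        # reject sends a TCP RST; "drop" would silently discard the connection instead.
        reject
    } else {
        log local0.info "allowlist AUDIT: permitted client $client (not in datagroup_allowed_ip)"
    }
}
```

The distinct AUDIT/ENFORCE prefixes in the log messages make it straightforward to grep /var/log/ltm for the addresses still missing from the data group before switching modes.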

Ravager
Altostratus

Thanks all, I got it working. Thanks for the very quick replies.