09-Apr-2021 18:31
So I basically have the concept of what I want to do programmatically but need some assistance turning it into an iRule.
I have a virtual server that has open access and I want to change it to only allow access if the IP is in a datagroup.
However, while cutting it over I want to log all the IPs that are not in the datagroup and permit them anyway. I will then investigate if each should be allowed and add each IP as required.
After a few weeks hopefully all the allowed IPs are in the datagroup and I can block connections but still log denied IPs.
Looking through the forums I have a vague idea that the below will be close to working,
and I change the last return to drop once I want to enforce it.
Also, in an address datagroup I understand the Address is the IP, but what is the value field for?
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] eq "datagroup_allowed_ip"] } {
        return
    } else {
        log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
        return
    }
}
10-Apr-2021 04:20
Value is optional, to add a description; you can keep it blank. Reject can be commented out until the IP address list is confirmed, to allow all traffic.
when CLIENT_ACCEPTED {
    if { ![class match [IP::client_addr] eq "datagroup_allowed_ip"] } {
        log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
        #reject
    }
}
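The monitoring phase of both iRules above produces a stream of "not in datagroup" lines in /var/log/ltm that someone then has to turn into data-group entries. The script below is an added example (not from this thread, and not F5 code) of that review step: it collapses the logged lines to unique client IPs with hit counts, discards any IP that the current data group already covers (CIDR-aware, the way an address data group matches hosts and networks), and prints tmsh commands for the remainder. The log lines, hostname, rule name, IP addresses and data-group contents are all constructed for the example; the tmsh `records add` syntax is written from memory and should be checked against your TMOS version before running it.

```python
"""Review monitor-phase iRule logs and propose address data-group additions.

Added example, not part of the forum thread or of F5's products.
"""
import ipaddress
import re
from collections import Counter

# /var/log/ltm lines constructed for this example.  The layout mirrors how tmm
# records a "log local0." call from an iRule; host, rule name and IPs are made up.
SAMPLE_LOG = """\
Apr 10 16:21:03 bigip1 info tmm[11432]: Rule /Common/allow_list_rule <CLIENT_ACCEPTED>: Dropped connection: client IP 203.0.113.7 is not in datagroup.
Apr 10 16:21:09 bigip1 info tmm[11432]: Rule /Common/allow_list_rule <CLIENT_ACCEPTED>: Dropped connection: client IP 198.51.100.22 is not in datagroup.
Apr 10 16:22:41 bigip1 info tmm1[11433]: Rule /Common/allow_list_rule <CLIENT_ACCEPTED>: Dropped connection: client IP 203.0.113.7 is not in datagroup.
Apr 10 16:23:00 bigip1 info tmm[11432]: Rule /Common/allow_list_rule <CLIENT_ACCEPTED>: Dropped connection: client IP 10.1.5.40%1 is not in datagroup.
Apr 10 16:23:12 bigip1 notice mcpd[6120]: 01070417:5: AUDIT - user admin - tmsh list ltm data-group
Apr 10 16:24:55 bigip1 info tmm[11432]: Rule /Common/allow_list_rule <CLIENT_ACCEPTED>: Dropped connection: client IP 2001:db8::1f is not in datagroup.
"""

# Current contents of the address data group (constructed).  Entries may be
# hosts or networks; the value field is free text and is not used for matching.
ALLOWED = {
    "10.1.0.0/16": "corporate LAN",
    "198.51.100.22": "partner VPN gateway",
}

# Matches the message text the iRules in this thread log; the prefix varies
# between tmm instances, so only the rule/event marker and message are anchored.
LOG_RE = re.compile(
    r"Rule \S+ <CLIENT_ACCEPTED>: Dropped connection: client IP (\S+) is not in datagroup\."
)


def unmatched_ips(log_text):
    """Count, per client IP, the lines the iRule logged as not in the group."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            # IP::client_addr appends %<route-domain> for non-default route
            # domains; strip it so the address parses.
            hits[m.group(1).split("%")[0]] += 1
    return hits


def in_address_group(ip, group):
    """CIDR-aware containment check, like a BIG-IP address data group lookup."""
    addr = ipaddress.ip_address(ip)
    for entry in group:
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def proposed_additions(log_text, group):
    """IPs seen in the logs that the current data group does not already cover."""
    return {ip: n for ip, n in unmatched_ips(log_text).items()
            if not in_address_group(ip, group)}


def tmsh_commands(additions, group_name):
    """tmsh lines adding each IP, with the hit count recorded in the value field.

    Syntax assumed from memory: verify 'records add { <ip> { data "..." } }'
    on the target TMOS version before use.
    """
    return [
        f"modify ltm data-group internal {group_name} records add "
        f'{{ {ip} {{ data "seen {n}x during cutover, reviewed" }} }}'
        for ip, n in sorted(additions.items())
    ]


if __name__ == "__main__":
    for cmd in tmsh_commands(proposed_additions(SAMPLE_LOG, ALLOWED),
                             "datagroup_allowed_ip"):
        print(cmd)
```

Run it against a real log (swap `SAMPLE_LOG` for the contents of /var/log/ltm) and review the printed commands by hand before pasting them into tmsh; the point of the cut-over period is that a human decides which sources belong, and the script only removes the tedious deduplication and the risk of re-adding an address already covered by a network entry.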
10-Apr-2021 14:39
SanjayP gave you a good suggestion, but I recommend trying with a local traffic policy, as it now supports data groups and this way is better than using a not-optimized iRule, and it is easier to work with a local traffic policy when possible.
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-local-traffic-policies-getting-started-13-0-0/1.html
10-Apr-2021 16:21
Sanjay's example is good, but as Nikoolayy1 pointed out, this can be done more efficiently with a local traffic policy. Initially, the policy might look like this:
(tmos)# list /ltm policy reject_disallowed_ip_addresses
ltm policy reject_disallowed_ip_addresses {
    last-modified 2021-04-10:15:59:01
    requires { tcp }
    rules {
        reject_disallowed_ip_addresses {
            actions {
                0 {
                    log
                    client-accepted
                    write
                    facility local0
                    message "tcl:Dropping connection for client [IP::client_addr] not in datagroup"
                    priority info
                }
            }
            conditions {
                0 {
                    tcp
                    client-accepted
                    address
                    matches
                    datagroup disallowed_ips
                }
            }
        }
    }
    status published
    strategy first-match
}
When you are ready to actually reject the traffic, change the log action to Reset traffic at client-accepted.
With respect to what the value setting is in a datagroup entry, it is optional and would allow you to associate some value with the key portion of the entry. In your case, you do not need it.