09-Apr-2021 18:31
So I basically have the concept of what I want to do programmatically, but need some assistance turning it into an iRule.
I have a virtual server that has open access, and I want to change it so that access is only allowed if the IP is in a datagroup.
However, while cutting it over, I want to log all the IPs that are not in the datagroup and permit them anyway. I will then investigate whether each should be allowed and add each IP as required.
After a few weeks, hopefully all the allowed IPs are in the datagroup and I can block connections but still log denied IPs.
Looking through the forums, I have a vague idea that the below will be close to working,
and I'd change the last return to drop once I want to enforce it.
Also, in an address datagroup, I understand the Address is the IP, but what is the Value field for?
    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] eq "datagroup_allowed_ip"] } {
            # Client address is in the allow-list datagroup
            return
        } else {
            log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
            # Permitted for now during the cut-over; change this return to drop to enforce
            return
        }
    }
10-Apr-2021 04:20
Value is optional, for adding a description; you can keep it blank. Reject can be commented out, to allow all traffic, until the IP address list is confirmed.
    when CLIENT_ACCEPTED {
        if { ![class match [IP::client_addr] eq "datagroup_allowed_ip"] } {
            log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
            # Uncomment once the datagroup is complete to start rejecting these clients
            #reject
        }
    }
10-Apr-2021 14:39
SanjayP gave you a good suggestion, but I recommend trying a local traffic policy, as it now supports data groups. This way is better than using a non-optimized iRule, and it is easier to work with a local traffic policy when possible.
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-local-traffic-policies-getting-started-13-0-0/1.html
10-Apr-2021 16:21
Sanjay's example is good, but as Nikoolayy1 pointed out, this can be done more efficiently with a local traffic policy. Initially, the policy might look like this:
    (tmos)# list /ltm policy reject_disallowed_ip_addresses
    ltm policy reject_disallowed_ip_addresses {
        last-modified 2021-04-10:15:59:01
        requires { tcp }
        rules {
            reject_disallowed_ip_addresses {
                actions {
                    0 {
                        log
                        client-accepted
                        write
                        facility local0
                        message "tcl:Dropping connection for client [IP::client_addr] not in datagroup"
                        priority info
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        address
                        matches
                        datagroup disallowed_ips
                    }
                }
            }
        }
        status published
        strategy first-match
    }
When you are ready to actually reject the traffic, change the log action to Reset traffic at client-accepted.
With respect to what the value setting is in a datagroup entry, it is optional and would allow you to associate some value with the key portion of the entry. In your case, you do not need it.
21-Sep-2022 11:51 - edited 21-Sep-2022 11:52
crodriguez,
I'm running 15.1.4
I'm trying to do the same thing here, but looking at your policy, I'm not sure I have this correct. In my policy I have, as you can see below:
1 - TCP address matches in datagroup (group with allowed IPs) - Ignore
2 - All Traffic - Log traffic - This does appear to be logging traffic that doesn't match the first rule
3 - All Traffic - Reset traffic
When I test this from an IP address that is not in the datagroup, I do get the APM login page.
04-Aug-2022 06:43
Hello Ravager,
I just want to give permission to specific IPs which are included in the data group. For this, is it enough to write the iRule that Sanjay stated? Did you use this?
    when CLIENT_ACCEPTED {
        if { ![class match [IP::client_addr] eq "datagroup_allowed_ip"] } {
            log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
            #reject
        }
    }
@crodriguez, what kind of change do we need here to actually reject (block) the traffic? Can you give the exact configuration statement? Is there any way to both block and log?
Kind Regards,
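One way to combine Sanjay's iRule with the audit-then-enforce cut-over the original poster described, and to both log and block as asked in the last post, is to put the switch in the iRule itself. This is an added example, not code from any poster in this thread: a static flag (assumed name static::enforce_allowlist) set in RULE_INIT selects audit mode (log and allow) or enforce mode (log and reject), and datagroup_allowed_ip is the address datagroup name used above.

```tcl
when RULE_INIT {
    # Cut-over switch (assumed name).
    # 0 = audit: log clients not in the datagroup but let them through.
    # 1 = enforce: log them and reject the connection.
    set static::enforce_allowlist 0
}

when CLIENT_ACCEPTED {
    # Address datagroup entries may be single hosts or subnets; "equals"
    # matches when the client address falls inside any listed entry.
    if { [class match [IP::client_addr] equals datagroup_allowed_ip] } {
        return
    }

    if { $static::enforce_allowlist } {
        log local0. "Rejected connection: client [IP::client_addr] to [IP::local_addr] not in datagroup_allowed_ip"
        # reject sends a TCP RST (same effect as the policy's "Reset traffic");
        # use drop instead to discard the connection silently.
        reject
    } else {
        log local0. "AUDIT allow: client [IP::client_addr] to [IP::local_addr] not in datagroup_allowed_ip"
    }
}
```

Setting static::enforce_allowlist to 1 and saving the iRule re-runs RULE_INIT, so enforcement starts without touching the CLIENT_ACCEPTED logic, and the log messages keep the same fields in both modes so the audit-phase entries can be compared with the rejections.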