
restrict access to a vs by a datagroup but temp allow exceptions and log

Ravager
Altostratus

So I basically have the concept of what I want to do programmatically, but need some assistance turning it into an iRule.

 

I have a virtual server that has open access, and I want to change it so that access is only allowed if the IP is in a datagroup.

However, while cutting it over I want to log all the IPs that are not in the datagroup and permit them anyway. I will then investigate whether each should be allowed and add each IP as required.

 

After a few weeks, hopefully all the allowed IPs are in the datagroup and I can block connections but still log denied IPs.

 

Looking through the forums, I have a vague idea that the below will be close to working,

and I change the last return to drop once I want to enforce it.

 

Also, in an address datagroup, I understand the Address is the IP, but what is the value field for?

 

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] eq "datagroup_allowed_ip"] } {
        # client is in the allow list: let the connection through
        return
    } else {
        # not listed yet: log it, but still allow it during the cut-over
        log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
        # change this return to drop once the list is complete
        return
    }
}

 

 

 


SanjayP
MVP

The value is optional, for adding a description; you can keep it blank. Reject can be commented out until the IP address list is confirmed, to allow all traffic.

when CLIENT_ACCEPTED {
    # only clients NOT in the data group reach the body of the if
    if { ![class match [IP::client_addr] eq "datagroup_allowed_ip"] } {
        log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
        # uncomment once the allow list is complete to send a RST
        #reject
    }
}

SanjayP gave you a good suggestion, but I recommend trying a local traffic policy, as it now supports data groups. This is better than using a non-optimized iRule, and it is easier to work with a local traffic policy when possible.

 

 

 

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-local-traffic-policies-getting-started-13-0-0/1.html

crodriguez
Legacy Employee

Sanjay's example is good, but as Nikoolayy1 pointed out, this can be done more efficiently with a local traffic policy. Initially, the policy might look like this:

(tmos)# list /ltm policy reject_disallowed_ip_addresses
ltm policy reject_disallowed_ip_addresses {
    last-modified 2021-04-10:15:59:01
    requires { tcp }
    rules {
        reject_disallowed_ip_addresses {
            actions {
                0 {
                    log
                    client-accepted
                    write
                    facility local0
                    message "tcl:Dropping connection for client [IP::client_addr] not in datagroup"
                    priority info
                }
            }
            conditions {
                0 {
                    tcp
                    client-accepted
                    address
                    matches
                    datagroup disallowed_ips
                }
            }
        }
    }
    status published
    strategy first-match
}

When you are ready to actually reject the traffic, change the log action to Reset traffic at client-accepted.

With respect to what the value setting is in a datagroup entry, it is optional and would allow you to associate some value with the key portion of the entry. In your case, you do not need it.

crodriguez,
I'm running 15.1.4.

I'm trying to do the same thing here, but looking at your policy, I'm not sure I have this correct. In my policy I have, as you can see below:

1 - TCP address matches in datagroup (group with allowed IPs) - Ignore

2 - All Traffic - Log traffic - This does appear to be logging traffic that doesn't match the first rule

3 - All Traffic - Reset traffic

 

[attached screenshot: Themessenger_0-1663786009890.png]

When I test this from an IP address that is not in the datagroup, I do get the APM login page.

Ravager
Altostratus

Thanks all, I got it working. Thanks for the very quick replies.

Hello Ravager,

I only want to give permission to the specific IPs that are included in the data group. For this, is it enough to write the iRule that Sanjay stated? Did you use this?

when CLIENT_ACCEPTED {
    if { ![class match [IP::client_addr] eq "datagroup_allowed_ip"] } {
        log local0. "Dropped connection: client IP [IP::client_addr] is not in datagroup."
        #reject
    }
}

@crodriguez, what kind of change do we need here to actually reject (block) the traffic? Can you give the exact configuration statement? Is there any opportunity to both block and log?

Kind Regards,
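The following is an added example, not code posted by anyone in this thread, that puts together what SanjayP's snippet and the last question ask for: one iRule that runs in a monitor mode (log unlisted clients, let them through) during the cut-over and in an enforce mode (log and reject) afterwards, without editing the iRule to switch between the two. It uses the address data group name from the thread, datagroup_allowed_ip, and also shows what the optional value field is good for (a free-text description that is written into the log line). The second data group, a string data group named datagroup_allowlist_mode with a key "enforce" whose value is 0 or 1, is an assumption introduced here for the mode switch; the log format and severity levels are likewise choices made for this example.

```tcl
# Added example (not from the original thread). Assumed objects:
#   - address data group datagroup_allowed_ip
#       address  = allowed client IP or subnet
#       value    = optional description, e.g. "corp-lan", "partner-monitor"
#   - string data group datagroup_allowlist_mode (hypothetical)
#       key "enforce" with value 0 (monitor only) or 1 (reject unlisted clients)

when RULE_INIT {
    # Fallback mode if the "enforce" key is missing from the mode data group.
    # 0 = monitor: log unlisted clients but allow them (safe default for cut-over).
    set static::allowlist_default_enforce 0
}

when CLIENT_ACCEPTED {
    set client [IP::client_addr]
    set vs "[IP::local_addr]:[TCP::local_port]"

    # "equals" on an address data group matches exact hosts and subnet entries.
    if { [class match $client equals datagroup_allowed_ip] } {
        # -value returns the description stored beside the matching address
        # (empty string if the entry has no value).
        set desc [class match -value $client equals datagroup_allowed_ip]
        # Allowed clients are not logged at notice level to keep the log useful;
        # enable the next line temporarily if you need to see them.
        # log local0.debug "Allowed $client ($desc) -> $vs"
        return
    }

    # Read the mode on every connection so flipping the data group entry takes
    # effect immediately; class lookup returns "" if the key does not exist.
    set enforce [class lookup enforce datagroup_allowlist_mode]
    if { $enforce eq "" } {
        set enforce $static::allowlist_default_enforce
    }

    if { $enforce } {
        # Enforce mode: record the denial, then send a RST to the client.
        # Use "drop" instead of "reject" if a silent discard is preferred.
        log local0.warn "Rejected connection from $client to $vs: not in datagroup_allowed_ip"
        reject
    } else {
        # Monitor mode: same log line the enforce mode would produce, prefixed
        # so it is easy to grep for the IPs still to be reviewed and added.
        log local0.notice "AUDIT would-reject connection from $client to $vs: not in datagroup_allowed_ip"
    }
}
```

During the cut-over, grep the LTM log for "AUDIT would-reject" to collect the IPs still to be reviewed; each one you approve goes into datagroup_allowed_ip with a short description in its value field. When the list is complete, switch to enforcement by changing the "enforce" record's value to 1 (for example with tmsh: modify ltm data-group internal datagroup_allowlist_mode records modify { enforce { data 1 } }), and the same iRule starts rejecting while still logging every denied client.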