18-Sep-2020 10:46
I have to restrict access to a VS by IP & time. So during a particular window (time/day) only specific IP ranges should be allowed to access that VS. Can someone please guide me on how to do that on an LTM? The LTM is running version 13.1.0.7.
18-Sep-2020 13:29
Hi Ashu Aggarwal,
Create a datagroup for always allowed IPs.
Try this iRule:
when RULE_INIT {
    # change time
    array set static::timerange {
        Monday {"08:30" "20:00"}
        Tuesday {"08:30" "20:00"}
        Wednesday {"08:30" "20:00"}
        Thursday {"08:30" "20:00"}
        Friday {"08:30" "20:00"}
        Saturday {}
        Sunday {}
    }
}
when HTTP_REQUEST {
    # change dg name
    if { not [class match [IP::client_addr] equals dg-allowed-ip-list-name] } {
        set now [clock seconds]
        set current_day [clock format $now -format {%A}]
        set start [lindex $static::timerange($current_day) 0]
        set end [lindex $static::timerange($current_day) 1]
        if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
            set denied 0
        } else {
            set denied 1
        }
        unset start end
    } else {
        set denied 0
    }
    if { $denied } {
        drop
    }
}
14-Oct-2020 04:15
I got the permission to try this iRule tonight. Just a quick question: from where will this iRule pick the clock/time? Would it pick the time from the system clock?
Thanks
14-Oct-2020 08:18
Hi,
I tested it with this iRule.
when HTTP_REQUEST {
    log local0. [clock seconds]
}
Current time log:
Oct 14 18:11:10 f5 info tmm[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1602688267
Oct 14 18:11:10 f5 info tmm[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1602688270
...
After changing the F5 system time:
May 11 21:11:18 f5 info tmm2[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1526062278
May 11 21:11:18 f5 info tmm2[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1526062298
...
The iRule uses system time.
14-Oct-2020 10:00
I hope I am not eating a lot of your time. But how do I read '1526062298'?
Thanks
14-Oct-2020 10:04
clock seconds
Returns the current time as an integer number of seconds.
An integer value passed to the clock command that represents an absolute time as a number of seconds from the epoch time of 1 January 1970, 00:00 UTC. Note that the count of seconds does not include any leap seconds; seconds are counted as if each UTC day has exactly 86400 seconds. Tcl responds to leap seconds by speeding or slowing its clock by a tiny fraction for some minutes until it is back in sync with UTC; its data model does not represent minutes that have 59 or 61 seconds.
REF: https://www.tcl.tk/man/tcl8.6/TclCmd/clock.htm#M11
14-Oct-2020 18:41
I tried the rule but it didn't work. It didn't block anything. Below is the rule.
when RULE_INIT {
    # change time
    array set static::timerange {
        Monday {}
        Tuesday {}
        Wednesday {}
        Thursday {"03:15" "03:30"}
        Friday {}
        Saturday {}
        Sunday {}
    }
}
when HTTP_REQUEST {
    # change dg name
    if { not [class match [IP::client_addr] equals dg_allow_ip_during_deployment] } {
        set now [clock seconds]
        set current_day [clock format $now -format {%A}]
        set start [lindex $static::timerange($current_day) 0]
        set end [lindex $static::timerange($current_day) 1]
        if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
            set denied 0
        } else {
            set denied 1
        }
        unset start end
    } else {
        set denied 0
    }
    if { $denied } {
        drop
    }
}
18-Sep-2020 13:32
Thank you very much, I will try ASAP!
02-Nov-2020 16:33
Can you mark one of these as Best answer? Did you solve the problem in some other way?
03-Nov-2020 02:52
No, I could not resolve it. The iRule is not working as expected. It just keeps blocking the connection regardless of time. Thanks!
03-Nov-2020 21:01
Hi Ashu, take a look at this iRule for guidance: https://devcentral.f5.com/s/articles/irule-maintenance-windows.
22-Jan-2021 08:56
Hi,
Thanks for your response. Where do I enter the values for day, start_time and end_time? Sorry, I haven't got this part and it's a bit confusing to me. For example, I want to enable the maintenance window every Wednesday at 10:15 PM and end it at 12:15 AM (Thursday).
Thank You!
22-Jan-2021 20:37
Give this a shot.
when RULE_INIT {
    set static::start_time 221500
    set static::end_time 001459
    set static::days [list "Wednesday" "Thursday"]
}
when HTTP_REQUEST {
    scan [clock format [clock seconds] -format {%A %H%M%S}] {%s %s} cur_day cur_time
    ### FOR TESTING PURPOSES ONLY ###
    # immediately before the maintenance window
    #scan [clock format [clock scan "Wed Jan 20 22:14:59 CST 2021"] -format {%A %H%M%S}] {%s %s} cur_day cur_time
    # at very beginning of the maintenance window
    #scan [clock format [clock scan "Wed Jan 20 22:15:00 CST 2021"] -format {%A %H%M%S}] {%s %s} cur_day cur_time
    # at the very end of the maintenance window
    #scan [clock format [clock scan "Thu Jan 21 00:14:59 CST 2021"] -format {%A %H%M%S}] {%s %s} cur_day cur_time
    # immediately after the maintenance window
    #scan [clock format [clock scan "Thu Jan 21 00:15:00 CST 2021"] -format {%A %H%M%S}] {%s %s} cur_day cur_time
    ### END TESTING STRINGS ###
    if { !(($cur_day eq [lindex $static::days 0]) && ($cur_time >= $static::start_time)) &&
         !(($cur_day eq [lindex $static::days 1]) && ($cur_time <= $static::end_time)) } {
        # NORMAL CONDITION
        HTTP::respond 200 content "Situation: Normal. $cur_day, $cur_time "
    } else {
        # MAINTENANCE CONDITION
        HTTP::respond 200 content "Situation: Maintenance. $cur_day, $cur_time "
    }
}
03-Nov-2020 11:08
Hi Ashu,
Can you replace lines 20-24? (set denied values)
if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
    set denied 1
} else {
    set denied 0
}
when RULE_INIT {
    array set static::timerange {
        Monday {}
        Tuesday {}
        Wednesday {}
        Thursday {"03:15" "03:30"}
        Friday {}
        Saturday {}
        Sunday {}
    }
}
when HTTP_REQUEST {
    if { not [class match [IP::client_addr] equals dg_allow_ip_during_deployment] } {
        set now [clock seconds]
        set current_day [clock format $now -format {%A}]
        set start [lindex $static::timerange($current_day) 0]
        set end [lindex $static::timerange($current_day) 1]
        if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
            set denied 1
        } else {
            set denied 0
        }
        unset start end
    } else {
        set denied 0
    }
    if { $denied } {
        drop
    }
}
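The window check this thread works toward, as an added example in plain Tcl that is not code from any poster: it goes beyond the posted rules by handling windows that cross midnight (the Wednesday 22:15 to Thursday 00:15 case) through arithmetic in minutes since the start of the week. The proc names, the `windows` table layout and the sample epoch values are assumptions constructed for illustration, and `-gmt 1` pins the samples to UTC so they are reproducible, whereas the posted rules follow the BIG-IP system clock's local time.

```tcl
# Added example, not code from the thread. Runs in tclsh; all names are hypothetical.
# Each window: start day, start HH:MM, length in minutes (constructed values).
set windows {
    {Wednesday 22:15 120}
    {Thursday  03:15 15}
}

# Minutes elapsed since Sunday 00:00 for a day name and an HH:MM string.
proc week_minute {day hhmm} {
    set days {Sunday Monday Tuesday Wednesday Thursday Friday Saturday}
    set idx [lsearch -exact $days $day]
    if {$idx < 0} { error "unknown day: $day" }
    # scan %d reads "08" as decimal 8, whereas Tcl 8 expr treats a leading 0 as octal
    if {[scan $hhmm {%d:%d} h m] != 2} { error "bad time: $hhmm" }
    return [expr {$idx * 1440 + $h * 60 + $m}]
}

# 1 when epoch second $now lies inside any window, else 0.
proc in_window {now windows} {
    # -gmt 1 is an assumption for reproducible samples; omit it to use local time
    scan [clock format $now -format {%A %H:%M} -gmt 1] {%s %s} day hhmm
    set cur [week_minute $day $hhmm]
    foreach w $windows {
        foreach {wday wstart wlen} $w break
        # offset from the window start, wrapped over the 10080-minute week
        set off [expr {($cur - [week_minute $wday $wstart] + 10080) % 10080}]
        if {$off < $wlen} { return 1 }
    }
    return 0
}

# The thread's requirement: inside a window only allow-listed clients pass.
# In an iRule, $allowed would come from [class match [IP::client_addr] equals <data group>].
proc denied {now allowed windows} {
    return [expr {[in_window $now $windows] && !$allowed}]
}

# Constructed sample instants (UTC) around the Wednesday window.
foreach {epoch label} {
    1611180899 "Wed 2021-01-20 22:14:59"
    1611180900 "Wed 2021-01-20 22:15:00"
    1611188099 "Thu 2021-01-21 00:14:59"
    1611188100 "Thu 2021-01-21 00:15:00"
} {
    puts "$label  other-client denied=[denied $epoch 0 $windows]  allow-listed denied=[denied $epoch 1 $windows]"
}
```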