
Restrict access to VS by ip & time

Ashu_Aggarwal (Cirrus)

I have to restrict access to a VS by IP & time. So during a particular window (time/day) only specific ip ranges should be allowed to access that vs. Can someone please guide how to do that on a LTM. LTM is running on version 13.1.0.7.

13 replies

Hi Ashu Aggarwal,


Create a datagroup for always allowed IPs.

Try this iRule:

when RULE_INIT {
    # change the times as needed; an empty list means no window on that day
    array set static::timerange {
        Monday    {"08:30" "20:00"}
        Tuesday   {"08:30" "20:00"}
        Wednesday {"08:30" "20:00"}
        Thursday  {"08:30" "20:00"}
        Friday    {"08:30" "20:00"}
        Saturday  {}
        Sunday    {}
    }
}

when HTTP_REQUEST {
    # change dg-allowed-ip-list-name to the name of your data group
    if { not [class match [IP::client_addr] equals dg-allowed-ip-list-name] } {
        set now [clock seconds]
        set current_day [clock format $now -format {%A}]
        set start [lindex $static::timerange($current_day) 0]
        set end [lindex $static::timerange($current_day) 1]
        if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
            set denied 0
        } else {
            set denied 1
        }
        unset start end
    } else {
        set denied 0
    }
    if { $denied } {
        drop
    }
}

I got permission to try this iRule tonight. Just a quick question: where will this iRule pick the clock/time from? Would it pick the time from the system clock?

Thanks

Hi,

I tested it with this iRule.

when HTTP_REQUEST { log local0. [clock seconds] }

Current time log:

Oct 14 18:11:10 f5 info tmm[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1602688267
Oct 14 18:11:10 f5 info tmm[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1602688270
...

After changing the F5 system time:

May 11 21:11:18 f5 info tmm2[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1526062278
May 11 21:11:18 f5 info tmm2[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1526062298
...

The iRule uses the system time.

I hope I am not eating up a lot of your time. But how do I read '1526062298'?

Thanks

clock seconds

Returns the current time as an integer number of seconds.


An integer value passed to the clock command that represents an absolute time as a number of seconds from the epoch time of 1 January 1970, 00:00 UTC. Note that the count of seconds does not include any leap seconds; seconds are counted as if each UTC day has exactly 86400 seconds. Tcl responds to leap seconds by speeding or slowing its clock by a tiny fraction for some minutes until it is back in sync with UTC; its data model does not represent minutes that have 59 or 61 seconds.


REF: https://www.tcl.tk/man/tcl8.6/TclCmd/clock.htm#M11

I tried the rule but it didn't work. It didn't block anything. Below is the rule.

when RULE_INIT {
   array set static::timerange { #change time
      Monday {}
      Tuesday {}
      Wednesday {}
      Thursday {"03:15" "03:30"}
      Friday {}
      Saturday {}
      Sunday {}
   }
}

when HTTP_REQUEST {
   if { not [class match [IP::client_addr] equals dg_allow_ip_during_deployment] } { #change dg name
      set now [clock seconds]
      set current_day [clock format $now -format {%A}]
      set start [lindex $static::timerange($current_day) 0]
      set end [lindex $static::timerange($current_day) 1]

      if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
         set denied 0
      } else {
         set denied 1
      }

      unset start end
   } else {
      set denied 0
   }

   if { $denied } {
      drop
   }
}


Ashu_Aggarwal (Cirrus)

Thank you very much, I will try ASAP!

LiefZimmerman (Community Manager)

Can you mark one of these as Best answer? Did you solve the problem in some other way?

------
Lief Zimmerman | @LiefZF5 | DevCentral Community Manager

No, I could not resolve it. The iRule is not working as expected. It just keeps blocking the connection regardless of the time. Thanks!

Hi Ashu, take a look at this iRule for guidance: https://devcentral.f5.com/s/articles/irule-maintenance-windows.

Hi  ,

Thanks for your response. Where do I enter the values for day, start_time and end_time? Sorry, I haven't got this part and it is a bit confusing to me. For example, I want to enable the maintenance window every Wednesday at 10:15 PM and end it at 12:15 AM (Thursday).

Thank You!

Give this a shot.

when RULE_INIT {
    set static::start_time 221500
    set static::end_time 001459
    set static::days [list "Wednesday" "Thursday"]
}

when HTTP_REQUEST {
    scan [clock format [clock seconds] -format {%A %H%M%S}] {%s %s} cur_day cur_time

    ### FOR TESTING PURPOSES ONLY ###
    # immediately before the maintenance window
    #scan [clock format [clock scan "Wed Jan 20 22:14:59 CST 2021"] -format {%A %H%M%S}] {%s %s} cur_day cur_time
    # at very beginning of the maintenance window
    #scan [clock format [clock scan "Wed Jan 20 22:15:00 CST 2021"] -format {%A %H%M%S}] {%s %s} cur_day cur_time
    # at the very end of the maintenance window
    #scan [clock format [clock scan "Thu Jan 21 00:14:59 CST 2021"] -format {%A %H%M%S}] {%s %s} cur_day cur_time
    # immediately after the maintenance window
    #scan [clock format [clock scan "Thu Jan 21 00:15:00 CST 2021"] -format {%A %H%M%S}] {%s %s} cur_day cur_time
    ### END TESTING STRINGS ###

    if { !(($cur_day eq [lindex $static::days 0]) && ($cur_time >= $static::start_time)) && !(($cur_day eq [lindex $static::days 1]) && ($cur_time <= $static::end_time)) } {
        # NORMAL CONDITION
        HTTP::respond 200 content "Situation: Normal. $cur_day, $cur_time "
    } else {
        # MAINTENANCE CONDITION
        HTTP::respond 200 content "Situation: Maintenance. $cur_day, $cur_time "
    }
}

Hi Ashu,


Can you replace lines 20-24? (set denied values)

if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
    set denied 1
} else {
    set denied 0
}

Full rule with that change applied:

when RULE_INIT {
    array set static::timerange {
        Monday    {}
        Tuesday   {}
        Wednesday {}
        Thursday  {"03:15" "03:30"}
        Friday    {}
        Saturday  {}
        Sunday    {}
    }
}

when HTTP_REQUEST {
    if { not [class match [IP::client_addr] equals dg_allow_ip_during_deployment] } {
        set now [clock seconds]
        set current_day [clock format $now -format {%A}]
        set start [lindex $static::timerange($current_day) 0]
        set end [lindex $static::timerange($current_day) 1]
        if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
            set denied 1
        } else {
            set denied 0
        }
        unset start end
    } else {
        set denied 0
    }
    if { $denied } {
        drop
    }
}
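As an added example (not code from this thread or from F5), the same decision modelled in plain Python so it can be checked outside the LTM: an allow-list exemption plus a window that crosses midnight, the Wednesday 22:15 to Thursday 00:15 case asked about above, with the corrected polarity (drop inside the window, allow outside). The allow-list ranges are constructed placeholders, and timestamps are naive datetimes assumed to be in the BIG-IP's local time zone, since the iRule reads the system clock.

```python
"""Model of the thread's maintenance-window check (added example, not an iRule)."""
from datetime import datetime, time, timedelta
import ipaddress

# Constructed placeholder ranges standing in for the LTM data group of
# always-allowed client addresses.
ALWAYS_ALLOWED = [ipaddress.ip_network("10.10.0.0/16"),
                  ipaddress.ip_network("192.0.2.0/24")]

# Each window is (weekday, start_time, duration) with Monday == 0.
# Wednesday 22:15 for two hours == Wed 22:15 .. Thu 00:15, end exclusive.
# Expressing the window as start + duration is what lets it cross midnight.
WINDOWS = [(2, time(22, 15), timedelta(hours=2))]


def window_bounds(now, weekday, start, duration):
    """Return (start, end) of the most recent occurrence of a window whose
    start weekday is at or before `now`. Thursday 00:10 resolves back to
    Wednesday's 22:15 start, so the cross-midnight case needs no special code.
    Assumes duration is shorter than seven days."""
    days_back = (now.weekday() - weekday) % 7
    start_dt = datetime.combine(now.date() - timedelta(days=days_back), start)
    return start_dt, start_dt + duration


def in_maintenance(now):
    """True while any configured window is active at `now`."""
    return any(start <= now < end
               for start, end in (window_bounds(now, *w) for w in WINDOWS))


def decide(client_ip, now):
    """'allow' or 'drop' for one request: allow-listed clients always pass;
    everyone else is dropped only while a window is active."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in ALWAYS_ALLOWED):
        return "allow"
    return "drop" if in_maintenance(now) else "allow"


def decide_at(client_ip, stamp):
    """Convenience wrapper taking a 'YYYY-MM-DD HH:MM:SS' local timestamp."""
    return decide(client_ip, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))


if __name__ == "__main__":
    # Same boundary instants as the testing strings in the thread (Wed 20 Jan 2021).
    for stamp in ("2021-01-20 22:14:59", "2021-01-20 22:15:00",
                  "2021-01-21 00:14:59", "2021-01-21 00:15:00"):
        print(stamp, decide_at("203.0.113.7", stamp), decide_at("10.10.5.5", stamp))
```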