CirrusI have to restrict access to a VS by IP & time. So during a particular window (time/day) only specific ip ranges should be allowed to access that vs. Can someone please guide how to do that on a LTM. LTM is running on version 13.1.0.7.
Hi Ashu Aggarwal,
Create a datagroup for always allowed IPs.
Try this iRule:
when RULE_INIT {
array set static::timerange { #change time
Monday {"08:30" "20:00"}
Tuesday {"08:30" "20:00"}
Wednesday {"08:30" "20:00"}
Thursday {"08:30" "20:00"}
Friday {"08:30" "20:00"}
Saturday {}
Sunday {}
}
}
when HTTP_REQUEST {
if { not [class match [IP::client_addr] equals dg-allowed-ip-list-name] } { #change dg name
set now [clock seconds]
set current_day [clock format $now -format {%A}]
set start [lindex $static::timerange($current_day) 0]
set end [lindex $static::timerange($current_day) 1]
if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
set denied 0
} else {
set denied 1
}
unset start end
} else {
set denied 0
}
if { $denied } {
drop
}
}
Cirrus: I got the permission to try this i-rule tonight. Just quick question, from where this i-rule will pick the clock/time? Would it pick the time from system clock?
Thanks
Hi,
I test it with this iRule.
when HTTP_REQUEST {
log local0. [clock seconds]
}Current time log:
Oct 14 18:11:10 f5 info tmm[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1602688267
Oct 14 18:11:10 f5 info tmm[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1602688270
...after change F5 System Time:
May 11 21:11:18 f5 info tmm2[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1526062278
May 11 21:11:18 f5 info tmm2[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1526062298
...iRule uses system time.
CirrusThank You very much i will try asap!
Admin- Can you mark one of these as Best answer? Did you solve the problem in some other way?
CirrusNo I could not resolve it, The i-rule is not working as expected. It just keep blocking the connection regardless of time. Thanks!
AdminHi Ashu, take a look at this iRule for guidance: https://devcentral.f5.com/s/articles/irule-maintenance-windows.
Hi Ashu,
Can you replace lines 20-24? (set denied values)
if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
set denied 1
}
else {
set denied 0
}when RULE_INIT {
array set static::timerange {
Monday {}
Tuesday {}
Wednesday {}
Thursday {"03:15" "03:30"}
Friday {}
Saturday {}
Sunday {}
}
}
when HTTP_REQUEST {
if { not [class match [IP::client_addr] equals dg_allow_ip_during_deployment] } {
set now [clock seconds]
set current_day [clock format $now -format {%A}]
set start [lindex $static::timerange($current_day) 0]
set end [lindex $static::timerange($current_day) 1]
if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
set denied 1
} else {
set denied 0
}
unset start end
} else {
set denied 0
}
if { $denied } {
drop
}
}