Restrict Traffic To VIP By Subnet

Question

I would like to restrict a subnet (192.168.1.0/24) from accessing VIP: 10.10.10.10. Is this possible with a irule? I can only find ways on how to restrict traffic from a single IP and not a subnet. Any help would be appreciated.

Thanks

Dan

jaikumar_f5 · Accepted Answer

Just go with a datagroup with Irule method. So that you can add more IP's in the blacklist group on the file. You need not keep editing your irule.Create a datagroup called blacklist subnet, make sure its type IP.type: ipltm data-group internal blacklist_subnet {
records {
20.20.20.0/32 { }
30.30.30.30/25 { }
}
type ip
}Then create your irule like below,when CLIENT_ACCEPTED {
if { [class match [IP::client_addr] eq blacklist_subnet] } {
	log local0. "Client IP - [IP::client_addr] is blacklisted. Dropped traffic"
    drop
}
}

faruk_aydin · Answer

use this:when CLIENT_ACCEPTED {
   if { [IP::addr [IP::client_addr]/24 equals 192.168.1.0] } {
      drop
   }
}

dans · Answer

Thanks Jaikumar and Faruk! The help is much appreciated!

The data group intrigues me. I don't see an option to create an "IP" type data group. The options I have are address, string, integer, and external file.

dans · Answer

Thanks I got it figured out with the data groups. Your example was command line instead of GUI so it threw me off. Thanks again for your help!

Forum Discussion

Restrict Traffic To VIP By Subnet

4 Replies

Recent Discussions

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Related Content

SSL Orchestrator Advanced Use Cases: Enabling GCloud Organization Restrictions

fellow traffic

Remove subnet from NAT pools without any impact

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header

Implementing Client Subnet DNS Requests