Forum Discussion

Robert_47833's avatar
Robert_47833
Icon for Altostratus rankAltostratus
May 08, 2015

block client ip for existing connection via irule

when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals xx.xx.xx.xx/xx] } { reject } } it seems it doesn't work for existing connection   any workaround?  
application delivery
design
devops
iRules
LTM
security
nitass's avatar
nitass
Icon for Employee rankEmployee
May 08, 2015

tcp:collect/tcp:release?

e.g.

 configuration

root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:22
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 5
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:22 {
            address 200.200.200.101
        }
    }
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal blacklist
ltm data-group internal blacklist {
    type ip
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
  log local0. "\[class get blacklist\]=[class get blacklist]"
}
when CLIENT_DATA {
  log local0. "\[class get blacklist\]=[class get blacklist]"
  if { [class match -- [IP::client_addr] equals blacklist] } {
    log local0. "reject"
    reject
    return
  }
  TCP::release
  TCP::collect
}
when SERVER_CONNECTED {
  log local0. ""
  clientside {
    TCP::collect
  }
}
}

 /var/log/ltm

[root@ve11c:Active:In Sync] config  tail -f /var/log/ltm
May  8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux :
May  8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:16 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:16 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:16 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:16 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:18 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:18 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:18 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:18 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:20 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:21 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:21 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:22 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:28 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=192.168.206.0/23 {}
May  8 16:28:28 ve11c info tmm[15145]: Rule /Common/qux : reject

does it affect perfermance?

nothing has no impact. 🙂

  • Robert_47833's avatar
    Robert_47833
    Icon for Altostratus rankAltostratus
    May 11, 2015
    ha,I don't understand this,need time to pick it up.