irule that block host to all ip address except specific ip

Hello,

Thank you very much

The space solve the problem :)

Now how can i add more ip to IP::addr and [IP::client_addr ?

Regards

Hello,

You can use [IP::addr [IP::remote_addr] equals ipaddress with mask] in this format.

Eg:

[IP::addr [IP::remote_addr] equals 10.10.10.0/24]

Hello,

You can use [IP::addr [IP::remote_addr] equals ipaddress with mask] in this format.

Eg:

[IP::addr [IP::remote_addr] equals 10.10.10.0/24]

Hello,

What if need to allow just another host /32 ?

Regards

Hello,

you can create an data_group for the exception IP's and then you can use that data group in the irule like below

ltm data-group internal test_allow_IP {
    records {
        10.10.10.10/32 { }
        10.10.10.11/32 { }
    }
    type ip
}

    when HTTP_REQUEST { 
    set low_host [string tolower [HTTP::host]]
    if {(( $low_host starts_with "test1.technion.ac.il" ) || ( $low_host starts_with "test2.technion.ac.il" ) || ( $low_host starts_with "test3.technion.ac.il" ) || ( $low_host starts_with "test4.technion.ac.il" ) )&& ( [class match [IP::client_addr] equals test_allow_IP] )} {
    HTTP::respond 404 content "Blocked by irule" log local0. "$low_host traffic has come from blocked subnet"
    }
    }

Hi,

Please see error i get 01070151:3: Rule [/Common/Hacked_web3_Https_site_with_support_access] error: /Common/My _irule_name_access:1: error: [undefined procedure: ltm][ltm data-group internal test_allow_IP { records { 10.10.10.10/32 { } 10.10.10.11/32 { } } type ip }]

I dont have Ltm license

Regards

Rafish,

You are required to create the Data group first separetely and then put the Irule part separately. You have put both the datagroup and Irule code inside the Irule creation part itself, hence the error.

Please follow this,

Local Traffic ›› iRules : iRule List ›› RafishIrule

Paste the below code alone,

when HTTP_REQUEST {
set low_host [string tolower [HTTP::host]]
if {(( $low_host starts_with "test1.technion.ac.il" ) || ( $low_host starts_with "test2.technion.ac.il" ) || ( $low_host starts_with "test3.technion.ac.il" ) || ( $low_host starts_with "test4.technion.ac.il" ) )&& ( [class match [IP::client_addr] not equals test_allow_IP] )} {
HTTP::respond 404 content "Blocked by irule" log local0. "$low_host traffic has come from blocked subnet"
}
}

Then gotoLocal Traffic ›› iRules : Data Group List ›› New Data Group...

Name: test_allow_IP Type: Address

Address: 10.10.10.10/32 Value:

Click on Add.

Click on finished. Please let us know if you face any issues.

Hi

Thank you for your replay,

I tried once with "class match" but it didn't work good.

I tried once again as you suggest but 10.10.10.10 was blocked also.

Any suggest ?

Regards

The not logic is incorrect. It should be,

( not [class match [IP::client_addr] equals test_allow_IP] )

Please use the below, you can achieve these by many ways, allowing in if or on else, its so many possibilities.

when HTTP_REQUEST { 
set low_host [string tolower [HTTP::host]]
if {(( $low_host starts_with "test1.technion.ac.il" ) || ( $low_host starts_with "test2.technion.ac.il" ) || ( $low_host starts_with "test3.technion.ac.il" ) || ( $low_host starts_with "test4.technion.ac.il" ) ) && ( not [class match [IP::client_addr] equals test_allow_IP] )} {
HTTP::respond 404 content "Blocked by irule" log local0. "$low_host traffic has come from blocked subnet"
}
}

or a simple one like this too, without the need for Data Group, as you need to allow just one ip,

when HTTP_REQUEST {
set low_host [string tolower [HTTP::host]]
if {(( $low_host equals "test1.technion.ac.il" ) || ( $low_host equals "test2.technion.ac.il" ) || ( $low_host equals "test3.technion.ac.il" ) || ( $low_host equals "test4.technion.ac.il" ) ) && ( not [IP::addr [IP::client_addr] equals 10.10.10.10] )} {
HTTP::respond 404 content "Blocked by irule" log local0. "$low_host traffic has come from blocked subnet"
} 
}

Hi,

Thank you very much it works now :)

Regards