Forum Discussion

Justin_106597's avatar
Justin_106597
Icon for Nimbostratus rankNimbostratus
Jan 15, 2015

irule to allow clients listed in data group and drop other clients and also allow all clients only within a specific port range?

We have a forwarding ip vserver that currently has an irule that references a data group to check if the client ip exists in the data group, if it does it forwards the traffic to the server else it drops. This ensures users can't bypass the f5 and access the server(s) directly unless your an admin.

 

I now need to edit this irule to allow any client to access these servers only on ports 50,000 to 59,999 ports.

 

Is it possible to have the irule allow admins to access these servers if they are in the data group but drop other clients and allow all clients only on ports 50,000 to 59,999

 

APM
application delivery
devops
iRules
LTM
management
security

18 Replies

Sort By
Show More
  • Justin_106597's avatar
    Justin_106597
    Icon for Nimbostratus rankNimbostratus
    Jan 20, 2015

    the logs on the f5 for the client trying to ssh is Rule /Common/Infoblox_Management : IP address: x.x.x.x

     

    client gets connection reset.

     

  • Justin_106597's avatar
    Justin_106597
    Icon for Nimbostratus rankNimbostratus
    Jan 20, 2015

    i changed that to remote port. I now see in the logs why it is rejecting the other client Tue Jan 20 09:24:56 CST 2015infoF5TESTtmm[12495] Rule /Common/Infoblox_Management : IP address: x.x.x.x Tue Jan 20 09:24:56 CST 2015infoF5TESTtmm[12495] Rule /Common/Infoblox_Management : Source Port: 50454 Tue Jan 20 09:24:56 CST 2015infoF5TESTtmm[12495] Rule /Common/Infoblox_Management : IP and Port checks failed. DROPPING connection

     

    is it looking at the source port and not destination port?

     

    • Michael_Jenkins's avatar
      Michael_Jenkins
      Icon for Cirrostratus rankCirrostratus
      Jan 20, 2015
      You can check out the TCP wiki page for TCP to see what the different options are (https://clouddocs.f5.com/api/irules/TCP.html).
  • Justin_106597's avatar
    Justin_106597
    Icon for Nimbostratus rankNimbostratus
    Jan 20, 2015

    I got it to work. I will move into prod soon and verify it works. thanks for all your help.

     

    • Michael_Jenkins's avatar
      Michael_Jenkins
      Icon for Cirrostratus rankCirrostratus
      Jan 20, 2015
      Good deal. Don't forget to mark one of the answers as the solution if it seems like the best solution.