Forum Discussion

James_48517
Apr 09, 2018
Solved

iRule to only allow certain IP addresses to a hostname

I am working on an iRule that will only allow a certain set of IP addresses to talk to a specific set of hostnames. I want it to keep processing the rest of the iRules in the list if it doesn't match the criteria to block. In this current state it doesn't seem to be blocking at all.

    when CLIENT_ACCEPTED {
        if { not [class match [IP::client_addr] equals client_net] } {
            set allowed_ip 0
        } else {
            set allowed_ip 1
        }
    }

    when HTTP_REQUEST {
        if { [class match [string tolower [HTTP::host]] equals client_hostname] } {
            if { $allowed_ip == 0 } {
                drop
                log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
            }
        }
    }

  • Okay, so my original issue was my own fault. I had the address I was being NAT'd to wrong; after correcting that, the original rule worked and so did this one, which is more concise thanks to Filip Mikulík.

    when HTTP_REQUEST {
        if { ( ![class match [IP::client_addr] equals client_net] ) and ( [class match [string tolower [HTTP::host]] equals client_hostname] ) } {
            log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
            HTTP::respond 404 content "Sorry the requested page is blocked for your IP [IP::client_addr]:[TCP::client_port]" "Content-type" "text/html; charset=utf-8"
        }
    }

    OR this

    when CLIENT_ACCEPTED {
        if { not [class match [IP::client_addr] equals client_net] } {
            set allowed_ip 0
        } else {
            set allowed_ip 1
        }
    }

    when HTTP_REQUEST {
        if { [class match [string tolower [HTTP::host]] equals client_hostname] } {
            if { $allowed_ip == 0 } {
                drop
                log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
            }
        }
    }

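A tightened version of the accepted rule, added here as an example and not posted by anyone in the thread. It assumes the same client_net (address) and client_hostname (string) data groups, strips a port suffix from the Host header before the lookup so a host sent as "app.example.com:8443" is still matched, and answers 403 instead of 404:

```tcl
# Added example, not from the thread. Assumes the data groups used in the
# accepted answer: client_net (address type) and client_hostname (string).
when HTTP_REQUEST {
    # The Host header may carry a port or be empty on HTTP/1.0 requests.
    # Normalise it before the data-group lookup so a port suffix does not
    # bypass the hostname match (bracketed IPv6 literals are not handled).
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    if { $host eq "" } { return }

    # Only hostnames listed in client_hostname are restricted; every other
    # request falls through to the remaining iRules on the virtual server.
    if { ![class match $host equals client_hostname] } { return }

    # Permitted source networks pass untouched.
    if { [class match [IP::client_addr] equals client_net] } { return }

    log local0. "Block [IP::client_addr]:[TCP::client_port] -> $host"
    HTTP::respond 403 content "Access to $host is not permitted from your address." \
        noserver "Content-Type" "text/plain"
    # return ends this event handler in this iRule only; other iRules on the
    # virtual server still run their own HTTP_REQUEST handlers.
    return
}
```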
5 Replies

  • I hope that I understand your task correctly. Try

    when HTTP_REQUEST {
        if { ( ![class match [IP::client_addr] equals client_net] ) and ( class match [string tolower [HTTP::host]] equals client_hostname )} {
            log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
            HTTP::respond 404 content "Sorry the requested page is blocked for your IP [IP::client_addr]:[TCP::client_port]" "Content-type" "text/html; charset=utf-8"
        }
    }

    • James_48517

      I attempted to use that but I got a syntax error.

      01070151:3: Rule [/DMZ_PUB/tor06_client_allow_rule] error: /DMZ_PUB/tor06_client_allow_rule:2: error: [parse error: PARSE syntax 92 {syntax error in expression " ( ![class match [IP::client_addr] equals client_net] ) and ...": variable references require preceding $}][{ ( ![class match [IP::client_addr] equals client_net] ) and ( class match [string tolower [HTTP::host]] equals client_hostname )}]

    • James_48517

      Okay, I figured out the syntax issue; it just wanted a few more brackets on the second class match. Otherwise this rule works, and so does my original rule; I just had my IP address wrong when I was testing it. Thanks.

    • Filip_Mikulík_1

      Yes, the close brackets... my usual problem. Sorry for that.

      So you resolved it by yourself, nice. Have a nice day.
