James_48517
Apr 09, 2018
Solved

iRule to only allow certain IP addresses to a hostname

I am working on an irule that will only allow a certain set of IP addresses to talk to a specific set of hostnames. I want it to keep processing the rest of the irules in the list if it doesn't match...
  • James_48517
    Apr 10, 2018

    Okay, so my original issue was my own fault. I had the address I was being NAT'd to wrong; after correcting that, the original rule worked and so did this one, which is more concise thanks to Filip Mikulík.

    when HTTP_REQUEST {
        if { ( ![class match [IP::client_addr] equals client_net]) and ([class match [string tolower [HTTP::host]] equals client_hostname])} {
            log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
            HTTP::respond 404 content "Sorry the requested page is blocked for your IP [IP::client_addr]:[TCP::client_port]" "Content-type" "text/html; charset=utf-8"
        }
    }
    

    Or this:

    when CLIENT_ACCEPTED {
        # Decide once per connection whether the client IP is in the allowed data group
        if { not [class match [IP::client_addr] equals client_net] } {
            set allowed_ip 0
        } else {
            set allowed_ip 1
        }
    }
    when HTTP_REQUEST {
        # Enforce the restriction only for hostnames in the protected data group
        if { [class match [string tolower [HTTP::host]] equals client_hostname] } {
            if { $allowed_ip == 0 } {
                drop
                log local0. "Block IP [IP::client_addr]:[TCP::client_port] for Client"
            }
        }
    }
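
Added example, not part of the original thread: a variant of the rule above that normalises the Host header before the data-group lookup, since `[HTTP::host]` returns the header as sent, including any `:port` suffix, and an `equals` match on `client_hostname` would then miss a protected name. It assumes the thread's data groups `client_net` (address type) and `client_hostname` (string type, lowercase names without ports); the 403 response body and the `host` variable name are choices made for this example.

```tcl
when HTTP_REQUEST {
    # Host may arrive as "name:port" or with a trailing dot.
    # Strip both so the lookup sees the bare lowercase hostname.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    set host [string trimright $host "."]

    # Enforce the allowlist only for hostnames in the protected data group.
    if { [class match $host equals client_hostname] } {
        if { not [class match [IP::client_addr] equals client_net] } {
            log local0. "Block IP [IP::client_addr]:[TCP::client_port] for host $host"
            # Generic body: no need to echo the client address back to the caller.
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain" "Connection" "close"
            # Leave this event handler in this iRule after responding.
            return
        }
    }
    # No match: fall through so the remaining iRules on the virtual server keep processing.
}
```

Note that `return` only ends this handler; if a later iRule on the same virtual server also sends a response for a blocked request, that rule needs its own guard.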