Forum Discussion

Ranvir_Floura_7
Mar 25, 2009

redirect based on source ip address

Need a little help in coming up with an iRule where, if the client IP matches, I want it going to a pool; if not, just redirect to a URL. I am missing something here.

 

 

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals x.x.x.10] } {
    } elseif { [IP::addr [IP::client_addr] equals x.x.x.11]} {
    } elseif { [IP::addr [IP::client_addr] equals x.x.x.12]} {
    } elseif { [IP::addr [IP::client_addr] equals x.x.x.13]} {
    } elseif { [IP::addr [IP::client_addr] equals x.x.x.14]} {
    } elseif { [IP::addr [IP::client_addr] equals x.x.x.15]} {
        pool xyz
    }
}
else {
    HTTP::redirect http://impacii.nih.gov
}

 

 

Thanks!

6 Replies

  • Hi,

    It would be cleaner to define the IP addresses in a datagroup of type 'address' and then use the matchclass command to check the client IP against the datagroup.

     
     when HTTP_REQUEST {

        # Check if client IP is in the datagroup
        if {[matchclass [IP::client_addr] equals $::my_client_ips_class]} {
           pool xyz
        } else {
           HTTP::redirect "http://redirect.example.com"
        }
     }
     

    Aaron
  • Hi Aaron,

    Thanks for the directions. I am still having an issue. Here is what I have, and it is complaining about undefined procedure: class.

     class my_client_ips_class {
        host x.x.x.209
        host y.y.y.18
        host z.z.z.15
     }

     when HTTP_REQUEST {
        # Check if client IP is in the datagroup
        if {[matchclass [IP::client_addr] equals $::my_client_ips_class]} {
           pool uat_pool
        } else {
           HTTP::redirect "http://abc.test.com"
        }
     }
  • The class syntax should not be part of the iRule; that syntax is what ends up in the bigip.conf file if you create a Data Group in the GUI (I wish that they had named it the same thing in the GUI as in the config file, but hey...).

    Denny
  • What am I doing wrong? I have the following, and it is dropping all connections.

     when CLIENT_ACCEPTED {
        if { [matchclass [IP::client_addr] equals $::relay_hosts_allowed]} {
           forward
        } else {
           drop
        }
     }

    relay_hosts_allowed contains a whole bunch of networks and hosts, including the one that I am using to test, of course.
  • The wiki says - "Use of IP::addr is not necessary if matchclass command is used to perform the address-to-address comparison" but nonetheless you may want to try:

     
     if { [matchclass IP:addr[IP::client_addr] equals $::relay_hosts_allowed]} {  
     

    The rule looks fine though...so long as LTM has a route to whatever you are trying to get to (or is directly connected) then it should forward the packet.

    You could add some logging to see if you're not matching for some reason:

     
     when CLIENT_ACCEPTED {
       if { [matchclass [IP::client_addr] equals $::relay_hosts_allowed]} {
         log local0. "[IP::client_addr] matched an allowed host."
         forward
       } else {
         log local0. "[IP::client_addr] didn't match, dropping"
         drop
       }
     }
     

    Denny
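
Added example (not part of the thread and not F5 code): when a data-group rule drops or redirects everything, a useful offline check is whether the test client address actually falls inside one of the group's entries. The Python below parses a constructed v9-style `class` block and models the match as plain host/network containment; the `network ... mask ...` entry form, the sample addresses and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample of a data group as it might appear in bigip.conf.
# The "host" lines follow the form quoted in the thread; the
# "network ... mask ..." form is an assumption about that file format.
SAMPLE_CLASS = """
class relay_hosts_allowed {
   host 192.0.2.10
   host 192.0.2.11
   network 198.51.100.0 mask 255.255.255.0
}
"""

def parse_class(text):
    """Return (name, [ip_network, ...]) for one class block."""
    header = re.search(r"class\s+(\S+)\s*\{", text)
    if header is None:
        raise ValueError("no class block found")
    members = []
    for line in text[header.end():].splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "}":
            break
        if fields[0] == "host" and len(fields) == 2:
            members.append(ipaddress.ip_network(fields[1]))
        elif fields[0] == "network" and len(fields) == 4 and fields[2] == "mask":
            # strict=True rejects an entry with host bits set (a common typo)
            members.append(ipaddress.ip_network(f"{fields[1]}/{fields[3]}", strict=True))
        else:
            raise ValueError(f"unrecognised entry: {line.strip()!r}")
    return header.group(1), members

def is_allowed(client_ip, members):
    """Model of the address match: True if client_ip is inside any entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in members)

def decide(client_ip, members):
    """Mirror the rule's two branches: allowed clients are forwarded."""
    return "forward" if is_allowed(client_ip, members) else "drop"

if __name__ == "__main__":
    name, members = parse_class(SAMPLE_CLASS)
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(f"{ip} -> {decide(ip, members)} ({name})")
```

If the test address comes back as `drop` here, the data group contents are the problem rather than the rule; if it comes back as `forward`, the logging added in the reply above is the next place to look.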