zblue_123071
Aug 21, 2013

iRule to Allow Certain Client IP

Hi,

 

I have a situation where I need to permit certain IPs to access HTTP content. To do this, I have an iRule that uses a switch based on the client IP, like this:

 

when HTTP_REQUEST {
    if { [HTTP::host] contains "my.site.com" } { 
        switch [IP::addr [IP::client_addr] mask 255.255.255.255] {
            "1.2.3.4" {     
                pool my-pool
            } default {
                    HTTP::respond 200 content [ifile get AccessDenied]
            }
        }
    }
}

My problem is if I need to allow multiple IPs, I have to repeat several lines of code - is there a more efficient way to do this?

 

Thank you!

 

4 Replies

  • You bet. Use a datagroup and then use the class command to extract the pool you want based on source.

    ltm data-group internal /Common/iplist {
        records {
            192.168.1.1/32 {
                data my-pool
            }
            192.168.2.0/24 {
                data your-pool
            }
        }
        type ip
    }
    
    
    when HTTP_REQUEST {
      if { [HTTP::host] contains "my.site.com" } {
        set pool [class match -value -- [IP::client_addr] equals iplist]
        catch { pool $pool }
      } else {
        HTTP::respond 200 content [ifile get AccessDenied]
      }
    }
    
  • Thanks a lot guys - I didn't even think about using datagroups. I'll follow up with my rule after I get it working!

     

    Thanks

     

  • Okay, here is what I ended up doing:

    when HTTP_REQUEST {
        switch [HTTP::host] {
            "my.site.com" {
                if { [class match [IP::remote_addr] equals MYDATAGROUP] } {
                    pool MYPOOL
                } else {
                    HTTP::respond 200 content [ifile get AccessDenied]
                }
            }
        }
    }
    

    Thanks again for the suggestions!
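
An added example, not code from any poster in this thread: one way to combine the per-source pool lookup from the first reply with the deny branch of the final rule so that the allow-list fails closed. It assumes the `iplist` data group and the `AccessDenied` iFile shown above; the host normalization, the 403 and 503 status codes and the log lines are choices made for this example.

```tcl
when HTTP_REQUEST {
    # Compare on a normalized host: lower-cased and without any ":port"
    # suffix, so "MY.SITE.COM" and "my.site.com:80" are handled by the
    # same branch as "my.site.com".
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    if { $host eq "my.site.com" } {
        # On a type-ip data group, "equals" matches both host records
        # (192.168.1.1/32) and subnet records (192.168.2.0/24).
        # -value returns the record's data (the pool name), or an empty
        # string when the client address matches no record.
        set target [class match -value -- [IP::client_addr] equals iplist]

        if { $target eq "" } {
            # Address is not in the data group: deny explicitly instead
            # of letting the request continue to the default pool.
            log local0.notice "allow-list deny: [IP::client_addr] -> $host"
            HTTP::respond 403 content [ifile get AccessDenied]
            return
        }

        # A data-group record that names a pool which does not exist makes
        # "pool" raise an error. Catch it, log it and stop the request
        # rather than silently falling through.
        if { [catch { pool $target } err] } {
            log local0.err "allow-list pool '$target' failed: $err"
            HTTP::respond 503 content "Service unavailable"
            return
        }
    }
}
```

Adding or removing a client is then a data-group change only; the rule itself does not need to be edited.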