Forum Discussion

KhalidSG_295331
Nov 27, 2017

iRule accept connection from specific IP

Hi, I have an F5 LTM and I use it for Exchange server only. I created a rule to restrict access to a sub-URL: the rule will accept connections from a specific IP address, and connections from any other IP address will be dropped. Please let me know if my rule and the syntax I used are good.

when HTTP_REQUEST {
    # Only the ActiveSync path is restricted; other URIs are left alone
    switch -glob -- [string tolower [HTTP::uri]] {
        "/microsoft-server-activesync*" {
            # Drop any client other than the single permitted address
            if { ![IP::addr [IP::client_addr] equals 192.168.7.106] } {
                drop
            }
        }
    }
}

1 Reply

  • Generally with iRules we want to target the most generic item first. Most of your clients will not be from that specific IP address. So to prevent your iRule from running unnecessary code for each request you should target that address first.

     

    Because we can check the address at connection time, we can decide whether to even run the HTTP code, using event disable. This means we only perform the IP check once per connection instead of on every single HTTP request, as in the original iRule. Then we run the HTTP code only if the address matches.

     

    when CLIENT_ACCEPTED {
        # Checked once per TCP connection, not once per HTTP request
        if { [IP::client_addr] ne "192.168.7.106" } { event HTTP_REQUEST disable }
    }

    when HTTP_REQUEST {
        # now this only runs if the IP address matched above
        switch -glob [string tolower [HTTP::uri]] {
            "/microsoft-server-activesync*" {
                drop
            }
        }
    }

    See the event disable command https://devcentral.f5.com/wiki/iRules.event.ashx

     

    This iRule checks for the IP address. If it does not match it disables the HTTP_REQUEST event. This means the subsequent code inside that event will never run.
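An added iRule (example code, not from either post) that implements the requirement as the question states it: only the ActiveSync path is gated, the client address is evaluated once per connection in CLIENT_ACCEPTED as the reply recommends, and every other URI is left untouched. The address is the one from the question; the log line and the use of reject instead of drop are my additions.

```tcl
# Added example, not code from the thread. Assumes a single permitted
# client, 192.168.7.106 (the address from the question). IP::addr also
# accepts a network, e.g. 192.168.7.0/24, if the allowed source grows.
when CLIENT_ACCEPTED {
    # One address comparison per TCP connection; the result is stored in
    # a connection-scoped variable so HTTP_REQUEST only does the URI match.
    if { [IP::addr [IP::client_addr] equals 192.168.7.106] } {
        set eas_allowed 1
    } else {
        set eas_allowed 0
    }
}

when HTTP_REQUEST {
    # Only the ActiveSync path is restricted. OWA, EWS, Autodiscover and any
    # other URI fall through the switch and are forwarded normally.
    switch -glob -- [string tolower [HTTP::uri]] {
        "/microsoft-server-activesync*" {
            if { !$eas_allowed } {
                # Record the refused source and target before closing the
                # connection, so denials are visible in /var/log/ltm.
                log local0. "EAS denied: [IP::client_addr] -> [HTTP::host][HTTP::uri]"
                # reject sends a TCP RST; drop would leave the client waiting
                # on a connection that never answers.
                reject
            }
        }
    }
}
```

Because the decision is stored per connection, a client that is refused on the ActiveSync path can still reach the other Exchange URIs over the same virtual server, which is what the question asks for.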