Forum Discussion

KJ_50941
Jan 11, 2018

Need to allow certain IP address to F5 VIP.

I need to restrict an F5 VIP to allow only certain IP addresses. It appears I need to create a data group (allowed-nets) from the F5 GUI with the allow list of IP addresses. Does the iRule below work as is?

    when CLIENT_ACCEPTED {
        if { not ([class match [IP::client_addr] equals allowed-nets]) } {
            log local0. "[IP::client_addr] is not permitted to site xxxx"
            reject
        }
    }

    ltm data-group internal allowed-nets {
        records {
            192.168.20.0/24 { data "NetYYYY" }
            192.178.20.0/24 { data "NetYYYY" }
            192.188.20.0/24 { data "NetYYYY" }
        }
        type ip
    }


10 Replies

  • Hamish

    Hi.

    Could you please reformat your question and put code fences (Preformatted Code) around the iRule itself... It makes it a lot easier for all to see.


  • WithF5

    Hi mate,

    you need to indent your algorithm if you want it to work.

        when CLIENT_ACCEPTED {
            if { not [class match [IP::client_addr] equals allowed-nets] } {
                log local0. "[IP::client_addr] is not permitted to site xxxx"
                reject
            }
        }

    Also, I don't think that networks defined in the data group will work... you need to use the full IP /32 (e.g. 192.168.1.1, 192.168.1.2 ...). You can do it in the CLI to make it faster.

    • swjo_264656

      I've been using that kind of rule.

      You should check it before applying it to the VS.

      That data-group list should contain the client-side and server-side IP or network.

      Take care.


    • swjo_264656

      I'm using two rules, one for forwarding and one for the VIP service.

          rule forward_allow {
              when CLIENT_ACCEPTED {
                  if { [class match [IP::client_addr] equals forward_white_list] } {
                      log local0. "[IP::remote_addr]:[TCP::remote_port] Dst [IP::local_addr]:[TCP::local_port] -> Allowed"
                  } else {
                      # log before reject so the denial is recorded regardless of whether later commands run
                      log local0. "[IP::remote_addr]:[TCP::remote_port] Dst [IP::local_addr]:[TCP::local_port] -> Denied"
                      reject
                  }
              }
          }

          rule vip_allow {
              when CLIENT_ACCEPTED {
                  if { [class match [IP::remote_addr] equals vip_white_list] } {
                      log local0. "[IP::remote_addr]:[TCP::remote_port] Dst [IP::local_addr]:[TCP::local_port] -> Allowed"
                      # LB::server pool only returns the pool currently selected; it does not change the selection
                      LB::server pool
                  } else {
                      # log before reject so the denial is recorded regardless of whether later commands run
                      log local0. "[IP::remote_addr]:[TCP::remote_port] Dst [IP::local_addr]:[TCP::local_port] -> Denied"
                      reject
                  }
              }
          }

      Please refer to it.


  • "does below iRule works as is?"

    It looks okay to me.



  • First, if you have the AFM module, you can make a policy with an allowed address list and then attach the policy to the VIP... or, if you need an iRule, you can use:

        when HTTP_REQUEST {
            if { [IP::client_addr] equals "x.x.x.x" or [IP::client_addr] equals "x.x.x.x" or [IP::client_addr] equals "x.x.x.x" } {
                # permitted: nothing to do, the request continues
                return
            } else {
                reject
            }
        }


    • KJ_50941

      We don't have the F5 AFM module. This needs to be done with LTM 12.1.x code, so can I use only an iRule, or do I still need to create a data group?

          when HTTP_REQUEST {
              if { [IP::client_addr] equals "x.x.x.x" or [IP::client_addr] equals "x.x.x.x" or [IP::client_addr] equals "x.x.x.x" } {
                  # permitted: nothing to do, the request continues
                  return
              } else {
                  reject
              }
          }
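The data-group approach from the question, written out as an added example that is not code posted in this thread: the client address is checked at CLIENT_ACCEPTED, so a denied client is reset right after the TCP handshake and never has an HTTP request parsed, and CIDR records in an address-type data group match whole networks, so no per-host /32 entries are needed. The data-group name allowed-nets and the label NetYYYY come from the question; the log wording and the tmsh create line in the comments are assumptions.

```tcl
# Added example (not from the thread). Allow-list iRule for an LTM virtual server.
# Assumes an address-type data group named allowed-nets exists. It can be created
# once with tmsh (assumed command; CIDR records are valid for type ip):
#   create ltm data-group internal allowed-nets type ip \
#       records add { 192.168.20.0/24 { data "NetYYYY" } 192.178.20.0/24 { data "NetYYYY" } }
#
# Running the check in CLIENT_ACCEPTED means the decision is made as soon as the
# TCP handshake completes, before any request bytes from the client are parsed.
when CLIENT_ACCEPTED {
    # "--" ends option parsing so the address is never misread as a class option.
    # class match returns 1 when the client address falls inside any record,
    # including a CIDR record such as 192.168.20.0/24.
    if { [class match -- [IP::client_addr] equals allowed-nets] } {
        # Permitted: take no action; the connection continues to the default pool
        return
    }
    # Denied: log who was refused and on which virtual server, then send a TCP RST.
    # The log comes first so the denial is recorded whether or not reject stops the event.
    log local0. "Denied [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] on [virtual name]"
    reject
}
```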