Rafish_129330
Apr 23, 2018

iRule that blocks a host for all IP addresses except a specific IP

Hello,

 

I need an iRule that blocks access to some URL for all IP addresses except a specific IP. I wrote the iRule and succeeded in blocking the URL, but the problem is that the iRule blocks access for all IP addresses and I need access from 10.10.10.10.

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] starts_with "test1.technion.ac.il" || [HTTP::host] starts_with "test2.technion.ac.il" || [HTTP::host] starts_with "test3.technion.ac.il" || [HTTP::host] starts_with "test4.technion.ac.il" and [IP::addr[IP::remote_addr] not equals 10.10.10.10/255.255.255.255] } then {
            HTTP::respond 404 "Not Found" "Connection" "close"
            log local0. "This Connetion blocked By iRule My-iRule"
        }
    }

Any suggestions?

 

Regards Rafi

 

15 Replies

  • Hi Guy,

    You missed parentheses in the if statement. The correct version of your iRule is:

    when HTTP_REQUEST {
        if { ([string tolower [HTTP::host]] starts_with "test1.technion.ac.il" || [HTTP::host] starts_with "test2.technion.ac.il" || [HTTP::host] starts_with "test3.technion.ac.il" || [HTTP::host] starts_with "test4.technion.ac.il") and [IP::addr [IP::remote_addr] not equals 10.10.10.10/255.255.255.255] } {
            HTTP::respond 404 "Not Found" "Connection" "close"
            log local0. "This Connetion blocked By iRule My-iRule"
        }
    }
    
  • You could simplify the logic by placing the different host headers into a data group:

     **DATAGROUP** 
    ltm data-group internal host_dg {
        records {
            test1.technion.ac.il {}
            test2.technion.ac.il {}
            test3.technion.ac.il {}
            test4.technion.ac.il {}
        }
        type string
    }
    
     **iRULE**  
    when HTTP_REQUEST {
        if {([class match [HTTP::host] starts_with host_dg]) && ([IP::addr [IP::remote_addr] equals 10.10.10.10/255.255.255.255])} {
            HTTP::respond 404 "Not Found" "Connection" "close" 
            log local0. "This Connetion blocked By iRule My-iRule" 
        }
    }
    
  • Hello Rafish,

    Please try the below iRule:

    when HTTP_REQUEST {
        set low_host [string tolower [HTTP::host]]
        if {(( $low_host starts_with "test1.technion.ac.il" ) || ( $low_host starts_with "test2.technion.ac.il" ) || ( $low_host starts_with "test3.technion.ac.il" ) || ( $low_host starts_with "test4.technion.ac.il" ) )&& ( [IP::addr [IP::client_addr] equals 10.10.10.10] )} {
            HTTP::respond 404 content "Blocked by irule"
            log local0. "$low_host traffic has come from blocked subnet"
        }
    }

    I also got the same error, and then I added a space between IP::addr and [IP::client_addr]. After that, the iRule was working fine. You can also give it a try by adding a space between IP::addr and [IP::client_addr].

     


    • Rafish_129330

      Hello,

      Thank you very much

      The space solved the problem :)

      Now how can I add more IPs to IP::addr and [IP::client_addr]?

      Regards

       

    • Nandhini_Natar1

      Hello,

      You can use [IP::addr [IP::remote_addr] equals ipaddress with mask] in this format.

      Eg:


      [IP::addr [IP::remote_addr] equals 10.10.10.0/24]
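
An added example, not code from any poster in this thread: one way to allow several client addresses is an address-type data group checked with `class match`, combined with the host data group idea from the earlier reply. The data group names `blocked_hosts_dg` and `allowed_clients_dg` and the 10.10.20.0/24 entry are assumptions; the host is matched exactly so that a longer name which merely begins with a listed host is not treated as one of them.

```tcl
# Added example. Data group names and the 10.10.20.0/24 record are
# assumptions (constructed), not values taken from the thread.
#
# tmsh definitions this rule expects:
#
#   ltm data-group internal blocked_hosts_dg {
#       records {
#           test1.technion.ac.il { }
#           test2.technion.ac.il { }
#           test3.technion.ac.il { }
#           test4.technion.ac.il { }
#       }
#       type string
#   }
#   ltm data-group internal allowed_clients_dg {
#       records {
#           10.10.10.10/32 { }
#           10.10.20.0/24 { }
#       }
#       type ip
#   }

when HTTP_REQUEST {
    # Normalize the Host header: lower-case it and drop any ":port" suffix,
    # so an exact match can replace starts_with.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Only the restricted hosts are subject to the source-address check.
    if { [class match $host equals blocked_hosts_dg] } {
        # A "type ip" data group matches single hosts and whole subnets,
        # so adding another allowed client is a data group change only.
        if { ![class match [IP::client_addr] equals allowed_clients_dg] } {
            log local0. "Blocked [IP::client_addr] for host $host"
            HTTP::respond 404 content "Not Found" "Connection" "close"
        }
    }
}
```

Requests to other hosts on the same virtual server pass through untouched, and allowed clients are never logged or answered by the rule.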