Forum Discussion

sstafford (Nimbostratus)
Apr 03, 2009

IRule to block all but a few members of a subnet

Forgive the newbie question, but this will be only the second iRule that I've ever had to write. We've got a situation where a major application has failed, and we're moving it behind the LTM. However, we'd like to make sure that it is working prior to the public pounding on it--which they will do the second it comes up, unless we block most of the world from accessing it, while allowing the testing team's IPs through. I know it can be done, I'm just not sure where to start.

1 Reply

  • Since it's temporary, you could just use packet filters rather than writing a rule.

    Or, something like:

     
     when CLIENT_ACCEPTED { 
       # Allow only the testing team's address (x.x.x.x is a placeholder).
       # Add additional IPs with the || operator if needed.
       if { not ([IP::addr [IP::client_addr] equals "x.x.x.x"]) } { 
         # Everyone else: drop the connection silently
         discard 
       } 
     } 
     

    or if you create a Data Group (class) with your list of IPs:

     
     when CLIENT_ACCEPTED { 
       # matchclass checks the client address against every entry in the
       # data group (v9 syntax, where the class is referenced as $::name)
       if { not ([matchclass $::data_group_name contains [IP::client_addr]]) } { 
         discard 
       } 
     } 
     

    Denny
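As an added example (not part of Denny's reply or of any F5 documentation), here is the data-group variant written the way it would be done on a v10 or later LTM: an address-type data group checked with `class match`, so CIDR entries match whole networks rather than literal strings, plus a log line per dropped connection so the test team can see who is being blocked. The data group name `qa_allowed_clients` and the addresses in it are assumptions for illustration.

```tcl
# Added example, not from the original post. Assumes an address-type
# data group named qa_allowed_clients exists, e.g. created with tmsh:
#   create ltm data-group internal qa_allowed_clients type ip \
#       records add { 192.0.2.10 { } 198.51.100.0/28 { } }
# (the addresses are placeholders for the test team's hosts/networks)
when CLIENT_ACCEPTED {
    # Address-type data groups match on network membership, so the /28
    # entry above allows the whole range, not just one host.
    if { [class match [IP::client_addr] equals qa_allowed_clients] } {
        # Test team: let the connection through untouched.
        return
    }
    # Everyone else: log once per TCP connection, then silently drop.
    # "discard" sends nothing back, so the client sees a timeout; use
    # "reject" instead if you would rather they get a RST right away.
    log local0. "Blocked [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] during pre-release testing"
    discard
}
```

On a v9 system, replace the `class match` line with `[matchclass [IP::client_addr] equals $::qa_allowed_clients]`. Since the application is expected to be hammered the moment it comes up, the log line can get noisy; keep it while you are confirming the filter works and remove it (or switch `discard` to `drop`) once you are satisfied.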