Forum Discussion

Tim_V
Apr 20, 2021

iRule for IP restriction with multiple virt servers and multiple DGL of allowed IPs.

I have read through a multitude of threads, but my scenario seems a little unique.


A little background so it all makes sense.

We serve multiple customers with their own site; each site is a virt server and we are using the header to match rather than a single IP per site.


Each customer has a unique data group list of allowed IPs. We did not want a single list of allowed IPs in case a customer was emailed an incorrect URL by mistake, or just started browsing other DNS records for the domain, etc.


We are changing our monitoring company and I would like to have a second data group list of IPs that are allowed, so that any time there is a change for a source IP of monitoring, one of our offices, etc., we don't have to touch 100 lists. The current iRule we are using is:


when HTTP_REQUEST priority 100 {
    # This iRule will check if the client request is SITE.DOMAIN.COM and the client source IP is NOT a member of the data group specified, which is a list of allowed IPs.
    # If the client IP address is matched to the list of allowed IPs then it will bring up the web page; if it isn't, then it will bring up the COMPANY IP Forbidden Page.
    # Note: HTTP::host is lowercased before the comparison, so the hostname literal must be lowercase too or it will never match.
    if { ( [string tolower [HTTP::host]] equals "1000-t01.domain.com" ) and not ( [class match [IP::client_addr] equals COMPANY-1000-CUSTOMER-DG-Allow ] ) } {
        # log local0. "Invalid CUSTOMER client IP: [IP::client_addr] - Blocking traffic"
        HTTP::respond 200 content [ifile get COMPANY_ip_forbidden]
        after 50 drop
        event disable
    }
}

How do I add the second data group, and allow if the source IP is in either of the two data groups?

2 Replies

  • Tim_V

    To clarify the last sentence: I know how to create the data group list, but how do I add it into the iRule?


    • SanjayP

      Something like the below. Modify the data group name accordingly.

      when HTTP_REQUEST priority 100 {
          # Allow the request if the client IP is in EITHER data group; block only when it is in neither.
          # The hostname literal must be lowercase because HTTP::host is lowercased before the comparison.
          if { ( [string tolower [HTTP::host]] equals "1000-t01.domain.com" ) and ( not ( [class match [IP::client_addr] equals COMPANY-1000-CUSTOMER-DG-Allow ] or [class match [IP::client_addr] equals newmonitorcompany-DG-Allow ] ) ) } {
              # log local0. "Invalid CUSTOMER client IP: [IP::client_addr] - Blocking traffic"
              HTTP::respond 200 content [ifile get COMPANY_ip_forbidden]
              after 50 drop
              event disable
          }
      }
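Going one step further than SanjayP's reply, the same two-list idea can be made to serve every customer site from a single iRule, so the shared monitoring/office list is checked first and the per-customer list is looked up by hostname instead of being hard-coded per virtual server. This is an added example, not code from the thread; it assumes a string data group named host-to-allowlist-DG that maps each lowercase hostname to the name of that customer's address data group (e.g. "1000-t01.domain.com" := "COMPANY-1000-CUSTOMER-DG-Allow"), an address data group named shared-monitoring-DG-Allow, and the COMPANY_ip_forbidden ifile from the thread.

```tcl
when HTTP_REQUEST priority 100 {
    # Normalise the Host header: lowercase it and strip any ":port" suffix,
    # otherwise "Site.Domain.Com:8443" would never match a data group key.
    set host [lindex [split [string tolower [HTTP::host]] ":"] 0]
    set client [IP::client_addr]

    # 1. Shared allow list (monitoring company, offices). One list to maintain
    #    when a monitoring source IP changes, instead of touching 100 lists.
    if { [class match $client equals shared-monitoring-DG-Allow] } {
        return
    }

    # 2. Per-customer allow list, found by hostname. host-to-allowlist-DG is an
    #    assumed string data group whose value is the customer's address DG name,
    #    e.g. "1000-t01.domain.com" := "COMPANY-1000-CUSTOMER-DG-Allow".
    #    class match -value returns "" when the host is not in the mapping.
    set customer_dg [class match -value $host equals host-to-allowlist-DG]
    if { $customer_dg ne "" && [class match $client equals $customer_dg] } {
        return
    }

    # 3. Fail closed: a hostname with no mapping, or a client IP in neither
    #    list, gets the forbidden page. 403 is used here rather than the
    #    thread's 200 so the block is visible in logs and monitoring.
    # log local0. "Blocked $client for host $host (customer DG: '$customer_dg')"
    HTTP::respond 403 content [ifile get COMPANY_ip_forbidden]
    event disable
}
```

If the mapping names an address data group that does not exist, the class command raises a TCL error and the connection is reset, so keep the mapping and the per-customer data groups in step when onboarding a new site.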