NimbostratusI need an irule to only allow access to the f5 vip to certain source ip addresses. I think an irule is the only way to do his but please correct me if I am wrong.
Thx!
EmployeeThe format varies between older and newer BIG-IP versions, but this is what an internal address datagroup looks like in 11.4+
ltm data-group internal /Common/my_ips {
records {
10.70.0.0/24 { }
10.80.0.0/24 { }
}
type ip
}
If you created this as a text file you can merge it like so:
tmsh load sys config merge file my_ips.txt
NimbostratusHello, can someone please paste a sample content of address datagroup file? in my case, I don't to "create" datagroup file, I can only import, which is fine, so I create txt file and have the following in it: ( those are just sample IPs): 172.14.20.10/24, 172.14.21.10/24,
however it does not like it..thank you
EmployeeIn the BIG-IP management GUI, go to Network - Packet Filters. Select the "Enabled" option and then configure appropriately. See this guide for an extensive description of the packet filter feature:
Introduction to packet filtering
NimbostratusHow would I do it with an ip filter rule?
EmployeeThe most secure method is probably an IP filter rule. The unauthorized IPs wouldn't even complete a TCP handshake. You can alternately do this with an iRule and optionally a data group. Create an address-based data group (ex. my_ip_dg) and add the allowed IPs/subnets.
iRule:
when CLIENT_ACCEPTED {
if { not ( [class match [IP::client_addr] equals my_ip_dg] ) } {
reject
}
}
Keep in mind though that the iRule implementation will allow a full 3-way TCP handshake before rejecting the client.
CirrusWorks for me, thanks a lot! Got a little improvement - VS Code said that. Put double dash after class match, like this
when CLIENT_ACCEPTED priority 60 {
if { not ( [class match -- [IP::client_addr] equals [DataGroupName]] ) } {
reject
}
}