Forum Discussion
But I would also need to specify networks.
Is this the best approach for what I need?
iRule for VIP any to restrict ports and IPs allowed.
There are two look-ups here: first the port, and then for that port number you must match the source IP address.
There are multiple ways of doing it, but the simplest in terms of design and maintenance is to create one STRING type class (data-group) as follows:
    Key              Value
    443:10.0.1.2     ""
    443:11.1.1.4     ""
    443:12.1.1.4     ""
    8080:12.0.1.2    ""
    8080:13.1.1.4    ""
    8080:14.1.1.4    ""
Internal class:
    class port_to_IP_whitelist {
        {
            "443:10.0.1.2" { "" }
            "443:11.0.1.3" { "" }
            "8080:10.0.1.2" { "" }
            "8080:11.0.1.3" { "" }
            "8081:14.0.1.2" { "" }
            "8081:15.0.1.3" { "" }
        }
    }
External class:
Create the file /config/port_to_IP_whitelist.dat with the following contents:
    "443:10.0.1.2" := "",
    "443:11.0.1.2" := "",
    "8080:12.0.1.2" := "",
    "8080:13.0.1.2" := "",
    "8081:14.0.1.2" := "",
    "8081:15.0.1.2" := "",
Configure the external class via the GUI; the following then shows in the config file:
    class port_to_IP_whitelist {
        type string
        filename port_to_IP_whitelist.dat
    }
Here is the iRule which matches that design:
    when CLIENT_ACCEPTED {
        # Build the composite key "<local port>:<client IP>", e.g. "443:10.0.1.2"
        set search_key "[TCP::local_port]:[IP::client_addr]"
        # class match returns 1 if the key exists in the data group and 0 otherwise.
        # (class lookup would return the stored value, which is "" for every entry
        # above, and "" is not a valid boolean for the if test.)
        if { not [class match $search_key equals port_to_IP_whitelist] } {
            log local0. "Search key $search_key not in whitelist. Rejecting connection."
            discard
            event disable all
            return
        }
    }
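Since the question also asks for networks, here is an added example (not part of the original reply) that keeps the two-step design but lets each port map to an address-type data group, so entries can be single hosts or CIDR subnets. The data group names port_to_whitelist, whitelist_443 and whitelist_8080 and their contents are assumptions constructed for this example.

```tcl
# Assumed data groups (constructed for this example, not from the original post):
#   port_to_whitelist (string):  "443" := "whitelist_443", "8080" := "whitelist_8080"
#   whitelist_443     (address): 10.0.1.0/24, 11.1.1.4
#   whitelist_8080    (address): 12.0.1.2, 13.1.0.0/16
when CLIENT_ACCEPTED {
    set port   [TCP::local_port]
    set client [IP::client_addr]

    # First lookup: which address data group applies to this port?
    # -value returns the stored value, or "" when the port is not listed.
    set dg [class match -value $port equals port_to_whitelist]
    if { $dg eq "" } {
        log local0. "Port $port has no whitelist configured. Rejecting $client."
        discard
        event disable all
        return
    }

    # Second lookup: address-type data groups match a host against both
    # single-host entries and CIDR entries, so networks are handled here.
    if { not [class match $client equals $dg] } {
        log local0. "Client $client not in $dg for port $port. Rejecting connection."
        discard
        event disable all
        return
    }
}
```

Ports with no entry in port_to_whitelist are rejected outright, so adding a new listening port is a deliberate data-group change rather than an open default.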