iRule that blocks a host for all IP addresses except a specific IP

Hello,

I need an iRule that blocks access to some URLs for all IP addresses except a specific IP. I wrote the iRule and succeeded in blocking the URL, but the problem is that the iRule blocks access from all IP addresses, and I need access from 10.10.10.10.

when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] starts_with "test1.technion.ac.il" || [HTTP::host] starts_with "test2.technion.ac.il" || [HTTP::host] starts_with "test3.technion.ac.il" || [HTTP::host] starts_with "test4.technion.ac.il" and [IP::addr[IP::remote_addr] not equals 10.10.10.10/255.255.255.255] } then {
        HTTP::respond 404 "Not Found" "Connection" "close"
        log local0. "This Connection blocked By iRule My-iRule"
    }
}

Any Suggestions ?

Regards Rafi


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Guy,

You missed parentheses in the if statement. The correct version of your iRule is:

when HTTP_REQUEST {
    if { ([string tolower [HTTP::host]] starts_with "test1.technion.ac.il" || [HTTP::host] starts_with "test2.technion.ac.il" || [HTTP::host] starts_with "test3.technion.ac.il" || [HTTP::host] starts_with "test4.technion.ac.il") and [IP::addr[IP::remote_addr] not equals 10.10.10.10/255.255.255.255] } {
        HTTP::respond 404 content "Not Found" "Connection" "close"
        log local0. "This Connection blocked By iRule My-iRule"
    }
}
0
Comments on this Answer
Comment made 3 months ago by Rafish 143

Hello,

Thank you for your reply,

I changed to:

when HTTP_REQUEST {
    if { ([string tolower [HTTP::host]] starts_with "test.technion.ac.il" || [HTTP::host] starts_with "test1.technion.ac.il" || [HTTP::host] starts_with "test2.technion.ac.il" || [HTTP::host] starts_with "test3.technion.ac.il") and not [IP::addr[IP::client_addr] not equals "10.10.10.10/255.255.255.255"] } then {
        HTTP::respond 404 "Not Found" "Connection" "close"
        log local0. "This Connection blocked By iRule My-iRule"
    }
}

As you suggested, but 10.10.10.10 is still blocked.

See logs:

    Apr 24 10:35:24 f5-sec err tmm[18979]: 01220001:3: TCL error: /Common/My-iRule - invalid command name "IP::addr10.10.10.10" while executing "IP::addr[IP::client_addr] not equals "132.68.2.150/255.255.255.255""

Regards

0
Comment made 3 months ago by Faruk AYDIN 774

Delete the second "not":

when HTTP_REQUEST {
    if { ([string tolower [HTTP::host]] starts_with "test.technion.ac.il" || [HTTP::host] starts_with "test1.technion.ac.il" || [HTTP::host] starts_with "test2.technion.ac.il" || [HTTP::host] starts_with "test3.technion.ac.il") and not [IP::addr[IP::client_addr] equals "10.10.10.10/255.255.255.255"] } {
        HTTP::respond 404 content "Not Found" "Connection" "close"
        log local0. "This Connection blocked By iRule My-iRule"
    }
}

0
Comment made 3 months ago by Rafish 143

Hello,

I wrote the second "not" by mistake. I don't have the second "not" in production.

Do you know what the TCL error is?

Regards

0
Comment made 3 months ago by Faruk AYDIN 774

There must be a blank between IP::addr and [IP::client_addr], and remove the netmask, like this:

not [IP::addr [IP::client_addr] equals 10.10.10.10]
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You could simplify the logic by placing the different host headers into a data group:

## **DATAGROUP** ##
ltm data-group internal host_dg {
    records {
        test1.technion.ac.il {}
        test2.technion.ac.il {}
        test3.technion.ac.il {}
        test4.technion.ac.il {}
    }
    type string
}

## **iRULE** ##
when HTTP_REQUEST {
    # note the space after IP::addr; block every client that is not the exempt address
    if { ([class match [HTTP::host] starts_with host_dg]) && (not [IP::addr [IP::remote_addr] equals 10.10.10.10/255.255.255.255]) } {
        HTTP::respond 404 content "Not Found" "Connection" "close"
        log local0. "This Connection blocked By iRule My-iRule"
    }
}
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello Rafish,

Please try the iRule below:

when HTTP_REQUEST {
    set low_host [string tolower [HTTP::host]]
    if { (( $low_host starts_with "test1.technion.ac.il" ) || ( $low_host starts_with "test2.technion.ac.il" ) || ( $low_host starts_with "test3.technion.ac.il" ) || ( $low_host starts_with "test4.technion.ac.il" )) && ( [IP::addr [IP::client_addr] equals 10.10.10.10] ) } {
        HTTP::respond 404 content "Blocked by irule"
        log local0. "$low_host traffic has come from blocked subnet"
    }
}

I also got the same error, and then I put a space between IP::addr and [IP::client_addr]. After that the iRule worked fine. You can also try putting a space between IP::addr and [IP::client_addr].

0
Comments on this Answer
Comment made 3 months ago by Rafish 143

Hello,

Thank you very much

The space solved the problem :)

Now how can I add more IPs to IP::addr [IP::client_addr]?

Regards

0
Comment made 3 months ago by Nandhini Natarajan 140

Hello,

You can use [IP::addr [IP::remote_addr] equals <ip address with mask>] in this format.

Eg:

[IP::addr [IP::remote_addr] equals 10.10.10.0/24]

0
Comment made 3 months ago by Rafish 143

Hello,

What if I need to allow just another host, a /32?

Regards

0
Comment made 3 months ago by Nandhini Natarajan 140

Hello,

You can create a data group for the exception IPs and then use that data group in the iRule like below:

ltm data-group internal test_allow_IP {
    records {
        10.10.10.10/32 { }
        10.10.10.11/32 { }
    }
    type ip
}

when HTTP_REQUEST {
    set low_host [string tolower [HTTP::host]]
    if { (( $low_host starts_with "test1.technion.ac.il" ) || ( $low_host starts_with "test2.technion.ac.il" ) || ( $low_host starts_with "test3.technion.ac.il" ) || ( $low_host starts_with "test4.technion.ac.il" )) && ( [class match [IP::client_addr] equals test_allow_IP] ) } {
        HTTP::respond 404 content "Blocked by irule"
        log local0. "$low_host traffic has come from blocked subnet"
    }
}
0
Comment made 3 months ago by Rafish 143

Hi,

Please see the error I get:

    01070151:3: Rule [/Common/Hacked_web3_Https_site_with_support_access] error: /Common/My _irule_name_access:1: error: [undefined procedure: ltm][ltm data-group internal test_allow_IP { records { 10.10.10.10/32 { } 10.10.10.11/32 { } } type ip }]

I don't have an LTM license.

Regards

0
Comment made 3 months ago by jaikumar_f5 1408

Rafish,

You are required to create the data group first, separately, and then put in the iRule part separately. You have put both the data group and the iRule code inside the iRule creation part itself, hence the error.

Please follow this,

Local Traffic ›› iRules : iRule List ›› RafishIrule

Paste the code below alone:

when HTTP_REQUEST {
    set low_host [string tolower [HTTP::host]]
    if { (( $low_host starts_with "test1.technion.ac.il" ) || ( $low_host starts_with "test2.technion.ac.il" ) || ( $low_host starts_with "test3.technion.ac.il" ) || ( $low_host starts_with "test4.technion.ac.il" )) && ( [class match [IP::client_addr] not equals test_allow_IP] ) } {
        HTTP::respond 404 content "Blocked by irule"
        log local0. "$low_host traffic has come from blocked subnet"
    }
}

Then go to Local Traffic ›› iRules : Data Group List ›› New Data Group...

Name: test_allow_IP, Type: Address

Address: 10.10.10.10/32 Value:

Click on Add.

Click on finished. Please let us know if you face any issues.

0
Comment made 3 months ago by Rafish 143

Hi

Thank you for your reply,

I tried once with "class match" but it didn't work well.

I tried once again as you suggested, but 10.10.10.10 was blocked too.

Any suggestions?

Regards

0
Comment made 3 months ago by jaikumar_f5 1408

The not logic is incorrect. It should be:

( not [class match [IP::client_addr] equals test_allow_IP] )

Please use the below; you can achieve this in many ways, allowing in the if or in the else, there are so many possibilities.

when HTTP_REQUEST {
    set low_host [string tolower [HTTP::host]]
    if { (( $low_host starts_with "test1.technion.ac.il" ) || ( $low_host starts_with "test2.technion.ac.il" ) || ( $low_host starts_with "test3.technion.ac.il" ) || ( $low_host starts_with "test4.technion.ac.il" )) && ( not [class match [IP::client_addr] equals test_allow_IP] ) } {
        HTTP::respond 404 content "Blocked by irule"
        log local0. "$low_host traffic has come from blocked subnet"
    }
}

Or a simple one like this too, without the need for a data group, as you need to allow just one IP:

when HTTP_REQUEST {
    set low_host [string tolower [HTTP::host]]
    if { (( $low_host equals "test1.technion.ac.il" ) || ( $low_host equals "test2.technion.ac.il" ) || ( $low_host equals "test3.technion.ac.il" ) || ( $low_host equals "test4.technion.ac.il" )) && ( not [IP::addr [IP::client_addr] equals 10.10.10.10] ) } {
        HTTP::respond 404 content "Blocked by irule"
        log local0. "$low_host traffic has come from blocked subnet"
    }
}
0
Comment made 3 months ago by Rafish 143

Hi,

Thank you very much, it works now :)

Regards

1
Comment made 3 months ago by jaikumar_f5 1408

Glad I could help.

0
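A small Python model of the decision logic in this thread, added here as an example and not F5 code or any poster's iRule: it encodes the question's unparenthesised condition (the precedence problem the first accepted answer fixes) next to the corrected "host matches and client not in allow list" form of jaikumar_f5's final rule, with a CIDR-aware allow list standing in for the address data group. Host names and the two /32 entries come from the thread; the 192.0.2.x client addresses are constructed.

```python
import ipaddress

# Hosts the thread blocks and the /32 allow-list entries from the address data group.
BLOCKED_HOSTS = ("test1.technion.ac.il", "test2.technion.ac.il",
                 "test3.technion.ac.il", "test4.technion.ac.il")
ALLOW_LIST = [ipaddress.ip_network(n) for n in ("10.10.10.10/32", "10.10.10.11/32")]


def host_matches(host):
    """Equivalent of the four starts_with tests on [string tolower [HTTP::host]]."""
    h = host.lower()
    return any(h.startswith(b) for b in BLOCKED_HOSTS)


def client_allowed(client_ip):
    """Equivalent of 'class match [IP::client_addr] equals test_allow_IP' (CIDR aware)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ALLOW_LIST)


def blocked_as_written(host, client_ip):
    """The question's condition without parentheses: 'and' binds tighter than '||',
    so only the test4 check is combined with the client test; test1..3 block everyone."""
    h = host.lower()
    return (h.startswith(BLOCKED_HOSTS[0]) or h.startswith(BLOCKED_HOSTS[1])
            or h.startswith(BLOCKED_HOSTS[2])
            or (h.startswith(BLOCKED_HOSTS[3]) and not client_allowed(client_ip)))


def blocked_corrected(host, client_ip):
    """The accepted form: (host matches) && not (client in allow list)."""
    return host_matches(host) and not client_allowed(client_ip)


def decide(host, client_ip):
    """What the corrected rule does: (404, log line) when blocked, (None, None) to pass."""
    if blocked_corrected(host, client_ip):
        return (404, f"{host.lower()} traffic has come from blocked subnet")
    return (None, None)


if __name__ == "__main__":
    # Constructed sample requests; 192.0.2.0/24 is documentation address space.
    for host, ip in (("test1.technion.ac.il", "10.10.10.10"),
                     ("test4.technion.ac.il", "10.10.10.10"),
                     ("TEST2.technion.ac.il", "192.0.2.7")):
        print(host, ip, "as written:", blocked_as_written(host, ip),
              "corrected:", blocked_corrected(host, ip))
```

Running it shows the exempt client 10.10.10.10 still blocked on test1 by the original condition but passed by the corrected one, which is exactly the symptom reported in the question.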