iRule to only allow specified IPs to connect to Virtual

Hello, I am looking to create an iRule that will only allow connections to a VIP from a list of allowed IPs. Does anyone have a solution that they have used in the past with success on this?

My thought was something like create a group like $trustedIP

Then when

When client accepted if eq $trustedIP
allow elseif not eq block


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi jdeeby,

you could use LTM's data-groups as storage for your white-listed IPs, and then use an iRule during the CLIENT_ACCEPTED event to compare the connecting [IP::client_addr] with your data-group information.

Data-Group Config:

ltm data-group internal DG_MY_ALLOWED_IPs {
    records {
        1.1.1.1/32 {}
        2.2.2.0/24 {}
    }
    type ip
}

iRule Syntax to drop the connection on a TCP layer:

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals DG_MY_ALLOWED_IPs] } then {
        # Allow trusted clients
    } else {
        # Drop untrusted clients
        drop
    }
}

Cheers, Kai

Comments on this Answer
Comment made 31-Jan-2018 by jdeeby 56

Thanks for the help. I am new to using the Data Group function on the BIG-IP system.

The only way to get something in there is to import a file.

I am not sure what the syntax of that file should look like.

I'm trying something like

ltm data-group internal trustedip { records { Adminbox { X.X.X.X } VDI { X.X.X.X/X } } type address }

To create a data group to allow IPs from a specified IP and a network of IPs. I simply put this info in a text file, then tried to import it and am getting "has an invalid format, line 1".
Comment made 31-Jan-2018 by Kai Wilke 6973

Hi jdeeby,

the outlined Data-Group Config snippet is a partial LTM config. You could either SSH into your box and apply this config via:

[itacs@dev-box:Active:Standalone] ~ # tmsh
itacs@(dev-box)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.

ltm data-group internal DG_MY_ALLOWED_IPs {
    records {
        1.1.1.1/32 { data Adminbox }
        2.2.2.0/24 { data VDI-Subnet }
    }
    type ip
}
Loading configuration...
itacs@(dev-box)(cfg-sync Standalone)(Active)(/Common)(tmos)# 

Note: I've added name labels for the individual IPs/Subnets.

... or you could create (and also maintain) the entire Data-Group via LTM's web page. You will find the data-group config here...

Local Traffic 
    -> iRules 
        ->  Data Group List 
            -> Create

... then use the following settings to manually create the provided config export sample:

Name: DG_MY_ALLOWED_IPs
Type: Address
Address Records: 
    Address: 1.1.1.1/32 
    Name: Adminbox
    Click Add

    Address: 2.2.2.0/24
    Name: VDI-Subnet
    Click Add
Click Finished

Cheers, Kai

Comment made 01-Feb-2018 by jdeeby 56

This is what I was looking for, which was a way to do it through the UI. Question: if I want to use a specific address such as the admin box, do I need to specify the / for the subnet?
Comment made 01-Feb-2018 by Kai Wilke 6973

Question if I want to use a specific address such as the admin box do I need to specify the / for the subnet?

Both formats will work. I prefer to use a unified way...

Cheers, Kai

Comment made 01-Feb-2018 by jdeeby 56

Actually another follow-up. Do you know of a way to have the iRule put out some content on the blocked connection that says something like "Please contact us to be added to the whitelist."?
Comment made 01-Feb-2018 by Kai Wilke 6973

Hi Jdeeby,

you may have to change your Virtual Server settings and include HTTP and SSL profiles to allow LTM to decrypt the SSL session (if SSL is used) and to parse the HTTP protocol (required).

Once the prerequisites are in place, use the iRule below to display a simple HTTP error message.

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals DG_MY_ALLOWED_IPs] } then {
        set is_trusted 1   
    } else {
        set is_trusted 0
    }
}
when HTTP_REQUEST {
    if { $is_trusted == 0 } then {
        # Send access denied HTTP response to the client
        HTTP::respond 403 content "Access Denied: Please contact helpdesk to become added to the whitelist" "Content-Type" "text/html" "Connection" "close"
    } else {
        # Allow the request
    }
}

Cheers, Kai

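As an added example (not Kai's code from this thread), the same allow-list check extended with logging so that denied sources show up in the LTM log for detection, and using the record labels Kai added to the data group to name the matching entry. It assumes the data group DG_MY_ALLOWED_IPs with labelled records from the comment above, and an HTTP profile on the virtual server.

```tcl
# Added example: allow-list check with permit/deny logging (not part of the thread).
# Assumes data group DG_MY_ALLOWED_IPs exists and every record carries a label.
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals DG_MY_ALLOWED_IPs] } then {
        set is_trusted 1
        # "-value" returns the matching record's label (e.g. "Adminbox");
        # it is empty for records that were created without a label.
        set trusted_label [class match -value [IP::client_addr] equals DG_MY_ALLOWED_IPs]
        log local0.info "ALLOWLIST PERMIT src=[IP::client_addr] label=$trusted_label vs=[virtual name]"
    } else {
        set is_trusted 0
        # One log line per denied connection; useful for spotting scans or
        # legitimate clients that still need to be added to the data group.
        log local0.warn "ALLOWLIST DENY src=[IP::client_addr]:[TCP::client_port] vs=[virtual name]"
    }
}

when HTTP_REQUEST {
    if { $is_trusted == 0 } then {
        # Untrusted client: answer with a 403 and close the connection.
        HTTP::respond 403 content "Access Denied: Please contact helpdesk to become added to the whitelist" "Content-Type" "text/plain" "Connection" "close"
        return
    }
    # Trusted client: request is passed to the pool unchanged.
}
```

Note that, unlike the TCP-layer drop in the accepted answer, a 403 response means untrusted clients still complete the TCP (and TLS) handshake before being rejected.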
Comment made 01-Feb-2018 by jdeeby 56

Wow works great thanks for all your help!
