

Virtual Server - Block IP

Hello,

We need to block several subnets for a particular virtual server. Is the best way to use an iRule? And could you please send me an example of an iRule we can use?

Thank you for the help!


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

In my opinion, the best way is to create an IP data group, then write an iRule like this:

# Data group (address type) that defines the denied client IP addresses/networks
class denied_clients {
   network 10.0.0.0/8
   network 192.168.10.0/24
}

when CLIENT_ACCEPTED {
   # class match returns true when the client address is one of the listed
   # hosts or falls inside one of the listed networks
   if { [class match [IP::client_addr] equals denied_clients] } {
      log local0. "client IP: [IP::client_addr] - discarded"
      # silently drop the connection (use reject instead to send a TCP reset)
      discard
   }
}

Using a data group makes this easy to manage: whenever you want to add or delete an IP subnet, you can do it without touching the iRule.

Comments on this Answer
Comment made 14-Sep-2017 by sysadmin_2015 256

Hello,

Thank you for your response. Is there a way to achieve this without using a data group?

Thank you,

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can use the switch command, like this:

when CLIENT_ACCEPTED {
  # switch compares the client address as a literal string, so a pattern such as
  # "10.0.0.0/8" only matches that exact text, not addresses inside the subnet
  # (see the later answer about netmask comparison)
  switch [IP::client_addr] {
        "10.0.0.0/8" -
        "192.168.10.0/24" {
            log local0. "client IP: [IP::client_addr] - discarded"
            discard
        }
  }
}
Comments on this Answer
Comment made 16-Sep-2017 by Faruk AYDIN 948

Hope it helps

Please mark it as answer if it works

Regards

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

Without a data group, you can create a list of denied networks:

when RULE_INIT {
    # list of denied networks in CIDR notation, evaluated once when the iRule loads
    set static::denied_clients {10.0.0.0/8 192.168.0.0/16}
}

when CLIENT_ACCEPTED {
    foreach subnet $static::denied_clients {
        # IP::addr performs a network/mask comparison, unlike a string compare
        if {[IP::addr [IP::remote_addr] equals $subnet]} {
            log local0. "client IP: [IP::client_addr] - discarded"
            discard
        }
    }
}

Note: the switch command does not support network/netmask comparison.

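A combined version, added here as an example and not code from any of the answers in this thread: it keeps the data-group-free list approach from the answer above but lets one list hold both whole subnets and individual hosts (which also covers blocking several specific IPs), and stops evaluating once a match is found. The addresses in the list are constructed sample values.

```tcl
# Added example (not from the thread). IP::addr compares an address against a
# network/prefix, so hosts and subnets can share one list without a data group.
when RULE_INIT {
    # Constructed sample list: whole subnets and individual hosts in CIDR form.
    # A bare address with no prefix is treated as a single host.
    set static::denied_clients {
        10.0.0.0/8
        192.168.10.0/24
        203.0.113.45/32
        198.51.100.7
    }
}

when CLIENT_ACCEPTED {
    set client [IP::client_addr]
    foreach entry $static::denied_clients {
        # true when $client equals the host or falls inside the network in $entry
        if { [IP::addr $client equals $entry] } {
            log local0. "client IP: $client matched $entry - discarded"
            # discard drops the connection silently; reject would send a TCP RST
            discard
            # stop processing the remaining list entries for this connection
            return
        }
    }
}
```

Because RULE_INIT only runs when the iRule is loaded, edit and re-save the iRule after changing the list.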
Comments on this Answer
Comment made 1 month ago by Joe Lupo 54

Stanislas,

So how would an iRule look if I wanted to block several specific IPs?

UPDATE: I created a data group with an IP address in it and then created the iRule as such:

when CLIENT_ACCEPTED { if { [class match [IP::client_addr] equals DATA_GROUP_NAME] } { reject } }

Should this work when applied to a specific VS?
