Restrict Source IPs iRule

Question

Hi all&nbsp;Forgive what may be such an easy iRule question but unfortunately my experience with them is rather limited and time is of the essence. We have an iRule which looks to be doing something with the client certificate as you can see:&nbsp;when CLIENTSSL_CLIENTCERT priority 500 {
	set cnAllowClass "[string range [virtual name] 0 end-2]cn_allow_class"
	set clientCertRequiredClass "[string range [virtual name] 0 end-2]client_cert_required_class"
	set clientCertHeaderName "ssl_client_cert"
	set clientIP [IP::client_addr]
	if {[SSL::cert count] eq 0} {
		reject
		return
	} else {
		set subjectDN [string tolower [X509::subject [SSL::cert 0]]]
		if {[class match $subjectDN contains $clientCertRequiredClass] ne 0} {
			set clientCertHeaderValue [b64encode [SSL::cert 0]]
			set flgInsertClientCertHeader 1
		}
	}
	set cnExists [class match $subjectDN contains $cnAllowClass]
	if {$cnExists ne 0} {
	} else {
		reject
	}
}&nbsp;...what we need to do is add something in before this code that will say, in plain English:&nbsp;"if the source IP address is a.b.c.d, then use SSL profile abcd. If not, then use SSL profile efgh."&nbsp;Any ideas on how we can achieve this?&nbsp;Thank you.

iaine · Answer

HiYou need some logic within the CLIENT_ACCEPTED Event for this.  Something like this for a single IP.....this will look for a connection from 10.10.10.10 and apply a different SSL profile.  All other connections will used the default config of the VIPwhen CLIENT_ACCEPTED {     
  if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
     SSL::profile new_clientssl
 }
}You can expand out for look for a subnetwhen CLIENT_ACCEPTED {     
  if { [IP::addr [IP::client_addr] equals 10.10.10.0/24] } {
     SSL::profile new_clientssl
 }
}or use a DataGroup if you want to....when CLIENT_ACCEPTED {     
    if { [class match [IP::client_addr] equals source_ip] } {  
		SSL::profile new_clientssl
	}
}

thornid · Answer

Thank you iaine&nbsp;That was something that did come across my mind but then I realised that I framed the question incorrectly, apologies.&nbsp;The logic should actually read:&nbsp;"if the source IP address is a.b.c.d, then use SSL profile abcd, then stop processing, i.e. do not process other logic in the iRule"&nbsp;Essentially, there are some clients that we need to come into this VS but not be subject to the iRule logic (client cert, checks etc.) So need a way to allow them to come in and use an SSL profile that does not have Client Authentication enabled, then stop. All other clients just continue as normal using the default SSL profile (with client auth applied).&nbsp;Thanks

iaine · Answer

Hi&nbsp;To stop processing the iRule further, you can either use Event disable command or you can use a variable to stop specific events or part of code from running depending on requirements.  Such as...&nbsp;when CLIENT_ACCEPTED {     
  if { [IP::addr [IP::client_addr] equals 10.10.10.0/24] } {
     SSL::profile new_clientssl
	set sourceip 1 
 }
}
&nbsp;
when CLIENTSSL_CLIENTCERT {
	if {[info exists sourceip]}{
		return}
		
	}this uses return to stop this particular event

thornid · Answer

Brill, thanks iaine&nbsp;Out of curiosity, setting the variable 'sourceip 1' - what does '1' in this instance mean or refer to?

iaine · Answer

hi - it's just an arbitrary value so that the attribute contains something  when info exists  queries it.

Forum Discussion

Restrict Source IPs iRule

9 Replies

Recent Discussions

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Related Content

Office 365 Tenant Restrictions

F5 iRule Geolocation restriction

Irule for restricting access

SSL Orchestrator Advanced Use Cases: Enabling GCloud Organization Restrictions

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header