Forum Discussion

Peru_130741
Jul 31, 2013

Blocking X-Forwarded-For IP Address

Can anyone let me know the best way to block an X-Forwarded-For IP address in F5? I have around 1000 VSs configured, and ASM is enabled on all the VSs. The original source IP has already been blocked in our gateway routers and our firewall, but it is still not blocked for the hackers. This is because our sites are hosted under Prolexic, and when any user accesses our website, the Prolexic proxy IP address is the source when it hits our firewall. The original source IP address is inserted in the X-Forwarded-For header, so they are not getting blocked in our router and firewall.

 

4 Replies

  • e.g.

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.20.111:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            myrule
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 2
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group internal blacklist_ip
    ltm data-group internal blacklist_ip {
        records {
            172.28.20.0/24 { }
        }
        type ip
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when HTTP_REQUEST {
            # A request may carry several X-Forwarded-For headers; check each one.
            foreach axff [HTTP::header values X-Forwarded-For] {
                log local0. "axff is $axff"
                # Each header value may itself be a comma-separated list of hops.
                foreach anip [split [string map {" " ""} $axff] ","] {
                    log local0. "anip is $anip"
                    # blacklist_ip is a type-ip data group, so subnet entries match as well.
                    if { [class match -- $anip equals blacklist_ip] } {
                        log local0. "$anip is rejected"
                        reject
                        return
                    }
                }
            }
        }
    }
    
     client
    
    [root@centos17 ~] curl -i http://172.28.20.111 -H "X-Forwarded-For: 1.1.1.1" -H "X-Forwarded-For: 172.28.20.17, 2.2.2.2.2"
    curl: (52) Empty reply from server
    [root@centos17 ~]
    
     /var/log/ltm
    
    [root@ve11a:Active:Changes Pending] config  tail -f /var/log/ltm
    Jul 31 17:09:32 ve11a info tmm1[11073]: Rule /Common/myrule : axff is 1.1.1.1
    Jul 31 17:09:32 ve11a info tmm1[11073]: Rule /Common/myrule : anip is 1.1.1.1
    Jul 31 17:09:32 ve11a info tmm1[11073]: Rule /Common/myrule : axff is 172.28.20.17, 2.2.2.2.2
    Jul 31 17:09:32 ve11a info tmm1[11073]: Rule /Common/myrule : anip is 172.28.20.17
    Jul 31 17:09:32 ve11a info tmm1[11073]: Rule /Common/myrule : 172.28.20.17 is rejected
    
    
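The screening logic of the iRule above, re-implemented in Python as an added example (it is not code from the thread or from F5) so the edge cases can be exercised offline: several X-Forwarded-For headers on one request, comma-separated hops, whitespace, and a malformed token such as the `2.2.2.2.2` in the curl test. The block list, header tuples and sample requests are constructed for the example; `BLOCKLIST` stands in for the `type ip` data group, and `proxy_appended_ip` is an assumed helper showing which hop is actually attributable to the upstream proxy.

```python
"""Added example: X-Forwarded-For screening as done by the posted iRule.

Everything here (block list, sample requests, helper names) is constructed
for illustration; it is not F5 code and does not run on a BIG-IP.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Headers = Iterable[Tuple[str, str]]

# Constructed block list, the equivalent of `ltm data-group internal
# blacklist_ip { type ip }`. Entries may be single hosts or CIDR networks.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("172.28.20.0/24", "203.0.113.7")]


def xff_tokens(headers: Headers) -> List[str]:
    """Return every address token carried in X-Forwarded-For, in order.

    Mirrors the iRule: it walks *all* XFF header instances (a request may
    carry several) and splits each value on commas after removing spaces.
    Tokens are not validated here; see parse_ip().
    """
    tokens: List[str] = []
    for name, value in headers:
        if name.lower() != "x-forwarded-for":
            continue
        for tok in value.replace(" ", "").split(","):
            if tok:
                tokens.append(tok)
    return tokens


def parse_ip(token: str) -> Optional[IPAddress]:
    """Parse one XFF token; None for garbage such as '2.2.2.2.2'."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def first_blocked(headers: Headers, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the first XFF hop found in the block list, else None.

    Same decision as the iRule's `class match -- $anip equals blacklist_ip`
    loop: reject as soon as any hop matches. Malformed tokens are skipped
    rather than passed to the matcher, so junk in the header cannot break the
    check part-way through.
    """
    for tok in xff_tokens(headers):
        ip = parse_ip(tok)
        if ip is None:
            continue
        if any(ip in net for net in blocklist):
            return tok
    return None


def proxy_appended_ip(headers: Headers) -> Optional[str]:
    """The hop appended by the last proxy: the rightmost valid XFF token.

    Only this value is attributable to the trusted upstream proxy (Prolexic
    in the thread); everything to its left was supplied by whoever sent the
    request and is attacker-controlled. For a deny list that is harmless (an
    attacker can only get their own request rejected), but for allow lists,
    rate limits or logging, use this value rather than the first token.
    """
    valid = [t for t in xff_tokens(headers) if parse_ip(t) is not None]
    return valid[-1] if valid else None


# Constructed sample requests; the second mirrors the curl test in the reply.
CLEAN = [("X-Forwarded-For", "198.51.100.9")]
SPOOF_THEN_REAL = [
    ("X-Forwarded-For", "1.1.1.1"),
    ("X-Forwarded-For", "172.28.20.17, 2.2.2.2.2"),
]

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("spoof+real", SPOOF_THEN_REAL)):
        print(label, "hops:", xff_tokens(req),
              "blocked:", first_blocked(req),
              "proxy-appended:", proxy_appended_ip(req))
```

Two things the iRule's test run already hints at: the attacker-supplied `1.1.1.1` header does not shield the real hop, because every token is checked; and a malformed token like `2.2.2.2.2` should be dropped before it reaches the matcher instead of being trusted to never be evaluated.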
  • Thanks a lot, Nitaas. Is an iRule the only way to get it blocked in our F5? Can't we do it in ASM?

     

  • "Is an iRule the only way to get it blocked in our F5? Can't we do it in ASM?" I am not very familiar with ASM, but I think an iRule is easier and more effective (in this case).