Forum Discussion

Glenn_32883
Jun 10, 2010

iRule to restrict access by IP

Hi everyone,

My iRule experience is basically setting up some redirects. Now I am trying to set up a whitelist of IPs to restrict who can access a certain sub folder of our site. The rest of the site is available to the public.

I tried some of the examples I could find here and came up with this.

    when HTTP_REQUEST {
        if { ([HTTP::uri] starts_with "/epp") and ([matchclass [IP::remote_addr] equals $$epp-test]) } {
            HTTP::redirect https://[HTTP::host][HTTP::uri]
        } else {
            drop
        }
    }

I have a Data Group List called epp-test.

When I put this in place it seems to drop everything, whether I come from an IP on the list or not, and even if I am trying to access parts of my site not in "/epp".

Any suggestions would be greatly appreciated!

Glenn

5 Replies

  • Hi Glenn,

    If you check /var/log/ltm, you should see a TCL runtime error on every request because the datagroup epp can't be found. You could either replace the - with an _ in the datagroup name, or change your iRule to reference the datagroup as ${epp-test}. You can search the forums for "hyphen" and "datagroup" for more info.

    Aaron
  • Actually I believe that it is your original iRule.

    All traffic is passed through an iRule that is applied to a Virtual Server.

        when HTTP_REQUEST {
            if { ([HTTP::uri] starts_with "/epp") and ([matchclass [IP::remote_addr] equals $$epp-test]) } {
                HTTP::redirect https://[HTTP::host][HTTP::uri]
            } else {
                drop
            }
        }

    You are telling it to look for an [HTTP::uri] of "/epp" and compare it to see if the IP Address of the client matches a list of IP Addresses contained in your Datagroup.

    If it IS, then redirect it.

    If it does not match the IF Statement, drop it. This includes everything else.

    The drop includes all other traffic (that doesn't get redirected by the first part of the iRule).

    Try this. I believe it is what you are looking for.

        when HTTP_REQUEST {
            # The hyphenated datagroup name must be braced, otherwise Tcl reads
            # "$::epp-test" as the variable "::epp" followed by the literal "-test".
            if { ([HTTP::uri] starts_with "/epp") and !([matchclass [IP::remote_addr] equals ${::epp-test}]) } {
                drop
            }
            elseif { ([HTTP::uri] starts_with "/epp") and ([matchclass [IP::remote_addr] equals ${::epp-test}]) } {
                HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
            }
        }

    The first IF Statement looks for the "/epp" and sees if the Client IP Address matches the Datagroup List. If it does NOT (note the exclamation point in !([matchclass ...]) then it drops it. If it DOES, then it goes to the next portion of the iRule.

    The ELSEIF does the compare again and if you are in the Datagroup, it redirects you to go HTTPS.

    You could also replace the Drop (kind of harsh) with something like:

        HTTP::respond 403

    or

        HTTP::redirect "/"

    Hope this helps.
  • Thanks for the input everyone! Just posting back what worked for me for future reference.

    Wound up flipping the logic: if not on the list, close, instead of redirecting if on the list. I changed to an underscore as well.

        when HTTP_REQUEST {
            if { ([HTTP::uri] starts_with "/epp") and ! ([matchclass [IP::remote_addr] equals $::epp_test]) } {
                HTTP::close
            }
        }

    Many thanks!

    Glenn
  • Where and how are you defining $::epp_test? I understand it is a data group. It is under Local Traffic / iRules / Data Group List in the WebUI. In the CLI, it is called a class.

    e.g.

    [root@ve1023:Active] config  b class epp_test list
    class epp_test {
       {
          host 1.1.1.1
          network 20.20.20.0/24
       }
    }
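As an added example (not code posted in this thread), here is one iRule that pulls the replies together: it reads the underscore-named epp_test data group shown above, leaves the rest of the site untouched, answers non-whitelisted clients with an explicit 403 instead of a silent drop, and logs each denial to /var/log/ltm so the whitelist can be verified. It assumes BIG-IP v10 or later (for `class match`) and that the iRule is attached to the plain-HTTP virtual server; on v9 the `matchclass ... $::epp_test` form from Glenn's post applies instead.

```tcl
# Added example, not from the thread. Restricts /epp to the addresses in the
# epp_test data group (the "class" listed above) and forces HTTPS for them.
# Assumes BIG-IP v10+ ("class match" syntax) and an HTTP (port 80) virtual server.
when HTTP_REQUEST {
    # Only the protected sub folder is subject to the whitelist; every other
    # URI falls through to the normal pool untouched.
    if { [HTTP::uri] starts_with "/epp" } {
        if { [class match [IP::client_addr] equals epp_test] } {
            # Whitelisted client: send it to HTTPS if it arrived over plain HTTP.
            # The port check prevents a redirect loop if this rule is ever
            # attached to the HTTPS virtual server as well.
            if { [TCP::local_port] == 80 } {
                HTTP::redirect "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
            }
        } else {
            # Not on the list: record who was refused (visible in /var/log/ltm,
            # the same log Aaron pointed at for runtime errors) and return an
            # explicit 403 rather than dropping the connection silently.
            log local0. "Denied /epp access: client [IP::client_addr] requested [HTTP::uri]"
            HTTP::respond 403 content "Forbidden" noserver
        }
    }
}
```

Because the data group is referenced by name rather than as a Tcl variable, the hyphen problem from the original rule cannot recur even if the group is later renamed.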