Forum Discussion

venom43212_9610
Aug 04, 2011

iRule to Filter on X-Netli-Forward-For value

I am trying to create an iRule that will look at the X-Netli-Forward-For value, and if it matches an IP address, it is forwarded on, if it does not, it is dropped. Basically, I only want to allow a global PAT to be forwarded on from the VIP, and everything else to drop. Any help would be appreciated. Thanks.

3 Replies

  • If you create an address type datagroup you can use an iRule like this. Keep in mind that users can insert any arbitrary header. So if someone knew you were using this kind of logic they could bypass it.

    
    when HTTP_REQUEST {
    
        # Check if the XFF-style header is set and not null
        if { [HTTP::header X-Netli-Forward-For] ne "" } {
    
            # Look up the header value in the allowed_ips_class address datagroup
            if { not [class match [HTTP::header X-Netli-Forward-For] equals allowed_ips_class] } {
    
                # Reset the connection
                reject
            }
        }
    }
    

    Aaron
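    A hardened variant of the same check, added here as an example and not taken from Aaron's reply, that deals with the header-spoofing caveat he raises: the X-Netli-Forward-For value is under the sender's control, but the TCP source address of the connection is not, so the header is only consulted after the connection has been confirmed to come from the PAT/proxy address. The datagroup names trusted_proxies_class and allowed_ips_class are assumed (they are not in the original post), and the header is assumed to carry a possibly comma-separated chain of dotted-quad IPv4 addresses.

```tcl
when HTTP_REQUEST {
    # Assumed address datagroups (names are not from the original post):
    #   trusted_proxies_class - the PAT/proxy source addresses allowed to reach this VIP
    #   allowed_ips_class     - the client addresses permitted in X-Netli-Forward-For

    # Step 1: gate on the TCP source address first. A header can be inserted by
    # anyone, the source address of the connection cannot, so anything that does
    # not arrive from the trusted proxy is dropped before the header is even read.
    if { not [class match [IP::client_addr] equals trusted_proxies_class] } {
        log local0. "Rejected [IP::client_addr]: not a trusted proxy source"
        reject
        return
    }

    # Step 2: the proxy is expected to always add the header, so a missing
    # header from a trusted source is treated as an error rather than allowed.
    if { not [HTTP::header exists X-Netli-Forward-For] } {
        log local0. "Rejected [IP::client_addr]: missing X-Netli-Forward-For"
        reject
        return
    }

    # The header may carry a comma-separated chain; the first entry is the
    # originating client as seen by the proxy.
    set fwd [string trim [lindex [split [HTTP::header value X-Netli-Forward-For] ","] 0]]

    # Guard against non-IP content before handing the value to an address
    # datagroup lookup, which expects a valid address.
    if { not [regexp {^\d{1,3}(\.\d{1,3}){3}$} $fwd] } {
        log local0. "Rejected [IP::client_addr]: malformed X-Netli-Forward-For '$fwd'"
        reject
        return
    }

    # Step 3: only now does the forwarded client address decide the outcome.
    if { not [class match $fwd equals allowed_ips_class] } {
        log local0. "Rejected forwarded client $fwd via proxy [IP::client_addr]"
        reject
        return
    }
}
```

    The ordering matters: checking IP::client_addr first means a spoofed header from an untrusted source never reaches the datagroup lookup, and the log lines give a reason for each reject so a dropped request can be traced to the failing step.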
  • This post was intentionally left blank as formatting is impossible. What are you guys using to put HTML tags in an iRule, think HTTP::respond, in a post on these forums?


  • Thanks for the replies. There are actually two globals, so the data group suggestion by Aaron worked out great. Also, good call out on the header insertion. Thanks again.