Forum Discussion

Geethanjali_321
Oct 25, 2012

IP address filtering rule does not work

Hi All,

I wanted to create a rule to block all IP addresses except one IP address. So, I gave this rule:

when CLIENT_ACCEPTED {
    if { ! [IP::addr [IP::client_addr] equals x.x.x.x] } {

    }
}

When I try accessing the web page associated with this VS, I am not able to access it from anywhere (that is, am not able to access it even from x.x.x.x which is supposed to have access). Can someone help me with this?

Thanks and Regards,

Geethanjali

2 Replies

  • Can you put some log commands in to see what is going on?

    e.g.

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
    }
    [root@ve10:Active] config  b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when CLIENT_ACCEPTED {
          if { ! [IP::addr [IP::client_addr] equals 192.168.206.57] } {
             log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
             reject
          }
       }
       when SERVER_CONNECTED {
          log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
       }
    }
    
    [root@ve10:Active] config  cat /var/log/ltm
    Oct 25 11:14:38 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59191 -> 172.28.19.79:80
    Oct 25 11:14:52 local/tmm info tmm[7926]: Rule myrule : Allow 192.168.206.57:63448 -> 172.28.19.79:80 -> 200.200.200.101:80
    
  • e.g.

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when CLIENT_ACCEPTED {
          if { ! [class match -- [IP::client_addr] equals ip_class] } {
             log local0. "Reject [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
             reject
          }
       }
       when SERVER_CONNECTED {
          log local0. "Allow [IP::client_addr]:[TCP::client_port] -> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] -> [IP::remote_addr]:[TCP::remote_port]"
       }
    }
    [root@ve10:Active] config  b class ip_class list
    class ip_class {
       {
          host 172.28.19.251
          host 192.168.206.57
       }
    }
    
    [root@ve10:Active] config  tail -f /var/log/ltm
    Oct 25 22:57:44 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59229 -> 172.28.19.79:80
    Oct 25 22:57:53 local/tmm info tmm[7926]: Rule myrule : Allow 192.168.206.57:65000 -> 172.28.19.79:80 -> 200.200.200.101:80
    Oct 25 22:58:12 local/tmm info tmm[7926]: Rule myrule : Allow 172.28.19.251:37085 -> 172.28.19.79:80 -> 200.200.200.101:80
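The two replies above show the same allow-list check in two forms (a literal address with `IP::addr ... equals`, then a data group with `class match`) and log every Reject and Allow to /var/log/ltm. The following is an added example, not code from either reply and not F5's own code: it models that decision off-box in Python so the list and the logs can be checked without a BIG-IP. The allow-list entries are taken from the `ip_class` data group in the second reply, with one constructed CIDR entry (the assumption being that an address data group may also hold network entries); the log lines are constructed in the format shown in the replies; `is_allowed`, `parse_ltm_line` and `audit` are names chosen here.

```python
"""Off-box model of the iRule allow-list check and a parser for the
/var/log/ltm lines it writes.  Added example, standard library only."""
import ipaddress
import re
from collections import Counter

# Mirrors the `ip_class` data group in the second reply. Host entries match
# one address; the /16 entry is constructed to show a network entry
# (assumption: address data groups may carry networks as well as hosts).
ALLOWED = ("172.28.19.251", "192.168.206.57", "10.10.0.0/16")

# Constructed log lines in the format the replies show.
SAMPLE_LOG = """\
Oct 25 22:57:44 local/tmm info tmm[7926]: Rule myrule : Reject 172.28.20.11:59229 -> 172.28.19.79:80
Oct 25 22:57:53 local/tmm info tmm[7926]: Rule myrule : Allow 192.168.206.57:65000 -> 172.28.19.79:80 -> 200.200.200.101:80
Oct 25 22:58:12 local/tmm info tmm[7926]: Rule myrule : Allow 172.28.19.251:37085 -> 172.28.19.79:80 -> 200.200.200.101:80
"""

# IPv4 only, matching the addresses in the replies.
LINE_RE = re.compile(
    r"Rule (?P<rule>\S+) : (?P<action>Reject|Allow) "
    r"(?P<client>\d+(?:\.\d+){3}):(?P<cport>\d+) -> "
    r"(?P<vs>\d+(?:\.\d+){3}):(?P<vport>\d+)"
)


def is_allowed(client_addr, allowed=ALLOWED):
    """True when client_addr matches a host or network entry in `allowed`.

    Same shape as `[class match -- [IP::client_addr] equals ip_class]`:
    anything not listed, including an unparseable address, is rejected,
    so a typo in the list fails closed rather than open.
    """
    try:
        client = ipaddress.ip_address(client_addr)
    except ValueError:
        return False
    for entry in allowed:
        if client in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def parse_ltm_line(line):
    """Extract rule, action, client and virtual-server address/port from
    one ltm log line; None for lines the iRule did not write."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["cport"] = int(rec["cport"])
    rec["vport"] = int(rec["vport"])
    return rec


def audit(log_text, allowed=ALLOWED):
    """Cross-check every logged decision against the allow-list.

    Returns (counts, mismatches): a Counter keyed by (action, client) and
    the lines whose logged action disagrees with is_allowed(). A non-empty
    mismatch list means the rule running on the box and the list you
    expect it to enforce have drifted apart.
    """
    counts = Counter()
    mismatches = []
    for line in log_text.splitlines():
        rec = parse_ltm_line(line)
        if rec is None:
            continue
        counts[(rec["action"], rec["client"])] += 1
        expected = "Allow" if is_allowed(rec["client"], allowed) else "Reject"
        if expected != rec["action"]:
            mismatches.append(line)
    return counts, mismatches


if __name__ == "__main__":
    counts, bad = audit(SAMPLE_LOG)
    for (action, client), n in sorted(counts.items()):
        print(f"{action:6} {client:16} {n}")
    print("mismatches:", len(bad))
```

Running `audit` against the three constructed lines with the list as given reports no mismatches; shrinking the list to a single host makes the third line (an Allow for 172.28.19.251) show up as a mismatch, which is the check worth running whenever the data group is edited.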