Forum Discussion

Donald_William1
Feb 03, 2006

Selectively forward or drop source for IP Forwarding Virtual Server

Ok. I have a Forwarding (IP) network virtual server for a /24 network. I want to block all sources except for a select few. Here is what I have.

    class dg_source {
        host 10.10.10.10
        host 10.10.10.11
    }

    rule ir_filter-source {
        when CLIENT_ACCEPTED {
            if {[matchclass [IP::client_addr] equals $::dg_source]} {
                forward
            } else {
                drop
            }
        }
    }

    virtual vs-fwip_192.168.10.0-mask-24 {
        destination 192.168.10.0:any
        ip forward
        mask 255.255.255.0
        rule ir_filter-source
        vlans vl_100 enable
    }

Without the iRule, traffic forwards fine. When I apply the iRule I cannot connect. Please help.

2 Replies

  • Have you added any logging statements to find out what's going on in your iRule? That's the first thing you should do because without some sort of message flow tracing, there isn't much we can do here.

    One thing that I can see is that you shouldn't need to use the "forward" command. Try this rule out and see what's showing up in the logs.

    when CLIENT_ACCEPTED {
      log local0. "checking for address [IP::client_addr] in dg_source list"
      if {[matchclass [IP::client_addr] equals $::dg_source]} {
        log local0. "address [IP::client_addr] is being allowed through"
        forward
      } else {
        log local0. "address [IP::client_addr] not valid, dropping connection"
        drop
      }
    }

    Then try it without the "forward" command and see if that works.

    -Joe

  • Well, it appears to work now. I added the logging for local0 and it started working. I then removed it and it still works. Must have been a syntax error, an unneeded space.
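The same source allow-list as an added example (not code from the thread or from F5), written with the `class match` syntax of BIG-IP v10 and later so that the data group can hold networks as well as hosts. It assumes an address-type data group named dg_source; the tmsh definition in the comment and the 10.10.20.0/24 entry are constructed for illustration.

```tcl
# Added example, not from the original thread. Assumes an address-type
# data group named dg_source, e.g. (tmsh, constructed):
#   ltm data-group internal dg_source {
#       type ip
#       records {
#           10.10.10.10/32 { }
#           10.10.10.11/32 { }
#           10.10.20.0/24  { }
#       }
#   }
when CLIENT_ACCEPTED {
    # For address data groups, "class match ... equals" also matches when
    # the client address falls inside a network entry, so one /24 record
    # covers every host in it. No "forward" command is needed: the virtual
    # server's "ip forward" setting already takes care of forwarding.
    if { [class match [IP::client_addr] equals dg_source] } {
        log local0. "allow [IP::client_addr] -> [IP::local_addr]"
        return
    }
    # Everything else is discarded. Logging the drop keeps the decision
    # visible in /var/log/ltm while the allow-list is being tuned.
    log local0. "drop [IP::client_addr] -> [IP::local_addr]"
    drop
}
```

Only IP-level commands are used in CLIENT_ACCEPTED because a destination of `any` on a forwarding virtual server can carry UDP as well as TCP.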