Forum Discussion

W__Tout_99150
Oct 17, 2006

Restricting traffic to a range of source IPs

We need to restrict incoming traffic to a range of source IPs. Traffic not from the allowed range is to be rejected. The problem is not in the rejection but rather in what happens to connections that are to be rejected. Would they simply time out or would they hang? Is there a way to return a particular error message to the originator? The ideal solution would be to return an error message and then close the connection, but how can we do that? How can the below iRule template be modified to get the desired behaviour?

when HTTP_REQUEST {
    # LB local log, keep this one
    log local0.notice "*** Source ip is [IP::client_addr]"
    if { [IP::client_addr] eq "IP1" || [IP::client_addr] eq "IP2" || [IP::client_addr] eq "IP3" || [IP::client_addr] eq "IP4" } {
        log local0.notice "*** Transfer to Pool mt1_pool"
        pool mt1_pool
    } else {
        log local0.notice "Not coming from an allowed source IP"
        # Drops the request silently; nothing is sent back to the client
        discard
    }
}

Thanks

1 Reply

  • You can use the HTTP::respond to return custom content to the client for HTTP connections.

    when HTTP_REQUEST {
      if { ... } {
        pool mt1_pool
      } else {
        # Answer from the BIG-IP itself instead of forwarding to a pool
        HTTP::respond 200 content "<html><head><title>Not Allowed</title></head><body>You are not allowed to access this site!</body></html>"
      }
    }

    Feel free to change the HTML content (or the HTTP response code) in the response to whatever you wish.

    Tip of the day: The HTTP::respond method is a great way to debug your iRules as well. Add a secret uri to your rule and if that is found, return back any content you want. I'm personally working on some Statistics profile work and this is a great way to build a reporting page.

    -Joe
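A fuller version of the allow-list rule, added here as an example; it is not code from the thread or from F5. It assumes a BIG-IP virtual server with an HTTP profile attached, a pool named mt1_pool (the name used in the question), and the constructed CIDR blocks shown below; the 403 body text is likewise made up. It goes beyond the thread in two ways: it matches whole subnets with IP::addr instead of listing hosts one by one, and it closes the connection after the error response, which is the behaviour the question asked for.

```tcl
# Added example, not from the original post. Assumes an HTTP virtual server,
# a pool named mt1_pool, and the constructed sample CIDR blocks below.
when CLIENT_ACCEPTED {
    # Decide once per TCP connection; the source address cannot change
    # mid-connection, so later requests on a keep-alive socket reuse the result.
    # "IP::addr ... equals" understands CIDR masks, so ranges need no host list.
    set allowed 0
    foreach cidr [list "10.1.0.0/16" "192.168.50.0/24" "203.0.113.7/32"] {
        if { [IP::addr [IP::client_addr] equals $cidr] } {
            set allowed 1
            break
        }
    }
}

when HTTP_REQUEST {
    if { $allowed } {
        pool mt1_pool
        return
    }
    log local0.notice "Blocked HTTP request from [IP::client_addr] for [HTTP::host][HTTP::uri]"
    # Reply from the BIG-IP itself: the client sees a readable 403 rather than
    # a hang, and "Connection: close" makes BIG-IP tear the connection down
    # after the response, so a keep-alive client cannot keep probing on it.
    HTTP::respond 403 content "<html><head><title>Forbidden</title></head><body>Access denied.</body></html>" \
        "Content-Type" "text/html" \
        "Connection" "close"
}
```

Two caveats. If the virtual server carries something other than HTTP there is no response to send: use `reject` in CLIENT_ACCEPTED, which sends a TCP reset so the client fails immediately, rather than `discard`, which drops the connection silently and leaves the client waiting for its own timeout. And `IP::client_addr` is the address of whatever opened the TCP connection to the BIG-IP; if an upstream proxy or load balancer sits in front, every connection appears to come from it, and the allow-list has to be enforced there instead.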