Forum Discussion

Dennis__Lauder_
Feb 14, 2007

iRule to drop in-bound ssh connections

I am looking for an iRule to drop in-bound ssh connections if they are not from an accepted network.

Here is my first attempt:

class allowed_client_IP {
    "x.x.x.x"
}

when CLIENT_ACCEPTED {
    log local0. "IP [IP::client_addr] Tried to connect"
    # Drop the connection unless the source address is in the allowed_client_IP data group.
    # (v9 syntax: the data group is referenced as $::allowed_client_IP, without surrounding brackets.)
    if { not [matchclass [IP::client_addr] equals $::allowed_client_IP] } {
        drop
    }
}

I get the following error:

01070151:3: Rule [ssh_allow] error:
line 1: [undefined procedure: class] [class allowed_client_IP {
"x.x.x.x"
}]

Thanks, Dennis

5 Replies

  • The class isn't part of the iRule; it needs to be added as a data group under the iRules tab:

    Local Traffic --> iRules --> Data Group List --> Create
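As an added example (not the poster's or F5's own code), here is the ssh_allow rule written the way this reply describes: the allow list lives in an address-type data group named allowed_client_IP created from the Data Group List, and the iRule only references it. The data group name, the log text and the v9 variable syntax are assumptions.

```tcl
# Added example: ssh_allow iRule with the allow list kept OUTSIDE the rule.
# Assumes an address-type data group "allowed_client_IP" already exists
# (Local Traffic -> iRules -> Data Group List) holding the permitted source
# hosts/networks. No "class" block appears in the iRule itself.
when CLIENT_ACCEPTED {
    # Source address of the connection that reached the port 22 virtual server
    set src [IP::client_addr]

    # v9 syntax: the data group is a global variable, referenced as $::name.
    # (On v10 and later this becomes [class match $src equals allowed_client_IP].)
    if { [matchclass $src equals $::allowed_client_IP] } {
        log local0. "ssh from $src allowed"
        return
    }

    # Not on the allow list: log it and drop the connection without a response.
    # Use "reject" instead of "drop" if a TCP reset is preferred.
    log local0. "ssh from $src denied"
    drop
}
```

The rule only takes effect on connections that actually hit the virtual server it is attached to, so a separate forwarding virtual server matching port 22 first would bypass it.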
  • I have added the class to the Data Group List. I can connect from x.x.x.x as well as y.y.y.y (I want to block y.y.y.y if it is not on the list).

    Thanks, Dennis
  • Maybe I have something else wrong. I have changed the rule to discard instead of drop, but the results were the same. Here is some more information about my F5:

    V 9.1.2
    Have set up NAT translation
    Have set up a virtual server (Port_22) of type forwarding IP
    Enabled the ssh_allow iRule as a resource

    Any ideas?

    Thanks, Dennis
  • Remove the forwarding virtual server for port 22 (if possible) and retest. The developers can speak to the workflow, but I would expect the forwarding virtual server to have precedence over a tcp virtual server.