Only allow users from specific Ip address to gain access

Question

I am trying to use a corporate backup tool and they are telling me that I need to open a range of ports on my server from 600-13800 or something like that. I have created a Virtual Server that allows all ports and I created a Pool with one member, which is my server, and it is also allowing all ports. Obviously I do not want to leave everything wide open like this so I was going to write an Irule that would only allow a specific IP to reach the server through this Virtual server. I read a similar post but the person did not seem to get it working. If anyone could help It would be great.&nbsp;
&nbsp;Thanks
&nbsp;Mike

jrahm · Answer

Try this:
when CLIENT_ACCEPTED {
  if { ! ([IP::client_addr] == "10.10.10.10") } {
    discard
  } elseif { ([TCP::local_port] &lt; 300) or ([TCP::local_port] &gt; 13800) } {
      discard
  } else { forward }
}

mike_rausch_628 · Answer

I meant to write this the first time but the corporate tool will be using a range of IP's like 10.1.1.0 and 10.1.2.0. Can this be put into a data group and the data group get referenced in the Irule

jrahm · Answer

Yes, once you build your datagroup, say allowed_clients, 
class allowed_clients  {
   network 10.1.1.0 mask 255.255.255.0
   network 10.1.2.0 mask 255.255.255.0
   host 10.1.3.10
}
then you can use this:
when CLIENT_ACCEPTED {
  if { not ([matchclass [IP::client_addr] equals [$::allowed_clients]]) } {
    discard
  } elseif { ([TCP::local_port] &lt; 300) or ([TCP::local_port] &gt; 13800) } {
      discard
  } else { forward }
}

mike_rausch_628 · Answer

I tried this rule but I got an error in my logs saying&nbsp;
&nbsp;TCL error: rule client_allow - invalid command name
&nbsp;"{10.1.1.0/24}{10.1.2.0/24}" while executing "$::Allowed_Clients"&nbsp;
&nbsp;I have a datagroup called Allowed_Clients and it contains
&nbsp;10.1.1.0 255.255.255.0
&nbsp;10.1.2.0 255.255.255.0&nbsp;
&nbsp;When I tried to connect from a different network I was allowed. I put a 
&nbsp;log local0. "IP [client::IP_addr]tried to log in" statement into my rule to see who is trying to log into the server and my IP from my local machine showed up in the logs as well as the above error message. So it did not block me from gaining access and I received and error as well.

jrahm · Answer

are the network and mask keywords in your class like this:&nbsp;
&nbsp;network 10.1.1.0 mask 255.255.255.0
&nbsp;network 10.1.2.0 mask 255.255.255.0&nbsp;
&nbsp;It seems the TCL error is preventing the if check, so everything matches the else statement, thus permitting the forwarding

Forum Discussion

Only allow users from specific Ip address to gain access

7 Replies

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header

Allow only specific IP Address to only specific URL/route in ASM

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Restricting access to a virtual server by Public IP address should access through only domain name.

CSV to Address External Datagroup File