Forum Discussion
6 Replies
- hooleylist (Cirrostratus): Hi,

  ```
  # Datagroup which defines allowed client IP addresses/networks
  class allowed_clients_datagroup {
     network 10.30.0.0/16
     host 10.40.1.1
  }
  ```

  ```
  # This event is triggered when a client - BIG-IP TCP connection is established
  when CLIENT_ACCEPTED {
     if { [matchclass [IP::client_addr] equals $::allowed_clients_datagroup] } {
        # Uncomment the line below to turn on logging.
        #log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
        # Do nothing... request will be sent to the pool
     } else {
        # Uncomment the line below to turn on logging.
        #log local0. "Invalid client IP: [IP::client_addr] - discarding"
        discard
     }
  }
  ```
- Brian_Mayer_841 (Nimbostratus): And also, if I wanted to use the class_allowed_clients data group you created above, where would I create that? Within the iRule itself?
- hooleylist (Cirrostratus): I think the issue is that you're testing this on a virtual server with a pool, but you're using the forward command. If you want the BIG-IP to load balance the requests, don't use the forward command. You actually don't have to do anything in the case that the client IP matches the IPs/networks in the datagroup. If the client IP doesn't match, then you want to send a reset back to the client using the reject command.
- Brian_Mayer_841 (Nimbostratus): I checked and I see the data group on the LTM web GUI. I think that's fine.
- hooleylist (Cirrostratus): The previous example will work for a virtual server with a pool, where you want traffic from allowed clients to be load balanced and other clients to be dropped. Here is a shortened version that drops all requests if the client IP is not part of the datagroup.

  ```
  # This event is triggered when a client - BIG-IP TCP connection is established
  when CLIENT_ACCEPTED {
     # Check if the client IP is not part of the datagroup hosts/networks
     if { not ([matchclass [IP::client_addr] equals $::allowed_clients_datagroup]) } {
        # Log dropped requests
        log local0. "Invalid client IP: [IP::client_addr] - discarding"
        # Drop the request
        discard
     }
  }
  ```
- Brian_Mayer_841 (Nimbostratus): That works like a champ! Thanks much for the help.
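
An offline check of the allowlist from the thread, as an added example that is not code from any poster or from F5: it parses the `class ... { network ... host ... }` text and reports which client addresses the shortened iRule would pass to the pool or discard. The function names, the fail-closed handling of unparseable input and the strict rejection of a network with host bits set are assumptions of this sketch, not BIG-IP behaviour.

```python
import ipaddress
import re

# Datagroup text as posted in the thread.
DATAGROUP = """
class allowed_clients_datagroup {
   network 10.30.0.0/16
   host 10.40.1.1
}
"""

def parse_datagroup(text):
    """Parse 'class NAME { network CIDR | host IP ... }' into (name, networks)."""
    m = re.search(r"class\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no class block found")
    tokens = m.group(2).split()
    if len(tokens) % 2:
        raise ValueError("record without a value in datagroup body")
    nets = []
    for kind, value in zip(tokens[0::2], tokens[1::2]):
        if kind == "host":
            # ip_address() rejects a prefix, so a host is always one address.
            nets.append(ipaddress.ip_network(str(ipaddress.ip_address(value))))
        elif kind == "network":
            # strict=True raises on host bits set (e.g. 10.30.1.0/16): this
            # checker's choice, so a mistyped record is flagged, not widened.
            nets.append(ipaddress.ip_network(value, strict=True))
        else:
            raise ValueError(f"unknown record type: {kind}")
    return m.group(1), nets

def decide(client_ip, nets):
    """Model of the shortened iRule: 'pool' if the client matches, else 'discard'."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "discard"  # unparseable input fails closed in this model
    return "pool" if any(addr in net for net in nets) else "discard"

def audit(clients, text=DATAGROUP):
    """Map each client address to the action the allowlist would give it."""
    _, nets = parse_datagroup(text)
    return {ip: decide(ip, nets) for ip in clients}

if __name__ == "__main__":
    # Constructed sample client addresses.
    for ip, action in audit(["10.30.200.7", "10.31.0.1", "10.40.1.1", "10.40.1.2"]).items():
        print(f"{ip:<12} {action}")
```

Running the audit against the addresses you expect to allow and a few just outside each range catches an over-broad or mistyped record before the datagroup is loaded.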