Forum Discussion

Brian_Mayer_841
Nov 05, 2007

Restrict access to Virtual Servers based on IP address

Hi all,
We have some test sites going online soon and need them to be publicly accessible for some external testers. But we don't want the entire world to see the sites until they're ready for launch. Is there any way to restrict access to the sites via source IP address using iRules?

Thanks much in advance,

B

6 Replies

  • Hi,

    You could use packet filters to restrict access (Click here).

    Else, if you want to use an iRule, you can use the IP::addr (Click here) command to compare the client IP address with a specific IP or IP range, or matchclass (Click here) to compare the client IP address with a set of IPs or ranges.

    There are a few related codeshare examples:

    Access Control Based On IP (Click here)

    Access Control Based On Network or Host (Click here)

    If you do want to use an iRule instead of packet filters, and you're working with a single IP virtual server, it would probably be easiest to use the matchclass command:

     # Datagroup which defines allowed client IP addresses/networks
     class allowed_clients_datagroup {
        network 10.30.0.0/16
        host 10.40.1.1
     }

     # This event is triggered when a client - BIG-IP TCP connection is established
     when CLIENT_ACCEPTED {
        if { [matchclass [IP::client_addr] equals $::allowed_clients_datagroup] } {
           # Uncomment the line below to turn on logging.
           #log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
           # Do nothing... request will be sent to the pool
        } else {
           # Uncomment the line below to turn on logging.
           #log local0. "Invalid client IP: [IP::client_addr] - discarding"
           discard
        }
     }

    Reply if you have any questions.

    Aaron
  • And also, if I wanted to use the class_allowed_clients data group you created above, where would I create that? Within the iRule itself?
  • I think the issue is that you're testing this on a virtual server with a pool, but you're using the forward command. If you want the BIG-IP to load balance the requests, don't use the forward command. You actually don't have to do anything in the case that the client IP matches the IP's/networks in the datagroup. If the client IP doesn't match, then you want to send a reset back to the client using the reject command.

    I'm not sure what caused the error when trying to add a datagroup using the iRuler. You might try posting the error and any other details in the iRuler forum for Joe to take a look at.

    Datagroups (known as classes in the bigip.conf config file) are separate objects from rules. If you want to create another datagroup, you should be able to do so using the iRuler or in the admin GUI under Local Traffic >> iRules >> Datagroups.

    Aaron
  • I checked and I see the data group on the LTM web GUI. I think that's fine.

    As for using forward, reject, etc., can you give me an example? I'm new to TCL and am not sure how to correctly implement it.
  • The previous example will work for a virtual server with a pool, where you want traffic from allowed clients to be load balanced and other clients to be dropped. Here is a shortened version that drops all requests if the client IP is not part of the datagroup.

     # This event is triggered when a client - BIG-IP TCP connection is established
     when CLIENT_ACCEPTED {
        # Check if the client IP is not part of the datagroup hosts/networks
        if { not ([matchclass [IP::client_addr] equals $::allowed_clients_datagroup]) } {
           # Log dropped requests
           log local0. "Invalid client IP: [IP::client_addr] - discarding"
           # Drop the request
           discard
        }
     }

    If you created a class/datagroup with a different name, just update the rule to reference the name you used.

    If this doesn't work for you, check the ltm log file via the command line (tail -f /var/log/ltm) and see if you get any log statements showing errors.

    Aaron
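To check the datagroup entries before loading them on the box, here is an offline model of how a class with network and host entries matches a client address, and the allow/discard decision the shortened iRule above makes. This is an added example written for this thread, not F5 code; the class text is constructed from the thread, and parse_datagroup, matchclass and client_accepted are names chosen here.

```python
import ipaddress
import re

# Constructed sample in bigip.conf "class" syntax, mirroring the thread's datagroup.
ALLOWED_CLIENTS_DATAGROUP = """
class allowed_clients_datagroup {
   network 10.30.0.0/16
   host 10.40.1.1
}
"""

def parse_datagroup(text):
    """Parse a class block into ip_network (network) / ip_address (host) entries.
    Any other entry type or shape raises, so a typo fails loudly instead of being ignored."""
    match = re.search(r"class\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not match:
        raise ValueError("no class block found")
    entries = []
    for line in match.group(2).splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"malformed entry: {line.strip()!r}")
        kind, value = parts
        if kind == "network":
            entries.append(ipaddress.ip_network(value, strict=False))
        elif kind == "host":
            entries.append(ipaddress.ip_address(value))
        else:
            raise ValueError(f"unknown entry type: {kind}")
    return entries

def matchclass(client_addr, entries):
    """Model of 'matchclass <addr> equals <datagroup>': True on the first match."""
    ip = ipaddress.ip_address(client_addr)
    for entry in entries:
        if isinstance(entry, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if ip in entry:
                return True
        elif ip == entry:
            return True
    return False

def client_accepted(client_addr, entries):
    """Decision the shortened iRule makes in CLIENT_ACCEPTED: allowed clients
    are left alone (load balanced to the pool); everyone else is discarded."""
    if not matchclass(client_addr, entries):
        return "discard"
    return "forward"
```

Run it with the addresses you expect testers to come from, plus a few neighbours of each entry, to confirm the network masks really cover what you intend.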