Forum Discussion

Bob_10976
Feb 06, 2008

Limited Access to VIP by Source IP

Should/Can I use an iRule to limit access to a VIP by source IP address?

I have several web servers hosting several public and one not so public applications. I want to restrict who can access the not so public application by source IP. Since all the applications fall under the same domain name I can't apply an "ACL" via the firewall. This will have to be done at the LB level, at least I'd prefer it done so.

Is there an iRule already out there someone wouldn't mind sharing?

Thanks in advance.

Bob

1 Reply

  • You can define a group of hosts/networks in a datagroup (called a class in the bigip.conf) and then use the matchclass function in an iRule to check that the client IP is a member of the datagroup before allowing access. You can create the datagroup in the GUI under iRules | Datagroups. There is a separate tab for datagroups next to the iRules tab. Select Address as the type.

    Here is an example datagroup as it appears in the bigip.conf:

    class allowed_hosts_networks_class {
       host 100.1.1.1
       network 10.0.0.0 mask 255.0.0.0
       network 172.16.0.0 mask 255.240.0.0
       network 192.168.0.0 mask 255.255.0.0
    }

    And here is an example rule which references the class and drops requests from clients who don't match the datagroup networks:

    when CLIENT_ACCEPTED {
       log local0. "Received connection from [IP::client_addr]"
       # Allow only clients whose address is in the datagroup; everyone else is dropped
       if {not ([matchclass [IP::client_addr] equals $::allowed_hosts_networks_class])}{
          log local0. "Dropped connection from [IP::client_addr]"
          # Drop the request
          drop
       }
    }

    Aaron
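As an added example (not code from the thread or from F5), here is a small Python model of the check Aaron describes: it parses the class block in bigip.conf syntax and applies matchclass-style membership to a client address, and it adds the URI test you would need if the public and not-so-public applications share one virtual server, so that only the private application is restricted. The `/internal/` path prefix and all function names are assumptions.

```python
import ipaddress
import re

# Constructed copy of the datagroup from the reply, in bigip.conf class syntax.
CLASS_TEXT = """
class allowed_hosts_networks_class {
   host 100.1.1.1
   network 10.0.0.0 mask 255.0.0.0
   network 172.16.0.0 mask 255.240.0.0
   network 192.168.0.0 mask 255.255.0.0
}
"""

def parse_address_class(text):
    """Return (name, [ip_network, ...]) from a v9-style address class block."""
    m = re.search(r"class\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no class block found")
    name, body = m.group(1), m.group(2)
    nets = []
    for line in body.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "host" and len(parts) == 2:
            nets.append(ipaddress.ip_network(parts[1]))  # single host -> /32
        elif parts[0] == "network" and len(parts) == 4 and parts[2] == "mask":
            # "network A.B.C.D mask M.M.M.M" -> CIDR; strict=False tolerates host bits
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[3]}", strict=False))
        else:
            raise ValueError(f"unrecognised class entry: {line.strip()}")
    return name, nets

def matchclass(client_addr, nets):
    """Mirror of the iRule matchclass test: is client_addr inside any entry?"""
    ip = ipaddress.ip_address(client_addr)
    return any(ip in n for n in nets)

PRIVATE_PREFIX = "/internal/"  # hypothetical path of the not-so-public application

def decide(client_addr, uri, nets):
    """Return 'allow' or 'drop' for one request, restricting only the private app."""
    if uri.startswith(PRIVATE_PREFIX) and not matchclass(client_addr, nets):
        return "drop"
    return "allow"
```

On the BIG-IP itself the equivalent of `decide` would live in an HTTP_REQUEST event checking `[HTTP::uri]`, rather than in CLIENT_ACCEPTED, which drops the whole connection before any request is seen.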