Forum Discussion

cbarnett_13782
Feb 16, 2009

Block ssl requests by ip

We need to test out a website before we roll it out to production. So to test we want to only allow certain IP addresses to access a virtual server. I have this working nicely for the HTTP virtual server with the following iRule.

when HTTP_REQUEST {
    if { [IP::client_addr] starts_with "ip address" } {
        pool WEBPOOL
    } else {
        reject
    }
}

I need a simple iRule for our SSL virtual server. I applied the above rule to the SSL virtual server and it does not work. Any help would be appreciated.

9 Replies

  • Because the client IP address will always be the same for the duration of the TCP connection, it would be more efficient to check it once in CLIENT_ACCEPTED (triggered when a client establishes a TCP connection) versus in HTTP_REQUEST (triggered when the HTTP headers in an HTTP request are parsed). This would also allow you to use the same iRule for both VIPs.

    You can use the IP::addr command to evaluate a single IP address or subnet against a second single IP address or subnet. Or if you have multiple IP addresses/subnets you want to check you can use a datagroup and the matchclass command.

    Here is an example of using IP::addr:

    when CLIENT_ACCEPTED {
        # Check if client IP is part of the subnet we want to allow
        if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
            # Specify the pool
            pool WEBPOOL
        } else {
            # Reset the TCP connection
            reject
        }
    }


    Aaron
  • Hoolio,

    Thank you for the quick reply! I figured the HTTP_REQUEST was sending me down the wrong path. Are there any good iRule books out there that you would recommend?

    Thanks again!
  • I don't think anyone has written a book about iRules (yet?). Here is a page with a lot of good links to start with:

    http://devcentral.f5.com/Default.aspx?tabid=75

    Aaron
  • Hoolio,

    I can't seem to get this to work. Would the configuration type on the virtual server have anything to do with it not working?
  • Possibly. What are the symptoms of the failure? Do you see any errors logged in /var/log/ltm? Can you add debug logging to the iRule to see what's happening?

    when CLIENT_ACCEPTED {
        log local0. "[IP::client_addr]:[TCP::client_port]: New TCP connection established."

        # Check if client IP is part of the subnet we want to allow
        if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
            # Specify the pool
            log local0. "[IP::client_addr]:[TCP::client_port]: Legal IP. Connection allowed to pool."
            pool WEBPOOL
        } else {
            # Reset the TCP connection
            log local0. "[IP::client_addr]:[TCP::client_port]: Invalid IP. Resetting TCP connection."
            reject
        }
    }

    Aaron
  • Aaron,

    The log shows the following

    Feb 16 14:33:54 tmm tmm[990]: Rule Block_all_but_us_NEW : 10.10.1.1:35232: Legal IP. Connection allowed to pool.

    If I have the rule on the virtual server I can't get to the site via SSL. But without the rule I can get to the site.

  • Does it work if you remove the iRule and add the WEBPOOL as the default pool on the VIP? If so, I'm not sure what would change with the iRule. Can you post an anonymized copy of the VIP and pool configuration with and without the iRule by running 'b virtual VIP_NAME list' and 'b pool POOL_NAME list'?

    If that's not what you're testing, can you elaborate on what you're trying?

    Thanks,

    Aaron
  • I have three pools, one for 80, one for 443, and one for 8080. The only one that works with the SSL VIP is the 443 pool.

    Without the rule

    [root@F51:Active] log b virtual WWWSSH list
    virtual WWWSSH {
       destination ipaddress:https
       ip protocol tcp
       pool WEBPOOLSSH
       vlans external enable
    }
    [root@F51:Active] log b pool WEBPOOLSSH list
    pool WEBPOOLSSH {
       monitor all https
       member 10.100.74.15:https
       member 10.100.74.16:https
    }

    With the iRule

    [root@F51:Active] log b virtual WWWSSH list
    virtual WWWSSH {
       destination ipaddress:https
       ip protocol tcp
       pool WEBPOOLSSH
       rule Block_all_but_us_NEW
       vlans external enable
    }
    [root@F51:Active] log b pool WEBPOOLSSH list
    pool WEBPOOLSSH {
       monitor all https
       member 10.100.74.15:https
       member 10.100.74.16:https
    }

  • I figured it out, I need a different iRule to point to the different pool. I am a bonehead. Thanks for all of your help!
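The root cause the thread lands on is that the iRule hard-codes `pool WEBPOOL`, so when it is attached to the HTTPS VIP it sends those connections to a pool that does not serve 443. The following is an added example, not code posted in the thread: a single allow-list iRule that can be attached to both VIPs, as Aaron's first reply suggests, because it never selects a pool itself and leaves that to each virtual server's default pool; it also uses the datagroup plus matchclass approach from that reply. `allowed_nets` is an assumed address datagroup (class) name, referenced with the v9-style `$::` syntax current at the time of the thread.

```tcl
# Added example, not from the thread. Assumes an address datagroup (class)
# named "allowed_nets" that lists the subnets permitted to reach the test site.
when CLIENT_ACCEPTED {
    # Evaluate once per TCP connection; the client address cannot change
    # for the life of the connection, so HTTP_REQUEST is not needed.
    if { [matchclass [IP::client_addr] equals $::allowed_nets] } {
        # Deliberately no "pool" command here: the VIP's own default pool
        # is used (WEBPOOL on the HTTP VIP, WEBPOOLSSH on the HTTPS VIP),
        # so the same iRule works on both virtual servers.
        log local0. "[IP::client_addr]:[TCP::client_port]: allowed; using VIP default pool"
    } else {
        # Anything outside the datagroup is reset before any TLS or HTTP parsing
        log local0. "[IP::client_addr]:[TCP::client_port]: not in allowed_nets; resetting"
        reject
    }
}
```

Because the allowed branch does nothing, the rule also cannot silently override a pool change made later on the VIP, which is what caused the confusion above.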