Forum Discussion

marv_Williams_5
Apr 15, 2015

Urgent: Need an I-Rule to Block Continents but allow certain IP addresses

I tried this I-Rule, but when tested it does not parse the I-Rule properly:

 

    when CLIENT_ACCEPTED {
        # Block Continent IP Range and allow certain traffic
        if { ( [whereis [IP::client_addr] continent] eq "EU" ) && not ( [class match [IP::client_addr] equals whitelist] ) } {
            log local0. "Valid client IP - forwarding traffic."
            reject
        }
    }

 

I need to be able to block continents from accessing a VIP but also allow certain IP addresses through, then either send a 403 or redirect the traffic to another website.

 

6 Replies

  • Richard__Harlan
    Historic F5 Account

    OK, I double-checked the iRule and again it loaded just fine. I then tested the logic and it worked. In my case the network being tested is a private network, so I changed the continent to be not set, put an IP in the data group and tested, and then tested with it removed from the data group. It worked both ways: when it is in the data group, no reject; when it is in the data group the Reject log fires.

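    when CLIENT_ACCEPTED {
        # Log the continent returned by the geolocation lookup for this client
        log local0. "Location = [whereis [IP::client_addr] continent]"
        # Test setup from this post: the continent is not set for the private test network, so compare against ""
        if { ( [whereis [IP::client_addr] continent] eq "" ) && not ( [class match [IP::client_addr] equals whitelist] ) } {
            log local0. "Reject"
            reject
        }
    }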
    

    Data group

    ltm data-group internal /Common/whitelist {
        records {
            192.168.1.3/32 { }
            192.168.1.5/32 { }
        }
        type ip
    }
    

    What error are you getting in the logs?

  • Here is the log error: Rule [/Common/iRuler_Parse_Test_Rule] error: line 3: [parse error: PARSE syntax 108 {syntax error in expression "[class match --[whereis[IP::client_addr]countinent]eq "EU"] ...": character not legal in expressions}] [{[class match --[whereis[IP::client_addr]countinent]eq "EU"] or \ not[IP::addr[IP::client_addr] equals whitelist]}] line 6: [command is not valid in the current scope] [}]

     

  • Richard__Harlan
    Historic F5 Account

    I imported the iRule in my test box and ran it without an issue. I got the following log entries:

     

    Apr 15 11:49:54 luke info tmm[11462]: Rule /Common/test2 : Valid client IP - forwarding traffic.

     

    What version are you running? The test box I am running is version 12 beta. I would check to make sure there is no copy and paste error in the iRule, like an extra hidden ASCII char.
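
The last reply suggests checking the iRule for hidden characters picked up during copy and paste. The following is an added example, not part of the thread and not F5 code: a small Python check that reports every character in an iRule source that is not plain ASCII and produces a cleaned copy. The replacement table and the sample iRule text are constructed for illustration.

```python
import unicodedata

# Paste artifacts mapped to the ASCII they usually replaced (constructed list).
REPLACEMENTS = {
    "\u00a0": " ",   # no-break space
    "\u200b": "",    # zero-width space
    "\ufeff": "",    # byte-order mark
    "\u201c": '"', "\u201d": '"',   # curly double quotes
    "\u2018": "'", "\u2019": "'",   # curly single quotes
    "\u2013": "-", "\u2014": "-",   # en dash, em dash
}

def is_plain(ch):
    """True for printable ASCII plus tab, CR and LF."""
    return ch in "\t\r\n" or " " <= ch <= "~"

def find_hidden_chars(text):
    """Return (line, column, codepoint, name) for each non-plain character."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if not is_plain(ch):
                name = unicodedata.name(ch, "UNNAMED CONTROL")
                findings.append((lineno, col, f"U+{ord(ch):04X}", name))
    return findings

def sanitize(text):
    """Swap known paste artifacts for ASCII and drop anything else non-plain."""
    return "".join(ch if is_plain(ch) else REPLACEMENTS.get(ch, "") for ch in text)

# Constructed sample: the thread's iRule with curly quotes and a no-break space.
SAMPLE = (
    "when CLIENT_ACCEPTED {\n"
    "    if { ( [whereis [IP::client_addr] continent] eq \u201cEU\u201d ) &&\u00a0"
    "not ( [class match [IP::client_addr] equals whitelist] ) } {\n"
    "        reject\n"
    "    }\n"
    "}\n"
)

if __name__ == "__main__":
    for lineno, col, cp, name in find_hidden_chars(SAMPLE):
        print(f"line {lineno}, col {col}: {cp} {name}")
    print(sanitize(SAMPLE))
```

Review the cleaned text before loading it, since a dropped character may have stood in for something the rule needs.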