Forum Discussion

sysadmin_2015_2
Sep 08, 2017

Virtual Server - Block IP

Hello,

We need to block several subnets for a particular virtual server. Is the best way to use an iRule? And can you please send me an example of an iRule we can use?

Thank you for the help!
3 Replies

  • In my opinion, the best way is to create an IP datagroup, then write an iRule like this:

    Datagroup which defines denied client IP addresses/networks
    (both entries are subnets, so both use the "network" keyword;
    "host" is only for a single address)
    class denied_clients {
       network 10.0.0.0/8
       network 192.168.10.0/24
    }
    
    # Drop the connection as soon as it is accepted if the source
    # address falls inside any network in the datagroup
    when CLIENT_ACCEPTED {
       if { [class match [IP::client_addr] equals denied_clients] } {
          log local0. "client IP: [IP::client_addr] - discarded"
          discard
       }
    }
    

    Using a datagroup makes this easy to manage: whenever you want to add or delete an IP subnet, you can do it without touching the iRule.

  • You can use the switch command, like this:

    when CLIENT_ACCEPTED {
      # switch compares strings, so the CIDR text "10.0.0.0/8" would never
      # equal a client address such as 10.1.2.3. With -glob and patterns
      # that stop on an octet boundary, a /8 and a /24 can be approximated;
      # this is still a text match, not a real netmask comparison.
      switch -glob [IP::client_addr] {
            "10.*" -
            "192.168.10.*" {
                log local0. "client IP: [IP::client_addr] - discarded"
                discard
            }
      }
    }
    
  • Hi,

    Without a data group, you can create a list of denied networks:

    # Static list of denied networks, evaluated once when the iRule loads
    when RULE_INIT {
        set static::denied_clients {10.0.0.0/8 192.168.0.0/16}
    }
    
    when CLIENT_ACCEPTED {
        # IP::addr with a CIDR operand does a real netmask comparison;
        # IP::remote_addr is the client address in this clientside event
        foreach subnet $static::denied_clients {
            if {[IP::addr [IP::remote_addr] equals $subnet]} {
                log local0. "client IP: [IP::client_addr] - discarded"
                discard
                # stop here: no need to test (and log) the remaining subnets
                return
            }
        }
    }
    

    Note: the switch command does not support network/netmask comparison.
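The three replies hinge on how the client address is compared: a plain `switch` compares strings, `switch -glob` compares wildcard text, and `class match` on an IP data group (or `IP::addr ... equals`) does a real netmask comparison. The script below is an added example, not code from any of the replies and not F5 code; it models each strategy offline in Python so a deny list can be sanity-checked before it is deployed. The deny list, the sample client addresses and the helper that turns an octet-aligned CIDR into a wildcard pattern are constructed for this demonstration.

```python
"""Offline model of the client-IP matching strategies discussed in the thread.

Added example (not from the replies, not F5 code). It models what each iRule
comparison actually does:
  * plain `switch`                      -> exact string comparison
  * `switch -glob`                      -> wildcard text comparison, no mask math
  * `class match` on an IP data group,
    or `IP::addr $client equals $net`   -> real CIDR containment
"""
import fnmatch
import ipaddress

# Deny list as written in the thread's data group (constructed sample).
DENIED_NETWORKS = ["10.0.0.0/8", "192.168.10.0/24"]

# Constructed sample of client addresses hitting the virtual server.
SAMPLE_CLIENTS = ["10.1.2.3", "192.168.10.77", "192.168.11.5", "172.16.5.5"]


def switch_literal_match(client_ip: str, denied: list[str]) -> bool:
    """Models `switch [IP::client_addr] { "10.0.0.0/8" ... }`.

    Tcl's switch compares the address text against each pattern text, so a
    client address such as 10.1.2.3 is never equal to the string "10.0.0.0/8".
    """
    return client_ip in denied


def switch_glob_match(client_ip: str, patterns: list[str]) -> bool:
    """Models `switch -glob`: wildcard matching on the address text only."""
    return any(fnmatch.fnmatchcase(client_ip, p) for p in patterns)


def cidr_match(client_ip: str, denied: list[str]) -> bool:
    """Models `class match [IP::client_addr] equals <ip datagroup>` and
    `IP::addr $client equals $subnet`: the address is masked and compared."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in denied)


def cidr_to_glob(network: str) -> str:
    """Derive the wildcard pattern that stands in for an IPv4 CIDR in `switch -glob`.

    Only prefixes on an octet boundary (/8, /16, /24, /32) have a faithful glob;
    anything else (e.g. 172.16.0.0/12) cannot be expressed as a wildcard.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError(f"{network}: only octet-aligned IPv4 prefixes can be globbed")
    octets = str(net.network_address).split(".")
    keep = net.prefixlen // 8
    return ".".join(octets[:keep] + ["*"] * (4 - keep))


def blocked_by_strategy(denied: list[str], clients: list[str]) -> dict[str, set[str]]:
    """Return the subset of sample clients each strategy would `discard`."""
    globs = [cidr_to_glob(n) for n in denied]
    return {
        "switch": {c for c in clients if switch_literal_match(c, denied)},
        "switch -glob": {c for c in clients if switch_glob_match(c, globs)},
        "class match / IP::addr": {c for c in clients if cidr_match(c, denied)},
    }


if __name__ == "__main__":
    for strategy, blocked in blocked_by_strategy(DENIED_NETWORKS, SAMPLE_CLIENTS).items():
        print(f"{strategy:24s} blocks {sorted(blocked) or 'nothing'}")
    # A prefix that is not octet-aligned shows where even -glob breaks down:
    # 172.20.1.1 is inside 172.16.0.0/12 but does not match "172.16.*.*".
    print("172.20.1.1 in 172.16.0.0/12 (CIDR):", cidr_match("172.20.1.1", ["172.16.0.0/12"]))
    print("172.20.1.1 vs 172.16.*.* (glob):   ", switch_glob_match("172.20.1.1", ["172.16.*.*"]))
```

Run it as-is to see that the literal `switch` blocks nothing, `-glob` happens to work for the /8 and /24 in the thread, and only the CIDR comparison blocks the same clients for any mask length. Feed your own deny list into `cidr_to_glob` first: if it raises, a `switch -glob` rule cannot express that subnet and the data-group approach from the first reply is the one to use.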