IP restriction irule

Question

I found this old thread and am trying to make it work.&nbsp;
https://devcentral.f5.com/community/group/aft/18255/asg/50&nbsp;
here is what I have&nbsp;
 &nbsp;
when CLIENT_ACCEPTED {&nbsp;
if { not ([class match [IP::client_addr] equals $::ESB]) }{&nbsp;
 Log dropped requests&nbsp;
          log local0. "Invalid client IP: [IP::client_addr] - discarding"&nbsp;
 &nbsp;
drop the request&nbsp;
discard&nbsp;
}&nbsp;
}&nbsp;
 &nbsp;
Then in Data Group List I have&nbsp;
 &nbsp;
ESB&nbsp;
 &nbsp;
1.1.0.0/255.255.0.0 &lt;-sanatized &nbsp;
 &nbsp;
When I put it in a virtual host and run it I get this error...&nbsp;
 &nbsp;
TCL error: /Common/esb-mgmt  - can't read "ESB": no such variable while executing "class match [IP::client_addr] equals $ESB"&nbsp;
 &nbsp;
Its like it can't read the variable?&nbsp;
 &nbsp;
As always, any help is greatly appreciated!&nbsp;
Thanks&nbsp;
Joe&nbsp;
 &nbsp;

hooleylist · Answer

Hi Joe, 
&nbsp;  
&nbsp; Can you remove the $:: prefix from the data group name in the iRule? 
&nbsp;  
&nbsp;  
&nbsp; https://devcentral.f5.com/wiki/iRules.class.ashx 
&nbsp;  
&nbsp; Note that you should not use a $:: or :: prefix on the datagroup name when using the class command (or in any datagroup reference on 9.4.4 or later). 
&nbsp;  
&nbsp; In v9.4.4 - 10, using $::datagroup_name will work but demote the virtual server from running on all TMMs. For details, see the CMP compatibility page. 
&nbsp;  
&nbsp; In v11, using $::datagroup_name will result in a TCL runtime error and a reset being sent to the client! 
&nbsp;

sundogbrew · Answer

Hey Hoolio, 
&nbsp; Thanks for the response.  I did remove the $::  I am still not getting what I want?  If I put an address in there that isn't mine and try to go to it I get a log message that it is blocked and tells me my IP.  But if I put my IP in there I get nothing like it either drops it or doesn't do anything with it?  I saw in the other post you said not to say forward?  Do I need to say anything to get it to move the traffic on to the pool? 
&nbsp; Thanks 
&nbsp; Joe &nbsp;

sundogbrew · Answer

I still can't get this to work, can anyone help?  Looks like if it doesn't discard it then it doesn't work.  Like the default doesn't do anything?  Does that make sense? 
&nbsp; This is what I have, do I need an "else" or something else? 
&nbsp;  
&nbsp; when CLIENT_ACCEPTED { 
&nbsp; if {!( [class match [IP::client_addr] equals ESB]) }{ 
&nbsp;  Log dropped requests 
&nbsp;           log local0. "Invalid client IP: [IP::client_addr] - discarding" 
&nbsp;  
&nbsp; drop the request 
&nbsp; discard 
&nbsp; } 
&nbsp; } 
&nbsp;  
&nbsp;  
&nbsp; Thanks 
&nbsp; Joe

kevin_stewart · Answer

Does it discard as required? Are you using an address-based data group?

when CLIENT_ACCEPTED {
    if { not ( [class match [IP::client_addr] equals ESB] ) } {
         Log dropped requests
        log local0. "Invalid client IP: [IP::client_addr] - discarding"
        drop the request
        discard
    }
}

sundogbrew · Answer

Hey Kevin, 
&nbsp; Yes I have an address-based data group.  If I don't put my address in the list and try to go to it, it drops my request and logs it and tells me my IP, so that part works fine.  But if I put my address in the list I get nothing in the logs and I also don't get the page?   Like it drops it anyway but just doesn't log it?  Do I need to say forward or include the pool?

Forum Discussion

IP restriction irule

7 Replies

Recent Discussions

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

Related Content

iRule - Restricting IP addresses for a portion of URI

Restrict Traffic To VIP By Subnet

restrict website to only specific ip addresses on same VS

Restrict access to virtual server during specified time

APM IP Subnet Match - single IP list