Forum Discussion

Tyson_James
Altostratus
Sep 20, 2018

iRule to only allow private networks....

Hi, I have an iRule in place that is supposed to be rejecting all external network traffic coming into an LTM virtual server for a few select administrative pages. Someone on DevCentral had done something very similar to what I needed, so I took their iRule and adjusted it for my needs. The iRule is as follows:

when HTTP_REQUEST {
  # Compare the lowercased request URI against the protected admin locations
  switch -glob [string tolower [HTTP::uri]] {
    "*/wp-admin/*" -
    "*/wp-login.php" -
    "*/phpmyadmin/*" -
    "*/wp-config.php" {
      # Drop the connection unless the source address is in the private_net data group
      if { !([class match [IP::client_addr] equals private_net])} {
         reject
      }
    }
  }
}

private_net is a data group that contains the Class A, B and C RFC private networks. The issue is that we are having random people inside our network (10.x.x.x) having the iRule apply to their connections, and they are unable to access the pages. I cannot find a reason why this is occurring. We did a Wireshark capture for someone who is being blocked and, sure enough, you can see the source address is 10.x.x.x, but the iRule still kicks in.

Any ideas or insight into this issue would be greatly appreciated. Thanks.

2 Replies

  • Maybe these clients are behind NAT? You can check it by adding a log line to the iRule:

    when HTTP_REQUEST {
      switch -glob [string tolower [HTTP::uri]] {
        "*/wp-admin/*" -
        "*/wp-login.php" -
        "*/phpmyadmin/*" -
        "*/wp-config.php" {
          if { !([class match [IP::client_addr] equals private_net])} {
            # Record the address the BIG-IP actually saw before rejecting it
            log local0. "rejected client ip [IP::client_addr]"   ;# newly added line
            reject
          }
        }
      }
    }
    

    and check which IP you see in /var/log/ltm.

    good luck!

  • Thanks so much. It was NAT. Had our firewall take a look and he figured it out.
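The failure mode in this thread, as an added example that is not part of the original post or of F5's code: a Python model of the posted iRule's decision logic, with a source-NAT hop placed between the client and the virtual server so the symptom can be reproduced offline. The data-group contents (the three RFC 1918 blocks), the NAT gateway address 198.51.100.7, the client addresses and the /var/log/ltm-style lines are all constructed sample values and assumptions of this example, not from the thread.

```python
"""Offline model of the posted iRule's decision, with a NAT hop in the path.

Added example for this thread, not code from the original post or from F5.
Assumptions (this example's, not the page's): private_net holds exactly the
three RFC 1918 blocks; the NAT gateway 198.51.100.7, the client addresses and
the log-line format below are constructed sample values.
"""
import fnmatch
import ipaddress
import re
from collections import Counter

# Same patterns the iRule's `switch -glob` applies to the lowercased URI.
ADMIN_PATTERNS = ("*/wp-admin/*", "*/wp-login.php", "*/phpmyadmin/*", "*/wp-config.php")

# Stand-in for the private_net data group: Class A, B and C RFC 1918 ranges.
PRIVATE_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_admin_uri(uri):
    """Equivalent of `switch -glob [string tolower [HTTP::uri]]` hitting a protected case.
    fnmatchcase keeps the match case-sensitive on every OS (we lowercase first, as the
    iRule does); like Tcl's glob, `*` here also matches `/`."""
    uri = uri.lower()
    return any(fnmatch.fnmatchcase(uri, pat) for pat in ADMIN_PATTERNS)


def class_match(addr):
    """Equivalent of `class match $addr equals private_net` for an address data group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NET)


def irule_decision(client_addr, uri):
    """Mirror the HTTP_REQUEST event: ('reject', logline) or ('allow', None).
    `client_addr` is what IP::client_addr returns: the L3 source of the
    connection the BIG-IP actually received."""
    if is_admin_uri(uri) and not class_match(client_addr):
        return "reject", f"rejected client ip {client_addr}"
    return "allow", None


def observed_source(real_client, nat_gateway=None):
    """Source address the virtual server sees. If a device between the client and
    the BIG-IP source-NATs the traffic, IP::client_addr is that device's address,
    not the client's 10.x.x.x, regardless of what a capture on the client shows."""
    return nat_gateway if nat_gateway else real_client


def triage_rejections(loglines):
    """Count rejected addresses in /var/log/ltm-style lines. Several 'internal'
    users collapsing onto one non-private address is the NAT signature."""
    counts = Counter()
    for line in loglines:
        m = re.search(r"rejected client ip (\S+)", line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed traffic: internal users with and without a NAT hop, plus one outsider.
    requests = [
        (observed_source("10.20.30.40"), "/wp-admin/index.php"),                      # direct: allowed
        (observed_source("10.20.30.41", nat_gateway="198.51.100.7"), "/wp-admin/index.php"),
        (observed_source("10.20.30.42", nat_gateway="198.51.100.7"), "/WP-Login.php"),
        (observed_source("203.0.113.9"), "/blog/hello-world/"),                       # public, non-admin: allowed
    ]
    logs = []
    for addr, uri in requests:
        verdict, logline = irule_decision(addr, uri)
        print(f"{addr:>15} {uri:<22} -> {verdict}")
        if logline:
            # Constructed log line; rule name and prefix are illustrative only.
            logs.append(f"Sep 20 10:00:00 bigip info tmm[1234]: Rule /Common/admin_acl <HTTP_REQUEST>: {logline}")
    print(triage_rejections(logs))   # {'198.51.100.7': 2}: one address standing in for two internal users
```

The two NATed users are rejected even though their own captures show a 10.x source, because the address the iRule tests is the one on the connection that reaches the BIG-IP. The counter over the log lines is the offline version of the reply's advice: one repeated non-private address for supposedly internal users points at the NAT device, which can then be fixed or, if that is intended, its address added to the data group.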