Datagroup and class match

Question

Been scouring through the docs and can't find any good resource that addresses my question. Please help.&nbsp;
&nbsp;I am tasked with creating an iRule that will check incoming packets for the client_ip and compare them against a list of IPs to block with exceptions&nbsp;
&nbsp;I am using version 10.2 and have an Irule started:&nbsp;
&nbsp;when HTTP_REQUEST {
&nbsp;Check if the client IP is a member of the exception list
&nbsp;    log local0.debug "IRule has been triggered"
&nbsp;if { ([class match [IP::client_addr] equals ip_exception])} {
&nbsp;log local0.debug "[IP::client_addr] Your IP was approved via the exception list"
&nbsp;  Client IP matched the class, so allow it }
&nbsp;else {
&nbsp;log local0.debug "[IP::cleint_addr] Your IP was NOT approved via the exception list"
&nbsp;drop
&nbsp;}
&nbsp;}&nbsp;
&nbsp;I'm working on a bigger picture, trying to get the smaller pieces working.&nbsp;
&nbsp;I have a datagroup defined as an external class in /var/class names ip_exception.&nbsp;
&nbsp;The problem is I cannot tell if it is being accessed at all, The last statement in my irule always shows up.&nbsp;
&nbsp;Next problem is that I don't know how to add data the external class list from the command line. The help section is very confusing.&nbsp;
&nbsp;So can you look at my iRule and let me know if in its simplicity it looks ok?&nbsp;
&nbsp;Can you tell me how to add IPs (data) to the exception list from the command line?&nbsp;
&nbsp;Many thanks,
&nbsp;Kevin&nbsp;

chris_miller · Answer

Rather than checking whether their IP exists and logging it, why not just check whether it doesn't exist? The rule below will check whether their IP exists in the data group. If it doesn't, we'll drop them.

when HTTP_REQUEST {
    Check if the client IP is a member of the exception list
    log local0.debug "IRule has been triggered"
       if { ! [class match [IP::client_addr] eq ip_exception] } {
              drop
              log local0.debug "[IP::client_addr] Your IP was NOT approved via the exception list"
             }
    }

If you'd like to add data to your external class, I suspect just using a file editor would work?

kevin_nail · Answer

This is just a first step, I'm trying to get something working. When completed, the exception list will be IPs that should be allowed but were mistakenly blocked.&nbsp;&nbsp;&nbsp;

jscharfenberg_3 · Answer

Chris,
I am going to use what you suggested for allowing certain hosts to use EWS as we're locking down exchange.
overall something like this....
when HTTP_REQUEST {
        "/ews*" {
if {! [class match [IP::client_addr] eq Allowed_Hosts_EWS]}{
HTTP::respond 403 content {Blocked!}
}
logs sent to /var/log/ltm
log local0. "[IP::client_addr] was NOT approved via exeption list"
}
}
Does this look correct?  I need to add some kind of logging that i can comment out when we turn it on and local seeems fine.

Forum Discussion

Datagroup and class match

3 Replies

Recent Discussions

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Related Content

/32 IPs in Datagroup class match not matching

CSV to Address External Datagroup File

Datagroup / Access class match not working.

Class match with starts_with - Data group matching order

Modifying multiple entries in a datagroup via api?