K42075438: Restricting access to a virtual server by IP subnet
Original Publication Date: Sep 20, 2019 Applies to (see versions):
Topic
You should consider using this procedure under the following conditions:
You have a virtual server configured
You want to restrict access to the virtual server from certain IP addresses

Description
You can restrict access to a virtual server based on the IP address of the client. If you want to allow access only from a specific IP address or network, you
can configure the Source Address setting for the virtual server with the allowed IP addresses. If you want to block certain client IP addresses or
networks, you can specify the IP addresses to block using local traffic policies, iRules, or packet filters. To do so, perform the following procedures as
needed:

Prerequisites
You must meet the following prerequisite to use this procedure:

You have administrative access to the Configuration utility.

Procedures
Configuring allowed client IP addresses for a virtual server
Restricting access based on client IP addresses using local traffic policies
Restricting access based on client IP addresses using iRules
Restricting access based on client IP addresses using packet filters

Configuring allowed client IP addresses for a virtual server


When you configure the Source Address setting for a virtual server, the virtual server only accepts traffic from those IP addresses. In BIG-IP 14.1.0 and
later, you can use address lists to create a list of client IP addresses and networks that you want to allow access to a virtual server. You can then select
the address list in the Source Address setting for the virtual server. For BIG-IP versions prior to 14.1.0, you can specify the IP address or network in the
Source Address setting for the virtual server.

Note: When the Source Address setting is configured, the BIG-IP system resets any connection attempts from client IP addresses that do not match the
configured addresses.

Impact of procedure: The BIG-IP system denies access to the virtual server if the configuration is incorrect for your environment.

BIG-IP 14.1.0 and later

1. Log in to the Configuration utility.
2. Go to Shared Objects > Address Lists.
3. Select the Create button.
4. For Name, enter a name for the list.
5. For Addresses, enter the IP address or network address in CIDR format of the clients you want to allow.
6. Select the Add button.
7. Repeat steps 5 and 6 for any other client IP addresses you want to allow.
8. Select the Finished button.
9. Go to Local Traffic > Virtual Servers.
10. Select the name of the virtual server you want to protect.
11. For the Source Address setting, select Address List, then select the name of the address list you just created.
12. Select the Update button.

BIG-IP 12.x - 14.0.x

1. Log in to the Configuration utility.
2. Go to Local Traffic > Virtual Servers.
3. Select the name of the virtual server you want to protect.
4. For the Source Address setting, enter the IP address or network address in CIDR format of the clients you want to allow.
5. Select the Update button.
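Because a wrong Source Address setting locks out every client that is not in the list, it is worth checking the entries before selecting Update. The following preflight check is an added example, not F5's code: it validates the CIDR entries (rejecting typos and host bits), collapses overlapping prefixes, and evaluates sample client addresses the way the setting does, flagging any address that must keep access but would be reset. The address list, the required clients and the sample clients are constructed; the same check applies to the deny entries placed in a data group in the later procedures.

```python
"""Preflight check for a BIG-IP virtual server Source Address allow list.

Constructed example: the entries and client addresses below are made up.
"""
import ipaddress


def parse_allow_list(entries):
    """Parse CIDR entries; reject malformed ones and entries with host bits set
    (for example 192.0.2.5/24), then collapse overlapping prefixes per IP version."""
    nets, rejected = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            rejected.append(entry)
    collapsed = []
    for version in (4, 6):  # collapse_addresses refuses mixed versions, so split
        collapsed.extend(ipaddress.collapse_addresses([n for n in nets if n.version == version]))
    return collapsed, rejected


def is_allowed(client, allow):
    """Mirror the Source Address match: the client is accepted only if it falls
    inside at least one allowed prefix; otherwise the connection is reset."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in allow if net.version == addr.version)


def preflight(entries, required_clients, sample_clients):
    """Return the normalized list, rejected entries, required clients that would be
    locked out, and an allowed/reset verdict for each sample client."""
    allow, rejected = parse_allow_list(entries)
    return {
        "allow": [str(n) for n in allow],
        "rejected": rejected,
        "locked_out": [c for c in required_clients if not is_allowed(c, allow)],
        "verdict": {c: ("allowed" if is_allowed(c, allow) else "reset") for c in sample_clients},
    }


if __name__ == "__main__":
    # Constructed input: one entry has host bits set and will be rejected.
    report = preflight(
        ["10.0.0.0/8", "10.1.0.0/16", "192.0.2.0/24", "192.0.2.5/24"],
        required_clients=["192.0.2.10", "203.0.113.5"],   # e.g. monitoring host, admin workstation
        sample_clients=["10.20.30.40", "198.51.100.7"],
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-empty `locked_out` list means the Source Address setting as drafted would reset a client you still need, so fix the list before applying it to the virtual server.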

Restricting access based on client IP addresses using local traffic policies


Using local traffic policies, you can specify client IP addresses and networks to disallow for a virtual server. In BIG-IP 13.x and later, you can manage all the
IP addresses in a single data group and reference the data group in the policy. In BIG-IP 12.x, you specify the IP addresses and networks directly in the
policy when creating the rule.

Note: The following example policies reset the connection after the three-way TCP handshake completes if the client IP address matches.

Impact of procedure: The BIG-IP system denies access to the virtual server if the rule configuration is incorrect for your environment.

BIG-IP 13.x and later

1. Log in to the Configuration utility.
2. Go to Local Traffic > iRules > Data Group List.
3. Select the Create button.
4. For Name, enter a name for the data group.
5. For Type, select Address.
6. For the Address setting, type the IP address or network of the clients that you want to disallow and select the Add button. Repeat to add more
addresses as needed.
7. Select the Finished button.
8. Go to Local Traffic > Policies.
9. Select the Create button.
10. For Policy Name, enter a name for the policy.
11. For Type, select Traffic Policy.
12. Select Create Policy.
13. Under Rules, select Create.
14. For Name, enter a name for the rule.
15. Under Match all the following conditions, select + to expand the settings.
16. Create a directive using the following syntax:
TCP address matches in datagroup <datagroup_name> at client accepted time.

17. Under Do the following when traffic is matched, select + to expand the settings.
18. Create the following directive:
Reset traffic connection at client accepted time.

19. Select the Save button.
20. Select the down arrow next to Save Draft and select the Save and Publish Policy button.
21. Go to Local Traffic > Virtual Servers.
22. Under Resources for the virtual server, select Edit.
23. Under Policies, select Manage.
24. In the Available list, select the name of the policy and move it to the Enabled list.
25. Select the Finished button.

BIG-IP 12.x

1. Log in to the Configuration utility.
2. Go to Local Traffic > Policies.
3. Select the Create button.
4. For Policy Name, enter a name for the policy.
5. For Type, select Traffic Policy.
6. Select Create Policy.
7. Under Rules, select Create.
8. For Name, enter a name for the rule.
9. Under Match all the following conditions, select + to expand the settings.
10. Create a directive using the following syntax:
TCP address matches in datagroup <IP_address_list> at request time.

For <IP_address_list>, enter the client IP addresses you want to disallow by typing the IP address or network in CIDR format, then selecting the
Add button.

11. Under Do the following when traffic is matched, select + to expand the settings.
12. Select Reset traffic.
13. Select Save.
14. Select the down arrow next to Save Draft and select the Save and Publish Policy button.
15. Go to Local Traffic > Virtual Servers.
16. Under Resources for the virtual server, select Edit.
17. Under Policies, select Manage.
18. In the Available list, select the name of the policy and move it to the Enabled list.
19. Select the Finished button.

Restricting access based on client IP addresses using iRules


You can use iRules to restrict virtual server access based on the client IP address. You can manage all the IP addresses and networks in a single data
group and reference the data group in the iRule.

Impact of procedure: The BIG-IP system denies access to the virtual server if the rule configuration is incorrect for your environment.

1. Log in to the Configuration utility.
2. Go to Local Traffic > iRules > Data Group List.
3. Select the Create button.
4. For Name, enter a name for the data group.
5. For Type, select Address.
6. For Address, type the IP address or network of the clients that you want to disallow and select the Add button. Repeat to add more addresses as
needed.
7. Select the Finished button.
8. Go to Local Traffic > iRules.
9. Select the Create button.
10. For Name, type a name for the rule.
11. For Definition, enter the following code syntax. Replace <datagroup_name> with the name of the data group you created:
Note: The following example drops the connection after the three-way TCP handshake completes if the client IP address matches.

    when CLIENT_ACCEPTED {
        # Look up the client address in the address-type data group; a match on
        # a host or network entry means the client is disallowed.
        if { [class match [IP::client_addr] eq <datagroup_name>] } {
            log local0. "Dropped connection: client IP [IP::client_addr] is blacklisted."
            drop
        }
    }

12. Select the Finished button.
13. Go to Local Traffic > Virtual Servers.
14. Under Resources for the virtual server, select Edit.
15. Under iRules, select Manage.
16. In the Available list, select the name of the iRule and move it to the Enabled list.
17. Select the Finished button.

Restricting access based on client IP addresses using packet filters


Packet filters accept or reject traffic based on criteria you specify such as protocol, source and destination IP addresses, and destination port. You can
restrict access to a virtual server by creating a rule to filter for the specified client IP address or network and the IP address and port of the virtual server.

Impact of procedure: The BIG-IP system denies access to the virtual server if the packet filter configuration is incorrect for your environment.

1. Log in to the Configuration utility.
2. Go to Network > Packet Filters > General.
3. For Packet Filtering, select Enabled.
4. Select the Update button.
5. Select the Rules tab.
6. Select the Create button.
7. For Name, enter a name for the rule.
8. For Order, select First.
9. For Action, select Discard or Reject. Discard drops matching packets. Reject drops matching packets and also sends a rejection packet to the
sender. Reject behavior depends on the configuration of the Send ICMP Error on Packet Reject option in the General Properties.
10. For Logging, select Enabled if you want the BIG-IP system to log each time a packet matches the rule.
11. For Source Hosts and Networks, select Restrict to any in list.
12. For Source Hosts and Networks List, enter the IP address or network of the clients that you want to disallow and select the Add button. Repeat
to add more addresses as needed.
13. For Destination Hosts and Networks, select Restrict to any in list.
14. For Destination Hosts and Networks List, enter the IP address of the virtual server that you want to protect and select the Add button.
15. For Destination Port, select Restrict to any in list.
16. For Destination Port List, enter the port number of the virtual server that you want to protect and select the Add button.
17. Select the Finished button.

Supplemental Information
K19823081: Mitigating UDP flood using the BIG-IP packet filter
K46122561: Restricting access to the management port using network firewall rules
