Forum Discussion

Dianna_129659's avatar
Dianna_129659
Icon for Nimbostratus rankNimbostratus
Jan 29, 2014

Will this iRule block a range of IP Addresses?

Will this iRule block the range of 150.70.173.40 through 150.70.173.99. Is there a better way to block a range of IP addresses?

 

when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals 150.70.173.40/24] } { log local0. "Blocking [IP::client_addr]" reject } }

 

  • Instead reject is better to use drop. Instead 150.70.173.40/24 is better to use 150.70.173.0/25 for blocking range 150.70.173.40 through 150.70.173.99

     

  • Instead reject is better to use drop. Instead 150.70.173.40/24 is better to use 150.70.173.0/25 for blocking range 150.70.173.40 through 150.70.173.99

     

    • Dianna_129659's avatar
      Dianna_129659
      Icon for Nimbostratus rankNimbostratus
      Vitaliy, thank you very much! I will make your suggested change.
    • Mohamed_Lrhazi's avatar
      Mohamed_Lrhazi
      Icon for Altocumulus rankAltocumulus
      150.70.173.0/25 will match 150.70.173.1 to 150.70.173.126 If you dont want to reject only .40 to .99, you would want to further extract the last octet and test it before calling drop/reject, maybe like this: set ip [IP::client_addr] set lastoctet [getfield $ip "." 4] if { ($lastoctet >= 40) && ($lastoctet <= 99) } { log local0. "IP: $ip Last octet: $lastoctet, YES." } else { log local0. "IP: $ip Last octet: $lastoctet, NO." }