24/05/2022 10:14 How to block IP Address by iRule
K73554344: How to block IP Address by iRule
Support Solution
Original Publication Date: Jan 18, 2021
Updated Date: Oct 09, 2021
Description
You need a way to block/drop traffic from a specific IP or a list of IP addresses.
For example, during a suspected cyber attack or simply to discard traffic from certain IP addresses.
Environment
BIG-IP
Virtual server
Cause
None
Recommended Actions
You can create iRules similar to the examples provided and apply them to the virtual servers that need to block/drop traffic.
when FLOW_INIT {
    if { [IP::addr [IP::client_addr] equals (IPv4 Address%RouteDomain)] } {
        log local0. "Blocking [IP::client_addr]"
        drop
    }
}
Note: If the IPv4 address being matched is in the default route domain, the route domain notation does not need to be included in the iRule syntax.
Example:
1. Block an IP in route domain 3000:
when FLOW_INIT {
    if { [IP::addr [IP::client_addr] equals 172.16.0.9%3000] } {
        log local0. "Blocking [IP::client_addr]"
        drop
    }
}
2. Block an IP in the default route domain:
when FLOW_INIT {
    if { [IP::addr [IP::client_addr] equals 172.16.0.9] } {
        log local0. "Blocking [IP::client_addr]"
        drop
    }
}
3. When you have a list of IP addresses or a whole network range to block/drop traffic from, it is recommended to use a data group created with the Address (IP) type:
when FLOW_INIT {
    if { [class match [IP::remote_addr] equals BlocklistIP_DataGroup] } {
        log local0. "Attacker IP [IP::client_addr]"
        drop
    }
}
Sample Data Group with Type IP:
ltm data-group internal BlocklistIP_DataGroup {
    records {
        10.10.10.0/24 { }
    }
    type ip
}
Sample iRule that drops traffic from an IP address if it does not match an allow-list data group:
when FLOW_INIT {
    set ClientIP [IP::client_addr]
    if { (not [class match $ClientIP equals AllowListIP_DataGroup]) } {
        log local0. "Attacker IP [IP::client_addr]"
        drop
    }
}
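The following script is an added example, not F5 code: it models offline the match semantics that the iRules above rely on (the `IP::addr ... equals` comparison with route domains in examples 1 and 2, the `class match` lookup against an address-type data group in example 3, and the inverted allow-list variant), so that a block list or allow list can be sanity-checked before it is applied to a virtual server. The function names (`parse_addr`, `ip_equals`, `parse_data_group`, `class_match`, `decide`, `evaluate`), the two extra data-group records and the assumption that route domains are compared exactly (a bare address meaning route domain 0, as the note above states) are this example's own.

```python
# Added example (not F5 code): offline model of the address-matching
# semantics used by the block/allow-list iRules above.  Assumption: a bare
# address is in the default route domain (0) and an address in another
# route domain only matches a record carrying the same %RD suffix.
import ipaddress
import re

DEFAULT_ROUTE_DOMAIN = 0

# Constructed sample in the tmsh format shown above; the %3000 host and the
# IPv6 prefix are added here to exercise route domains and address families.
DATA_GROUP_TEXT = """\
ltm data-group internal BlocklistIP_DataGroup {
    records {
        10.10.10.0/24 { }
        172.16.0.9%3000 { }
        2001:db8::/32 { }
    }
    type ip
}
"""

_ADDR_RE = re.compile(
    r"^(?P<ip>[0-9A-Fa-f:.]+)(?:%(?P<rd>\d+))?(?:/(?P<plen>\d+))?$"
)


def parse_addr(text):
    """Split '172.16.0.9%3000' or '10.10.10.0/24' into (network, route_domain).

    A host without a prefix length becomes a /32 (or /128) network so that
    hosts and prefixes can be compared the same way.
    """
    m = _ADDR_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not an address, address%rd or prefix: {text!r}")
    ip, rd, plen = m.group("ip", "rd", "plen")
    net = ipaddress.ip_network(ip if plen is None else f"{ip}/{plen}", strict=False)
    return net, (int(rd) if rd is not None else DEFAULT_ROUTE_DOMAIN)


def ip_equals(a, b):
    """Model of `[IP::addr A equals B]` for two host addresses (examples 1 and 2)."""
    net_a, rd_a = parse_addr(a)
    net_b, rd_b = parse_addr(b)
    return rd_a == rd_b and net_a == net_b


def parse_data_group(text):
    """Extract (network, route_domain) records from a 'type ip' data group."""
    if re.search(r"^\s*type\s+ip\s*$", text, re.M) is None:
        raise ValueError("only 'type ip' data groups are matched by address")
    body = re.search(r"records\s*\{(.*?)\n\s*\}", text, re.S)
    if body is None:
        return []
    return [parse_addr(rec) for rec in re.findall(r"(\S+)\s*\{\s*\}", body.group(1))]


def class_match(client, records):
    """Model of `[class match $client equals DataGroup]` for an IP-type group:
    true when the client host lies inside a record and the route domains agree."""
    net, rd = parse_addr(client)
    host = net.network_address
    # `host in rec_net` is False when the address families differ.
    return any(rec_rd == rd and host in rec_net for rec_net, rec_rd in records)


def decide(client, records, mode):
    """'blocklist': drop on match (example 3); 'allowlist': drop unless matched."""
    if mode not in ("blocklist", "allowlist"):
        raise ValueError(f"unknown mode {mode!r}")
    matched = class_match(client, records)
    drop = matched if mode == "blocklist" else not matched
    return "drop" if drop else "allow"


def evaluate(clients, data_group_text, mode):
    """Return {client: decision} for a batch of client addresses."""
    records = parse_data_group(data_group_text)
    return {c: decide(c, records, mode) for c in clients}


if __name__ == "__main__":
    # Constructed client addresses: in-range, out-of-range, wrong route domain,
    # right route domain and an IPv6 host.
    sample_clients = ["10.10.10.77", "10.10.11.1", "172.16.0.9",
                      "172.16.0.9%3000", "2001:db8::1"]
    for mode in ("blocklist", "allowlist"):
        print(mode, evaluate(sample_clients, DATA_GROUP_TEXT, mode))
```

Running the script prints the drop/allow decision for each constructed client under both modes; note that `172.16.0.9` without a route domain is not dropped by the block list because the record is in route domain 3000, which is exactly the mistake the note above warns about.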
Note: The log lines in the iRules are optional and can be commented (#) out.
Additional Information
None
Related Content
FLOW_INIT on F5 Cloud Docs
K50565834: How to add an iRule to a Virtual Server
F5 Support engineers who work directly with customers to resolve issues create this content. Support Solution
articles give you fast access to mitigation, workaround, or troubleshooting suggestions.
Applies to:
Product: BIG-IP
16.X.X, 15.X.X, 14.X.X, 13.X.X, 12.X.X, 11.X.X