I'm in the process of setting up an app accessible from the internet. I need to allow traffic from various IP ranges to this app (which is an API) and decline any other traffic.
Is there an easy way to do it?
I know I can use the embedded WAF to achieve that, but would like to know if I can do it with TrafficScript.
Thanks in advance,
-S. Rossan
Take a look at Stingray's Service Protection policies; they may do what you need (I can't recall if they can block-all and whitelist some).
Otherwise a simple TrafficScript request rule will do what you need:
$allowed = [
   "192.168.1.1",
   "92.27.24.216",
   "131.111.131.1",
   "8.8.8.8" ];
# Reject any client whose IP is not in the allowed list
if( ! array.contains( $allowed, request.getRemoteIP() ) ) {
   http.sendResponse( "401 Not Authorised", "text/plain", "", "" );
}
If you'd like to match the client IP against IP subnets, then the easiest strategy would be to list these in the array and iterate through the array, testing the IP against each array element using string.ipmaskmatch( $ip, $element );
It was very helpful but, as you mentioned, it works with single IPs only.
I couldn't figure out how to use the ipmaskmatch command, so I achieved what I was looking for with the Application Firewall.
Thanks for the help anyway.
For completeness' sake, here is a working sample of an ipmaskmatch script used to whitelist upstream SMTP servers:
$client = request.getremoteip();
# IP range of Dyndns MX that are our upstream filters
if( string.ipmaskmatch( $client, "216.146.32.0/23" ) == 0 ) {
   log.info( "Dropped SMTP connection from untrusted IP: <" . $client . ">" );
   connection.discard();
} else {
   log.info( "Permitted SMTP connection from trusted IP: <" . $client . ">" );
}
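The subnet approach suggested in the replies above (list the ranges in an array and test the client IP against each one with string.ipmaskmatch), written out for the original HTTP API case as an added example that is not from any poster in this thread. The ranges are constructed documentation addresses, and the 403 response and log text are choices made for this example.

```trafficscript
# Added example: default-deny allowlist of CIDR ranges for an HTTP service.
# The ranges are constructed placeholders (RFC 5737 documentation space);
# replace them with the real client networks.
$allowed = [
   "192.0.2.0/24",
   "198.51.100.0/25",
   "203.0.113.17/32"     # a single host expressed as a /32
];

$client  = request.getRemoteIP();
$matched = 0;

# Test the client address against every range and stop at the first hit.
foreach( $range in $allowed ) {
   if( string.ipmaskmatch( $client, $range ) ) {
      $matched = 1;
      break;
   }
}

if( !$matched ) {
   # Anything not explicitly listed is refused, and the refusal is logged
   # so that blocked sources can be reviewed in the event log.
   log.info( "Denied API request from untrusted IP: <" . $client . ">" );
   http.sendResponse( "403 Forbidden", "text/plain", "Forbidden\n", "" );
}
```

request.getRemoteIP() is the address of the TCP peer, so if another proxy or load balancer sits in front of the traffic manager, the ranges have to describe that device rather than the end clients.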