Hi, I'm trying to configure a TrafficScript rule on our SteelApp VTM.
I want to allow BOTH a specified IP address AND an IP range to reach blah.com, and for the following suffixes to be redirected to blah.com/RDWeb: /rpc, /remoteDesktopGateway.
Here is my rule:
$allowedIPs = [ "123.123.0.1","109.233.52.0/24"];
$ip = request.getremoteip();
$drop = false;
$arraylen = array.length($allowedIPs);
$url = http.getHeader("Host");
$path = http.getpath();
for ( $i = 0; $i < $arraylen; $i++ ) {
   log.info( "IP= " . $ip . " AllowedIP= " . $allowedIPs[$i] );
   if( string.startsWithI( $url, "blah.com")) {
      if(string.containsI( $path, "/RDWeb" ) || string.containsI ( $path, "/rpc" ) || string.containsI( $path, "/remoteDesktopGateway" )){
         if ( $ip == $allowedIPs[$i]) {
            pool.use( "Blah_RDS" );
            break;
         } else {
            $drop = true;
         }
      }
      else {
         http.redirect( "https://blah.com/rdweb" );
      }
   }
}
if ($drop == true) {
   connection.discard();
}
---
This rule compiles fine but doesn't work. Any ideas?
You are testing for a string match:
if ( $ip == $allowedIPs[$i])
This works for an IP but not for a subnet.
TrafficScript offers a function to test an IP presence in a subnet:
string.ipmaskmatch($ip, $subnet)
And you can use a simple foreach to test the array until a match is found, like in this subroutine:
sub IPorSubnetMatch($networksAndIPs, $ip) {
   foreach ($subnetOrIP in $networksAndIPs) {
      if (string.ipmaskmatch($ip, $subnetOrIP)) {
         return (1==1);
      }
   }
   return(1!=1);
}
(I was not sure if boolean is a real type in TS)
Another problem - might not be relevant since you edited that part of the code - is that you redirect to https://blah.com/rdweb if Host: starts with "blah.com" which sounds like a redirect loop to me
To wrap it up, and because you don't want to test the requested path on each IP test, you should use the aforementioned function and reduce your code to something like:
if( string.startsWithI( http.getHostHeader(), "blah.com")) {
   $path = http.getPath();
   if(string.containsI( $path, "/RDWeb" ) || string.containsI ( $path, "/rpc" ) || string.containsI( $path, "/remoteDesktopGateway" )) {
      $allowedIPs = [ "123.123.0.1","109.233.52.0/24"];
      $ip = request.getRemoteIP();
      if (IPorSubnetMatch($allowedIPs, $ip)) {
         pool.use( "Blah_RDS" );
      } else {
         connection.discard();
      }
   }
} else {
   http.redirect( "https://notblah.com/rdweb" );
}
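As an added example that is not part of this thread, the Python below models the subnet test the answer describes. It uses the standard ipaddress module to stand in for string.ipmaskmatch() (an assumption about that function's semantics: an allowlist entry matches when the client address equals it or lies inside its CIDR prefix), puts it next to the string-equality check from the original rule to show why a "109.233.52.0/24" entry can never match a client address that way, and reproduces the decision the reduced rule reaches for a given Host, path and client IP. The allowlist values, path prefixes and request values are constructed for the example. Note that a blah.com request whose path is none of the RDS prefixes gets no action from the reduced rule and therefore goes to the virtual server's default pool; the model reports that case as "passthrough".

```python
import ipaddress
from typing import Iterable

# Constructed allowlist mirroring the thread: one host address and one /24.
ALLOWED = ["123.123.0.1", "109.233.52.0/24"]
# Path prefixes that should reach the RDS pool (constructed from the thread).
RDS_PATHS = ("/RDWeb", "/rpc", "/remoteDesktopGateway")


def naive_match(allowed: Iterable[str], ip: str) -> bool:
    """String equality, as in the original rule: a CIDR entry never equals an address."""
    return any(ip == entry for entry in allowed)


def ip_or_subnet_match(allowed: Iterable[str], ip: str) -> bool:
    """Assumed model of string.ipmaskmatch(): true if ip equals the entry
    or falls inside the entry's prefix. A bare address becomes a /32 (or /128)."""
    addr = ipaddress.ip_address(ip)
    for entry in allowed:
        # strict=False tolerates host bits in the entry, e.g. "10.0.0.5/24".
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def decide(host: str, path: str, ip: str) -> str:
    """Outcome of the reduced rule for one request:
    'redirect' (Host is not blah.com), 'pool' (RDS path, allowed client),
    'discard' (RDS path, client not allowed) or 'passthrough' (blah.com,
    non-RDS path: the rule takes no action, default pool applies)."""
    # startsWithI / containsI in the rule are case-insensitive, so compare lowercase.
    if not host.lower().startswith("blah.com"):
        return "redirect"
    lowered = path.lower()
    if not any(prefix.lower() in lowered for prefix in RDS_PATHS):
        return "passthrough"
    return "pool" if ip_or_subnet_match(ALLOWED, ip) else "discard"


if __name__ == "__main__":
    # Constructed sample clients: inside the /24, at its last address, just past it,
    # the single allowed host, and an unrelated address.
    for client in ("109.233.52.17", "109.233.52.255", "109.233.53.0",
                   "123.123.0.1", "8.8.8.8"):
        print(client, "naive:", naive_match(ALLOWED, client),
              "ipmask:", ip_or_subnet_match(ALLOWED, client),
              "decision:", decide("blah.com", "/RDWeb/pages/", client))
```

Running it shows the practical difference: with string equality only 123.123.0.1 is ever allowed, so every client in 109.233.52.0/24 ends up at connection.discard(); with the prefix match, 109.233.52.255 is still inside the range while 109.233.53.0 is not, which is the boundary worth checking whenever a range is added to the list.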