
White/Black List based on Source IP

Access Control Lists

Access Control Lists (ACLs) can be used both globally and per Virtual Service. Please see this link for more details on setting up ACLs.
Note that the LoadMaster cannot apply ACLs to sub virtual services. However, the other methods described below can be used for sub virtual services.

Content Rules

The following content rule matches on the client's source IP and can be used to whitelist a single IP or a range.
If you select the Fail On Match option, the same rule behaves as a blacklist instead.

An example of a rule you should create is shown below.

Rule Type: Content Matching
Match Type: Regular Expression
Header Field: src-ip

For a single address (192.168.10.10):
Match String: /^192\.168\.10\.10$/

For an address range (192.168.0.0/16):
Match String: /^192\.168\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[0-9][0-9]?)\.(25[0-4]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]?)$/


Explaining the Match String /^192\.168\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[0-9][0-9]?)\.(25[0-4]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]?)$/

Start Regex: /
Start Match: ^
Match: 192\.168\. (the fixed 192.168. prefix; the dots are escaped so they match a literal dot)
Third octet: (25[0-5]|2[0-4][0-9]|1[0-9]{2}|[0-9][0-9]?) matches 0 to 255, i.e. 192.168.0 – 192.168.255
Fourth octet: (25[0-4]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]?) matches 1 to 254, i.e. 192.168.0.1 – 192.168.255.254
End Match: $
End Regex: /
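To check what these match strings actually accept before putting them in front of production traffic, here is an added Python example (not from the article and not Kemp's code). It models the content rule's match and Fail On Match behaviour, checks the /16 pattern above against every host address in 192.168.0.0/16 using the ipaddress module, and generates the equivalent match string for any octet-aligned IPv4 prefix (/8, /16, /24, /32). The generator, the helper names and the sample addresses are this example's own assumptions. One thing it surfaces: the article's /16 pattern only accepts a last octet of 1 to 254, so clients at 192.168.x.0 and 192.168.x.255 do not match it, while the generated patterns accept the full 0 to 255.

```python
import ipaddress
import re

# Match strings from the article, without the /.../ delimiters the LoadMaster form wraps
# around a regular expression (Python's re module takes the bare pattern).
SINGLE_IP_PATTERN = r"^192\.168\.10\.10$"
RANGE_PATTERN = (
    r"^192\.168\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[0-9][0-9]?)"
    r"\.(25[0-4]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]?)$"
)

# One decimal octet in the range 0-255; reused when generating patterns for other prefixes.
OCTET = r"(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[0-9][0-9]?)"


def bare(pattern):
    """Drop the /.../ delimiters if the pattern was copied straight from the LoadMaster form."""
    if len(pattern) > 1 and pattern[0] == "/" and pattern[-1] == "/":
        return pattern[1:-1]
    return pattern


def client_allowed(pattern, src_ip, fail_on_match=False):
    """Model the content rule: a matching src-ip passes the client (whitelist);
    with Fail On Match selected the outcome is inverted (blacklist)."""
    matched = re.match(bare(pattern), src_ip) is not None
    return not matched if fail_on_match else matched


def cidr_to_match_string(cidr):
    """Generate a src-ip match string for an octet-aligned IPv4 prefix (/8, /16, /24, /32).
    Assumption of this example: other prefix lengths are rejected rather than handled.
    Host octets are generated as 0-255, unlike the article's /16 pattern (last octet 1-254)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 prefixes (/8, /16, /24, /32) are supported")
    fixed = net.prefixlen // 8
    octets = str(net.network_address).split(".")
    parts = octets[:fixed] + [OCTET] * (4 - fixed)
    return "^" + r"\.".join(parts) + "$"


def hosts_not_matched(pattern, cidr):
    """Every host address of the prefix (as the ipaddress module defines hosts) that the
    pattern rejects; shows which clients a whitelist built from it would turn away."""
    net = ipaddress.ip_network(cidr, strict=True)
    return sorted(str(h) for h in net.hosts() if not client_allowed(pattern, str(h)))


def false_positives(pattern, cidr, candidates):
    """Candidate strings outside the prefix (or not valid addresses at all) that the
    pattern wrongly accepts. The candidates are constructed sample input."""
    net = ipaddress.ip_network(cidr, strict=True)

    def outside(candidate):
        try:
            return ipaddress.ip_address(candidate) not in net
        except ValueError:
            return True  # not a valid address, so certainly not a member of the prefix

    return [c for c in candidates if outside(c) and client_allowed(pattern, c)]


if __name__ == "__main__":
    missed = hosts_not_matched(RANGE_PATTERN, "192.168.0.0/16")
    print(f"{len(missed)} hosts in 192.168.0.0/16 do not match the article's pattern, e.g. {missed[:3]}")
    samples = ["192.169.0.1", "10.168.1.1", "1192.168.1.1", "192.168.256.1", "192.168.1.1.5"]
    print("false positives outside the /16:", false_positives(RANGE_PATTERN, "192.168.0.0/16", samples))
    print("generated /24 match string:", cidr_to_match_string("192.168.10.0/24"))
    print("blacklist mode for 192.168.10.10:", client_allowed(SINGLE_IP_PATTERN, "192.168.10.10", fail_on_match=True))
```

The anchors matter: without ^ and $ a pattern such as 192\.168\.10\.10 would also accept 192.168.10.100, which the single-address test below demonstrates does not happen with the anchored form.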

WAF

Finally, you can use custom WAF rules to allow or deny clients based on their IP address, as shown below.

Whitelist for Single IP (192.168.10.10)

  • SecRule REMOTE_ADDR "192.168.10.10" "id:'101',phase:1,t:none,allow,log,msg:'IP Allow Rule'"
  • SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,deny,log,msg:'IP Deny Rule'"

Whitelist for an IP Range (192.168.10.0/24)

  • SecRule REMOTE_ADDR "@ipMatch 192.168.10.0/24" "id:'101',phase:1,t:none,allow,log,msg:'IP Allow Rule'"
  • SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,deny,log,msg:'IP Deny Rule'"

Blacklist for Single IP (192.168.10.10)

  • SecRule REMOTE_ADDR "192.168.10.10" "id:'101',phase:1,t:none,deny,log,msg:'IP Deny Rule'"
  • SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,allow,log,msg:'IP Allow Rule'"

Blacklist for an IP Range (192.168.10.0/24)

  • SecRule REMOTE_ADDR "@ipMatch 192.168.10.0/24" "id:'101',phase:1,t:none,deny,log,msg:'IP Deny Rule'"
  • SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,allow,log,msg:'IP Allow Rule'"
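Two properties of these rule pairs are worth verifying before deployment: rules in a phase are evaluated in configuration order and a matching allow or deny stops processing, so the specific rule must come before the "\." catch-all; and a bare operator string such as "192.168.10.10" is an unanchored regular expression (ModSecurity's default @rx operator), so it also matches 192.168.10.100 to 192.168.10.109. The following added Python example (not Kemp's code and not part of the article) parses the rule lines above and evaluates them for a given REMOTE_ADDR. The simulator itself, the anchored whitelist variant and the sample addresses are assumptions of this example. It also shows that the "\." catch-all never matches an IPv6 source address, so neither the deny nor the allow in these rule sets applies to IPv6 clients.

```python
import ipaddress
import re
import shlex

# Rule sets copied from the article's WAF section.
WHITELIST_SINGLE = r"""
SecRule REMOTE_ADDR "192.168.10.10" "id:'101',phase:1,t:none,allow,log,msg:'IP Allow Rule'"
SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,deny,log,msg:'IP Deny Rule'"
""".strip().splitlines()

WHITELIST_RANGE = r"""
SecRule REMOTE_ADDR "@ipMatch 192.168.10.0/24" "id:'101',phase:1,t:none,allow,log,msg:'IP Allow Rule'"
SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,deny,log,msg:'IP Deny Rule'"
""".strip().splitlines()

BLACKLIST_SINGLE = r"""
SecRule REMOTE_ADDR "192.168.10.10" "id:'101',phase:1,t:none,deny,log,msg:'IP Deny Rule'"
SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,allow,log,msg:'IP Allow Rule'"
""".strip().splitlines()

# Hardened variant constructed for this example (not from the article): the single-IP
# whitelist with an anchored, dot-escaped regular expression instead of a bare string.
WHITELIST_SINGLE_ANCHORED = r"""
SecRule REMOTE_ADDR "^192\.168\.10\.10$" "id:'101',phase:1,t:none,allow,log,msg:'IP Allow Rule'"
SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,deny,log,msg:'IP Deny Rule'"
""".strip().splitlines()


def parse_rule(line):
    """Split 'SecRule VARIABLE "OPERATOR" "ACTIONS"' into its parts and pick out the
    rule id and the disruptive action (only allow and deny appear on the page)."""
    parts = shlex.split(line)
    if len(parts) != 4 or parts[0] != "SecRule":
        raise ValueError(f"unsupported rule syntax: {line}")
    _, variable, operator, actions = parts
    tokens = [t.strip() for t in actions.split(",")]
    disruptive = next((t for t in tokens if t in ("allow", "deny")), None)
    rule_id = next((t.split(":", 1)[1].strip("'") for t in tokens if t.startswith("id:")), None)
    return {"variable": variable, "operator": operator, "action": disruptive, "id": rule_id}


def operator_matches(operator, remote_addr):
    """@ipMatch is a CIDR membership test; anything else is the default @rx operator,
    which is an unanchored regex search over the variable's value."""
    if operator.startswith("@ipMatch"):
        addr = ipaddress.ip_address(remote_addr)
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in operator[len("@ipMatch"):].split(",")]
        return any(addr in net for net in nets)
    return re.search(operator, remote_addr) is not None


def evaluate(rules, remote_addr):
    """Walk the phase-1 rules in order; the first matching rule that carries allow or deny
    settles the request. Returns (action, rule id), or ("pass", None) if nothing matched."""
    for line in rules:
        rule = parse_rule(line)
        if rule["variable"] != "REMOTE_ADDR":
            continue
        if rule["action"] and operator_matches(rule["operator"], remote_addr):
            return rule["action"], rule["id"]
    return "pass", None


if __name__ == "__main__":
    # Constructed sample client addresses.
    for ip in ("192.168.10.10", "192.168.10.100", "10.0.0.1", "2001:db8::1"):
        print(f"{ip:>16}  whitelist(bare)={evaluate(WHITELIST_SINGLE, ip)}  "
              f"whitelist(anchored)={evaluate(WHITELIST_SINGLE_ANCHORED, ip)}  "
              f"range={evaluate(WHITELIST_RANGE, ip)}  blacklist={evaluate(BLACKLIST_SINGLE, ip)}")
```

Swapping the two lines of any pair makes the catch-all win for every client, which is why the specific rule is listed first; and for a single address the @ipMatch form (for example "@ipMatch 192.168.10.10") or the anchored regex avoids the substring match that the bare string allows.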


Comments

Unix SysAdmins

The link at the top of this article is broken. Can you fix it, please?

user user

Thank you for your feedback. The link is now fixed.

Unix SysAdmins

Thank you, Naseer!

Joel Van Os

If the IP is blocked, is it possible to have it redirect to a static page to let them know they have been blocked?