If you want to filter based on IP address you have a number of options with TrafficScript. You can filter based on a subnet mask, a file-based white list, or regular expressions.
Mask Based Filter
This example tests the remote IP against the entire 10.0.0.0/8 address range; if the address resides within that range the connection is closed.
$ip = request.getRemoteIP();
if( string.ipmaskmatch( $ip, "10.0.0.0/8" ) ) {
   connection.close( "500 Unauthorised\r\n" );
}
File Based White List
In this example we need to restrict access to a specific area of the web site to specific staff computers. First of all you need to create a file in the ZXTM install location; if you're using the default install location it's
/usr/local/zeus/zxtm/conf/extra
You can create as many files as you like for different white list purposes. Following the Zeus Knowledge Hub example, this file is called trusted_ips.
$siteaddress = http.getHostHeader();
$rawurl = http.getRawurl();
$ip = request.getRemoteIP();
$trusted_user_file = "trusted_ips";
$trusted_ips = resource.get( $trusted_user_file );
if( ( $siteaddress == "www.website.com" ) && string.contains( $rawurl, "/payments/secure/" ) ) {
   # Check IP
   if( string.contains( $trusted_ips, $ip ) == 0 ) {
      connection.close( "500 Unauthorised\r\n" );
   }
}
Regular Expressions
If, like I did, you think this looks like the ramblings of a mad maths professor, stick with it. It's actually quite straightforward and very, very powerful.
The key to this is the regex.
When you put the value you want to test in () the value is assigned to $1 through $9.
So this example has $1 and $2:
string.regexMatch( $ip, "([0-9]+)\\.([0-9]+)\\.[0-9]+\\.[0-9]+" );
This example has variables $1, $2, $3 and $4:
string.regexMatch( $ip, "([0-9]+)\\.([0-9]+)\\.([0-9]+)\\.([0-9]+)" );
We can then test the values of $1, $2 etc.
e.g.
if( $1 == 192 ) {
   # do something
}
This is taken from a script I produced that had to allow certain IPs within any /24 subnet from within 192.4.160
Example:
$ip = request.getRemoteIP();
# Only addresses inside 192.4.0.0/16 are tested further
if( string.ipmaskmatch( $ip, "192.4.0.0/16" ) ) {
   # log.info( "Matched the mask to 192.4.0.0/16" );
   # Capture the third octet into $1
   string.regexMatch( $ip, "[0-9]+\\.[0-9]+\\.([0-9]+)\\.[0-9]+" );
   # Match 192.4.160.x to 192.4.161.x OR
   # Match 192.4.8.x to 192.4.9.x
   if( ( $1 >= 160 && $1 < 162 ) || ( $1 >= 8 && $1 < 10 ) ) {
      # log.info( "Matched at RegEx" );
   } else {
      connection.close( "500 Unauthorised\r\n" );
   }
}
A bit more on Reg Ex
ZXTM TrafficScript regular expressions follow the PCRE (Perl Compatible Regular Expressions) library.
More info here: http://perldoc.perl.org/perlre.html
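As an added illustration (Python rather than TrafficScript, and not code from the original post): the file-based white list above relies on a substring test, which also accepts any address that happens to be a substring of a trusted entry, and the regex octet-range rule from the example is compared with the equivalent CIDR masks. The trusted_ips contents are constructed sample data.

```python
import ipaddress
import re

# Constructed stand-in for the trusted_ips resource file, one address
# per line (sample data, not from the original post).
TRUSTED_IPS_FILE = "10.0.0.1\n10.0.0.15\n192.4.160.20\n"


def contains_check(trusted_file: str, ip: str) -> bool:
    """Mirrors string.contains( $trusted_ips, $ip ): a plain substring test."""
    return ip in trusted_file


def exact_line_check(trusted_file: str, ip: str) -> bool:
    """Compare the client IP against whole lines of the file, so that
    0.0.0.1 or 2.4.160.20 no longer pass as substrings of trusted entries."""
    trusted = {line.strip() for line in trusted_file.splitlines() if line.strip()}
    return ip in trusted


OCTETS = re.compile(r"^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$")


def octet_range_check(ip: str) -> bool:
    """The post's regex approach: gate on 192.4.0.0/16, then allow a third
    octet of 160-161 or 8-9 (192.4.160.x-192.4.161.x, 192.4.8.x-192.4.9.x)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr not in ipaddress.ip_network("192.4.0.0/16"):
        return False
    m = OCTETS.match(ip)
    if m is None:
        return False
    third = int(m.group(3))
    return 160 <= third < 162 or 8 <= third < 10


# The same policy written as CIDR prefixes: each /23 covers two adjacent /24s.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.4.160.0/23", "192.4.8.0/23")]


def cidr_check(ip: str) -> bool:
    """Equivalent to octet_range_check, expressed as mask matches only."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)
```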
Putting it all together: Example Script
This example is used to match a set of web site host names and then test the client IP to see if the request is from a machine considered to be internal in this network. If it's not internal the client is directed to a pool that requires two-factor authentication.
$siteaddress = http.getHostHeader();
$ip = request.getRemoteIP();
if( $siteaddress == "www.siteone.co.uk" ||
    $siteaddress == "www.sitetwo.co.uk" ||
    $siteaddress == "www.siteone.net" ||
    $siteaddress == "www.siteone.com" ||
    $siteaddress == "somethingelse.net" ) {
   log.info( "2FA Rule " . $ip . " Host = " . $siteaddress );
   if( string.ipmaskmatch( $ip, "10.0.0.0/8" ) ) {
      string.regexMatch( $ip, "([0-9]+)\\.([0-9]+)\\.[0-9]+\\.[0-9]+" );
      # log.info( "Matched the mask to 10.0.0.0/8" );
      # Match 192.0.0.0 to 192.150.255.255 OR
      # Match 192.158.0.0 to 192.201.255.255
      if( ( $1 == 192 && $2 < 151 ) ||
          ( $1 == 192 && $2 >= 158 && $2 < 202 ) ) {
         # log.info( "Matched at RegEx" );
         pool.use( "HTTP" );
      } else {
         # Address is External
         pool.use( "RADIUS" );
      }
   }
}
Enjoy