IP Filtering
IP-based Filtering allows or blocks API calls based on a set of IP address-related rules.
Multiple values can be provided for 'Allowed IP with Mask' and 'Denied IP with Mask', separated by commas.
Configuration
The properties that have to be configured to use the policy are described below.
Figure 1: IP Filtering Policy Configuration attributes
Property | Description |
---|---|
Allowed IP with Mask | Provide the IP address with mask for the white-listed clients that are allowed to access the site. The mask defines the range of allowed IPs. The format of the entry is <IP address/Subnet mask>, for example, 192.168.0.1/24 |
Denied IP with Mask | Provide the IP address with mask for the clients that are not supposed to access the site; the mask defines the range of IPs to deny. The format is the same as for 'Allowed IP with Mask' above. |
IP Type | Choose the IP standard of the addresses in the lists; both IPv4 and IPv6 are supported. |
No Match Rule | The No Match Rule defines what the policy does with request IPs that match neither the allow nor the deny list above. Choose between the options 'allow' and 'deny'. |
Examples of IP Masks
1. To allow/deny only the IP address 20.20.20.20, use the IP address with mask 20.20.20.20/32
2. To allow/deny the IP addresses of pattern 20.20.20.*, use the IP address with mask 20.20.20.20/24
3. To allow/deny the IP addresses of pattern 20.20.*.*, use the IP address with mask 20.20.20.20/16
- In case an IP address matches both the allow and deny list, the access processing will be done depending on the selected No Match rule.
- In case a sub network range is given in the allow/deny list, the first and last IP addresses of the sub network (that is, the network address and the broadcast address respectively) are not included in the range; they have to be specified separately if they need to be allowed/blocked.
- To deny/allow multiple range of IP addresses, the same can be provided in the fields separated by a comma (",") as shown in Example 2 below.
The Edit button renames the policy ID (the name appearing under Policies).
How to calculate IP/Mask from an IPv4 range?
IPv4 addresses are 32-bit addresses, so they range from 00000000.00000000.00000000.00000000 to 11111111.11111111.11111111.11111111, that is, from 0.0.0.0 to 255.255.255.255.
The example below illustrates how to derive the IP address/Subnet mask form for a range of IP addresses.
Example
To find out the IP address/Subnet mask for the IP addresses in the range 192.168.1.0 – 192.168.1.10, perform the following actions:
- Divide it into multiple ranges whose sizes are powers of 2, that is, 192.168.1.0 – 192.168.1.7 and 192.168.1.8 – 192.168.1.10.
- Take the first set of IP addresses, which covers 8 IPs (8 = 2^3). This means the last three bits of the subnet mask are '0' and all the rest are '1', so the mask is 11111111.11111111.11111111.11111000.
- Count the 1's from the left in the subnet mask above; the count is 29.
Hence, the first range of IP addresses, 192.168.1.0 – 192.168.1.7, can be written as 192.168.1.0/29.
As per the IP Based Filter policy, the first and last IP addresses in a range are not included. Since the IP address 192.168.1.0 cannot be allocated to any host, only the IP address '192.168.1.7' needs to be defined separately. To define a single IP address, a subnet mask of 32 can be used; the IP/Mask 192.168.1.7/32 defines exactly that address.
The next range is 192.168.1.8 – 192.168.1.10, which counts 3 IP addresses. Since the calculation does not include the first and last IP addresses, expand this range to 192.168.1.8 – 192.168.1.11, which can, as per the procedure above, be represented as 192.168.1.8/30. The last IP address, '192.168.1.11', is not part of the range, so only the first IP address, 192.168.1.8, has to be added separately (represented as 192.168.1.8/32).
To block the IP addresses in the range 192.168.1.0 – 192.168.1.10, provide 192.168.1.0/29, 192.168.1.7/32, 192.168.1.8/32, 192.168.1.8/30 in the Denied IP range and set the No Match Rule to 'allow'.
Below are examples of IP with Mask for certain ranges to illustrate the IP Filter configuration.
Examples
First, calculate the IP Address Mask from a range. Find below an example of Class A, B, and C network addresses.
Class A
Range of 10.10.10.1 – 10.10.10.10
Divide the range using the largest powers of 2 that fit it, starting from an aligned address. The above range is part of 10.10.10.0 – 10.10.10.7 and 10.10.10.8 – 10.10.10.11.
The first range can be specified as 10.10.10.0/29. Since the first and last IPs of a range are not included by default in Fiorano API, they have to be added explicitly to the IP/Mask values. So, the range 10.10.10.0 – 10.10.10.7 is represented as a combination of two IP/Mask values, that is, 10.10.10.0/29, 10.10.10.7/32 (a /32 mask declares a single IP).
Similarly, the next range is represented as 10.10.10.8/30, 10.10.10.8/32.
Since 10.10.10.11 is not part of the range, this IP does not need to be defined separately.
Hence, the final IP/Mask combinations become:
10.10.10.0/29, 10.10.10.7/32, 10.10.10.8/30, 10.10.10.8/32
Class B
Range of 172.16.4.5 – 172.16.5.255
Going by the previous calculations, this can be broken into the following ranges:
172.16.4.4 – 172.16.4.7, 172.16.4.8 – 172.16.4.15, 172.16.4.16 – 172.16.4.31, 172.16.4.32 – 172.16.4.63, 172.16.4.64 – 172.16.4.127, 172.16.4.128 – 172.16.4.255, 172.16.5.0 – 172.16.5.255.
The same can be represented in IP/mask format as below:
172.16.4.4/30, 172.16.4.7/32, 172.16.4.8/29, 172.16.4.8/32, 172.16.4.15/32, 172.16.4.16/28, 172.16.4.16/32, 172.16.4.31/32, 172.16.4.32/27, 172.16.4.32/32, 172.16.4.63/32, 172.16.4.64/26, 172.16.4.64/32, 172.16.4.127/32, 172.16.4.128/25, 172.16.4.128/32, 172.16.4.255/32, 172.16.5.0/24, 172.16.5.0/32, 172.16.5.255/32
Class C
Range of 192.168.32.197 – 192.168.32.207
This can be broken into 192.168.32.197 – 192.168.32.199 and 192.168.32.200 – 192.168.32.207.
The same can be represented in IP/mask format as below:
192.168.32.196/30, 192.168.32.199/32, 192.168.32.200/29, 192.168.32.200/32, 192.168.32.207/32
Below are a couple of examples illustrating sample configurations.
Example 1
Configure the IP Filtering policy as per the details below:
- Allowed IP with Mask: 192.168.2.0/24,192.168.1.0/24
- Denied IP with Mask: 192.168.3.0/24,192.168.4.0/24
- IP Type: ipv4
- No Match Rule: allow
Figure 2: IP Filtering policy properties with values provided in Example 1
The above configuration will allow the IP addresses of the pattern 192.168.2.* and 192.168.1.*, and deny IP addresses of the pattern 192.168.3.* and 192.168.4.*.
IP addresses that do not fall into any of the values set in 'Allowed IP with Mask' and 'Denied IP with Mask' will be allowed/denied as per the value set in 'No Match Rule'. In this case where the No Match Rule is set to 'Allow', they are allowed.
Example 2
Configure the IP Filtering policy as per the details below:
- Allowed IP with Mask: 192.168.2.5/27
- Denied IP with Mask: 192.168.2.0/24
- IP Type: ipv4
- No Match Rule: deny
Figure 3: IP Filtering policy properties with values provided in Example 2
Here, IP addresses in the range 192.168.2.1 – 192.168.2.30 have to be allowed as per the value set for 'Allowed IP with Mask'. But, the IP addresses of pattern 192.168.2.* have to be denied as per the value set for 'Denied IP with Mask'. When there is a conflict, 'No Match Rule' is considered. Therefore, IP addresses of pattern 192.168.2.* will be denied as No Match Rule is set to 'deny'.
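The range-to-entry procedure above and the allow/deny/No Match evaluation of the two configuration examples, written out as an added Python example (not Fiorano's own code). It assumes the policy semantics exactly as the notes describe them: a /32 names one address, any wider block excludes its network and broadcast address, and the No Match Rule decides both when no list matches and when both lists match. `range_to_entries` generalizes the page's hand calculation to any IPv4 range and reproduces the Class A, B and C results above.

```python
import ipaddress

def entry_matches(entry: str, addr: str) -> bool:
    """True if one 'IP with Mask' entry covers addr under the policy's rules."""
    net = ipaddress.ip_network(entry.strip(), strict=False)  # host bits tolerated, as in 192.168.2.5/27
    ip = ipaddress.ip_address(addr)
    if ip.version != net.version or ip not in net:
        return False
    if net.prefixlen == net.max_prefixlen:  # /32 (or /128) names exactly one address
        return True
    # quirk from the notes above: a wider block never covers its own network or broadcast address
    return ip not in (net.network_address, net.broadcast_address)

def decide(allowed: str, denied: str, no_match: str, addr: str) -> str:
    """Evaluate the comma-separated allow/deny lists for addr; returns 'allow' or 'deny'."""
    hit = lambda lst: any(entry_matches(e, addr) for e in lst.split(",") if e.strip())
    allow_hit, deny_hit = hit(allowed), hit(denied)
    if allow_hit != deny_hit:
        return "allow" if allow_hit else "deny"
    return no_match  # matched neither list, or both (conflict): the No Match Rule decides

def range_to_entries(first: str, last: str) -> list:
    """Turn an inclusive IPv4 range into policy entries using the page's method: aligned
    power-of-two blocks that may overshoot the range only by their (excluded) edge
    addresses, plus a /32 for every block edge that actually lies inside the range."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    entries, cur = [], lo
    while cur <= hi:
        best = None  # (size, start) of the largest usable block beginning at cur or cur-1
        for start in (cur - 1, cur):  # cur-1 may serve as the block's excluded network address
            size = 1
            while start % (size * 2) == 0 and start + size * 2 - 1 <= hi + 1:
                size *= 2  # grow while aligned and overshooting by at most the broadcast address
            if start == cur - 1 and size == 1:
                continue  # a lone address below cur covers nothing
            if best is None or size > best[0]:
                best = (size, start)
        size, start = best
        end = start + size - 1
        if size == 1:
            entries.append(f"{ipaddress.IPv4Address(start)}/32")
        else:
            entries.append(f"{ipaddress.IPv4Address(start)}/{33 - size.bit_length()}")
            if start == cur:  # the network address lies inside the range: add it explicitly
                entries.append(f"{ipaddress.IPv4Address(start)}/32")
            if end <= hi:     # the broadcast address lies inside the range: add it explicitly
                entries.append(f"{ipaddress.IPv4Address(end)}/32")
        cur = end + 1
    return entries
```

Unlike the 192.168.1.0 – 192.168.1.10 walkthrough, which skips 192.168.1.0/32 because no host uses that address, the function names every in-range block edge, so it also emits that entry.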