IP-based Filtering helps you to allow or block API calls based on a set of IP Address-related rules.
Configuration
The properties that have to be configured to use the policy are described below.
Figure 1: IP Filtering Policy Configuration attributes
Property | Description |
---|---|
Allowed IP with Mask | Provide the respective IP address with mask to enable access to white-listed user(s) who can be allowed to enter the site. The mask will define the range of allowed IPs. Format of the IP address is: <IP address/Subnet mask>, for example, 192.168.0.1/24 |
Denied IP with Mask | Provide the respective IP address with mask to deny access to those user(s) who are not supposed to enter the site. As above, the mask defines the range. The format is the same as described in 'Allowed IP with Mask' above. |
IP Type | Choose the network protocol to filter on; both IP standards, IPv4 and IPv6, are supported. |
No Match Rule | The No Match Rule defines what the project must do with requests from IPs that do not match either the allow or the deny list above. Choose between the options 'allow' and 'deny'. |
How to calculate IP/Mask from IPv4 range?
IPv4 addresses are 32-bit addresses, so they range from 00000000.00000000.00000000.00000000 to 11111111.11111111.11111111.11111111, that is, 0.0.0.0 to 255.255.255.255.
The example below illustrates how to derive the IP address/Subnet mask form for a range of IP addresses.
Example
To find out the IP address/Subnet mask for the IP addresses in the range 192.168.1.0 – 192.168.1.10, perform the following actions:
- Divide it into multiple ranges whose sizes are powers of 2, that is, 192.168.1.0 – 192.168.1.7, 192.168.1.8 – 192.168.1.10
- Pick the first set of IP addresses, which covers 8 IPs (8 = 2^3). This means the last three bits of the subnet are '0' and all the rest are '1', the subnet value being 11111111.11111111.11111111.11111000
- Count the number of 1's from the left in the subnet bits above; the count is 29.
Hence, the first range of IP addresses, 192.168.1.0 – 192.168.1.7, can be written as 192.168.1.0/29.
The next range is 192.168.1.8 – 192.168.1.10, which counts to 3 IP addresses. Since the calculation does not include the first and last IP addresses, expand this range to 192.168.1.8 – 192.168.1.11, which can, as per the procedure above, be represented as 192.168.1.8/30. The last IP address, 192.168.1.11, is not part of the range in any case, so just include the first IP address, which is 192.168.1.8 (represented as 192.168.1.8/32).
Find below examples of IP with Mask for certain ranges to illustrate the IP Filter configuration.
Examples
To start with, learn how to calculate the IP Address Mask from a range. Find below an example each of Class A, B and C network addresses.
Class A
Range of 10.10.10.1 – 10.10.10.10
Dividing into the largest power-of-2 blocks, starting from 0, covers the range: the above range is a part of 10.10.10.0 – 10.10.10.7, 10.10.10.8 – 10.10.10.11.
The first range can be specified as 10.10.10.0/29. Since the first and last IPs of the range are not included by default in Fiorano API, include them separately in the IP/Mask values. So, the range 10.10.10.0 – 10.10.10.7 will be represented as a combination of two IP/Mask values, that is, 10.10.10.0/29, 10.10.10.7/32 (a /32 mask declares a single IP).
Similarly, the continuing range will be represented as 10.10.10.8/30, 10.10.10.8/32.
Hence, the final IP/Mask combinations become:
10.10.10.0/29, 10.10.10.7/32, 10.10.10.8/30, 10.10.10.8/32
Class B
Range of 172.16.4.5 – 172.16.5.255
Going by the previous calculations, this can be broken into the following ranges:
172.16.4.4 – 172.16.4.7, 172.16.4.8 – 172.16.4.15, 172.16.4.16 – 172.16.4.31, 172.16.4.32 – 172.16.4.63, 172.16.4.64 – 172.16.4.127, 172.16.4.128 – 172.16.4.255, 172.16.5.0 – 172.16.5.255.
The same can be represented in IP/mask format as below:
172.16.4.4/30, 172.16.4.7/32, 172.16.4.8/29, 172.16.4.8/32, 172.16.4.15/32, 172.16.4.16/28, 172.16.4.16/32, 172.16.4.31/32, 172.16.4.32/27, 172.16.4.32/32, 172.16.4.63/32, 172.16.4.64/26, 172.16.4.64/32, 172.16.4.127/32, 172.16.4.128/25, 172.16.4.128/32, 172.16.4.255/32, 172.16.5.0/24, 172.16.5.0/32, 172.16.5.255/32
Class C
Range of 192.168.32.197 – 192.168.32.207
This can be broken into 192.168.32.197 – 192.168.32.199, 192.168.32.200 – 192.168.32.207.
The same can be represented in IP/mask format as below:
192.168.32.196/30, 192.168.32.199/32, 192.168.32.200/29, 192.168.32.200/32, 192.168.32.207/32
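The procedure used in the Class A, B and C examples, generalized to any IPv4 range, as an added example (not Fiorano code). The function names are this example's own, and it assumes, as stated above, that a masked block does not match its own first and last address while a /32 entry matches exactly one IP; it adds the /32 entries for every block.

```python
from ipaddress import IPv4Address, IPv4Network

def range_to_entries(first, last):
    """Return the IP/Mask entries covering first..last (inclusive)."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    entries, cur = [], lo
    while cur <= hi:
        for host_bits in range(32, 1, -1):      # largest block first, /30 is the smallest
            size = 1 << host_bits
            base = cur - cur % size             # aligned block that contains cur
            top = base + size - 1
            # A block may overshoot the range by one address at either end,
            # because its first and last addresses are not matched anyway.
            if base >= cur - 1 and top <= hi + 1:
                entries.append(f"{IPv4Address(base)}/{32 - host_bits}")
                if base == cur:                 # first address is wanted: add it as /32
                    entries.append(f"{IPv4Address(base)}/32")
                if top <= hi:                   # last address is wanted: add it as /32
                    entries.append(f"{IPv4Address(top)}/32")
                cur = top + 1
                break
        else:                                   # no block fits: single address
            entries.append(f"{IPv4Address(cur)}/32")
            cur += 1
    return entries

def matched_addresses(entries):
    """Addresses the entries match under the exclusion rule assumed above."""
    matched = set()
    for entry in entries:
        net = IPv4Network(entry)
        if net.prefixlen == 32:
            matched.add(net.network_address)
        else:
            matched.update(net.hosts())         # drops first and last address
    return matched

if __name__ == "__main__":
    for first, last in [("10.10.10.1", "10.10.10.10"),
                        ("192.168.32.197", "192.168.32.207")]:
        print(first, "-", last, "->", ", ".join(range_to_entries(first, last)))
```

Running `matched_addresses` over the generated entries and comparing the result with the intended range is a quick check before pasting a long list into the policy.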
Below are a couple of examples illustrating sample configurations.
Example 1
Configure the IP Filtering policy as per the below details:
- Allowed IP with Mask: 192.168.2.0/24,192.168.1.0/24
- Denied IP with Mask: 192.168.3.0/24,192.168.4.0/24
- IP Type: ipv4
- No Match Rule: allow
Figure 2: IP Filtering policy properties with values provided in Example 1
The above configuration will allow the IP addresses of the pattern 192.168.2.* and 192.168.1.*, and deny IP addresses of the pattern 192.168.3.* and 192.168.4.*.
IP addresses which do not fall into any of the values set in 'Allowed IP with Mask' and 'Denied IP with Mask' will be allowed/denied as per the value set in 'No Match Rule'. In this case (No Match Rule is set to 'allow'), they are allowed.
Example 2
Configure the IP Filtering policy as per the below details:
- Allowed IP with Mask: 192.168.2.5/27
- Denied IP with Mask: 192.168.2.0/24
- IP Type: ipv4
- No Match Rule: deny
Figure 3: IP Filtering policy properties with values provided in Example 2
Here, IP addresses in the range 192.168.2.1 – 192.168.2.30 have to be allowed as per the value set for 'Allowed IP with Mask'. But, the IP addresses of pattern 192.168.2.* have to be denied as per the value set for 'Denied IP with Mask'. When there is a conflict, 'No Match Rule' is considered. So, IP addresses of pattern 192.168.2.* will be denied as No Match Rule is set to 'deny'.
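A small model of the decision rules from Examples 1 and 2, as an added example (not Fiorano code), useful for checking a policy before deploying it. The function names and the dictionary layout are this example's own, and it assumes a masked entry does not match the first and last address of its block, as described in the range section.

```python
from ipaddress import ip_address, ip_network

def in_list(ip, entries):
    """True if ip matches any entry of a comma-separated IP/Mask string."""
    addr = ip_address(ip)
    for entry in entries.split(","):
        # strict=False accepts host bits in an entry: 192.168.2.5/27 -> 192.168.2.0/27
        net = ip_network(entry.strip(), strict=False)
        if net.num_addresses == 1:              # /32 (or /128): exactly one IP
            if addr == net.network_address:
                return True
        elif addr in net and addr not in (net.network_address, net.broadcast_address):
            return True
    return False

def decide(ip, policy):
    """Return 'allow' or 'deny' for ip under the rules the examples describe."""
    hit_allow = in_list(ip, policy["allowed"])
    hit_deny = in_list(ip, policy["denied"])
    if hit_allow != hit_deny:                   # exactly one list matched
        return "allow" if hit_allow else "deny"
    return policy["no_match"]                   # no match, or a conflict

def shadowed_allows(policy, probes):
    """Probe IPs that are on the allow list but still end up denied."""
    return [ip for ip in probes
            if in_list(ip, policy["allowed"]) and decide(ip, policy) != "allow"]

# Values copied from Example 1 and Example 2 above.
EXAMPLE_1 = {"allowed": "192.168.2.0/24,192.168.1.0/24",
             "denied": "192.168.3.0/24,192.168.4.0/24", "no_match": "allow"}
EXAMPLE_2 = {"allowed": "192.168.2.5/27",
             "denied": "192.168.2.0/24", "no_match": "deny"}

if __name__ == "__main__":
    # Constructed probe addresses, chosen for this example.
    for ip in ["192.168.1.20", "192.168.3.9", "10.1.1.1"]:
        print("Example 1", ip, decide(ip, EXAMPLE_1))
    for ip in ["192.168.2.10", "192.168.2.200", "10.1.1.1"]:
        print("Example 2", ip, decide(ip, EXAMPLE_2))
    print("Shadowed in Example 2:", shadowed_allows(EXAMPLE_2, ["192.168.2.1", "192.168.2.30"]))
```

With the Example 2 values every probe is denied, so the allow entry there has no effect; `shadowed_allows` lists such entries.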