NetScaler - Gateway vServer- Dropping packets from a specific Source
While talking with a citrixirc colleague, the question was brought up... "Is there a way to block 1 client from a vserver at the NetScaler level?"
The answer is "Yes". I am sure there are multiple ways to do this. I personally would use a "Responder Policy".
If you want to learn more about Citrix Responder Policies you can check out support.citrix.com.
Setting up a Responder Policy to drop a client
- Open up the GUI and go to "NetScaler Gateway > Virtual Servers"
- Open the vServer you would like to add the Responder Policy to.
- Click on the "Policies" tab
- Then click on the Responder button
- Click on Insert Policy at the bottom
- Then click on "New Policy..."
- Create the following Responder Policy
  - Name: rpol-%youpickaname%
    - You can use whichever naming convention you would like. I use "rpol" for my Responder Policies.
  - Action: DROP
  - Expression: CLIENT.IP.SRC.EQ(10.10.10.10)
    - Replace 10.10.10.10 with the IP you want to block.
- Click on "Create" and you should now see your Responder Policy under the Responder section.
If you want to verify from the NetScaler that it is being blocked, you could do something like:
- Enable logging
- SSH to your NetScaler and from shell run "nstcpdump.sh dst 10.10.10.10" to see what is happening with the packets.
- From the CLI run
  - show connectiontable "DESTIP eq 10.10.10.10"
If you wanted to do this all from the CLI, you could just do... (the add command needs the action, DROP, as its last argument)
add responder policy rpol-block-ip "CLIENT.IP.SRC.EQ(10.10.10.10)" DROP
bind vpn vserver My-vServer -policy rpol-block-ip -priority 100 -gotoPriorityExpression END -type REQUEST
Note: This only blocks new connections. Any existing connections will remain connected until they are forced to reconnect.
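As an added example (not from the original post), here is a small POSIX shell helper that validates a list of client sources and assembles the equivalent NetScaler CLI lines, so several hosts or whole subnets can be dropped by a single policy instead of one policy per address. The vServer name, policy name and priority are placeholders, and the use of CLIENT.IP.SRC.IN_SUBNET() for CIDR entries joined with || is an assumption about the policy expression language.

```shell
#!/bin/sh
# Generate "add responder policy" / "bind vpn vserver" lines for a block list.
# Assumed names (not from the post): My-vServer, rpol-block-ip, priority 100.

# Validate a dotted-quad IPv4 address (four octets, each 0-255).
valid_ipv4() {
  ip=$1
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $ip
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# Turn one entry (host IP or a.b.c.d/len) into a policy expression term.
source_term() {
  entry=$1
  case "$entry" in
    */*)
      addr=${entry%/*}; plen=${entry#*/}
      valid_ipv4 "$addr" || return 1
      case "$plen" in ''|*[!0-9]*) return 1 ;; esac
      [ "$plen" -le 32 ] || return 1
      printf 'CLIENT.IP.SRC.IN_SUBNET(%s)' "$entry" ;;
    *)
      valid_ipv4 "$entry" || return 1
      printf 'CLIENT.IP.SRC.EQ(%s)' "$entry" ;;
  esac
}

# Usage: block_commands <vserver> <policy> <priority> <source>...
# Rejects the whole list if any entry is malformed, so a typo never
# silently produces a policy that matches nothing.
block_commands() {
  vserver=$1; policy=$2; priority=$3; shift 3
  expr=''
  for entry in "$@"; do
    term=$(source_term "$entry") || { echo "invalid source: $entry" >&2; return 1; }
    if [ -z "$expr" ]; then expr=$term; else expr="$expr || $term"; fi
  done
  [ -n "$expr" ] || return 1
  printf 'add responder policy %s "%s" DROP\n' "$policy" "$expr"
  printf 'bind vpn vserver %s -policy %s -priority %s -gotoPriorityExpression END -type REQUEST\n' \
    "$vserver" "$policy" "$priority"
}

block_commands My-vServer rpol-block-ip 100 10.10.10.10 192.0.2.0/24
```

The printed lines can be pasted into the NetScaler CLI; as in the post, the policy only affects new requests, so existing sessions stay up until they reconnect.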