Forum Discussion
F5 iRule Geolocation restriction
Hello,
I want to know how I can restrict access to one specific country only via iRule.
For example: allow only users to access from "US" and block all other countries.
- David_S_Nimbostratus
I would make sure the LTM is updated with the latest GeoLocationUpdates from F5. Otherwise you will likely block valid US addresses.
Here is one very simple way to do this:
#
# Block_non_US_IP
#
# iRule to drop traffic that is not from US addresses
#
when CLIENT_ACCEPTED {
    # whereis returns the requested fields as a list, here "NA US" for a US address.
    # Parentheses are needed: "not" binds tighter than the comparison, so
    # "not [whereis ...] == ..." would negate the string before comparing it.
    if { not ([whereis [IP::client_addr] continent country] equals "NA US") } {
        log local0. "Connection from [IP::client_addr] [whereis [IP::client_addr] continent country] to [virtual name] [IP::local_addr] : Blocked."
        drop
    }
}
- AbdullahAlshehriAltostratus
Hello David,
Thank you for your reply.
Just to clarify more, I'm using F5 DNS/LTM and I will apply the iRule on the VS.
Also, I prefer to block the traffic when the TCP SYN or UDP packet comes from a non-US country. I got an iRule from clouddocs.f5 that may work:
when FLOW_INIT {
    set ipaddr [IP::client_addr]
    # Country code from the BIG-IP geolocation database; empty if the address is unknown.
    set locale [whereis $ipaddr country]
    log local0. "IP Address/Country $ipaddr/$locale"
    switch $locale {
        "US" { return }
        default { ACL::action drop }
    }
}
- David_S_Nimbostratus
That iRule might need AFM license.
- David_GillCirrus
when FLOW_INIT {
    #
    # Drop everything except US
    #
    if { ! ([whereis [IP::client_addr] country] equals "US") } {
        log -noname local0. "Dropping connection from [IP::client_addr]/[whereis [IP::client_addr] state country continent]"
        drop
    }
}
AFM not required.
- AbdullahAlshehriAltostratus
Hello David_Gill,
I tested the iRule which I mentioned early and it worked fine.
Is there any difference with the one which you mentioned?
- David_GillCirrus
Functionally they do the same thing; however, ACL::action drop requires AFM, whereas drop on its own does not, which means the snippet works for a larger audience. Switch is generally used when making more than one comparison (as shown at https://clouddocs.f5.com/api/irules/ACL__action.html), which is why I used a single if statement. There is no need to define any variables either. That said, in both cases the end result is the same.
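The iRules in this thread all share two operational gaps that bite in practice: whereis returns an empty string for addresses the geolocation database does not know (RFC 1918 space, freshly allocated ranges, or a stale database, which is David_S's point about keeping GeoLocationUpdates current), and a blanket country block has no way to exempt monitoring hosts or partner networks. The iRule below is an added example, not code from the thread or from F5; it handles both cases explicitly. The data group name geo_bypass_ips is a hypothetical name for an address-type data group you would create on the BIG-IP; using FLOW_INIT with plain drop follows David_Gill's post (no AFM needed).

```tcl
# Added example (not from the thread): allow only US clients, with an explicit
# exception list and an explicit decision for unresolvable addresses.
# geo_bypass_ips is an assumed address-type data group holding hosts/subnets
# that must always be admitted (monitoring, partners, admin networks).
when FLOW_INIT {
    set ip [IP::client_addr]

    # Exceptions first, so a stale geolocation database never locks out
    # your own monitoring or management sources.
    if { [class match $ip equals geo_bypass_ips] } {
        return
    }

    # Two-letter country code, or "" when the address is not in the database.
    set country [whereis $ip country]

    # Decide the unknown case deliberately instead of letting it fall into the
    # generic drop: here unknown is dropped but logged with its own reason, so
    # a database problem shows up distinctly in the logs.
    if { $country eq "" } {
        log local0. "geo-restrict: no geolocation data for $ip, dropping"
        drop
        return
    }

    if { $country ne "US" } {
        log local0. "geo-restrict: dropping $ip ($country)"
        drop
    }
}
```

Two notes on running this. Logging every dropped flow to local syslog is cheap until someone floods the virtual server from abroad, at which point the log line itself becomes the load; rate-limit it or switch to high-speed logging before putting this in front of anything internet-facing. And because the check runs on IP::client_addr, it only sees the address that opened the connection: if traffic reaches the virtual server through a CDN or upstream proxy, that address is the proxy's, and the country decision must be made on the forwarded client address in an HTTP event instead.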