
Forum Discussion

AbdullahAlshehri
Apr 26, 2022
Solved

F5 iRule Geolocation restriction

Hello,

I want to know how I can restrict access to one specific country only via an iRule.

For example: allow users to access only from "US" and block all other countries.

6 Replies

  • I would make sure the LTM is updated with the latest GeoLocationUpdates from F5. Otherwise you will likely block valid US addresses.

    Here is one very simple way to do this:

    #
    # Block_non_US_IP
    #
    # iRule to drop traffic that is not from US addresses
    #
    when CLIENT_ACCEPTED {
        # whereis returns "NA US" (continent and country) for US addresses;
        # an empty result (address not in the geolocation database) is also dropped
        if { not ([whereis [IP::client_addr] continent country] equals "NA US") } {
            log local0. "Connection from [IP::client_addr] [whereis [IP::client_addr] continent country] to [virtual name] [IP::local_addr] : Blocked."
            drop
        }
    }

    • AbdullahAlshehri

      Hello David,

      Thank you for your reply.

      Just to clarify more, I'm using F5 DNS/LTM and I will apply the iRule on the VS.

      Also, I prefer to block the traffic when a TCP SYN or UDP packet comes from a non-US country. I got an iRule from clouddocs.f5 that may work:

      when FLOW_INIT {
          set ipaddr [IP::client_addr]
          # ISO country code from the BIG-IP geolocation database (empty if unknown)
          set locale [whereis $ipaddr country]
          log local0. "IP Address/Country $ipaddr/$locale"
          switch -- $locale {
              "US" { return }
              # ACL::action requires the AFM module
              default { ACL::action drop }
          }
      }

  • when FLOW_INIT {
        #
        # Drop everything except US
        #
        # whereis returns "" for addresses not in the geolocation database,
        # so those are dropped as well (fail closed)
        if { ! ([whereis [IP::client_addr] country] equals "US") } {
            log -noname local0. "Dropping connection from [IP::client_addr]/[whereis [IP::client_addr] state country continent]"
            drop
        }
    }

    AFM not required.

    • AbdullahAlshehri

      Hello David_Gill,

      I tested the iRule which I mentioned earlier and it worked fine.

      Is there any difference with the one which you mentioned?


      • David_Gill

        Functionally they do the same thing; however, ACL::action drop requires AFM, whereas drop on its own does not, which means the snippet works for a larger audience. switch is generally used when making more than one comparison (as shown at https://clouddocs.f5.com/api/irules/ACL__action.html), which is why I used a single if statement. There is no need to define any variables either. That said, in both cases the end result is the same.
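The thread only covers a single hard-coded country. The following iRule, an added example that is not from the original thread or from F5's documentation, generalizes the same allow-list idea to several countries by keeping the permitted ISO country codes in a String data group instead of in the code, and it handles the case the replies above leave implicit: an address that the geolocation database cannot place (private ranges, a stale database) returns an empty string from whereis and is dropped rather than let through. The data group name geo_allowed_countries is an assumption; plain drop is used so AFM is not required.

```tcl
# Added example (not from the original thread or F5's docs): allow-list of
# several countries held in a String data group. The data group name
# geo_allowed_countries is hypothetical; it is assumed to contain records
# such as "US" and "CA". Uses plain drop, so AFM is not required.
when CLIENT_ACCEPTED {
    # Country code from the BIG-IP geolocation database; empty when the
    # address is not in the database (private ranges, stale database, etc.)
    set country [whereis [IP::client_addr] country]

    # Fail closed: an address we cannot place is treated as not allowed
    if { $country eq "" } {
        log local0. "Geo lookup failed for [IP::client_addr] to [virtual name]; dropping"
        drop
        return
    }

    # Allow only countries listed in the data group; everything else is dropped
    if { not [class match -- $country equals geo_allowed_countries] } {
        log local0. "Blocked [IP::client_addr] ($country) to [virtual name] [IP::local_addr]"
        drop
        return
    }
}
```

The data group can be created with tmsh, for example `create ltm data-group internal geo_allowed_countries type string records add { US { } CA { } }`, and countries are then added or removed without editing the iRule. Because the lookup fails closed, the advice earlier in the thread to keep the geolocation database updated matters here too: with an outdated database, legitimate addresses from newly allocated ranges will be dropped rather than allowed.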