Forum Discussion
F5 iRule Geolocation restriction
- Apr 28, 2022
when FLOW_INIT {
    #
    # Drop everything except US
    #
    if { ! ([whereis [IP::client_addr] country] equals "US") } {
        log -noname local0. "Dropping connection from [IP::client_addr]/[whereis [IP::client_addr] state country continent]"
        drop
    }
}
AFM not required.
I would make sure the LTM is updated with the latest GeoLocationUpdates from F5. Otherwise you will likely block valid US addresses.
Here is one very simple way to do this:
#
# Block_non_US_IP
#
# iRule to drop traffic that is not from US addresses
#
when CLIENT_ACCEPTED {
    # whereis with two location types returns a Tcl list, e.g. "NA US".
    # The comparison is parenthesised so that "not" negates the whole
    # string test rather than binding to the whereis result alone.
    if { not ([whereis [IP::client_addr] continent country] equals "NA US") } {
        log local0. "Connection from [IP::client_addr] [whereis [IP::client_addr] continent country] to [virtual name] [IP::local_addr] : Blocked."
        drop
    }
}
Hello David,
Thank you for your reply.
Just to clarify more, I'm using F5 DNS/LTM and I will apply the iRule on the VS.
Also, I prefer to block the traffic when a TCP SYN or UDP packet comes from a non-US country. I got an iRule from clouddocs.f5 that may work:
when FLOW_INIT {
    set ipaddr [IP::client_addr]
    set locale [whereis $ipaddr country]
    log local0. "IP Address/Country $ipaddr/$locale"
    switch $locale {
        "US" { return }
        default { ACL::action drop }
    }
}
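A hardened variant of the CLIENT_ACCEPTED approach from David's post, added here as an example and not taken from the thread or from F5's documentation. It addresses the stale-database caveat raised above in two ways: an explicit allow-list is checked before any geolocation lookup, and addresses with no geolocation record (whereis returns an empty string for those) are handled as a separate, logged decision instead of silently falling into the "not US" branch. The address-type data group name geo_allow_ips is an assumption; create it with the monitoring or partner addresses that must never be blocked.

```tcl
# Added example (not from the original posts). LTM-only: runs in
# CLIENT_ACCEPTED, so it applies to both TCP and UDP virtual servers.
# Assumption: an address-type data group named "geo_allow_ips" exists.
when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # 1. Allow-list first. A geolocation database that is out of date can
    #    misplace valid US ranges; known-good sources should never depend
    #    on the lookup. (Data group name is an assumption.)
    if { [class match $client equals geo_allow_ips] } {
        return
    }

    # 2. Look the country up once and keep the result.
    set country [whereis $client country]

    # 3. No record at all (private ranges, very new allocations, stale DB).
    #    Decide explicitly; here the policy is fail-closed with its own log
    #    line so these drops can be told apart from real non-US traffic.
    if { $country equals "" } {
        log local0. "No geolocation record for $client to [virtual name] [IP::local_addr]: Dropped"
        drop
        return
    }

    # 4. Country test. Parenthesised so "not" negates the whole comparison.
    if { not ($country equals "US") } {
        log local0. "Connection from $client ($country) to [virtual name] [IP::local_addr]: Dropped"
        drop
    }
}
```

Before enforcing, run it for a while with the drop commands commented out and review the log lines: any "No geolocation record" entries for addresses you expect to serve are a sign that the GeoLocationUpdates package on the box needs refreshing or that the address belongs in the allow-list.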