For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

AbdullahAlshehri's avatar
AbdullahAlshehri
Icon for Altostratus rankAltostratus
Apr 26, 2022
Solved

F5 iRule Geolocation restriction

Hello, I want to know how I can restrict the access to specific one country only via iRule. For example: allow only users to access from "US" and block all other countries.
application delivery
security
  • David_Gill's avatar
    David_Gill
    Apr 28, 2022
    when FLOW_INIT {

    #
    # Drop everything except US
    #
    if { ! ([whereis [IP::client_addr] country] equals "US") } {
        log -noname local0. "Dropping connection from [IP::client_addr]/[whereis [IP::client_addr] state country continent ]"
        drop
    } 
}

    AFM not required.

AbdullahAlshehri's avatar
AbdullahAlshehri
Icon for Altostratus rankAltostratus
Apr 29, 2022

Hello  David_Gill,

I tested the iRule which I mentioned early and it worked fine.

Is there any difference with the one which you mentioned?

 

David_Gill's avatar
David_Gill
Icon for Cirrus rankCirrus
Apr 29, 2022

Functionally they do the same thing however ACL::action drop requires AFM whereas drop on its own does not which means the snippet works for a larger audience. Switch is generally used when making more than one comparison (as shown at https://clouddocs.f5.com/api/irules/ACL__action.html) which is why I used a single if statement. There is no need to define any variables either. That said, in both cases the end result is the same.