Geo IP Blocking by iRule
Hello, I want to block incoming connections to my F5 LTM based on country code; for example, I want to allow US, CA, FR, DE, etc. and block the rest, and I also want to whitelist some IPs which are being blocked by the iRule (for instance, the iRule is blocking China but I want to whitelist an IP in China). I tried to use the policy option which is available on LTM, but it couldn't meet my requirements, so it looks like my best option is an iRule. Would you please help me to create an iRule based on my requirements?
Thanks
- RossVermette_14 (Nimbostratus)
This can easily be done via AFM (Firewall). Do you have that module provisioned?
Hi smrh1363,
you may take a look at the iRules below...
Bare metal iRule:
    when CLIENT_ACCEPTED {
        set ip_client_addr [getfield [IP::client_addr] "%" 1]
        if { ( [IP::addr $ip_client_addr equals "10.0.0.0/8"] )
          or ( [IP::addr $ip_client_addr equals "20.30.0.0/16"] )
          or ( [IP::addr $ip_client_addr equals "30.40.50.0/24"] )
          or ( [IP::addr $ip_client_addr equals "50.50.60.70/32"] ) } then {
            # Allowed by IP Whitelist
            set blocked_ip 0
        } else {
            switch -exact -- [whereis $ip_client_addr country] {
                "US" -
                "CA" -
                "FR" -
                "DE" {
                    # Allowed by GEO Whitelist
                    set blocked_ip 0
                }
                default {
                    # Default deny for everything else...
                    set blocked_ip 1
                }
            }
        }
    }
    when HTTP_REQUEST {
        if { $blocked_ip == 1 } then {
            # Sending access denied response...
            HTTP::respond 403 content "Access denied" "Content-Type" "text/text" "Connection" "close"
        }
    }
Depending on the dynamics and size of the Country and IP-Whitelist, it may be useful to put the configuration information into LTMs data-groups and use a [class match] syntax to lookup the configured values.
Data-Group based iRule:
    when CLIENT_ACCEPTED {
        set ip_client_addr [getfield [IP::client_addr] "%" 1]
        if { [class match $ip_client_addr equals "IP_WHITE_LIST"] } then {
            # Allowed by IP Whitelist
            set blocked_ip 0
        } elseif { [class match [whereis $ip_client_addr country] equals "GEO_WHITE_LIST"] } then {
            # Allowed by GEO Whitelist
            set blocked_ip 0
        } else {
            set blocked_ip 1
        }
    }
    when HTTP_REQUEST {
        if { $blocked_ip == 1 } then {
            # Sending access denied response...
            HTTP::respond 403 content "Access denied" "Content-Type" "text/text" "Connection" "close"
        }
    }
Data-Group configuration:
    ltm data-group internal GEO_WHITE_LIST {
        records {
            CA { }
            DE { }
            FR { }
            US { }
        }
        type string
    }
    ltm data-group internal IP_WHITE_LIST {
        records {
            10.0.0.0/8 { }
            20.30.0.0/16 { }
            30.40.50.0/24 { }
            40.50.60.70/32 { }
        }
        type ip
    }
Cheers, Kai
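The decision order in the iRules above (IP whitelist first, then the country whitelist, then default deny) is the part worth testing before it goes on a production virtual server. The following is an added Python reference model of that logic, not Kai's iRule and not anything that runs on BIG-IP: it lets you check the precedence offline against a table of addresses. The whitelist CIDRs and country codes are the ones from the data-group configuration above; the geo database is a constructed stand-in for `whereis ... country` using documentation prefixes (RFC 5737 / RFC 3849), and it returns an empty string for anything it cannot classify, which the model treats as the default-deny case. It also covers route-domain suffixes (`10.1.2.3%2`) and IPv6, which the post does not show explicitly.

```python
import ipaddress

# Whitelists copied from the IP_WHITE_LIST / GEO_WHITE_LIST data-groups in the post.
IP_WHITE_LIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "20.30.0.0/16", "30.40.50.0/24", "40.50.60.70/32")]
GEO_WHITE_LIST = {"US", "CA", "FR", "DE"}

# Constructed stand-in for the BIG-IP `whereis <addr> country` lookup.
# Documentation prefixes only; anything not listed maps to "" (unknown).
CONSTRUCTED_GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "FR",
    ipaddress.ip_network("2001:db8::/32"): "DE",
}


def whereis_country(addr):
    """Return the country code for addr, or "" when the database has no entry."""
    for net, cc in CONSTRUCTED_GEO_DB.items():
        if addr in net:  # `in` is False across IPv4/IPv6 versions, so no extra check
            return cc
    return ""


def strip_route_domain(client_addr):
    """Mirror [getfield [IP::client_addr] "%" 1]: drop a trailing %<route-domain>."""
    return client_addr.split("%", 1)[0]


def client_accepted(client_addr):
    """Model the CLIENT_ACCEPTED event: return (blocked, reason).

    Precedence: explicit IP whitelist beats the country check, and an address
    whose country is unknown falls through to the default deny (fail closed).
    """
    addr = ipaddress.ip_address(strip_route_domain(client_addr))
    if any(addr in net for net in IP_WHITE_LIST):
        return False, "ip-whitelist"
    country = whereis_country(addr)
    if country in GEO_WHITE_LIST:
        return False, "geo-whitelist:" + country
    return True, "default-deny:" + (country or "unknown")


def http_request(client_addr):
    """Model the HTTP_REQUEST event: 403 when blocked_ip was set, otherwise 200."""
    blocked, _ = client_accepted(client_addr)
    return 403 if blocked else 200


if __name__ == "__main__":
    # Constructed sample clients covering each branch of the decision.
    for sample in ("10.1.2.3%2", "40.50.60.70", "40.50.60.71",
                   "198.51.100.9", "203.0.113.5", "2001:db8::1", "172.16.0.1"):
        blocked, reason = client_accepted(sample)
        print(f"{sample:16} -> {'BLOCK' if blocked else 'allow':5}  {reason}  "
              f"HTTP {http_request(sample)}")
```

Running the model shows that the whitelist is evaluated before the country lookup (so an address inside a whitelisted prefix is allowed even when its country would be denied), and that anything the geo lookup cannot classify is denied rather than silently allowed.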