Forum Discussion

smrh1363_179625
Jan 15, 2019

Geo IP Blocking by iRule

Hello, I want to block incoming connections to my F5 LTM based on country code; for example, I want to allow US, CA, FR, DE, etc. and block the rest, and I also want to whitelist some IPs which are being blocked by the iRule (for instance, the iRule is blocking China but I want to whitelist an IP in China). I tried to use the policy option which is available on LTM but it couldn't meet my requirements, so it looks like my best option is an iRule. Would you please help me create an iRule based on my requirements?

 

Thanks

 

  • Hi smrh1363,

    you may take a look at the iRules below...

    Bare metal iRule:

    when CLIENT_ACCEPTED {
        # Strip a route-domain suffix ("%<id>") before any address comparison
        set ip_client_addr [getfield [IP::client_addr] "%" 1]
        if { ( [IP::addr $ip_client_addr equals "10.0.0.0/8"] )
          or ( [IP::addr $ip_client_addr equals "20.30.0.0/16"] )
          or ( [IP::addr $ip_client_addr equals "30.40.50.0/24"] )
          or ( [IP::addr $ip_client_addr equals "50.50.60.70/32"] ) } then {
            # Allowed by IP Whitelist
            set blocked_ip 0
        } else {
            switch -exact -- [whereis $ip_client_addr country] {
                "US" - "CA" - "FR" - "DE" {
                    # Allowed by GEO Whitelist
                    set blocked_ip 0
                }
                default {
                    # Default deny for everything else...
                    set blocked_ip 1
                }
            }
        }
    }
    when HTTP_REQUEST {
        if { $blocked_ip == 1 } then {
            # Sending access denied response...
            HTTP::respond 403 content "Access denied" "Content-Type" "text/text" "Connection" "close"
        }
    }
    

    Depending on the dynamics and size of the Country and IP-Whitelist, it may be useful to put the configuration information into LTMs data-groups and use a [class match] syntax to lookup the configured values.

    Data-Group based iRule:

    when CLIENT_ACCEPTED {
        # Strip a route-domain suffix ("%<id>") before any lookup
        set ip_client_addr [getfield [IP::client_addr] "%" 1]
        if { [class match $ip_client_addr equals "IP_WHITE_LIST"] } then {
            # Allowed by IP Whitelist
            set blocked_ip 0
        } elseif { [class match [whereis $ip_client_addr country] equals "GEO_WHITE_LIST"] } then {
            # Allowed by GEO Whitelist
            set blocked_ip 0
        } else {
            # Default deny for everything else
            set blocked_ip 1
        }
    }
    when HTTP_REQUEST {
        if { $blocked_ip == 1 } then {
            # Sending access denied response...
            HTTP::respond 403 content "Access denied" "Content-Type" "text/text" "Connection" "close"
        }
    }
    

    Data-Group configuration:

    ltm data-group internal GEO_WHITE_LIST {
        records {
            CA { }
            DE { }
            FR { }
            US { }
        }
        type string
    }
    ltm data-group internal IP_WHITE_LIST {
        records {
            10.0.0.0/8 { }
            20.30.0.0/16 { }
            30.40.50.0/24 { }
            40.50.60.70/32 { }
        }
        type ip
    }
    

    Cheers, Kai
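As an added example, not part of Kai's answer or of any F5-supplied iRule, the following variant of the data-group based iRule shows two things a defender usually wants on top of the allow/deny decision: a log line for every denied connection (source address, resolved country, virtual server), and explicit handling of the case where `whereis` returns an empty string because the source is private/unroutable or missing from the GeoIP database. It assumes the same two data-groups, GEO_WHITE_LIST (type string) and IP_WHITE_LIST (type ip), as in the answer above; the "UNKNOWN" label and the log message format are choices made for this example.

```tcl
# Added example (not the answer's own iRule). Assumes the data-groups
# GEO_WHITE_LIST (country codes, type string) and IP_WHITE_LIST
# (allowed networks, type ip) exist as shown in the answer above.
when CLIENT_ACCEPTED {
    # Strip a route-domain suffix ("%<id>") before any lookup
    set ip_client_addr [getfield [IP::client_addr] "%" 1]

    # whereis returns "" when the GeoIP database has no entry for the
    # source (RFC 1918 space, unroutable ranges, stale database).
    # Give that case an explicit label so it is visible in the logs
    # and never accidentally matches a data-group record.
    set country [whereis $ip_client_addr country]
    if { $country eq "" } {
        set country "UNKNOWN"
    }

    if { [class match $ip_client_addr equals IP_WHITE_LIST] } {
        # Explicit IP allow-list wins even when the country is denied
        # (the "one host in a blocked country" case from the question)
        set blocked_ip 0
    } elseif { [class match $country equals GEO_WHITE_LIST] } {
        set blocked_ip 0
    } else {
        # Default deny, including country == UNKNOWN
        set blocked_ip 1
        # One line per denied TCP connection (not per HTTP request),
        # which keeps the audit trail readable under a burst of hits
        log local0. "geo-deny src=$ip_client_addr country=$country vs=[virtual name]"
    }
}

when HTTP_REQUEST {
    if { $blocked_ip } {
        HTTP::respond 403 content "Access denied" "Content-Type" "text/plain" "Connection" "close"
        return
    }
}
```

Two points worth keeping in mind when deploying either version. First, because the denial is issued in HTTP_REQUEST, a client from a denied country still completes the TCP handshake and receives a 403; if the goal is to spend no resources on such connections at all, calling `reject` in the CLIENT_ACCEPTED else-branch instead of setting a flag closes the connection before any request is read (at the cost of the client seeing no explanation). Second, private and unroutable sources resolve to no country, so any health-monitor or internal traffic that reaches this virtual server must be covered by IP_WHITE_LIST or it will be denied as UNKNOWN; the log line above makes that misconfiguration easy to spot.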