Forum Discussion
smrh1363_179625
Jan 15, 2019 (Nimbostratus)
Geo IP Blocking by iRule
Hello
I want to block incoming connections to my F5 LTM based on country code, e.g. I want to allow US, CA, FR, DE etc. and block the rest, and I also want to whitelist some IPs which are being bl...
Kai_Wilke
Jan 15, 2019 (MVP)
Hi smrh1363,
you may take a look at the iRules below...
Bare metal iRule:
when CLIENT_ACCEPTED {
    # Strip a trailing %<route-domain-id> so IP::addr gets a plain address
    set ip_client_addr [getfield [IP::client_addr] "%" 1]
    if { ( [IP::addr $ip_client_addr equals "10.0.0.0/8"] )
      or ( [IP::addr $ip_client_addr equals "20.30.0.0/16"] )
      or ( [IP::addr $ip_client_addr equals "30.40.50.0/24"] )
      or ( [IP::addr $ip_client_addr equals "50.50.60.70/32"] ) } then {
        # Allowed by IP Whitelist
        set blocked_ip 0
    } else {
        switch -exact -- [whereis $ip_client_addr country] {
            "US" - "CA" - "FR" - "DE" {
                # Allowed by GEO Whitelist
                set blocked_ip 0
            }
            default {
                # Default deny for everything else...
                set blocked_ip 1
            }
        }
    }
}
when HTTP_REQUEST {
    if { $blocked_ip == 1 } then {
        # Sending access denied response...
        HTTP::respond 403 content "Access denied" "Content-Type" "text/text" "Connection" "close"
    }
}
Depending on the dynamics and size of the Country and IP-Whitelist, it may be useful to put the configuration information into LTM's data-groups and use a [class match] syntax to look up the configured values.
Data-Group based iRule:
when CLIENT_ACCEPTED {
    # Strip a trailing %<route-domain-id> so class match gets a plain address
    set ip_client_addr [getfield [IP::client_addr] "%" 1]
    if { [class match $ip_client_addr equals "IP_WHITE_LIST"] } then {
        # Allowed by IP Whitelist
        set blocked_ip 0
    } elseif { [class match [whereis $ip_client_addr country] equals "GEO_WHITE_LIST"] } then {
        # Allowed by GEO Whitelist
        set blocked_ip 0
    } else {
        # Default deny for everything else...
        set blocked_ip 1
    }
}
when HTTP_REQUEST {
    if { $blocked_ip == 1 } then {
        # Sending access denied response...
        HTTP::respond 403 content "Access denied" "Content-Type" "text/text" "Connection" "close"
    }
}
Data-Group configuration:
ltm data-group internal GEO_WHITE_LIST {
    records {
        CA { }
        DE { }
        FR { }
        US { }
    }
    type string
}
ltm data-group internal IP_WHITE_LIST {
    records {
        10.0.0.0/8 { }
        20.30.0.0/16 { }
        30.40.50.0/24 { }
        40.50.60.70/32 { }
    }
    type ip
}
Cheers, Kai
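To check the evaluation order of the data-group iRule above before putting it on a BIG-IP, the following is an added Python model of the same decision logic; it is not F5 code and not part of Kai's answer. It reproduces the three steps (strip the route-domain suffix, IP whitelist first, then country whitelist, then default deny) and treats an unresolvable country as a deny, the same way an empty `whereis` result would fall through to the `else` branch. The data-group contents are taken from the post; `GEO_DB` is a constructed stand-in for the geolocation database, and the addresses in it are documentation ranges, not real country assignments.

```python
import ipaddress

# Stand-ins for the two LTM data-groups from the post (same records).
IP_WHITE_LIST = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "20.30.0.0/16", "30.40.50.0/24", "40.50.60.70/32")
]
GEO_WHITE_LIST = {"US", "CA", "FR", "DE"}

# Constructed geolocation table standing in for [whereis <ip> country].
# Hypothetical mapping of documentation prefixes to country codes.
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "FR",
    ipaddress.ip_network("198.51.100.0/24"): "RU",
}


def strip_route_domain(addr: str) -> str:
    """Mimic [getfield [IP::client_addr] "%" 1]: drop a trailing %<route-domain-id>."""
    return addr.split("%", 1)[0]


def lookup_country(ip: ipaddress._BaseAddress) -> str:
    """Return the country code for ip, or "" when the database has no entry
    (private ranges, unallocated space, or an IPv6 client against a v4-only table)."""
    for net, country in GEO_DB.items():
        if ip in net:  # ipaddress returns False on an IPv4/IPv6 version mismatch
            return country
    return ""


def decide(client_addr: str) -> str:
    """Return which branch of the iRule the connection takes:
    'ip-whitelist', 'geo-whitelist' or 'deny'."""
    ip = ipaddress.ip_address(strip_route_domain(client_addr))
    # Step 1: explicit IP whitelist wins regardless of geolocation.
    if any(ip in net for net in IP_WHITE_LIST):
        return "ip-whitelist"
    # Step 2: country whitelist; "" never matches, so unknown origin falls through.
    if lookup_country(ip) in GEO_WHITE_LIST:
        return "geo-whitelist"
    # Step 3: default deny for everything else.
    return "deny"


def is_blocked(client_addr: str) -> bool:
    """True when the HTTP_REQUEST event would answer with the 403."""
    return decide(client_addr) == "deny"


if __name__ == "__main__":
    # Constructed sample client addresses, including one carrying a route-domain suffix.
    for addr in ("10.1.2.3%2", "203.0.113.9", "198.51.100.7", "8.8.8.8", "2001:db8::1"):
        print(f"{addr:18} -> {decide(addr)}")
```

Running the module prints the branch taken per client, which is handy for writing a log line or a unit test per data-group change; `decide` also shows why the IP whitelist must be evaluated first, since a whitelisted address in a non-whitelisted country would otherwise be denied.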