For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

smrh1363_179625's avatar
smrh1363_179625
Icon for Nimbostratus rankNimbostratus
Jan 15, 2019

Geo IP Blocking by iRule

Hello I want to block incoming connection to my F5 LTM based on country code, like i want to allow US,CA,FR,DE and etc and block the rest and also i want to whitelist some IPs which they are being bl...
application delivery
iRules
LTM
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Jan 15, 2019

Hi smrh1363,

you may take a look to the iRule belows...

Bare metal iRule: 

when CLIENT_ACCEPTED {
    set ip_client_addr [getfield [IP::client_addr] "%" 1]
    if { ( [IP::addr $ip_client_addr equals "10.0.0.0/8"] )
      or ( [IP::addr $ip_client_addr equals "20.30.0.0/16"] )
      or ( [IP::addr $ip_client_addr equals "30.40.50.0/24"] )
      or ( [IP::addr $ip_client_addr equals "50.50.60.70/32"] ) } then {   
         Allowed by IP Whitelist
        set blocked_ip 0
    } else { 
        switch -exact -- [whereis $ip_client_addr country] {
            "US" - "CA" - "FR" - "DE" {
                 Allowed by GEO Whitelist
                set blocked_ip 0
            }
            default {
                 Default deny for everything else...
                set blocked_ip 1
            }
        }
    }
}
when HTTP_REQUEST {
    if { $blocked_ip == 1 } then {
         Sending access denied response...
        HTTP::respond 403 content "Access denied" "Content-Type" "text/text" "Connection" "close"
    }
}

Depending on the dynamics and size of the Country and IP-Whitelist, it may be useful to put the configuration information into LTMs data-groups and use a 

[class match]
syntax to lookup the configured values.

Data-Group based iRule:

when CLIENT_ACCEPTED {
    set ip_client_addr [getfield [IP::client_addr] "%" 1]
    if { [class match $ip_client_addr equals "IP_WHITE_LIST"] } then {
         Allowed by IP Whitelist 
        set blocked_ip 0
    } elseif  { [class match [whereis $ip_client_addr country] equals "GEO_WHITE_LIST"] } then {
         Allowed by GEO Whitelist
        set blocked_ip 0
    } else {
        set blocked_ip 1
    }
}
when HTTP_REQUEST {
    if { $blocked_ip == 1 } then {
         Sending access denied response...
        HTTP::respond 403 content "Access denied" "Content-Type" "text/text" "Connection" "close"
    }
}

Data-Group configuration:

ltm data-group internal GEO_WHITE_LIST {
    records {
        CA { }
        DE { }
        FR { }
        US { }
    }
    type string
}
ltm data-group internal IP_WHITE_LIST {
    records {
        10.0.0.0/8 { }
        20.30.0.0/16 { }
        30.40.50.0/24 { }
        40.50.60.70/32 { }
    }
    type ip
}

Cheers, Kai