Forum Discussion

Justin_S
Apr 11, 2014

GeoIP Whitelist iRule

I have been working on a GeoIP whitelist rule to filter traffic to a website. I created a very basic rule, but it's not scalable and even less efficient. What I am trying to accomplish is referencing a data group, allowed_country, that I can add country codes to, allowing access. Also, I do not want to block traffic from RFC1918 private IP space, so I would also want to add those. Any suggestions or assistance would be much appreciated.

when CLIENT_ACCEPTED {
    # Compares the client's country code against the literal string
    # "allowed_country", not a data group of that name (the part that
    # needs to scale). Tcl's expr has no "not" keyword; "!" negates.
    if { ! ([whereis [IP::client_addr] country] eq "allowed_country") } {
        # do nothing; connection continues to the default pool
        return
    } elseif { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
        # RFC1918 space: do nothing, send to default pool
        return
    } elseif { [IP::addr [IP::client_addr] equals 172.16.0.0/12] } {
        # RFC1918 space: do nothing
        return
    } else {
        reject
    }
}
  • Assuming you have your data group called 'allowed_country' and it's populated with countries you wish to allow access to, then this iRule should work for you:

    when CLIENT_ACCEPTED {
     # class match without -value returns a boolean (1 on a match, 0 otherwise);
     # with -value it would return the matched entry's value, which is empty
     # for key-only data groups and cannot be negated with "!"
     if { ! [class match [whereis [IP::client_addr] country] equals allowed_country] } {
      reject
     }
    }
    
  • I'm not sure if you have ASM, but if you do, you could use its built-in geolocation features (no iRule needed)...that might be a good option for you as well.


  • Hi!

    There is a great article with a post from hoolio about using the free geo DB within BIG-IP. It's limited to country and city, I think, but I have a form of the rule running on APM/LTM...

    https://devcentral.f5.com/questions/restrict-access-based-on-country-using-ltm-or-asm

    Thanks,

    B

  • Just be aware of this little issue I have running the rule and what's being shown in my logs...

    Apr 11 16:04:54 ns info tmm[10426]: Rule /Common/UK_allow : Washington172.32.0.65
    Apr 11 16:04:57 ns info tmm1[10426]: Rule /Common/UK_allow : Washington172.32.0.65

    For some reason "172.32" addresses are based in Washington, well not exactly... a PC sitting next to my BIG-IP ;)

    Thanks,

    B

    • 
      Dave_R_20182
      172.32.0.65 is in public address space. The RFC1918 range you're thinking of is 172.16.0.0 to 172.31.255.255 (172.16.0.0/12). I'd re-IP your server :)
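The whitelist decision the thread arrives at (allow RFC1918 clients, then allow by country data group, otherwise reject) modelled in Python so the 172.32 boundary Dave points out can be checked offline. This is an added example, not code from the thread or from F5: the country lookup is a constructed stub standing in for BIG-IP's whereis, the allowed set stands in for the allowed_country data group, and all addresses are constructed sample values.

```python
# Added example (not from the thread): the GeoIP whitelist decision, with an
# exact RFC1918 check, so that 172.32.0.65 can be seen to fall outside the /12.
import ipaddress

# RFC1918 private ranges. 172.16.0.0/12 ends at 172.31.255.255, so 172.32.x.x
# is public address space and will be geolocated.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed stand-in for the "allowed_country" data group. Use the same
# two-letter codes the geolocation lookup returns (GB for the UK, not "UK").
ALLOWED_COUNTRIES = {"GB"}

# Constructed stand-in for `whereis [IP::client_addr] country`; a real
# deployment calls the BIG-IP geolocation DB. Unknown addresses map to "".
GEO_STUB = {
    "203.0.113.7": "GB",
    "198.51.100.9": "FR",
    "172.32.0.65": "US",   # the "Washington" hit from the thread's log lines
}


def is_rfc1918(addr: str) -> bool:
    """True if the address lies inside one of the three RFC1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def lookup_country(addr: str) -> str:
    """Stub geolocation; returns "" when the address is not in the stub."""
    return GEO_STUB.get(addr, "")


def decide(addr: str, allowed=ALLOWED_COUNTRIES) -> str:
    """Return 'allow' or 'reject' in the order the original poster wanted:
    private space first (never geolocated), then the country whitelist."""
    if is_rfc1918(addr):
        return "allow"
    if lookup_country(addr) in allowed:
        return "allow"
    return "reject"


def log_line(addr: str) -> str:
    """Constructed log line in the spirit of the thread's UK_allow entries."""
    country = lookup_country(addr) or "unknown"
    return f"Rule /Common/UK_allow : {country} {addr} -> {decide(addr)}"


if __name__ == "__main__":
    for a in ["10.1.2.3", "172.31.255.255", "172.32.0.65",
              "203.0.113.7", "198.51.100.9", "192.0.2.1"]:
        print(log_line(a))
```

With a UK-only whitelist the 172.32.0.65 host is rejected because it is public space and geolocates to the US; changing the allowed set to include US, or re-addressing the host into 172.16.0.0/12 as Dave suggests, lets it through. An address the lookup cannot place returns "" and is rejected, which is the safe default for a whitelist.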