Forum Discussion
GeoIP Whitelist iRule
I have been working on a GeoIP whitelist rule to filter traffic to a website. I created a very basic rule, but it's not scalable and even less efficient. What I am trying to accomplish is referencing a data group, allowed_country, that I can add country codes to, allowing access. Also, I do not want to block traffic from RFC1918 private IP space, so I would also want to add those. Any suggestions or assistance would be much appreciated.
when CLIENT_ACCEPTED {
    # Country code returned by the GeoIP lookup is compared against the
    # literal string "allowed_country" rather than against a data group.
    if { not ([whereis [IP::client_addr] country] eq "allowed_country") } {
        # do nothing
        return
    } elseif { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
        # do nothing, send to default pool
        return
    } elseif { [IP::addr [IP::client_addr] equals 172.16.0.0/12] } {
        # do nothing
        return
    } else {
        reject
    }
}
- Cory_50405 (Noctilucent)
Assuming you have your data group called 'allowed_country' and it's populated with countries you wish to allow access to, then this iRule should work for you:
when CLIENT_ACCEPTED {
    # class match (without -value) returns 1 on a hit and 0 otherwise, so a
    # country code that is not in the data group, or an empty code for an
    # address the GeoIP DB does not know, is rejected. With -value the
    # command would return an empty string on a miss, which "!" cannot
    # evaluate as a boolean.
    if { ! [class match [whereis [IP::client_addr] country] equals allowed_country] } {
        reject
    }
}
- ltwagnon (Ret. Employee)
I'm not sure if you have ASM, but if you do, you could use its built-in geolocation features (no iRule needed)...that might be a good option for you as well.
- bboyjnr_8532 (Cirrus)
Hi!
There is a great article with a post from hoolio about using the free geo DB within BIG-IP. It's limited to country and city, I think, but I have a form of the rule running on APM/LTM...
https://devcentral.f5.com/questions/restrict-access-based-on-country-using-ltm-or-asm
Thanks,
B
- bboyjnr_8532 (Cirrus)
Just be aware of this little issue I have running the rule and what's being shown in my logs...
Apr 11 16:04:54 ns info tmm[10426]: Rule /Common/UK_allow : Washington172.32.0.65
Apr 11 16:04:57 ns info tmm1[10426]: Rule /Common/UK_allow : Washington172.32.0.65
For some reason "172.32" addresses are based in Washington. Well, not exactly... a PC sitting next to my BIG-IP ;)
thanks,
B
- Dave_R_20182 (Nimbostratus)
172.32.0.65 is in public address space. The RFC1918 range you're thinking of is 172.16.0.0 to 172.31.255.255 (172.16.0.0/12). I'd re-IP your server :)
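Putting Cory's data-group lookup together with Dave's RFC1918 correction, here is an added example iRule (not code from anyone in this thread) that first bypasses private source addresses through an address-type data group and then applies the country allowlist, failing closed when GeoIP has no answer. The data group names allowed_country and private_nets, the tmsh commands in the comments, and the log prefix are assumptions.

```tcl
# Added example, not from the thread. Assumed data groups, created with tmsh:
#   tmsh create ltm data-group internal allowed_country type string \
#       records add { US { } GB { } }
#   tmsh create ltm data-group internal private_nets type ip \
#       records add { 10.0.0.0/8 { } 172.16.0.0/12 { } 192.168.0.0/16 { } }
# Adding a country or a network means adding a record, not editing the rule.
when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # 1. RFC1918 bypass. An address-type data group does CIDR containment, so
    #    172.16.0.0/12 covers 172.16.0.0 through 172.31.255.255 only; a host at
    #    172.32.0.65 (as in the log above) falls through to the GeoIP check.
    if { [class match $client equals private_nets] } {
        return
    }

    # 2. Country lookup. whereis returns the ISO country code, or an empty
    #    string when the address is not in the GeoIP database.
    set country [whereis $client country]

    # 3. Allowlist check. An empty code never matches a record, so unknown
    #    sources are rejected rather than silently allowed (fail closed).
    if { [class match $country equals allowed_country] } {
        return
    }

    # Log prefix is an assumption; local0 writes to /var/log/ltm.
    log local0. "geo_allow: rejected $client country=\"$country\""
    reject
}
```

CLIENT_ACCEPTED sees the TCP peer address, so if the virtual server sits behind a CDN or reverse proxy the rule evaluates the proxy's address, not the end user's. Moving the check into HTTP_REQUEST and reading X-Forwarded-For is the usual alternative, but that header is client-controlled and should only be trusted when the connection comes from a known proxy address (which the same private_nets style data group can enforce).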