Nimbostratus

Oct 16, 2012

Geolocation Irule

Hi All ;

i have the following irule :

when CLIENT_ACCEPTED {

if {[ whereis [IP::client_addr] country] eq US ] or [IP::addr [IP::client_addr] equals 10.7.10.1]}

{

set allowed 1

}

else { set allowed 0 }

}

when HTTP_REQUEST {

if { $allowed eq 1 } {

Uncomment the line below to turn on logging.

log local0. "Valid client IP: [IP::client_addr]"

}

else {

HTTP::respond 403 content "Not Allowed"}

}

but after applying it it seems that it accept the second portion (IP::client_addr] eq 1.1.1.34) and not Accept the first one (Country) .

could you please help me on this and also itf there is a way to create a data group for countries ?

Thank you

What_Lies_Bene1
Cirrostratus
Oct 16, 2012
This line needs some rounded brackets;

if { (([ whereis [IP::client_addr] country] eq US ]) or ([IP::addr [IP::client_addr] equals 10.7.10.1])) }

And yes, you could create and reference a data group for countries. If there are only a few a switch statement might be better;

https://devcentral.f5.com/Tutorials...-v101.aspx
mbamusa_59409
Nimbostratus
Oct 16, 2012
thank you Steve for your kind reply .

can you write an example for countries datagroup ,Please as i couldn't understand it from provided link .

your kind support is highly appreciated .

M. Bamusa
What_Lies_Bene1
Cirrostratus
Oct 16, 2012
You're welcome. I'd write an example but I'm just waiting for member nitass to jump in and do a better job than me ;-)

nitass

Employee

Oct 16, 2012

e.g.

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
   set allowed 0
   if { [class match -- [whereis [IP::client_addr] country] equals country_list] or \
        [IP::addr [IP::client_addr] equals 10.7.10.1] } {
      set allowed 1
   }
}

when HTTP_REQUEST {
   if { $allowed } {
       do something
   } else {
       do something
   }
}
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group internal country_list
ltm data-group internal country_list {
    records {
        SG { }
        US { }
    }
    type string
}

hooleylist
Cirrostratus
Oct 16, 2012
Nice example Nitass. Also, if you're using just one country, I think you need to put it in quotes:

{[whereis [IP::client_addr] country] eq "US"]

Aaron
What_Lies_Bene1
Cirrostratus
Oct 16, 2012
Thanks nitass!
mbamusa_59409
Nimbostratus
Oct 16, 2012
thank you guys for your kind inputs ,i'll try to test it tomorrow and get back with the result .

regards

M. Bamusa
mbamusa_59409
Nimbostratus
Oct 17, 2012
Hi Guys ,

the following irule works fine :

when CLIENT_ACCEPTED {

set allowed 0

if { [ class match -- [whereis [IP::client_addr] country] eq Allowed_list] or [ IP::addr [IP::client_addr] equals 10.7.10.1 ] } {

set allowed 1 }

}

when HTTP_REQUEST {

if { $allowed == 0 } {

HTTP::respond 403 content "Blocked!"}

}

i appreciate your kind support .

Regards

M. Bamusa
- Naumin_Dave_144
  Nimbostratus
  Sep 02, 2015
  Hi Bamusa, I am trying to achieve something like this only. I have one quarry for you. Can you just tell me for above Irule, how can we add country in "Allowed_list" data group? My requirement is I want to publish one application over internet for India Users only.

Arie

Altostratus

Sep 02, 2015

If the only condition you're checking for is "India" it would be better to not use a data class due to the overhead.

when CLIENT_ACCEPTED {

    set allowed 0

    if {  [whereis [IP::client_addr] country] eq "IN" } {

        set allowed 1 

    }

}

when HTTP_REQUEST {

    if { $allowed == 0 } {

        HTTP::respond 403 content "Blocked!"

    }

}

Naumin_Dave_144
Nimbostratus
Sep 03, 2015
Hi Arie,

I tested this Irule as well. But it is exactly doing opposite of my requirement. Meaning For India Users, It is not opening and sending page with "Blocked!" and for other country users page is opening.. I am working on it but need your help too for doing same.
- Stanislas_Piro2
  Cumulonimbus
  Sep 03, 2015
  I confirm this irule allow only from India... Perhaps, the public IP you are using is not assigned to India. Check the localisation database on your F5 with the command: geoip_lookup [your Public IP]
- Naumin_Dave_144
  Nimbostratus
  Sep 03, 2015
  Thanks for your Instant reply... I have already checked location issue. I have two M/C. 1 with DNS address 4.2.2.2 and another with DNS address 121.242.190.211. [root@ltm:Active:Standalone] config geoip_lookup 121.242.190.211 Will attempt to lookup ip '121.242.190.211' No database specified. opening database in /shared/GeoIP/F5GeoIP.dat size of geoip database = 73530756, segments = 16252928, version = GEO-148 20150806 Build 1 Copyright (c) F5 Networks Inc All Rights Reserved geoip_seek = 00f8da67 geoip record ip = 121.242.190.211 country_code = IN country_name = India region_name = Maharashtra continent_code = AS [root@ltm:Active:Standalone] config geoip_lookup 4.2.2.2 Will attempt to lookup ip '4.2.2.2' No database specified. opening database in /shared/GeoIP/F5GeoIP.dat size of geoip database = 73530756, segments = 16252928, version = GEO-148 20150806 Build 1 Copyright (c) F5 Networks Inc All Rights Reserved geoip_seek = 00fb6de1 geoip record ip = 4.2.2.2 country_code = US country_name = United States region_name = Colorado continent_code = NA

Forum Discussion

Geolocation Irule

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

iRULE to allow active sync access only for certain geolocation

Geolocation irule multiple redirect error

irule ports

How can I skip ONLY Geolocation within ASM_REQUEST_VIOLATION if there is more than one Violation?

Geolocation redirection for external published DNS

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS