Forum Discussion

jlb4350's avatar
jlb4350
Icon for Cirrus rankCirrus
Jul 19, 2022

Help tweaking my iRule

Hello all. I have an oubound virtual server that allows all traffic and protocols to any address, it's a wildcard outbound. I'm wanting to use an iRule to block outbound connections to Russia using data referenced in a data group. I created the following data group and iRule, but it ended up blocking everything when I attached it to my wildcard outbound VS. Are there any iRule gurus could can help me tweak this? Any help is much appreciated!

Data group:

iRule:

security
  • David_Larsen's avatar
    David_Larsen
    Jul 19, 2022

    The iRule is slightly wrong in that it is trying to pull out a value of RU and then matching the IP address to the value which would never happen.  I would use the framework set in the support article and do something like this:

    when SERVER_CONNECTED {
    set ipaddr [IP::remote_addr]
    set fromCountry [whereis $ipaddr country]
    if { [class match $fromCountry equals GeoIPOutboundBlockRussia] } {
         log local0. "Attacker IP [IP::client_addr]"  ;#  This can be removed/commented out if not required
         drop
    }
}

     

    • jlb4350's avatar
      jlb4350
      Icon for Cirrus rankCirrus
      Jul 19, 2022

      Interesting. So I should just put RU in the string field and nothing in the value field, and that will be my string record, like this:


      How about the iRule, does that part look alright?

      Thank you for your reply and help!

      • David_Larsen's avatar
        David_Larsen
        Icon for Employee rankEmployee
        Jul 19, 2022

        The iRule is slightly wrong in that it is trying to pull out a value of RU and then matching the IP address to the value which would never happen.  I would use the framework set in the support article and do something like this:

        when SERVER_CONNECTED {
    set ipaddr [IP::remote_addr]
    set fromCountry [whereis $ipaddr country]
    if { [class match $fromCountry equals GeoIPOutboundBlockRussia] } {
         log local0. "Attacker IP [IP::client_addr]"  ;#  This can be removed/commented out if not required
         drop
    }
}

         

  • jlb4350's avatar
    jlb4350
    Icon for Cirrus rankCirrus
    Jul 29, 2022

    Sorry for the late reply, I've been traveling.

    I ended up piecing together a few iRules that I found to come up with this and it works perfectly. I may tweak it in the future, but this is working. It involves the countries to block access to in a data group and the iRule to reference that group:

  • jlb4350's avatar
    jlb4350
    Icon for Cirrus rankCirrus
    Jul 19, 2022

    Perfect, I'll give that a try and see what happens tonight. I'll report back, thank you again for your help!