Forum Discussion
iRule - Using GeoIP to block/allow externally, and allow internal 10.0.0.0/8 subnets.
This should work.
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals allowed_internal_subnets] } {
        log local0. "Internal Clients allowed: [IP::client_addr]"
        pool MY_POOL
    }
}
when FLOW_INIT {
    set ipaddr [IP::client_addr]
    set fromCountry [whereis $ipaddr country]
    if { ![class match $fromCountry equals allowed_geoip_datagroup] && ![class match [IP::client_addr] equals allowed_internal_subnets] } {
        drop
    }
}
- ant77, Mar 02, 2024, Cirrostratus
when FLOW_INIT {
    set ipaddr [IP::client_addr]
    set fromCountry [whereis $ipaddr country]
    if { ![class match $fromCountry equals allowed_geoip_datagroup] && ![class match [IP::client_addr] equals allowed_internal_subnets] } {
        drop
    }
}
Hi Niels,
Thanks for your reply... I was wondering if I can use this event statement instead of "CLIENT_ACCEPTED", because this will be tied to multiple VIPs. We just want to allow the internal subnets, but not allow any external clients that do not meet where they are coming from, i.e. country code (US and EU). Would using just FLOW_INIT work?
- Mar 02, 2024
Hi,
Yes, for restricting access, the FLOW_INIT event would be sufficient. The CLIENT_ACCEPTED event in your case does something extra: it assigns a specific pool for internal users. So it's possible to create a general iRule containing the FLOW_INIT event for use on multiple virtual servers and an extra iRule holding the CLIENT_ACCEPTED event for the virtual server that needs it.
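A worked example of the two-iRule split described above. This is added here and is not code from the thread. It assumes two data groups already exist: allowed_internal_subnets (type address, holding 10.0.0.0/8) and allowed_geoip_datagroup (type string, holding two-letter country codes such as US). The iRule names, the pool name MY_POOL and the log text are placeholders.

```tcl
# iRule 1 (placeholder name: geo_internal_gate)
# Attach to every virtual server that must be restricted by origin.
when FLOW_INIT {
    set ipaddr [IP::client_addr]

    # Private ranges (10.0.0.0/8 etc.) have no entry in the GeoIP database,
    # so match them first and skip the lookup entirely for internal clients.
    if { [class match $ipaddr equals allowed_internal_subnets] } {
        return
    }

    # whereis returns an empty string when the address is not in the database;
    # an empty code never matches the allow list, so such flows are dropped too.
    set fromCountry [whereis $ipaddr country]
    if { $fromCountry eq "" } {
        set fromCountry "unknown"
    }

    if { ![class match $fromCountry equals allowed_geoip_datagroup] } {
        log local0. "GeoIP block: $ipaddr country=$fromCountry"
        drop
    }
}

# iRule 2 (placeholder name: internal_pool_select)
# Attach only to the virtual server that steers internal users to MY_POOL.
# FLOW_INIT runs before CLIENT_ACCEPTED, so only flows that passed iRule 1
# ever reach this event.
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals allowed_internal_subnets] } {
        log local0. "Internal client allowed: [IP::client_addr]"
        pool MY_POOL
    }
}
```

Two points worth checking when deploying this: the allow list must contain ISO country codes, so "EU" in a country-type data group matches nothing; if the intent is all of Europe, either list each member country or key the check on whereis $ipaddr continent, which returns continent codes such as EU. Second, the log call in FLOW_INIT fires once per blocked flow, so on a busy virtual server consider leaving it out after the rule has been validated.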
- ant77, Mar 04, 2024, Cirrostratus
Thank you Niels. Appreciate your explanation and help!