Forum Discussion
CirrostratusiRule - Using GeoIP to block/allow externally, and allow internal 10.0.0.0/8 subnets.
This should work.
when CLIENT_ACCEPTED {
if { [class match [IP::client_addr] equals allowed_internal_subnets] } {
log local0. "Internal Clients allowed: \ [IP::client_addr]"
pool MY_POOL
}
}
when FLOW_INIT {
set ipaddr [IP::client_addr]
set fromCountry [whereis $ipaddr country]
if {! [class match $fromCountry equals allowed_geoip_datagroup] && ! [class match [IP::client_addr] equals allowed_internal_subnets]}{
drop
}
}
Cirrostratuswhen FLOW_INIT {
set ipaddr [IP::client_addr]
set fromCountry [whereis $ipaddr country]
if {! [class match $fromCountry equals allowed_geoip_datagroup] && ! [class match [IP::client_addr] equals allowed_internal_subnets]}{
drop
}
}Hi Niels,
Thanks for you reply...I was wondering if I can use use this event statement instead of the "CLIENT_ACCEPTED" because this will be
tied to multiple VIPs. We just want to allow the internal subnets, but not allow any external client's that does not meet where they are coming from, i.e....country code (US and EU)... Would using just the FLOW_INIT work?
Hi,
Yes, for restricting access, the FLOW_INIT event would be sufficient. The CLIENT_ACCEPT event in your case does something extra. It assigns a specific pool for internal users. So it's possible to create a general irule containing the FLOW_INIT event for use on multiple virtual servers and an extra iRule holding the CLIENT_ACCEPTED event for the virtual server that needs it.
- ant77
Thank you Niels. Appreciate your explanation and help!
