Forum Discussion
iRule - Using GeoIP to block/allow externally, and allow internal 10.0.0.0/8 subnets.
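when FLOW_INIT {
    # Client source address and the GeoIP country code it resolves to
    set ipaddr [IP::client_addr]
    set fromCountry [whereis $ipaddr country]
    # Drop only when the country is not allowed AND the source is not an internal subnet
    if { ![class match $fromCountry equals allowed_geoip_datagroup] && ![class match $ipaddr equals allowed_internal_subnets] } {
        drop
    }
}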
Hi Niels,
Thanks for your reply... I was wondering if I can use this event statement instead of the "CLIENT_ACCEPTED" because this will be tied to multiple VIPs. We just want to allow the internal subnets, but not allow any external clients that do not meet where they are coming from, i.e. country code (US and EU)... Would using just the FLOW_INIT work?
Hi,
Yes, for restricting access, the FLOW_INIT event would be sufficient. The CLIENT_ACCEPTED event in your case does something extra. It assigns a specific pool for internal users. So it's possible to create a general iRule containing the FLOW_INIT event for use on multiple virtual servers and an extra iRule holding the CLIENT_ACCEPTED event for the virtual server that needs it.
- ant77 (Cirrostratus), Mar 04, 2024
Thank you Niels. Appreciate your explanation and help!
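Added example, not part of the thread and not code from any poster or from F5: the split described above, with one general FLOW_INIT iRule for all virtual servers and a separate CLIENT_ACCEPTED iRule for the one that needs it. The iRule names and the pool name internal_users_pool are placeholders, and the CLIENT_ACCEPTED body is an assumption about what the pool assignment looks like; the data group names are the ones used in the thread.

```tcl
# iRule 1 (hypothetical name: geoip_internal_filter)
# Attach to every virtual server that needs the restriction.
when FLOW_INIT {
    set ipaddr [IP::client_addr]

    # Internal sources are allowed outright. Checking them first also
    # skips the GeoIP lookup for internal sources.
    if { [class match $ipaddr equals allowed_internal_subnets] } {
        return
    }

    # External sources must resolve to a country code listed in the data group.
    if { ![class match [whereis $ipaddr country] equals allowed_geoip_datagroup] } {
        drop
    }
}

# iRule 2 (hypothetical name: internal_pool_select)
# Attach only to the virtual server that needs a separate pool for internal users.
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals allowed_internal_subnets] } {
        # internal_users_pool is a placeholder pool name
        pool internal_users_pool
    }
}
```

Each `when` block is saved as its own iRule object; connections that are not dropped in FLOW_INIT and do not match the internal data group fall through to the virtual server's default pool.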