Forum Discussion
iRule help to block traffic
Hello, my intention is to block traffic from countries which are not on my safe list. So I used the below iRule:

when CLIENT_ACCEPTED {
    if { not([class match [whereis [IP::client_addr] country] equals allow-country]) } {
        log "Dropping connection from client: [IP::client_addr], country code: [whereis [IP::client_addr] country]"
        drop
    }
}

This works fine, but when I looked at the logs I see that the internal IPs are getting dropped as well, I get that. Now I am using the below iRule to allow traffic from the allowed countries and also all the internal subnets.

Rule /Common/Allow_Country_iRule : Dropping connection from client: 180.76.15.142, country code: CN
Rule /Common/Allow_Country_iRule : Dropping connection from client: 10.60.50.6, country code:
Rule /Common/Allow_Country_iRule : Dropping connection from client: 10.60.53.12, country code:

I created a data group for internal subnets and am using the iRule below. It does not work. Is it the syntax or the logic that is the issue? Can someone help? Thank you for your time in advance.

when CLIENT_ACCEPTED {
    if { not([class match [whereis [IP::client_addr] country] equals allow_country]) or [IP::client_addr] equals allow_ip] )} {
        log "Dropping connection from client: [IP::client_addr], country code: [whereis [IP::client_addr] country]"
        drop
    }
}

4 Replies
- ekaleido
Cirrus
when CLIENT_ACCEPTED {
    # Resolve the country code once and reuse it below
    set location [whereis [IP::client_addr] country]
    # Plain class match returns a boolean; -value would return the record value (empty here) and break the if
    if { [class match [IP::client_addr] equals allow_ip] || [class match $location equals allow_country] } {
        pool mypool
    } else {
        log "Dropping connection from client: [IP::client_addr], country code: $location"
        drop
    }
}

- Domai
Altostratus
If I use "not" then it's dropping the connections from the countries that are in the safe list
Rule /Common/Allow_Country_iRule : Dropping connection from client: 195.154.47.12, country code: FR
Hi Domai,
take a look at the nested iRule below. It queries [whereis [IP::client_addr] country] first and then checks if [whereis] was able to resolve a country code. If [whereis] was able to resolve a country code it will look up the allow-country data-group, and if [whereis] was not able to resolve a country code it will look up the allow-ip data-group. The nested approach will make sure that only a single [whereis] and [class] execution is required for each connection attempt.
when CLIENT_ACCEPTED {
    if { [set whereis_result [whereis [IP::client_addr] country]] ne "" } then {
        if { not ( [class match $whereis_result equals "allow-country"] ) } then {
            log "Dropping connection from client: [IP::client_addr], country code: $whereis_result"
            drop
        }
    } else {
        if { not ( [class match [IP::client_addr] equals "allow-ip"] ) } then {
            log "Dropping connection from client: [IP::client_addr], country code: not available"
            drop
        }
    }
}

Cheers, Kai
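As an added example (not code from this thread or from F5), the decision logic of the original second iRule and of Kai's nested version, modelled offline in Python: `whereis` is replaced by a constructed lookup table, the two data groups by a set and a list of CIDR networks, so the difference between `not(A) or B` and "check country, else check subnet" can be seen on the addresses from the log lines above.

```python
"""Offline model of the allow-country / allow_ip decision from the thread.

Constructed stand-ins, not BIG-IP code: a dict replaces [whereis ... country],
a set and a CIDR list replace the two data groups.
"""
import ipaddress

# Stand-in for the allow-country data group (constructed allow list).
ALLOW_COUNTRY = {"US", "DE", "FR"}
# Stand-in for Domai's allow_ip data group (type ip).
ALLOW_IP = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed geo lookup; RFC 1918 and unknown addresses resolve to "".
GEO_DB = {"180.76.15.142": "CN", "195.154.47.12": "FR", "203.0.113.9": "US"}


def whereis_country(addr: str) -> str:
    """Mimics [whereis $addr country]: empty string when nothing resolves."""
    return GEO_DB.get(addr, "")


def class_match_ip(addr: str) -> bool:
    """Mimics [class match $addr equals allow_ip] on a type-ip data group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOW_IP)


def original_drops(addr: str) -> bool:
    """The second iRule as posted: not(A) or B.

    B compares the address string with the literal word allow_ip instead of
    matching the data group, so B is always false and the rule collapses to
    not(A): any address without a resolvable country is dropped.
    """
    a = whereis_country(addr) in ALLOW_COUNTRY
    b = addr == "allow_ip"
    return (not a) or b


def fixed_drops(addr: str) -> bool:
    """Kai's nested logic: country list if a country resolves, else IP list."""
    country = whereis_country(addr)
    if country != "":
        return country not in ALLOW_COUNTRY
    return not class_match_ip(addr)
```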
- Domai
Altostratus
ltm data-group internal allow_ip {
    records {
        10.0.0.0/8 { }
        172.16.0.0/12 { }
        192.168.0.0/16 { }
    }
    type ip
}

This is my allow_ip data group.