Forum Discussion
iRule to only allow traffic from US, Canada and private networks....
We have a current iRule that only accepts traffic from the US or private networks (non-routable), shown below:

    when CLIENT_ACCEPTED {
        if { not ([whereis [IP::client_addr] country] eq "US") and not ([class match [IP::client_addr] equals "private_net"]) } {
            reject
        }
    }

We have now been asked to allow Canada as well. We are very new to F5 and iRules and are unable to figure out the logic needed.
Any assistance would be greatly appreciated. TIA.
- Lee_Sutcliffe
Nacreous
Canada has a country code of 'CA' (see https://www.iso.org/obp/ui/search). You could add another 'and' like the one for 'US'. It might, however, be easier to maintain if you create a datagroup with the country codes, much like you've done with the IP addresses,
for example:

    when CLIENT_ACCEPTED {
        if { !([class match [whereis [IP::client_addr] country] equals "country_dg"]) && !([class match [IP::client_addr] equals "private_net"]) } {
            reject
        }
    }

- oguzy
Cirrostratus
Hi Tyson,
You can try the below code:

    when CLIENT_ACCEPTED {
        if { not ([whereis [IP::client_addr] country] eq "US") and not ([whereis [IP::client_addr] country] eq "CA") } {
            if { not ([class match [IP::client_addr] equals private_net]) } {
                reject
            }
        }
    }
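
The data-group approach from this thread, written out as a complete default-deny iRule. This is an added example, not code posted by any participant. It assumes the two data groups named in the thread already exist: `private_net` (address type) and `country_dg` (string type holding ISO country codes such as "US" and "CA"). The log line and the variable names are additions for illustration.

```tcl
# Added example: geo allowlist with internal-network bypass.
# Assumed data groups (names taken from the thread):
#   private_net - address-type data group of internal / non-routable ranges
#   country_dg  - string-type data group of allowed ISO country codes ("US", "CA")
when CLIENT_ACCEPTED {
    # Read the client address once and reuse it.
    set client_ip [IP::client_addr]

    # Internal clients are allowed regardless of geolocation, so test them
    # first and skip the country lookup entirely.
    if { [class match $client_ip equals private_net] } {
        return
    }

    # Perform the geolocation lookup a single time per connection.
    set country [whereis $client_ip country]

    # Default deny: any lookup result that is not in the allowlist data
    # group is rejected. Adding a country later is a data group change,
    # not an iRule change.
    if { !([class match $country equals country_dg]) } {
        log local0.notice "geo-allowlist reject: client=$client_ip country=$country"
        reject
    }
}
```

The log entry records which countries are being turned away, which helps when tuning the allowlist; drop it if the volume of rejected connections makes the log too noisy.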