Forum Discussion

CGI
Oct 08, 2010

Modifying irule for geofiltering to include allowed ips

Hi, I am new to both F5 and iRules, and we are trying to achieve a modification of an existing iRule that is used for geofiltering.

We would like to combine the possibility to include certain IP addresses from countries that generally are not allowed but we anyway like to allow access to the site. I hope I've explained it okay. Below is the iRule:

 

 

when HTTP_REQUEST {
    if { [matchclass [whereis [IP::client_addr] country] eq $::allowed_contry] } {
    } elseif { [matchclass [IP::client_addr] equals $::allowed_ip] } {
        # Uncomment the line below to turn on logging.
        #log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
        forward
    } else {
        HTTP::respond 403 content "Forbidden Not Allowed "
        log local0. "Blocked Country client IP: [IP::client_addr] from [whereis [IP::client_addr] country] "
    }
}


When I test the rule, the blocking for unallowed countries works, but matchclass for allowed IPs does not. I am sure there is something wrong with the syntax but I am not sure what.

Any help greatly appreciated.

/Craig

7 Replies

  • Here's how I'd do it:

    when HTTP_REQUEST {
        if { ([matchclass [whereis [IP::client_addr] country] eq allowed_country] or [matchclass [IP::client_addr] eq allowed_ip]) } {
            # Uncomment the line below to turn on logging.
            #log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
            forward
        } else {
            HTTP::respond 403 content "Not Allowed"
            log local0. "Blocked Country client IP: [IP::client_addr] from [whereis [IP::client_addr] country]"
        }
    }

    Depending on your version, you can optimize this as well. I assumed you wanted to forward the traffic if it met either "allowed" criteria since you didn't have an action specified for the allowed_country match.

    I got rid of your $:: so CMP would be used.

  • CGI

    Hi Chris, thanks for the quick reply. We are running 10.2, and you were right in your assumption that we would want to forward all the traffic that meets the required criteria.

    /Craig


  • Posted By Craigg on 10/08/2010 07:25 AM

    Hi Chris, thanks for the quick reply. We are running 10.2, and you were right in your assumption that we would want to forward all the traffic that meets the required criteria.

    /Craig

    Changed to use class match instead of matchclass.

    when HTTP_REQUEST {
        if { ([class match [whereis [IP::client_addr] country] eq allowed_country] or [class match [IP::client_addr] eq allowed_ip]) } {
            # Uncomment the line below to turn on logging.
            #log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
            forward
        } else {
            HTTP::respond 403 content "Not Allowed"
            log local0. "Blocked Country client IP: [IP::client_addr] from [whereis [IP::client_addr] country]"
        }
    }


  • hoolio

    Nice work. You could move the client IP checking to CLIENT_ACCEPTED and set a variable to track whether the client is allowed or not. You could then reference that variable in HTTP_REQUEST to determine whether to allow the HTTP request or not. This would eliminate checking the client IP on every HTTP request on the same TCP connection for keep-alives.

    Aaron
  • Good call Hoolio

    when CLIENT_ACCEPTED {
        if { ([class match [whereis [IP::client_addr] country] eq allowed_country] or [class match [IP::client_addr] eq allowed_ip]) } {
            set allowed 1
        } else {
            set allowed 0
        }
    }

    when HTTP_REQUEST {
        if { $allowed eq 1 } {
            # Uncomment the line below to turn on logging.
            #log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
            forward
        } else {
            HTTP::respond 403 content "Not Allowed"
            log local0. "Blocked Country client IP: [IP::client_addr] from [whereis [IP::client_addr] country]"
        }
    }

    IIRC, I needed the "else set allowed 0" or we'll throw TCL errors...I suppose I could use catch, info exists, or check that the value != ""

    Thoughts?
  • I don't see anything in this iRule that would cause an issue with CMP.
  • hoolio

    IIRC, I needed the "else set allowed 0" or we'll throw TCL errors...I suppose I could use catch, info exists, or check that the value != ""

    Hi Chris,

    I think the way you've set the flag in both cases is the simplest and probably the most efficient.

    Aaron
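A small Python model of the design the thread settles on (an added illustration, not iRule code from any of the posters): the allow/deny decision is made once per TCP connection, as in CLIENT_ACCEPTED, and reused for every request on that connection, as in HTTP_REQUEST. The data groups, the geolocation table and all addresses below are constructed stand-ins, and a missing flag is treated as deny rather than as an error.

```python
import ipaddress

# Constructed stand-ins for the allowed_country and allowed_ip data groups.
ALLOWED_COUNTRY = {"SE", "DK", "NO"}
ALLOWED_IP = [ipaddress.ip_network(n) for n in ("198.51.100.7/32", "203.0.113.0/24")]

# Constructed stand-in for [whereis <addr> country]; unknown addresses return "".
GEO_TABLE = {"198.51.100.7": "CN", "203.0.113.9": "RU",
             "192.0.2.1": "SE", "192.0.2.2": "US"}


def whereis_country(addr):
    return GEO_TABLE.get(addr, "")


def ip_in_class(addr, networks):
    """Address-list match: a host or any network in the data group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def client_accepted(addr):
    """CLIENT_ACCEPTED: set the flag in both branches so HTTP_REQUEST never
    reads an unset variable. Allowed country OR allow-listed IP passes."""
    if whereis_country(addr) in ALLOWED_COUNTRY or ip_in_class(addr, ALLOWED_IP):
        return 1
    return 0


def http_request(conn, addr):
    """HTTP_REQUEST: forward when the connection flag is 1, otherwise 403.
    A connection without the flag (the TCL-error case) is denied by default."""
    if conn.get("allowed", 0) == 1:
        return ("forward", None)
    return ("respond", 403)


def handle_connection(addr, n_requests=3):
    """One keep-alive connection: evaluate once, reuse for every request."""
    conn = {"allowed": client_accepted(addr)}
    return [http_request(conn, addr) for _ in range(n_requests)]
```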