Forum Discussion

Kevin_Nail
Mar 08, 2011

Need some help with an iRule

I have an iRule that appears to be processing correctly but does not drop my connection when it should. Please help!!

I have created 2 external data classes and to make this work, I added the US into the blocked_country data class.

    when HTTP_REQUEST {
        # Check if country code is a part of the embargoed list
        log local0.debug "IRule has been triggered"
        log local0.debug "Connection attempt from country [whereis [IP::client_addr] country]"
        if { [class match [whereis [IP::client_addr] country] equals blocked_country] } {
            log local0.debug "The [whereis [IP::client_addr] country] is a part of the embargoed list"
            # Country code matched the embargoed list. Check the IP exception list
            if { [class match [IP::client_addr] equals ip_exception] } {
                log local0.debug "[IP::client_addr] Your IP was approved via the exception list"
                # Client IP matched the class, so allow it
            } else {
                drop
                log local0.debug "[IP::client_addr] was NOT approved via the exception list"
                log local0.debug "Dropping connection"
            }
        } else {
            log local0.debug "[whereis [IP::client_addr] country] Country approved"
        }
    }

 

 

This is what it logs:

    Mar 8 15:50:36 local/tmm debug tmm[4948]: Rule GEOIP_Final : IRule has been triggered
    Mar 8 15:50:36 local/tmm debug tmm[4948]: Rule GEOIP_Final : Connection attempt from country US
    Mar 8 15:50:36 local/tmm debug tmm[4948]: Rule GEOIP_Final : The US is a part of the embargoed country list
    Mar 8 15:50:36 local/tmm debug tmm[4948]: Rule GEOIP_Final : x.x.x.x was NOT approved via the exception list
    Mar 8 15:50:36 local/tmm debug tmm[4948]: Rule GEOIP_Final : Dropping connection

 

 

 

And yet, I still get the page that I should not be seeing. What have I got out of place? Should the "drop" be the very last thing?

 

  • Hi Kevin,

    When using drop, the connection is silently discarded. Can you try using the reject command to actively reject the connection by sending an RST? Also, can you post the details of your Virtual Server?

    Brian

     


  • The virtual server is a standard VIP. Nothing special, runs on port 80... with AutoSNAT enabled.

    I changed from 'drop' to 'reject'; I still get the same messages in the log file and still get through.
  • Figured this one out....

    The Firefox web browser cached the one good connection we made. After we cleared the cache, the iRule functions like I expect. Thanks for looking at this.

    Kevin
  • Hi Kevin,

    Good news. Might want to change back to drop if you wish to silently drop the connections also.

    Bok
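The thread resolves as a test-setup problem rather than a rule problem: the rule blocked the request, but the browser kept showing a page it had cached from the earlier allowed request. The iRule below is an added example written for this page, not Kevin's rule or F5's code. It keeps the same decision order (country check first, then the ip_exception list, using the data group names from the original post) but looks the country up once, logs the outcome either way, and answers a blocked request with an explicit, non-cacheable 403 instead of dropping it. With an explicit response the client gets a fresh answer it cannot confuse with a cached page, which makes a block visible while you are verifying the rule; the reject and drop alternatives Brian and Bok discuss are noted in the comments so the response style can be switched once testing is done.

```tcl
# Added example for this thread, not the original poster's rule or F5 code.
# Assumes two data groups named blocked_country (country codes) and
# ip_exception (client addresses), as in the original post.
when HTTP_REQUEST {
    # Look the country up once and reuse it instead of calling whereis
    # several times per request.
    set client  [IP::client_addr]
    set country [whereis $client country]

    if { [class match $country equals blocked_country] } {
        if { [class match $client equals ip_exception] } {
            # Embargoed country, but the address is on the exception list.
            log local0.info "GEOIP allow: $client ($country) is on ip_exception"
            return
        }

        log local0.info "GEOIP block: $client ($country) embargoed, not on ip_exception"

        # Explicit, uncacheable answer so the client shows the block rather
        # than a previously cached copy of the page. Alternatives:
        #   reject   - close the TCP connection with an RST
        #   drop     - discard silently (the original rule's choice)
        HTTP::respond 403 content "Forbidden" \
            "Cache-Control" "no-store" \
            "Connection" "close"
        return
    }

    log local0.info "GEOIP allow: $client ($country) not embargoed"
}
```

When checking the rule, use a client without a cache (curl, for example) or clear the browser cache first, and confirm the decision in the log lines above before trusting what the browser renders; the log in this thread already showed the block working while the page still appeared.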