For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mbamusa_59409's avatar
mbamusa_59409
Icon for Nimbostratus rankNimbostratus
Jan 24, 2012

Restrict Access based on country using LTM or ASM

hi all;

 

 

could you please help me to find a way to restrict access to virtual server for some countries using irule and GEOLocation Data Base .

 

 

thank you

 

 

Mbamusa

 

application delivery
dev
devops
iRules

9 Replies

  • frank_30469's avatar
    frank_30469
    Icon for Nimbostratus rankNimbostratus
    Jan 24, 2012
    Hello,

     

     

    you can find more info on how to use this on: http://devcentral.f5.com/wiki/iRules.whereis.ashx
  • Arie's avatar
    Arie
    Icon for Altostratus rankAltostratus
    Jan 24, 2012
    mbamusa, can you work with Frank's answer or do you need additional information and/or help?
  • mbamusa_59409's avatar
    mbamusa_59409
    Icon for Nimbostratus rankNimbostratus
    Jan 24, 2012
    thank you Frank and Arie for the support , but could you please provide me an example (i.e. restrict access comes from China and Russia )

     

     

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 24, 2012
    Here's a positive example:

    
when CLIENT_ACCEPTED {
     Get the country client IP 
    switch [whereis [IP::client_addr] country] {
        US -
        CA -
        MX {
            set allowed 1
        }
        default { set allowed 0 }
    }
}
when HTTP_REQUEST {
    if {$allowed == 0}{
        HTTP::respond 403 content {Blocked!}
    }
}

    And here's a negative example:

    
when CLIENT_ACCEPTED {
     Get the country client IP 
    switch [whereis [IP::client_addr] country] {
        "CN" -
        "RU" {
            set allowed 0
        }
        default { set allowed 1 }
    }
}
when HTTP_REQUEST {
    if {$allowed == 0}{
        HTTP::respond 403 content {Blocked!}
    }
}

    If you don't need to send an HTTP response you can use reject to reset the TCP connection:

    
when CLIENT_ACCEPTED {
     Get the country client IP 
    switch [whereis [IP::client_addr] country] {
        "CN" -
        "RU" {
             Reset the TCP connection
            reject
        }
    }
}

    Aaron
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jan 24, 2012
    can you try this? 

    [root@ve1023:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
        switch [whereis [IP::client_addr] country] {
                CN -
                RU { drop }
                default {
                        do something else
                }
        }
}
}
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jan 24, 2012
    oops! my page was not updated. Aaron's one is nicer. please follow his. :-)
  • mbamusa_59409's avatar
    mbamusa_59409
    Icon for Nimbostratus rankNimbostratus
    Jan 25, 2012
    Thank You All for your kind Support , i'll Try the IRule and I'll get back to you with the result .

     

     

    mbamusa
  • mbamusa_59409's avatar
    mbamusa_59409
    Icon for Nimbostratus rankNimbostratus
    Jan 30, 2012
    Dear All;

     

     

    i tried hoolio's Irule and it's working perfect thank you all for your kind support .

     

     

    mbamusa
  • Vijith_182946's avatar
    Vijith_182946
    Icon for Cirrostratus rankCirrostratus
    Mar 01, 2017

    I think iRule take a lots of resources, you should try the ASM geolocation feature before u make up your mind on iRule. The detailed write is here.

     

    Cheers